diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:28 +0000 |
commit | 14509ce60103dab695cef4d4f31321bab27ab967 (patch) | |
tree | 5959cfb9832b3af242a1ca45d4a1227acae67d87 /bin/tests/system/mirror | |
parent | Adding debian version 1:9.18.19-1~deb12u1. (diff) | |
download | bind9-14509ce60103dab695cef4d4f31321bab27ab967.tar.xz bind9-14509ce60103dab695cef4d4f31321bab27ab967.zip |
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/mirror')
-rw-r--r-- | bin/tests/system/mirror/ns1/sign.sh | 14 | ||||
-rw-r--r-- | bin/tests/system/mirror/ns2/sign.sh | 70 | ||||
-rw-r--r-- | bin/tests/system/mirror/ns3/named.conf.in | 2 | ||||
-rw-r--r-- | bin/tests/system/mirror/setup.sh | 6 | ||||
-rw-r--r-- | bin/tests/system/mirror/tests.sh | 388 |
5 files changed, 240 insertions, 240 deletions
diff --git a/bin/tests/system/mirror/ns1/sign.sh b/bin/tests/system/mirror/ns1/sign.sh index ab613d5..4337500 100644 --- a/bin/tests/system/mirror/ns1/sign.sh +++ b/bin/tests/system/mirror/ns1/sign.sh @@ -13,7 +13,7 @@ . ../../conf.sh -( cd ../ns2 && $SHELL -e sign.sh ) +(cd ../ns2 && $SHELL -e sign.sh) cp ../ns2/dsset-* . @@ -21,17 +21,17 @@ zone=. infile=root.db.in zonefile=root.db -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) -keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) +keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Add a trust anchor for a name whose non-existence can be securely proved # without recursing when the root zone is mirrored. This will exercise code # attempting to send TAT queries for such names (in ns3). Key data is # irrelevant here, so just reuse the root zone key generated above. -sed "s/^\./nonexistent./;" $keyname1.key > $keyname1.modified.key +sed "s/^\./nonexistent./;" $keyname1.key >$keyname1.modified.key -keyfile_to_static_ds $keyname1 $keyname1.modified > trusted.conf +keyfile_to_static_ds $keyname1 $keyname1.modified >trusted.conf diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh index 519fd83..2cd449b 100644 --- a/bin/tests/system/mirror/ns2/sign.sh +++ b/bin/tests/system/mirror/ns2/sign.sh @@ -16,16 +16,16 @@ keys_to_trust="" for zonename in sub.example example initially-unavailable; do - zone=$zonename - infile=$zonename.db.in - zonefile=$zonename.db + zone=$zonename + infile=$zonename.db.in + zonefile=$zonename.db - keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) - keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) + keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) + keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) - cat $infile $keyname1.key $keyname2.key > $zonefile + cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -P -g -o $zone $zonefile > /dev/null + $SIGNER -P -g -o $zone $zonefile >/dev/null done # Only add the key for "initially-unavailable" to the list of keys trusted by @@ -39,9 +39,9 @@ zone=verify-csk infile=verify.db.in zonefile=verify-csk.db -keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) -cat $infile $keyname.key > $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) +cat $infile $keyname.key >$zonefile +$SIGNER -P -o $zone $zonefile >/dev/null keys_to_trust="$keys_to_trust $keyname" # Prepare remaining zones used in the test. @@ -50,30 +50,30 @@ UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1)) UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2)) for variant in addzone axfr ixfr load reconfig untrusted; do - zone=verify-$variant - infile=verify.db.in - zonefile=verify-$variant.db - - keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) - keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) - - cat $infile $keyname1.key $keyname2.key > $zonefile - - # Prepare a properly signed version of the zone ("*.original.signed"). - $SIGNER -P -o $zone $zonefile > /dev/null - cp $zonefile.signed $zonefile.original.signed - # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed"). - sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed > $zonefile.bad.signed - # Prepare another properly signed version of the zone ("*.good.signed"). - sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile > $zonefile.good - $SIGNER -P -o $zone $zonefile.good > /dev/null - rm -f $zonefile.good - - # Except for the "verify-untrusted" zone, declare the KSK used for - # signing the zone to be a trust anchor for ns3. - if [ "$variant" != "untrusted" ]; then - keys_to_trust="$keys_to_trust $keyname1" - fi + zone=verify-$variant + infile=verify.db.in + zonefile=verify-$variant.db + + keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) + keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) + + cat $infile $keyname1.key $keyname2.key >$zonefile + + # Prepare a properly signed version of the zone ("*.original.signed"). + $SIGNER -P -o $zone $zonefile >/dev/null + cp $zonefile.signed $zonefile.original.signed + # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed"). + sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed >$zonefile.bad.signed + # Prepare another properly signed version of the zone ("*.good.signed"). + sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile >$zonefile.good + $SIGNER -P -o $zone $zonefile.good >/dev/null + rm -f $zonefile.good + + # Except for the "verify-untrusted" zone, declare the KSK used for + # signing the zone to be a trust anchor for ns3. + if [ "$variant" != "untrusted" ]; then + keys_to_trust="$keys_to_trust $keyname1" + fi done -keyfile_to_static_ds $keys_to_trust > trusted-mirror.conf +keyfile_to_static_ds $keys_to_trust >trusted-mirror.conf diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in index b644f45..edbfed8 100644 --- a/bin/tests/system/mirror/ns3/named.conf.in +++ b/bin/tests/system/mirror/ns3/named.conf.in @@ -37,7 +37,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "." { diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh index b80e797..21d1093 100644 --- a/bin/tests/system/mirror/setup.sh +++ b/bin/tests/system/mirror/setup.sh @@ -19,7 +19,7 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf -( cd ns1 && $SHELL -e sign.sh ) +(cd ns1 && $SHELL -e sign.sh) -cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed -cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror +cat ns2/verify-axfr.db.bad.signed >ns2/verify-axfr.db.signed +cat ns2/verify-load.db.bad.signed >ns3/verify-load.db.mirror diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh index dc6cffa..78c884e 100644 --- a/bin/tests/system/mirror/tests.sh +++ b/bin/tests/system/mirror/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=2 +tries=1 +multi" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # Wait until the transfer of the given zone to ns3 either completes # successfully or is aborted by a verification failure or a REFUSED response @@ -25,47 +25,47 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" # end with the "IXFR failed" status, which is followed by an AXFR retry and # this test needs to check what the result of the latter transfer attempt is. wait_for_transfer() { - zone=$1 - for i in 1 2 3 4 5 6 7 8 9 10; do - # Wait until a "freeing transfer context" message is logged - # after one of the transfer results we are looking for is - # logged. This is needed to prevent races when checking for - # "mirror zone is now in use" messages. - nextpartpeek ns3/named.run | \ - awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" | \ - grep "'$zone/IN'.*freeing transfer context" > /dev/null && return - sleep 1 - done - echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run" - ret=1 + zone=$1 + for i in 1 2 3 4 5 6 7 8 9 10; do + # Wait until a "freeing transfer context" message is logged + # after one of the transfer results we are looking for is + # logged. This is needed to prevent races when checking for + # "mirror zone is now in use" messages. + nextpartpeek ns3/named.run \ + | awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" \ + | grep "'$zone/IN'.*freeing transfer context" >/dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run" + ret=1 } # Wait until loading the given zone on the given server either completes # successfully for the specified serial number or fails. wait_for_load() { - zone=$1 - serial=$2 - log=$3 - for i in 1 2 3 4 5 6 7 8 9 10; do - # Wait until a "zone_postload: (...): done" message is logged - # after one of the loading-related messages we are looking for - # is logged. This is needed to prevent races when checking for - # "mirror zone is now in use" messages. - nextpartpeek $log | \ - awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" | \ - grep "zone_postload: zone $zone/IN: done" > /dev/null && return - sleep 1 - done - echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log" - ret=1 + zone=$1 + serial=$2 + log=$3 + for i in 1 2 3 4 5 6 7 8 9 10; do + # Wait until a "zone_postload: (...): done" message is logged + # after one of the loading-related messages we are looking for + # is logged. This is needed to prevent races when checking for + # "mirror zone is now in use" messages. + nextpartpeek $log \ + | awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" \ + | grep "zone_postload: zone $zone/IN: done" >/dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log" + ret=1 } # Trigger a reload of ns2 and wait until loading the given zone completes. reload_zone() { - zone=$1 - serial=$2 - rndc_reload ns2 10.53.0.2 - wait_for_load $zone $serial ns2/named.run + zone=$1 + serial=$2 + rndc_reload ns2 10.53.0.2 + wait_for_load $zone $serial ns2/named.run } status=0 @@ -79,11 +79,11 @@ n=$((n + 1)) echo_i "checking that an unsigned mirror zone is rejected ($n)" ret=0 wait_for_transfer verify-unsigned -$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -92,11 +92,11 @@ echo_i "checking that a mirror zone signed using an untrusted key is rejected ($ ret=0 nextpartreset ns3/named.run wait_for_transfer verify-untrusted -$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -105,10 +105,10 @@ echo_i "checking that a mirror zone signed using a CSK without the SEP bit set i ret=0 nextpartreset ns3/named.run wait_for_transfer verify-csk -$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -117,26 +117,26 @@ echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ( ret=0 nextpartreset ns3/named.run wait_for_transfer verify-axfr -$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that an AXFR of an updated, correctly signed mirror zone is accepted ($n)" ret=0 -nextpart ns3/named.run > /dev/null -cat ns2/verify-axfr.db.good.signed > ns2/verify-axfr.db.signed +nextpart ns3/named.run >/dev/null +cat ns2/verify-axfr.db.good.signed >ns2/verify-axfr.db.signed reload_zone verify-axfr ${UPDATED_SERIAL_GOOD} -$RNDCCMD 10.53.0.3 retransfer verify-axfr > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 retransfer verify-axfr >/dev/null 2>&1 wait_for_transfer verify-axfr -$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -147,59 +147,59 @@ ret=0 wait_for_transfer verify-ixfr # Sanity check: the initial, properly signed version of the zone should have # been announced as coming into effect. -nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1 +nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null || ret=1 # Make a copy of the original zone file for reuse in journal tests below. cp ns2/verify-ixfr.db.signed ns3/verify-journal.db.mirror # Wait 1 second so that the zone file timestamp changes and the subsequent # invocation of "rndc reload" triggers a zone reload. sleep 1 -cat ns2/verify-ixfr.db.bad.signed > ns2/verify-ixfr.db.signed +cat ns2/verify-ixfr.db.bad.signed >ns2/verify-ixfr.db.signed reload_zone verify-ixfr ${UPDATED_SERIAL_BAD} # Make a copy of the bad zone journal for reuse in journal tests below. cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.bad.mirror.jnl # Trigger IXFR. -$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 refresh verify-ixfr >/dev/null 2>&1 wait_for_transfer verify-ixfr # Ensure the transfer was incremental as expected. if [ $(nextpartpeek ns3/named.run | grep "verify-ixfr.*got incremental response" | wc -l) -eq 0 ]; then - echo_i "failed: did not get an incremental response" - ret=1 + echo_i "failed: did not get an incremental response" + ret=1 fi # Ensure the new, bad version of the zone was not accepted. -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 # A positive answer is expected as the original version of the "verify-ixfr" # zone should have been successfully verified. -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" >/dev/null || ret=1 # Despite the verification failure for this IXFR, this mirror zone should still # be in use as its previous version should have been verified successfully. -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that an IXFR of an updated, correctly signed mirror zone is accepted after AXFR failover ($n)" ret=0 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Wait 1 second so that the zone file timestamp changes and the subsequent # invocation of "rndc reload" triggers a zone reload. sleep 1 -cat ns2/verify-ixfr.db.good.signed > ns2/verify-ixfr.db.signed +cat ns2/verify-ixfr.db.good.signed >ns2/verify-ixfr.db.signed reload_zone verify-ixfr ${UPDATED_SERIAL_GOOD} # Make a copy of the good zone journal for reuse in journal tests below. cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.good.mirror.jnl # Trigger IXFR. -$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 refresh verify-ixfr >/dev/null 2>&1 wait_for_transfer verify-ixfr # Ensure the new, good version of the zone was accepted. -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 # The log message announcing the mirror zone coming into effect should not have # been logged this time since the mirror zone in question is expected to # already be in use before this test case is checked. -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -208,11 +208,11 @@ echo_i "checking that loading an incorrectly signed mirror zone from disk fails ret=0 nextpartreset ns3/named.run wait_for_load verify-load ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -220,7 +220,7 @@ n=$((n + 1)) echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)" ret=0 # ns3 is started with "-T tat=3", so TAT queries should have already been sent. -grep "_ta-[-0-9a-f]*/NULL" ns1/named.run > /dev/null || ret=1 +grep "_ta-[-0-9a-f]*/NULL" ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -228,14 +228,14 @@ n=$((n + 1)) echo_i "checking that loading a correctly signed mirror zone from disk succeeds ($n)" ret=0 stop_server --use-rndc --port ${CONTROLPORT} ns3 -cat ns2/verify-load.db.good.signed > ns3/verify-load.db.mirror -nextpart ns3/named.run > /dev/null +cat ns2/verify-load.db.good.signed >ns3/verify-load.db.mirror +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 wait_for_load verify-load ${UPDATED_SERIAL_GOOD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -253,22 +253,22 @@ cp ns3/verify-journal.db.bad.mirror.jnl ns3/verify-ixfr.db.mirror.jnl # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-ixfr" {$/,/^};$/ { s/10.53.0.3/10.53.0.254/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 wait_for_load verify-ixfr ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null && ret=1 # Restore transfers for the "verify-ixfr" zone on ns2. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-ixfr" {$/,/^};$/ { s/10.53.0.254/10.53.0.3/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -280,40 +280,40 @@ ret=0 stop_server --use-rndc --port ${CONTROLPORT} ns3 cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror cp ns3/verify-journal.db.good.mirror.jnl ns3/verify-ixfr.db.mirror.jnl -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 wait_for_load verify-ixfr ${UPDATED_SERIAL_GOOD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking delegations sourced from a mirror zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 foo.example A +norec > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.example A +norec >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null && ret=1 # Check that a delegation containing a DS RRset and glue is present. -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "example.*IN.*NS" dig.out.ns3.test$n > /dev/null || ret=1 -grep "example.*IN.*DS" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "example.*IN.*NS" dig.out.ns3.test$n >/dev/null || ret=1 +grep "example.*IN.*DS" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that resolution involving a mirror zone works as expected ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.example A >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 # Ensure ns1 was not queried. -grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1 +grep "query 'foo.example/A/IN'" ns1/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -321,13 +321,13 @@ n=$((n + 1)) echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)" ret=0 # Issue a non-recursive query for an RRset which is expected to be in cache. -$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 # Ensure the response is not a delegation. -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -336,41 +336,41 @@ echo_i "checking that delegations from cache which improve mirror zone delegatio ret=0 # First, issue a recursive query in order to cache an RRset which is not within # the mirror zone's bailiwick. -$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 sub.example. NS >dig.out.ns3.test$n.1 2>&1 || ret=1 # Ensure the child-side NS RRset is returned. -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Issue a non-recursive query for something below the cached zone cut. -$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A >dig.out.ns3.test$n.2 2>&1 || ret=1 # Ensure the cached NS RRset is returned in a delegation, along with the # parent-side DS RRset. -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 . DNSKEY >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 . SOA >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -380,30 +380,30 @@ ret=0 wait_for_transfer initially-unavailable # Query for a record in a zone that is set up to be mirrored, but # untransferrable from the configured primary. Resolution should still succeed. -$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.1 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n.1 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Sanity check: the authoritative server should have been queried. -nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1 +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null || ret=1 # Reconfigure ns2 so that the zone can be mirrored on ns3. sed '/^zone "initially-unavailable" {$/,/^};$/ { s/10.53.0.254/10.53.0.3/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 # Flush the cache on ns3 and retransfer the mirror zone. -$RNDCCMD 10.53.0.3 flush > /dev/null 2>&1 -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 retransfer initially-unavailable > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 flush >/dev/null 2>&1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 retransfer initially-unavailable >/dev/null 2>&1 wait_for_transfer initially-unavailable # Query for the same record again. Resolution should still succeed. -$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.2 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n.2 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null || ret=1 # Ensure the authoritative server was not queried. -nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null && ret=1 +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -414,60 +414,60 @@ ret=0 # mirrored on ns3. sed '/^zone "initially-unavailable" {$/,/^};$/ { s/10.53.0.3/10.53.0.254/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 # Stop ns3, update the timestamp of the zone file to one far in the past, then # restart ns3. stop_server --use-rndc --port ${CONTROLPORT} ns3 touch -t 200001010000 ns3/initially-unavailable.db.mirror -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 # Ensure named attempts to retransfer the zone due to its expiry. wait_for_transfer initially-unavailable # Ensure the expected messages were logged. -nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" >/dev/null || ret=1 # Query for a record in the expired zone. Resolution should still succeed. -$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 # Sanity check: the authoritative server should have been queried. -nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1 +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1 +grep "REFUSED" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that outgoing transfers of mirror zones are disabled by default ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 . AXFR > dig.out.ns3.test$n 2>&1 || ret=1 -grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 . AXFR >dig.out.ns3.test$n 2>&1 || ret=1 +grep "; Transfer failed" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that notifies are disabled by default for mirror zones ($n)" ret=0 -grep "initially-unavailable.*sending notifies" ns3/named.run > /dev/null && ret=1 +grep "initially-unavailable.*sending notifies" ns3/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking output of \"rndc zonestatus\" for a mirror zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 zonestatus . > rndc.out.ns3.test$n 2>&1 -grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus . >rndc.out.ns3.test$n 2>&1 +grep "type: mirror" rndc.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -475,26 +475,26 @@ n=$((n + 1)) echo_i "checking that \"rndc reconfig\" properly handles a mirror -> secondary zone type change ($n)" ret=0 # Sanity check before we start. -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Reconfigure the zone so that it is no longer a mirror zone. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { s/type mirror;/type secondary;/ -}' ns3/named.conf > ns3/named.conf.modified +}' ns3/named.conf >ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null rndc_reconfig ns3 10.53.0.3 # Zones whose type was changed should not be reusable, which means the tested # zone should have been reloaded from disk. wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run # Ensure responses sourced from the reconfigured zone have AA=1 and AD=0. -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -502,20 +502,20 @@ n=$((n + 1)) echo_i "checking that \"rndc reconfig\" properly handles a secondary -> mirror zone type change ($n)" ret=0 # Put an incorrectly signed version of the zone in the zone file used by ns3. -nextpart ns3/named.run > /dev/null -cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror +nextpart ns3/named.run >/dev/null +cat ns2/verify-reconfig.db.bad.signed >ns3/verify-reconfig.db.mirror # Reconfigure the zone so that it is a mirror zone again. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { s/type secondary;/type mirror;/ -}' ns3/named.conf > ns3/named.conf.modified +}' ns3/named.conf >ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf rndc_reconfig ns3 10.53.0.3 # The reconfigured zone should fail verification. wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -523,19 +523,19 @@ n=$((n + 1)) echo_i "checking that a mirror zone can be added using rndc ($n)" ret=0 # Sanity check: the zone should not exist in the root zone. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Mirror a zone which does not exist in the root zone. -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' >rndc.out.ns3.test$n 2>&1 || ret=1 wait_for_transfer verify-addzone # Check whether the mirror zone was added and whether it behaves as expected. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -543,14 +543,14 @@ n=$((n + 1)) echo_i "checking that a mirror zone can be deleted using rndc ($n)" ret=0 # Remove the mirror zone added in the previous test. -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 delzone verify-addzone >rndc.out.ns3.test$n 2>&1 || ret=1 wait_for_log 20 "zone verify-addzone/IN: mirror zone is no longer in use; reverting to normal recursion" ns3/named.run || ret=1 # Check whether the mirror zone was removed. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) |