diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:29 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 16:41:29 +0000 |
| commit | e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca (patch) | |
| tree | 65e6bbf5e12c3fe09b43e577f8d1786d06bcd559 /bin/tests/system | |
| parent | Releasing progress-linux version 1:9.18.19-1~deb12u1progress7u1. (diff) | |
| download | bind9-e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca.tar.xz bind9-e2fc8e037ea6bb5de92b25ec9c12a624737ac5ca.zip | |
Merging upstream version 1:9.18.24.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system')
492 files changed, 27035 insertions, 24925 deletions
diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 72d464a..befd512 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -18,6 +18,8 @@ LDADD += \ $(LIBISC_LIBS) if HAVE_PERL +if HAVE_PYTHON +if HAVE_PYTEST noinst_PROGRAMS = \ feature-test \ @@ -81,23 +83,14 @@ tkey_keydelete_LDADD = \ $(LDADD) \ $(LIBDNS_LIBS) -TESTS = - -if HAVE_PERLMOD_TIME_HIRES -TESTS += serve-stale -endif HAVE_PERLMOD_TIME_HIRES - -if HAVE_PERLMOD_NET_DNS -TESTS += \ - rpzrecurse -endif HAVE_PERLMOD_NET_DNS - -if HAVE_LIBNGHTTP2 -TESTS += \ - doth -endif - -TESTS += \ +# Longer running tests are listed (and executed) first to take the most +# advantage of parallel execution. +TESTS = \ + rpz \ + rpzrecurse \ + serve-stale \ + timeouts \ + upforwd \ acl \ additional \ addzone \ @@ -109,13 +102,21 @@ TESTS += \ case \ catz \ cds \ + chain \ checkconf \ + checkds \ checknames \ checkzone \ + cookie \ database \ dialup \ + digdelv \ + dispatch \ dlzexternal \ dns64 \ + dnssec \ + dnstap \ + doth \ dsdigest \ dupsigs \ dyndb \ @@ -125,18 +126,23 @@ TESTS += \ emptyzones \ enginepkcs11 \ filter-aaaa \ + fetchlimit \ formerr \ + forward \ geoip2 \ glue \ idna \ include-multiplecfg \ inline \ integrity \ + ixfr \ hooks \ host \ journal \ + kasp \ keepalive \ keyfromlabel \ + keymgr2kasp \ legacy \ limits \ logfileconfig \ @@ -149,24 +155,35 @@ TESTS += \ notify \ nsec3 \ nslookup \ + nsupdate \ + nzd2nzf \ padding \ pending \ + pipelined \ + qmin \ + reclimit \ redirect \ + resolver \ rndc \ rootkeysentinel \ - rpz \ + rpzextra \ rrchecker \ rrl \ rrsetorder \ rsabigexponent \ runtime \ sfcache \ + shutdown \ smartsign \ sortlist \ spf \ staticstub \ + statistics \ + statschannel \ + stress \ stub \ synthfromdnssec \ + tcp \ tkey \ tools \ transport-acl \ @@ -177,62 +194,21 @@ TESTS += \ verify \ views \ wildcard \ + xfer \ xferquota \ + zero \ zonechecks -if HAVE_LMDB -TESTS += nzd2nzf -endif # HAVE_LMDB - -if HAVE_PERLMOD_NET_DNS - -TESTS += \ - fetchlimit \ - ixfr \ - nsupdate \ - resolver \ - statistics \ - stress \ - upforwd \ - zero - -if HAVE_DNSTAP -TESTS += dnstap -endif - -if HAVE_PERLMOD_FILE_FETCH -TESTS += statschannel -endif HAVE_PERLMOD_FILE_FETCH - -if HAVE_PERLMOD_DIGEST_HMAC -TESTS += xfer -endif HAVE_PERLMOD_DIGEST_HMAC - -if HAVE_PERLMOD_NET_DNS_NAMESERVER -TESTS += reclimit -endif HAVE_PERLMOD_NET_DNS_NAMESERVER - -endif HAVE_PERLMOD_NET_DNS - -if HAVE_PYTHON -TESTS += kasp keymgr2kasp tcp pipelined - -if HAVE_PYTEST -TESTS += checkds dispatch rpzextra shutdown timeouts -endif - -if HAVE_PYMOD_DNS -TESTS += qmin cookie -if HAVE_PERLMOD_NET_DNS -TESTS += digdelv dnssec forward -if HAVE_PERLMOD_NET_DNS_NAMESERVER -TESTS += chain -endif HAVE_PERLMOD_NET_DNS_NAMESERVER -endif HAVE_PERLMOD_NET_DNS -endif HAVE_PYMOD_DNS - -endif HAVE_PYTHON - +else !HAVE_PYTEST +check: + echo pytest is not available, no tests were ran + exit 1 +endif !HAVE_PYTEST +else !HAVE_PYTHON +check: + echo Python is not available, no tests were ran + exit 1 +endif !HAVE_PYTHON else !HAVE_PERL check: echo Perl is not available, no tests were ran @@ -247,12 +223,9 @@ LOG_DRIVER_V_1 = --verbose yes LOG_DRIVER = $(srcdir)/custom-test-driver AM_LOG_DRIVER_FLAGS = $(LOG_DRIVER_V) -LOG_COMPILER = $(builddir)/legacy.run.sh -AM_LOG_FLAGS = -r - -$(TESTS): legacy.run.sh +LOG_COMPILER = $(srcdir)/run.sh test-local: check clean-local:: - -find $(builddir) -maxdepth 1 -type d -name "*_*" | xargs rm -rf + -find -L . -mindepth 1 -maxdepth 1 -type d -name "*_*" -and -not -name "_common" -exec rm -rf {} \; diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index eb62072..b907194 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in @@ -95,39 +95,14 @@ target_triplet = @target@ @HOST_MACOS_TRUE@am__append_1 = \ @HOST_MACOS_TRUE@ -Wl,-flat_namespace -@HAVE_PERL_TRUE@noinst_PROGRAMS = feature-test$(EXEEXT) \ -@HAVE_PERL_TRUE@ makejournal$(EXEEXT) \ -@HAVE_PERL_TRUE@ pipelined/pipequeries$(EXEEXT) \ -@HAVE_PERL_TRUE@ resolve$(EXEEXT) rndc/gencheck$(EXEEXT) \ -@HAVE_PERL_TRUE@ rpz/dnsrps$(EXEEXT) tkey/keycreate$(EXEEXT) \ -@HAVE_PERL_TRUE@ tkey/keydelete$(EXEEXT) -@HAVE_PERLMOD_TIME_HIRES_TRUE@@HAVE_PERL_TRUE@am__append_2 = serve-stale -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_3 = \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ rpzrecurse - -@HAVE_LIBNGHTTP2_TRUE@@HAVE_PERL_TRUE@am__append_4 = \ -@HAVE_LIBNGHTTP2_TRUE@@HAVE_PERL_TRUE@ doth - -@HAVE_LMDB_TRUE@@HAVE_PERL_TRUE@am__append_5 = nzd2nzf -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_6 = \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ fetchlimit \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ ixfr \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ nsupdate \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ resolver \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ statistics \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ stress \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ upforwd \ -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@ zero - -@HAVE_DNSTAP_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_7 = dnstap -@HAVE_PERLMOD_FILE_FETCH_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_8 = statschannel -@HAVE_PERLMOD_DIGEST_HMAC_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_9 = xfer -@HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@am__append_10 = reclimit -@HAVE_PERL_TRUE@@HAVE_PYTHON_TRUE@am__append_11 = kasp keymgr2kasp tcp pipelined -@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@am__append_12 = checkds dispatch rpzextra shutdown timeouts -@HAVE_PERL_TRUE@@HAVE_PYMOD_DNS_TRUE@@HAVE_PYTHON_TRUE@am__append_13 = qmin cookie -@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@@HAVE_PYMOD_DNS_TRUE@@HAVE_PYTHON_TRUE@am__append_14 = digdelv dnssec forward -@HAVE_PERLMOD_NET_DNS_NAMESERVER_TRUE@@HAVE_PERLMOD_NET_DNS_TRUE@@HAVE_PERL_TRUE@@HAVE_PYMOD_DNS_TRUE@@HAVE_PYTHON_TRUE@am__append_15 = chain +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@noinst_PROGRAMS = feature-test$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ makejournal$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ pipelined/pipequeries$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ resolve$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rndc/gencheck$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpz/dnsrps$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tkey/keycreate$(EXEEXT) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tkey/keydelete$(EXEEXT) subdir = bin/tests/system ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ @@ -136,11 +111,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ @@ -165,30 +138,40 @@ am__v_lt_0 = --silent am__v_lt_1 = makejournal_SOURCES = makejournal.c makejournal_OBJECTS = makejournal-makejournal.$(OBJEXT) -@HAVE_PERL_TRUE@makejournal_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@makejournal_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) pipelined_pipequeries_SOURCES = pipelined/pipequeries.c am__dirstamp = $(am__leading_dot)dirstamp pipelined_pipequeries_OBJECTS = \ pipelined/pipequeries-pipequeries.$(OBJEXT) -@HAVE_PERL_TRUE@pipelined_pipequeries_DEPENDENCIES = $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@pipelined_pipequeries_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) resolve_SOURCES = resolve.c resolve_OBJECTS = resolve-resolve.$(OBJEXT) -@HAVE_PERL_TRUE@resolve_DEPENDENCIES = $(LIBISC_LIBS) $(LIBIRS_LIBS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@resolve_DEPENDENCIES = $(LIBISC_LIBS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBIRS_LIBS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) rndc_gencheck_SOURCES = rndc/gencheck.c rndc_gencheck_OBJECTS = rndc/gencheck.$(OBJEXT) rndc_gencheck_LDADD = $(LDADD) rndc_gencheck_DEPENDENCIES = $(LIBISC_LIBS) rpz_dnsrps_SOURCES = rpz/dnsrps.c rpz_dnsrps_OBJECTS = rpz/dnsrps-dnsrps.$(OBJEXT) -@HAVE_PERL_TRUE@rpz_dnsrps_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@rpz_dnsrps_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) tkey_keycreate_SOURCES = tkey/keycreate.c tkey_keycreate_OBJECTS = tkey/keycreate-keycreate.$(OBJEXT) -@HAVE_PERL_TRUE@tkey_keycreate_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keycreate_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) tkey_keydelete_SOURCES = tkey/keydelete.c tkey_keydelete_OBJECTS = tkey/keydelete-keydelete.$(OBJEXT) -@HAVE_PERL_TRUE@tkey_keydelete_DEPENDENCIES = $(LDADD) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keydelete_DEPENDENCIES = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -767,88 +750,181 @@ LIBBIND9_LIBS = \ EXTRA_DIST = . SUBDIRS = dyndb/driver dlzexternal/driver hooks/driver -@HAVE_PERL_TRUE@feature_test_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@makejournal_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@makejournal_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@pipelined_pipequeries_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@pipelined_pipequeries_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@resolve_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBISC_CFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBIRS_CFLAGS) - -@HAVE_PERL_TRUE@resolve_LDADD = $(LIBISC_LIBS) $(LIBIRS_LIBS) $(LIBDNS_LIBS) -@HAVE_PERL_TRUE@rpz_dnsrps_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@rpz_dnsrps_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@tkey_keycreate_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@tkey_keycreate_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@tkey_keydelete_CPPFLAGS = \ -@HAVE_PERL_TRUE@ $(AM_CPPFLAGS) \ -@HAVE_PERL_TRUE@ $(LIBDNS_CFLAGS) - -@HAVE_PERL_TRUE@tkey_keydelete_LDADD = \ -@HAVE_PERL_TRUE@ $(LDADD) \ -@HAVE_PERL_TRUE@ $(LIBDNS_LIBS) - -@HAVE_PERL_TRUE@TESTS = $(am__append_2) $(am__append_3) \ -@HAVE_PERL_TRUE@ $(am__append_4) acl additional addzone \ -@HAVE_PERL_TRUE@ allow-query auth autosign builtin cacheclean \ -@HAVE_PERL_TRUE@ case catz cds checkconf checknames checkzone \ -@HAVE_PERL_TRUE@ database dialup dlzexternal dns64 dsdigest \ -@HAVE_PERL_TRUE@ dupsigs dyndb ecdsa eddsa ednscompliance \ -@HAVE_PERL_TRUE@ emptyzones enginepkcs11 filter-aaaa formerr \ -@HAVE_PERL_TRUE@ geoip2 glue idna include-multiplecfg inline \ -@HAVE_PERL_TRUE@ integrity hooks host journal keepalive \ -@HAVE_PERL_TRUE@ keyfromlabel legacy limits logfileconfig \ -@HAVE_PERL_TRUE@ masterfile masterformat metadata mirror mkeys \ -@HAVE_PERL_TRUE@ names notify nsec3 nslookup padding pending \ -@HAVE_PERL_TRUE@ redirect rndc rootkeysentinel rpz rrchecker \ -@HAVE_PERL_TRUE@ rrl rrsetorder rsabigexponent runtime sfcache \ -@HAVE_PERL_TRUE@ smartsign sortlist spf staticstub stub \ -@HAVE_PERL_TRUE@ synthfromdnssec tkey tools transport-acl tsig \ -@HAVE_PERL_TRUE@ tsiggss ttl unknown verify views wildcard \ -@HAVE_PERL_TRUE@ xferquota zonechecks $(am__append_5) \ -@HAVE_PERL_TRUE@ $(am__append_6) $(am__append_7) \ -@HAVE_PERL_TRUE@ $(am__append_8) $(am__append_9) \ -@HAVE_PERL_TRUE@ $(am__append_10) $(am__append_11) \ -@HAVE_PERL_TRUE@ $(am__append_12) $(am__append_13) \ -@HAVE_PERL_TRUE@ $(am__append_14) $(am__append_15) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@feature_test_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@makejournal_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@makejournal_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@pipelined_pipequeries_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@pipelined_pipequeries_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@resolve_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBISC_CFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBIRS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@resolve_LDADD = $(LIBISC_LIBS) $(LIBIRS_LIBS) $(LIBDNS_LIBS) +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@rpz_dnsrps_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@rpz_dnsrps_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keycreate_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keycreate_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keydelete_CPPFLAGS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(AM_CPPFLAGS) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_CFLAGS) + +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@tkey_keydelete_LDADD = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LDADD) \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ $(LIBDNS_LIBS) + + +# Longer running tests are listed (and executed) first to take the most +# advantage of parallel execution. +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@TESTS = \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpz \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpzrecurse \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ serve-stale \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ timeouts \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ upforwd \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ acl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ additional \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ addzone \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ allow-query \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ auth \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ autosign \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ builtin \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ cacheclean \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ case \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ catz \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ cds \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ chain \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checkconf \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checkds \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checknames \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ checkzone \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ cookie \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ database \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dialup \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ digdelv \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dispatch \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dlzexternal \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dns64 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dnssec \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dnstap \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ doth \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dsdigest \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dupsigs \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ dyndb \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ecdsa \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ eddsa \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ednscompliance \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ emptyzones \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ enginepkcs11 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ filter-aaaa \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ fetchlimit \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ formerr \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ forward \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ geoip2 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ glue \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ idna \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ include-multiplecfg \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ inline \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ integrity \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ixfr \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ hooks \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ host \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ journal \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ kasp \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ keepalive \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ keyfromlabel \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ keymgr2kasp \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ legacy \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ limits \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ logfileconfig \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ masterfile \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ masterformat \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ metadata \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ mirror \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ mkeys \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ names \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ notify \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nsec3 \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nslookup \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nsupdate \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ nzd2nzf \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ padding \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ pending \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ pipelined \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ qmin \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ reclimit \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ redirect \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ resolver \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rndc \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rootkeysentinel \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rpzextra \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rrchecker \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rrl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rrsetorder \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ rsabigexponent \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ runtime \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ sfcache \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ shutdown \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ smartsign \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ sortlist \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ spf \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ staticstub \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ statistics \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ statschannel \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ stress \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ stub \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ synthfromdnssec \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tcp \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tkey \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tools \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ transport-acl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tsig \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ tsiggss \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ ttl \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ unknown \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ verify \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ views \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ wildcard \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ xfer \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ xferquota \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ zero \ +@HAVE_PERL_TRUE@@HAVE_PYTEST_TRUE@@HAVE_PYTHON_TRUE@ zonechecks + LOG_DRIVER_V = $(LOG_DRIVER_V_@AM_V@) LOG_DRIVER_V_ = $(LOG_DRIVER_V_@AM_DEFAULT_V@) LOG_DRIVER_V_0 = --verbose no LOG_DRIVER_V_1 = --verbose yes LOG_DRIVER = $(srcdir)/custom-test-driver AM_LOG_DRIVER_FLAGS = $(LOG_DRIVER_V) -LOG_COMPILER = $(builddir)/legacy.run.sh -AM_LOG_FLAGS = -r +LOG_COMPILER = $(srcdir)/run.sh all: all-recursive .SUFFIXES: @@ -1369,9 +1445,9 @@ recheck: all am__force_recheck=am--force-recheck \ TEST_LOGS="$$log_list"; \ exit $$? -serve-stale.log: serve-stale - @p='serve-stale'; \ - b='serve-stale'; \ +rpz.log: rpz + @p='rpz'; \ + b='rpz'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1383,9 +1459,23 @@ rpzrecurse.log: rpzrecurse --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -doth.log: doth - @p='doth'; \ - b='doth'; \ +serve-stale.log: serve-stale + @p='serve-stale'; \ + b='serve-stale'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +timeouts.log: timeouts + @p='timeouts'; \ + b='timeouts'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +upforwd.log: upforwd + @p='upforwd'; \ + b='upforwd'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1467,6 +1557,13 @@ cds.log: cds --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +chain.log: chain + @p='chain'; \ + b='chain'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) checkconf.log: checkconf @p='checkconf'; \ b='checkconf'; \ @@ -1474,6 +1571,13 @@ checkconf.log: checkconf --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +checkds.log: checkds + @p='checkds'; \ + b='checkds'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) checknames.log: checknames @p='checknames'; \ b='checknames'; \ @@ -1488,6 +1592,13 @@ checkzone.log: checkzone --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +cookie.log: cookie + @p='cookie'; \ + b='cookie'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) database.log: database @p='database'; \ b='database'; \ @@ -1502,6 +1613,20 @@ dialup.log: dialup --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +digdelv.log: digdelv + @p='digdelv'; \ + b='digdelv'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dispatch.log: dispatch + @p='dispatch'; \ + b='dispatch'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) dlzexternal.log: dlzexternal @p='dlzexternal'; \ b='dlzexternal'; \ @@ -1516,6 +1641,27 @@ dns64.log: dns64 --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +dnssec.log: dnssec + @p='dnssec'; \ + b='dnssec'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dnstap.log: dnstap + @p='dnstap'; \ + b='dnstap'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +doth.log: doth + @p='doth'; \ + b='doth'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) dsdigest.log: dsdigest @p='dsdigest'; \ b='dsdigest'; \ @@ -1579,6 +1725,13 @@ filter-aaaa.log: filter-aaaa --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +fetchlimit.log: fetchlimit + @p='fetchlimit'; \ + b='fetchlimit'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) formerr.log: formerr @p='formerr'; \ b='formerr'; \ @@ -1586,6 +1739,13 @@ formerr.log: formerr --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +forward.log: forward + @p='forward'; \ + b='forward'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) geoip2.log: geoip2 @p='geoip2'; \ b='geoip2'; \ @@ -1628,6 +1788,13 @@ integrity.log: integrity --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +ixfr.log: ixfr + @p='ixfr'; \ + b='ixfr'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) hooks.log: hooks @p='hooks'; \ b='hooks'; \ @@ -1649,6 +1816,13 @@ journal.log: journal --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +kasp.log: kasp + @p='kasp'; \ + b='kasp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) keepalive.log: keepalive @p='keepalive'; \ b='keepalive'; \ @@ -1663,6 +1837,13 @@ keyfromlabel.log: keyfromlabel --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +keymgr2kasp.log: keymgr2kasp + @p='keymgr2kasp'; \ + b='keymgr2kasp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) legacy.log: legacy @p='legacy'; \ b='legacy'; \ @@ -1747,6 +1928,20 @@ nslookup.log: nslookup --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +nsupdate.log: nsupdate + @p='nsupdate'; \ + b='nsupdate'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +nzd2nzf.log: nzd2nzf + @p='nzd2nzf'; \ + b='nzd2nzf'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) padding.log: padding @p='padding'; \ b='padding'; \ @@ -1761,6 +1956,27 @@ pending.log: pending --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +pipelined.log: pipelined + @p='pipelined'; \ + b='pipelined'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +qmin.log: qmin + @p='qmin'; \ + b='qmin'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +reclimit.log: reclimit + @p='reclimit'; \ + b='reclimit'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) redirect.log: redirect @p='redirect'; \ b='redirect'; \ @@ -1768,6 +1984,13 @@ redirect.log: redirect --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +resolver.log: resolver + @p='resolver'; \ + b='resolver'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) rndc.log: rndc @p='rndc'; \ b='rndc'; \ @@ -1782,9 +2005,9 @@ rootkeysentinel.log: rootkeysentinel --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -rpz.log: rpz - @p='rpz'; \ - b='rpz'; \ +rpzextra.log: rpzextra + @p='rpzextra'; \ + b='rpzextra'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -1831,6 +2054,13 @@ sfcache.log: sfcache --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +shutdown.log: shutdown + @p='shutdown'; \ + b='shutdown'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) smartsign.log: smartsign @p='smartsign'; \ b='smartsign'; \ @@ -1859,6 +2089,27 @@ staticstub.log: staticstub --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +statistics.log: statistics + @p='statistics'; \ + b='statistics'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +statschannel.log: statschannel + @p='statschannel'; \ + b='statschannel'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +stress.log: stress + @p='stress'; \ + b='stress'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) stub.log: stub @p='stub'; \ b='stub'; \ @@ -1873,6 +2124,13 @@ synthfromdnssec.log: synthfromdnssec --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +tcp.log: tcp + @p='tcp'; \ + b='tcp'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) tkey.log: tkey @p='tkey'; \ b='tkey'; \ @@ -1943,97 +2201,6 @@ wildcard.log: wildcard --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -xferquota.log: xferquota - @p='xferquota'; \ - b='xferquota'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -zonechecks.log: zonechecks - @p='zonechecks'; \ - b='zonechecks'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -nzd2nzf.log: nzd2nzf - @p='nzd2nzf'; \ - b='nzd2nzf'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -fetchlimit.log: fetchlimit - @p='fetchlimit'; \ - b='fetchlimit'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -ixfr.log: ixfr - @p='ixfr'; \ - b='ixfr'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -nsupdate.log: nsupdate - @p='nsupdate'; \ - b='nsupdate'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -resolver.log: resolver - @p='resolver'; \ - b='resolver'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -statistics.log: statistics - @p='statistics'; \ - b='statistics'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -stress.log: stress - @p='stress'; \ - b='stress'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -upforwd.log: upforwd - @p='upforwd'; \ - b='upforwd'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -zero.log: zero - @p='zero'; \ - b='zero'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -dnstap.log: dnstap - @p='dnstap'; \ - b='dnstap'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -statschannel.log: statschannel - @p='statschannel'; \ - b='statschannel'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) xfer.log: xfer @p='xfer'; \ b='xfer'; \ @@ -2041,114 +2208,23 @@ xfer.log: xfer --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -reclimit.log: reclimit - @p='reclimit'; \ - b='reclimit'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -kasp.log: kasp - @p='kasp'; \ - b='kasp'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -keymgr2kasp.log: keymgr2kasp - @p='keymgr2kasp'; \ - b='keymgr2kasp'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -tcp.log: tcp - @p='tcp'; \ - b='tcp'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -pipelined.log: pipelined - @p='pipelined'; \ - b='pipelined'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -checkds.log: checkds - @p='checkds'; \ - b='checkds'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -dispatch.log: dispatch - @p='dispatch'; \ - b='dispatch'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -rpzextra.log: rpzextra - @p='rpzextra'; \ - b='rpzextra'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -shutdown.log: shutdown - @p='shutdown'; \ - b='shutdown'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -timeouts.log: timeouts - @p='timeouts'; \ - b='timeouts'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -qmin.log: qmin - @p='qmin'; \ - b='qmin'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -cookie.log: cookie - @p='cookie'; \ - b='cookie'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -digdelv.log: digdelv - @p='digdelv'; \ - b='digdelv'; \ - $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ - --log-file $$b.log --trs-file $$b.trs \ - $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ - "$$tst" $(AM_TESTS_FD_REDIRECT) -dnssec.log: dnssec - @p='dnssec'; \ - b='dnssec'; \ +xferquota.log: xferquota + @p='xferquota'; \ + b='xferquota'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -forward.log: forward - @p='forward'; \ - b='forward'; \ +zero.log: zero + @p='zero'; \ + b='zero'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) -chain.log: chain - @p='chain'; \ - b='chain'; \ +zonechecks.log: zonechecks + @p='zonechecks'; \ + b='zonechecks'; \ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ @@ -2400,16 +2476,20 @@ dist-hook: sed -n "s|^Would remove \(.*\)|$(distdir)/\1|p" | \ xargs -I{} rm -rf "{}" +@HAVE_PERL_TRUE@@HAVE_PYTEST_FALSE@@HAVE_PYTHON_TRUE@check: +@HAVE_PERL_TRUE@@HAVE_PYTEST_FALSE@@HAVE_PYTHON_TRUE@ echo pytest is not available, no tests were ran +@HAVE_PERL_TRUE@@HAVE_PYTEST_FALSE@@HAVE_PYTHON_TRUE@ exit 1 +@HAVE_PERL_TRUE@@HAVE_PYTHON_FALSE@check: +@HAVE_PERL_TRUE@@HAVE_PYTHON_FALSE@ echo Python is not available, no tests were ran +@HAVE_PERL_TRUE@@HAVE_PYTHON_FALSE@ exit 1 @HAVE_PERL_FALSE@check: @HAVE_PERL_FALSE@ echo Perl is not available, no tests were ran @HAVE_PERL_FALSE@ exit 1 -$(TESTS): legacy.run.sh - test-local: check clean-local:: - -find $(builddir) -maxdepth 1 -type d -name "*_*" | xargs rm -rf + -find -L . -mindepth 1 -maxdepth 1 -type d -name "*_*" -and -not -name "_common" -exec rm -rf {} \; # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/bin/tests/system/README b/bin/tests/system/README index 265a9ef..cb9f71b 100644 --- a/bin/tests/system/README +++ b/bin/tests/system/README @@ -14,10 +14,9 @@ Introduction This directory holds a simple test environment for running bind9 system tests involving multiple name servers. -With the exception of "common" (which holds configuration information common to -multiple tests), each directory holds a set of scripts and configuration -files to test different parts of BIND. The directories are named for the -aspect of BIND they test, for example: +Each system test directory holds a set of scripts and configuration files to +test different parts of BIND. The directories are named for the aspect of BIND +they test, for example: dnssec/ DNSSEC tests forward/ Forwarding tests @@ -25,6 +24,9 @@ aspect of BIND they test, for example: etc. +A system test directory must start with an alphabetic character and may not +contain any special characters. Only hyphen may be used as a word separator. + Typically each set of tests sets up 2-5 name servers and then performs one or more tests against them. Within the test subdirectory, each name server has a separate subdirectory containing its configuration data. These subdirectories @@ -323,6 +325,8 @@ setup.sh Run after prereq.sh, this sets up the preconditions for the tests. tests.sh Runs the actual tests. This file is mandatory. +tests_sh_xyz.py A glue file for the pytest runner for executing shell tests. + clean.sh Run at the end to clean up temporary files, but only if the test was completed successfully and its running was not inhibited by the "-n" switch being passed to "legacy.run.sh". Otherwise the @@ -542,6 +546,17 @@ e. Retain a count of test failures and return this as the exit status from the script. +tests_sh_xyz.py +--------------- +This glue file is required by the pytest runner in order to find and execute +the shell tests in tests.sh. + +Replace the "xyz" with the system test name and create the file with the +following contents. + + def test_xyz(run_tests_sh): + run_tests_sh() + clean.sh --- The inverse of "setup.sh", this is invoked by the framework to clean up the @@ -695,13 +710,13 @@ or SEQUENTIAL variables. need to edit multiple files to add a test.) -Valgrind +rr --- -When running system tests, named can be run under Valgrind. The output from -Valgrind are sent to per-process files that can be reviewed after the test has -completed. To enable this, set the USE_VALGRIND environment variable to -"helgrind" to run the Helgrind tool, or any other value to run the Memcheck -tool. To use "helgrind" effectively, build BIND with --disable-atomic. + +When running system tests, named can be run under the rr tool. rr records a +trace to the $system_test/nsX/named-Y/ directory, which can be later used to +replay named. To enable this, execute start.pl with the USE_RR environment +variable set. Developer Notes for pytest runner === diff --git a/bin/tests/system/common/controls.conf.in b/bin/tests/system/_common/controls.conf.in index 1db9286..1db9286 100644 --- a/bin/tests/system/common/controls.conf.in +++ b/bin/tests/system/_common/controls.conf.in diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/_common/rndc.conf index b887ec3..b887ec3 100644 --- a/bin/tests/system/common/rndc.conf +++ b/bin/tests/system/_common/rndc.conf diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/_common/rndc.key index 3ef41c3..3ef41c3 100644 --- a/bin/tests/system/common/rndc.key +++ b/bin/tests/system/_common/rndc.key diff --git a/bin/tests/system/common/root.hint b/bin/tests/system/_common/root.hint index e0f186c..e0f186c 100644 --- a/bin/tests/system/common/root.hint +++ b/bin/tests/system/_common/root.hint diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index c3343a3..d87b1a7 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -47,7 +47,7 @@ key two { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in index ac9ac84..2456e99 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -47,7 +47,7 @@ key two { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in index efa73fa..99320a7 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -60,7 +60,7 @@ acl accept { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in index 54c0da3..08bd80c 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -59,7 +59,7 @@ acl check2 { !key two; 10.53.0.2; }; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in index e5b57f0..94371d0 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -49,7 +49,7 @@ key two { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index 48536da..4e6c241 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 t=0 @@ -25,15 +25,20 @@ echo_i "testing basic ACL processing" # key "one" should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # any other key should be fine t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} copy_setports ns2/named2.conf.in ns2/named.conf rndc_reload ns2 10.53.0.2 @@ -42,19 +47,28 @@ sleep 5 # prefix 10/8 should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # any other address should work, as long as it sends key "one" t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} echo_i "testing nested ACL processing" # all combinations of 10.53.0.{1|2} with key {one|two}, should succeed @@ -65,43 +79,64 @@ sleep 5 # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # but only one or the other should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $tt failed" + status=1 +} # and other values? right out t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two copy_setports ns2/named4.conf.in ns2/named.conf @@ -111,32 +146,47 @@ sleep 5 # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should succeed t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 && { + echo_i "test $t failed" + status=1 +} # should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} # should fail t=$((t + 1)) $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 >dig.out.${t} +grep "^;" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} echo_i "testing allow-query-on ACL processing" copy_setports ns2/named5.conf.in ns2/named.conf @@ -144,27 +194,30 @@ rndc_reload ns2 10.53.0.2 sleep 5 t=$((t + 1)) $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.${t} -grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + @10.53.0.2 -b 10.53.0.3 >dig.out.${t} +grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { + echo_i "test $t failed" + status=1 +} echo_i "testing blackhole ACL processing" t=$((t + 1)) ret=0 $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.1.${t} -grep "status: NOERROR" dig.out.1.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.3 >dig.out.1.${t} +grep "status: NOERROR" dig.out.1.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} +tcp soa example. \ - @10.53.0.2 -b 10.53.0.8 > dig.out.2.${t} && ret=1 -grep "status: NOERROR" dig.out.2.${t} > /dev/null 2>&1 && ret=1 -grep "communications error" dig.out.2.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.8 >dig.out.2.${t} && ret=1 +grep "status: NOERROR" dig.out.2.${t} >/dev/null 2>&1 && ret=1 +grep "communications error" dig.out.2.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} soa example. \ - @10.53.0.2 -b 10.53.0.3 > dig.out.3.${t} -grep "status: NOERROR" dig.out.3.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.3 >dig.out.3.${t} +grep "status: NOERROR" dig.out.3.${t} >/dev/null 2>&1 || ret=1 $DIG -p ${PORT} soa example. \ - @10.53.0.2 -b 10.53.0.8 > dig.out.4.${t} && ret=1 -grep "status: NOERROR" dig.out.4.${t} > /dev/null 2>&1 && ret=1 -grep "timed out" dig.out.4.${t} > /dev/null 2>&1 || ret=1 -grep ";; no servers could be reached" dig.out.4.${t} > /dev/null 2>&1 || ret=1 + @10.53.0.2 -b 10.53.0.8 >dig.out.4.${t} && ret=1 +grep "status: NOERROR" dig.out.4.${t} >/dev/null 2>&1 && ret=1 +grep "timed out" dig.out.4.${t} >/dev/null 2>&1 || ret=1 +grep ";; no servers could be reached" dig.out.4.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -179,7 +232,7 @@ sleep 1 t=$((t + 1)) ret=0 echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -192,7 +245,7 @@ sleep 1 t=$((t + 1)) ret=0 echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.3 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -208,7 +261,7 @@ sleep 1 t=$((t + 1)) ret=0 echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -221,7 +274,7 @@ sleep 1 t=$((t + 1)) ret=0 echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})" -$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1 +$DIG -p ${PORT} @10.53.0.4 example.com axfr >dig.out.${t} 2>&1 grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) diff --git a/bin/tests/system/additional/ns1/named1.conf.in b/bin/tests/system/additional/ns1/named1.conf.in index d058d1e..0d07e54 100644 --- a/bin/tests/system/additional/ns1/named1.conf.in +++ b/bin/tests/system/additional/ns1/named1.conf.in @@ -25,7 +25,7 @@ options { minimal-responses yes; }; -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/additional/ns1/named2.conf.in b/bin/tests/system/additional/ns1/named2.conf.in index 56c6d4b..efed639 100644 --- a/bin/tests/system/additional/ns1/named2.conf.in +++ b/bin/tests/system/additional/ns1/named2.conf.in @@ -25,7 +25,7 @@ options { minimal-responses no; }; -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/additional/ns1/named3.conf.in b/bin/tests/system/additional/ns1/named3.conf.in index ad453a3..0ff7125 100644 --- a/bin/tests/system/additional/ns1/named3.conf.in +++ b/bin/tests/system/additional/ns1/named3.conf.in @@ -26,7 +26,7 @@ options { minimal-responses no-auth; }; -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/additional/ns1/named4.conf.in b/bin/tests/system/additional/ns1/named4.conf.in index 69479b9..8c53086 100644 --- a/bin/tests/system/additional/ns1/named4.conf.in +++ b/bin/tests/system/additional/ns1/named4.conf.in @@ -25,7 +25,7 @@ options { minimal-responses no-auth-recursive; }; -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh index a50004c..193c9f9 100644 --- a/bin/tests/system/additional/tests.sh +++ b/bin/tests/system/additional/tests.sh @@ -16,235 +16,251 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 dotests() { - n=$((n + 1)) - echo_i "test with RT, single zone (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with RT, two zones (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NAPTR, single zone (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NAPTR, two zones (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with LP (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - case $minimal in + n=$((n + 1)) + echo_i "test with RT, single zone (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with RT, two zones (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NAPTR, single zone (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NAPTR, two zones (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with LP (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + case $minimal in no) - grep -w "NS" dig.out.$n > /dev/null || ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null || ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; yes) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 ;; no-auth) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; no-auth-recursive) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; - esac - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NID (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NID + LP (+rec) ($n)" - ret=0 - $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with RT, single zone (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with RT, two zones (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NAPTR, single zone (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NAPTR, two zones (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with LP (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - case $minimal in + esac + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NID (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NID + LP (+rec) ($n)" + ret=0 + $DIG $DIGOPTS +rec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with RT, single zone (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t RT rt.rt.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with RT, two zones (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t RT rt.rt2.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NAPTR, single zone (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NAPTR nap.naptr.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NAPTR, two zones (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NAPTR nap.hang3b.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with LP (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t LP nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + case $minimal in no) - grep -w "NS" dig.out.$n > /dev/null || ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null || ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; yes) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 ;; no-auth) - grep -w "NS" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; no-auth-recursive) - grep -w "NS" dig.out.$n > /dev/null || ret=1 - grep -w "L64" dig.out.$n > /dev/null || ret=1 - grep -w "L32" dig.out.$n > /dev/null || ret=1 + grep -w "NS" dig.out.$n >/dev/null || ret=1 + grep -w "L64" dig.out.$n >/dev/null || ret=1 + grep -w "L32" dig.out.$n >/dev/null || ret=1 ;; - esac - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NID (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NID + LP (+norec) ($n)" - ret=0 - $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 > dig.out.$n || ret=1 - if [ $minimal = no ] ; then - # change && to || when we support NID additional processing - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - else - grep -w "LP" dig.out.$n > /dev/null && ret=1 - grep -w "L64" dig.out.$n > /dev/null && ret=1 - grep -w "L32" dig.out.$n > /dev/null && ret=1 - fi - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NS, root zone ($n)" - ret=0 - $DIG $DIGOPTS -t NS . @10.53.0.1 > dig.out.$n || ret=1 - # Always expect glue for root priming queries, regardless $minimal - grep 'ADDITIONAL: 3' dig.out.$n > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi - - n=$((n + 1)) - echo_i "test with NS, non-root zone ($n)" - ret=0 - $DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1 - case $minimal in + esac + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NID (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NID ns1.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NID + LP (+norec) ($n)" + ret=0 + $DIG $DIGOPTS +norec -t NID nid2.nid.example @10.53.0.1 >dig.out.$n || ret=1 + if [ $minimal = no ]; then + # change && to || when we support NID additional processing + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + else + grep -w "LP" dig.out.$n >/dev/null && ret=1 + grep -w "L64" dig.out.$n >/dev/null && ret=1 + grep -w "L32" dig.out.$n >/dev/null && ret=1 + fi + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NS, root zone ($n)" + ret=0 + $DIG $DIGOPTS -t NS . @10.53.0.1 >dig.out.$n || ret=1 + # Always expect glue for root priming queries, regardless $minimal + grep 'ADDITIONAL: 3' dig.out.$n >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi + + n=$((n + 1)) + echo_i "test with NS, non-root zone ($n)" + ret=0 + $DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1 + case $minimal in yes) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; no) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; no-auth) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; no-auth-recursive) - grep 'ADDITIONAL: 2' dig.out.$n > /dev/null || ret=1 + grep 'ADDITIONAL: 2' dig.out.$n >/dev/null || ret=1 ;; - esac - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) - fi + esac + if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) + fi } echo_i "testing with 'minimal-responses yes;'" @@ -262,10 +278,11 @@ dotests n=$((n + 1)) echo_i "testing with 'minimal-any no;' ($n)" ret=0 -$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "reconfiguring server: minimal-any yes" @@ -275,28 +292,31 @@ rndc_reconfig ns1 10.53.0.1 n=$((n + 1)) echo_i "testing with 'minimal-any yes;' over UDP ($n)" ret=0 -$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi n=$((n + 1)) echo_i "testing with 'minimal-any yes;' over TCP ($n)" ret=0 -$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY +tcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi n=$((n + 1)) echo_i "testing with 'minimal-any yes;' over UDP ($n)" ret=0 -$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY +notcp www.rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "testing with 'minimal-responses no-auth;'" @@ -314,23 +334,25 @@ dotests n=$((n + 1)) echo_i "testing returning TLSA records with MX query ($n)" ret=0 -$DIG $DIGOPTS -t mx mx.example @10.53.0.1 > dig.out.$n || ret=1 -grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n > /dev/null || ret=1 -grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1 -grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t mx mx.example @10.53.0.1 >dig.out.$n || ret=1 +grep "mx\.example\..*MX.0 mail\.mx\.example" dig.out.$n >/dev/null || ret=1 +grep "mail\.mx\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1 +grep "_25\._tcp\.mail\.mx\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi n=$((n + 1)) echo_i "testing returning TLSA records with SRV query ($n)" ret=0 -$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 > dig.out.$n || ret=1 -grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n > /dev/null || ret=1 -grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n > /dev/null || ret=1 -grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t srv _xmpp-client._tcp.srv.example @10.53.0.1 >dig.out.$n || ret=1 +grep "_xmpp-client\._tcp\.srv\.example\..*SRV.1 0 5222 server\.srv\.example" dig.out.$n >/dev/null || ret=1 +grep "server\.srv\.example\..*A.1\.2\.3\.4" dig.out.$n >/dev/null || ret=1 +grep "_5222\._tcp\.server\.srv\.example\..*TLSA.3 0 1 5B30F9602297D558EB719162C225088184FAA32CA45E1ED15DE58A21 D9FCE383" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "reconfiguring server: minimal-responses no" @@ -340,39 +362,43 @@ rndc_reconfig ns1 10.53.0.1 n=$((n + 1)) echo_i "testing NS handling in ANY responses (authoritative) ($n)" ret=0 -$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 -grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 +grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi n=$((n + 1)) echo_i "testing NS handling in ANY responses (recursive) ($n)" ret=0 -$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 > dig.out.$n || ret=1 -grep "AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 -grep "NS[ ]*ns" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t ANY rt.example @10.53.0.3 >dig.out.$n || ret=1 +grep "AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 +grep "NS[ ]*ns" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi n=$((n + 1)) echo_i "testing out-of-zone additional data from auth zones (authoritative) ($n)" ret=0 -$DIG $DIGOPTS -t NS rt.example @10.53.0.1 > dig.out.$n || ret=1 -grep "ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t NS rt.example @10.53.0.1 >dig.out.$n || ret=1 +grep "ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi n=$((n + 1)) echo_i "testing out-of-zone additional data from auth zones (recursive) ($n)" ret=0 -$DIG $DIGOPTS -t NS ex @10.53.0.3 > dig.out.$n || ret=1 -grep "ADDITIONAL: 3" dig.out.$n > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=$((status+1)) +$DIG $DIGOPTS -t NS ex @10.53.0.3 >dig.out.$n || ret=1 +grep "ADDITIONAL: 3" dig.out.$n >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "exit status: $status" diff --git a/bin/tests/system/addzone/ns1/named.conf.in b/bin/tests/system/addzone/ns1/named.conf.in index 9015e1b..8c94791 100644 --- a/bin/tests/system/addzone/ns1/named.conf.in +++ b/bin/tests/system/addzone/ns1/named.conf.in @@ -33,7 +33,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "inlinesec.example" { diff --git a/bin/tests/system/addzone/ns2/named1.conf.in b/bin/tests/system/addzone/ns2/named1.conf.in index 23be60e..bd94f6e 100644 --- a/bin/tests/system/addzone/ns2/named1.conf.in +++ b/bin/tests/system/addzone/ns2/named1.conf.in @@ -22,7 +22,7 @@ options { dnssec-validation no; }; -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -30,7 +30,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/addzone/ns2/named2.conf.in b/bin/tests/system/addzone/ns2/named2.conf.in index 8b0f23d..ef9adeb 100644 --- a/bin/tests/system/addzone/ns2/named2.conf.in +++ b/bin/tests/system/addzone/ns2/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -36,7 +36,7 @@ view internal { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "policy" { @@ -51,7 +51,7 @@ view external { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; diff --git a/bin/tests/system/addzone/ns2/named3.conf.in b/bin/tests/system/addzone/ns2/named3.conf.in index 7078ce9..ca934c4 100644 --- a/bin/tests/system/addzone/ns2/named3.conf.in +++ b/bin/tests/system/addzone/ns2/named3.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -36,7 +36,7 @@ view internal { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "policy" { @@ -51,7 +51,7 @@ view directory { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; @@ -61,7 +61,7 @@ view external { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; diff --git a/bin/tests/system/addzone/ns3/named1.conf.in b/bin/tests/system/addzone/ns3/named1.conf.in index 6c512a6..0202b8e 100644 --- a/bin/tests/system/addzone/ns3/named1.conf.in +++ b/bin/tests/system/addzone/ns3/named1.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/addzone/ns3/named2.conf.in b/bin/tests/system/addzone/ns3/named2.conf.in index 6ca25f1..2e95b4c 100644 --- a/bin/tests/system/addzone/ns3/named2.conf.in +++ b/bin/tests/system/addzone/ns3/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh index 2937e79..39b4fdb 100755 --- a/bin/tests/system/addzone/tests.sh +++ b/bin/tests/system/addzone/tests.sh @@ -16,12 +16,12 @@ set -e . ../conf.sh DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnssec -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" check_zonestatus() ( - $RNDCCMD "10.53.0.$1" zonestatus -redirect > "zonestatus.out.ns$1.$n" && - grep "type: redirect" "zonestatus.out.ns$1.$n" > /dev/null && - grep "serial: 1" "zonestatus.out.ns$1.$n" > /dev/null + $RNDCCMD "10.53.0.$1" zonestatus -redirect >"zonestatus.out.ns$1.$n" \ + && grep "type: redirect" "zonestatus.out.ns$1.$n" >/dev/null \ + && grep "serial: 1" "zonestatus.out.ns$1.$n" >/dev/null ) status=0 @@ -29,9 +29,9 @@ n=0 echo_i "checking normally loaded zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -40,28 +40,28 @@ status=$((status + ret)) # NZF to NZD occurs during named startup echo_i "checking previously added zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.previous.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.previous.example' dig.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if $FEATURETEST --with-lmdb; then - echo_i "checking that existing NZF file was renamed after migration ($n)" - [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "checking that existing NZF file was renamed after migration ($n)" + [ -e ns2/3bf305731dd26307.nzf~ ] || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "adding new zone ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' -_check_adding_new_zone () ( - $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.added.example' dig.out.ns2.$n > /dev/null +_check_adding_new_zone() ( + $DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_adding_new_zone || ret=1 n=$((n + 1)) @@ -71,7 +71,7 @@ status=$((status + ret)) nextpart ns2/named.run >/dev/null echo_i "checking addzone errors are logged correctly" ret=0 -$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone bad.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1 wait_for_log_peek 20 "addzone: 'mister' unexpected" ns2/named.run || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -80,7 +80,7 @@ status=$((status + ret)) nextpart ns2/named.run >/dev/null echo_i "checking modzone errors are logged correctly" ret=0 -$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 modzone added.example '{ type mister; };' 2>&1 | grep 'unexpected token' >/dev/null 2>&1 || ret=1 wait_for_log_peek 20 "modzone: 'mister' unexpected" ns2/named.run || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -91,9 +91,9 @@ ret=0 $RNDCCMD 10.53.0.2 addzone '"32/1.0.0.127-in-addr.added.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' _check_zone_that_requires_quotes() ( - $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 "a.32/1.0.0.127-in-addr.added.example" a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.32/1.0.0.127-in-addr.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_zone_that_requires_quotes || ret=1 n=$((n + 1)) @@ -104,9 +104,9 @@ echo_i "adding a zone with a quote in the name ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone '"foo\"bar.example" { check-names ignore; type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' _check_zone_with_a_quote() ( - $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.foo\\"bar.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.foo\\"bar.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_zone_with_a_quote || ret=1 n=$((n + 1)) @@ -115,30 +115,30 @@ status=$((status + ret)) echo_i "adding new zone with missing file ($n)" ret=0 -$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.pre.$n || ret=1 -grep "status: REFUSED" dig.out.ns2.pre.$n > /dev/null || ret=1 -$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2> rndc.out.ns2.$n && ret=1 -grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1 -$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a > dig.out.ns2.post.$n || ret=1 -grep "status: REFUSED" dig.out.ns2.post.$n > /dev/null || ret=1 +$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.pre.$n || ret=1 +grep "status: REFUSED" dig.out.ns2.pre.$n >/dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'missing.example { type primary; file "missing.db"; };' 2>rndc.out.ns2.$n && ret=1 +grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1 +$DIG $DIGOPTS +all @10.53.0.2 a.missing.example a >dig.out.ns2.post.$n || ret=1 +grep "status: REFUSED" dig.out.ns2.post.$n >/dev/null || ret=1 digcomp dig.out.ns2.pre.$n dig.out.ns2.post.$n || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if ! $FEATURETEST --with-lmdb; then - echo_i "verifying no comments in NZF file ($n)" - ret=0 - hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l) - [ $hcount -eq 0 ] || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "verifying no comments in NZF file ($n)" + ret=0 + hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l) + [ $hcount -eq 0 ] || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking rndc showzone with previously added zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 showzone previous.example > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 showzone previous.example >rndc.out.ns2.$n expected='zone "previous.example" { type primary; file "previous.db"; };' [ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1 n=$((n + 1)) @@ -146,20 +146,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if $FEATURETEST --with-lmdb; then - echo_i "checking zone is present in NZD ($n)" - ret=0 - $NZD2NZF ns2/_default.nzd | grep previous.example > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "checking zone is present in NZD ($n)" + ret=0 + $NZD2NZF ns2/_default.nzd | grep previous.example >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "deleting previously added zone ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone previous.example 2>&1 | sed 's/^/I:ns2 /' _check_deleting_previously_added_zone() ( - $DIG $DIGOPTS @10.53.0.2 a.previous.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep '^a.previous.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.previous.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! grep '^a.previous.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_previously_added_zone || ret=1 n=$((n + 1)) @@ -167,34 +167,34 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) check_nzd2nzf() ( - $NZD2NZF ns2/_default.nzd > nzd2nzf.out.$n && - ! grep previous.example nzd2nzf.out.$n > /dev/null + $NZD2NZF ns2/_default.nzd >nzd2nzf.out.$n \ + && ! grep previous.example nzd2nzf.out.$n >/dev/null ) if $FEATURETEST --with-lmdb; then - echo_i "checking zone was deleted from NZD ($n)" - retry_quiet 10 check_nzd2nzf || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "checking zone was deleted from NZD ($n)" + retry_quiet 10 check_nzd2nzf || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi if ! $FEATURETEST --with-lmdb; then - echo_i "checking NZF file now has comment ($n)" - ret=0 - hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l) - [ $hcount -eq 1 ] || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "checking NZF file now has comment ($n)" + ret=0 + hcount=$(grep "^# New zone file for view: _default" ns2/3bf305731dd26307.nzf | wc -l) + [ $hcount -eq 1 ] || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "deleting newly added zone added.example ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone added.example 2>&1 | sed 's/^/I:ns2 /' _check_deleting_newly_added_zone() ( - $DIG $DIGOPTS @10.53.0.2 a.added.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep '^a.added.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.added.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! grep '^a.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_newly_added_zone || ret=1 n=$((n + 1)) @@ -205,9 +205,9 @@ echo_i "deleting newly added zone with escaped quote ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone "foo\\\"bar.example" 2>&1 | sed 's/^/I:ns2 /' _check_deleting_newly_added_zone_quote() ( - $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep "^a.foo\"bar.example" dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 "a.foo\"bar.example" a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! grep "^a.foo\"bar.example" dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_newly_added_zone_quote || ret=1 n=$((n + 1)) @@ -216,7 +216,7 @@ status=$((status + ret)) echo_i "checking rndc showzone with a normally-loaded zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 showzone normal.example > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 showzone normal.example >rndc.out.ns2.$n expected='zone "normal.example" { type primary; file "normal.db"; };' [ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1 n=$((n + 1)) @@ -225,7 +225,7 @@ status=$((status + ret)) echo_i "checking rndc showzone with a normally-loaded zone with trailing dot ($n)" ret=0 -$RNDCCMD 10.53.0.2 showzone finaldot.example > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 showzone finaldot.example >rndc.out.ns2.$n expected='zone "finaldot.example." { type primary; file "normal.db"; };' [ "$(cat rndc.out.ns2.$n)" = "$expected" ] || ret=1 n=$((n + 1)) @@ -234,7 +234,7 @@ status=$((status + ret)) echo_i "checking rndc showzone with a normally-loaded redirect zone ($n)" ret=0 -$RNDCCMD 10.53.0.1 showzone -redirect > rndc.out.ns1.$n +$RNDCCMD 10.53.0.1 showzone -redirect >rndc.out.ns1.$n expected='zone "." { type redirect; file "redirect.db"; };' [ "$(cat rndc.out.ns1.$n)" = "$expected" ] || ret=1 n=$((n + 1)) @@ -243,9 +243,9 @@ status=$((status + ret)) echo_i "checking rndc zonestatus with a normally-loaded redirect zone ($n)" ret=0 -$RNDCCMD 10.53.0.1 zonestatus -redirect > rndc.out.ns1.$n -grep "type: redirect" rndc.out.ns1.$n > /dev/null || ret=1 -grep "serial: 0" rndc.out.ns1.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 zonestatus -redirect >rndc.out.ns1.$n +grep "type: redirect" rndc.out.ns1.$n >/dev/null || ret=1 +grep "serial: 0" rndc.out.ns1.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -254,7 +254,7 @@ echo_i "checking rndc reload with a normally-loaded redirect zone ($n)" ret=0 sleep 1 cp -f ns1/redirect.db.2 ns1/redirect.db -$RNDCCMD 10.53.0.1 reload -redirect > rndc.out.ns1.$n +$RNDCCMD 10.53.0.1 reload -redirect >rndc.out.ns1.$n retry_quiet 5 check_zonestatus 1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -262,13 +262,13 @@ status=$((status + ret)) echo_i "delete a normally-loaded zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone normal.example > rndc.out.ns2.$n 2>&1 -grep "is no longer active and will be deleted" rndc.out.ns2.$n > /dev/null || ret=11 -grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n > /dev/null || ret=1 -grep "must also be removed from named.conf." rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 delzone normal.example >rndc.out.ns2.$n 2>&1 +grep "is no longer active and will be deleted" rndc.out.ns2.$n >/dev/null || ret=11 +grep "To keep it from returning when the server is restarted" rndc.out.ns2.$n >/dev/null || ret=1 +grep "must also be removed from named.conf." rndc.out.ns2.$n >/dev/null || ret=1 _check_delete_normally_loaded_zone() ( - $DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.normal.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_delete_normally_loaded_zone || ret=1 @@ -279,9 +279,9 @@ status=$((status + ret)) echo_i "attempting to add primary zone with inline signing ($n)" $RNDCCMD 10.53.0.2 addzone 'inline.example { type primary; file "inline.db"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' _check_add_primary_zone_with_inline() ( - $DIG $DIGOPTS @10.53.0.2 a.inline.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.inline.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.inline.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.inline.example' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_add_primary_zone_with_inline || ret=1 n=$((n + 1)) @@ -290,8 +290,8 @@ status=$((status + ret)) echo_i "attempting to add primary zone with inline signing and missing file ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2> rndc.out.ns2.$n && ret=1 -grep "file not found" rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'inlinemissing.example { type primary; file "missing.db"; inline-signing yes; };' 2>rndc.out.ns2.$n && ret=1 +grep "file not found" rndc.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -299,9 +299,9 @@ status=$((status + ret)) echo_i "attempting to add secondary zone with inline signing ($n)" $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' _check_add_secondary_with_inline() ( - $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_add_secondary_with_inline || ret=1 n=$((n + 1)) @@ -311,14 +311,16 @@ status=$((status + ret)) echo_i "attempting to delete secondary zone with inline signing ($n)" ret=0 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1 -$RNDCCMD 10.53.0.2 delzone inlinesec.example > rndc.out2.test$n 2>&1 || ret=1 -test -f inlinesec.bk || -grep '^inlinesec.bk$' rndc.out2.test$n > /dev/null || { - echo_i "failed to report inlinesec.bk"; ret=1; +$RNDCCMD 10.53.0.2 delzone inlinesec.example >rndc.out2.test$n 2>&1 || ret=1 +test -f inlinesec.bk \ + || grep '^inlinesec.bk$' rndc.out2.test$n >/dev/null || { + echo_i "failed to report inlinesec.bk" + ret=1 } -test ! -f inlinesec.bk.signed || -grep '^inlinesec.bk.signed$' rndc.out2.test$n > /dev/null || { - echo_i "failed to report inlinesec.bk.signed"; ret=1; +test ! -f inlinesec.bk.signed \ + || grep '^inlinesec.bk.signed$' rndc.out2.test$n >/dev/null || { + echo_i "failed to report inlinesec.bk.signed" + ret=1 } n=$((n + 1)) status=$((status + ret)) @@ -326,9 +328,9 @@ status=$((status + ret)) echo_i "restoring secondary zone with inline signing ($n)" $RNDCCMD 10.53.0.2 addzone 'inlinesec.example { type secondary; primaries { 10.53.0.1; }; file "inlinesec.bk"; inline-signing yes; };' 2>&1 | sed 's/^/I:ns2 /' _check_restoring_secondary_with_inline() ( - $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a > dig.out.ns2.$n && - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null && - grep '^a.inlinesec.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.2 a.inlinesec.example a >dig.out.ns2.$n \ + && grep 'status: NOERROR' dig.out.ns2.$n >/dev/null \ + && grep '^a.inlinesec.example' dig.out.ns2.$n >/dev/null ) retry_quiet 5 _check_restoring_secondary_with_inline || ret=1 n=$((n + 1)) @@ -338,7 +340,7 @@ status=$((status + ret)) echo_i "deleting secondary zone with automatic zone file removal ($n)" ret=0 retry_quiet 10 test -f ns2/inlinesec.bk.signed -a -f ns2/inlinesec.bk || ret=1 -$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example > /dev/null 2>&1 +$RNDCCMD 10.53.0.2 delzone -clean inlinesec.example >/dev/null 2>&1 retry_quiet 10 test ! -f ns2/inlinesec.bk.signed -a ! -f ns2/inlinesec.bk n=$((n + 1)) status=$((status + ret)) @@ -346,38 +348,38 @@ status=$((status + ret)) echo_i "modifying zone configuration ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'mod.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/ns2 /' | cat_i -$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.1.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1 $RNDCCMD 10.53.0.2 modzone 'mod.example { type primary; file "added.db"; allow-query { none; }; };' 2>&1 | sed 's/^/ns2 /' | cat_i -$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns > dig.out.ns2.2.$n || ret=1 -$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' > /dev/null 2>&1 || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 mod.example ns >dig.out.ns2.2.$n || ret=1 +$RNDCCMD 10.53.0.2 showzone mod.example | grep 'allow-query { "none"; };' >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that adding a 'stub' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone 'stub.example { type stub; primaries { 1.2.3.4; }; file "stub.example.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that adding a 'static-stub' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone 'static-stub.example { type static-stub; server-addresses { 1.2.3.4; }; };' >rndc.out.ns2.$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that adding a 'primary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone '"." { type redirect; file "redirect.db"; };' >rndc.out.ns2.$n 2>&1 || ret=1 _check_add_primary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 && - grep "type redirect;" showzone.out.ns2.$n > /dev/null && - $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && - grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && - grep "serial: 0" zonestatus.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \ + && grep "type redirect;" showzone.out.ns2.$n >/dev/null \ + && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \ + && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \ + && grep "serial: 0" zonestatus.out.ns2.$n >/dev/null ) retry_quiet 10 _check_add_primary_redirect || ret=1 n=$((n + 1)) @@ -388,7 +390,7 @@ echo_i "check that reloading a added 'primary redirect' zone works ($n)" ret=0 sleep 1 cp -f ns2/redirect.db.2 ns2/redirect.db -$RNDCCMD 10.53.0.2 reload -redirect > rndc.out.ns2.$n +$RNDCCMD 10.53.0.2 reload -redirect >rndc.out.ns2.$n retry_quiet 10 check_zonestatus 2 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -396,17 +398,17 @@ status=$((status + ret)) echo_i "check that retransfer of a added 'primary redirect' zone fails ($n)" ret=0 -$RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && ret=1 +$RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that deleting a 'primary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1 _check_deleting_primary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true - grep 'not found' showzone.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true + grep 'not found' showzone.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_primary_redirect || ret=1 n=$((n + 1)) @@ -415,13 +417,13 @@ status=$((status + ret)) echo_i "check that adding a 'secondary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 addzone '"." { type redirect; primaries { 10.53.0.3;}; file "redirect.bk"; };' >rndc.out.ns2.$n 2>&1 || ret=1 _check_adding_secondary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 && - grep "type redirect;" showzone.out.ns2.$n > /dev/null && - $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && - grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && - grep "serial: 0" zonestatus.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 \ + && grep "type redirect;" showzone.out.ns2.$n >/dev/null \ + && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \ + && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \ + && grep "serial: 0" zonestatus.out.ns2.$n >/dev/null ) retry_quiet 10 _check_adding_secondary_redirect || ret=1 n=$((n + 1)) @@ -431,12 +433,12 @@ status=$((status + ret)) echo_i "check that retransfering a added 'secondary redirect' zone works ($n)" ret=0 cp -f ns3/redirect.db.2 ns3/redirect.db -$RNDCCMD 10.53.0.3 reload . > showzone.out.ns3.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 reload . >showzone.out.ns3.$n 2>&1 || ret=1 _check_retransfering_secondary_redirect() ( - $RNDCCMD 10.53.0.2 retransfer -redirect > rndc.out.ns2.$n 2>&1 && - $RNDCCMD 10.53.0.2 zonestatus -redirect > zonestatus.out.ns2.$n 2>&1 && - grep "type: redirect" zonestatus.out.ns2.$n > /dev/null && - grep "serial: 1" zonestatus.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 retransfer -redirect >rndc.out.ns2.$n 2>&1 \ + && $RNDCCMD 10.53.0.2 zonestatus -redirect >zonestatus.out.ns2.$n 2>&1 \ + && grep "type: redirect" zonestatus.out.ns2.$n >/dev/null \ + && grep "serial: 1" zonestatus.out.ns2.$n >/dev/null ) retry_quiet 10 _check_retransfering_secondary_redirect || ret=1 n=$((n + 1)) @@ -445,10 +447,10 @@ status=$((status + ret)) echo_i "check that deleting a 'secondary redirect' zone works ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone -redirect > rndc.out.ns2.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 delzone -redirect >rndc.out.ns2.$n 2>&1 || ret=1 _check_deleting_secondary_redirect() ( - $RNDCCMD 10.53.0.2 showzone -redirect > showzone.out.ns2.$n 2>&1 || true - grep 'not found' showzone.out.ns2.$n > /dev/null + $RNDCCMD 10.53.0.2 showzone -redirect >showzone.out.ns2.$n 2>&1 || true + grep 'not found' showzone.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_secondary_redirect || ret=1 n=$((n + 1)) @@ -457,32 +459,32 @@ status=$((status + ret)) echo_i "check that zone type 'hint' is properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone '"." { type hint; file "hints.db"; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that zone type 'forward' is properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'forward.example { type forward; forwarders { 1.2.3.4; }; forward only; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that zone type 'delegation-only' is properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'delegation-only.example { type delegation-only; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'in-view' zones are properly rejected ($n)" ret=0 -$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' > rndc.out.ns2.$n 2>&1 && ret=1 -grep "zones not supported by addzone" rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'in-view.example { in-view "_default"; };' >rndc.out.ns2.$n 2>&1 && ret=1 +grep "zones not supported by addzone" rndc.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -500,48 +502,48 @@ echo_i "adding new zone to external view ($n)" # the zone does not exist because a) it has not yet been loaded, b) # it failed to load, or c) it has been deleted. ret=0 -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1 $RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if ! $FEATURETEST --with-lmdb; then - echo_i "checking new NZF file has comment ($n)" - ret=0 - hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l) - [ $hcount -eq 1 ] || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "checking new NZF file has comment ($n)" + ret=0 + hcount=$(grep "^# New zone file for view: external" ns2/external.nzf | wc -l) + [ $hcount -eq 1 ] || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi if $FEATURETEST --with-lmdb; then - echo_i "verifying added.example in external view created an external.nzd DB ($n)" - ret=0 - [ -e ns2/external.nzd ] || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "verifying added.example in external view created an external.nzd DB ($n)" + ret=0 + [ -e ns2/external.nzd ] || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking rndc reload causes named to reload the external view's new zone config ($n)" ret=0 $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i _check_rndc_reload_external_view_config() ( - $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n && - grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null && - $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n && - grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null && - grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null + $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \ + && grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \ + && $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \ + && grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \ + && grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null ) retry_quiet 10 _check_rndc_reload_external_view_config || ret=1 n=$((n + 1)) @@ -550,15 +552,15 @@ status=$((status + ret)) echo_i "checking rndc showzone with newly added zone ($n)" _check_rndc_showzone_newly_added() ( - if ! $FEATURETEST --with-lmdb; then - expected='zone "added.example" in external { type primary; file "added.db"; };' - else - expected='zone "added.example" { type primary; file "added.db"; };' - fi - $RNDCCMD 10.53.0.2 showzone added.example in external > rndc.out.ns2.$n 2>/dev/null && - [ "$(cat rndc.out.ns2.$n)" = "$expected" ] + if ! $FEATURETEST --with-lmdb; then + expected='zone "added.example" in external { type primary; file "added.db"; };' + else + expected='zone "added.example" { type primary; file "added.db"; };' + fi + $RNDCCMD 10.53.0.2 showzone added.example in external >rndc.out.ns2.$n 2>/dev/null \ + && [ "$(cat rndc.out.ns2.$n)" = "$expected" ] ) -retry_quiet 10 _check_rndc_showzone_newly_added || ret=1 +retry_quiet 10 _check_rndc_showzone_newly_added || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -567,9 +569,9 @@ echo_i "deleting newly added zone ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' _check_deleting_newly_added_zone() ( - $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n && - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null && - ! grep '^a.added.example' dig.out.ns2.$n > /dev/null + $DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n \ + && grep 'status: REFUSED' dig.out.ns2.$n >/dev/null \ + && ! grep '^a.added.example' dig.out.ns2.$n >/dev/null ) retry_quiet 10 _check_deleting_newly_added_zone || ret=1 n=$((n + 1)) @@ -578,22 +580,22 @@ status=$((status + ret)) echo_i "attempting to add zone to internal view ($n)" ret=0 -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.pre.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.pre.$n > /dev/null || ret=1 -$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2> rndc.out.ns2.$n && ret=1 -grep "permission denied" rndc.out.ns2.$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.pre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.pre.$n >/dev/null || ret=1 +$RNDCCMD 10.53.0.2 addzone 'added.example in internal { type primary; file "added.db"; };' 2>rndc.out.ns2.$n && ret=1 +grep "permission denied" rndc.out.ns2.$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "attempting to delete a policy zone ($n)" ret=0 -$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2> rndc.out.ns2.$n >&1 && ret=1 -grep 'cannot be deleted' rndc.out.ns2.$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 delzone 'policy in internal' 2>rndc.out.ns2.$n >&1 && ret=1 +grep 'cannot be deleted' rndc.out.ns2.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -602,11 +604,11 @@ echo_i "adding new zone again to external view ($n)" ret=0 $RNDCCMD 10.53.0.2 addzone 'added.example in external { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' _check_adding_new_zone_again_external() ( - $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n && - grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null && - $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n && - grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null && - grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null + $DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n \ + && grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null \ + && $DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n \ + && grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null \ + && grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null ) retry_quiet 10 _check_adding_new_zone_again_external || ret=1 n=$((n + 1)) @@ -620,9 +622,9 @@ rndc_reconfig ns2 10.53.0.2 echo_i "checking new zone is still loaded after dir change ($n)" ret=0 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.ext.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.ext.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.ext.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.ext.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -630,39 +632,39 @@ status=$((status + ret)) echo_i "deleting newly added zone from external ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 'added.example in external' 2>&1 | sed 's/^/I:ns2 /' -$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "adding new zone to directory view ($n)" ret=0 -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.intpre.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.intpre.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.extpre.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.extpre.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dirpre.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.dirpre.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.intpre.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.intpre.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.extpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.extpre.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dirpre.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.dirpre.$n >/dev/null || ret=1 $RNDCCMD 10.53.0.2 addzone 'added.example in directory { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns2 /' -$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a > dig.out.ns2.int.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.int.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a > dig.out.ns2.ext.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.ext.$n > /dev/null || ret=1 -$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.dir.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.dir.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.dir.$n > /dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.added.example a >dig.out.ns2.int.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.int.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.4 -b 10.53.0.4 a.added.example a >dig.out.ns2.ext.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.ext.$n >/dev/null || ret=1 +$DIG +norec $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.dir.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.dir.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.dir.$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if $FEATURETEST --with-lmdb; then - echo_i "checking NZD file was created in new-zones-directory ($n)" - expect=ns2/new-zones/directory.nzd + echo_i "checking NZD file was created in new-zones-directory ($n)" + expect=ns2/new-zones/directory.nzd else - echo_i "checking NZF file was created in new-zones-directory ($n)" - expect=ns2/new-zones/directory.nzf + echo_i "checking NZF file was created in new-zones-directory ($n)" + expect=ns2/new-zones/directory.nzf fi $RNDCCMD 10.53.0.2 sync 'added.example IN directory' 2>&1 | sed 's/^/I:ns2 /' sleep 2 @@ -674,9 +676,9 @@ status=$((status + ret)) echo_i "deleting newly added zone from directory ($n)" ret=0 $RNDCCMD 10.53.0.2 delzone 'added.example in directory' 2>&1 | sed 's/^/I:ns2 /' -$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.added.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.5 -b 10.53.0.5 a.added.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.added.example' dig.out.ns2.$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -684,70 +686,69 @@ status=$((status + ret)) echo_i "ensure the configuration context is cleaned up correctly ($n)" ret=0 rndc_reconfig ns2 10.53.0.2 -$RNDCCMD 10.53.0.2 status > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 status >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check delzone after reconfig failure ($n)" ret=0 -$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone 'inlinesec.example. IN { type secondary; file "inlinesec.db"; masterfile-format text; primaries { test; }; };' >/dev/null 2>&1 || ret=1 copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 -$RNDCCMD 10.53.0.3 delzone inlinesec.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 delzone inlinesec.example >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if ! $FEATURETEST --with-lmdb -then - echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)" - ret=0 - $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 - $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' > /dev/null 2>&1 && ret=1 - $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 - $RNDCCMD 10.53.0.3 delzone "test3.baz" > /dev/null 2>&1 || ret=1 - grep test2.baz ns3/_default.nzf > /dev/null && ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if ! $FEATURETEST --with-lmdb; then + echo_i "check that addzone is fully reversed on failure (--with-lmdb=no) ($n)" + ret=0 + $RNDCCMD 10.53.0.3 addzone "test1.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 + $RNDCCMD 10.53.0.3 addzone "test2.baz" '{ type primary; file "dne.db"; };' >/dev/null 2>&1 && ret=1 + $RNDCCMD 10.53.0.3 addzone "test3.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 + $RNDCCMD 10.53.0.3 delzone "test3.baz" >/dev/null 2>&1 || ret=1 + grep test2.baz ns3/_default.nzf >/dev/null && ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi _check_version_bind() ( - $DIG $DIGOPTS @10.53.0.3 version.bind txt ch > dig.out.test$n && - grep "status: NOERROR" dig.out.test$n > /dev/null + $DIG $DIGOPTS @10.53.0.3 version.bind txt ch >dig.out.test$n \ + && grep "status: NOERROR" dig.out.test$n >/dev/null ) echo_i "check that named restarts with multiple added zones ($n)" ret=0 -$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone "test4.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone "test5.baz" '{ type primary; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test/.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\".baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\\.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\032.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 addzone '"test\010.baz"' '{ type primary; check-names ignore; file "e.db"; };' >/dev/null 2>&1 || ret=1 stop_server ns3 start_server --noclean --restart --port ${PORT} ns3 || ret=1 retry_quiet 10 _check_version_bind || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' > dig.out.3.test$n || ret=1 -grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.3.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' > dig.out.4.test$n || ret=1 -grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.4.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' > dig.out.5.test$n || ret=1 -grep "status: NOERROR" dig.out.5.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.5.test$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' > dig.out.6.test$n || ret=1 -grep "status: NOERROR" dig.out.6.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA "test4.baz" >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA "test5.baz" >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test/.baz' >dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.3.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\\.baz' >dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.4.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\032.baz' >dig.out.5.test$n || ret=1 +grep "status: NOERROR" dig.out.5.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.5.test$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 SOA 'test\010.baz' >dig.out.6.test$n || ret=1 +grep "status: NOERROR" dig.out.6.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) diff --git a/bin/tests/system/addzone/tests_rndc_deadlock.py b/bin/tests/system/addzone/tests_rndc_deadlock.py index bd21d62..fefcc2d 100755 --- a/bin/tests/system/addzone/tests_rndc_deadlock.py +++ b/bin/tests/system/addzone/tests_rndc_deadlock.py @@ -22,7 +22,7 @@ def run_rndc(server, rndc_command): rndc = os.getenv("RNDC") port = os.getenv("CONTROLPORT") - cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server] + cmdline = [rndc, "-c", "../_common/rndc.conf", "-p", port, "-s", server] cmdline.extend(rndc_command) subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10) diff --git a/bin/tests/system/allow-query/ns2/named01.conf.in b/bin/tests/system/allow-query/ns2/named01.conf.in index 3069010..fec3ddd 100644 --- a/bin/tests/system/allow-query/ns2/named01.conf.in +++ b/bin/tests/system/allow-query/ns2/named01.conf.in @@ -24,7 +24,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named02.conf.in b/bin/tests/system/allow-query/ns2/named02.conf.in index 678c417..95a78b2 100644 --- a/bin/tests/system/allow-query/ns2/named02.conf.in +++ b/bin/tests/system/allow-query/ns2/named02.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named03.conf.in b/bin/tests/system/allow-query/ns2/named03.conf.in index cdc64ff..fd6add2 100644 --- a/bin/tests/system/allow-query/ns2/named03.conf.in +++ b/bin/tests/system/allow-query/ns2/named03.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named04.conf.in b/bin/tests/system/allow-query/ns2/named04.conf.in index 0544662..f6d231d 100644 --- a/bin/tests/system/allow-query/ns2/named04.conf.in +++ b/bin/tests/system/allow-query/ns2/named04.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named05.conf.in b/bin/tests/system/allow-query/ns2/named05.conf.in index 6f92049..fe6cc0c 100644 --- a/bin/tests/system/allow-query/ns2/named05.conf.in +++ b/bin/tests/system/allow-query/ns2/named05.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named06.conf.in b/bin/tests/system/allow-query/ns2/named06.conf.in index 261c75b..1f78f13 100644 --- a/bin/tests/system/allow-query/ns2/named06.conf.in +++ b/bin/tests/system/allow-query/ns2/named06.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named07.conf.in b/bin/tests/system/allow-query/ns2/named07.conf.in index 8050fa2..15dca8f 100644 --- a/bin/tests/system/allow-query/ns2/named07.conf.in +++ b/bin/tests/system/allow-query/ns2/named07.conf.in @@ -27,7 +27,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named08.conf.in b/bin/tests/system/allow-query/ns2/named08.conf.in index ffa4cdc..c2eed2d 100644 --- a/bin/tests/system/allow-query/ns2/named08.conf.in +++ b/bin/tests/system/allow-query/ns2/named08.conf.in @@ -27,7 +27,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named09.conf.in b/bin/tests/system/allow-query/ns2/named09.conf.in index 49166e6..248da9e 100644 --- a/bin/tests/system/allow-query/ns2/named09.conf.in +++ b/bin/tests/system/allow-query/ns2/named09.conf.in @@ -27,7 +27,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in index d684c2d..774dace 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -30,7 +30,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in index 59b9e0e..c860aed 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -36,7 +36,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in index a8e9107..1d9c5d5 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -30,7 +30,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named21.conf.in b/bin/tests/system/allow-query/ns2/named21.conf.in index c6204a3..b120f2a 100644 --- a/bin/tests/system/allow-query/ns2/named21.conf.in +++ b/bin/tests/system/allow-query/ns2/named21.conf.in @@ -26,7 +26,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named22.conf.in b/bin/tests/system/allow-query/ns2/named22.conf.in index 454f24a..37ccedc 100644 --- a/bin/tests/system/allow-query/ns2/named22.conf.in +++ b/bin/tests/system/allow-query/ns2/named22.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named23.conf.in b/bin/tests/system/allow-query/ns2/named23.conf.in index f62337b..c43e232 100644 --- a/bin/tests/system/allow-query/ns2/named23.conf.in +++ b/bin/tests/system/allow-query/ns2/named23.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named24.conf.in b/bin/tests/system/allow-query/ns2/named24.conf.in index 1e277a9..6cdbeec 100644 --- a/bin/tests/system/allow-query/ns2/named24.conf.in +++ b/bin/tests/system/allow-query/ns2/named24.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named25.conf.in b/bin/tests/system/allow-query/ns2/named25.conf.in index 0548af2..51e247c 100644 --- a/bin/tests/system/allow-query/ns2/named25.conf.in +++ b/bin/tests/system/allow-query/ns2/named25.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named26.conf.in b/bin/tests/system/allow-query/ns2/named26.conf.in index 40e5dfd..a72136c 100644 --- a/bin/tests/system/allow-query/ns2/named26.conf.in +++ b/bin/tests/system/allow-query/ns2/named26.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named27.conf.in b/bin/tests/system/allow-query/ns2/named27.conf.in index 92fa1f8..4c3f958 100644 --- a/bin/tests/system/allow-query/ns2/named27.conf.in +++ b/bin/tests/system/allow-query/ns2/named27.conf.in @@ -30,7 +30,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named28.conf.in b/bin/tests/system/allow-query/ns2/named28.conf.in index 2ecac7c..8db4555 100644 --- a/bin/tests/system/allow-query/ns2/named28.conf.in +++ b/bin/tests/system/allow-query/ns2/named28.conf.in @@ -30,7 +30,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named29.conf.in b/bin/tests/system/allow-query/ns2/named29.conf.in index 9a6c9e5..2031a6e 100644 --- a/bin/tests/system/allow-query/ns2/named29.conf.in +++ b/bin/tests/system/allow-query/ns2/named29.conf.in @@ -30,7 +30,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in index f7084c8..e57b7ab 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -33,7 +33,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in index d6a7af5..776cbb7 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -40,7 +40,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in index b7d7ee4..35dfb6e 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -33,7 +33,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named33.conf.in b/bin/tests/system/allow-query/ns2/named33.conf.in index be31b72..3721e62 100644 --- a/bin/tests/system/allow-query/ns2/named33.conf.in +++ b/bin/tests/system/allow-query/ns2/named33.conf.in @@ -29,7 +29,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named34.conf.in b/bin/tests/system/allow-query/ns2/named34.conf.in index 165ff06..09125ef 100644 --- a/bin/tests/system/allow-query/ns2/named34.conf.in +++ b/bin/tests/system/allow-query/ns2/named34.conf.in @@ -29,7 +29,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in index b7a8746..10e0818 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -38,7 +38,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named53.conf.in b/bin/tests/system/allow-query/ns2/named53.conf.in index bd0af28..d3463b2 100644 --- a/bin/tests/system/allow-query/ns2/named53.conf.in +++ b/bin/tests/system/allow-query/ns2/named53.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named54.conf.in b/bin/tests/system/allow-query/ns2/named54.conf.in index a6ca424..5dddf89 100644 --- a/bin/tests/system/allow-query/ns2/named54.conf.in +++ b/bin/tests/system/allow-query/ns2/named54.conf.in @@ -25,7 +25,7 @@ include "controls.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named55.conf.in b/bin/tests/system/allow-query/ns2/named55.conf.in index 6bcba07..4a0880f 100644 --- a/bin/tests/system/allow-query/ns2/named55.conf.in +++ b/bin/tests/system/allow-query/ns2/named55.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named56.conf.in b/bin/tests/system/allow-query/ns2/named56.conf.in index d89a5fb..564063b 100644 --- a/bin/tests/system/allow-query/ns2/named56.conf.in +++ b/bin/tests/system/allow-query/ns2/named56.conf.in @@ -28,7 +28,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns2/named57.conf.in b/bin/tests/system/allow-query/ns2/named57.conf.in index bcc3a85..db5f3d0 100644 --- a/bin/tests/system/allow-query/ns2/named57.conf.in +++ b/bin/tests/system/allow-query/ns2/named57.conf.in @@ -27,7 +27,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "normal.example" { diff --git a/bin/tests/system/allow-query/ns3/named1.conf.in b/bin/tests/system/allow-query/ns3/named1.conf.in index 74b9885..bc42246 100644 --- a/bin/tests/system/allow-query/ns3/named1.conf.in +++ b/bin/tests/system/allow-query/ns3/named1.conf.in @@ -31,5 +31,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/allow-query/ns3/named2.conf.in b/bin/tests/system/allow-query/ns3/named2.conf.in index c4a4e8f..53e73ad 100644 --- a/bin/tests/system/allow-query/ns3/named2.conf.in +++ b/bin/tests/system/allow-query/ns3/named2.conf.in @@ -34,5 +34,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/allow-query/ns3/named3.conf.in b/bin/tests/system/allow-query/ns3/named3.conf.in index 0e1f7b0..36b5f77 100644 --- a/bin/tests/system/allow-query/ns3/named3.conf.in +++ b/bin/tests/system/allow-query/ns3/named3.conf.in @@ -34,5 +34,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/allow-query/ns3/named4.conf.in b/bin/tests/system/allow-query/ns3/named4.conf.in index 36ff911..f9e88d4 100644 --- a/bin/tests/system/allow-query/ns3/named4.conf.in +++ b/bin/tests/system/allow-query/ns3/named4.conf.in @@ -34,5 +34,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/allow-query/setup.sh b/bin/tests/system/allow-query/setup.sh index c85676e..886c8ac 100644 --- a/bin/tests/system/allow-query/setup.sh +++ b/bin/tests/system/allow-query/setup.sh @@ -13,7 +13,7 @@ . ../conf.sh -copy_setports ../common/controls.conf.in ns2/controls.conf -copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named01.conf.in ns2/named.conf -copy_setports ns3/named1.conf.in ns3/named.conf +copy_setports ../_common/controls.conf.in ns2/controls.conf +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named01.conf.in ns2/named.conf +copy_setports ns3/named1.conf.in ns3/named.conf diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh index 3a1b8b4..cb82370 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -61,15 +61,15 @@ DIGOPTS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +dnss status=0 n=0 -nextpart ns2/named.run > /dev/null +nextpart ns2/named.run >/dev/null # Test 1 - default, query allowed n=$((n + 1)) echo_i "test $n: default - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -80,9 +80,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: explicit any - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -93,11 +93,11 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: none - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -nextpart ns2/named.run | grep 'recursion not enabled for view' > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 +nextpart ns2/named.run | grep 'recursion not enabled for view' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -106,10 +106,10 @@ DIGNOEDNS="+tcp +nosea +nostat +nocmd +norec +noques +noauth +noadd +nostats +no echo_i "test $n: none - query refused (no edns)" ret=0 -$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null && ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGNOEDNS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null && ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -120,9 +120,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: address allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -133,10 +133,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: address not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -147,10 +147,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: address disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -161,9 +161,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: acl allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -174,14 +174,13 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: acl not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - # Test 9 - acl disallowed, query refused n=$((n + 1)) copy_setports ns2/named09.conf.in ns2/named.conf @@ -189,10 +188,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: acl disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -203,9 +202,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -216,10 +215,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -230,10 +229,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -247,9 +246,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views default - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -260,9 +259,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views explicit any - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -273,10 +272,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views none - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -287,9 +286,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views address allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -300,10 +299,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views address not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -314,10 +313,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views address disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -328,9 +327,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views acl allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -341,10 +340,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views acl not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -355,10 +354,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views acl disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -369,9 +368,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -382,10 +381,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -396,10 +395,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -410,9 +409,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views over options, views allow - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -423,10 +422,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views over options, views disallow - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -441,9 +440,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: zone default - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -451,9 +450,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone explicit any - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.any.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -461,10 +460,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone none - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.none.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -472,9 +471,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone address allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.addrallow.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -482,10 +481,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone address not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.addrnotallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -493,10 +492,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone address disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.addrdisallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -504,9 +503,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone acl allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.aclallow.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -514,10 +513,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone acl not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.aclnotallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -525,10 +524,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone acl disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.acldisallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -536,9 +535,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -546,10 +545,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.keyallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -557,10 +556,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.keydisallow.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -571,9 +570,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views over options, views allow - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -584,10 +583,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views over options, views disallow - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -598,9 +597,9 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: zones over views, views allow - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -611,10 +610,10 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: zones over views, views disallow - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -625,13 +624,13 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: zones over views, allow-query-on" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.1.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.1.$n > /dev/null || ret=1 -grep '^a.normal.example' dig.out.ns2.1.$n > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.2.$n || ret=1 -grep 'status: REFUSED' dig.out.ns2.2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n > /dev/null || ret=1 -grep '^a.aclnotallow.example' dig.out.ns2.2.$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a >dig.out.ns2.1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.1.$n >/dev/null || ret=1 +grep '^a.normal.example' dig.out.ns2.1.$n >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a >dig.out.ns2.2.$n || ret=1 +grep 'status: REFUSED' dig.out.ns2.2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns2.2.$n >/dev/null || ret=1 +grep '^a.aclnotallow.example' dig.out.ns2.2.$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -639,13 +638,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: default allow-recursion configuration" ret=0 -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n -grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1 -$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 -nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1 +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a >dig.out.ns3.1.$n +grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a >dig.out.ns3.2.$n +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -653,12 +652,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test $n: default allow-query-cache configuration" ret=0 -$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . > dig.out.ns3.1.$n -grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1 -$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 -nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 ns . >dig.out.ns3.1.$n +grep 'status: NOERROR' dig.out.ns3.1.$n >/dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . >dig.out.ns3.2.$n +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion did not match' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -670,14 +669,14 @@ rndc_reload ns3 10.53.0.3 echo_i "test $n: block recursion-on, allow query-cache-on" ret=0 # this should query the cache, and an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'recursion requested but not available' dig.out.ns3.1.$n > /dev/null || ret=1 -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'recursion requested but not available' dig.out.ns3.1.$n >/dev/null || ret=1 +grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1 # this should require recursion and therefore can't get an answer -$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1 -nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 b.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'ANSWER: 0' dig.out.ns3.2.$n >/dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -689,22 +688,22 @@ rndc_reload ns3 10.53.0.3 echo_i "test $n: inheritance of allow-query-cache-on" ret=0 # this should query the cache, an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1 # this should be refused due to allow-recursion-on/allow-query-cache-on -$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1 # this should require recursion and should be allowed -$DIG -p ${PORT} @10.53.0.3 c.normal.example a > dig.out.ns3.3.$n -grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 c.normal.example a >dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1 # this should require recursion and be refused -$DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n -grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1 -nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 d.normal.example a >dig.out.ns3.4.$n +grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -716,22 +715,22 @@ rndc_reload ns3 10.53.0.3 echo_i "test $n: inheritance of allow-recursion-on" ret=0 # this should query the cache, an answer should already be there -$DIG -p ${PORT} @10.53.0.3 a.normal.example a > dig.out.ns3.1.$n -grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a.normal.example a >dig.out.ns3.1.$n +grep 'ANSWER: 1' dig.out.ns3.1.$n >/dev/null || ret=1 # this should be refused due to allow-recursion-on/allow-query-cache-on -$DIG -p ${PORT} @10.53.1.2 a.normal.example a > dig.out.ns3.2.$n -grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 a.normal.example a >dig.out.ns3.2.$n +grep 'recursion requested but not available' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.2.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n >/dev/null || ret=1 # this should require recursion and should be allowed -$DIG -p ${PORT} @10.53.0.3 e.normal.example a > dig.out.ns3.3.$n -grep 'ANSWER: 1' dig.out.ns3.3.$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 e.normal.example a >dig.out.ns3.3.$n +grep 'ANSWER: 1' dig.out.ns3.3.$n >/dev/null || ret=1 # this should require recursion and be refused -$DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n -grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1 -grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1 -nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.1.2 f.normal.example a >dig.out.ns3.4.$n +grep 'recursion requested but not available' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'status: REFUSED' dig.out.ns3.4.$n >/dev/null || ret=1 +grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n >/dev/null || ret=1 +nextpart ns3/named.run | grep 'allow-recursion-on did not match' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/allow-query/tests_sh_allowquery.py b/bin/tests/system/allow-query/tests_sh_allow_query.py index ce20d79..7b22ee2 100644 --- a/bin/tests/system/allow-query/tests_sh_allowquery.py +++ b/bin/tests/system/allow-query/tests_sh_allow_query.py @@ -10,5 +10,5 @@ # information regarding copyright ownership. -def test_allowquery(run_tests_sh): +def test_allow_query(run_tests_sh): run_tests_sh() diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh index 6cd4a27..a1f5c73 100644 --- a/bin/tests/system/auth/tests.sh +++ b/bin/tests/system/auth/tests.sh @@ -22,13 +22,11 @@ n=0 n=$((n + 1)) echo_i "wait for zones to finish transferring to ns2 ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do +for i in 1 2 3 4 5 6 7 8 9 10; do ret=0 - for zone in example.com example.net - do - $DIG $DIGOPTS @10.53.0.2 soa $zone > dig.out.test$n || ret=1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 + for zone in example.com example.net; do + $DIG $DIGOPTS @10.53.0.2 soa $zone >dig.out.test$n || ret=1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 @@ -43,44 +41,44 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +norec @10.53.0.1 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=1/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +rec @10.53.0.1 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +rec @10.53.0.1 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME record does not return target data (rd=0/ra=1) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.2 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +norec @10.53.0.2 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that cross-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 www.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 -grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n > /dev/null || ret=1 -grep "server.example.net.*A.*10.53.0.100" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 www.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1 +grep "www.example.com.*CNAME.*server.example.net" dig.out.test$n >/dev/null || ret=1 +grep "server.example.net.*A.*10.53.0.100" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -90,100 +88,100 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=0/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records returns target data (rd=1/ra=0) ($n)" ret=0 -$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +rec @10.53.0.1 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=0/ra=1) ($n)" ret=0 -$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa ra;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa ra;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records return target data (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 inzone.example.com > dig.out.test$n || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "flags: qr aa rd ra;" dig.out.test$n > /dev/null || ret=1 -grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n > /dev/null || ret=1 -grep "a.example.com.*A.*10.53.0.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 inzone.example.com >dig.out.test$n || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "flags: qr aa rd ra;" dig.out.test$n >/dev/null || ret=1 +grep "inzone.example.com.*CNAME.*a.example.com" dig.out.test$n >/dev/null || ret=1 +grep "a.example.com.*A.*10.53.0.1" dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone CNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 1,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 1,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone DNAME records does not return target data when QTYPE is CNAME (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 -grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t cname inzone.dname.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com\..*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1 +grep 'a\.example\.com\..*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that in-zone DNAME records does not return target data when QTYPE is ANY (rd=1/ra=1) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com > dig.out.test$n || ret=1 -grep 'ANSWER: 2,' dig.out.test$n > /dev/null || ret=1 -grep 'flags: qr aa rd ra;' dig.out.test$n > /dev/null || ret=1 -grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n > /dev/null || ret=1 -grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n > /dev/null && ret=1 -grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 -t any inzone.dname.example.com >dig.out.test$n || ret=1 +grep 'ANSWER: 2,' dig.out.test$n >/dev/null || ret=1 +grep 'flags: qr aa rd ra;' dig.out.test$n >/dev/null || ret=1 +grep 'dname\.example\.com\..*DNAME.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.dname\.example\.com\..*CNAME.inzone\.example\.com\.' dig.out.test$n >/dev/null || ret=1 +grep 'inzone\.example\.com.*CNAME.a\.example\.com\.' dig.out.test$n >/dev/null && ret=1 +grep 'a\.example\.com.*A.10\.53\.0\.1' dig.out.test$n >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check that CHAOS addresses are compared correctly ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos > dig.out.test$n -lines=$(wc -l < dig.out.test$n) +$DIG $DIGOPTS @10.53.0.1 +noall +answer ch test.example.chaos >dig.out.test$n +lines=$(wc -l <dig.out.test$n) [ ${lines:-0} -eq 2 ] || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 6b969c3..fd01208 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -17,9 +17,9 @@ zone=. zonefile=root.db infile=root.db.in -(cd ../ns2 && $SHELL keygen.sh ) +(cd ../ns2 && $SHELL keygen.sh) -cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile +cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. >$zonefile zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) @@ -34,20 +34,20 @@ rm $zsknopriv.private ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone) kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone) -keyfile_to_static_ds $ksksby > trusted.conf +keyfile_to_static_ds $ksksby >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf -keyfile_to_static_ds $kskrev > trusted.conf +keyfile_to_static_ds $kskrev >trusted.conf cp trusted.conf ../ns5/trusted.conf -echo $zskact > ../active.key -echo $zskvanish > ../vanishing.key -echo $zskdel > ../del.key -echo $zskinact > ../inact.key -echo $zskunpub > ../unpub.key -echo $zsknopriv > ../nopriv.key -echo $zsksby > ../standby.key -echo $zskactnowpub1d > ../activate-now-publish-1day.key -$REVOKE -R $kskrev > ../rev.key +echo $zskact >../active.key +echo $zskvanish >../vanishing.key +echo $zskdel >../del.key +echo $zskinact >../inact.key +echo $zskunpub >../unpub.key +echo $zsknopriv >../nopriv.key +echo $zsksby >../standby.key +echo $zskactnowpub1d >../activate-now-publish-1day.key +$REVOKE -R $kskrev >../rev.key diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 9b7c31d..c6fd69d 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -14,52 +14,50 @@ . ../../conf.sh # Have the child generate subdomain keys and pass DS sets to us. -( cd ../ns3 && $SHELL keygen.sh ) +(cd ../ns3 && $SHELL keygen.sh) for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \ - nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ - cdnskey-delete -do - cp ../ns3/dsset-$subdomain.example. . + nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ + cdnskey-delete; do + cp ../ns3/dsset-$subdomain.example. . done # Create keys and pass the DS to the parent. zone=example zonefile="${zone}.db" infile="${zonefile}.in" -cat $infile dsset-*.example. > $zonefile +cat $infile dsset-*.example. >$zonefile kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) -$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null -$DSFROMKEY $kskname.key > dsset-${zone}. +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null +$DSFROMKEY $kskname.key >dsset-${zone}. # Create keys for a private secure zone. zone=private.secure.example zonefile="${zone}.db" infile="${zonefile}.in" ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) -$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null -keyfile_to_static_ds $ksk > private.conf +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null +keyfile_to_static_ds $ksk >private.conf cp private.conf ../ns4/private.conf -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >/dev/null # Extract saved keys for the revoke-to-duplicate-key test zone=bar zonefile="${zone}.db" infile="${zonefile}.in" -cat $infile > $zonefile +cat $infile >$zonefile for i in Xbar.+013+59973.key Xbar.+013+59973.private \ - Xbar.+013+60101.key Xbar.+013+60101.private -do - cp $i $(echo $i | sed s/X/K/) + Xbar.+013+60101.key Xbar.+013+60101.private; do + cp $i $(echo $i | sed s/X/K/) done -$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null -$DSFROMKEY Kbar.+013+60101.key > dsset-bar. +$KEYGEN -a ECDSAP256SHA256 -q $zone >/dev/null +$DSFROMKEY Kbar.+013+60101.key >dsset-bar. # a zone with empty non-terminals. zone=optout-with-ent zonefile=optout-with-ent.db infile=optout-with-ent.db.in -cat $infile > $zonefile +cat $infile >$zonefile kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) -$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone >/dev/null diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in index c155a3b..a134019 100644 --- a/bin/tests/system/autosign/ns2/named.conf.in +++ b/bin/tests/system/autosign/ns2/named.conf.in @@ -38,7 +38,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 96158b3..b59cb50 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -15,43 +15,43 @@ SYSTESTDIR=autosign -dumpit () { - echo_d "${debug}: dumping ${1}" - cat "${1}" | cat_d +dumpit() { + echo_d "${debug}: dumping ${1}" + cat "${1}" | cat_d } -setup () { - echo_i "setting up zone: $1" - debug="$1" - zone="$1" - zonefile="${zone}.db" - infile="${zonefile}.in" - n=$((${n:-0} + 1)) +setup() { + echo_i "setting up zone: $1" + debug="$1" + zone="$1" + zonefile="${zone}.db" + infile="${zonefile}.in" + n=$((${n:-0} + 1)) } setup secure.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC3/NSEC test zone # setup secure.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC3/NSEC3 test zone # setup nsec3.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Jitter/NSEC3 test zone @@ -59,10 +59,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}. setup jitter.nsec3.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done # Don't create keys just yet, because the scenario we want to test # is an unsigned zone that has a NSEC3PARAM record added with @@ -73,98 +72,100 @@ done # setup optout.nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A nsec3 zone (non-optout). # setup nsec3.example -cat $infile dsset-*.${zone}. > $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile dsset-*.${zone}. >$zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # An NSEC3 zone, with NSEC3 parameters set prior to signing # setup autonsec3.example -cat $infile > $zonefile -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../autoksk.key -zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../autozsk.key -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile >$zonefile +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../autoksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../autozsk.key +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/NSEC test zone # setup secure.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/NSEC3 test zone # setup nsec3.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # OPTOUT/OPTOUT test zone # setup optout.optout.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A optout nsec3 zone. # setup optout.example -cat $infile dsset-*.${zone}. > $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +cat $infile dsset-*.${zone}. >$zonefile +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A RSASHA256 zone. # setup rsasha256.example cp $infile $zonefile -ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a RSASHA256 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA256 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A RSASHA512 zone. # setup rsasha512.example cp $infile $zonefile -ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a RSASHA512 -b 2048 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a RSASHA512 -b 2048 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # NSEC-only zone. A zone using NSEC-only DNSSEC algorithms. # None of these algorithms are supported for signing in FIPS mode # as they are MD5 and SHA1 based. # -if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) -then - setup nsec-only.example - cp $infile $zonefile - ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out) || dumpit kg.out - $KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out - $DSFROMKEY $ksk.key > dsset-${zone}. +if ( + cd .. + $SHELL ../testcrypto.sh -q RSASHA1 +); then + setup nsec-only.example + cp $infile $zonefile + ksk=$($KEYGEN -q -a RSASHA1 -fk $zone 2>kg.out) || dumpit kg.out + $KEYGEN -q -a RSASHA1 $zone >kg.out 2>&1 || dumpit kg.out + $DSFROMKEY $ksk.key >dsset-${zone}. else - echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" + echo_i "skip: nsec-only.example - signing with RSASHA1 not supported" fi # @@ -174,52 +175,59 @@ fi setup oldsigs.example cp $infile $zonefile count=1 -while [ $count -le 1000 ] -do - echo "label${count} IN TXT label${count}" >> $zonefile - count=$((count + 1)) +while [ $count -le 1000 ]; do + echo "label${count} IN TXT label${count}" >>$zonefile + count=$((count + 1)) done -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile >s.out || dumpit s.out mv $zonefile.signed $zonefile # # NSEC3->NSEC transition test zone. # setup nsec3-to-nsec.example -$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out + +# +# NSEC3->NSEC3 transition test zone. +# +setup nsec3-to-nsec3.example +$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile >s.out || dumpit s.out # # secure-to-insecure transition test zone; used to test removal of # keys via nsupdate # setup secure-to-insecure.example -$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -o $zone -f $zonefile $infile >s.out || dumpit s.out # # another secure-to-insecure transition test zone; used to test # removal of keys on schedule. # setup secure-to-insecure2.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../del1.key -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../del2.key -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../del1.key +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../del2.key +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Introducing a pre-published key test. # setup prepub.example infile="secure-to-insecure2.example.db.in" -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$SIGNER -S -3 beef -o $zone -f $zonefile $infile >s.out || dumpit s.out # # Key TTL tests. @@ -227,46 +235,46 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # no default key TTL; DNSKEY should get SOA TTL setup ttl1.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # default key TTL should be used setup ttl2.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # mismatched key TTLs, should use shortest setup ttl3.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone >kg.out 2>&1 || dumpit kg.out cp $infile $zonefile # existing DNSKEY RRset, should retain TTL setup ttl4.example -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out -cat ${infile} K${zone}.+*.key > $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone >kg.out 2>&1 || dumpit kg.out +cat ${infile} K${zone}.+*.key >$zonefile +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone >kg.out 2>&1 || dumpit kg.out # # A zone with a DNSKEY RRset that is published before it's activated # setup delay.example -ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -echo $ksk > ../delayksk.key -zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -echo $zsk > ../delayzsk.key +ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +echo $ksk >../delayksk.key +zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +echo $zsk >../delayzsk.key # # A zone with signatures that are already expired, and the private KSK # is missing. # setup noksk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../noksk-ksk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../noksk-ksk.key rm -f ${ksk}.private # @@ -274,11 +282,11 @@ rm -f ${ksk}.private # is missing. # setup nozsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../nozsk-ksk.key -echo $zsk > ../nozsk-zsk.key +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../nozsk-ksk.key +echo $zsk >../nozsk-zsk.key rm -f ${zsk}.private # @@ -286,77 +294,77 @@ rm -f ${zsk}.private # is inactive. # setup inaczsk.example -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out -$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out -echo $ksk > ../inaczsk-ksk.key -echo $zsk > ../inaczsk-zsk.key -$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +zsk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2>kg.out) || dumpit kg.out +$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in >s.out || dumpit s.out +echo $ksk >../inaczsk-ksk.key +echo $zsk >../inaczsk-zsk.key +$SETTIME -I now $zsk >st.out 2>&1 || dumpit st.out # # A zone that is set to 'auto-dnssec maintain' during a reconfig # setup reconf.example cp secure.example.db.in $zonefile -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out # # A zone which generates CDS and CDNSEY RRsets automatically # setup sync.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. -echo ns3/$ksk > ../sync.key +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. +echo ns3/$ksk >../sync.key # # A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly # setup kskonly.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that has a published inactive key that is autosigned. # setup inacksk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that has a published inactive key that is autosigned. # setup inaczsk2.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inacksk3.example cp $infile $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone >kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inaczsk3.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the @@ -364,28 +372,28 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup delzsk.example cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone >kg.out 2>&1 || dumpit kg.out zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out -echo $zsk > ../delzsk.key +echo $zsk >../delzsk.key # # Check that NSEC3 are correctly signed and returned from below a DNAME # setup dname-at-apex-nsec3.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Check that dynamically added CDS (DELETE) is kept in the zone after signing. # setup cds-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. # # Check that dynamically added CDNSKEY (DELETE) is kept in the zone after @@ -393,6 +401,6 @@ $DSFROMKEY $ksk.key > dsset-${zone}. # setup cdnskey-delete.example cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. +ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2>kg.out) || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone >kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key >dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 64196a1..cbdf8f7 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -42,7 +42,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { @@ -167,6 +167,7 @@ zone "nsec3-to-nsec.example" { type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; + max-journal-size 10M; auto-dnssec maintain; }; @@ -185,6 +186,14 @@ zone "secure-to-insecure2.example" { dnssec-secure-to-insecure yes; }; +zone "nsec3-to-nsec3.example" { + type primary; + file "nsec3-to-nsec3.example.db"; + allow-update { any; }; + inline-signing no; + max-journal-size 10M; +}; + zone "oldsigs.example" { type primary; file "oldsigs.example.db"; diff --git a/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in new file mode 100644 index 0000000..0b11a00 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nsec3-to-nsec3.example.db.in @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns4/named.conf.in b/bin/tests/system/autosign/ns4/named.conf.in index b46ce91..13a8e89 100644 --- a/bin/tests/system/autosign/ns4/named.conf.in +++ b/bin/tests/system/autosign/ns4/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns5/named.conf.in b/bin/tests/system/autosign/ns5/named.conf.in index 710dfa8..e0927da 100644 --- a/bin/tests/system/autosign/ns5/named.conf.in +++ b/bin/tests/system/autosign/ns5/named.conf.in @@ -27,7 +27,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index ad23c22..5789fe7 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -19,18 +19,18 @@ status=0 n=0 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # convert private-type records to readable form # $1 is the zone # $2 is the server # $3 is ignored # $4 is the alternate type -showprivate () { - echo "-- $@ --" - $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' | - while read record; do - $PERL -e 'my $rdata = pack("H*", @ARGV[0]); +showprivate() { + echo "-- $@ --" + $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' \ + | while read record; do + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); my $action = "signing"; @@ -38,107 +38,103 @@ showprivate () { my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' $record - done + done } # check that signing records are marked as complete # if $3 is 1 then we are expecting "(incomplete)" # if $3 is 2 then we are not expecting either "(complete)" or "(incomplete)" # if $4 is present then that specifies any alternate type to check -checkprivate () { - _ret=0 - expected="${3:-0}" - x=$(showprivate "$@") - echo $x | grep "(complete)" > /dev/null || _ret=2 - echo $x | grep "(incomplete)" > /dev/null && _ret=1 - - if [ $_ret = $expected ]; then - return 0 - fi - - echo "$x" - echo_i "failed" - return 1 +checkprivate() { + _ret=0 + expected="${3:-0}" + x=$(showprivate "$@") + echo $x | grep "(complete)" >/dev/null || _ret=2 + echo $x | grep "(incomplete)" >/dev/null && _ret=1 + + if [ $_ret = $expected ]; then + return 0 + fi + + echo "$x" + echo_i "failed" + return 1 } # wait until notifies for zone $1 are sent by server $2. This is an indication # that the zone is signed with the active keys, and the changes have been # committed. -wait_for_notifies () { - wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 +wait_for_notifies() { + wait_for_log 10 "zone ${1}/IN: sending notifies" "${2}/named.run" || return 1 } freq() { - _file=$1 - # remove first and last line that has incomplete set and skews the distribution - awk '$4 == "RRSIG" {print substr($9,1,8)}' < "$_file" | sort | uniq -c | sed '1d;$d' + _file=$1 + # remove first and last line that has incomplete set and skews the distribution + awk '$4 == "RRSIG" {print substr($9,1,8)}' <"$_file" | sort | uniq -c | sed '1d;$d' } # Check the signatures expiration times. First check how many signatures # there are in total ($rrsigs). Then see what the distribution of signature # expiration times is ($expiretimes). Ignore the time part for a better # modelled distribution. -checkjitter () { - _file=$1 - _ret=0 - - if ! command -v bc >/dev/null 2>&1; then - echo_i "skip: bc not available" - return 0 - fi - - freq "$_file" | cat_i - _expiretimes=$(freq "$_file" | awk '{print $1}') - - _count=0 - # Check if we have at least 4 days - # This number has been tuned for `sig-validity-interval 10 2`, as - # 1 signature expiration dates should be spread out across at most 8 (10-2) days - # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days - # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) - for _num in $_expiretimes - do - _count=$((_count+1)) - done - if [ "$_count" -lt 4 ]; then - echo_i "error: not enough categories" - return 1 - fi - - # Calculate mean - _total=0 - for _num in $_expiretimes - do - _total=$((_total+_num)) - done - _mean=$(($_total / $_count)) - - # Calculate stddev - _stddev=0 - for _num in $_expiretimes - do - _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) - done - _stddev=$(echo "sqrt($_stddev/$_count)" | bc) - - # We expect the number of signatures not to exceed the mean +- 3 * stddev. - _limit=$((_stddev*3)) - _low=$((_mean-_limit)) - _high=$((_mean+_limit)) - # Find outliers. - echo_i "checking whether all frequencies fall into <$_low;$_high> range" - for _num in $_expiretimes - do - if [ $_num -gt $_high ]; then - echo_i "error: too many RRSIG records ($_num) in expiration bucket" - _ret=1 - fi - if [ $_num -lt $_low ]; then - echo_i "error: too few RRSIG records ($_num) in expiration bucket" - _ret=1 - fi - done - - return $_ret +checkjitter() { + _file=$1 + _ret=0 + + if ! command -v bc >/dev/null 2>&1; then + echo_i "skip: bc not available" + return 0 + fi + + freq "$_file" | cat_i + _expiretimes=$(freq "$_file" | awk '{print $1}') + + _count=0 + # Check if we have at least 4 days + # This number has been tuned for `sig-validity-interval 10 2`, as + # 1 signature expiration dates should be spread out across at most 8 (10-2) days + # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days + # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) + for _num in $_expiretimes; do + _count=$((_count + 1)) + done + if [ "$_count" -lt 4 ]; then + echo_i "error: not enough categories" + return 1 + fi + + # Calculate mean + _total=0 + for _num in $_expiretimes; do + _total=$((_total + _num)) + done + _mean=$(($_total / $_count)) + + # Calculate stddev + _stddev=0 + for _num in $_expiretimes; do + _stddev=$(echo "$_stddev + (($_num - $_mean) * ($_num - $_mean))" | bc) + done + _stddev=$(echo "sqrt($_stddev/$_count)" | bc) + + # We expect the number of signatures not to exceed the mean +- 3 * stddev. + _limit=$((_stddev * 3)) + _low=$((_mean - _limit)) + _high=$((_mean + _limit)) + # Find outliers. + echo_i "checking whether all frequencies fall into <$_low;$_high> range" + for _num in $_expiretimes; do + if [ $_num -gt $_high ]; then + echo_i "error: too many RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + if [ $_num -lt $_low ]; then + echo_i "error: too few RRSIG records ($_num) in expiration bucket" + _ret=1 + fi + done + + return $_ret } # @@ -149,34 +145,30 @@ checkjitter () { # echo_i "waiting for autosign changes to take effect" i=0 -while [ $i -lt 30 ] -do - ret=0 - # - # Wait for the root DNSKEY RRset to be fully signed. - # - $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 - grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1 - for z in . - do - $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 - grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 - done - for z in bar. example. private.secure.example. optout-with-ent. - do - $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 - grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 - done - for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example noksk.example nozsk.example - do - $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 - grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 - done - i=$((i + 1)) - if [ $ret = 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 2 +while [ $i -lt 30 ]; do + ret=0 + # + # Wait for the root DNSKEY RRset to be fully signed. + # + $DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1 + grep "ANSWER: 10," dig.out.ns1.test$n >/dev/null || ret=1 + for z in .; do + $DIG $DIGOPTS $z @10.53.0.1 nsec >dig.out.ns1.test$n || ret=1 + grep "NS SOA" dig.out.ns1.test$n >/dev/null || ret=1 + done + for z in bar. example. private.secure.example. optout-with-ent.; do + $DIG $DIGOPTS $z @10.53.0.2 nsec >dig.out.ns2.test$n || ret=1 + grep "NS SOA" dig.out.ns2.test$n >/dev/null || ret=1 + done + for z in bar. example. inacksk2.example. inacksk3.example \ + inaczsk2.example. inaczsk3.example noksk.example nozsk.example; do + $DIG $DIGOPTS $z @10.53.0.3 nsec >dig.out.ns3.test$n || ret=1 + grep "NS SOA" dig.out.ns3.test$n >/dev/null || ret=1 + done + i=$((i + 1)) + if [ $ret = 0 ]; then break; fi + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "done"; fi @@ -185,21 +177,21 @@ status=$((status + ret)) echo_i "Convert optout-with-ent from nsec to nsec3" ($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 +echo_i "Convert nsec3-to-nsec3.example from having salt 'beef' to no salt" +($RNDCCMD 10.53.0.3 signing -nsec3param 1 1 1 - nsec3-to-nsec3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 + echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" -for z in . -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in .; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in bar. example. private.secure.example. -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in bar. example. private.secure.example.; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example -do - echo_i zone $z - $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i +for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example; do + echo_i zone $z + $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done # Set logfile offset for wait_for_log usage. @@ -213,14 +205,14 @@ echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" echo_ic "is initially signed with a KSK and not a ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1 +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n >/dev/null || ret=1 pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } @@ -236,7 +228,7 @@ awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' id=$(awk "${awk}" dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 n=$((n + 1)) @@ -250,11 +242,11 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly" echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" echo_ic "is initially signed with a ZSK and not a KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1 -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n >/dev/null || ret=1 +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } END {print count}' dig.out.ns3.test$n) @@ -266,7 +258,7 @@ test $count -eq 3 || ret=1 id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n) keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 +$SETTIME -D now+5 "${keyfile}" >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -275,24 +267,24 @@ status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion prerequisites ($n)" ret=0 # these commands should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion prerequisites ($n)" ret=0 -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "converting zones from nsec to nsec3" -$NSUPDATE > /dev/null 2>&1 <<END || status=1 +$NSUPDATE >/dev/null 2>&1 <<END || status=1 server 10.53.0.3 ${PORT} zone nsec3.nsec3.example. update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF @@ -317,51 +309,50 @@ update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF send END -if $SHELL ../testcrypto.sh -q RSASHA1 -then - # try to convert nsec-only.example; this should fail due to - # non-NSEC3 compatible keys - echo_i "preset nsec3param in unsigned zone via nsupdate ($n)" - ret=0 - $NSUPDATE > nsupdate.out 2>&1 <<END && ret=1 +if $SHELL ../testcrypto.sh -q RSASHA1; then + # try to convert nsec-only.example; this should fail due to + # non-NSEC3 compatible keys + echo_i "preset nsec3param in unsigned zone via nsupdate ($n)" + ret=0 + $NSUPDATE >nsupdate.out 2>&1 <<END && ret=1 server 10.53.0.3 ${PORT} zone nsec-only.example. update add nsec-only.example. 3600 NSEC3PARAM 1 0 10 BEEF send END - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking for nsec3param in unsigned zone ($n)" ret=0 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking for nsec3param signing record ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 -grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1 +grep "Pending NSEC3 chain 1 0 20 DEAF" signing.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "resetting nsec3param via rndc signing ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. >/dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. >/dev/null 2>&1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 - grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 - num=$(grep "Pending " signing.out.test$n | wc -l) - [ $num -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $RNDCCMD 10.53.0.3 signing -list autonsec3.example. >signing.out.test$n 2>&1 + grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n >/dev/null || ret=1 + num=$(grep "Pending " signing.out.test$n | wc -l) + [ $num -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -370,15 +361,15 @@ status=$((status + ret)) echo_i "signing preset nsec3 zone" zsk=$(cat autozsk.key) ksk=$(cat autoksk.key) -$SETTIME -K ns3 -P now -A now $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now -A now $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -P now -A now $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now -A now $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys autonsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 echo_i "converting zone from nsec3 to nsec" -$NSUPDATE > /dev/null 2>&1 << END || status=1 +$NSUPDATE >/dev/null 2>&1 <<END || status=1 server 10.53.0.3 ${PORT} zone nsec3-to-nsec.example. update delete nsec3-to-nsec.example. NSEC3PARAM @@ -391,8 +382,8 @@ sleep 3 missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)") echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)" ret=0 -$JOURNALPRINT ns3/noksk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 +$JOURNALPRINT ns3/noksk.example.db.jnl \ + | awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -401,10 +392,10 @@ missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)") ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)") echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)" ret=0 -$JOURNALPRINT ns3/nozsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 -$JOURNALPRINT ns3/nozsk.example.db.jnl | \ - awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 +$JOURNALPRINT ns3/nozsk.example.db.jnl \ + | awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1 +$JOURNALPRINT ns3/nozsk.example.db.jnl \ + | awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -413,10 +404,10 @@ inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)") ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)") echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)" ret=0 -$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ - awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 -$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ - awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 +$JOURNALPRINT ns3/inaczsk.example.db.jnl \ + | awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1 +$JOURNALPRINT ns3/inaczsk.example.db.jnl \ + | awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -446,20 +437,20 @@ echo_i "dumping zone files" now="$(TZ=UTC date +%Y%m%d%H%M%S)" check_expiry() ( - $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n - nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)" - if [ "$nearest_expiration" -le "$now" ]; then - echo_i "failed: $nearest_expiration <= $now" - return 1 - fi + $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 >dig.out.test$n + nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' <dig.out.test$n | sort -n | head -1)" + if [ "$nearest_expiration" -le "$now" ]; then + echo_i "failed: $nearest_expiration <= $now" + return 1 + fi ) echo_i "checking expired signatures were updated ($n)" retry 10 check_expiry || ret=1 -$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -467,7 +458,7 @@ status=$((status + ret)) # Check jitter distribution. echo_i "checking expired signatures were jittered correctly ($n)" ret=0 -$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 checkjitter dig.out.ns3.test$n || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -475,38 +466,37 @@ status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion succeeded ($n)" ret=0 -$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.ok.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking direct NSEC3 autosigning succeeded ($n)" ret=0 -$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1 -[ -s dig.out.ns3.ok.test$n ] || ret=1 -grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.ok.test$n || ret=1 +[ -s dig.out.ns3.ok.test$n ] || ret=1 +grep "NSEC3PARAM" dig.out.ns3.ok.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)" ret=0 -if $SHELL ../testcrypto.sh -q RSASHA1 -then - grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1 +if $SHELL ../testcrypto.sh -q RSASHA1; then + grep "failed: REFUSED" nsupdate.out >/dev/null || ret=1 else - echo_i "skip: RSASHA1 not supported" + echo_i "skip: RSASHA1 not supported" fi n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -515,39 +505,39 @@ status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion succeeded ($n)" ret=0 # this command should result in an empty file: -$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1 -grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || ret=1 +grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 signing -nsec3param none autonsec3.example. >/dev/null 2>&1 # this command should result in an empty file: no_nsec3param() ( - $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || return 1 - grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && return 1 - return 0 + $DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 >dig.out.ns3.nx.test$n || return 1 + grep "NSEC3PARAM" dig.out.ns3.nx.test$n >/dev/null && return 1 + return 0 ) retry_quiet 10 no_nsec3param || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (no default) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 300 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -556,7 +546,7 @@ status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (with default) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 60 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -565,7 +555,7 @@ status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (mismatched) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -574,7 +564,7 @@ status=$((status + ret)) echo_i "checking TTLs of imported DNSKEYs (existing RRset) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 [ -s dig.out.ns3.test$n ] || ret=1 (awk 'BEGIN {r=0} $2 != 30 {r=1; print "found TTL " $2} END {exit r}' dig.out.ns3.test$n | cat_i) || ret=1 n=$((n + 1)) @@ -583,10 +573,10 @@ status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -594,11 +584,11 @@ status=$((status + ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -606,22 +596,22 @@ status=$((status + ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -629,12 +619,12 @@ status=$((status + ret)) echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth q.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth q.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -642,25 +632,25 @@ status=$((status + ret)) echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth q.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth q.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking negative validation NODATA NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -668,13 +658,13 @@ status=$((status + ret)) echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -682,13 +672,13 @@ status=$((status + ret)) echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -697,12 +687,12 @@ status=$((status + ret)) echo_i "checking 1-server insecurity proof NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -710,13 +700,13 @@ status=$((status + ret)) echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -726,12 +716,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.secure.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.secure.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -739,12 +729,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -752,12 +742,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -765,12 +755,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.secure.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -778,12 +768,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -791,12 +781,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -804,12 +794,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.secure.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.secure.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -817,12 +807,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.nsec3.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -830,12 +820,12 @@ status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth a.optout.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth a.optout.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -843,11 +833,11 @@ status=$((status + ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 $DIG $DIGOPTS +noauth empty.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +noauth empty.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -858,13 +848,13 @@ status=$((status + ret)) echo_i "checking 2-server insecurity proof ($n)" ret=0 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -873,43 +863,43 @@ status=$((status + ret)) echo_i "checking 2-server insecurity proof with a negative answer ($n)" ret=0 -$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ - || ret=1 -$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ - || ret=1 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ + || ret=1 +$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking security root query ($n)" ret=0 -$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS . @10.53.0.4 key >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 -$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -917,12 +907,12 @@ status=$((status + ret)) echo_i "checking that positive validation in a privately secure zone works ($n)" ret=0 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -930,22 +920,22 @@ status=$((status + ret)) echo_i "checking that negative validation in a privately secure zone works ($n)" ret=0 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking privately secure to nxdomain works ($n)" ret=0 -$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -955,9 +945,9 @@ status=$((status + ret)) echo_i "checking that validation returns insecure due to revoked trusted key ($n)" ret=0 -$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1 -grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1 +$DIG $DIGOPTS example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "flags:.*; QUERY" dig.out.ns5.test$n >/dev/null || ret=1 +grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -965,8 +955,8 @@ status=$((status + ret)) echo_i "checking that revoked key is present ($n)" ret=0 id=$(cat rev.key) -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -974,8 +964,8 @@ status=$((status + ret)) echo_i "checking that revoked key self-signs ($n)" ret=0 id=$(cat rev.key) -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -983,8 +973,8 @@ status=$((status + ret)) echo_i "checking for unpublished key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat unpub.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -992,8 +982,8 @@ status=$((status + ret)) echo_i "checking for activated but unpublished key ($n)" ret=0 id=$(keyfile_to_key_id "$(cat activate-now-publish-1day.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1001,8 +991,8 @@ status=$((status + ret)) echo_i "checking that standby key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat standby.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1010,8 +1000,8 @@ status=$((status + ret)) echo_i "checking that deactivated key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat inact.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1021,7 +1011,7 @@ ret=0 id=$(keyfile_to_key_id "$(cat nopriv.key)") file="ns1/$(cat nopriv.key).key" keydata=$(grep DNSKEY $file) -$NSUPDATE > /dev/null 2>&1 <<END || status=1 +$NSUPDATE >/dev/null 2>&1 <<END || status=1 server 10.53.0.1 ${PORT} zone . ttl 3600 @@ -1029,8 +1019,8 @@ update add $keydata send END sleep 1 -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1038,27 +1028,27 @@ status=$((status + ret)) echo_i "checking key deletion ($n)" ret=0 id=$(keyfile_to_key_id "$(cat del.key)") -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking secure-to-insecure transition, nsupdate ($n)" ret=0 -$NSUPDATE > /dev/null 2>&1 <<END || status=1 +$NSUPDATE >/dev/null 2>&1 <<END || status=1 server 10.53.0.3 ${PORT} zone secure-to-insecure.example update delete secure-to-insecure.example dnskey send END for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 - grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 + grep -E '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n >/dev/null && ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1067,17 +1057,17 @@ status=$((status + ret)) echo_i "checking secure-to-insecure transition, scheduled ($n)" ret=0 file="ns3/$(cat del1.key).key" -$SETTIME -I now -D now $file > settime.out.test$n.1 || ret=1 +$SETTIME -I now -D now $file >settime.out.test$n.1 || ret=1 file="ns3/$(cat del2.key).key" -$SETTIME -I now -D now $file > settime.out.test$n.2 || ret=1 +$SETTIME -I now -D now $file >settime.out.test$n.2 || ret=1 ($RNDCCMD 10.53.0.3 sign secure-to-insecure2.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 - grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 + ret=0 + $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 + grep -E '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n >/dev/null && ret=1 + [ $ret -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1086,7 +1076,7 @@ status=$((status + ret)) echo_i "checking jitter in a newly signed NSEC3 zone ($n)" ret=0 # Use DNS UPDATE to add an NSEC3PARAM record into the zone. -$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1 +$NSUPDATE >nsupdate.out.test$n 2>&1 <<END || ret=1 server 10.53.0.3 ${PORT} zone jitter.nsec3.example. update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF @@ -1094,19 +1084,19 @@ send END [ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed" # Create DNSSEC keys in the zone directory. -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example >/dev/null # Trigger zone signing. ($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 # Wait until zone has been signed. check_if_nsec3param_exists() { - $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 > dig.out.ns3.1.test$n || return 1 - grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1 + $DIG $DIGOPTS NSEC3PARAM jitter.nsec3.example @10.53.0.3 >dig.out.ns3.1.test$n || return 1 + grep -q "^jitter\.nsec3\.example\..*NSEC3PARAM" dig.out.ns3.1.test$n || return 1 } retry_quiet 40 check_if_nsec3param_exists || { - echo_i "error: NSEC3PARAM not present yet" - ret=1 + echo_i "error: NSEC3PARAM not present yet" + ret=1 } -$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 +$DIG $DIGOPTS AXFR jitter.nsec3.example @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 # Check jitter distribution. checkjitter dig.out.ns3.2.test$n || ret=1 n=$((n + 1)) @@ -1118,17 +1108,16 @@ ret=0 oldserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}') oldinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null +$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example >/dev/null ($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 newserial=$oldserial try=0 -while [ $oldserial -eq $newserial -a $try -lt 42 ] -do - newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | - awk '$0 !~ /SOA/ {print $3}') - sleep 1 - try=$((try + 1)) +while [ $oldserial -eq $newserial -a $try -lt 42 ]; do + newserial=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 \ + | awk '$0 !~ /SOA/ {print $3}') + sleep 1 + try=$((try + 1)) done newinception=$($DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u) #echo "$oldserial : $newserial" @@ -1151,8 +1140,8 @@ oldfile=$(cat active.key) oldid=$(keyfile_to_key_id "$(cat active.key)") newfile=$(cat standby.key) newid=$(keyfile_to_key_id "$(cat standby.key)") -$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1 -$SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1 +$SETTIME -K ns1 -I now+2s -D now+25 $oldfile >settime.out.test$n.1 || ret=1 +$SETTIME -K ns1 -i 0 -S $oldfile $newfile >settime.out.test$n.2 || ret=1 # note previous zone serial number oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') @@ -1161,7 +1150,7 @@ oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') sleep 4 echo_i "revoking key to duplicated key ID" -$SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1 +$SETTIME -R now -K ns2 Kbar.+013+59973.key >settime.out.test$n.3 || ret=1 ($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 @@ -1170,17 +1159,17 @@ sleep 5 echo_i "checking former standby key $newid is now active ($n)" ret=0 -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking former standby key has only signed incrementally ($n)" ret=0 -$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 -grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null && ret=1 +grep 'RRSIG.*'" $oldid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1189,15 +1178,15 @@ echo_i "checking that signing records have been marked as complete ($n)" ret=0 checkprivate . 10.53.0.1 || ret=1 checkprivate bar 10.53.0.2 || ret=1 -checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280 +checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280 checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed checkprivate nsec3.example 10.53.0.3 || ret=1 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1 checkprivate nsec3.optout.example 10.53.0.3 || ret=1 -checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed -if $SHELL ../testcrypto.sh -q RSASHA1 -then - checkprivate nsec-only.example 10.53.0.3 || ret=1 +checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed +checkprivate nsec3-to-nsec3.example 10.53.0.3 2 || ret=1 # automatically removed +if $SHELL ../testcrypto.sh -q RSASHA1; then + checkprivate nsec-only.example 10.53.0.3 || ret=1 fi checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed checkprivate optout.example 10.53.0.3 || ret=1 @@ -1209,8 +1198,8 @@ checkprivate rsasha512.example 10.53.0.3 || ret=1 checkprivate secure.example 10.53.0.3 || ret=1 checkprivate secure.nsec3.example 10.53.0.3 || ret=1 checkprivate secure.optout.example 10.53.0.3 || ret=1 -checkprivate secure-to-insecure2.example 10.53.0.3 2|| ret=1 # automatically removed -checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1 # automatically removed +checkprivate secure-to-insecure2.example 10.53.0.3 2 || ret=1 # automatically removed +checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1 # automatically removed checkprivate ttl1.example 10.53.0.3 || ret=1 checkprivate ttl2.example 10.53.0.3 || ret=1 checkprivate ttl3.example 10.53.0.3 || ret=1 @@ -1226,8 +1215,8 @@ sleep 5 echo_i "checking former standby key has now signed fully ($n)" ret=0 -$DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1245,11 +1234,11 @@ ret=0 zsk=$(cat delayzsk.key) ksk=$(cat delayksk.key) # publication and activation times should be unset -$SETTIME -K ns3 -pA -pP $zsk > settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -pA -pP $zsk >settime.out.test$n.zsk || ret=1 grep -v UNSET settime.out.test$n.zsk >/dev/null && ret=1 -$SETTIME -K ns3 -pA -pP $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -pA -pP $ksk >settime.out.test$n.ksk || ret=1 grep -v UNSET settime.out.test$n.ksk >/dev/null && ret=1 -$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 # DNSKEY not expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1 n=$((n + 1)) @@ -1260,14 +1249,14 @@ echo_i "checking scheduled key publication, not activation ($n)" ret=0 # Ensure initial zone is loaded. wait_for_notifies "delay.example" "ns3" || ret=1 -$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -P now+3s -A none $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now+3s -A none $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 wait_for_notifies "delay.example" "ns3" || ret=1 -$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.test$n || ret=1 # DNSKEY expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1 # RRSIG not expected: @@ -1278,19 +1267,19 @@ status=$((status + ret)) echo_i "checking scheduled key activation ($n)" ret=0 -$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1 +$SETTIME -K ns3 -A now+3s $zsk >settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -A now+3s $ksk >settime.out.test$n.ksk || ret=1 ($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 3 wait_for_log_re 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run check_is_signed() { - $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1 + $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 >dig.out.ns3.1.test$n || return 1 # DNSKEY expected: awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1 # RRSIG expected: awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.1.test$n || return 1 - $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 > dig.out.ns3.2.test$n || return 1 + $DIG $DIGOPTS +noall +answer a a.delay.example. @10.53.0.3 >dig.out.ns3.2.test$n || return 1 # A expected: awk 'BEGIN {r=1} $4=="A" {r=0} END {exit r}' dig.out.ns3.2.test$n || return 1 # RRSIG expected: @@ -1310,12 +1299,15 @@ echo_i "checking former active key was removed ($n)" now=$($PERL -e 'print time(), "\n";') sleep=$((starttime + 29 - now)) case $sleep in --*|0);; -*) echo_i "waiting for timer to have activated"; sleep $sleep;; + -* | 0) ;; + *) + echo_i "waiting for timer to have activated" + sleep $sleep + ;; esac ret=0 -$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '; key id = '"$oldid"'$' dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1323,8 +1315,8 @@ status=$((status + ret)) echo_i "checking private key file removal caused no immediate harm ($n)" ret=0 id=$(keyfile_to_key_id "$(cat vanishing.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey . @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1333,12 +1325,12 @@ echo_i "checking revoked key with duplicate key ID ($n)" ret=0 id=59973 rid=60101 -$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns2.test$n >/dev/null && ret=1 keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l) test $keys -eq 2 || ret=1 -$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS dnskey bar @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1356,10 +1348,10 @@ status=$((status + ret)) # this confirms that key events are never scheduled more than # 'dnssec-loadkeys-interval' minutes in the future, and that the # event scheduled is within 10 seconds of expected interval. -check_interval () { - awk '/next key event/ {print $2 ":" $9}' $1/named.run | - sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' | - awk -F: ' +check_interval() { + awk '/next key event/ {print $2 ":" $9}' $1/named.run \ + | sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' \ + | awk -F: ' { x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000); # abs(x) < 1000 ms treat as 'now' @@ -1377,7 +1369,7 @@ check_interval () { exit (1); } END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 || return $? - return 0 + return 0 } echo_i "checking automatic key reloading interval ($n)" @@ -1403,8 +1395,8 @@ echo_i "forcing full sign with unreadable keys ($n)" ret=0 chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1 ($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 -$DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS . @10.53.0.1 dnskey >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1419,12 +1411,12 @@ rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) ($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 rndc_reconfig ns3 10.53.0.3 for i in 0 1 2 3 4 5 6 7 8 9; do - lret=0 - rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) - [ "$rekey_calls" -gt 0 ] || lret=1 - if [ "$lret" -eq 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 1 + lret=0 + rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) + [ "$rekey_calls" -gt 0 ] || lret=1 + if [ "$lret" -eq 0 ]; then break; fi + echo_i "waiting ... ($i)" + sleep 1 done n=$((n + 1)) if [ "$lret" != 0 ]; then ret=$lret; fi @@ -1433,19 +1425,19 @@ status=$((status + ret)) echo_i "test CDS and CDNSKEY auto generation ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n -grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n > /dev/null || ret=1 -grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n +grep -i "sync.example.*in.cds.*[1-9][0-9]* " dig.out.ns3.cdstest$n >/dev/null || ret=1 +grep -i "sync.example.*in.cdnskey.*257 " dig.out.ns3.cdnskeytest$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n -$DIG $DIGOPTS @10.53.0.3 sync.example cds > dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 sync.example dnskey >dig.out.ns3.dnskeytest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cdnskey >dig.out.ns3.cdnskeytest$n +$DIG $DIGOPTS @10.53.0.3 sync.example cds >dig.out.ns3.cdstest$n lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 2 || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) @@ -1458,9 +1450,9 @@ status=$((status + ret)) echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n -$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n -$DIG $DIGOPTS @10.53.0.3 kskonly.example cds > dig.out.ns3.cdstest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey >dig.out.ns3.dnskeytest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey >dig.out.ns3.cdnskeytest$n +$DIG $DIGOPTS @10.53.0.3 kskonly.example cds >dig.out.ns3.cdstest$n lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.ns3.dnskeytest$n | wc -l) test ${lines:-0} -eq 1 || ret=1 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.ns3.cdnskeytest$n | wc -l) @@ -1472,16 +1464,16 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" -$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1 +$SETTIME -D sync now $(cat sync.key) >settime.out.test$n || ret=1 ($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 echo_i "checking that the CDS and CDNSKEY are deleted ($n)" ret=0 ensure_cds_and_cdnskey_are_deleted() { - $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 - $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 + $DIG $DIGOPTS @10.53.0.3 sync.example. CDS >dig.out.ns3.cdstest$n || return 1 + awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 + $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY >dig.out.ns3.cdnskeytest$n || return 1 + awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 } retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 n=$((n + 1)) @@ -1490,7 +1482,7 @@ status=$((status + ret)) echo_i "check that dnssec-settime -p Dsync works ($n)" ret=0 -$SETTIME -p Dsync $(cat sync.key) > settime.out.test$n || ret=1 +$SETTIME -p Dsync $(cat sync.key) >settime.out.test$n || ret=1 grep "SYNC Delete:" settime.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1498,7 +1490,7 @@ status=$((status + ret)) echo_i "check that dnssec-settime -p Psync works ($n)" ret=0 -$SETTIME -p Psync $(cat sync.key) > settime.out.test$n || ret=1 +$SETTIME -p Psync $(cat sync.key) >settime.out.test$n || ret=1 grep "SYNC Publish:" settime.out.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1506,17 +1498,17 @@ status=$((status + ret)) echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ) +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1 -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ) +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1524,8 +1516,8 @@ status=$((status + ret)) echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n -grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example >dig.out.ns3.test$n +grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1538,12 +1530,12 @@ echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY" echo_ic "is now signed with the ZSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example >dig.out.ns3.test$n -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ) +zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 +grep "${pattern}" dig.out.ns3.test$n >/dev/null || ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "DNSKEY" { count++ } @@ -1566,10 +1558,10 @@ echo_i "check that zone with active and inactive ZSK and active KSK is properly" echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" echo_ic "is now signed with the KSK. ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example >dig.out.ns3.test$n +kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}') +grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1 count=$(awk 'BEGIN { count = 0 } $4 == "RRSIG" && $5 == "CNAME" { count++ } END {print count}' dig.out.ns3.test$n) @@ -1585,45 +1577,54 @@ status=$((status + ret)) echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)" ret=0 # Switch the zone over to NSEC3 and wait until the transition is complete. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. >signing.out.1.test$n 2>&1 || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1 - { grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1 - { grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - _ret=0 - break - fi - fi - sleep 1 + _ret=1 + $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 >dig.out.ns3.1.test$n 2>&1 || ret=1 + { + grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n >/dev/null 2>&1 + rc=$? + } || true + if [ $rc -eq 0 ]; then + $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.2.test$n 2>&1 + { + grep "Creating NSEC3 chain " signing.out.2.test$n >/dev/null 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + _ret=0 + break + fi + fi + sleep 1 done if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for NSEC3 chain creation" - ret=1 + echo_i "timed out waiting for NSEC3 chain creation" + ret=1 fi # Mark the inactive ZSK as pending removal. file="ns3/$(cat delzsk.key).key" -$SETTIME -D now-1h $file > settime.out.test$n || ret=1 +$SETTIME -D now-1h $file >settime.out.test$n || ret=1 # Trigger removal of the inactive ZSK and wait until its completion. ($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1 - { grep "Signing " signing.out.3.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then - _ret=0 - break - fi - fi - sleep 1 + _ret=1 + $RNDCCMD 10.53.0.3 signing -list delzsk.example >signing.out.3.test$n 2>&1 + { + grep "Signing " signing.out.3.test$n >/dev/null 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then + _ret=0 + break + fi + fi + sleep 1 done if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for key removal" - ret=1 + echo_i "timed out waiting for key removal" + ret=1 fi # Check whether key removal caused NSEC3 records to be erroneously created for # glue records due to a secure delegation already being signed by the active key @@ -1634,26 +1635,26 @@ fi # $ nsec3hash 12345678 1 10 ns.sub.delzsk.example. # 589R358VSPJUFVAJU949JPVF74D9PTGH (salt=12345678, hash=1, iterations=10) # -$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 > dig.out.ns3.3.test$n || ret=1 -grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS delzsk.example AXFR @10.53.0.3 >dig.out.ns3.3.test$n || ret=1 +grep "589R358VSPJUFVAJU949JPVF74D9PTGH" dig.out.ns3.3.test$n >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)" ret=0 -$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that DNAME is not treated as a delegation when signing ($n)" ret=0 -$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n > /dev/null 2>&1 || ret=1 -$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS dname-and-txt.secure.example. DNAME @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "dname-and-txt.secure.example.*RRSIG.*DNAME" dig.out.ns3.1.test$n >/dev/null 2>&1 || ret=1 +$DIG $DIGOPTS dname-and-txt.secure.example. TXT @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "dname-and-txt.secure.example.*RRSIG.*TXT" dig.out.ns3.2.test$n >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1677,7 +1678,7 @@ status=$((status + ret)) echo_i "checking that CDS (DELETE) persists after zone sign ($n)" echo_i "update add cds-delete.example. CDS 0 0 00" ret=0 -$NSUPDATE > nsupdate.out 2>&1 <<END +$NSUPDATE >nsupdate.out 2>&1 <<END server 10.53.0.3 ${PORT} zone cds-delete.example. update add cds-delete.example. 3600 CDS 0 0 0 00 @@ -1685,14 +1686,14 @@ send END _cds_delete() ( - $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 || return 1 + return 0 ) _cdnskey_delete_nx() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 && return 1 + return 0 } echo_i "query cds-delete.example. CDS" @@ -1702,7 +1703,7 @@ retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 echo_i "sign cds-delete.example." nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 sign cds-delete.example >/dev/null 2>&1 || ret=1 wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run # The CDS (DELETE) record should still be here. echo_i "query cds-delete.example. CDS" @@ -1718,7 +1719,7 @@ status=$((status + ret)) echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" ret=0 -$NSUPDATE > nsupdate.out 2>&1 <<END +$NSUPDATE >nsupdate.out 2>&1 <<END server 10.53.0.3 ${PORT} zone cdnskey-delete.example. update add cdnskey-delete.example. 3600 CDNSKEY 0 3 0 AA== @@ -1726,14 +1727,14 @@ send END _cds_delete_nx() ( - $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n >/dev/null 2>&1 && return 1 + return 0 ) _cdnskey_delete() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 >dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n >/dev/null 2>&1 || return 1 + return 0 } echo_i "query cdnskey-delete.example. CDNSKEY" @@ -1743,7 +1744,7 @@ retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 echo_i "sign cdsnskey-delete.example." nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 sign cdnskey-delete.example >/dev/null 2>&1 || ret=1 wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run # The CDNSKEY (DELETE) record should still be here. echo_i "query cdnskey-delete.example. CDNSKEY" @@ -1761,40 +1762,80 @@ ret=0 zone=optout-with-ent hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL # check that NSEC3 for ENT is present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n >/dev/null || ret=1 # remove first delegation of two delegations, NSEC3 for ENT should remain. ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update del sub1.ent.$zone NS -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update del sub1.ent.$zone NS + echo send ) | $NSUPDATE # check that NSEC3 for ENT is still present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.mid.ns2.test$n grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.mid.ns2.test$n >/dev/null || ret=1 # remove second delegation of two delegations, NSEC3 for ENT should be deleted. ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update del sub2.ent.$zone NS -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update del sub2.ent.$zone NS + echo send ) | $NSUPDATE # check that NSEC3 for ENT is gone present -$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" >dig.out.post.ns2.test$n grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 -grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 -$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n -grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n >/dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" >dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \ + | awk 'BEGIN { private=0; rrsig=0; ok=0 } +$1 == "del" && $5 == "SOA" { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } } +$1 == "add" && $5 == "TYPE65534" { private=1 } +$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { rrsig=1 } +END { if (private || rrsig) { if (private == rrsig) { exit(0); } else { exit(1); } } else { exit (1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check that NSEC3 to NSEC builds the NSEC chain first ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \ + | awk 'BEGIN { nsec3param=0; nsec=0 } +$1 == "del" && $5 == "SOA" { if (nsec3param || nsec) { if (nsec3param && !nsec) { exit(1); } else { exit(0); } } } +$1 == "del" && $5 == "NSEC3PARAM" { nsec3param=1 } +$1 == "add" && $2 == "nsec3-to-nsec.example." && $5 == "NSEC" { nsec=1 } +END { if (nsec3param || nsec) { if (nsec3param && !nsec) { exit(1); } else { exit(0); } } else { exit(1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "check that NSEC3 to NSEC3 builds the new NSEC3 chain first ($n)" +ret=0 +$JOURNALPRINT ns3/nsec3-to-nsec3.example.db.jnl \ + | awk 'BEGIN { addnsec3param=0; delnsec3param=0; nsec3=0 } +$1 == "del" && $5 == "SOA" { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } } +$1 == "del" && $5 == "NSEC3PARAM" { delnsec3param=1 } +$1 == "add" && $5 == "NSEC3PARAM" { addnsec3param=1 } +$1 == "add" && $5 == "NSEC3" { nsec3=1 } +END { if (delnsec3param || nsec3 || addnsec3param) { if (delnsec3param && (!nsec3 || !addnsec3param)) { exit(1); } else { exit(0); } } else { exit(1); } } +' || ret=1 +n=$((n + 1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/builtin/ns1/named.conf.in b/bin/tests/system/builtin/ns1/named.conf.in index 723e6b2..d2abad7 100644 --- a/bin/tests/system/builtin/ns1/named.conf.in +++ b/bin/tests/system/builtin/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/builtin/ns2/named.conf.in b/bin/tests/system/builtin/ns2/named.conf.in index 38b95f0..64327db 100644 --- a/bin/tests/system/builtin/ns2/named.conf.in +++ b/bin/tests/system/builtin/ns2/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/builtin/ns3/named.conf.in b/bin/tests/system/builtin/ns3/named.conf.in index df538db..c3a1372 100644 --- a/bin/tests/system/builtin/ns3/named.conf.in +++ b/bin/tests/system/builtin/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/builtin/tests.sh b/bin/tests/system/builtin/tests.sh index 9151fc3..cd3df75 100644 --- a/bin/tests/system/builtin/tests.sh +++ b/bin/tests/system/builtin/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 @@ -126,41 +126,47 @@ n=$((n + 1)) ret=0 count=0 echo_i "Checking expected empty zones were configured ($n)" -for zone in ${emptyzones} -do - grep "automatic empty zone: $zone" ns1/named.run > /dev/null || { - echo_i "failed (empty zone $zone missing)" - ret=1 - } - count=$((count + 1)) +for zone in ${emptyzones}; do + grep "automatic empty zone: $zone" ns1/named.run >/dev/null || { + echo_i "failed (empty zone $zone missing)" + ret=1 + } + count=$((count + 1)) done lines=$(grep "automatic empty zone: " ns1/named.run | wc -l) test $count -eq $lines -a $count -eq 99 || { - ret=1; echo_i "failed (count mismatch)"; + ret=1 + echo_i "failed (count mismatch)" } -if [ $ret != 0 ] ; then status=$((status + ret)); fi +if [ $ret != 0 ]; then status=$((status + ret)); fi n=$((n + 1)) echo_i "Checking that reconfiguring empty zones is silent ($n)" $RNDCCMD 10.53.0.1 reconfig ret=0 -grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 -grep "received control channel command 'reconfig'" ns1/named.run > /dev/null || ret=1 -grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +grep "automatic empty zone" ns1/named.run >/dev/null || ret=1 +grep "received control channel command 'reconfig'" ns1/named.run >/dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1 sleep 1 -grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "Checking that reloading empty zones is silent ($n)" rndc_reload ns1 10.53.0.1 ret=0 -grep "automatic empty zone" ns1/named.run > /dev/null || ret=1 -grep "received control channel command 'reload'" ns1/named.run > /dev/null || ret=1 -grep "reloading configuration succeeded" ns1/named.run > /dev/null || ret=1 +grep "automatic empty zone" ns1/named.run >/dev/null || ret=1 +grep "received control channel command 'reload'" ns1/named.run >/dev/null || ret=1 +grep "reloading configuration succeeded" ns1/named.run >/dev/null || ret=1 sleep 1 -grep "zone serial (0) unchanged." ns1/named.run > /dev/null && ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +grep "zone serial (0) unchanged." ns1/named.run >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi HOST_NAME=$($FEATURETEST --gethostname) BIND_VERSION_STRING=$($NAMED -V | head -1) @@ -169,80 +175,113 @@ BIND_VERSION=$($NAMED -V | sed -ne 's/^BIND \([^ ]*\).*/\1/p') n=$((n + 1)) ret=0 echo_i "Checking that default version works for rndc ($n)" -$RNDCCMD 10.53.0.1 status > rndc.status.ns1.$n 2>&1 -grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$RNDCCMD 10.53.0.1 status >rndc.status.ns1.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING" rndc.status.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom version works for rndc ($n)" -$RNDCCMD 10.53.0.3 status > rndc.status.ns3.$n 2>&1 -grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$RNDCCMD 10.53.0.3 status >rndc.status.ns3.$n 2>&1 +grep -F "version: $BIND_VERSION_STRING (this is a test of version)" rndc.status.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that default version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 -grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1 +grep "^\"$BIND_VERSION\"$" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom version works for query ($n)" -$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^\"this is a test of version\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short version.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^\"this is a test of version\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that default hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 -grep "^\"$HOST_NAME\"$" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1 +grep "^\"$HOST_NAME\"$" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom hostname works for query ($n)" -$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short hostname.bind txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^\"this.is.a.test.of.hostname\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that default server-id is none for query ($n)" -$DIG $DIGOPTS id.server txt ch @10.53.0.1 > dig.out.ns1.$n || ret=1 -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns1.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS id.server txt ch @10.53.0.1 >dig.out.ns1.$n || ret=1 +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that server-id hostname works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 > dig.out.ns2.$n || ret=1 -grep "^\"$HOST_NAME\"$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.2 >dig.out.ns2.$n || ret=1 +grep "^\"$HOST_NAME\"$" dig.out.ns2.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that server-id hostname works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 > dig.out.ns2.$n || ret=1 -grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.2 >dig.out.ns2.$n || ret=1 +grep "^; NSID: .* (\"$HOST_NAME\")$" dig.out.ns2.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom server-id works for query ($n)" -$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +short id.server txt ch @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^\"this.is.a.test.of.server-id\"$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) ret=0 echo_i "Checking that custom server-id works for EDNS name server ID request ($n)" -$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 > dig.out.ns3.$n || ret=1 -grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS +norec +nsid foo @10.53.0.3 >dig.out.ns3.$n || ret=1 +grep "^; NSID: .* (\"this.is.a.test.of.server-id\")$" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/cacheclean/ns2/named.conf.in b/bin/tests/system/cacheclean/ns2/named.conf.in index 0b5cd29..6ffa073 100644 --- a/bin/tests/system/cacheclean/ns2/named.conf.in +++ b/bin/tests/system/cacheclean/ns2/named.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "flushtest.example" { diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh index 387ce86..141716a 100755 --- a/bin/tests/system/cacheclean/tests.sh +++ b/bin/tests/system/cacheclean/tests.sh @@ -18,17 +18,17 @@ set -e status=0 n=0 -RNDCOPTS="-c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" +RNDCOPTS="-c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm \ +nostat @10.53.0.2 -p ${PORT}" # fill the cache with nodes from flushtest.example zone -load_cache () { - # empty all existing cache data - $RNDC $RNDCOPTS flush +load_cache() { + # empty all existing cache data + $RNDC $RNDCOPTS flush - # load the positive cache entries - $DIG $DIGOPTS -f - << EOF > /dev/null 2>&1 + # load the positive cache entries + $DIG $DIGOPTS -f - <<EOF >/dev/null 2>&1 txt top1.flushtest.example txt second1.top1.flushtest.example txt third1.second1.top1.flushtest.example @@ -47,42 +47,42 @@ txt third2.second2.top3.flushtest.example txt second3.top3.flushtest.example EOF - # load the negative cache entries - # nxrrset: - $DIG $DIGOPTS a third1.second1.top1.flushtest.example > /dev/null - # nxdomain: - $DIG $DIGOPTS txt top4.flushtest.example > /dev/null - # empty nonterminal: - $DIG $DIGOPTS txt second2.top3.flushtest.example > /dev/null + # load the negative cache entries + # nxrrset: + $DIG $DIGOPTS a third1.second1.top1.flushtest.example >/dev/null + # nxdomain: + $DIG $DIGOPTS txt top4.flushtest.example >/dev/null + # empty nonterminal: + $DIG $DIGOPTS txt second2.top3.flushtest.example >/dev/null - # sleep 2 seconds ensure the TTLs will be lower on cached data - sleep 2 + # sleep 2 seconds ensure the TTLs will be lower on cached data + sleep 2 } -dump_cache () { - rndc_dumpdb ns2 -cache _default +dump_cache() { + rndc_dumpdb ns2 -cache _default } -clear_cache () { - $RNDC $RNDCOPTS flush +clear_cache() { + $RNDC $RNDCOPTS flush } -in_cache () { - ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}') - [ -z "$ttl" ] && { - ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}') - [ "$ttl" -ge 3599 ] && return 1 - return 0 - } - [ "$ttl" -ge 3599 ] && return 1 - return 0 +in_cache() { + ttl=$($DIG $DIGOPTS "$@" | awk '{print $2}') + [ -z "$ttl" ] && { + ttl=$($DIG $DIGOPTS +noanswer +auth "$@" | awk '{print $2}') + [ "$ttl" -ge 3599 ] && return 1 + return 0 + } + [ "$ttl" -ge 3599 ] && return 1 + return 0 } # Extract records at and below name "$1" from the cache dump in file "$2". -filter_tree () { - tree="$1" - file="$2" - perl -n -e ' +filter_tree() { + tree="$1" + file="$2" + perl -n -e ' next if /^;/; if (/'"$tree"'/ || (/^\t/ && $print)) { $print = 1; @@ -95,7 +95,7 @@ filter_tree () { n=$((n + 1)) echo_i "check correctness of routine cache cleaning ($n)" -$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch > dig.out.ns2 || status=1 +$DIG $DIGOPTS +tcp +keepopen -b 10.53.0.7 -f dig.batch >dig.out.ns2 || status=1 digcomp --lc dig.out.ns2 knowngood.dig.out || status=1 @@ -103,7 +103,10 @@ n=$((n + 1)) echo_i "only one tcp socket was used ($n)" tcpclients=$(awk '$3 == "client" && $5 ~ /10.53.0.7#[0-9]*:/ {print $5}' ns2/named.run | sort | uniq -c | wc -l) -test $tcpclients -eq 1 || { status=1; echo_i "failed"; } +test $tcpclients -eq 1 || { + status=1 + echo_i "failed" +} n=$((n + 1)) echo_i "reset and check that records are correctly cached initially ($n)" @@ -111,7 +114,10 @@ ret=0 load_cache dump_cache nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) -[ $nrecords -eq 18 ] || { ret=1; echo_i "found $nrecords records expected 18"; } +[ $nrecords -eq 18 ] || { + ret=1 + echo_i "found $nrecords records expected 18" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -205,7 +211,10 @@ echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -v '^;' | grep -E '(TXT|ANY)' | wc -l) -[ $nrecords -eq 17 ] || { ret=1; echo_i "found $nrecords records expected 17"; } +[ $nrecords -eq 17 ] || { + ret=1 + echo_i "found $nrecords records expected 17" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -223,7 +232,10 @@ echo_i "check the number of cached records remaining ($n)" ret=0 dump_cache nrecords=$(filter_tree flushtest.example ns2/named_dump.db.test$n | grep -E '(TXT|ANY)' | wc -l) -[ $nrecords -eq 1 ] || { ret=1; echo_i "found $nrecords records expected 1"; } +[ $nrecords -eq 1 ] || { + ret=1 + echo_i "found $nrecords records expected 1" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -234,34 +246,34 @@ load_cache dump_cache mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.a sed -n '/plain success\/timeout/,/Unassociated entries/p' \ - ns2/named_dump.db.test$n.a > sed.out.$n.a -grep 'plain success/timeout' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.a > /dev/null 2>&1 || ret=1 -grep 'ns.flushtest.example' sed.out.$n.a > /dev/null 2>&1 || ret=1 + ns2/named_dump.db.test$n.a >sed.out.$n.a +grep 'plain success/timeout' sed.out.$n.a >/dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.a >/dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.a >/dev/null 2>&1 || ret=1 $RNDC $RNDCOPTS flushtree flushtest.example || ret=1 dump_cache mv ns2/named_dump.db.test$n ns2/named_dump.db.test$n.b sed -n '/plain success\/timeout/,/Unassociated entries/p' \ - ns2/named_dump.db.test$n.b > sed.out.$n.b -grep 'plain success/timeout' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'Unassociated entries' sed.out.$n.b > /dev/null 2>&1 || ret=1 -grep 'ns.flushtest.example' sed.out.$n.b > /dev/null 2>&1 && ret=1 + ns2/named_dump.db.test$n.b >sed.out.$n.b +grep 'plain success/timeout' sed.out.$n.b >/dev/null 2>&1 || ret=1 +grep 'Unassociated entries' sed.out.$n.b >/dev/null 2>&1 || ret=1 +grep 'ns.flushtest.example' sed.out.$n.b >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check expire option returned from primary zone ($n)" ret=0 -$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1 -grep EXPIRE: dig.out.expire > /dev/null || ret=1 +$DIG @10.53.0.1 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1 +grep EXPIRE: dig.out.expire >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check expire option returned from secondary zone ($n)" ret=0 -$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test > dig.out.expire || ret=1 -grep EXPIRE: dig.out.expire > /dev/null || ret=1 +$DIG @10.53.0.2 -p ${PORT} +expire soa expire-test >dig.out.expire || ret=1 +grep EXPIRE: dig.out.expire >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/case/tests.sh b/bin/tests/system/case/tests.sh index 6b40574..c5bc0e7 100644 --- a/bin/tests/system/case/tests.sh +++ b/bin/tests/system/case/tests.sh @@ -18,9 +18,9 @@ set -e DIGOPTS="+tcp +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 @@ -29,25 +29,23 @@ n=0 n=$((n + 1)) echo_i "waiting for zone transfer to complete ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS soa example. @10.53.0.2 > dig.ns2.test$n || true - grep SOA dig.ns2.test$n > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS soa example. @10.53.0.2 >dig.ns2.test$n || true + grep SOA dig.ns2.test$n >/dev/null && break + sleep 1 done -for i in 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS soa dynamic. @10.53.0.2 > dig.ns2.test$n || true - grep SOA dig.ns2.test$n > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS soa dynamic. @10.53.0.2 >dig.ns2.test$n || true + grep SOA dig.ns2.test$n >/dev/null && break + sleep 1 done n=$((n + 1)) echo_i "testing case preserving responses - no acl ($n)" ret=0 -$DIG $DIGOPTS mx example. @10.53.0.1 > dig.ns1.test$n || ret=1 -grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 -grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. @10.53.0.1 >dig.ns1.test$n || ret=1 +grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1 test $ret -eq 0 || echo_i "failed" status=$((status + ret)) @@ -56,14 +54,14 @@ echo_i "testing no-case-compress acl '{ 10.53.0.2; }' ($n)" ret=0 # check that we preserve zone case for non-matching query (10.53.0.1) -$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 > dig.ns1.test$n || ret=1 -grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1 -grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 >dig.ns1.test$n || ret=1 +grep "0.mail.eXaMpLe" dig.ns1.test$n >/dev/null || ret=1 +grep "mAiL.example" dig.ns1.test$n >/dev/null || ret=1 # check that we don't preserve zone case for match (10.53.0.2) -$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 > dig.ns2.test$n || ret=1 -grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1 -grep "mail.example" dig.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 >dig.ns2.test$n || ret=1 +grep "0.mail.example" dig.ns2.test$n >/dev/null || ret=1 +grep "mail.example" dig.ns2.test$n >/dev/null || ret=1 test $ret -eq 0 || echo_i "failed" status=$((status + ret)) @@ -71,7 +69,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing load of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -80,7 +78,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "transfer of dynamic zone with various \$ORIGIN values ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n dynamic.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -88,13 +86,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "change SOA owner case via update ($n)" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.1 ${PORT} zone dynamic update add dYNAMIc 0 SOA mname1. . 2000042408 20 20 1814400 3600 send EOF -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -111,7 +109,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check SOA owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n postupdate.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -120,13 +118,13 @@ status=$((status + ret)) #update delete Ns1.DyNaMIC. 300 IN A 10.53.0.1 n=$((n + 1)) echo_i "change A record owner case via update ($n)" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.1 ${PORT} zone dynamic update add Ns1.DyNaMIC. 300 IN A 10.53.0.1 send EOF -$DIG $DIGOPTS axfr dynamic @10.53.0.1 > dig.ns1.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.1 >dig.ns1.test$n || ret=1 digcomp dig.ns1.test$n postns1.good || ret=1 test $ret -eq 0 || echo_i "failed" @@ -143,7 +141,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check A owner case is transferred to secondary ($n)" ret=0 -$DIG $DIGOPTS axfr dynamic @10.53.0.2 > dig.ns2.test$n || ret=1 +$DIG $DIGOPTS axfr dynamic @10.53.0.2 >dig.ns2.test$n || ret=1 digcomp dig.ns2.test$n postns1.good || ret=1 status=$((status + ret)) diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index bcfc68a..1f4ee99 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index 3169abb..882a4ba 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index b5be974..51d72dc 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns3/named.conf.in b/bin/tests/system/catz/ns3/named.conf.in index fb82379..47c4ed7 100644 --- a/bin/tests/system/catz/ns3/named.conf.in +++ b/bin/tests/system/catz/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in index 2f43c25..3ac60b2 100644 --- a/bin/tests/system/catz/ns4/named.conf.in +++ b/bin/tests/system/catz/ns4/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index 4965e20..8e54e0c 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh @@ -17,339 +17,339 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } rndccmd() ( - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" ) _wait_for_message() ( - nextpartpeek "$1" > wait_for_message.$n - grep -F "$2" wait_for_message.$n >/dev/null + nextpartpeek "$1" >wait_for_message.$n + grep -F "$2" wait_for_message.$n >/dev/null ) wait_for_message() ( - retry_quiet 20 _wait_for_message "$@" + retry_quiet 20 _wait_for_message "$@" ) _wait_for_rcode() ( - rcode="$1" - qtype="$2" - ns="$3" - qname="$4" - file="$5" - shift 5 - dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 - grep "status: $rcode" "$file" >/dev/null + rcode="$1" + qtype="$2" + ns="$3" + qname="$4" + file="$5" + shift 5 + dig_with_opts "$ns" "$qtype" "$qname" "$@" >"$file" || return 1 + grep "status: $rcode" "$file" >/dev/null ) wait_for_rcode() ( - retry_quiet 10 _wait_for_rcode "$@" + retry_quiet 10 _wait_for_rcode "$@" ) wait_for_soa() ( - wait_for_rcode NOERROR SOA "$@" + wait_for_rcode NOERROR SOA "$@" ) wait_for_a() ( - wait_for_rcode NOERROR A "$@" + wait_for_rcode NOERROR A "$@" ) wait_for_no_soa() { - wait_for_rcode REFUSED SOA "$@" + wait_for_rcode REFUSED SOA "$@" } _wait_for_zonefile() ( - # shellcheck disable=SC2234 - [ -f "$1" ] + # shellcheck disable=SC2234 + [ -f "$1" ] ) wait_for_zonefile() ( - retry_quiet 10 _wait_for_zonefile "$@" + retry_quiet 10 _wait_for_zonefile "$@" ) _wait_for_no_zonefile() ( - # shellcheck disable=SC2234 - [ ! -f "$1" ] + # shellcheck disable=SC2234 + [ ! -f "$1" ] ) wait_for_no_zonefile() ( - retry_quiet 10 _wait_for_no_zonefile "$@" + retry_quiet 10 _wait_for_no_zonefile "$@" ) status=0 n=0 ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad1.example (with no version) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad1.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad1.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad2.example (with unsupported version) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'catalog-bad2.example' unsupported version '99'" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad2.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: zone 'catalog-bad2.example' unsupported version '99'" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad2.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad3.example (with two supported version records) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: 'version' property TXT RRset contains more than one record, which is invalid" && -wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad3.example IN TXT (failure) - ignoring" && -wait_for_message ns2/named.run "catz: zone 'catalog-bad3.example' version is not set" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: 'version' property TXT RRset contains more than one record, which is invalid" \ + && wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad3.example IN TXT (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: zone 'catalog-bad3.example' version is not set" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad4.example (with only spurious type A version record) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad4.example IN A (failure) - ignoring" && -wait_for_message ns2/named.run "catz: zone 'catalog-bad4.example' version is not set" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad4.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad4.example IN A (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: zone 'catalog-bad4.example' version is not set" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad4.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that catalog-bad5.example (non-IN class) has failed to load ($n)" ret=0 -wait_for_message ns2/named.run "'catalog-zones' option is only supported for views with class IN" && -wait_for_message ns2/named.run "all zones loaded" || ret=1 +wait_for_message ns2/named.run "'catalog-zones' option is only supported for views with class IN" \ + && wait_for_message ns2/named.run "all zones loaded" || ret=1 grep -F "catz: dns_catz_add_zone catalog-bad5.example" ns2/named.run && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null ########################################################################## echo_i "Testing adding/removing of domain in catalog zone" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom1.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom1.example.db -echo "@ 3600 IN NS invalid." >> ns1/dom1.example.db -echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom1.example.db +echo "@ 3600 IN NS invalid." >>ns1/dom1.example.db +echo "foo 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "bar 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/dom1.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/dom1.example.db rndccmd 10.53.0.1 addzone dom1.example. in default '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom1.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN PTR dom1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom1.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom1.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that zone-directory is populated ($n)" ret=0 wait_for_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "update dom1.example. ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom1.example 0 IN TXT added record send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to be updated ($n)" ret=0 wait_for_txt() { - dig_with_opts @10.53.0.2 TXT dom1.example. > dig.out.test$n || return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "IN.TXT." dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 TXT dom1.example. >dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "IN.TXT." dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that journal was created for cleanup test ($n)" ret=0 test -f ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "update catalog zone serial ($n)" ret=0 # default minimum update rate is once / 5 seconds sleep 5 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add catalog1.example 3600 SOA . . 20 86400 3600 86400 3600 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for catalog zone to transfer ($n)" ret=0 wait_for_soa_equal_20() { - dig_with_opts @10.53.0.2 SOA catalog1.example. > dig.out.test$n || return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep 'IN.SOA.\. \. 20 ' dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 SOA catalog1.example. >dig.out.test$n || return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep 'IN.SOA.\. \. 20 ' dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_soa_equal_20 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "update dom1.example. again ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add foo.dom1.example 0 IN TXT added record send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to be updated again ($n)" ret=0 wait_for_txt() { - dig_with_opts @10.53.0.2 TXT foo.dom1.example. > dig.out.test$n || return 1 - grep "ANSWER: 2," dig.out.test$n > /dev/null || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "IN.TXT." dig.out.test$n > /dev/null || return 1 + dig_with_opts @10.53.0.2 TXT foo.dom1.example. >dig.out.test$n || return 1 + grep "ANSWER: 2," dig.out.test$n >/dev/null || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "IN.TXT." dig.out.test$n >/dev/null || return 1 } retry_quiet 10 wait_for_txt || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom1.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom1.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that zone-directory is emptied ($n)" ret=0 wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null ########################################################################## echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone" -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db -echo "@ IN NS invalid." >> ns1/dom2.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom2.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom2.example.db +echo "@ IN NS invalid." >>ns1/dom2.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom2.example.db rndccmd 10.53.0.1 addzone dom2.example. in default '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom2.example.db -echo "@ IN NS invalid." >> ns3/dom2.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom2.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom2.example.db +echo "@ IN NS invalid." >>ns3/dom2.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom2.example.db rndccmd 10.53.0.3 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db -echo "@ IN NS invalid." >> ns1/dom4.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom4.example.db +echo "@ IN NS invalid." >>ns1/dom4.example.db rndccmd 10.53.0.1 addzone dom4.example. in default '{type primary; file "dom4.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom2.example, dom3.example. and some garbage to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." @@ -366,197 +366,197 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4.example. to catalog2 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" && -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom4.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog2.example' with serial 2670950425" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom4.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom4.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom4.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom3.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db -echo "@ IN NS invalid." >> ns1/dom3.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom3.example.db +echo "@ IN NS invalid." >>ns1/dom3.example.db rndccmd 10.53.0.1 addzone dom3.example. in default '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is served by primary ($n)" ret=0 -wait_for_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 +wait_for_soa @10.53.0.1 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom3.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom3.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # The member zone's PTR RRset must have only one record in it. # Check that adding a second record to the RRset is caught and such a # catalog zone is not processed. -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom4-reused-label.example. to catalog2 zone, reusing a label ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up, and checking that the reused label has been caught ($n)" ret=0 -wait_for_message ns2/named.run "de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example IN PTR (failure)" && -wait_for_message ns2/named.run "catz: new catalog zone 'catalog2.example' is broken and will not be processed" || ret=1 +wait_for_message ns2/named.run "de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example IN PTR (failure)" \ + && wait_for_message ns2/named.run "catz: new catalog zone 'catalog2.example' is broken and will not be processed" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom4-reused-label.example. from catalog2 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # Test zone associated state reset. -n=$((n+1)) +n=$((n + 1)) echo_i "renaming the label of domain dom4.example. in catalog2 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4.example. update add dom4-renamed-label.zones.catalog2.example. 3600 IN PTR dom4.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up, and checking that the zone has been reset ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'dom4.example' unique label has changed, reset state" && -wait_for_message ns2/named.run "catz: deleting zone 'dom4.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example' - success" || ret=1 +wait_for_message ns2/named.run "catz: zone 'dom4.example' unique label has changed, reset state" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom4.example' from catalog 'catalog2.example' - success" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example' - success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom2.example. to catalog2 zone to test change of ownership ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add dom2-without-coo.zones.catalog2.example. 3600 IN PTR dom2.example. update add primaries.dom2-without-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that unpermitted change of ownership did not happen ($n)" ret=0 wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom2.example' will not be added because another catalog zone already contains an entry with that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom2.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding change of ownership permission record for dom2.example. into catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR catalog2.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: updating catalog zone 'catalog1.example'" && -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: updating catalog zone 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "updating catalog2 zone to initiate a zone transfer ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete dom2-without-coo.zones.catalog2.example. 3600 IN PTR dom2.example. update delete primaries.dom2-without-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 @@ -565,291 +565,291 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up and checking that the change of ownership was successful ($n)" ret=0 -wait_for_message ns2/named.run "catz: zone 'dom2.example' change of ownership from 'catalog1.example' to 'catalog2.example'" && -wait_for_message ns2/named.run "catz: deleting zone 'dom2.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: zone 'dom2.example' change of ownership from 'catalog1.example' to 'catalog2.example'" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom2.example' from catalog 'catalog1.example' - success" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom2.example. is served by secondary and that it's now the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom2.example. and its change of ownership permission record from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR catalog2.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding change of ownership permission record for dom2.example. into catalog2 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add coo.dom2-with-coo.zones.catalog2.example. 3600 IN PTR catalog1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: update_from_db: iteration finished" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding back dom2.example. into catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that the change of ownership did not happen because version '1' catalog2 zone does not support the 'coo' property ($n)" ret=0 wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom2.example' will not be added because another catalog zone already contains an entry with that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom2.example. is still served by secondary and that it's still the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom2.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # GL #3060 -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" ret=0 -sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T3//" <ns2/named1.conf.in >ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking again that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null # GL #3911 -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" ret=0 -sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T4//" <ns2/named1.conf.in >ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # catalog zone update can be deferred sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "checking again that dom3.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom-existing.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing.example.db -echo "@ IN NS invalid." >> ns1/dom-existing.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom-existing.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom-existing.example.db +echo "@ IN NS invalid." >>ns1/dom-existing.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom-existing.example.db rndccmd 10.53.0.1 addzone dom-existing.example. in default '{type primary; file "dom-existing.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing.example. is served by primary ($n)" ret=0 wait_for_a @10.53.0.1 dom-existing.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom-existing.example. to catalog1 zone to test that existing zones don't get overwritten ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom-existing.zones.catalog1.example. 3600 IN PTR dom-existing.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom-existing.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing.example' will not be added because it is an explicitly configured zone" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing.example' will not be added because it is an explicitly configured zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing.example. is served by secondary and that it's not the one from the primary ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom-existing.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null && ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom-existing-forward.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing-forward.example.db -echo "@ IN NS invalid." >> ns1/dom-existing-forward.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom-existing-forward.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom-existing-forward.example.db +echo "@ IN NS invalid." >>ns1/dom-existing-forward.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom-existing-forward.example.db rndccmd 10.53.0.1 addzone dom-existing-forward.example. in default '{type primary; file "dom-existing-forward.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward.example. is served by primary ($n)" ret=0 wait_for_a @10.53.0.1 dom-existing-forward.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom-existing-forward.example. to catalog1 zone to test that existing forward zones don't get overwritten ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom-existing-forward.zones.catalog1.example. 3600 IN PTR dom-existing-forward.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing-forward.example' will not be processed because of the explicitly configured forwarding for that zone" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz_addmodzone_taskaction: zone 'dom-existing-forward.example' will not be processed because of the explicitly configured forwarding for that zone" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom-existing-forward.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom-existing-forward-off.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing-forward-off.example.db -echo "@ IN NS invalid." >> ns1/dom-existing-forward-off.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom-existing-forward-off.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom-existing-forward-off.example.db +echo "@ IN NS invalid." >>ns1/dom-existing-forward-off.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom-existing-forward-off.example.db rndccmd 10.53.0.1 addzone dom-existing-forward-off.example. in default '{type primary; file "dom-existing-forward-off.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward-off.example. is served by primary ($n)" ret=0 wait_for_a @10.53.0.1 dom-existing-forward-off.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom-existing-forward-off.example. to catalog1 zone to test that a zone with turned off forwarding can be used in a catalog zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom-existing-forward-off.zones.catalog1.example. 3600 IN PTR dom-existing-forward-off.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward-off.example' from catalog 'catalog1.example'" && -if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +wait_for_message ns2/named.run "catz: adding zone 'dom-existing-forward-off.example' from catalog 'catalog1.example'" \ + && if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom-existing-forward-off.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom-existing-forward-off.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing all records from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." @@ -869,12 +869,12 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing all records from catalog2 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete dom2-with-coo.zones.catalog2.example. 3600 IN PTR dom2.example. update delete primaries.dom2-with-coo.zones.catalog2.example. 3600 IN A 10.53.0.3 @@ -883,70 +883,69 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing primaries suboption and random labels" -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom5.example. with a valid primaries suboption (IP without TSIG) and a random label ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. update add primaries.ext.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom5.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom5.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom5.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom5.example. ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete somerandomlabel.zones.catalog1.example. 3600 IN PTR dom5.example. update delete primaries.somerandomlabel.zones.catalog1.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom5.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom5.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) ########################################################################## echo_i "Testing primaries global option" -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom6.example. and a valid global primaries option (IP without TSIG) ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add primaries.ext.catalog1.example. 3600 IN A 10.53.0.3 update add primaries.ext.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 @@ -954,27 +953,27 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom6.example/IN/default' from " > /dev/null || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom6.example/IN/default' from " >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom6.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom6.example. ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete primaries.ext.catalog1.example. 3600 IN A 10.53.0.3 update delete primaries.ext.catalog1.example. 3600 IN AAAA fd92:7065:b8e:ffff::3 @@ -982,142 +981,142 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom6.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom6.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom6.example. and an invalid global primaries option (TSIG without IP) ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add label1.primaries.ext.catalog1.example. 3600 IN TXT "tsig_key" update add 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom6.example'" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom6.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing dom6.example. ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete label1.primaries.ext.catalog1.example. 3600 IN TXT "tsig_key" update delete 4346f565b4d63ddb99e5d2497ff22d04e878e8f8.zones.catalog1.example. 3600 IN PTR dom6.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" > /dev/null || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom6.example' from catalog 'catalog1.example' - success" >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "Checking that a missing zone directory forces in-memory ($n)" ret=0 -grep "'nonexistent' not found; zone files will not be saved" ns2/named.run > /dev/null || ret=1 +grep "'nonexistent' not found; zone files will not be saved" ns2/named.run >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing allow-query and allow-transfer ACLs" -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db -echo "@ IN NS invalid." >> ns1/dom7.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom7.example.db +echo "@ IN NS invalid." >>ns1/dom7.example.db rndccmd 10.53.0.1 addzone dom7.example. in default '{type primary; file "dom7.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db -echo "@ IN NS invalid." >> ns1/dom8.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom8.example.db +echo "@ IN NS invalid." >>ns1/dom8.example.db rndccmd 10.53.0.1 addzone dom8.example. in default '{type primary; file "dom8.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom7.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom7.example. to catalog1 zone with an allow-query statement ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN PTR dom7.example. update add allow-query.ext.78833ec3c0059fd4540fee81c7eaddce088e7cd7.zones.catalog1.example. 3600 IN APL 1:10.53.0.1/32 !1:10.53.0.0/30 1:0.0.0.0/0 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && -wait_for_message ns2/named.run "transfer of 'dom7.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" >/dev/null \ + && wait_for_message ns2/named.run "transfer of 'dom7.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is not accessible from 10.53.0.2 ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is accessible from 10.53.0.5 ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.5 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding dom8.example. domain and global allow-query and allow-transfer ACLs ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add cba95222e308baba42417be6021026fdf20827b6.zones.catalog1.example. 3600 IN PTR dom8.example update add allow-query.ext.catalog1.example. 3600 IN APL 1:10.53.0.1/32 @@ -1125,118 +1124,117 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && -wait_for_message ns2/named.run "transfer of 'dom8.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" \ + && wait_for_message ns2/named.run "transfer of 'dom8.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is not accessible from 10.53.0.2 ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is not AXFR accessible from 10.53.0.1 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n || ret=1 -grep "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 >dig.out.test$n || ret=1 +grep "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n || ret=1 -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 >dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting global allow-query and allow-domain ACLs ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete allow-query.ext.catalog1.example. 3600 IN APL 1:10.53.0.1/32 update delete allow-transfer.ext.catalog1.example. 3600 IN APL 1:10.53.0.2/32 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.1 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is accessible from 10.53.0.2 ($n)" ret=0 wait_for_soa @10.53.0.2 dom8.example. dig.out.test$n -b 10.53.0.2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.1 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 > dig.out.test$n || ret=1 -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.1 >dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom8.example. is AXFR accessible from 10.53.0.2 ($n)" ret=0 -dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 > dig.out.test$n || ret=1 -grep -v "Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.2 axfr dom8.example. -b 10.53.0.2 >dig.out.test$n || ret=1 +grep -v "Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) ########################################################################## echo_i "Testing TSIG keys for primaries set per-domain" -n=$((n+1)) +n=$((n + 1)) echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowed only with TSIG key ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db -echo "@ IN NS invalid." >> ns1/dom9.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom9.example.db +echo "@ IN NS invalid." >>ns1/dom9.example.db rndccmd 10.53.0.1 addzone dom9.example. in default '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom9.example. to catalog1 zone with a valid primaries suboption (IP with TSIG) ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 @@ -1244,77 +1242,77 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom9.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom9.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is accessible on secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "change TSIG key name on primary ($n)" ret=0 rndccmd 10.53.0.1 modzone dom9.example. in default '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update TSIG key name in catalog zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update del label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "update zone contents and reload ($n)" ret=0 -echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db -echo "@ IN NS ns2" >> ns1/dom9.example.db -echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db +echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" >ns1/dom9.example.db +echo "@ IN NS ns2" >>ns1/dom9.example.db +echo "ns2 IN A 10.53.0.2" >>ns1/dom9.example.db rndccmd 10.53.0.1 reload dom9.example. || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for primary to update zone ($n)" ret=0 wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for secondary to update zone ($n)" ret=0 wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom9.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1 @@ -1322,675 +1320,672 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example' - success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom9.example. is no longer accessible on secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domain dom9.example. to catalog1 zone with an invalid primaries suboption (TSIG without IP) ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom9.example'" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "error \"failure\" while trying to generate config for zone 'dom9.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom9.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example. update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key" send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom9.example' from catalog 'catalog1.example'" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing catalog entries that can't be represented as filenames" # note: we need 4 backslashes in the shell to get 2 backslashes in DNS # presentation format, which is 1 backslash on the wire. for special in \ - this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ - this.zone/domain.has.a.slash.dom10.example \ - this.zone\\\\domain.has.backslash.dom10.example \ - this.zone:domain.has.a.colon.dom.10.example -do - # hashes below are generated by: - # python ${TOP}/contrib/scripts/catzhash.py "${special}" - - case "$special" in + this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example \ + this.zone/domain.has.a.slash.dom10.example \ + this.zone\\\\domain.has.backslash.dom10.example \ + this.zone:domain.has.a.colon.dom.10.example; do + # hashes below are generated by: + # python ${TOP}/contrib/scripts/catzhash.py "${special}" + + case "$special" in this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example) - hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 - db=__catz__a35e0a044ff9f37436068e1e83e9b99fb9da51b0fe7b699bdb404f7755d68276.db - ;; + hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 + db=__catz__a35e0a044ff9f37436068e1e83e9b99fb9da51b0fe7b699bdb404f7755d68276.db + ;; this.zone/domain.has.a.slash.dom10.example) - hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa - db=__catz__765197c8050c794f4ec5bbf5dbdf64d0551459c08a91a4217768fcd16cd3b7ce.db - ;; + hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa + db=__catz__765197c8050c794f4ec5bbf5dbdf64d0551459c08a91a4217768fcd16cd3b7ce.db + ;; this.zone\\\\domain.has.backslash.dom10.example) - hash=91e27e02153d38cf656a9b376d7747fbcd19f985 - db=__catz__0f2f3beaf2ef70e0086063ae28a69444cdf3847cb85e668bfe52c89f7f756b29.db - ;; + hash=91e27e02153d38cf656a9b376d7747fbcd19f985 + db=__catz__0f2f3beaf2ef70e0086063ae28a69444cdf3847cb85e668bfe52c89f7f756b29.db + ;; this.zone:domain.has.a.colon.dom.10.example) - hash=8b7238bf4c34045834c573ba4116557ebb24d33c - db=__catz__ba75ab860533508a62b0937c5c6b8537e4186e4d5e7685161287260d07418251.db - ;; - esac - - n=$((n+1)) - echo_i "checking that ${special}. is not served by primary ($n)" - ret=0 - wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "Adding a domain ${special}. to primary via RNDC ($n)" - ret=0 - echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db - echo "@ IN NS invalid." >> ns1/dom10.example.db - rndccmd 10.53.0.1 addzone '"'"${special}"'"' in default '{type primary; file "dom10.example.db";};' || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is now served by primary ($n)" - ret=0 - wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - nextpart ns2/named.run >/dev/null - - n=$((n+1)) - echo_i "Adding domain ${special}. to catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + hash=8b7238bf4c34045834c573ba4116557ebb24d33c + db=__catz__ba75ab860533508a62b0937c5c6b8537e4186e4d5e7685161287260d07418251.db + ;; + esac + + n=$((n + 1)) + echo_i "checking that ${special}. is not served by primary ($n)" + ret=0 + wait_for_no_soa @10.53.0.1 "${special}" dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "Adding a domain ${special}. to primary via RNDC ($n)" + ret=0 + echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom10.example.db + echo "@ IN NS invalid." >>ns1/dom10.example.db + rndccmd 10.53.0.1 addzone '"'"${special}"'"' in default '{type primary; file "dom10.example.db";};' || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is now served by primary ($n)" + ret=0 + wait_for_soa @10.53.0.1 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + nextpart ns2/named.run >/dev/null + + n=$((n + 1)) + echo_i "Adding domain ${special}. to catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add ${hash}.zones.catalog1.example 3600 IN PTR ${special}. send END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" && - wait_for_message ns2/named.run "transfer of '$special/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is served by secondary ($n)" - ret=0 - wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is populated with a hashed filename ($n)" - ret=0 - wait_for_zonefile "ns2/zonedir/$db" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "removing domain ${special}. from catalog1 zone ($n)" - ret=0 - $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of '$special/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is served by secondary ($n)" + ret=0 + wait_for_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that zone-directory is populated with a hashed filename ($n)" + ret=0 + wait_for_zonefile "ns2/zonedir/$db" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "removing domain ${special}. from catalog1 zone ($n)" + ret=0 + $NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete ${hash}.zones.catalog1.example send END - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "waiting for secondary to sync up ($n)" - ret=0 - wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN/default: shutting down" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that ${special}. is not served by secondary ($n)" - ret=0 - wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking that zone-directory is emptied ($n)" - ret=0 - wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 - wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "waiting for secondary to sync up ($n)" + ret=0 + wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN/default: shutting down" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that ${special}. is not served by secondary ($n)" + ret=0 + wait_for_no_soa @10.53.0.2 "${special}." dig.out.test$n || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that zone-directory is emptied ($n)" + ret=0 + wait_for_no_zonefile "ns2/zonedir/$db" || ret=1 + wait_for_no_zonefile "ns2/zonedir/$db.jnl" || ret=1 + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done ########################################################################## echo_i "Testing adding a domain and a subdomain of it" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom11.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db -echo "@ IN NS invalid." >> ns1/dom11.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom11.example.db +echo "@ IN NS invalid." >>ns1/dom11.example.db rndccmd 10.53.0.1 addzone dom11.example. in default '{type primary; file "dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom11.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example. 3600 IN PTR dom11.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is not served by primary ($n)" ret=0 wait_for_rcode NXDOMAIN SOA @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db -echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/subdomain.of.dom11.example.db +echo "@ IN NS invalid." >>ns1/subdomain.of.dom11.example.db rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. in default '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain subdomain.of.dom11.example. to catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example. 3600 IN PTR subdomain.of.dom11.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom11.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 0580d70e769c86c8b951a488d8b776627f427d7a.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom11.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is still served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 subdomain.of.dom11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain subdomain.of.dom11.example. from catalog1 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 25557e0bdd10cb3710199bb421b776df160f241e.zones.catalog1.example send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that subdomain.of.dom11.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 subdomain.of.d11.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing adding a catalog zone at runtime with rndc reconfig" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom12.example. to primary via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db -echo "@ IN NS invalid." >> ns1/dom12.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom12.example.db +echo "@ IN NS invalid." >>ns1/dom12.example.db rndccmd 10.53.0.1 addzone dom12.example. in default '{type primary; file "dom12.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom12.example. to catalog4 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)" ret=0 -sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T1//g" <ns2/named1.conf.in >ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" && -wait_for_message ns2/named.run "transfer of 'dom12.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom12.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom7.example. is still served by secondary after reconfiguration ($n)" ret=0 wait_for_soa @10.53.0.2 dom7.example. dig.out.test$n -b 10.53.0.1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking that dom12.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)" ret=0 -sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp +sed -e "s/^#T2//" <ns2/named1.conf.in >ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig >/dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom12.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom12.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "removing domain dom12.example. from catalog4 zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 871d51e5433543c0f6fb263c40f359fbc152c8ae.zones.catalog4.example. 3600 IN PTR dom12.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing having a zone in two different catalogs" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom13.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db -echo "@ IN NS invalid." >> ns1/dom13.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom13.example.db +echo "@ IN NS invalid." >>ns1/dom13.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom13.example.db rndccmd 10.53.0.1 addzone dom13.example. in default '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom13.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom13.example.db -echo "@ IN NS invalid." >> ns3/dom13.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom13.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom13.example.db +echo "@ IN NS invalid." >>ns3/dom13.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom13.example.db rndccmd 10.53.0.3 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom13.example. to catalog1 zone with ns1 as primary ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. update add primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom13.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom13.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom13.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. update add primaries.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom13.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN PTR dom13.example. update delete primaries.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom13.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom13.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN PTR dom13.example. update delete primaries.ext.8d7989c746b3f92b3bba2479e72afd977198363f.zones.catalog1.example. 3600 IN A 10.53.0.2 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom13.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom13.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing recreation of a manually deleted zone after a reload" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom16.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db -echo "@ IN NS invalid." >> ns1/dom16.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom16.example.db +echo "@ IN NS invalid." >>ns1/dom16.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom16.example.db rndccmd 10.53.0.1 addzone dom16.example. in default '{type primary; file "dom16.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom16.example. to catalog1 zone with ns1 as primary ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. update add masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom16.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom16.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null @@ -1998,14 +1993,14 @@ echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)" ret=0 rndccmd 10.53.0.2 delzone dom16.example. in default >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null @@ -2013,353 +2008,353 @@ echo_i "Reloading secondary ns2 via RNDC ($n)" ret=0 rndccmd 10.53.0.2 reload >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom16.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom16.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN PTR dom16.example. update delete masters.efe725d0cf430ffb113b9bcf59266f066a21216b.zones.catalog1.example. 3600 IN A 10.53.0.1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom16.example. is no longer served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing having a regular zone and a zone in catalog zone of the same name" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom14.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db -echo "@ IN NS invalid." >> ns1/dom14.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom14.example.db +echo "@ IN NS invalid." >>ns1/dom14.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom14.example.db rndccmd 10.53.0.1 addzone dom14.example. in default '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom14.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom14.example.db -echo "@ IN NS invalid." >> ns3/dom14.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom14.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom14.example.db +echo "@ IN NS invalid." >>ns3/dom14.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom14.example.db rndccmd 10.53.0.3 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom14.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)" ret=0 rndccmd 10.53.0.2 addzone dom14.example. in default '{type secondary; primaries {10.53.0.1;};};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom14.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom14.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain dom14.example. to catalog2 zone with ns3 as primary ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. update add primaries.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Deleting domain dom14.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete 45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN PTR dom14.example. update delete primaries.45e3d45ea5f7bd01c395ccbde6ae2e750a3ee8ab.zones.catalog2.example. 3600 IN A 10.53.0.3 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom14.example. is served by secondary and that it's still the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom14.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing changing label for a member zone" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db -echo "@ IN NS invalid." >> ns1/dom15.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom15.example.db +echo "@ IN NS invalid." >>ns1/dom15.example.db rndccmd 10.53.0.1 addzone dom15.example. in default '{type primary; file "dom15.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null echo_i "Adding domain dom15.example. to catalog1 zone with 'dom15label1' label ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 3 -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Changing label of domain dom15.example. from 'dom15label1' to 'dom15label2' ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete dom15label1.zones.catalog1.example. 3600 IN PTR dom15.example. update add dom15label2.zones.catalog1.example. 3600 IN PTR dom15.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 +wait_for_message ns2/named.run "catz: update_from_db: new zone merged" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom15.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.2 dom15.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "Testing custom properties version '1' and version '2' syntaxes" -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by primary ($n)" ret=0 wait_for_no_soa @10.53.0.1 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to primary ns1 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom17.example.db -echo "@ IN NS invalid." >> ns1/dom17.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom17.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom17.example.db +echo "@ IN NS invalid." >>ns1/dom17.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom17.example.db rndccmd 10.53.0.1 addzone dom17.example. in default '{type primary; file "dom17.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom18.example.db -echo "@ IN NS invalid." >> ns1/dom18.example.db -echo "@ IN A 192.0.2.1" >> ns1/dom18.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom18.example.db +echo "@ IN NS invalid." >>ns1/dom18.example.db +echo "@ IN A 192.0.2.1" >>ns1/dom18.example.db rndccmd 10.53.0.1 addzone dom18.example. in default '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is now served by primary ns1 ($n)" ret=0 wait_for_soa @10.53.0.1 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by primary ns3 ($n)" ret=0 wait_for_no_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by primary ns3 ($n)" ret=0 wait_for_no_soa @10.53.0.3 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to primary ns3 via RNDC ($n)" ret=0 -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom17.example.db -echo "@ IN NS invalid." >> ns3/dom17.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom17.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom17.example.db +echo "@ IN NS invalid." >>ns3/dom17.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom17.example.db rndccmd 10.53.0.3 addzone dom17.example. '{type primary; file "dom17.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns3/dom18.example.db -echo "@ IN NS invalid." >> ns3/dom18.example.db -echo "@ IN A 192.0.2.2" >> ns3/dom18.example.db +status=$((status + ret)) +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns3/dom18.example.db +echo "@ IN NS invalid." >>ns3/dom18.example.db +echo "@ IN A 192.0.2.2" >>ns3/dom18.example.db rndccmd 10.53.0.3 addzone dom18.example. '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is now served by primary ns3 ($n)" ret=0 wait_for_soa @10.53.0.3 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to catalog1 zone with ns3 as custom primary using different custom properties syntax ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add dom17.zones.catalog1.example. 3600 IN PTR dom17.example. update add dom18.zones.catalog1.example. 3600 IN PTR dom18.example. @@ -2368,49 +2363,49 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" && -wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom17.example. was added using the legacy # syntax into a version 2 catalog1 zone, so we expect that it was ignored, no # override of the default setting happened, and dom17.example. was transferred # from the ns1 primary (the default). -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom17.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom18.example. was added using a supported # syntax into a version 2 catalog1 zone, so we expect that it was processed, # will override the default setting, and dom18.example. was transferred # from the ns3 primary. -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is served by secondary and that it's the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom18.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom17.example. and dom18.example. from catalog1 ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete dom17.zones.catalog1.example. 3600 IN PTR dom17.example. update delete dom18.zones.catalog1.example. 3600 IN PTR dom18.example. @@ -2419,38 +2414,38 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" && -wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog1.example' - success" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog1.example' - success" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "adding domains dom17.example. and dom18.example. to catalog2 zone with ns3 as custom primary using different custom properties syntax ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update add dom17.zones.catalog2.example. 3600 IN PTR dom17.example. update add dom18.zones.catalog2.example. 3600 IN PTR dom18.example. @@ -2459,49 +2454,49 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" && -wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" \ + && wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom17.example. was added using a supported # syntax into a version 1 catalog1 zone, so we expect that it was processed, # will override the default setting, and dom17.example. was transferred # from the ns3 primary. -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is served by secondary and that it's the one from ns3 ($n)" ret=0 wait_for_a @10.53.0.2 dom17.example. dig.out.test$n || ret=1 -grep "192.0.2.2" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The "primaries" custom property for dom18.example. was added using the new # syntax into a version 1 catalog1 zone, so we expect that it was ignored, no # override of the default setting happened, and dom18.example. was transferred # from the ns1 primary (the default). -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is served by secondary and that it's the one from ns1 ($n)" ret=0 wait_for_a @10.53.0.2 dom18.example. dig.out.test$n || ret=1 -grep "192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "192.0.2.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "deleting domain dom17.example. and dom18.example. from catalog2 ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} update delete dom17.zones.catalog2.example. 3600 IN PTR dom17.example. update delete dom18.zones.catalog2.example. 3600 IN PTR dom18.example. @@ -2510,34 +2505,34 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" && -wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 +wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog2.example' - success" \ + && wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog2.example' - success" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" \ + && wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom17.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom17.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that dom18.example. is not served by secondary ($n)" ret=0 wait_for_no_soa @10.53.0.2 dom18.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)" ret=0 copy_setports ns2/named2.conf.in ns2/named.conf @@ -2545,30 +2540,30 @@ rndccmd 10.53.0.2 reconfig || ret=1 copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ######################################################################### nextpart ns2/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a dom19.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom19.example.db -echo "@ 3600 IN NS invalid." >> ns1/dom19.example.db -echo "foo 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "bar 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/dom19.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/dom19.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom19.example.db +echo "@ 3600 IN NS invalid." >>ns1/dom19.example.db +echo "foo 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "bar 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/dom19.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/dom19.example.db rndccmd 10.53.0.1 addzone dom19.example. in default '{ type primary; file "dom19.example.db"; allow-transfer { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "add an entry to the restored catalog zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN PTR dom19.example. update add label1.primaries.ext.09da0a318e5333a9a7f6c14c385d69f6933e8b72.zones.catalog1.example. 3600 IN A 10.53.0.1 @@ -2576,82 +2571,82 @@ $NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom19.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "catz: adding zone 'dom19.example' from catalog 'catalog1.example'" \ + && wait_for_message ns2/named.run "transfer of 'dom19.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## -n=$((n+1)) +n=$((n + 1)) echo_i "Adding a domain tls1.example. to primary via RNDC ($n)" ret=0 # enough initial content for IXFR response when TXT record is added below -echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db -echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db -echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db -echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db -echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db -echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/tls1.example.db +echo "@ 3600 IN NS invalid." >>ns1/tls1.example.db +echo "foo 3600 IN TXT some content here" >>ns1/tls1.example.db +echo "bar 3600 IN TXT some content here" >>ns1/tls1.example.db +echo "xxx 3600 IN TXT some content here" >>ns1/tls1.example.db +echo "yyy 3600 IN TXT some content here" >>ns1/tls1.example.db rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that tls1.example. is now served by primary ($n)" ret=0 wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns4/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain tls1.example. to catalog-tls zone ($n)" ret=0 -$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example. send END if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" && -wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1 +wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" \ + && wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that tls1.example. is served by secondary ($n)" ret=0 wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## # GL #3777 nextpart ns4/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" ret=0 -echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >>ns4/catalog-self.example.db rndccmd 10.53.0.4 reload || ret=1 -n=$((n+1)) +n=$((n + 1)) echo_i "Issuing another rndc reload command after 1 second ($n)" sleep 1 rndccmd 10.53.0.4 reload || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################################## echo_i "exit status: $status" diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh index 6de5de5..27474bc 100644 --- a/bin/tests/system/cds/setup.sh +++ b/bin/tests/system/cds/setup.sh @@ -39,22 +39,22 @@ id2=$id2 EOF tac() { - $PERL -e 'print reverse <>' + $PERL -e 'print reverse <>' } convert() { - key=$1 - n=$2 - $DSFROMKEY -12 $key >DS.$n - grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 - grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 - sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n - sed 's/ IN DS / IN CDS /' <DS.$n-1 >>CDS.$n-1 - sed 's/ IN DS / IN CDS /' <DS.$n-2 >>CDS.$n-2 - sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n - sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n - sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n - tac <DS.$n >DS.rev$n + key=$1 + n=$2 + $DSFROMKEY -12 $key >DS.$n + grep " ${DEFAULT_ALGORITHM_NUMBER} 1 " DS.$n >DS.$n-1 + grep " ${DEFAULT_ALGORITHM_NUMBER} 2 " DS.$n >DS.$n-2 + sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n + sed 's/ IN DS / IN CDS /' <DS.$n-1 >>CDS.$n-1 + sed 's/ IN DS / IN CDS /' <DS.$n-2 >>CDS.$n-2 + sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n + sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n + sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n + tac <DS.$n >DS.rev$n } convert $key1 1 convert $key2 2 @@ -86,9 +86,9 @@ cat UP.add2 UP.del1 | sed 3d >UP.swap sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl sign() { - cat >db.$1 - $SIGNER >/dev/null \ - -S -O full -o $Z -f sig.$1 db.$1 + cat >db.$1 + $SIGNER >/dev/null \ + -S -O full -o $Z -f sig.$1 db.$1 } sign null <<EOF @@ -121,18 +121,18 @@ cat db.null CDS.2-1 | sign cds.2.sha1 cat db.null CDS.2-1 CDNSKEY.2 | sign cds.cdnskey.2.sha1 $mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \ - <sig.cds.1 >brk.rrsig.cds.zsk + <sig.cds.1 >brk.rrsig.cds.zsk $mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \ - <sig.cds.1 >brk.rrsig.cds.ksk + <sig.cds.1 >brk.rrsig.cds.ksk -$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 | -sign cds-mangled +$mangle " IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 " <db.cds.1 \ + | sign cds-mangled bad=$($PERL -le "print ($id1 ^ 255);") -sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 | -sign bad-digests +sed "s/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} 1 /IN CDS $bad ${DEFAULT_ALGORITHM_NUMBER} 1 /" <db.cds.1 \ + | sign bad-digests -sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 | -sign bad-algos +sed "/IN CDS $id1 ${DEFAULT_ALGORITHM_NUMBER} /p;s//IN CDS $bad $ALTERNATIVE_ALGORITHM_NUMBER /" <db.cds.1 \ + | sign bad-algos rm -f dsset-* diff --git a/bin/tests/system/cds/tests.sh b/bin/tests/system/cds/tests.sh index 2eb092f..0453881 100644 --- a/bin/tests/system/cds/tests.sh +++ b/bin/tests/system/cds/tests.sh @@ -18,49 +18,53 @@ set -e status=0 n=0 fail() { - echo_i "failed" - status=$((status + 1)) + echo_i "failed" + status=$((status + 1)) } runcmd() { - ("$@" 1> out.$n 2> err.$n; echo $?) || true + ( + "$@" 1>out.$n 2>err.$n + echo $? + ) || true } testcase() { - n=$((n + 1)) - echo_i "$name ($n)" - expect=$1 - shift - result=$(runcmd "$@") - check_stdout - check_stderr - if [ "$expect" -ne "$result" ]; then - echo_d "exit status does not match $expect" - fail - fi - unset name err out + n=$((n + 1)) + echo_i "$name ($n)" + expect=$1 + shift + result=$(runcmd "$@") + check_stdout + check_stderr + if [ "$expect" -ne "$result" ]; then + echo_d "exit status does not match $expect" + fail + fi + unset name err out } check_stderr() { - if [ -n "${err:=}" ]; then - grep -E "$err" err.$n >/dev/null && return 0 - echo_d "stderr did not match '$err'" - else - [ -s err.$n ] || return 0 - fi - cat err.$n | cat_d - fail + if [ -n "${err:=}" ]; then + grep -E "$err" err.$n >/dev/null && return 0 + echo_d "stderr did not match '$err'" + else + [ -s err.$n ] || return 0 + fi + cat err.$n | cat_d + fail } check_stdout() { - diff out.$n "${out:-empty}" >/dev/null && return - echo_d "stdout did not match '$out'" - ( echo "wanted" - cat "$out" - echo "got" - cat out.$n - ) | cat_d - fail + diff out.$n "${out:-empty}" >/dev/null && return + echo_d "stdout did not match '$out'" + ( + echo "wanted" + cat "$out" + echo "got" + cat out.$n + ) | cat_d + fail } Z=cds.test diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl index 271b2a4..e42240b 100644 --- a/bin/tests/system/chain/ans3/ans.pl +++ b/bin/tests/system/chain/ans3/ans.pl @@ -22,9 +22,14 @@ my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; print $pidf "$$\n" or die "cannot write pid file: $!"; $pidf->close or die "cannot close pid file: $!"; sub rmpid { unlink "ans.pid"; exit 1; }; +sub term { }; $SIG{INT} = \&rmpid; -$SIG{TERM} = \&rmpid; +if ($Net::DNS::VERSION > 1.41) { + $SIG{TERM} = \&term; +} else { + $SIG{TERM} = \&rmpid; +} my $localaddr = "10.53.0.3"; @@ -128,4 +133,11 @@ my $ns = Net::DNS::Nameserver->new( Verbose => $verbose, ); -$ns->main_loop; +if ($Net::DNS::VERSION >= 1.42) { + $ns->start_server(); + select(undef, undef, undef, undef); + $ns->stop_server(); + unlink "ans.pid"; +} else { + $ns->main_loop; +} diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh index 90d1912..f2b9e12 100644 --- a/bin/tests/system/chain/ns2/sign.sh +++ b/bin/tests/system/chain/ns2/sign.sh @@ -19,7 +19,7 @@ signedfile=example.db.signed ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-secure.example. zonefile=wildcard-secure.db @@ -27,7 +27,7 @@ signedfile=wildcard-secure.example.db.signed ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-nsec.example. zonefile=wildcard.db @@ -35,7 +35,7 @@ signedfile=wildcard-nsec.example.db.signed ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-nsec3.example. zonefile=wildcard.db @@ -43,7 +43,7 @@ signedfile=wildcard-nsec3.example.db.signed ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -3 - -H 0 -o $zone -f $signedfile $zonefile >/dev/null zone=wildcard-nsec3-optout.example. zonefile=wildcard.db @@ -51,4 +51,4 @@ signedfile=wildcard-nsec3-optout.example.db.signed ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} $zone) -$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile > /dev/null +$SIGNER -S -3 - -H 0 -A -o $zone -f $signedfile $zonefile >/dev/null diff --git a/bin/tests/system/chain/ns5/named.conf.in b/bin/tests/system/chain/ns5/named.conf.in index 86bbf26..ba8cc6f 100644 --- a/bin/tests/system/chain/ns5/named.conf.in +++ b/bin/tests/system/chain/ns5/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "sub5.example" { diff --git a/bin/tests/system/chain/prereq.sh b/bin/tests/system/chain/prereq.sh new file mode 100644 index 0000000..fe84055 --- /dev/null +++ b/bin/tests/system/chain/prereq.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS::Nameserver -e ''; then + echo_i "perl Net::DNS::Nameserver module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh index 3ad8e31..4957fe7 100644 --- a/bin/tests/system/chain/tests.sh +++ b/bin/tests/system/chain/tests.sh @@ -16,10 +16,10 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" sendcmd() { - send 10.53.0.4 "${EXTRAPORT1}" + send 10.53.0.4 "${EXTRAPORT1}" } status=0 @@ -28,8 +28,8 @@ n=0 n=$((n + 1)) echo_i "checking short DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a > dig.out.ns2.short || ret=1 -grep "status: NOERROR" dig.out.ns2.short > /dev/null || ret=1 +$DIG $DIGOPTS a.short-dname.example @10.53.0.2 a >dig.out.ns2.short || ret=1 +grep "status: NOERROR" dig.out.ns2.short >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -37,16 +37,16 @@ n=$((n + 1)) echo_i "checking short DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a > dig.out.ns4.short || ret=1 -grep "status: NOERROR" dig.out.ns4.short > /dev/null || ret=1 +$DIG $DIGOPTS a.short-dname.example @10.53.0.7 a >dig.out.ns4.short || ret=1 +grep "status: NOERROR" dig.out.ns4.short >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking long DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a > dig.out.ns2.long || ret=1 -grep "status: NOERROR" dig.out.ns2.long > /dev/null || ret=1 +$DIG $DIGOPTS a.long-dname.example @10.53.0.2 a >dig.out.ns2.long || ret=1 +grep "status: NOERROR" dig.out.ns2.long >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -54,16 +54,16 @@ n=$((n + 1)) echo_i "checking long DNAME from recursive ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a > dig.out.ns4.long || ret=1 -grep "status: NOERROR" dig.out.ns4.long > /dev/null || ret=1 +$DIG $DIGOPTS a.long-dname.example @10.53.0.7 a >dig.out.ns4.long || ret=1 +grep "status: NOERROR" dig.out.ns4.long >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking (too) long DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a > dig.out.ns2.toolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.2 a >dig.out.ns2.toolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns2.toolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -71,9 +71,9 @@ n=$((n + 1)) echo_i "checking (too) long DNAME from recursive with cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a > dig.out.ns4.cachedtoolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 -grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.7 a >dig.out.ns4.cachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong >/dev/null || ret=1 +grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -81,50 +81,50 @@ n=$((n + 1)) echo_i "checking (too) long DNAME from recursive without cached DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a > dig.out.ns4.uncachedtoolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 -grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 +$DIG $DIGOPTS 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.7 a >dig.out.ns4.uncachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong >/dev/null || ret=1 +grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) find_records() { - owner_name="$1" - rr_type="$2" - file="$3" - awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' < "$file" + owner_name="$1" + rr_type="$2" + file="$3" + awk '$1 == "'"$owner_name"'" && $4 == "'"$rr_type"'" { print }' <"$file" } count_records() { - owner_name="$1" - rr_type="$2" - file="$3" - find_records "$owner_name" "$rr_type" "$file" | wc -l + owner_name="$1" + rr_type="$2" + file="$3" + find_records "$owner_name" "$rr_type" "$file" | wc -l } exactly_one_record_exists_for() { - owner_name="$1" - rr_type="$2" - file="$3" - test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1 + owner_name="$1" + rr_type="$2" + file="$3" + test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 1 } no_records_exist_for() { - owner_name="$1" - rr_type="$2" - file="$3" - test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0 + owner_name="$1" + rr_type="$2" + file="$3" + test "$(count_records "$owner_name" "$rr_type" "$file")" -eq 0 } ensure_no_ds_in_bitmap() { - owner_name="$1" - rr_type="$2" - file="$3" - case "$rr_type" in - NSEC) start_index=6 ;; - NSEC3) start_index=10 ;; - *) exit 1 ;; - esac - find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' + owner_name="$1" + rr_type="$2" + file="$3" + case "$rr_type" in + NSEC) start_index=6 ;; + NSEC3) start_index=10 ;; + *) exit 1 ;; + esac + find_records "$owner_name" "$rr_type" "$file" | awk '{ for (i='"$start_index"'; i<=NF; i++) if ($i == "DS") exit 1 }' } n=$((n + 1)) @@ -132,7 +132,7 @@ echo_i "checking secure delegation prepared using CNAME chaining ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # DS RRset. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains the expected NS and DS RRsets. exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 @@ -144,7 +144,7 @@ echo_i "checking secure delegation prepared using wildcard expansion + CNAME cha ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset, an # NSEC record proving nonexistence of QNAME, and a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-secure.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains the expected NS and DS RRsets. exactly_one_record_exists_for "delegation.wildcard-secure.example." NS dig.out.2.$n || ret=1 exactly_one_record_exists_for "delegation.wildcard-secure.example." DS dig.out.2.$n || ret=1 @@ -161,7 +161,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 @@ -183,7 +183,7 @@ ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC records are different. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 @@ -206,7 +206,7 @@ ret=0 # NSEC records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec.example." NS dig.out.2.$n || ret=1 @@ -247,7 +247,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 ($n)" ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -269,7 +269,7 @@ ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -292,7 +292,7 @@ ret=0 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 a-nonexistent-name.wildcard-nsec3.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3.example." NS dig.out.2.$n || ret=1 @@ -336,7 +336,7 @@ echo_i "checking insecure delegation prepared using CNAME chaining, NSEC3 with o ret=0 # QNAME exists, so the AUTHORITY section should only contain an NS RRset and a # single NSEC3 record proving nonexistence of a DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 cname.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 @@ -357,7 +357,7 @@ ret=0 # QNAME does not exist, so the AUTHORITY section should contain an NS RRset and # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, these two NSEC3 records are different. -$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 b-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 @@ -379,7 +379,7 @@ ret=0 # NSEC3 records proving nonexistence of both QNAME and a DS RRset at the zone # cut. In this test case, the same NSEC3 record proves nonexistence of both the # QNAME and the DS RRset at the zone cut. -$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec > dig.out.2.$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 z-nonexistent-name.wildcard-nsec3-optout.example A +norec +dnssec >dig.out.2.$n 2>&1 || ret=1 # Ensure that the AUTHORITY section contains an NS RRset without an associated # DS RRset. exactly_one_record_exists_for "delegation.wildcard-nsec3-optout.example." NS dig.out.2.$n || ret=1 @@ -397,8 +397,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking CNAME to DNAME from authoritative ($n)" ret=0 -$DIG $DIGOPTS cname.example @10.53.0.2 a > dig.out.ns2.cname -grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1 +$DIG $DIGOPTS cname.example @10.53.0.2 a >dig.out.ns2.cname +grep "status: NOERROR" dig.out.ns2.cname >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -406,12 +406,12 @@ n=$((n + 1)) echo_i "checking CNAME to DNAME from recursive" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS cname.example @10.53.0.7 a > dig.out.ns4.cname -grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1 -grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 -grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 +$DIG $DIGOPTS cname.example @10.53.0.7 a >dig.out.ns4.cname +grep "status: NOERROR" dig.out.ns4.cname >/dev/null || ret=1 +grep '^cname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^a.cnamedname.example.' dig.out.ns4.cname >/dev/null || ret=1 +grep '^a.target.example.' dig.out.ns4.cname >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -419,10 +419,10 @@ n=$((n + 1)) echo_i "checking DNAME is returned with synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 name.synth-then-dname.example.broken A >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1 +grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -430,11 +430,11 @@ n=$((n + 1)) echo_i "checking DNAME is returned with CNAME to synthesized CNAME before DNAME ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1 -grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 cname-to-synth2-then-dname.example.broken A >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n >/dev/null || ret=1 +grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n >/dev/null || ret=1 +grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -442,9 +442,9 @@ n=$((n + 1)) echo_i "checking CNAME loops are detected ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 17" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 17" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -452,9 +452,9 @@ n=$((n + 1)) echo_i "checking CNAME to external delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 a.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 a.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -462,9 +462,9 @@ n=$((n + 1)) echo_i "checking CNAME to internal delegated zones is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 b.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 b.example >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -472,8 +472,8 @@ n=$((n + 1)) echo_i "checking CNAME to signed external delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 c.example > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 c.example >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -481,8 +481,8 @@ n=$((n + 1)) echo_i "checking CNAME to signed internal delegation is handled ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 d.example > dig.out.$n -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 d.example >dig.out.$n +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -491,39 +491,39 @@ echo_i "checking CNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,1,2,2,3,4,s4,s3,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|2,1,3,4,s3,s1,s2,s4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 4 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.4.$n 2>&1 -grep 'status: NOERROR' dig.out.4.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.4.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.4.$n 2>&1 +grep 'status: NOERROR' dig.out.4.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.4.$n >/dev/null 2>&1 || ret=1 echo "cname,cname,cname|4,3,2,1,s4,s3,s2,s1" | sendcmd $RNDCCMD 10.53.0.7 null --- start test$n - step 5 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.5.$n 2>&1 -grep 'status: NOERROR' dig.out.5.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.5.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.5.$n 2>&1 +grep 'status: NOERROR' dig.out.5.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.5.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 6 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|4,3,3,3,s1,s1,1,3,4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.6.$n 2>&1 -grep 'status: NOERROR' dig.out.6.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.6.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.6.$n 2>&1 +grep 'status: NOERROR' dig.out.6.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.6.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -533,9 +533,9 @@ ret=0 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "cname,cname,cname|1,2,3,4,s1,s2,s3,s4" | sendcmd $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 sleep 1 -$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil > dig.out.2.$n 2>&1 +$DIG $DIGOPTS +noall +answer @10.53.0.7 cname1.domain.nil >dig.out.2.$n 2>&1 ttl=$(awk '{print $2}' dig.out.2.$n) [ "$ttl" -eq 86400 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -547,21 +547,21 @@ ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|5,4,3,2,1,s5,s4,s3,s2,s1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "dname,dname|2,3,s1,s2,s3,s4,1" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: NOERROR' dig.out.3.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: NOERROR' dig.out.3.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -571,20 +571,20 @@ echo_i "checking external CNAME/DNAME chains in various orders ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n - step 1 --- 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|1,2,3,4,s1,s2,s3,s4" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.1.$n 2>&1 -grep 'status: NOERROR' dig.out.1.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.1.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.1.$n 2>&1 +grep 'status: NOERROR' dig.out.1.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.1.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 2 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|s2,2,s1,1,4,s4,3" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 2' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 2' dig.out.2.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 null --- start test$n - step 3 --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i echo "xname,dname|s2,2,2,2" | sendcmd -$DIG $DIGOPTS @10.53.0.7 test.domain.nil > dig.out.3.$n 2>&1 -grep 'status: SERVFAIL' dig.out.3.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 test.domain.nil >dig.out.3.$n 2>&1 +grep 'status: SERVFAIL' dig.out.3.$n >/dev/null 2>&1 || ret=1 $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -593,8 +593,8 @@ n=$((n + 1)) echo_i "checking explicit DNAME query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 dname short-dname.example >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -603,8 +603,8 @@ echo_i "checking DNAME via ANY query ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 any short-dname.example >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -612,8 +612,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DNAME resolution via itself (authoritative) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. > dig.out.2.$n 2>&1 -grep 'status: NOERROR' dig.out.2.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.2 DNAME self.domain0.self.domain0.nil. >dig.out.2.$n 2>&1 +grep 'status: NOERROR' dig.out.2.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -621,8 +621,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DNAME resolution via itself (recursive) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. > dig.out.7.$n 2>&1 -grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.7 DNAME self.example.self.example.dname. >dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index bd6e0c2..d66dfa8 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -31,6 +31,9 @@ options { tkey-dhkey "server" 12345; root-delegation-only exclude { "them"; }; + + resolver-nonbackoff-tries 3; + resolver-retry-interval 800; }; trusted-keys { diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 8d82f92..dc7854b 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -23,17 +23,17 @@ mkdir -p keys n=$((n + 1)) echo_i "checking that named-checkconf handles a known good config ($n)" ret=0 -$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1 +$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf prints a known good config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.in [ -s good.conf.in ] || ret=1 -$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +$CHECKCONF -p good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' <checkconf.out$n >good.conf.out 2>&1 || ret=1 cmp good.conf.in good.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -42,102 +42,119 @@ n=$((n + 1)) echo_i "checking that named-checkconf -x removes secrets ($n)" ret=0 # ensure there is a secret and that it is not the check string. -grep 'secret "' good.conf.in > /dev/null || ret=1 -grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1 -$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 -grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1 +grep 'secret "' good.conf.in >/dev/null || ret=1 +grep 'secret "????????????????"' good.conf.in >/dev/null 2>&1 && ret=1 +$CHECKCONF -p -x good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' <checkconf.out$n >good.conf.out 2>&1 || ret=1 +grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) -for bad in bad-*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - { $CHECKCONF $bad > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -ne 1 ]; then ret=1; fi - grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1 - case $bad in +for bad in bad-*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + { + $CHECKCONF $bad >checkconf.out$n 2>&1 + rc=$? + } || true + if [ $rc -ne 1 ]; then ret=1; fi + grep "^$bad:[0-9]*: " <checkconf.out$n >/dev/null || ret=1 + case $bad in bad-update-policy[123].conf) - pat="identity and name fields are not the same" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[4589].conf|bad-update-policy1[01].conf) - pat="name field not set to placeholder value" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[67].conf|bad-update-policy1[2345789].conf|bad-update-policy20.conf) - pat="missing name field type '.*' found" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - esac - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + pat="identity and name fields are not the same" + grep "$pat" <checkconf.out$n >/dev/null || ret=1 + ;; + bad-update-policy[4589].conf | bad-update-policy1[01].conf) + pat="name field not set to placeholder value" + grep "$pat" <checkconf.out$n >/dev/null || ret=1 + ;; + bad-update-policy[67].conf | bad-update-policy1[2345789].conf | bad-update-policy20.conf) + pat="missing name field type '.*' found" + grep "$pat" <checkconf.out$n >/dev/null || ret=1 + ;; + esac + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for good in good-*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects no error in $good ($n)" - ret=0 - if ! $FEATURETEST --with-libnghttp2 - then - case $good in - good-doh-*.conf) continue;; - good-dot-*.conf) continue;; - esac - fi - { $CHECKCONF $good > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi - status=$((status + ret)) +for good in good-*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects no error in $good ($n)" + ret=0 + if ! $FEATURETEST --with-libnghttp2; then + case $good in + good-doh-*.conf) continue ;; + good-dot-*.conf) continue ;; + esac + fi + { + $CHECKCONF $good >checkconf.out$n 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + echo_i "failed" + ret=1 + fi + status=$((status + ret)) done -for lmdb in lmdb-*.conf -do - n=$((n + 1)) - ret=0 - - if $FEATURETEST --with-lmdb; then - echo_i "checking that named-checkconf detects no error in $lmdb ($n)" - { $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi - else - echo_i "checking that named-checkconf detects error in $lmdb ($n)" - { $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then echo_i "failed"; ret=1; fi - fi - status=$((status + ret)) +for lmdb in lmdb-*.conf; do + n=$((n + 1)) + ret=0 + + if $FEATURETEST --with-lmdb; then + echo_i "checking that named-checkconf detects no error in $lmdb ($n)" + { + $CHECKCONF $lmdb >checkconf.out$n 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + echo_i "failed" + ret=1 + fi + else + echo_i "checking that named-checkconf detects error in $lmdb ($n)" + { + $CHECKCONF $lmdb >checkconf.out$n 2>&1 + rc=$? + } || true + if [ $rc -eq 0 ]; then + echo_i "failed" + ret=1 + fi + fi + status=$((status + ret)) done n=$((n + 1)) echo_i "checking that ancient options report a fatal error ($n)" ret=0 -$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1 -grep "no longer exists" ancient.out > /dev/null || ret=1 +$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1 +grep "no longer exists" ancient.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z catches missing hint file ($n)" ret=0 -$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1 -grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1 +$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1 +grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf catches range errors ($n)" ret=0 -$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1 +$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" ret=0 -$CHECKCONF notify.conf > checkconf.out$n 2>&1 -warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l) +$CHECKCONF notify.conf >checkconf.out$n 2>&1 +warnings=$(grep "'notify' is disabled" <checkconf.out$n | wc -l) [ $warnings -eq 3 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -146,55 +163,57 @@ n=$((n + 1)) echo_i "checking named-checkconf dnssec warnings ($n)" ret=0 # dnssec.1: auto-dnssec warning -$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 && ret=1 -grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF dnssec.1 >checkconf.out$n.1 2>&1 && ret=1 +grep 'auto-dnssec may only be ' <checkconf.out$n.1 >/dev/null || ret=1 # dnssec.2: should have no warnings (other than deprecation warning) -$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 || ret=1 -grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n.2") +$CHECKCONF dnssec.2 >checkconf.out$n.2 2>&1 || ret=1 +grep "option 'auto-dnssec' is deprecated" <checkconf.out$n.2 >/dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n.2") if [ $lines != 1 ]; then ret=1; fi # dnssec.3: should have specific deprecation warning -$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 && ret=1 -grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1 +$CHECKCONF dnssec.3 >checkconf.out$n.3 2>&1 && ret=1 +grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" <checkconf.out$n.3 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 -$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 -grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'tkey-dhkey' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 +grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'use-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'use-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'avoid-v4-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'avoid-v6-udp-ports' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'delegation-only' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'tkey-dhkey' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'root-delegation-only' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "'type delegation-only' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'dialup' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'heartbeat-interval' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'resolver-nonbackoff-tries' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'resolver-retry-interval' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'dnssec-must-be-secure' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "token 'port' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) # set -i to ignore deprecate warnings -$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1 -grep '.*' < checkconf.out$n.2 > /dev/null && ret=1 +$CHECKCONF -i deprecated.conf >checkconf.out$n.2 2>&1 +grep '.*' <checkconf.out$n.2 >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf servestale warnings ($n)" ret=0 -$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1 +$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) ret=0 -$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -202,38 +221,62 @@ n=$((n + 1)) echo_i "range checking fields that do not allow zero ($n)" ret=0 for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do - cat > badzero.conf << EOF + cat >badzero.conf <<EOF options { $field 0; }; EOF - { $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "options $field failed" ; ret=1; } - cat > badzero.conf << EOF + { + $CHECKCONF badzero.conf >checkconf.out$n.1 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "options $field failed" + ret=1 + } + cat >badzero.conf <<EOF view dummy { $field 0; }; EOF - { $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "view $field failed" ; ret=1; } - cat > badzero.conf << EOF + { + $CHECKCONF badzero.conf >checkconf.out$n.2 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "view $field failed" + ret=1 + } + cat >badzero.conf <<EOF options { $field 0; }; view dummy { }; EOF - { $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } - cat > badzero.conf << EOF + { + $CHECKCONF badzero.conf >checkconf.out$n.3 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "options + view $field failed" + ret=1 + } + cat >badzero.conf <<EOF zone dummy { type secondary; primaries { 0.0.0.0; }; $field 0; }; EOF - { $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1; rc=$?; } || true - [ $rc -eq 1 ] || { echo_i "zone $field failed" ; ret=1; } + { + $CHECKCONF badzero.conf >checkconf.out$n.4 2>&1 + rc=$? + } || true + [ $rc -eq 1 ] || { + echo_i "zone $field failed" + ret=1 + } done if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -241,28 +284,28 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1 -l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l) +$CHECKCONF bad-dnssec.conf >checkconf.out$n.1 2>&1 && ret=1 +l=$(grep "dnssec-dnskey-kskonly.*requires inline" <checkconf.out$n.1 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1 -l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l) +$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 && ret=1 +l=$(grep "dnssec-loadkeys-interval.*requires inline" <checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1 -l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l) +$CHECKCONF bad-dnssec.conf >checkconf.out$n.3 2>&1 && ret=1 +l=$(grep "update-check-ksk.*requires inline" <checkconf.out$n.3 | wc -l) [ $l -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check file + inline-signing for secondary zones ($n)" -$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 && ret=1 -l=$(grep "missing 'file' entry" < checkconf.out$n.1 | wc -l) +$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 && ret=1 +l=$(grep "missing 'file' entry" <checkconf.out$n.1 | wc -l) [ $l -eq 0 ] || ret=1 -$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 || ret=1 -l=$(grep "missing 'file' entry" < checkconf.out$n.2 | wc -l) +$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 || ret=1 +l=$(grep "missing 'file' entry" <checkconf.out$n.2 | wc -l) [ $l -eq 0 ] || ret=1 -$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 && ret=1 -l=$(grep "missing 'file' entry" < checkconf.out$n.3 | wc -l) +$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 && ret=1 +l=$(grep "missing 'file' entry" <checkconf.out$n.3 | wc -l) [ $l -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -270,8 +313,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf DLZ warnings ($n)" ret=0 -$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 && ret=1 -grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 && ret=1 +grep "'dlz' and 'database'" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -279,17 +322,17 @@ n=$((n + 1)) echo_i "checking for missing key directory warning ($n)" ret=0 rm -rf test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1 -l=$(grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l) +$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1 +l=$(grep "'test.keydir' does not exist" <checkconf.out$n.1 | wc -l) [ $l -eq 1 ] || ret=1 touch test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1 -l=$(grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l) +$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1 +l=$(grep "'test.keydir' is not a directory" <checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 rm -f test.keydir mkdir test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1 -l=$(grep "key-directory" < checkconf.out$n.3 | wc -l) +$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1 +l=$(grep "key-directory" <checkconf.out$n.3 | wc -l) [ $l -eq 0 ] || ret=1 rm -rf test.keydir if [ $ret -ne 0 ]; then echo_i "failed"; fi @@ -297,238 +340,316 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi n=$((n + 1)) echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl.conf > check.out 2>&1 && ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z max-ttl.conf >check.out 2>&1 && ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" ret=0 -$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" ret=0 -$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" ret=0 -$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" ret=0 -$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z passes on view with IN class ($n)" ret=0 -$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" ret=0 -$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-names fails as configured ($n)" ret=0 -$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-names/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-dup-records fails as configured ($n)" ret=0 -$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "has semantically identical records" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "failed: MX is an address" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-mx-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that check-srv-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -p properly print a port range ($n)" ret=0 -$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -z handles in-view ($n)" ret=0 -$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "zone shared.example/IN: loaded serial" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" ret=0 -$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)" ret=0 -$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "max-cache-size 60%;" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that named-checkconf -l prints out the zone list ($n)" ret=0 -$CHECKCONF -l good.conf | -grep -v "is deprecated" | -grep -v "is not implemented" | -grep -v "is not recommended" | -grep -v "no longer exists" | -grep -v "is obsolete" > checkconf.out$n || ret=1 -diff good.zonelist checkconf.out$n > diff.out$n || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -l good.conf \ + | grep -v "is deprecated" \ + | grep -v "is not implemented" \ + | grep -v "is not recommended" \ + | grep -v "no longer exists" \ + | grep -v "is obsolete" >checkconf.out$n || ret=1 +diff good.zonelist checkconf.out$n >diff.out$n || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "key without the updated" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +grep "key without the updated" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that a static root key generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that a static root DS trust anchor generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that a trusted-keys entry for root generates a warning ($n)" ret=0 -$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that using trust-anchors and managed-keys generates an error ($n)" ret=0 -$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1 -grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1 +grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp errors ($n)" ret=0 -$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1 -grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1 +grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" <checkconf.out$n >/dev/null || ret=1 +grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "update-check-ksk: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-bad-nsec3-iter.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: nsec3 iterations value 151 out of range" <checkconf.out$n >/dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 3 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -536,26 +657,26 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp key errors ($n)" ret=0 -$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp signatures refresh errors ($n)" ret=0 -$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-bad-signatures-refresh.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" <checkconf.out$n >/dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 2 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -563,8 +684,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp key lifetime errors ($n)" ret=0 -$CHECKCONF kasp-bad-lifetime.conf > checkconf.out$n 2>&1 && ret=1 -lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" < checkconf.out$n | wc -l) || ret=1 +$CHECKCONF kasp-bad-lifetime.conf >checkconf.out$n 2>&1 && ret=1 +lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" <checkconf.out$n | wc -l) || ret=1 if [ $lines -ne 3 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -572,21 +693,21 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp predefined key length ($n)" ret=0 -$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1 -grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf kasp warns about weird policies ($n)" ret=0 -$CHECKCONF kasp-warning.conf > checkconf.out$n 2>&1 || ret=1 -grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-warning.conf >checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 5 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -594,16 +715,16 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that a good 'kasp' configuration is accepted ($n)" ret=0 -$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that named-checkconf prints a known good kasp config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in [ -s good-kasp.conf.in ] || ret=1 -$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1 +$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1 cmp good-kasp.conf.in good-kasp.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -611,53 +732,71 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that max-ixfr-ratio 100% generates a warning ($n)" ret=0 -$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "exceeds 100%" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that *-source options with specified port generate warnings ($n)" ret=0 -$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" <checkconf.out$n >/dev/null || ret=1 +$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" <checkconf.out$n >/dev/null || ret=1 +$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)" ret=0 -$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-kasp-max-zone-ttl.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check obsolete options generate warnings ($n)" ret=0 -$CHECKCONF warn-random-device.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'random-device' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF warn-random-device.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'random-device' is obsolete and should be removed" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that 'check-wildcard no;' succeeds as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check that 'check-wildcard yes;' warns as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) echo_i "exit status: $status" diff --git a/bin/tests/system/checkds/ns1/setup.sh b/bin/tests/system/checkds/ns1/setup.sh index 537fb42..92e7442 100644 --- a/bin/tests/system/checkds/ns1/setup.sh +++ b/bin/tests/system/checkds/ns1/setup.sh @@ -31,16 +31,16 @@ cp "$zsk.key" "../ns10/" cp "$ksk.private" "../ns10/" cp "$zsk.private" "../ns10/" -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 ( - cd ../ns10 - cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" - "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 + cd ../ns10 + cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" + "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 ) # Configure the resolving server with a static key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns8/trusted.conf diff --git a/bin/tests/system/checkds/ns2/named.conf.in b/bin/tests/system/checkds/ns2/named.conf.in index 48e675c..2698082 100644 --- a/bin/tests/system/checkds/ns2/named.conf.in +++ b/bin/tests/system/checkds/ns2/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "checkds" { diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh index 3701948..6327a3d 100644 --- a/bin/tests/system/checkds/ns2/setup.sh +++ b/bin/tests/system/checkds/ns2/setup.sh @@ -17,20 +17,19 @@ echo_i "ns2/setup.sh" for subdomain in dspublished reference missing-dspublished bad-dspublished \ - multiple-dspublished incomplete-dspublished bad2-dspublished \ - resolver-dspublished \ - dswithdrawn missing-dswithdrawn bad-dswithdrawn \ - multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \ - resolver-dswithdrawn -do - cp "../ns9/dsset-$subdomain.checkds." . + multiple-dspublished incomplete-dspublished bad2-dspublished \ + resolver-dspublished \ + dswithdrawn missing-dswithdrawn bad-dswithdrawn \ + multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \ + resolver-dswithdrawn; do + cp "../ns9/dsset-$subdomain.checkds." . done zone="checkds" infile="checkds.db.infile" zonefile="checkds.db" -CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1 +CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1 diff --git a/bin/tests/system/checkds/ns3/named.conf.in b/bin/tests/system/checkds/ns3/named.conf.in index 54bfc99..3d54e11 100644 --- a/bin/tests/system/checkds/ns3/named.conf.in +++ b/bin/tests/system/checkds/ns3/named.conf.in @@ -35,7 +35,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/checkds/ns5/named.conf.in b/bin/tests/system/checkds/ns5/named.conf.in index b7226fe..227b562 100644 --- a/bin/tests/system/checkds/ns5/named.conf.in +++ b/bin/tests/system/checkds/ns5/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "checkds" { diff --git a/bin/tests/system/checkds/ns5/setup.sh b/bin/tests/system/checkds/ns5/setup.sh index 79d7b71..9f569c7 100644 --- a/bin/tests/system/checkds/ns5/setup.sh +++ b/bin/tests/system/checkds/ns5/setup.sh @@ -20,7 +20,7 @@ zone="checkds" infile="checkds.db.infile" zonefile="checkds.db" -CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1 +CSK=$($KEYGEN -k default $zone 2>keygen.out.$zone) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile >signer.out.$zone 2>&1 diff --git a/bin/tests/system/checkds/ns6/named.conf.in b/bin/tests/system/checkds/ns6/named.conf.in index cc226fb..814caca 100644 --- a/bin/tests/system/checkds/ns6/named.conf.in +++ b/bin/tests/system/checkds/ns6/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "foo" { diff --git a/bin/tests/system/checkds/ns7/named.conf.in b/bin/tests/system/checkds/ns7/named.conf.in index 57460c8..f4a3524 100644 --- a/bin/tests/system/checkds/ns7/named.conf.in +++ b/bin/tests/system/checkds/ns7/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "checkds" { diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in index 74a5130..b964e8c 100644 --- a/bin/tests/system/checkds/ns9/named.conf.in +++ b/bin/tests/system/checkds/ns9/named.conf.in @@ -41,7 +41,7 @@ parental-agents "ns2" port @PORT@ { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; /* diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh index e4d1586..5641e24 100644 --- a/bin/tests/system/checkds/ns9/setup.sh +++ b/bin/tests/system/checkds/ns9/setup.sh @@ -17,11 +17,11 @@ echo_i "ns9/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - echo "$zone" >> zones + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones } # Short environment variable names for key states and times. @@ -34,30 +34,28 @@ Y="now-1y" # DS Publication. for zn in dspublished reference missing-dspublished bad-dspublished \ - multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished -do - setup "${zn}.checkds" - cp template.db.in "$zonefile" - keytimes="-P $T -P sync $T -A $T" - CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone) - $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1 - cat template.db.in "${CSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished; do + setup "${zn}.checkds" + cp template.db.in "$zonefile" + keytimes="-P $T -P sync $T -A $T" + CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone) + $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" >settime.out.$zone 2>&1 + cat template.db.in "${CSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done # DS Withdrawal. for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \ - incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn -do - setup "${zn}.checkds" - cp template.db.in "$zonefile" - keytimes="-P $Y -P sync $Y -A $Y" - CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone) - $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1 - cat template.db.in "${CSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn; do + setup "${zn}.checkds" + cp template.db.in "$zonefile" + keytimes="-P $Y -P sync $Y -A $Y" + CSK=$($KEYGEN -k default $keytimes $zone 2>keygen.out.$zone) + $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" >settime.out.$zone 2>&1 + cat template.db.in "${CSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done diff --git a/bin/tests/system/checkds/setup.sh b/bin/tests/system/checkds/setup.sh index 828b2e6..848f0c8 100644 --- a/bin/tests/system/checkds/setup.sh +++ b/bin/tests/system/checkds/setup.sh @@ -31,18 +31,18 @@ copy_setports ns10/named.conf.in ns10/named.conf # Setup zones ( - cd ns9 - $SHELL setup.sh + cd ns9 + $SHELL setup.sh ) ( - cd ns5 - $SHELL setup.sh + cd ns5 + $SHELL setup.sh ) ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) ( - cd ns1 - $SHELL setup.sh + cd ns1 + $SHELL setup.sh ) diff --git a/bin/tests/system/checknames/tests.sh b/bin/tests/system/checknames/tests.sh index 47ba801..143727b 100644 --- a/bin/tests/system/checknames/tests.sh +++ b/bin/tests/system/checknames/tests.sh @@ -20,18 +20,18 @@ n=1 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -wait_for_record () { - $DIG $DIGOPTS "$1" "$2" "$3" > "$4" || return 1 - grep NOERROR "$4" > /dev/null || return 1 - return 0 +wait_for_record() { + $DIG $DIGOPTS "$1" "$2" "$3" >"$4" || return 1 + grep NOERROR "$4" >/dev/null || return 1 + return 0 } # Entry should exist. echo_i "check for failure from on zone load for 'check-names fail;' ($n)" ret=0 -$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1 -grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS fail.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep SERVFAIL dig.out.ns1.test$n >/dev/null || ret=1 +grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -39,7 +39,7 @@ n=$((n + 1)) # Entry should exist. echo_i "check for warnings from on zone load for 'check-names warn;' ($n)" ret=0 -grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1 +grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -55,10 +55,10 @@ n=$((n + 1)) # Entry should exist echo_i "check that 'check-names response warn;' works ($n)" ret=0 -$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS +noauth yy_yy.ignore.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 -grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1 +grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -66,11 +66,11 @@ n=$((n + 1)) # Entry should exist echo_i "check that 'check-names response (owner) fails;' works ($n)" ret=0 -$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 -grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1 -grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 +grep REFUSED dig.out.ns3.test$n >/dev/null || ret=1 +grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -78,11 +78,11 @@ n=$((n + 1)) # Entry should exist echo_i "check that 'check-names response (rdata) fails;' works ($n)" ret=0 -$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1 -$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 -grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1 -grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX >dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX >dig.out.ns3.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 +grep SERVFAIL dig.out.ns3.test$n >/dev/null || ret=1 +grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -90,31 +90,31 @@ n=$((n + 1)) echo_i "check that updates to 'check-names fail;' are rejected ($n)" ret=0 not=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || not=0 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || not=0 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.fail.update. 600 A 10.10.10.1 send END if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 -grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1 +grep NXDOMAIN dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that updates to 'check-names warn;' succeed and are logged ($n)" ret=0 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1|| ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.warn.update. 600 A 10.10.10.1 send END -$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run >/dev/null || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -122,16 +122,16 @@ n=$((n + 1)) echo_i "check that updates to 'check-names ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.1 ${PORT} update add xxx_xxx.ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0 +grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1 -grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A >dig.out.ns1.test$n || ret=1 +grep NOERROR dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -139,16 +139,16 @@ n=$((n + 1)) echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.4 ${PORT} update add xxx_xxx.primary-ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run > /dev/null || not=0 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns4/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A > dig.out.ns4.test$n || ret=1 -grep NOERROR dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.primary-ignore.update @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +grep NOERROR dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -156,26 +156,26 @@ n=$((n + 1)) echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" ret=0 not=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 check-names off server 10.53.0.5 ${PORT} update add xxx_xxx.master-ignore.update. 600 A 10.10.10.1 send END -grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run > /dev/null || not=0 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns5/named.run >/dev/null || not=0 if [ $not != 0 ]; then ret=1; fi -$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A > dig.out.ns5.test$n || ret=1 -grep NOERROR dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS xxx_xxx.master-ignore.update @10.53.0.5 A >dig.out.ns5.test$n || ret=1 +grep NOERROR dig.out.ns5.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "check that updates to 'check-names secondary ignore;' succeed and are not logged ($n)" ret=0 # takes a while for the transfer to succeed as ns5 (primary) is started after ns4 (secondary) # and the zone is still loading when we get to this point. retry_quiet 35 wait_for_record xxx_xxx.master-ignore.update @10.53.0.4 A dig.out.ns4.test$n || ret=1 -grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run > /dev/null && ret=1 +grep "xxx_xxx.master-ignore.update/A.*(check-names)" ns4/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -183,10 +183,10 @@ n=$((n + 1)) echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)" ret=0 retry_quiet 35 wait_for_record xxx_xxx.primary-ignore.update @10.53.0.5 A dig.out.ns5.test$n || ret=1 -grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run > /dev/null && ret=1 +grep "xxx_xxx.primary-ignore.update/A.*(check-names)" ns5/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkzone/setup.sh b/bin/tests/system/checkzone/setup.sh index 4518c56..a48aa59 100644 --- a/bin/tests/system/checkzone/setup.sh +++ b/bin/tests/system/checkzone/setup.sh @@ -16,6 +16,6 @@ ln -s $CHECKZONE named-compilezone ./named-compilezone -D -F raw -o good1.db.raw example \ - zones/good1.db > /dev/null 2>&1 + zones/good1.db >/dev/null 2>&1 copy_setports zones/bad-tsig.db.in zones/bad-tsig.db diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index 169e411..ab15260 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh @@ -18,121 +18,119 @@ set -e status=0 n=1 -for db in zones/good*.db -do - echo_i "checking $db ($n)" - ret=0 - case $db in - zones/good-gc-msdcs.db|zones/good-spf-exception.db) - $CHECKZONE -k fail -i local example $db > test.out.$n 2>&1 || ret=1 - ;; - zones/good-dns-sd-reverse.db) - $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || ret=1 - ;; - *) - $CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1 - ;; - esac - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for db in zones/good*.db; do + echo_i "checking $db ($n)" + ret=0 + case $db in + zones/good-gc-msdcs.db | zones/good-spf-exception.db) + $CHECKZONE -k fail -i local example $db >test.out.$n 2>&1 || ret=1 + ;; + zones/good-dns-sd-reverse.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || ret=1 + ;; + *) + $CHECKZONE -i local example $db >test.out.$n 2>&1 || ret=1 + ;; + esac + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for db in zones/bad*.db -do - echo_i "checking $db ($n)" - ret=0 v=0 - case $db in - zones/bad-dns-sd-reverse.db|zones/bad-svcb-servername.db) - $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db > test.out.$n 2>&1 || v=$? - ;; - *) - $CHECKZONE -i local example $db > test.out.$n 2>&1 || v=$? - ;; - esac - test $v = 1 || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for db in zones/bad*.db; do + echo_i "checking $db ($n)" + ret=0 v=0 + case $db in + zones/bad-dns-sd-reverse.db | zones/bad-svcb-servername.db) + $CHECKZONE -k fail -i local 0.0.0.0.in-addr.arpa $db >test.out.$n 2>&1 || v=$? + ;; + *) + $CHECKZONE -i local example $db >test.out.$n 2>&1 || v=$? + ;; + esac + test $v = 1 || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking with journal file ($n)" ret=0 -$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1 -$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.orig.db test zones/test1.db >/dev/null 2>&1 || ret=1 +$CHECKZONE -D -o test.changed.db test zones/test2.db >/dev/null 2>&1 || ret=1 $MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1 jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l) [ $jlines = 3 ] || ret=1 -$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -j -o test.out1.db test test.orig.db >/dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out1.db || ret=1 mv -f test.orig.db.jnl test.journal -$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1 +$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db >/dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out2.db || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with spf warnings ($n)" ret=0 -$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1 -$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1 -grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1 -grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1 -grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1 -grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1 -grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1 -grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1 -n=$((n+1)) +$CHECKZONE example zones/spf.db >test.out1.$n 2>&1 || ret=1 +$CHECKZONE -T ignore example zones/spf.db >test.out2.$n 2>&1 || ret=1 +grep "'x.example' found type SPF" test.out1.$n >/dev/null && ret=1 +grep "'y.example' found type SPF" test.out1.$n >/dev/null || ret=1 +grep "'example' found type SPF" test.out1.$n >/dev/null && ret=1 +grep "'x.example' found type SPF" test.out2.$n >/dev/null && ret=1 +grep "'y.example' found type SPF" test.out2.$n >/dev/null && ret=1 +grep "'example' found type SPF" test.out2.$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (text) ($n)" ret=0 -$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1 -n=$((n+1)) +$CHECKZONE -l 300 example zones/good1.db >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -l 600 example zones/good1.db >test.out2.$n 2>&1 || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking with max ttl (raw) ($n)" ret=0 -$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1 -$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1 -n=$((n+1)) +$CHECKZONE -f raw -l 300 example good1.db.raw >test.out1.$n 2>&1 && ret=1 +$CHECKZONE -f raw -l 600 example good1.db.raw >test.out2.$n 2>&1 || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no new \$ORIGIN ($n)" ret=0 -$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null && ret=1 -n=$((n+1)) +$CHECKZONE example zones/nowarn.inherited.owner.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)" ret=0 -$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=$((n+1)) +$CHECKZONE example zones/warn.inherit.origin.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)" ret=0 -$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 -grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=$((n+1)) +$CHECKZONE example zones/warn.inherited.owner.db >test.out1.$n 2>&1 || ret=1 +grep "inherited.owner" test.out1.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that raw zone with bad class is handled ($n)" ret=0 -$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1 +$CHECKZONE -f raw example zones/bad-badclass.raw >test.out.$n 2>&1 && ret=1 grep "failed: bad class" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that expirations that loop using serial arithmetic are handled ($n)" ret=0 @@ -159,56 +157,56 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 -$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1 +$CHECKZONE example.com zones/ns-address-below-dname.db >test.out.$n 2>&1 && ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 -$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1 +$CHECKZONE example.com zones/delegating-ns-address-below-dname.db >test.out.$n 2>&1 || ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named-compilezone works when reading input from stdin ($n)" ret=0 # Step 1: take raw input from stdin and convert it to text/relative format. # Last argument "-" is optional, but it says more explicitly that we're reading from stdin. cat zones/zone1.db | ./named-compilezone -f text -F text -s relative \ - -o zones/zone1_stdin.txt zone1.com - > /dev/null || ret=1 -status=$((status+ret)) + -o zones/zone1_stdin.txt zone1.com - >/dev/null || ret=1 +status=$((status + ret)) ret=0 # Step 2: take raw input from file and convert it to text format. ./named-compilezone -f text -F text -s relative -o zones/zone1_file.txt \ - zone1.com zones/zone1.db > /dev/null || ret=1 -status=$((status+ret)) + zone1.com zones/zone1.db >/dev/null || ret=1 +status=$((status + ret)) ret=0 # Step 3: Ensure that output conversion from stdin is the same as the output conversion from a file. diff zones/zone1_file.txt zones/zone1_stdin.txt >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "checking integer overflow is prevented in \$GENERATE ($n)" -$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1 +$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1 lines=$(grep -c CNAME test.out.$n) echo $lines [ "$lines" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh index afc405d..19eb054 100644 --- a/bin/tests/system/ckdnsrps.sh +++ b/bin/tests/system/ckdnsrps.sh @@ -18,7 +18,6 @@ set -e # Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf # and differ from dnsrpz.conf which is used by dnsrpzd. - . ../conf.sh DNSRPS_CMD=../rpz/dnsrps @@ -29,57 +28,64 @@ MCONF=dnsrps.conf SCONF=dnsrps-secondary.conf USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]" while getopts "xADM:S:" c; do - case $c in - x) set -x; DEBUG=-x;; - A) AS_NS=yes;; - D) TEST_DNSRPS=yes;; - M) MCONF="$OPTARG";; - S) SCONF="$OPTARG";; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ;; + A) AS_NS=yes ;; + D) TEST_DNSRPS=yes ;; + M) MCONF="$OPTARG" ;; + S) SCONF="$OPTARG" ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $(expr $OPTIND - 1 || true) if [ "$#" -ne 0 ]; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # erase any existing conf files -cat /dev/null > $MCONF -cat /dev/null > $SCONF +cat /dev/null >$MCONF +cat /dev/null >$SCONF -add_conf () { - echo "$*" >>$MCONF - echo "$*" >>$SCONF +add_conf() { + echo "$*" >>$MCONF + echo "$*" >>$SCONF } if ! $FEATURETEST --enable-dnsrps; then - if [ -n "$TEST_DNSRPS" ]; then - add_conf "## DNSRPS disabled at compile time" - fi - add_conf "#skip" - exit 0 + if [ -n "$TEST_DNSRPS" ]; then + add_conf "## DNSRPS disabled at compile time" + fi + add_conf "#skip" + exit 0 fi if [ -z "$TEST_DNSRPS" ]; then - add_conf "## testing with native RPZ" - add_conf '#skip' - exit 0 + add_conf "## testing with native RPZ" + add_conf '#skip' + exit 0 else - add_conf "## testing with DNSRPS" + add_conf "## testing with DNSRPS" fi if [ ! -x "$DNSRPS_CMD" ]; then - add_conf "## make $DNSRPS_CMD to test DNSRPS" - add_conf '#skip' - exit 0 + add_conf "## make $DNSRPS_CMD to test DNSRPS" + add_conf '#skip' + exit 0 fi -if $DNSRPS_CMD -a >/dev/null; then : +if $DNSRPS_CMD -a >/dev/null; then + : else - add_conf "## DNSRPS provider library is not available" - add_conf '#skip' - exit 0 + add_conf "## DNSRPS provider library is not available" + add_conf '#skip' + exit 0 fi CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf @@ -90,7 +96,7 @@ CMN=" dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf PRIMARY="$CMN" if [ -n "$AS_NS" ]; then - PRIMARY="$PRIMARY + PRIMARY="$PRIMARY qname-as-ns yes ip-as-ns yes" fi @@ -106,7 +112,6 @@ $CMN dnsrpzd '' }; # do not start dnsrpzd EOF - # DNSRPS is available. # The test should fail if the license is bad. add_conf "dnsrps-enable yes;" @@ -117,49 +122,49 @@ ALT_L=alt-dnsrpzd-license.conf # try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist [ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf if [ -s $ALT_L ]; then - SRC_L=$ALT_L - USE_ALT= + SRC_L=$ALT_L + USE_ALT= else - SRC_L=../rpz/dnsrpzd-license.conf - USE_ALT="## consider installing alt-dnsrpzd-license.conf" + SRC_L=../rpz/dnsrpzd-license.conf + USE_ALT="## consider installing alt-dnsrpzd-license.conf" fi cp $SRC_L $CUR_L # parse $CUR_L for the license zone name, primary IP addresses, and optional # transfer-source IP addresses -eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\ - -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ - -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ - -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ - -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ - $CUR_L` +eval $(sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' \ + -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p' \ + -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p' \ + -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p' \ + -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p' \ + $CUR_L) if [ -z "$NAME" ]; then - add_conf "## no DNSRPS tests; no license domain name in $SRC_L" - add_conf '#fail' - exit 0 + add_conf "## no DNSRPS tests; no license domain name in $SRC_L" + add_conf '#fail' + exit 0 fi if [ -z "$IPV4" ]; then - IPV4=license1.fastrpz.com - TS4= + IPV4=license1.fastrpz.com + TS4= fi if [ -z "$IPV6" ]; then - IPV6=license1.fastrpz.com - TS6= + IPV6=license1.fastrpz.com + TS6= fi # This TSIG key is common and NOT a secret KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1' # Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems -if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 +if $($DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4 \ + | grep -i "^$NAME.*TXT" >/dev/null); then + exit 0 fi -if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ - | grep -i "^$NAME.*TXT" >/dev/null`; then - exit 0 +if $($DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6 \ + | grep -i "^$NAME.*TXT" >/dev/null); then + exit 0 fi add_conf "## DNSRPS lacks a valid license via $SRC_L" diff --git a/bin/tests/system/cleanall.sh b/bin/tests/system/cleanall.sh index 79a8434..a7e48ad 100644 --- a/bin/tests/system/cleanall.sh +++ b/bin/tests/system/cleanall.sh @@ -17,20 +17,17 @@ . ./conf.sh - find . -type f \( \ - -name '*~' -o -name 'core' -o -name '*.core' \ - -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \ - -o -name named.run -o -name ans.run \ - -o -name '*-valgrind-*.log' \) -print | xargs rm -f + -name '*~' -o -name 'core' -o -name '*.core' \ + -o -name '*.log' -o -name '*.pid' -o -name '*.keyset' \ + -o -name named.run -o -name ans.run \) -print | xargs rm -f status=0 rm -f ../random.data -for d in $SUBDIRS -do - test ! -f $d/clean.sh || ( cd $d && $SHELL clean.sh ) - rm -f test.output.$d - test -d $d && find $d -type d -exec rmdir '{}' \; 2> /dev/null +for d in $SUBDIRS; do + test ! -f $d/clean.sh || (cd $d && $SHELL clean.sh) + rm -f test.output.$d + test -d $d && find $d -type d -exec rmdir '{}' \; 2>/dev/null done diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index 90059dd..d2fc635 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -296,7 +296,7 @@ send() { eval "$($PYTHON "$TOP_SRCDIR/bin/tests/system/get_algorithms.py")" # Default HMAC algorithm. -# also update common/rndc.conf and common/rndc.key when updating DEFAULT_HMAC +# also update _common/rndc.conf and _common/rndc.key when updating DEFAULT_HMAC export DEFAULT_HMAC=hmac-sha256 # @@ -609,12 +609,12 @@ _times() { } rndc_reload() { - $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' + $RNDC -c ../_common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' # reloading single zone is synchronous, if we're reloading whole server # we need to wait for reload to finish if [ -z "$3" ]; then for _ in $(_times 10); do - $RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break + $RNDC -c ../_common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break sleep 1 done fi @@ -622,9 +622,9 @@ rndc_reload() { rndc_reconfig() { seconds=${3:-10} - $RNDC -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' + $RNDC -c ../_common/rndc.conf -s "$2" -p "${CONTROLPORT}" reconfig 2>&1 | sed 's/^/'"I:$SYSTESTDIR:$1"' /' for _ in $(_times "$seconds"); do - "$RNDC" -c ../common/rndc.conf -s "$2" -p "${CONTROLPORT}" status | grep "reload/reconfig in progress" > /dev/null || break + "$RNDC" -c ../_common/rndc.conf -s "$2" -p "${CONTROLPORT}" status | grep "reload/reconfig in progress" > /dev/null || break sleep 1 done } @@ -636,7 +636,7 @@ rndc_reconfig() { # arguments, if any, are appended to the rndc command line after "dumpdb". # # Control channel configuration for the name server instance to send the -# command to must match the contents of bin/tests/system/common/rndc.conf. +# command to must match the contents of bin/tests/system/_common/rndc.conf. # # rndc output is stored in a file called rndc.out.test${n}; the "n" variable is # required to be set by the calling tests.sh script. @@ -651,7 +651,7 @@ rndc_dumpdb() { __ip="10.53.0.$(echo "${__server}" | tr -c -d "0-9")" shift - ${RNDC} -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1 + ${RNDC} -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1 for _ in 0 1 2 3 4 5 6 7 8 9 do diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 1a2fe73..3608f7f 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -27,12 +27,12 @@ export ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname export CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds export CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf export CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone -if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119 - export DELV=$TOP_BUILDDIR/bin/delv/delv - export RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve +if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119 + export DELV=$TOP_BUILDDIR/bin/delv/delv + export RESOLVE=$TOP_BUILDDIR/bin/tests/system/resolve else - export DELV=: - export RESOLVE=: + export DELV=: + export RESOLVE=: fi export DIG=$TOP_BUILDDIR/bin/dig/dig export DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read @@ -88,13 +88,13 @@ export PYTEST=@PYTEST@ # export PERL=$(command -v "@PERL@" || true) if ! test -x "$PERL"; then - echo "Perl interpreter is required for system tests." - exit 77 + echo "Perl interpreter is required for system tests." + exit 77 fi export PYTHON=$(command -v "@PYTHON@" || true) if ! test -x "$PYTHON"; then - echo "Python interpreter is required for system tests." - exit 77 + echo "Python interpreter is required for system tests." + exit 77 fi # Load common values diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py index 50510a0..034b2c8 100644 --- a/bin/tests/system/conftest.py +++ b/bin/tests/system/conftest.py @@ -9,631 +9,642 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +from functools import partial import logging import os +from pathlib import Path +import re +import shutil +import subprocess +import tempfile +import time +from typing import Any, Dict, List, Optional + import pytest -# ======================= LEGACY=COMPATIBLE FIXTURES ========================= -# The following fixtures are designed to work with both pytest system test -# runner and the legacy system test framework. -# -# FUTURE: Rewrite the individual port fixtures to re-use the `ports` fixture. +pytest.register_assert_rewrite("isctest") + + +# Silence warnings caused by passing a pytest fixture to another fixture. +# pylint: disable=redefined-outer-name + + +# ----------------- Older pytest / xdist compatibility ------------------- +# As of 2023-01-11, the minimal supported pytest / xdist versions are +# determined by what is available in EL8/EPEL8: +# - pytest 3.4.2 +# - pytest-xdist 1.24.1 +_pytest_ver = pytest.__version__.split(".") +_pytest_major_ver = int(_pytest_ver[0]) +if _pytest_major_ver < 7: + # pytest.Stash/pytest.StashKey mechanism has been added in 7.0.0 + # for older versions, use regular dictionary with string keys instead + FIXTURE_OK = "fixture_ok" # type: Any +else: + FIXTURE_OK = pytest.StashKey[bool]() # pylint: disable=no-member + +# ----------------------- Globals definition ----------------------------- + +LOG_FORMAT = "%(asctime)s %(levelname)7s:%(name)s %(message)s" +XDIST_WORKER = os.environ.get("PYTEST_XDIST_WORKER", "") +FILE_DIR = os.path.abspath(Path(__file__).parent) +ENV_RE = re.compile(b"([^=]+)=(.*)") +PORT_MIN = 5001 +PORT_MAX = 32767 +PORTS_PER_TEST = 20 +PRIORITY_TESTS = [ + # Tests that are scheduled first. Speeds up parallel execution. + "dupsigs/", + "rpz/", + "rpzrecurse/", + "serve-stale/", + "timeouts/", + "upforwd/", +] +PRIORITY_TESTS_RE = re.compile("|".join(PRIORITY_TESTS)) +CONFTEST_LOGGER = logging.getLogger("conftest") +SYSTEM_TEST_DIR_GIT_PATH = "bin/tests/system" +SYSTEM_TEST_NAME_RE = re.compile(f"{SYSTEM_TEST_DIR_GIT_PATH}" + r"/([^/]+)") +SYMLINK_REPLACEMENT_RE = re.compile(r"/tests(_.*)\.py") + +# ---------------------- Module initialization --------------------------- + + +def init_pytest_conftest_logger(conftest_logger): + """ + This initializes the conftest logger which is used for pytest setup + and configuration before tests are executed -- aka any logging in this + file that is _not_ module-specific. + """ + conftest_logger.setLevel(logging.DEBUG) + file_handler = logging.FileHandler("pytest.conftest.log.txt") + file_handler.setLevel(logging.DEBUG) + file_handler.setFormatter(logging.Formatter(LOG_FORMAT)) + conftest_logger.addHandler(file_handler) + + +init_pytest_conftest_logger(CONFTEST_LOGGER) + + +def avoid_duplicated_logs(): + """ + Remove direct root logger output to file descriptors. + This default is causing duplicates because all our messages go through + regular logging as well and are thus displayed twice. + """ + todel = [] + for handler in logging.root.handlers: + if handler.__class__ == logging.StreamHandler: + # Beware: As for pytest 7.2.2, LiveLogging and LogCapture + # handlers inherit from logging.StreamHandler + todel.append(handler) + for handler in todel: + logging.root.handlers.remove(handler) + + +def parse_env(env_bytes): + """Parse the POSIX env format into Python dictionary.""" + out = {} + for line in env_bytes.splitlines(): + match = ENV_RE.match(line) + if match: + # EL8+ workaround for https://access.redhat.com/solutions/6994985 + # FUTURE: can be removed when we no longer need to parse env vars + if match.groups()[0] in [b"which_declare", b"BASH_FUNC_which%%"]: + continue + out[match.groups()[0]] = match.groups()[1] + return out + + +def get_env_bytes(cmd): + try: + proc = subprocess.run( + [cmd], + shell=True, + check=True, + cwd=FILE_DIR, + stdout=subprocess.PIPE, + ) + except subprocess.CalledProcessError as exc: + CONFTEST_LOGGER.error("failed to get shell env: %s", exc) + raise exc + env_bytes = proc.stdout + return parse_env(env_bytes) + + +# Read common environment variables for running tests from conf.sh. +# FUTURE: Remove conf.sh entirely and define all variables in pytest only. +CONF_ENV = get_env_bytes(". ./conf.sh && env") +os.environb.update(CONF_ENV) +CONFTEST_LOGGER.debug("variables in env: %s", ", ".join([str(key) for key in CONF_ENV])) + +# --------------------------- pytest hooks ------------------------------- + + +def pytest_addoption(parser): + parser.addoption( + "--noclean", + action="store_true", + default=False, + help="don't remove the temporary test directories with artifacts", + ) + + +def pytest_configure(config): + # Ensure this hook only runs on the main pytest instance if xdist is + # used to spawn other workers. + if not XDIST_WORKER: + if config.pluginmanager.has_plugin("xdist") and config.option.numprocesses: + # system tests depend on module scope for setup & teardown + # enforce use "loadscope" scheduler or disable paralelism + try: + import xdist.scheduler.loadscope # pylint: disable=unused-import + except ImportError: + CONFTEST_LOGGER.debug( + "xdist is too old and does not have " + "scheduler.loadscope, disabling parallelism" + ) + config.option.dist = "no" + else: + config.option.dist = "loadscope" + + +def pytest_ignore_collect(path): + # System tests are executed in temporary directories inside + # bin/tests/system. These temporary directories contain all files + # needed for the system tests - including tests_*.py files. Make sure to + # ignore these during test collection phase. Otherwise, test artifacts + # from previous runs could mess with the runner. Also ignore the + # convenience symlinks to those test directories. In both of those + # cases, the system test name (directory) contains an underscore, which + # is otherwise and invalid character for a system test name. + match = SYSTEM_TEST_NAME_RE.search(str(path)) + if match is None: + CONFTEST_LOGGER.warning("unexpected test path: %s (ignored)", path) + return True + system_test_name = match.groups()[0] + return "_" in system_test_name + + +def pytest_collection_modifyitems(items): + """Schedule long-running tests first to get more benefit from parallelism.""" + priority = [] + other = [] + for item in items: + if PRIORITY_TESTS_RE.search(item.nodeid): + priority.append(item) + else: + other.append(item) + items[:] = priority + other + + +class NodeResult: + def __init__(self, report=None): + self.outcome = None + self.messages = [] + if report is not None: + self.update(report) + + def update(self, report): + if self.outcome is None or report.outcome != "passed": + self.outcome = report.outcome + if report.longreprtext: + self.messages.append(report.longreprtext) + + +@pytest.hookimpl(tryfirst=True, hookwrapper=True) +def pytest_runtest_makereport(item): + """Hook that is used to expose test results to session (for use in fixtures).""" + # execute all other hooks to obtain the report object + outcome = yield + report = outcome.get_result() + + # Set the test outcome in session, so we can access it from module-level + # fixture using nodeid. Note that this hook is called three times: for + # setup, call and teardown. We only care about the overall result so we + # merge the results together and preserve the information whether a test + # passed. + test_results = {} + try: + test_results = getattr(item.session, "test_results") + except AttributeError: + setattr(item.session, "test_results", test_results) + node_result = test_results.setdefault(item.nodeid, NodeResult()) + node_result.update(report) + + +# --------------------------- Fixtures ----------------------------------- + + +@pytest.fixture(scope="session") +def modules(): + """ + Sorted list of ALL modules. + + The list includes even test modules that are not tested in the current + session. It is used to determine port distribution. Using a complete + list of all possible test modules allows independent concurrent pytest + invocations. + """ + mods = [] + for dirpath, _dirs, files in os.walk(FILE_DIR): + for file in files: + if file.startswith("tests_") and file.endswith(".py"): + mod = f"{dirpath}/{file}" + if not pytest_ignore_collect(mod): + mods.append(mod) + return sorted(mods) + + +@pytest.fixture(scope="session") +def module_base_ports(modules): + """ + Dictionary containing assigned base port for every module. + + The port numbers are deterministically assigned before any testing + starts. This fixture MUST return the same value when called again + during the same test session. When running tests in parallel, this is + exactly what happens - every worker thread will call this fixture to + determine test ports. + """ + port_min = PORT_MIN + port_max = PORT_MAX - len(modules) * PORTS_PER_TEST + if port_max < port_min: + raise RuntimeError("not enough ports to assign unique port set to each module") + + # Rotate the base port value over time to detect possible test issues + # with using random ports. This introduces a very slight race condition + # risk. If this value changes between pytest invocation and spawning + # worker threads, multiple tests may have same port values assigned. If + # these tests are then executed simultaneously, the test results will + # be misleading. + base_port = int(time.time() // 3600) % (port_max - port_min) + port_min + + return {mod: base_port + i * PORTS_PER_TEST for i, mod in enumerate(modules)} @pytest.fixture(scope="module") -def named_port(): - return int(os.environ.get("PORT", default=5300)) +def base_port(request, module_base_ports): + """Start of the port range assigned to a particular test module.""" + port = module_base_ports[request.fspath] + return port @pytest.fixture(scope="module") -def named_tlsport(): - return int(os.environ.get("TLSPORT", default=8853)) +def ports(base_port): + """Dictionary containing port names and their assigned values.""" + return { + "PORT": base_port, + "TLSPORT": base_port + 1, + "HTTPPORT": base_port + 2, + "HTTPSPORT": base_port + 3, + "EXTRAPORT1": base_port + 4, + "EXTRAPORT2": base_port + 5, + "EXTRAPORT3": base_port + 6, + "EXTRAPORT4": base_port + 7, + "EXTRAPORT5": base_port + 8, + "EXTRAPORT6": base_port + 9, + "EXTRAPORT7": base_port + 10, + "EXTRAPORT8": base_port + 11, + "CONTROLPORT": base_port + 12, + } @pytest.fixture(scope="module") -def named_httpsport(): - return int(os.environ.get("HTTPSPORT", default=4443)) +def named_port(ports): + return ports["PORT"] @pytest.fixture(scope="module") -def control_port(): - return int(os.environ.get("CONTROLPORT", default=9953)) +def named_tlsport(ports): + return ports["TLSPORT"] -if os.getenv("LEGACY_TEST_RUNNER", "0") != "0": +@pytest.fixture(scope="module") +def named_httpsport(ports): + return ports["HTTPSPORT"] - @pytest.fixture - def logger(request): - """Logging facility specific to a particular test.""" - return logging.getLogger(request.node.name) -else: - # ======================= PYTEST SYSTEM TEST RUNNER ========================== - # From this point onward, any setting, fixtures or functions only apply to the - # new pytest runner. Ideally, these would be in a separate file. However, due - # to how pytest works and how it's used by the legacy runner, the best approach - # is to have everything in this file to avoid duplication and set the - # LEGACY_TEST_RUNNER if pytest is executed from the legacy framework. - # - # FUTURE: Once legacy runner is no longer supported, remove the env var and - # don't branch the code. - - from functools import partial - from pathlib import Path - import re - import shutil - import subprocess - import tempfile - import time - from typing import Any, Dict, List, Optional - - # Silence warnings caused by passing a pytest fixture to another fixture. - # pylint: disable=redefined-outer-name - - # ----------------- Older pytest / xdist compatibility ------------------- - # As of 2023-01-11, the minimal supported pytest / xdist versions are - # determined by what is available in EL8/EPEL8: - # - pytest 3.4.2 - # - pytest-xdist 1.24.1 - _pytest_ver = pytest.__version__.split(".") - _pytest_major_ver = int(_pytest_ver[0]) - if _pytest_major_ver < 7: - # pytest.Stash/pytest.StashKey mechanism has been added in 7.0.0 - # for older versions, use regular dictionary with string keys instead - FIXTURE_OK = "fixture_ok" # type: Any - else: - FIXTURE_OK = pytest.StashKey[bool]() # pylint: disable=no-member - - # ----------------------- Globals definition ----------------------------- - - LOG_FORMAT = "%(asctime)s %(levelname)7s:%(name)s %(message)s" - XDIST_WORKER = os.environ.get("PYTEST_XDIST_WORKER", "") - FILE_DIR = os.path.abspath(Path(__file__).parent) - ENV_RE = re.compile(b"([^=]+)=(.*)") - PORT_MIN = 5001 - PORT_MAX = 32767 - PORTS_PER_TEST = 20 - PRIORITY_TESTS = [ - # Tests that are scheduled first. Speeds up parallel execution. - "dupsigs/", - "rpz/", - "rpzrecurse/", - "serve-stale/", - "timeouts/", - "upforwd/", - ] - PRIORITY_TESTS_RE = re.compile("|".join(PRIORITY_TESTS)) - CONFTEST_LOGGER = logging.getLogger("conftest") - SYSTEM_TEST_DIR_GIT_PATH = "bin/tests/system" - SYSTEM_TEST_NAME_RE = re.compile(f"{SYSTEM_TEST_DIR_GIT_PATH}" + r"/([^/]+)") - SYMLINK_REPLACEMENT_RE = re.compile(r"/tests(_sh(?=_))?(.*)\.py") - - # ---------------------- Module initialization --------------------------- - - def init_pytest_conftest_logger(conftest_logger): - """ - This initializes the conftest logger which is used for pytest setup - and configuration before tests are executed -- aka any logging in this - file that is _not_ module-specific. - """ - conftest_logger.setLevel(logging.DEBUG) - file_handler = logging.FileHandler("pytest.conftest.log.txt") - file_handler.setLevel(logging.DEBUG) - file_handler.setFormatter(logging.Formatter(LOG_FORMAT)) - conftest_logger.addHandler(file_handler) - - init_pytest_conftest_logger(CONFTEST_LOGGER) - - def avoid_duplicated_logs(): - """ - Remove direct root logger output to file descriptors. - This default is causing duplicates because all our messages go through - regular logging as well and are thus displayed twice. - """ - todel = [] - for handler in logging.root.handlers: - if handler.__class__ == logging.StreamHandler: - # Beware: As for pytest 7.2.2, LiveLogging and LogCapture - # handlers inherit from logging.StreamHandler - todel.append(handler) - for handler in todel: - logging.root.handlers.remove(handler) - - def parse_env(env_bytes): - """Parse the POSIX env format into Python dictionary.""" - out = {} - for line in env_bytes.splitlines(): - match = ENV_RE.match(line) - if match: - # EL8+ workaround for https://access.redhat.com/solutions/6994985 - # FUTURE: can be removed when we no longer need to parse env vars - if match.groups()[0] in [b"which_declare", b"BASH_FUNC_which%%"]: - continue - out[match.groups()[0]] = match.groups()[1] - return out - - def get_env_bytes(cmd): - try: - proc = subprocess.run( - [cmd], - shell=True, - check=True, - cwd=FILE_DIR, - stdout=subprocess.PIPE, - ) - except subprocess.CalledProcessError as exc: - CONFTEST_LOGGER.error("failed to get shell env: %s", exc) - raise exc - env_bytes = proc.stdout - return parse_env(env_bytes) - - # Read common environment variables for running tests from conf.sh. - # FUTURE: Remove conf.sh entirely and define all variables in pytest only. - CONF_ENV = get_env_bytes(". ./conf.sh && env") - os.environb.update(CONF_ENV) - CONFTEST_LOGGER.debug( - "variables in env: %s", ", ".join([str(key) for key in CONF_ENV]) - ) +@pytest.fixture(scope="module") +def control_port(ports): + return ports["CONTROLPORT"] - # --------------------------- pytest hooks ------------------------------- - def pytest_addoption(parser): - parser.addoption( - "--noclean", - action="store_true", - default=False, - help="don't remove the temporary test directories with artifacts", - ) +@pytest.fixture(scope="module") +def env(ports): + """Dictionary containing environment variables for the test.""" + env = os.environ.copy() + for portname, portnum in ports.items(): + env[portname] = str(portnum) + env["builddir"] = f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" + env["srcdir"] = f"{env['TOP_SRCDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" + return env - def pytest_configure(config): - # Ensure this hook only runs on the main pytest instance if xdist is - # used to spawn other workers. - if not XDIST_WORKER: - if config.pluginmanager.has_plugin("xdist") and config.option.numprocesses: - # system tests depend on module scope for setup & teardown - # enforce use "loadscope" scheduler or disable paralelism - try: - import xdist.scheduler.loadscope # pylint: disable=unused-import - except ImportError: - CONFTEST_LOGGER.debug( - "xdist is too old and does not have " - "scheduler.loadscope, disabling parallelism" - ) - config.option.dist = "no" - else: - config.option.dist = "loadscope" - - def pytest_ignore_collect(path): - # System tests are executed in temporary directories inside - # bin/tests/system. These temporary directories contain all files - # needed for the system tests - including tests_*.py files. Make sure to - # ignore these during test collection phase. Otherwise, test artifacts - # from previous runs could mess with the runner. Also ignore the - # convenience symlinks to those test directories. In both of those - # cases, the system test name (directory) contains an underscore, which - # is otherwise and invalid character for a system test name. - match = SYSTEM_TEST_NAME_RE.search(str(path)) - if match is None: - CONFTEST_LOGGER.warning("unexpected test path: %s (ignored)", path) - return True - system_test_name = match.groups()[0] - return "_" in system_test_name - - def pytest_collection_modifyitems(items): - """Schedule long-running tests first to get more benefit from parallelism.""" - priority = [] - other = [] - for item in items: - if PRIORITY_TESTS_RE.search(item.nodeid): - priority.append(item) - else: - other.append(item) - items[:] = priority + other - - class NodeResult: - def __init__(self, report=None): - self.outcome = None - self.messages = [] - if report is not None: - self.update(report) - - def update(self, report): - if self.outcome is None or report.outcome != "passed": - self.outcome = report.outcome - if report.longreprtext: - self.messages.append(report.longreprtext) - - @pytest.hookimpl(tryfirst=True, hookwrapper=True) - def pytest_runtest_makereport(item): - """Hook that is used to expose test results to session (for use in fixtures).""" - # execute all other hooks to obtain the report object - outcome = yield - report = outcome.get_result() - - # Set the test outcome in session, so we can access it from module-level - # fixture using nodeid. Note that this hook is called three times: for - # setup, call and teardown. We only care about the overall result so we - # merge the results together and preserve the information whether a test - # passed. - test_results = {} + +@pytest.fixture(scope="module") +def system_test_name(request): + """Name of the system test directory.""" + path = Path(request.fspath) + return path.parent.name + + +@pytest.fixture(scope="module") +def mlogger(system_test_name): + """Logging facility specific to this test module.""" + avoid_duplicated_logs() + return logging.getLogger(system_test_name) + + +@pytest.fixture +def logger(request, system_test_name): + """Logging facility specific to a particular test.""" + return logging.getLogger(f"{system_test_name}.{request.node.name}") + + +@pytest.fixture(scope="module") +def system_test_dir( + request, env, system_test_name, mlogger +): # pylint: disable=too-many-statements,too-many-locals + """ + Temporary directory for executing the test. + + This fixture is responsible for creating (and potentially removing) a + copy of the system test directory which is used as a temporary + directory for the test execution. + + FUTURE: This removes the need to have clean.sh scripts. + """ + + def get_test_result(): + """Aggregate test results from all individual tests from this module + into a single result: failed > skipped > passed.""" try: - test_results = getattr(item.session, "test_results") + all_test_results = request.session.test_results except AttributeError: - setattr(item.session, "test_results", test_results) - node_result = test_results.setdefault(item.nodeid, NodeResult()) - node_result.update(report) - - # --------------------------- Fixtures ----------------------------------- - - @pytest.fixture(scope="session") - def modules(): - """Sorted list of all modules. Used to determine port distribution.""" - mods = [] - for dirpath, _dirs, files in os.walk(os.getcwd()): - for file in files: - if file.startswith("tests_") and file.endswith(".py"): - mod = f"{dirpath}/{file}" - mods.append(mod) - return sorted(mods) - - @pytest.fixture(scope="session") - def module_base_ports(modules): - """ - Dictionary containing assigned base port for every module. - - Note that this is a session-wide fixture. The port numbers are - deterministically assigned before any testing starts. This fixture MUST - return the same value when called again during the same test session. - When running tests in parallel, this is exactly what happens - every - worker thread will call this fixture to determine test ports. - """ - port_min = PORT_MIN - port_max = PORT_MAX - len(modules) * PORTS_PER_TEST - if port_max < port_min: - raise RuntimeError( - "not enough ports to assign unique port set to each module" + # This may happen if pytest execution is interrupted and + # pytest_runtest_makereport() is never called. + mlogger.debug("can't obtain test results, test run was interrupted") + return "error" + test_results = { + node.nodeid: all_test_results[node.nodeid] + for node in request.node.collect() + if node.nodeid in all_test_results + } + assert len(test_results) + messages = [] + for node, result in test_results.items(): + mlogger.debug("%s %s", result.outcome.upper(), node) + messages.extend(result.messages) + for message in messages: + mlogger.debug("\n" + message) + failed = any(res.outcome == "failed" for res in test_results.values()) + skipped = any(res.outcome == "skipped" for res in test_results.values()) + if failed: + return "failed" + if skipped: + return "skipped" + assert all(res.outcome == "passed" for res in test_results.values()) + return "passed" + + def unlink(path): + try: + path.unlink() # missing_ok=True isn't available on Python 3.6 + except FileNotFoundError: + pass + + # Create a temporary directory with a copy of the original system test dir contents + system_test_root = Path(f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}") + testdir = Path( + tempfile.mkdtemp(prefix=f"{system_test_name}_tmp_", dir=system_test_root) + ) + shutil.rmtree(testdir) + shutil.copytree(system_test_root / system_test_name, testdir) + + # Create a convenience symlink with a stable and predictable name + module_name = SYMLINK_REPLACEMENT_RE.sub(r"\1", request.node.name) + symlink_dst = system_test_root / module_name + unlink(symlink_dst) + symlink_dst.symlink_to(os.path.relpath(testdir, start=system_test_root)) + + # Configure logger to write to a file inside the temporary test directory + mlogger.handlers.clear() + mlogger.setLevel(logging.DEBUG) + handler = logging.FileHandler(testdir / "pytest.log.txt", mode="w") + formatter = logging.Formatter(LOG_FORMAT) + handler.setFormatter(formatter) + mlogger.addHandler(handler) + + # System tests are meant to be executed from their directory - switch to it. + old_cwd = os.getcwd() + os.chdir(testdir) + mlogger.debug("switching to tmpdir: %s", testdir) + try: + yield testdir # other fixtures / tests will execute here + finally: + os.chdir(old_cwd) + mlogger.debug("changed workdir to: %s", old_cwd) + + result = get_test_result() + + # Clean temporary dir unless it should be kept + keep = False + if request.config.getoption("--noclean"): + mlogger.debug( + "--noclean requested, keeping temporary directory %s", testdir ) + keep = True + elif result == "failed": + mlogger.debug( + "test failure detected, keeping temporary directory %s", testdir + ) + keep = True + elif not request.node.stash[FIXTURE_OK]: + mlogger.debug( + "test setup/teardown issue detected, keeping temporary directory %s", + testdir, + ) + keep = True - # Rotate the base port value over time to detect possible test issues - # with using random ports. This introduces a very slight race condition - # risk. If this value changes between pytest invocation and spawning - # worker threads, multiple tests may have same port values assigned. If - # these tests are then executed simultaneously, the test results will - # be misleading. - base_port = int(time.time() // 3600) % (port_max - port_min) + port_min - - return {mod: base_port + i * PORTS_PER_TEST for i, mod in enumerate(modules)} - - @pytest.fixture(scope="module") - def base_port(request, module_base_ports): - """Start of the port range assigned to a particular test module.""" - port = module_base_ports[request.fspath] - return port - - @pytest.fixture(scope="module") - def ports(base_port): - """Dictionary containing port names and their assigned values.""" - return { - "PORT": str(base_port), - "TLSPORT": str(base_port + 1), - "HTTPPORT": str(base_port + 2), - "HTTPSPORT": str(base_port + 3), - "EXTRAPORT1": str(base_port + 4), - "EXTRAPORT2": str(base_port + 5), - "EXTRAPORT3": str(base_port + 6), - "EXTRAPORT4": str(base_port + 7), - "EXTRAPORT5": str(base_port + 8), - "EXTRAPORT6": str(base_port + 9), - "EXTRAPORT7": str(base_port + 10), - "EXTRAPORT8": str(base_port + 11), - "CONTROLPORT": str(base_port + 12), - } + if keep: + mlogger.info( + "test artifacts in: %s", symlink_dst.relative_to(system_test_root) + ) + else: + mlogger.debug("deleting temporary directory") + handler.flush() + handler.close() + shutil.rmtree(testdir) + unlink(symlink_dst) + + +def _run_script( # pylint: disable=too-many-arguments + env, + mlogger, + system_test_dir: Path, + interpreter: str, + script: str, + args: Optional[List[str]] = None, +): + """Helper function for the shell / perl script invocations (through fixtures below).""" + if args is None: + args = [] + path = Path(script) + if not path.is_absolute(): + # make sure relative paths are always relative to system_dir + path = system_test_dir.parent / path + script = str(path) + cwd = os.getcwd() + if not path.exists(): + raise FileNotFoundError(f"script {script} not found in {cwd}") + mlogger.debug("running script: %s %s %s", interpreter, script, " ".join(args)) + mlogger.debug(" workdir: %s", cwd) + returncode = 1 + + cmd = [interpreter, script] + args + with subprocess.Popen( + cmd, + env=env, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + bufsize=1, + universal_newlines=True, + errors="backslashreplace", + ) as proc: + if proc.stdout: + for line in proc.stdout: + mlogger.info(" %s", line.rstrip("\n")) + proc.communicate() + returncode = proc.returncode + if returncode: + raise subprocess.CalledProcessError(returncode, cmd) + mlogger.debug(" exited with %d", returncode) - @pytest.fixture(scope="module") - def env(ports): - """Dictionary containing environment variables for the test.""" - env = os.environ.copy() - env.update(ports) - env["builddir"] = f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" - env["srcdir"] = f"{env['TOP_SRCDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}" - return env - - @pytest.fixture(scope="module") - def system_test_name(request): - """Name of the system test directory.""" - path = Path(request.fspath) - return path.parent.name - - @pytest.fixture(scope="module") - def mlogger(system_test_name): - """Logging facility specific to this test module.""" - avoid_duplicated_logs() - return logging.getLogger(system_test_name) - - @pytest.fixture - def logger(request, system_test_name): - """Logging facility specific to a particular test.""" - return logging.getLogger(f"{system_test_name}.{request.node.name}") - - @pytest.fixture(scope="module") - def system_test_dir( - request, env, system_test_name, mlogger - ): # pylint: disable=too-many-statements,too-many-locals - """ - Temporary directory for executing the test. - - This fixture is responsible for creating (and potentially removing) a - copy of the system test directory which is used as a temporary - directory for the test execution. - - FUTURE: This removes the need to have clean.sh scripts. - """ - - def get_test_result(): - """Aggregate test results from all individual tests from this module - into a single result: failed > skipped > passed.""" - try: - all_test_results = request.session.test_results - except AttributeError: - # This may happen if pytest execution is interrupted and - # pytest_runtest_makereport() is never called. - mlogger.debug("can't obtain test results, test run was interrupted") - return "error" - test_results = { - node.nodeid: all_test_results[node.nodeid] - for node in request.node.collect() - if node.nodeid in all_test_results - } - assert len(test_results) - messages = [] - for node, result in test_results.items(): - mlogger.debug("%s %s", result.outcome.upper(), node) - messages.extend(result.messages) - for message in messages: - mlogger.debug("\n" + message) - failed = any(res.outcome == "failed" for res in test_results.values()) - skipped = any(res.outcome == "skipped" for res in test_results.values()) - if failed: - return "failed" - if skipped: - return "skipped" - assert all(res.outcome == "passed" for res in test_results.values()) - return "passed" - - def unlink(path): - try: - path.unlink() # missing_ok=True isn't available on Python 3.6 - except FileNotFoundError: - pass - - # Create a temporary directory with a copy of the original system test dir contents - system_test_root = Path(f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}") - testdir = Path( - tempfile.mkdtemp(prefix=f"{system_test_name}_tmp_", dir=system_test_root) - ) - shutil.rmtree(testdir) - shutil.copytree(system_test_root / system_test_name, testdir) - - # Create a convenience symlink with a stable and predictable name - module_name = SYMLINK_REPLACEMENT_RE.sub(r"\2", request.node.name) - symlink_dst = system_test_root / module_name - unlink(symlink_dst) - symlink_dst.symlink_to(os.path.relpath(testdir, start=system_test_root)) - - # Configure logger to write to a file inside the temporary test directory - mlogger.handlers.clear() - mlogger.setLevel(logging.DEBUG) - handler = logging.FileHandler(testdir / "pytest.log.txt", mode="w") - formatter = logging.Formatter(LOG_FORMAT) - handler.setFormatter(formatter) - mlogger.addHandler(handler) - - # System tests are meant to be executed from their directory - switch to it. - old_cwd = os.getcwd() - os.chdir(testdir) - mlogger.debug("switching to tmpdir: %s", testdir) - try: - yield testdir # other fixtures / tests will execute here - finally: - os.chdir(old_cwd) - mlogger.debug("changed workdir to: %s", old_cwd) - - result = get_test_result() - - # Clean temporary dir unless it should be kept - keep = False - if request.config.getoption("--noclean"): - mlogger.debug( - "--noclean requested, keeping temporary directory %s", testdir - ) - keep = True - elif result == "failed": - mlogger.debug( - "test failure detected, keeping temporary directory %s", testdir - ) - keep = True - elif not request.node.stash[FIXTURE_OK]: - mlogger.debug( - "test setup/teardown issue detected, keeping temporary directory %s", - testdir, - ) - keep = True - if keep: - mlogger.info( - "test artifacts in: %s", symlink_dst.relative_to(system_test_root) - ) - else: - mlogger.debug("deleting temporary directory") - handler.flush() - handler.close() - shutil.rmtree(testdir) - unlink(symlink_dst) - - def _run_script( # pylint: disable=too-many-arguments - env, - mlogger, - system_test_dir: Path, - interpreter: str, - script: str, - args: Optional[List[str]] = None, - ): - """Helper function for the shell / perl script invocations (through fixtures below).""" - if args is None: - args = [] - path = Path(script) - if not path.is_absolute(): - # make sure relative paths are always relative to system_dir - path = system_test_dir.parent / path - script = str(path) - cwd = os.getcwd() - if not path.exists(): - raise FileNotFoundError(f"script {script} not found in {cwd}") - mlogger.debug("running script: %s %s %s", interpreter, script, " ".join(args)) - mlogger.debug(" workdir: %s", cwd) - returncode = 1 - - cmd = [interpreter, script] + args - with subprocess.Popen( - cmd, - env=env, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - bufsize=1, - universal_newlines=True, - errors="backslashreplace", - ) as proc: - if proc.stdout: - for line in proc.stdout: - mlogger.info(" %s", line.rstrip("\n")) - proc.communicate() - returncode = proc.returncode - if returncode: - raise subprocess.CalledProcessError(returncode, cmd) - mlogger.debug(" exited with %d", returncode) - - @pytest.fixture(scope="module") - def shell(env, system_test_dir, mlogger): - """Function to call a shell script with arguments.""" - return partial(_run_script, env, mlogger, system_test_dir, env["SHELL"]) - - @pytest.fixture(scope="module") - def perl(env, system_test_dir, mlogger): - """Function to call a perl script with arguments.""" - return partial(_run_script, env, mlogger, system_test_dir, env["PERL"]) - - @pytest.fixture(scope="module") - def run_tests_sh(system_test_dir, shell): - """Utility function to execute tests.sh as a python test.""" - - def run_tests(): - shell(f"{system_test_dir}/tests.sh") - - return run_tests - - @pytest.fixture(scope="module", autouse=True) - def system_test( # pylint: disable=too-many-arguments,too-many-statements - request, - env: Dict[str, str], - mlogger, - system_test_dir, - shell, - perl, - ): - """ - Driver of the test setup/teardown process. Used automatically for every test module. - - This is the most important one-fixture-to-rule-them-all. Note the - autouse=True which causes this fixture to be loaded by every test - module without the need to explicitly specify it. - - When this fixture is used, it utilizes other fixtures, such as - system_test_dir, which handles the creation of the temporary test - directory. - - Afterwards, it checks the test environment and takes care of starting - the servers. When everything is ready, that's when the actual tests are - executed. Once that is done, this fixture stops the servers and checks - for any artifacts indicating an issue (e.g. coredumps). - - Finally, when this fixture reaches an end (or encounters an exception, - which may be caused by fail/skip invocations), any fixtures which is - used by this one are finalized - e.g. system_test_dir performs final - checks and cleans up the temporary test directory. - """ - - def check_net_interfaces(): - try: - perl("testsock.pl", ["-p", env["PORT"]]) - except subprocess.CalledProcessError as exc: - mlogger.error("testsock.pl: exited with code %d", exc.returncode) - pytest.skip("Network interface aliases not set up.") +@pytest.fixture(scope="module") +def shell(env, system_test_dir, mlogger): + """Function to call a shell script with arguments.""" + return partial(_run_script, env, mlogger, system_test_dir, env["SHELL"]) - def check_prerequisites(): - try: - shell(f"{system_test_dir}/prereq.sh") - except FileNotFoundError: - pass # prereq.sh is optional - except subprocess.CalledProcessError: - pytest.skip("Prerequisites missing.") - def setup_test(): - try: - shell(f"{system_test_dir}/setup.sh") - except FileNotFoundError: - pass # setup.sh is optional - except subprocess.CalledProcessError as exc: - mlogger.error("Failed to run test setup") - pytest.fail(f"setup.sh exited with {exc.returncode}") - - def start_servers(): - try: - perl("start.pl", ["--port", env["PORT"], system_test_dir.name]) - except subprocess.CalledProcessError as exc: - mlogger.error("Failed to start servers") - pytest.fail(f"start.pl exited with {exc.returncode}") +@pytest.fixture(scope="module") +def perl(env, system_test_dir, mlogger): + """Function to call a perl script with arguments.""" + return partial(_run_script, env, mlogger, system_test_dir, env["PERL"]) - def stop_servers(): - try: - perl("stop.pl", [system_test_dir.name]) - except subprocess.CalledProcessError as exc: - mlogger.error("Failed to stop servers") - get_core_dumps() - pytest.fail(f"stop.pl exited with {exc.returncode}") - def get_core_dumps(): - try: - shell("get_core_dumps.sh", [system_test_dir.name]) - except subprocess.CalledProcessError as exc: - mlogger.error("Found core dumps or sanitizer reports") - pytest.fail(f"get_core_dumps.sh exited with {exc.returncode}") - - os.environ.update(env) # Ensure pytests have the same env vars as shell tests. - mlogger.info(f"test started: {request.node.name}") - port = int(env["PORT"]) - mlogger.info("using port range: <%d, %d>", port, port + PORTS_PER_TEST - 1) - - if not hasattr(request.node, "stash"): # compatibility with pytest<7.0.0 - request.node.stash = {} # use regular dict instead of pytest.Stash - request.node.stash[FIXTURE_OK] = True +@pytest.fixture(scope="module") +def run_tests_sh(system_test_dir, shell): + """Utility function to execute tests.sh as a python test.""" + + def run_tests(): + shell(f"{system_test_dir}/tests.sh") + + return run_tests + + +@pytest.fixture(scope="module", autouse=True) +def system_test( # pylint: disable=too-many-arguments,too-many-statements + request, + env: Dict[str, str], + mlogger, + system_test_dir, + shell, + perl, +): + """ + Driver of the test setup/teardown process. Used automatically for every test module. + + This is the most important one-fixture-to-rule-them-all. Note the + autouse=True which causes this fixture to be loaded by every test + module without the need to explicitly specify it. + + When this fixture is used, it utilizes other fixtures, such as + system_test_dir, which handles the creation of the temporary test + directory. + + Afterwards, it checks the test environment and takes care of starting + the servers. When everything is ready, that's when the actual tests are + executed. Once that is done, this fixture stops the servers and checks + for any artifacts indicating an issue (e.g. coredumps). + + Finally, when this fixture reaches an end (or encounters an exception, + which may be caused by fail/skip invocations), any fixtures which is + used by this one are finalized - e.g. system_test_dir performs final + checks and cleans up the temporary test directory. + """ + + def check_net_interfaces(): + try: + perl("testsock.pl", ["-p", env["PORT"]]) + except subprocess.CalledProcessError as exc: + mlogger.error("testsock.pl: exited with code %d", exc.returncode) + pytest.skip("Network interface aliases not set up.") - # Perform checks which may skip this test. - check_net_interfaces() - check_prerequisites() + def check_prerequisites(): + try: + shell(f"{system_test_dir}/prereq.sh") + except FileNotFoundError: + pass # prereq.sh is optional + except subprocess.CalledProcessError: + pytest.skip("Prerequisites missing.") - # Store the fact that this fixture hasn't successfully finished yet. - # This is checked before temporary directory teardown to decide whether - # it's okay to remove the directory. - request.node.stash[FIXTURE_OK] = False + def setup_test(): + try: + shell(f"{system_test_dir}/setup.sh") + except FileNotFoundError: + pass # setup.sh is optional + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to run test setup") + pytest.fail(f"setup.sh exited with {exc.returncode}") + + def start_servers(): + try: + perl("start.pl", ["--port", env["PORT"], system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to start servers") + pytest.fail(f"start.pl exited with {exc.returncode}") - setup_test() + def stop_servers(): try: - start_servers() - mlogger.debug("executing test(s)") - yield - finally: - mlogger.debug("test(s) finished") - stop_servers() + perl("stop.pl", [system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Failed to stop servers") get_core_dumps() - request.node.stash[FIXTURE_OK] = True + pytest.fail(f"stop.pl exited with {exc.returncode}") + + def get_core_dumps(): + try: + shell("get_core_dumps.sh", [system_test_dir.name]) + except subprocess.CalledProcessError as exc: + mlogger.error("Found core dumps or sanitizer reports") + pytest.fail(f"get_core_dumps.sh exited with {exc.returncode}") + + os.environ.update(env) # Ensure pytests have the same env vars as shell tests. + mlogger.info(f"test started: {request.node.name}") + port = int(env["PORT"]) + mlogger.info("using port range: <%d, %d>", port, port + PORTS_PER_TEST - 1) + + if not hasattr(request.node, "stash"): # compatibility with pytest<7.0.0 + request.node.stash = {} # use regular dict instead of pytest.Stash + request.node.stash[FIXTURE_OK] = True + + # Perform checks which may skip this test. + check_net_interfaces() + check_prerequisites() + + # Store the fact that this fixture hasn't successfully finished yet. + # This is checked before temporary directory teardown to decide whether + # it's okay to remove the directory. + request.node.stash[FIXTURE_OK] = False + + setup_test() + try: + start_servers() + mlogger.debug("executing test(s)") + yield + finally: + mlogger.debug("test(s) finished") + stop_servers() + get_core_dumps() + request.node.stash[FIXTURE_OK] = True diff --git a/bin/tests/system/convert-junit-to-trs.py b/bin/tests/system/convert-junit-to-trs.py new file mode 100755 index 0000000..b3d44b5 --- /dev/null +++ b/bin/tests/system/convert-junit-to-trs.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# Convert JUnit pytest output to automake .trs files + +import argparse +import sys +from xml.etree import ElementTree + + +def junit_to_trs(junit_xml): + root = ElementTree.fromstring(junit_xml) + testcases = root.findall("./testsuite/testcase") + + if len(testcases) < 1: + print(":test-result: ERROR convert-junit-to-trs.py") + return 99 + + has_fail = False + has_error = False + has_skipped = False + for testcase in testcases: + filename = f"{testcase.attrib['classname'].replace('.', '/')}.py" + name = f"{filename}::{testcase.attrib['name']}" + res = "PASS" + for node in testcase: + if node.tag == "failure": + res = "FAIL" + has_fail = True + elif node.tag == "error": + res = "ERROR" + has_error = True + elif node.tag == "skipped": + if node.attrib.get("type") == "pytest.xfail": + res = "XFAIL" + else: + res = "SKIP" + has_skipped = True + print(f":test-result: {res} {name}") + + if has_error: + return 99 + if has_fail: + return 1 + if has_skipped: + return 77 + return 0 + + +def main(): + parser = argparse.ArgumentParser( + description="Convert JUnit XML to Automake TRS and exit with " + "the appropriate Automake-compatible exit code." + ) + parser.add_argument( + "junit_file", + type=argparse.FileType("r", encoding="utf-8"), + help="junit xml result file", + ) + args = parser.parse_args() + + junit_xml = args.junit_file.read() + sys.exit(junit_to_trs(junit_xml)) + + +if __name__ == "__main__": + main() diff --git a/bin/tests/system/cookie/prereq.sh b/bin/tests/system/cookie/prereq.sh new file mode 100644 index 0000000..b6b005f --- /dev/null +++ b/bin/tests/system/cookie/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh index 489a248..24984a3 100755 --- a/bin/tests/system/cookie/tests.sh +++ b/bin/tests/system/cookie/tests.sh @@ -16,87 +16,85 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 getcookie() { - awk '$2 == "COOKIE:" { + awk '$2 == "COOKIE:" { print $3; - }' < $1 + }' <$1 } fullcookie() { - awk 'BEGIN { n = 0 } + awk 'BEGIN { n = 0 } // { v[n++] = length(); } END { print (v[1] == v[2]); }' } havetc() { - grep 'flags:.* tc[^;]*;' $1 > /dev/null + grep 'flags:.* tc[^;]*;' $1 >/dev/null } -for bad in bad*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - $CHECKCONF $bad > /dev/null 2>&1 && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for bad in bad*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad >/dev/null 2>&1 && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for good in good*.conf -do - n=$((n + 1)) - echo_i "checking that named-checkconf detects accepts $good ($n)" - ret=0 - $CHECKCONF $good > /dev/null 2>&1 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for good in good*.conf; do + n=$((n + 1)) + echo_i "checking that named-checkconf detects accepts $good ($n)" + ret=0 + $CHECKCONF $good >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done n=$((n + 1)) echo_i "checking RCODE=FORMERR to query without question section and without COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null && ret=1 -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +header-only +nocookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null && ret=1 +grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RCODE=NOERROR to query without question section and with COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +header-only +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking COOKIE token is returned to empty COOKIE option ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking COOKIE is not returned when answer-cookie is false ($n)" ret=0 -$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n || ret=1 -grep COOKIE: dig.out.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 >dig.out.test$n || ret=1 +grep COOKIE: dig.out.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking response size without COOKIE ($n)" ret=0 -$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -104,36 +102,36 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking response size without valid COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking response size with COOKIE ($n)" ret=0 -$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 > dig.out.test$n.l || ret=1 +$DIG $DIGOPTS +cookie large.example txt @10.53.0.1 >dig.out.test$n.l || ret=1 cookie=$(getcookie dig.out.test$n.l) -$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie=$cookie large.example txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n && ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking response size with COOKIE recursive ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie=$cookie large.xxx txt @10.53.0.1 +ignore >dig.out.test$n || ret=1 havetc dig.out.test$n && ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking COOKIE is learnt for TCP retry ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie large.example txt @10.53.0.1 >dig.out.test$n || ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 3 ]; then ret=1; fi checkfull=$(getcookie dig.out.test$n | fullcookie) @@ -145,15 +143,15 @@ n=$((n + 1)) echo_i "checking for COOKIE value in adb ($n)" ret=0 rndc_dumpdb ns1 -grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "10.53.0.2.*\[cookie=" ns1/named_dump.db.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking require-server-cookie default (no) ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 > dig.out.test$n || ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.1 >dig.out.test$n || ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null && ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi @@ -162,10 +160,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking require-server-cookie yes ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 -grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1 -grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa @10.53.0.3 >dig.out.test$n || ret=1 +grep "flags: qr[^;]* aa[ ;]" dig.out.test$n >/dev/null && ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null || ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi @@ -174,7 +172,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking +qr +showbadcookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 +$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1 noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) @@ -191,7 +189,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking +showbadcookie ($n)" ret=0 -$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n || ret=1 +$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 >dig.out.test$n || ret=1 noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) @@ -208,9 +206,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking require-server-cookie yes with rate-limit ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n || ret=1 -grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1 -grep BADCOOKIE dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 >dig.out.test$n || ret=1 +grep "flags: qr[^;]* ad[ ;]" dig.out.test$n >/dev/null && ret=1 +grep BADCOOKIE dig.out.test$n >/dev/null || ret=1 linecount=$(getcookie dig.out.test$n | wc -l) if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi @@ -219,24 +217,24 @@ status=$((status + ret)) n=$((n + 1)) echo_i "send undersized cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 > dig.out.test$n || ret=1 -grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +cookie=000000 soa @10.53.0.1 >dig.out.test$n || ret=1 +grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "send oversized for named cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 > dig.out.test$n || ret=1 -grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.1 >dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "send oversized for named cookie with server requiring a good cookie ($n)" ret=0 -$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 > dig.out.test$n || ret=1 -grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +qr +cookie=${cookie}00 soa @10.53.0.3 >dig.out.test$n || ret=1 +grep "COOKIE: [a-f0-9]* (good)" dig.out.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -260,8 +258,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "get NS4 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.4 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 ns4cookie=$(getcookie dig.out.test$n) test -n "$ns4cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -270,8 +268,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "get NS5 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.5 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 ns5cookie=$(getcookie dig.out.test$n) test -n "$ns5cookie" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -280,8 +278,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "get NS6 cookie for cross server checking ($n)" ret=0 -$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie -b 10.53.0.4 soa . @10.53.0.6 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 ns6cookie=$(getcookie dig.out.test$n) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -289,54 +287,54 @@ status=$((status + ret)) n=$((n + 1)) echo_i "test NS4 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS4 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns4cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS5 cookie on NS4 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS5 cookie on NS6 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns5cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.6 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS6 cookie on NS4 (expect badcookie) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: BADCOOKIE," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: BADCOOKIE," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test NS6 cookie on NS5 (expect success) ($n)" ret=0 -$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 > dig.out.test$n || ret=1 -grep "; COOKIE:.*(good)" dig.out.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.5 >dig.out.test$n || ret=1 +grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -345,62 +343,62 @@ echo_i "check that test server is correctly configured ($n)" ret=0 pat="; COOKIE: ................................ (good)" #UDP -$DIG $DIGOPTS @10.53.0.9 +notcp tld > dig.out.test$n.1 || ret=1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld > dig.out.test$n.2 || ret=1 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld > dig.out.test$n.3 || ret=1 -grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld > dig.out.test$n.4 || ret=1 -grep "status: NOERROR" dig.out.test$n.4 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.4 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.4 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.4 > /dev/null || ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.9 +notcp tld >dig.out.test$n.1 || ret=1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.1 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp tcponly.tld >dig.out.test$n.2 || ret=1 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp nocookie.tld >dig.out.test$n.3 || ret=1 +grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +notcp withtsig.tld >dig.out.test$n.4 || ret=1 +grep "status: NOERROR" dig.out.test$n.4 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.4 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.4 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.4 >/dev/null || ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.4 >/dev/null || ret=1 #TCP -$DIG $DIGOPTS @10.53.0.9 +tcp tld > dig.out.test$n.5 || ret=1 -grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld > dig.out.test$n.6 -grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld > dig.out.test$n.7 -grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 -grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 > /dev/null && ret=1 - -$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld > dig.out.test$n.8 -grep "status: NOERROR" dig.out.test$n.8 > /dev/null || ret=1 -grep "$pat" dig.out.test$n.8 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.8 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.8 > /dev/null && ret=1 -grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.9 +tcp tld >dig.out.test$n.5 || ret=1 +grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.5 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp tcponly.tld >dig.out.test$n.6 +grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.6 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp nocookie.tld >dig.out.test$n.7 +grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1 +grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.1 >/dev/null && ret=1 + +$DIG $DIGOPTS @10.53.0.9 +tcp withtsig.tld >dig.out.test$n.8 +grep "status: NOERROR" dig.out.test$n.8 >/dev/null || ret=1 +grep "$pat" dig.out.test$n.8 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.8 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.8 >/dev/null && ret=1 +grep ";; TSIG PSEUDOSECTION:" dig.out.test$n.8 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -411,17 +409,17 @@ ret=0 msg="missing expected cookie from" pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 -grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # spoofed response contains 10.53.0.10 nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 tcponly.tld > dig.out.test$n.2 || ret=1 +$DIG $DIGOPTS @10.53.0.1 tcponly.tld >dig.out.test$n.2 || ret=1 wait_for_log 5 "$msg" ns1/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -431,17 +429,17 @@ ret=0 msg="missing expected cookie from" pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 -grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # check the disabled server response nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 nocookie.tld > dig.out.test$n.2 +$DIG $DIGOPTS @10.53.0.1 nocookie.tld >dig.out.test$n.2 wait_for_log 5 "$msg" ns1/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -450,17 +448,17 @@ echo_i "check that spoofed response with a TSIG is dropped when we have a server ret=0 pat='10\.53\.0\.9 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state -$DIG $DIGOPTS @10.53.0.1 tld > dig.out.test$n.1 || ret=1 -grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 tld >dig.out.test$n.1 || ret=1 +grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 -grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 +grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # spoofed response contains 10.53.0.10 nextpart ns1/named.run >/dev/null -$DIG $DIGOPTS @10.53.0.1 withtsig.tld > dig.out.test$n.2 || ret=1 -grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 -grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null && ret=1 -nextpart ns1/named.run > named.run.test$n +$DIG $DIGOPTS @10.53.0.1 withtsig.tld >dig.out.test$n.2 || ret=1 +grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 +grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null && ret=1 +nextpart ns1/named.run >named.run.test$n count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) test $count -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -470,56 +468,55 @@ if $PYTHON -c ' import dns.version, sys; if dns.version.MAJOR > 1: sys.exit(0); if dns.version.MAJOR == 1 and dns.version.MINOR >= 16: sys.exit(0); -sys.exit(1)' -then +sys.exit(1)'; then n=$((n + 1)) echo_i "check that TSIG test server is correctly configured ($n)" ret=0 pat="; COOKIE: ................................ (good)" key=hmac-sha256:foo:aaaaaaaaaaaa #UDP - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. > dig.out.test$n.1 || ret=1 - grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 - grep "$pat" dig.out.test$n.1 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.1 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.1 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig > dig.out.test$n.2 || ret=1 - grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 - grep "; COOKIE:" dig.out.test$n.2 > /dev/null && ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig > dig.out.test$n.3 || ret=1 - grep "status: NOERROR" dig.out.test$n.3 > /dev/null || ret=1 - grep "; COOKIE:" dig.out.test$n.3 > /dev/null && ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.3 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.3 > /dev/null || ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tsig. >dig.out.test$n.1 || ret=1 + grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 + grep "$pat" dig.out.test$n.1 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.1 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.1 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp tcponly.tsig >dig.out.test$n.2 || ret=1 + grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.2 >/dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +notcp nocookie.tsig >dig.out.test$n.3 || ret=1 + grep "status: NOERROR" dig.out.test$n.3 >/dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.3 >/dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.3 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.3 >/dev/null || ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 #TCP - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. > dig.out.test$n.5 || ret=1 - grep "status: NOERROR" dig.out.test$n.5 > /dev/null || ret=1 - grep "$pat" dig.out.test$n.5 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.5 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.5 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig > dig.out.test$n.6 || ret=1 - grep "status: NOERROR" dig.out.test$n.6 > /dev/null || ret=1 - grep "$pat" dig.out.test$n.6 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.6 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.6 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 - - $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig > dig.out.test$n.7 || ret=1 - grep "status: NOERROR" dig.out.test$n.7 > /dev/null || ret=1 - grep "; COOKIE:" dig.out.test$n.7 > /dev/null && ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.7 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.7 > /dev/null && ret=1 - grep 'TSIG.*NOERROR' dig.out.test$n.1 > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tsig. >dig.out.test$n.5 || ret=1 + grep "status: NOERROR" dig.out.test$n.5 >/dev/null || ret=1 + grep "$pat" dig.out.test$n.5 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.5 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.5 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp tcponly.tsig >dig.out.test$n.6 || ret=1 + grep "status: NOERROR" dig.out.test$n.6 >/dev/null || ret=1 + grep "$pat" dig.out.test$n.6 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.6 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.6 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 + + $DIG $DIGOPTS @10.53.0.10 -y $key +tcp nocookie.tsig >dig.out.test$n.7 || ret=1 + grep "status: NOERROR" dig.out.test$n.7 >/dev/null || ret=1 + grep "; COOKIE:" dig.out.test$n.7 >/dev/null && ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.7 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.7 >/dev/null && ret=1 + grep 'TSIG.*NOERROR' dig.out.test$n.1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -529,17 +526,17 @@ then ret=0 pat='10\.53\.0\.10 .*\[cookie=................................\] \[ttl' # prime EDNS COOKIE state - $DIG $DIGOPTS @10.53.0.1 tsig. > dig.out.test$n.1 - grep "status: NOERROR" dig.out.test$n.1 > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.1 tsig. >dig.out.test$n.1 + grep "status: NOERROR" dig.out.test$n.1 >/dev/null || ret=1 rndc_dumpdb ns1 - grep "$pat" ns1/named_dump.db.test$n > /dev/null || ret=1 + grep "$pat" ns1/named_dump.db.test$n >/dev/null || ret=1 # check the disabled server response nextpart ns1/named.run >/dev/null - $DIG $DIGOPTS @10.53.0.1 nocookie.tsig > dig.out.test$n.2 - grep "status: NOERROR" dig.out.test$n.2 > /dev/null || ret=1 - grep 'A.10\.53\.0\.9' dig.out.test$n.2 > /dev/null || ret=1 - grep 'A.10\.53\.0\.10' dig.out.test$n.2 > /dev/null || ret=1 - nextpart ns1/named.run > named.run.test$n + $DIG $DIGOPTS @10.53.0.1 nocookie.tsig >dig.out.test$n.2 + grep "status: NOERROR" dig.out.test$n.2 >/dev/null || ret=1 + grep 'A.10\.53\.0\.9' dig.out.test$n.2 >/dev/null || ret=1 + grep 'A.10\.53\.0\.10' dig.out.test$n.2 >/dev/null || ret=1 + nextpart ns1/named.run >named.run.test$n count=$(grep -c ') [0-9][0-9]* NOERROR 0' named.run.test$n) test $count -eq 2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/custom-test-driver b/bin/tests/system/custom-test-driver index 7499aa0..a986dd8 100755 --- a/bin/tests/system/custom-test-driver +++ b/bin/tests/system/custom-test-driver @@ -2,7 +2,7 @@ # test-driver - basic testsuite driver script. -scriptversion=2021-09-20.08; # UTC +scriptversion=2021-09-20.08 # UTC # Copyright (C) 2011-2020 Free Software Foundation, Inc. # @@ -34,15 +34,13 @@ scriptversion=2021-09-20.08; # UTC # helps a lot in preventing typo-related bugs. set -u -usage_error () -{ +usage_error() { echo "$0: $*" >&2 print_usage >&2 exit 2 } -print_usage () -{ +print_usage() { cat <<END Usage: test-driver --test-name=NAME --log-file=PATH --trs-file=PATH @@ -53,37 +51,67 @@ The '--test-name', '--log-file' and '--trs-file' options are mandatory. END } -test_name= # Used for reporting. -log_file= # Where to save the output of the test script. -trs_file= # Where to save the metadata of the test run. -status_file= # Where to save the status of the test run. +test_name= # Used for reporting. +log_file= # Where to save the output of the test script. +trs_file= # Where to save the metadata of the test run. +junit_file= # Where to save pytest junit output. expect_failure=no color_tests=no enable_hard_errors=yes verbose=no while test $# -gt 0; do case $1 in - --help) print_usage; exit $?;; - --version) echo "test-driver $scriptversion"; exit $?;; - --test-name) test_name=$2; shift;; - --log-file) log_file=$2; shift;; - --trs-file) trs_file=$2; shift;; - --status-file) status_file=$2; shift;; - --color-tests) color_tests=$2; shift;; - --expect-failure) expect_failure=$2; shift;; - --enable-hard-errors) enable_hard_errors=$2; shift;; - --verbose) verbose=$2; shift;; - --) shift; break;; - -*) usage_error "invalid option: '$1'";; - *) break;; + --help) + print_usage + exit $? + ;; + --version) + echo "test-driver $scriptversion" + exit $? + ;; + --test-name) + test_name=$2 + shift + ;; + --log-file) + log_file=$2 + shift + ;; + --trs-file) + trs_file=$2 + junit_file=$(echo $trs_file | sed 's/\.trs$/\.xml/') + shift + ;; + --color-tests) + color_tests=$2 + shift + ;; + --expect-failure) + expect_failure=$2 + shift + ;; + --enable-hard-errors) + enable_hard_errors=$2 + shift + ;; + --verbose) + verbose=$2 + shift + ;; + --) + shift + break + ;; + -*) usage_error "invalid option: '$1'" ;; + *) break ;; esac shift done missing_opts= test x"$test_name" = x && missing_opts="$missing_opts --test-name" -test x"$log_file" = x && missing_opts="$missing_opts --log-file" -test x"$trs_file" = x && missing_opts="$missing_opts --trs-file" +test x"$log_file" = x && missing_opts="$missing_opts --log-file" +test x"$trs_file" = x && missing_opts="$missing_opts --trs-file" if test x"$missing_opts" != x; then usage_error "the following mandatory options are missing:$missing_opts" fi @@ -104,22 +132,22 @@ else red= grn= lgn= blu= mgn= std= fi -do_exit='rm -f $log_file $trs_file $status_file; (exit $st); exit $st' +do_exit='rm -f $log_file $trs_file $junit_file; (exit $st); exit $st' trap "st=129; $do_exit" 1 trap "st=130; $do_exit" 2 trap "st=141; $do_exit" 13 trap "st=143; $do_exit" 15 -# Set default -test x"$status_file" = x && status_file=$(mktemp ./custom-test-runner.XXXXXX) # Test script is run here. if test $verbose = yes; then - ("$@" 2>&1; echo $? > "$status_file") | tee $log_file + "$@" --junit-xml $PWD/$junit_file 2>&1 | tee $log_file else - "$@" >$log_file 2>&1; echo $? > "$status_file" + "$@" --junit-xml $PWD/$junit_file >$log_file 2>&1 fi -read -r estatus < "$status_file" -rm "$status_file" + +# Run junit to trs converter script. +./convert-junit-to-trs.py $junit_file >$trs_file +estatus=$? if test $enable_hard_errors = no && test $estatus -eq 99; then tweaked_estatus=1 @@ -128,12 +156,12 @@ else fi case $tweaked_estatus:$expect_failure in - 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; - 0:*) col=$grn res=PASS recheck=no gcopy=no;; - 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; - 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;; - *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;; - *:*) col=$red res=FAIL recheck=yes gcopy=yes;; + 0:yes) col=$red res=XPASS recheck=yes gcopy=yes ;; + 0:*) col=$grn res=PASS recheck=no gcopy=no ;; + 77:*) col=$blu res=SKIP recheck=no gcopy=yes ;; + 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes ;; + *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes ;; + *:*) col=$red res=FAIL recheck=yes gcopy=yes ;; esac # Report the test outcome and exit status in the logs, so that one can @@ -145,11 +173,10 @@ echo "$res $test_name (exit status: $estatus)" >>$log_file # Report outcome to console. echo "${col}${res}${std}: $test_name" -# Register the test result, and other relevant metadata. -echo ":test-result: $res" > $trs_file -echo ":global-test-result: $res" >> $trs_file -echo ":recheck: $recheck" >> $trs_file -echo ":copy-in-global-log: $gcopy" >> $trs_file +# Register other relevant test metadata. +echo ":global-test-result: $res" >>$trs_file +echo ":recheck: $recheck" >>$trs_file +echo ":copy-in-global-log: $gcopy" >>$trs_file # Local Variables: # mode: shell-script diff --git a/bin/tests/system/database/tests.sh b/bin/tests/system/database/tests.sh index 408b094..efd352c 100644 --- a/bin/tests/system/database/tests.sh +++ b/bin/tests/system/database/tests.sh @@ -21,14 +21,14 @@ n=0 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" -RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../common/rndc.conf" +RNDCCMD="$RNDC -s 10.53.0.1 -p ${CONTROLPORT} -c ../_common/rndc.conf" # Check the example. domain echo_i "checking pre reload zone ($n)" ret=0 -$DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "hostmaster\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "hostmaster\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -39,14 +39,13 @@ $RNDCCMD reload 2>&1 >/dev/null echo_i "checking post reload zone ($n)" ret=1 try=0 -while test $try -lt 6 -do - sleep 1 - ret=0 - $DIG $DIGOPTS soa database. @10.53.0.1 > dig.out.ns1.test$n || ret=1 - grep "marka\.isc\.org" dig.out.ns1.test$n > /dev/null || ret=1 - try=$((try + 1)) - test $ret -eq 0 && break +while test $try -lt 6; do + sleep 1 + ret=0 + $DIG $DIGOPTS soa database. @10.53.0.1 >dig.out.ns1.test$n || ret=1 + grep "marka\.isc\.org" dig.out.ns1.test$n >/dev/null || ret=1 + try=$((try + 1)) + test $ret -eq 0 && break done n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh index b68c71e..943c8fb 100644 --- a/bin/tests/system/dialup/tests.sh +++ b/bin/tests/system/dialup/tests.sh @@ -23,21 +23,19 @@ DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}" # Check the example. domain -$DIG $DIGOPTS example. @10.53.0.1 soa > dig.out.ns1.test || ret=1 +$DIG $DIGOPTS example. @10.53.0.1 soa >dig.out.ns1.test || ret=1 echo_i "checking that first zone transfer worked" ret=0 try=0 -while test $try -lt 120 -do - $DIG $DIGOPTS example. @10.53.0.2 soa > dig.out.ns2.test || ret=1 - if grep SERVFAIL dig.out.ns2.test > /dev/null - then - try=$((try + 1)) - sleep 1 - else - digcomp dig.out.ns1.test dig.out.ns2.test || ret=1 - break; - fi +while test $try -lt 120; do + $DIG $DIGOPTS example. @10.53.0.2 soa >dig.out.ns2.test || ret=1 + if grep SERVFAIL dig.out.ns2.test >/dev/null; then + try=$((try + 1)) + sleep 1 + else + digcomp dig.out.ns1.test dig.out.ns2.test || ret=1 + break + fi done echo_i "try $try" if [ $ret != 0 ]; then echo_i "failed"; fi @@ -46,17 +44,15 @@ status=$((status + ret)) echo_i "checking that second zone transfer worked" ret=0 try=0 -while test $try -lt 120 -do - $DIG $DIGOPTS example. @10.53.0.3 soa > dig.out.ns3.test || ret=1 - if grep SERVFAIL dig.out.ns3.test > /dev/null - then - try=$((try + 1)) - sleep 1 - else - digcomp dig.out.ns1.test dig.out.ns3.test || ret=1 - break; - fi +while test $try -lt 120; do + $DIG $DIGOPTS example. @10.53.0.3 soa >dig.out.ns3.test || ret=1 + if grep SERVFAIL dig.out.ns3.test >/dev/null; then + try=$((try + 1)) + sleep 1 + else + digcomp dig.out.ns1.test dig.out.ns3.test || ret=1 + break + fi done echo_i "try $try" if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in index 1391b73..0aa42a3 100644 --- a/bin/tests/system/digdelv/ns2/named.conf.in +++ b/bin/tests/system/digdelv/ns2/named.conf.in @@ -25,7 +25,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh index c8564b2..1dd513c 100644 --- a/bin/tests/system/digdelv/ns2/sign.sh +++ b/bin/tests/system/digdelv/ns2/sign.sh @@ -20,10 +20,10 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.) cp example.db.in example.db -"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1 +"$SIGNER" -Sz -f example.db -o example example.db.in >/dev/null 2>&1 -keyfile_to_key_id "$ksk" > keyid -grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata +keyfile_to_key_id "$ksk" >keyid +grep -Ev '^;' <"$ksk.key" | cut -f 7- -d ' ' >keydata -keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey -keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds +keyfile_to_initial_keys "$ksk" >../ns3/anchor.dnskey +keyfile_to_initial_ds "$ksk" >../ns3/anchor.ds diff --git a/bin/tests/system/digdelv/ns3/named.conf.in b/bin/tests/system/digdelv/ns3/named.conf.in index 66bb748..90a3fa3 100644 --- a/bin/tests/system/digdelv/ns3/named.conf.in +++ b/bin/tests/system/digdelv/ns3/named.conf.in @@ -24,5 +24,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/digdelv/prereq.sh b/bin/tests/system/digdelv/prereq.sh new file mode 100644 index 0000000..32889aa --- /dev/null +++ b/bin/tests/system/digdelv/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh index dceced6..39b2b54 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh @@ -20,15 +20,15 @@ status=0 n=0 sendcmd() { - send "${1}" "$EXTRAPORT1" + send "${1}" "$EXTRAPORT1" } dig_with_opts() { - "$DIG" -p "$PORT" "$@" + "$DIG" -p "$PORT" "$@" } mdig_with_opts() { - "$MDIG" -p "$PORT" "$@" + "$MDIG" -p "$PORT" "$@" } # Check if response in file $1 has the correct TTL range. @@ -37,211 +37,216 @@ mdig_with_opts() { # the second word on the line. TTL position can be adjusted with # setting the position $4, but that requires updating this function. check_ttl_range() { - file=$1 - pos=$4 + file=$1 + pos=$4 - case "$pos" in + case "$pos" in "3") - { awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file; result=$?; } || true - ;; + { + awk -v rrtype="$2" -v ttl="$3" '($4 == "IN" || $4 == "CLASS1" ) && $5 == rrtype { if ($3 <= ttl) { ok=1 } } END { exit(ok?0:1) }' <$file + result=$? + } || true + ;; *) - { awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' < $file; result=$?; } || true - ;; - esac - - [ $result -eq 0 ] || echo_i "ttl check failed" - return $result + { + awk -v rrtype="$2" -v ttl="$3" '($3 == "IN" || $3 == "CLASS1" ) && $4 == rrtype { if ($2 <= ttl) { ok=1 } } END { exit(ok?0:1) }' <$file + result=$? + } || true + ;; + esac + + [ $result -eq 0 ] || echo_i "ttl check failed" + return $result } # using delv insecure mode as not testing dnssec here delv_with_opts() { - "$DELV" +noroot -p "$PORT" "$@" + "$DELV" +noroot -p "$PORT" "$@" } KEYID="$(cat ns2/keyid)" -KEYDATA="$(< ns2/keydata sed -e 's/+/[+]/g')" -NOSPLIT="$(< ns2/keydata sed -e 's/+/[+]/g' -e 's/ //g')" +KEYDATA="$(sed <ns2/keydata -e 's/+/[+]/g')" +NOSPLIT="$(sed <ns2/keydata -e 's/+/[+]/g' -e 's/ //g')" HAS_PYYAML=0 -if [ -x "$PYTHON" ] ; then - $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 +if [ -x "$PYTHON" ]; then + $PYTHON -c "import yaml" 2>/dev/null && HAS_PYYAML=1 fi # # test whether ans7/ans.pl will be able to send a UPDATE response. # if it can't, we will log that below. # -if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' > /dev/null 2>&1 -then - checkupdate=1 +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet; my $p = new Net::DNS::Packet; $p->header->opcode(5);' >/dev/null 2>&1; then + checkupdate=1 else - checkupdate=0 + checkupdate=0 fi -if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ] ; then +if [ -x "$NSLOOKUP" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check nslookup handles UPDATE response ($n)" ret=0 - "$NSLOOKUP" -q=CNAME -timeout=1 "-port=$PORT" foo.bar 10.53.0.7 > nslookup.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" nslookup.out.test$n > /dev/null || ret=1 + "$NSLOOKUP" -q=CNAME -timeout=1 "-port=$PORT" foo.bar 10.53.0.7 >nslookup.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" nslookup.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$HOST" -a $checkupdate -eq 1 ] ; then +if [ -x "$HOST" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check host handles UPDATE response ($n)" ret=0 - "$HOST" -W 1 -t CNAME -p $PORT foo.bar 10.53.0.7 > host.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" host.out.test$n > /dev/null || ret=1 + "$HOST" -W 1 -t CNAME -p $PORT foo.bar 10.53.0.7 >host.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" host.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ] ; then +if [ -x "$NSUPDATE" -a $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check nsupdate handles UPDATE response to QUERY ($n)" ret=0 res=0 - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || res=$? + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || res=$? server 10.53.0.7 ${PORT} add x.example.com 300 in a 1.2.3.4 send EOF test $res -eq 1 || ret=1 - grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n > /dev/null || ret=1 + grep "invalid OPCODE in response to SOA query" nsupdate.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi -if [ -x "$DIG" ] ; then +if [ -x "$DIG" ]; then - if [ $checkupdate -eq 1 ] ; then + if [ $checkupdate -eq 1 ]; then - n=$((n+1)) + n=$((n + 1)) echo_i "check dig handles UPDATE response ($n)" ret=0 - dig_with_opts @10.53.0.7 +tries=1 +timeout=1 cname foo.bar > dig.out.test$n 2>&1 && ret=1 - grep "Opcode mismatch" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.7 +tries=1 +timeout=1 cname foo.bar >dig.out.test$n 2>&1 && ret=1 + grep "Opcode mismatch" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "Skipped UPDATE handling test" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig short form works ($n)" ret=0 - dig_with_opts @10.53.0.3 +short a a.example > dig.out.test$n || ret=1 - test "$(wc -l < dig.out.test$n)" -eq 1 || ret=1 + dig_with_opts @10.53.0.3 +short a a.example >dig.out.test$n || ret=1 + test "$(wc -l <dig.out.test$n)" -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig split width works ($n)" ret=0 - dig_with_opts @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +split=4 -t sshfp foo.example >dig.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +unknownformat works ($n)" ret=0 - dig_with_opts @10.53.0.3 +unknownformat a a.example > dig.out.test$n || ret=1 - grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +unknownformat a a.example >dig.out.test$n || ret=1 + grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "TYPE1" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig with reverse lookup works ($n)" ret=0 - dig_with_opts @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 -x 127.0.0.1 >dig.out.test$n 2>&1 || ret=1 # doesn't matter if has answer - grep -i "127\\.in-addr\\.arpa\\." < dig.out.test$n > /dev/null || ret=1 + grep -i "127\\.in-addr\\.arpa\\." <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 86400 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig over TCP works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1 - grep "10\\.0\\.0\\.1$" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 a a.example >dig.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1 - grep "; serial" dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example >dig.out.test$n || ret=1 + grep "; serial" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +nosplit works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1 - grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example >dig.out.test$n || ret=1 + grep "$NOSPLIT" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" <dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig multi flag is local($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti > dig.out.nn.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1 - dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1 - lcnn=$(wc -l < dig.out.nn.$n) - lcmn=$(wc -l < dig.out.mn.$n) - lcnm=$(wc -l < dig.out.nm.$n) - lcmm=$(wc -l < dig.out.mm.$n) + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti >dig.out.nn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti >dig.out.mn.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi >dig.out.nm.$n || ret=1 + dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi >dig.out.mm.$n || ret=1 + lcnn=$(wc -l <dig.out.nn.$n) + lcmn=$(wc -l <dig.out.mn.$n) + lcnm=$(wc -l <dig.out.nm.$n) + lcmm=$(wc -l <dig.out.mm.$n) test "$lcmm" -ge "$lcnm" || ret=1 test "$lcmm" -ge "$lcmn" || ret=1 test "$lcnm" -ge "$lcnn" || ret=1 @@ -251,797 +256,794 @@ if [ -x "$DIG" ] ; then check_ttl_range dig.out.nm.$n "DNSKEY" 300 || ret=1 check_ttl_range dig.out.mm.$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +noheader-only works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +noheader-only A example > dig.out.test$n || ret=1 - grep "Got answer:" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +noheader-only A example >dig.out.test$n || ret=1 + grep "Got answer:" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +short +rrcomments works($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1 + dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >dig.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" <dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +header-only works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +header-only example > dig.out.test$n || ret=1 - grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +header-only example >dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," <dig.out.test$n >/dev/null || ret=1 + grep "^;; QUESTION SECTION:" <dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +raflag works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +raflag +qr example > dig.out.test$n || ret=1 - grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +raflag +qr example >dig.out.test$n || ret=1 + grep "^;; flags: rd ra ad; QUERY: 1, ANSWER: 0," <dig.out.test$n >/dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +tcflag works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +tcflag +qr example > dig.out.test$n || ret=1 - grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" < dig.out.test$n > /dev/null || ret=1 - grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +tcflag +qr example >dig.out.test$n || ret=1 + grep "^;; flags: tc rd ad; QUERY: 1, ANSWER: 0" <dig.out.test$n >/dev/null || ret=1 + grep "^;; flags: qr rd ra; QUERY: 1, ANSWER: 0," <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +header-only works (with class and type set) ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example > dig.out.test$n || ret=1 - grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," < dig.out.test$n > /dev/null || ret=1 - grep "^;; QUESTION SECTION:" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.3 +header-only -c IN -t A example >dig.out.test$n || ret=1 + grep "^;; flags: qr rd; QUERY: 0, ANSWER: 0," <dig.out.test$n >/dev/null || ret=1 + grep "^;; QUESTION SECTION:" <dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +zflag works, and that BIND properly ignores it ($n)" ret=0 - dig_with_opts +tcp @10.53.0.3 +zflag +qr A example > dig.out.test$n || ret=1 - sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" > /dev/null || ret=1 - sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.3 +zflag +qr A example >dig.out.test$n || ret=1 + sed -n '/Sending:/,/Got answer:/p' dig.out.test$n | grep "^;; flags: rd ad; MBZ: 0x4;" >/dev/null || ret=1 + sed -n '/Got answer:/,/AUTHORITY SECTION:/p' dig.out.test$n | grep "^;; flags: qr rd ra; QUERY: 1" >/dev/null || ret=1 check_ttl_range dig.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +qr +ednsopt=08 does not cause an INSIST failure ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example > dig.out.test$n || ret=1 - grep "INSIST" < dig.out.test$n > /dev/null && ret=1 - grep "FORMERR" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=08 +qr a a.example >dig.out.test$n || ret=1 + grep "INSIST" <dig.out.test$n >/dev/null && ret=1 + grep "FORMERR" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ttlunits works ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example > dig.out.test$n || ret=1 - grep "^days.example. 3d" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example > dig.out.test$n || ret=1 - grep "^hours.example. 3h" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example > dig.out.test$n || ret=1 - grep "^minutes.example. 45m" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example > dig.out.test$n || ret=1 - grep "^seconds.example. 45s" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 3w" <dig.out.test$n >/dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A days.example >dig.out.test$n || ret=1 + grep "^days.example. 3d" <dig.out.test$n >/dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A hours.example >dig.out.test$n || ret=1 + grep "^hours.example. 3h" <dig.out.test$n >/dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A minutes.example >dig.out.test$n || ret=1 + grep "^minutes.example. 45m" <dig.out.test$n >/dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits A seconds.example >dig.out.test$n || ret=1 + grep "^seconds.example. 45s" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig respects precedence of options with +ttlunits ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. IN" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 3w" < dig.out.test$n > /dev/null || ret=1 - dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example > dig.out.test$n || ret=1 - grep "^weeks.example. 1814400" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ttlunits +nottlid A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. IN" <dig.out.test$n >/dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +nottlid +ttlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 3w" <dig.out.test$n >/dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +nottlid +nottlunits A weeks.example >dig.out.test$n || ret=1 + grep "^weeks.example. 1814400" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig preserves origin on TCP retries ($n)" ret=0 # Ask ans4 to still accept TCP connections, but not respond to queries echo "//" | sendcmd 10.53.0.4 - dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1 + dig_with_opts -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo >dig.out.test$n 2>&1 && ret=1 test "$(grep -c "trying origin bar" dig.out.test$n)" -eq 2 || ret=1 - grep "using root origin" < dig.out.test$n > /dev/null && ret=1 + grep "using root origin" <dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig -6 -4 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example > dig.out.test$n 2>&1 && ret=1 - grep "only one of -4 and -6 allowed" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 -4 -6 A a.example >dig.out.test$n 2>&1 && ret=1 + grep "only one of -4 and -6 allowed" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig @IPv6addr -4 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example > dig.out.test$n 2>&1 && ret=1 - grep "address family not supported" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @fd92:7065:b8e:ffff::2 -4 A a.example >dig.out.test$n 2>&1 && ret=1 + grep "address family not supported" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +tcp @IPv4addr -6 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +tcp @10.53.0.2 -6 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +tcp @10.53.0.2 -6 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" <dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +notcp @IPv4addr -6 A a.example ($n)" - if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::2 2>/dev/null; then ret=0 - dig_with_opts +notcp @10.53.0.2 -6 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "SERVER: ::ffff:10.53.0.2#$PORT" < dig.out.test$n > /dev/null && ret=1 + dig_with_opts +notcp @10.53.0.2 -6 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "SERVER: ::ffff:10.53.0.2#$PORT" <dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.1 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "CLIENT-SUBNET: 127.0.0.1/32/0" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet +subnet ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "CLIENT-SUBNET: 127.0.0.1/32/0" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=127.0.0.0 +subnet=127.0.0.1 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "CLIENT-SUBNET: 127.0.0.1/32/0" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet with various prefix lengths ($n)" ret=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24; do - dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example > dig.out.$i.test$n 2>&1 || ret=1 - case $i in - 1|9|17) octet=128 ;; - 2|10|18) octet=192 ;; - 3|11|19) octet=224 ;; - 4|12|20) octet=240 ;; - 5|13|21) octet=248 ;; - 6|14|22) octet=252 ;; - 7|15|23) octet=254 ;; - 8|16|24) octet=255 ;; - esac - case $i in - 1|2|3|4|5|6|7|8) addr="${octet}.0.0.0";; - 9|10|11|12|13|14|15|16) addr="255.${octet}.0.0";; - 17|18|19|20|21|22|23|24) addr="255.255.${octet}.0" ;; - esac - grep "FORMERR" < dig.out.$i.test$n > /dev/null && ret=1 - grep "CLIENT-SUBNET: $addr/$i/0" < dig.out.$i.test$n > /dev/null || ret=1 - check_ttl_range dig.out.$i.test$n "A" 300 || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=255.255.255.255/$i A a.example >dig.out.$i.test$n 2>&1 || ret=1 + case $i in + 1 | 9 | 17) octet=128 ;; + 2 | 10 | 18) octet=192 ;; + 3 | 11 | 19) octet=224 ;; + 4 | 12 | 20) octet=240 ;; + 5 | 13 | 21) octet=248 ;; + 6 | 14 | 22) octet=252 ;; + 7 | 15 | 23) octet=254 ;; + 8 | 16 | 24) octet=255 ;; + esac + case $i in + 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8) addr="${octet}.0.0.0" ;; + 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16) addr="255.${octet}.0.0" ;; + 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24) addr="255.255.${octet}.0" ;; + esac + grep "FORMERR" <dig.out.$i.test$n >/dev/null && ret=1 + grep "CLIENT-SUBNET: $addr/$i/0" <dig.out.$i.test$n >/dev/null || ret=1 + check_ttl_range dig.out.$i.test$n "A" 300 || ret=1 done if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=0/0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=0/0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" <dig.out.test$n >/dev/null || ret=1 + grep "CLIENT-SUBNET: 0.0.0.0/0/0" <dig.out.test$n >/dev/null || ret=1 + grep "10.0.0.1" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0.0.0.0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" <dig.out.test$n >/dev/null || ret=1 + grep "CLIENT-SUBNET: 0.0.0.0/0/0" <dig.out.test$n >/dev/null || ret=1 + grep "10.0.0.1" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet=::/0 ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: ::/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=::/0 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" <dig.out.test$n >/dev/null || ret=1 + grep "CLIENT-SUBNET: ::/0/0" <dig.out.test$n >/dev/null || ret=1 + grep "10.0.0.1" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)" ret=0 - dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: NOERROR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 0/0/0" < dig.out.test$n > /dev/null || ret=1 - grep "10.0.0.1" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: NOERROR" <dig.out.test$n >/dev/null || ret=1 + grep "CLIENT-SUBNET: 0/0/0" <dig.out.test$n >/dev/null || ret=1 + grep "10.0.0.1" <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt=8:00030000 (family=3, source=0, scope=0) ($n)" ret=0 - dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example > dig.out.test$n 2>&1 || ret=1 - grep "status: FORMERR" < dig.out.test$n > /dev/null || ret=1 - grep "CLIENT-SUBNET: 00 03 00 00" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts +qr +tcp @10.53.0.2 +ednsopt=8:00030000 A a.example >dig.out.test$n 2>&1 || ret=1 + grep "status: FORMERR" <dig.out.test$n >/dev/null || ret=1 + grep "CLIENT-SUBNET: 00 03 00 00" <dig.out.test$n >/dev/null || ret=1 test "$(grep -c "CLIENT-SUBNET: 00 03 00 00" dig.out.test$n)" -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +subnet with prefix lengths between byte boundaries ($n)" ret=0 for p in 9 10 11 12 13 14 15; do - dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example > dig.out.test.$p.$n 2>&1 || ret=1 - grep "FORMERR" < dig.out.test.$p.$n > /dev/null && ret=1 - grep "CLIENT-SUBNET.*/$p/0" < dig.out.test.$p.$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.2 +subnet=10.53/$p A a.example >dig.out.test.$p.$n 2>&1 || ret=1 + grep "FORMERR" <dig.out.test.$p.$n >/dev/null && ret=1 + grep "CLIENT-SUBNET.*/$p/0" <dig.out.test.$p.$n >/dev/null || ret=1 check_ttl_range dig.out.test.$p.$n "A" 300 || ret=1 done if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +sp works as an abbreviated form of split ($n)" ret=0 - dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > dig.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example >dig.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " <dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig -c works ($n)" ret=0 - dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind > dig.out.test$n || ret=1 - grep "version.bind. 0 CH TXT" < dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 -c CHAOS -t txt version.bind >dig.out.test$n || ret=1 + grep "version.bind. 0 CH TXT" <dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt with option number ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=3 a.example > dig.out.test$n 2>&1 || ret=1 - grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=3 a.example >dig.out.test$n 2>&1 || ret=1 + grep 'NSID: .* ("ns3")' dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking dig +ednsopt with option name ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=nsid a.example > dig.out.test$n 2>&1 || ret=1 - grep 'NSID: .* ("ns3")' dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=nsid a.example >dig.out.test$n 2>&1 || ret=1 + grep 'NSID: .* ("ns3")' dig.out.test$n >/dev/null || ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking ednsopt LLQ prints as expected ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=llq:0001000200001234567812345678fefefefe +qr a.example >dig.out.test$n 2>&1 || ret=1 pat='LLQ: Version: 1, Opcode: 2, Error: 0, Identifier: 1311768465173141112, Lifetime: 4278124286$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking that dig warns about .local queries ($n)" ret=0 - dig_with_opts @10.53.0.3 local soa > dig.out.test$n 2>&1 || ret=1 - grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 local soa >dig.out.test$n 2>&1 || ret=1 + grep ";; WARNING: .local is reserved for Multicast DNS" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag and FORMERR is returned ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: *$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: *$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag:<value-list> ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: 1, 2$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag:00010002 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: 1, 2$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 check_ttl_range dig.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=key-tag:<malformed-value-list> and FORMERR is returned ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=key-tag:0001000201 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; KEY-TAG: 00 01 00 02 01" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=client-tag:value ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG: 1$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:0001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG: 1$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too short client-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:01 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too long client-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; CLIENT-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=client-tag:000001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; CLIENT-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig processes +ednsopt=server-tag:value ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG: 1$" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null && ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:0001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG: 1$" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too short server-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:01 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that FORMERR is returned for a too long server-tag ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr > dig.out.test$n 2>&1 || ret=1 - grep "; SERVER-TAG" dig.out.test$n > /dev/null || ret=1 - grep "status: FORMERR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=server-tag:000001 a.example +qr >dig.out.test$n 2>&1 || ret=1 + grep "; SERVER-TAG" dig.out.test$n >/dev/null || ret=1 + grep "status: FORMERR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 0 is printed correctly ($n)" # First defined EDE code, additional text "foo". - dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0000666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 0 (Other): (foo)$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 24 is printed correctly ($n)" # Last defined EDE code, no additional text. - dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0018 a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 24 (Invalid Data)$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that Extended DNS Error 25 is printed correctly ($n)" # First undefined EDE code, additional text "foo". - dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:0019666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 25: (foo)$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE:$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 1) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=ede:00 a.example +qr >dig.out.test$n 2>&1 || ret=1 pat='^; EDE: 00 (".")$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 0 is printed correctly ($n)" # First defined EDE code, additional text "foo". - dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0000666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "0 (Other)" ] || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "foo" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 24 is printed correctly ($n)" # Last defined EDE code, no additional text. - dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0018 a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0018 a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "24 (Invalid Data)" ] || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 && ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that +yaml Extended DNS Error 25 is printed correctly ($n)" # First undefined EDE code, additional text "foo". - dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:0019666f6f a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE INFO-CODE >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "25" ] || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE EXTRA-TEXT >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "foo" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid Extended DNS Error (length 0) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +yaml +ednsopt=ede a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "None" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that invalid +yaml Extended DNS Error (length 1) is printed ($n)" # EDE payload is too short - dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:00 a.example +qr > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts @10.53.0.3 +yaml +ednsopt=ede:00 a.example +qr >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data OPT_PSEUDOSECTION EDNS EDE >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = '00 (".")' ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig handles malformed option '+ednsopt=:' gracefully ($n)" ret=0 - dig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1 - grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +ednsopt=: a.example >dig.out.test$n 2>&1 && ret=1 + grep "ednsopt no code point specified" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig gracefully handles bad escape in domain name ($n)" ret=0 digstatus=0 - dig_with_opts @10.53.0.3 '\0.' > dig.out.test$n 2>&1 || digstatus=$? - echo digstatus=$digstatus >> dig.out.test$n + dig_with_opts @10.53.0.3 '\0.' >dig.out.test$n 2>&1 || digstatus=$? + echo digstatus=$digstatus >>dig.out.test$n test $digstatus -eq 10 || ret=1 - grep REQUIRE dig.out.test$n > /dev/null && ret=1 - grep "is not a legal name (bad escape)" dig.out.test$n > /dev/null || ret=1 + grep REQUIRE dig.out.test$n >/dev/null && ret=1 + grep "is not a legal name (bad escape)" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -q -m works ($n)" ret=0 - dig_with_opts @10.53.0.3 -q -m > dig.out.test$n 2>&1 + dig_with_opts @10.53.0.3 -q -m >dig.out.test$n 2>&1 pat='^;-m\..*IN.*A$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 - grep "Dump of all outstanding memory allocations" dig.out.test$n > /dev/null && ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 + grep "Dump of all outstanding memory allocations" dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> immediate) ($n)" ret=0 echo "no_response no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> partial AXFR) ($n)" ret=0 echo "partial_axfr partial_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> partial AXFR) ($n)" ret=0 echo "no_response partial_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> immediate) ($n)" ret=0 echo "partial_axfr no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 2 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (immediate -> complete AXFR) ($n)" ret=0 echo "no_response complete_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking exit code for a retry upon TCP EOF (partial AXFR -> complete AXFR) ($n)" ret=0 echo "partial_axfr complete_axfr" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=2 > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=2 >dig.out.test$n 2>&1 || ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking +tries=1 won't retry twice upon TCP EOF ($n)" ret=0 echo "no_response no_response" | sendcmd 10.53.0.5 - dig_with_opts @10.53.0.5 example AXFR +tries=1 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +tries=1 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking +retry=0 won't retry twice upon TCP EOF ($n)" ret=0 - dig_with_opts @10.53.0.5 example AXFR +retry=0 > dig.out.test$n 2>&1 && ret=1 + dig_with_opts @10.53.0.5 example AXFR +retry=0 >dig.out.test$n 2>&1 && ret=1 # Sanity check: ensure ans5 behaves as expected. [ $(grep "communications error.*end of file" dig.out.test$n | wc -l) -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +expandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +expandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:0b8e:ffff:0000:0000:0000:0002" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +noexpandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 +noexpandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig default for +[no]expandaaa (+noexpandaaaa) works ($n)" ret=0 - dig_with_opts @10.53.0.3 AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 - grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 + grep "ns2.example.*fd92:7065:b8e:ffff::2" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +short +expandaaaa works ($n)" ret=0 - dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 +short +expandaaaa AAAA ns2.example >dig.out.test$n 2>&1 || ret=1 pat='^fd92:7065:0b8e:ffff:0000:0000:0000:0002$' - grep "$pat" dig.out.test$n > /dev/null || ret=1 + grep "$pat" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check dig +yaml output ($n)" ret=0 - dig_with_opts +qr +yaml @10.53.0.3 any ns2.example > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message query_message_data status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts +qr +yaml @10.53.0.3 any ns2.example >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message query_message_data status >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "NOERROR" ] || ret=1 - $PYTHON yamlget.py dig.out.test$n 1 message response_message_data status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data status >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "NOERROR" ] || ret=1 - $PYTHON yamlget.py dig.out.test$n 1 message response_message_data QUESTION_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data QUESTION_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "ns2.example. IN ANY" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check dig +yaml output of an IPv6 address ending in zeroes ($n)" ret=0 - dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + dig_with_opts +qr +yaml @10.53.0.3 aaaa d.example >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 1 message response_message_data ANSWER_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "d.example. 300 IN AAAA fd92:7065:b8e:ffff::0" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +bufsize=0 just sets the buffer size to 0 ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr > dig.out.test$n 2>&1 || ret=1 - grep "EDNS:" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.3 a.example +bufsize=0 +qr >dig.out.test$n 2>&1 || ret=1 + grep "EDNS:" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +bufsize restores default bufsize ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 a.example +bufsize=0 +bufsize +qr >dig.out.test$n 2>&1 || ret=1 lines=$(grep "EDNS:.* udp:" dig.out.test$n | wc -l) lines1232=$(grep "EDNS:.* udp: 1232" dig.out.test$n | wc -l) test $lines -eq 2 || ret=1 test $lines1232 -eq 2 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig without -u displays 'Query time' in millseconds ($n)" ret=0 - dig_with_opts @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep ';; Query time: [0-9][0-9]* msec' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -u displays 'Query time' in microseconds ($n)" ret=0 - dig_with_opts -u @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts -u @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep ';; Query time: [0-9][0-9]* usec' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig +yaml without -u displays timestamps in milliseconds ($n)" ret=0 - dig_with_opts +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +yaml @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep 'query_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1 grep 'response_time: !!timestamp ....-..-..T..:..:..\....Z' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig -u +yaml displays timestamps in microseconds ($n)" ret=0 - dig_with_opts -u +yaml @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts -u +yaml @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 grep 'query_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1 grep 'response_time: !!timestamp ....-..-..T..:..:..\.......Z' dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) # See [GL #3020] for more information - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig handles UDP timeout followed by a SERVFAIL correctly ($n)" # Ask ans8 to be in "unstable" mode (switching between "silent" and "servfail" modes) echo "unstable" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +timeout=1 +nofail @10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +timeout=1 +nofail @10.53.0.8 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig handles TCP timeout followed by a SERVFAIL correctly ($n)" # Ask ans8 to be in "unstable" mode (switching between "silent" and "servfail" modes) echo "unstable" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +timeout=1 +nofail +tcp @10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +timeout=1 +nofail +tcp @10.53.0.8 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a UDP socket network unreachable error ($n)" ret=0 - dig_with_opts @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts @192.0.2.128 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a TCP socket network unreachable error ($n)" ret=0 - dig_with_opts +tcp @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +tcp @192.0.2.128 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a UDP socket read error ($n)" ret=0 - dig_with_opts @10.53.0.99 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.99 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a TCP socket read error ($n)" # Ask ans8 to be in "close" mode, which closes the connection after accepting it echo "close" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +tcp @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +tcp @10.53.0.8 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) # Note that we combine TCP socket "connection error" and "timeout" cases in # one, because it is not trivial to simulate the timeout case in a system test @@ -1049,351 +1051,349 @@ if [ -x "$DIG" ] ; then # the connection establishment time does not differentiate between timeout and # other types of errors (unlike during reading), so this one check should be # sufficient for both cases. - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after a TCP socket connection error/timeout ($n)" ret=0 - dig_with_opts +tcp @10.53.0.99 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 + dig_with_opts +tcp @10.53.0.99 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after UDP socket read timeouts ($n)" # Ask ans8 to be in "silent" mode echo "silent" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +timeout=1 @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +timeout=1 @10.53.0.8 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig tries the next server after TCP socket read timeouts ($n)" # Ask ans8 to be in "silent" mode echo "silent" | sendcmd 10.53.0.8 ret=0 - dig_with_opts +timeout=1 +tcp @10.53.0.8 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +timeout=1 +tcp @10.53.0.8 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) # See [GL #3248] for more information - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig correctly refuses to use a server with a IPv4 mapped IPv6 address after failing with a regular IP address ($n)" ret=0 - dig_with_opts @10.53.0.8 @::ffff:10.53.0.8 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F ";; Skipping mapped address" dig.out.test$n > /dev/null || ret=1 - grep -F ";; No acceptable nameservers" dig.out.test$n > /dev/null || ret=1 + dig_with_opts @10.53.0.8 @::ffff:10.53.0.8 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F ";; Skipping mapped address" dig.out.test$n >/dev/null || ret=1 + grep -F ";; No acceptable nameservers" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) # See [GL #3244] for more information - n=$((n+1)) + n=$((n + 1)) echo_i "check that dig handles printing query information with +qr and +y when multiple queries are involved (including a failed query) ($n)" ret=0 - dig_with_opts +timeout=1 +qr +y @127.0.0.1 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - grep -F "IN A 10.0.0.1" dig.out.test$n > /dev/null || ret=1 + dig_with_opts +timeout=1 +qr +y @127.0.0.1 @10.53.0.3 a.example >dig.out.test$n 2>&1 || ret=1 + grep -F "IN A 10.0.0.1" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "$DIG is needed, so skipping these dig tests" fi -if [ -x "$MDIG" ] ; then - n=$((n+1)) +if [ -x "$MDIG" ]; then + n=$((n + 1)) echo_i "check that mdig handles malformed option '+ednsopt=:' gracefully ($n)" ret=0 - mdig_with_opts @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1 - grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1 + mdig_with_opts @10.53.0.3 +ednsopt=: a.example >dig.out.test$n 2>&1 && ret=1 + grep "ednsopt no code point specified" dig.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1 + mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example >dig.out.test$n || ret=1 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking mdig +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example > dig.out.test$n || ret=1 - grep "; serial" < dig.out.test$n > /dev/null && ret=1 + mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t SOA example >dig.out.test$n || ret=1 + grep "; serial" <dig.out.test$n >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check mdig +yaml output ($n)" ret=0 - mdig_with_opts +yaml @10.53.0.3 -t any ns2.example > dig.out.test$n 2>&1 || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message response_message_data status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + mdig_with_opts +yaml @10.53.0.3 -t any ns2.example >dig.out.test$n 2>&1 || ret=1 + $PYTHON yamlget.py dig.out.test$n 0 message response_message_data status >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "NOERROR" ] || ret=1 - $PYTHON yamlget.py dig.out.test$n 0 message response_message_data QUESTION_SECTION 0 > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py dig.out.test$n 0 message response_message_data QUESTION_SECTION 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "ns2.example. IN ANY" ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi else echo_i "$MDIG is needed, so skipping these mdig tests" fi -if [ -x "$DELV" ] ; then - n=$((n+1)) +if [ -x "$DELV" ]; then + n=$((n + 1)) echo_i "checking delv short form works ($n)" ret=0 - delv_with_opts @10.53.0.3 +short a a.example > delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + delv_with_opts @10.53.0.3 +short a a.example >delv.out.test$n || ret=1 + test "$(wc -l <delv.out.test$n)" -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv split width works ($n)" ret=0 - delv_with_opts @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +split=4 -t sshfp foo.example >delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +unknownformat works ($n)" ret=0 - delv_with_opts @10.53.0.3 +unknownformat a a.example > delv.out.test$n || ret=1 - grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +unknownformat a a.example >delv.out.test$n || ret=1 + grep "CLASS1[ ][ ]*TYPE1[ ][ ]*\\\\# 4 0A000001" <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "TYPE1" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -4 -6 ($n)" ret=0 - delv_with_opts @10.53.0.3 -4 -6 A a.example > delv.out.test$n 2>&1 && ret=1 - grep "only one of -4 and -6 allowed" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -4 -6 A a.example >delv.out.test$n 2>&1 && ret=1 + grep "only one of -4 and -6 allowed" <delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with IPv6 on IPv4 does not work ($n)" - if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null; then ret=0 # following should fail because @IPv4 overrides earlier @IPv6 above # and -6 forces IPv6 so this should fail, with a message # "Use of IPv4 disabled by -6" - delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 && ret=1 + delv_with_opts @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example >delv.out.test$n 2>&1 && ret=1 # it should have no results but error output - grep "testing" < delv.out.test$n > /dev/null && ret=1 - grep "Use of IPv4 disabled by -6" delv.out.test$n > /dev/null || ret=1 + grep "testing" <delv.out.test$n >/dev/null && ret=1 + grep "Use of IPv4 disabled by -6" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with IPv4 on IPv6 does not work ($n)" - if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null - then + if testsock6 fd92:7065:b8e:ffff::3 2>/dev/null; then ret=0 # following should fail because @IPv6 overrides earlier @IPv4 above # and -4 forces IPv4 so this should fail, with a message # "Use of IPv6 disabled by -4" - delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example > delv.out.test$n 2>&1 && ret=1 + delv_with_opts @10.53.0.3 @fd92:7065:b8e:ffff::3 -4 -t txt foo.example >delv.out.test$n 2>&1 && ret=1 # it should have no results but error output - grep "testing" delv.out.test$n > /dev/null && ret=1 - grep "Use of IPv6 disabled by -4" delv.out.test$n > /dev/null || ret=1 + grep "testing" delv.out.test$n >/dev/null && ret=1 + grep "Use of IPv6 disabled by -4" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) else echo_i "IPv6 unavailable; skipping" fi - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv with reverse lookup works ($n)" ret=0 - delv_with_opts @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1 + delv_with_opts @10.53.0.3 -x 127.0.0.1 >delv.out.test$n 2>&1 || ret=1 # doesn't matter if has answer - grep -i "127\\.in-addr\\.arpa\\." < delv.out.test$n > /dev/null || ret=1 + grep -i "127\\.in-addr\\.arpa\\." <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n '\\-ANY' 10800 3 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv over TCP works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 a a.example > delv.out.test$n || ret=1 - grep "10\\.0\\.0\\.1$" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 a a.example >delv.out.test$n || ret=1 + grep "10\\.0\\.0\\.1$" <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <delv.out.test$n >/dev/null && ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +multi +norrcomments works for SOA (when default is rrcomments)($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1 + delv_with_opts +tcp @10.53.0.3 +multi +norrcomments SOA example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <delv.out.test$n >/dev/null && ret=1 check_ttl_range delv.out.test$n "SOA" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +rrcomments works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1 - grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example >delv.out.test$n || ret=1 + grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" <delv.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +nosplit works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > delv.out.test$n || ret=1 - grep -q "$NOSPLIT" < delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 - test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example >delv.out.test$n || ret=1 + grep -q "$NOSPLIT" <delv.out.test$n || ret=1 + test "$(wc -l <delv.out.test$n)" -eq 1 || ret=1 + test "$(awk '{print NF}' <delv.out.test$n)" -eq 14 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +short +nosplit +norrcomments works ($n)" ret=0 - delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example > delv.out.test$n || ret=1 - grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 - test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || ret=1 + delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example >delv.out.test$n || ret=1 + grep -q "$NOSPLIT\$" <delv.out.test$n || ret=1 + test "$(wc -l <delv.out.test$n)" -eq 1 || ret=1 + test "$(awk '{print NF}' <delv.out.test$n)" -eq 4 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +sp works as an abbriviated form of split ($n)" ret=0 - delv_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example > delv.out.test$n || ret=1 - grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 +sp=4 -t sshfp foo.example >delv.out.test$n || ret=1 + grep " 9ABC DEF6 7890 " <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "SSHFP" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv +sh works as an abbriviated form of short ($n)" ret=0 - delv_with_opts @10.53.0.3 +sh a a.example > delv.out.test$n || ret=1 - test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1 + delv_with_opts @10.53.0.3 +sh a a.example >delv.out.test$n || ret=1 + test "$(wc -l <delv.out.test$n)" -eq 1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -c IN works ($n)" ret=0 - delv_with_opts @10.53.0.3 -c IN -t a a.example > delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c IN -t a a.example >delv.out.test$n || ret=1 + grep "a.example." <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv -c CH is ignored, and treated like IN ($n)" ret=0 - delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c CH -t a a.example >delv.out.test$n || ret=1 + grep "a.example." <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "checking delv H is ignored, and treated like IN ($n)" ret=0 - delv_with_opts @10.53.0.3 -c CH -t a a.example > delv.out.test$n || ret=1 - grep "a.example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -c CH -t a a.example >delv.out.test$n || ret=1 + grep "a.example." <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n "A" 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv -q -m works ($n)" ret=0 - delv_with_opts @10.53.0.3 -q -m > delv.out.test$n 2>&1 || ret=1 - grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n > /dev/null || ret=1 - grep "^add " delv.out.test$n > /dev/null && ret=1 - grep "^del " delv.out.test$n > /dev/null && ret=1 + delv_with_opts @10.53.0.3 -q -m >delv.out.test$n 2>&1 || ret=1 + grep '^; -m\..*[0-9]*.*IN.*ANY.*;' delv.out.test$n >/dev/null || ret=1 + grep "^add " delv.out.test$n >/dev/null && ret=1 + grep "^del " delv.out.test$n >/dev/null && ret=1 check_ttl_range delv.out.test$n '\\-ANY' 300 3 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv -t ANY works ($n)" ret=0 - delv_with_opts @10.53.0.3 -t ANY example > delv.out.test$n 2>&1 || ret=1 - grep "^example." < delv.out.test$n > /dev/null || ret=1 + delv_with_opts @10.53.0.3 -t ANY example >delv.out.test$n 2>&1 || ret=1 + grep "^example." <delv.out.test$n >/dev/null || ret=1 check_ttl_range delv.out.test$n NS 300 || ret=1 check_ttl_range delv.out.test$n SOA 300 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv loads key-style trust anchors ($n)" ret=0 - delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 - grep "fully validated" delv.out.test$n > /dev/null || ret=1 + delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example >delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - n=$((n+1)) + n=$((n + 1)) echo_i "check that delv loads DS-style trust anchors ($n)" ret=0 - delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1 - grep "fully validated" delv.out.test$n > /dev/null || ret=1 + delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example >delv.out.test$n 2>&1 || ret=1 + grep "fully validated" delv.out.test$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - if [ $HAS_PYYAML -ne 0 ] ; then - n=$((n+1)) + if [ $HAS_PYYAML -ne 0 ]; then + n=$((n + 1)) echo_i "check delv +yaml output ($n)" ret=0 - delv_with_opts +yaml @10.53.0.3 any ns2.example > delv.out.test$n || ret=1 - $PYTHON yamlget.py delv.out.test$n status > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + delv_with_opts +yaml @10.53.0.3 any ns2.example >delv.out.test$n || ret=1 + $PYTHON yamlget.py delv.out.test$n status >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "success" ] || ret=1 - $PYTHON yamlget.py delv.out.test$n query_name > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n + $PYTHON yamlget.py delv.out.test$n query_name >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n [ "$value" = "ns2.example" ] || ret=1 - $PYTHON yamlget.py delv.out.test$n records 0 answer_not_validated 0 > yamlget.out.test$n 2>&1 || ret=1 - read -r value < yamlget.out.test$n - count=$(echo $value | wc -w ) + $PYTHON yamlget.py delv.out.test$n records 0 answer_not_validated 0 >yamlget.out.test$n 2>&1 || ret=1 + read -r value <yamlget.out.test$n + count=$(echo $value | wc -w) [ ${count:-0} -eq 5 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) fi else echo_i "$DELV is needed, so skipping these delv tests" diff --git a/bin/tests/system/dispatch/ns2/named.conf.in b/bin/tests/system/dispatch/ns2/named.conf.in index 50f2c34..895f40d 100644 --- a/bin/tests/system/dispatch/ns2/named.conf.in +++ b/bin/tests/system/dispatch/ns2/named.conf.in @@ -41,7 +41,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/dlzexternal/driver/Makefile.in b/bin/tests/system/dlzexternal/driver/Makefile.in index 8a26cb9..d900571 100644 --- a/bin/tests/system/dlzexternal/driver/Makefile.in +++ b/bin/tests/system/dlzexternal/driver/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tests/system/dlzexternal/prereq.sh b/bin/tests/system/dlzexternal/prereq.sh index 066a74e..f7591d7 100644 --- a/bin/tests/system/dlzexternal/prereq.sh +++ b/bin/tests/system/dlzexternal/prereq.sh @@ -14,8 +14,8 @@ . ../conf.sh $FEATURETEST --tsan && { - echo_i "TSAN - skipping dlzexternal test" - exit 255 + echo_i "TSAN - skipping dlzexternal test" + exit 255 } exit 0 diff --git a/bin/tests/system/dlzexternal/setup.sh b/bin/tests/system/dlzexternal/setup.sh index dda16df..2dfa3d6 100644 --- a/bin/tests/system/dlzexternal/setup.sh +++ b/bin/tests/system/dlzexternal/setup.sh @@ -13,6 +13,6 @@ . ../conf.sh -$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key +$TSIGKEYGEN ddns-key.example.nil >ns1/ddns.key copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh index a86ea7e..031f76a 100644 --- a/bin/tests/system/dlzexternal/tests.sh +++ b/bin/tests/system/dlzexternal/tests.sh @@ -19,42 +19,42 @@ status=0 n=0 DIGOPTS="@10.53.0.1 -p ${PORT} +nocookie" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" newtest() { - n=$((n + 1)) - echo_i "${1} (${n})" - ret=0 + n=$((n + 1)) + echo_i "${1} (${n})" + ret=0 } test_update() { - host="$1" - type="$2" - cmd="$3" - digout="$4" - should_fail="$5" + host="$1" + type="$2" + cmd="$3" + digout="$4" + should_fail="$5" - cat <<EOF > ns1/update.txt + cat <<EOF >ns1/update.txt server 10.53.0.1 ${PORT} update add $host $cmd send EOF - newtest "testing update for $host $type $cmd${comment:+ }$comment" - $NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed for $host $type $cmd" - return 1 - } - - out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host") - lines=$(echo "$out" | grep "$digout" | wc -l) - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - return 0 + newtest "testing update for $host $type $cmd${comment:+ }$comment" + $NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed for $host $type $cmd" + return 1 + } + + out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^$host") + lines=$(echo "$out" | grep "$digout" | wc -l) + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 } test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 @@ -70,19 +70,19 @@ test_update deny.example.nil. TXT "86400 TXT helloworld" "helloworld" should_fai status=$((status + ret)) newtest "testing nxrrset" -$DIG $DIGOPTS testdc1.example.nil AAAA > dig.out.$n || ret=1 -grep "status: NOERROR" dig.out.$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS testdc1.example.nil AAAA >dig.out.$n || ret=1 +grep "status: NOERROR" dig.out.$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.$n >/dev/null || ret=1 status=$((status + ret)) newtest "testing prerequisites are checked correctly" -cat > ns1/update.txt << EOF +cat >ns1/update.txt <<EOF server 10.53.0.1 ${PORT} prereq nxdomain testdc3.example.nil update add testdc3.example.nil 86500 in a 10.53.0.12 send EOF -$NSUPDATE -k ns1/ddns.key ns1/update.txt > /dev/null 2>&1 && ret=1 +$NSUPDATE -k ns1/ddns.key ns1/update.txt >/dev/null 2>&1 && ret=1 out=$($DIG $DIGOPTS +short a testdc3.example.nil) [ "$out" = "10.53.0.12" ] && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" @@ -98,10 +98,10 @@ status=$((status + ret)) newtest "testing DLZ driver is cleaned up on reload" rndc_reload ns1 10.53.0.1 for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - grep 'dlz_example: shutting down zone example.nil' ns1/named.run > /dev/null 2>&1 || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + grep 'dlz_example: shutting down zone example.nil' ns1/named.run >/dev/null 2>&1 || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -111,53 +111,53 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 status=$((status + ret)) newtest "testing AXFR from DLZ drivers" -$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1 +$DIG $DIGOPTS +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1 lines=$(cat dig.out.example.ns1.test$n | wc -l) [ ${lines:-0} -eq 4 ] || ret=1 -$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1 +$DIG $DIGOPTS +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1 lines=$(cat dig.out.alternate.ns1.test$n | wc -l) [ ${lines:-0} -eq 5 ] || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing AXFR denied from DLZ drivers" -$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n || ret=1 -grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n || ret=1 -grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil >dig.out.example.ns1.test$n || ret=1 +grep "; Transfer failed" dig.out.example.ns1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil >dig.out.alternate.ns1.test$n || ret=1 +grep "; Transfer failed" dig.out.alternate.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing AXFR denied based on view ACL" # 10.53.0.1 should be disallowed -$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 || ret=1 -grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org >dig.out.example.ns1.test$n.1 || ret=1 +grep "; Transfer failed" dig.out.example.ns1.test$n.1 >/dev/null || ret=1 # 10.53.0.2 should be allowed -$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 || ret=1 -grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org >dig.out.example.ns1.test$n.2 || ret=1 +grep "; Transfer failed" dig.out.example.ns1.test$n.2 >/dev/null && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing unsearched/unregistered DLZ zone is not found" -$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n || ret=1 -grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +noall +answer ns other.nil >dig.out.ns1.test$n || ret=1 +grep "3600.IN.NS.other.nil." dig.out.ns1.test$n >/dev/null && ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing unsearched/registered DLZ zone is found" -$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1 -grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1 +grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing unsearched/registered DLZ zone is found" -$DIG $DIGOPTS +noall +answer ns zone.nil > dig.out.ns1.test$n || ret=1 -grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +noall +answer ns zone.nil >dig.out.ns1.test$n || ret=1 +grep "3600.IN.NS.zone.nil." dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing correct behavior with findzone returning ISC_R_NOMORE" -$DIG $DIGOPTS +noall a test.example.com > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +noall a test.example.com >/dev/null 2>&1 || ret=1 # we should only find one logged lookup per searched DLZ database lines=$(grep "dlz_findzonedb.*test\.example\.com.*example.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 @@ -167,13 +167,13 @@ lines=$(grep "dlz_findzonedb.*test\.example\.com.*alternate.nil" ns1/named.run | status=$((status + ret)) newtest "testing findzone can return different results per client" -$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS -b 10.53.0.1 +noall a test.example.net >/dev/null 2>&1 || ret=1 # we should only find one logged lookup per searched DLZ database lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l) [ $lines -eq 1 ] || ret=1 -$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS -b 10.53.0.2 +noall a test.example.net >/dev/null 2>&1 || ret=1 # we should find several logged lookups this time lines=$(grep "dlz_findzonedb.*example\.net.*example.nil" ns1/named.run | wc -l) [ $lines -gt 2 ] || ret=1 @@ -183,47 +183,47 @@ lines=$(grep "dlz_findzonedb.*example\.net.*alternate.nil" ns1/named.run | wc -l status=$((status + ret)) newtest "testing zone returning oversized data" -$DIG $DIGOPTS txt too-long.example.nil > dig.out.ns1.test$n 2>&1 || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt too-long.example.nil >dig.out.ns1.test$n 2>&1 || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "testing zone returning oversized data at zone origin" -$DIG $DIGOPTS txt bigcname.domain > dig.out.ns1.test$n 2>&1 || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS txt bigcname.domain >dig.out.ns1.test$n 2>&1 || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test$n >/dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=$((status + ret)) newtest "checking redirected lookup for nonexistent name" -$DIG $DIGOPTS @10.53.0.1 unexists a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 unexists a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^unexists.*A.*100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "checking no redirected lookup for nonexistent type" -$DIG $DIGOPTS @10.53.0.1 exists aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 exists aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "checking redirected lookup for a long nonexistent name" -$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 long.name.is.not.there a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^long.name.*A.*100.100.100.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns1.test$n >/dev/null || ret=1 lookups=$(grep "lookup #.*\.not\.there" ns1/named.run | wc -l) [ "$lookups" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "checking ECS data is passed to driver in clientinfo" -$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt > dig.out.ns1.test$n.1 || ret=1 -grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 > /dev/null || ret=1 -$DIG $DIGOPTS +short source-addr.example.nil txt > dig.out.ns1.test$n.2 || ret=1 -grep "not.*present" dig.out.ns1.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS +short +subnet=192.0/16 source-addr.example.nil txt >dig.out.ns1.test$n.1 || ret=1 +grep "192.0.0.0/16/0" dig.out.ns1.test$n.1 >/dev/null || ret=1 +$DIG $DIGOPTS +short source-addr.example.nil txt >dig.out.ns1.test$n.2 || ret=1 +grep "not.*present" dig.out.ns1.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/dns64/ns1/named.conf1.in b/bin/tests/system/dns64/ns1/named.conf1.in index aaf7aab..41950d9 100644 --- a/bin/tests/system/dns64/ns1/named.conf1.in +++ b/bin/tests/system/dns64/ns1/named.conf1.in @@ -13,7 +13,7 @@ // NS1 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/dns64/ns1/named.conf2.in b/bin/tests/system/dns64/ns1/named.conf2.in index f3fc40f..ff39dd1 100644 --- a/bin/tests/system/dns64/ns1/named.conf2.in +++ b/bin/tests/system/dns64/ns1/named.conf2.in @@ -13,7 +13,7 @@ // NS1 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/dns64/ns1/named.conf3.in b/bin/tests/system/dns64/ns1/named.conf3.in index cb6237b..a44c258 100644 --- a/bin/tests/system/dns64/ns1/named.conf3.in +++ b/bin/tests/system/dns64/ns1/named.conf3.in @@ -13,7 +13,7 @@ // NS1 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh index 348ca8a..1a0acfd 100644 --- a/bin/tests/system/dns64/ns1/sign.sh +++ b/bin/tests/system/dns64/ns1/sign.sh @@ -20,6 +20,6 @@ zonefile=signed.db key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM $zone) key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/dns64/ns2/named.conf.in b/bin/tests/system/dns64/ns2/named.conf.in index be92d1a..263cc8a 100644 --- a/bin/tests/system/dns64/ns2/named.conf.in +++ b/bin/tests/system/dns64/ns2/named.conf.in @@ -62,7 +62,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "rpz" { diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh index 4ee42dc..231e825 100644 --- a/bin/tests/system/dns64/tests.sh +++ b/bin/tests/system/dns64/tests.sh @@ -22,273 +22,271 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -for conf in conf/good*.conf -do - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/good*.conf; do + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done # Check the example. domain echo_i "checking non-excluded AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking default exclude acl ignores mapped A records (all mapped) ($n)" ret=0 -$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::1.2.3.5" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking default exclude acl ignores mapped A records (some mapped) ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::4" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::ffff:1.2.3.4" dig.out.ns2.test$n > /dev/null && ret=1 -grep "::ffff:1.2.3.5" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a-and-aaaa-and-mapped.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::4" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::ffff:1.2.3.4" dig.out.ns2.test$n >/dev/null && ret=1 +grep "::ffff:1.2.3.5" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking default exclude acl works with AAAA only ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking default exclude acl A only lookup works ($n)" ret=0 -$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially excluded only AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially-excluded AAAA and non-mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially-excluded only AAAA and mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only lookup works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only lookup works ($n)" ret=0 -$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A lookup works ($n)" ret=0 -$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA lookup works ($n)" ret=0 -$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -297,212 +295,212 @@ status=$((status + ret)) echo_i "checking non-excluded AAAA lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::1.2.3.4" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially excluded only AAAA lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::102:304" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::102:304" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:bbbb::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:bbbb::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup works, recursive only ($n)" ret=0 -$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -511,220 +509,220 @@ status=$((status + ret)) echo_i "checking non-excluded AAAA lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially excluded only AAAA lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec partially-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially-excluded AAAA and non-mapped A lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec partially-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking partially-excluded only AAAA and mapped A lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee:" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec partially-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee:" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-excluded-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-excluded-bad-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-excluded-good-a.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-aaaa-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-only.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-a-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-only.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-a-and-aaaa.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-a-not-mapped.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-mx-only.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup works, recursive only +norec ($n)" ret=0 -$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +norec cname-non-existent.example. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -733,181 +731,181 @@ status=$((status + ret)) echo_i "checking non-excluded AAAA from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-bad-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-good-a.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-and-aaaa.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-not-mapped.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.example." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-mx-only.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.example." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME from non-client lookup works ($n)" ret=0 -$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-non-existent.example. @10.53.0.2 -b 10.53.0.3 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -916,181 +914,181 @@ status=$((status + ret)) echo_i "checking non-excluded AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:304" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:304" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:304" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.signed." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup is signed zone works ($n)" ret=0 -$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1098,227 +1096,225 @@ status=$((status + ret)) # Check the signed. domain echo_i "checking non-excluded AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-excluded AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-excluded-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded AAAA and non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-excluded-bad-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking excluded only AAAA and mapped A via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:eeee::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-excluded-good-a.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:eeee::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA only via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::2" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-aaaa-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::2" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A only via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:aaaa::102:305" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +dnssec cname-a-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:aaaa::102:305" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A and AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001::1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-a-and-aaaa.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001::1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-mapped A via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-a-not-mapped.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME a-not-mapped.signed." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking NODATA AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 -grep "CNAME mx-only.signed." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-mx-only.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 +grep "CNAME mx-only.signed." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking non-existent AAAA via CNAME lookup is signed zone works with +dnssec ($n)" ret=0 -$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec cname-non-existent.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking reverse mapping ($n)" ret=0 -$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS -x 2001:aaaa::10.0.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep -i "CNAME.1.0.0.10.IN-ADDR.ARPA.$" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) list=$($DIG $DIGOPTS -b 10.53.0.6 @10.53.0.2 +short aaaa a-only.example | sort) -for a in $list -do - ret=0 - echo_i "checking reverse mapping of $a ($n)" - $DIG $DIGOPTS -x $a @10.53.0.2 > dig.out.ns2.test$n || ret=1 - grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." dig.out.ns2.test$n > /dev/null || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for a in $list; do + ret=0 + echo_i "checking reverse mapping of $a ($n)" + $DIG $DIGOPTS -x $a @10.53.0.2 >dig.out.ns2.test$n || ret=1 + grep -i "CNAME.5.3.2.1.IN-ADDR.ARPA." dig.out.ns2.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done rev=$($ARPANAME 2001:aaaa::10.0.0.1) regex='..\(.*.IP6.ARPA\)' rev=$(expr "${rev}" : "${regex}") fin=$(expr "${rev}" : "............${regex}") -while test "${rev}" != "${fin}" -do - ret=0 - echo_i "checking $rev ($n)" - $DIG $DIGOPTS $rev ptr @10.53.0.2 > dig.out.ns2.test$n || ret=1 - grep -i "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 - grep -i "ANSWER: 0," dig.out.ns2.test$n > /dev/null || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - rev=$(expr "${rev}" : "${regex}") +while test "${rev}" != "${fin}"; do + ret=0 + echo_i "checking $rev ($n)" + $DIG $DIGOPTS $rev ptr @10.53.0.2 >dig.out.ns2.test$n || ret=1 + grep -i "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 + grep -i "ANSWER: 0," dig.out.ns2.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + rev=$(expr "${rev}" : "${regex}") done echo_i "checking dns64-server and dns64-contact ($n)" ret=0 -$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1326,7 +1322,7 @@ status=$((status + ret)) echo_i "checking TTL less than 600 from zone ($n)" ret=0 #expect 500 -$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1335,7 +1331,7 @@ status=$((status + ret)) echo_i "checking TTL more than 600 from zone ($n)" ret=0 #expect 700 -$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1344,7 +1340,7 @@ status=$((status + ret)) echo_i "checking TTL less than minimum from zone ($n)" ret=0 #expect 1100 -$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1353,7 +1349,7 @@ status=$((status + ret)) echo_i "checking TTL limited to minimum from zone ($n)" ret=0 #expect 1200 -$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 >dig.out.ns1.test$n || ret=1 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1362,7 +1358,7 @@ status=$((status + ret)) echo_i "checking TTL less than 600 via cache ($n)" ret=0 #expect 500 -$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns1.test$n || ret=1 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1371,7 +1367,7 @@ status=$((status + ret)) echo_i "checking TTL more than 600 via cache ($n)" ret=0 #expect 700 -$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1380,7 +1376,7 @@ status=$((status + ret)) echo_i "checking TTL less than minimum via cache ($n)" ret=0 #expect 1100 -$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1389,7 +1385,7 @@ status=$((status + ret)) echo_i "checking TTL limited to minimum via cache ($n)" ret=0 #expect 1200 -$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1397,16 +1393,16 @@ status=$((status + ret)) echo_i "checking synthesis of AAAA from RPZ-remapped A ($n)" ret=0 -$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking 'dig +dns64prefix' ($n)" -$DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '^2001:bbbb::/96$' dig.out.ns1.test$n > /dev/null || ret=1 -test $(wc -l < dig.out.ns1.test$n) -eq 1 || ret=1 +$DIG $DIGOPTS +dns64prefix @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '^2001:bbbb::/96$' dig.out.ns1.test$n >/dev/null || ret=1 +test $(wc -l <dig.out.ns1.test$n) -eq 1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1415,10 +1411,10 @@ copy_setports ns1/named.conf2.in ns1/named.conf rndc_reload ns1 10.53.0.1 echo_i "checking 'dig +dns64prefix' with multiple prefixes ($n)" -$DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep '^2001:bbbb::/96$' dig.out.ns1.test$n > /dev/null || ret=1 -grep '2001:aaaa::/64' dig.out.ns1.test$n > /dev/null || ret=1 -test $(wc -l < dig.out.ns1.test$n) -eq 2 || ret=1 +$DIG $DIGOPTS +dns64prefix @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep '^2001:bbbb::/96$' dig.out.ns1.test$n >/dev/null || ret=1 +grep '2001:aaaa::/64' dig.out.ns1.test$n >/dev/null || ret=1 +test $(wc -l <dig.out.ns1.test$n) -eq 2 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1427,15 +1423,15 @@ copy_setports ns1/named.conf3.in ns1/named.conf rndc_reload ns1 10.53.0.1 echo_i "checking 'dig +dns64prefix' with no prefixes ($n)" -$DIG $DIGOPTS +dns64prefix @10.53.0.1 > dig.out.ns1.test$n || ret=1 -test $(wc -l < dig.out.ns1.test$n) -eq 0 || ret=1 +$DIG $DIGOPTS +dns64prefix @10.53.0.1 >dig.out.ns1.test$n || ret=1 +test $(wc -l <dig.out.ns1.test$n) -eq 0 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking synthesis of AAAA from builtin ipv4only.arpa ($n)" ret=0 -$DIG $DIGOPTS aaaa ipv4only.arpa -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS aaaa ipv4only.arpa -b 10.53.0.7 @10.53.0.2 >dig.out.ns2.test$n || ret=1 grep -i 'ipv4only.arpa.*IN.AAAA.2001:96::c000:aa' dig.out.ns2.test$n >/dev/null || ret=1 grep -i 'ipv4only.arpa.*IN.AAAA.2001:96::c000:ab' dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) @@ -1444,8 +1440,8 @@ status=$((status + ret)) echo_i "checking reverse of dns64 mapped ipv4only.arpa addresses returns ipv4only.arpa ($n)" ret=0 -$DIG $DIGOPTS ptr -x 2001:96::192.0.0.170 -b 10.53.0.7 @10.53.0.2 > dig.out.170.ns2.test$n || ret=1 -$DIG $DIGOPTS ptr -x 2001:96::192.0.0.171 -b 10.53.0.7 @10.53.0.2 > dig.out.171.ns2.test$n || ret=1 +$DIG $DIGOPTS ptr -x 2001:96::192.0.0.170 -b 10.53.0.7 @10.53.0.2 >dig.out.170.ns2.test$n || ret=1 +$DIG $DIGOPTS ptr -x 2001:96::192.0.0.171 -b 10.53.0.7 @10.53.0.2 >dig.out.171.ns2.test$n || ret=1 grep "ip6\.arpa\..*PTR.*ipv4only\.arpa\." dig.out.170.ns2.test$n >/dev/null || ret=1 grep "ip6\.arpa\..*PTR.*ipv4only\.arpa\." dig.out.171.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 21c6d71..32a1736 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -20,9 +20,9 @@ zone=. infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL sign.sh ) -(cd ../ns6 && $SHELL sign.sh ) -(cd ../ns7 && $SHELL sign.sh ) +(cd ../ns2 && $SHELL sign.sh) +(cd ../ns6 && $SHELL sign.sh) +(cd ../ns7 && $SHELL sign.sh) echo_i "ns1/sign.sh" @@ -30,18 +30,18 @@ cp "../ns2/dsset-example." . cp "../ns2/dsset-in-addr.arpa." . cp "../ns2/dsset-too-many-iterations." . -grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." > "dsset-algroll." +grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll." cp "../ns6/dsset-optout-tld." . ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a staitc key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf @@ -49,14 +49,14 @@ cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf -keyfile_to_trusted_keys "$ksk" > trusted.keys +keyfile_to_trusted_keys "$ksk" >trusted.keys # ...or with an initializing key. -keyfile_to_initial_ds "$ksk" > managed.conf +keyfile_to_initial_ds "$ksk" >managed.conf cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # -keyfile_to_key_id "$ksk" > managed.key.id +keyfile_to_key_id "$ksk" >managed.key.id diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 94928c1..a854a08 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "trusted" { diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 47248a4..05e8293 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -17,15 +17,14 @@ set -e # Sign child zones (served by ns3). -( cd ../ns3 && $SHELL sign.sh ) +(cd ../ns3 && $SHELL sign.sh) echo_i "ns2/sign.sh" # Get the DS records for the "trusted." and "managed." zones. -for subdomain in secure unsupported disabled enabled -do - cp "../ns3/dsset-$subdomain.managed." . - cp "../ns3/dsset-$subdomain.trusted." . +for subdomain in secure unsupported disabled enabled; do + cp "../ns3/dsset-$subdomain.managed." . + cp "../ns3/dsset-$subdomain.trusted." . done # Sign the "trusted." and "managed." zones. @@ -36,9 +35,9 @@ zonefile=managed.db keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 zone=trusted. infile=key.db.in @@ -47,9 +46,9 @@ zonefile=trusted.db keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # The "example." zone. zone=example. @@ -58,23 +57,22 @@ zonefile=example.db # Get the DS records for the "example." zone. for subdomain in secure badds bogus dynamic keyless nsec3 optout \ - nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ - kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ - ttlpatch split-dnssec split-smart expired expiring upper lower \ - dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ - dnskey-nsec3-unknown managed-future revkey \ - dname-at-apex-nsec3 occluded -do - cp "../ns3/dsset-$subdomain.example." . + nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ + kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ + ttlpatch split-dnssec split-smart expired expiring upper lower \ + dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ + dnskey-nsec3-unknown managed-future revkey \ + dname-at-apex-nsec3 occluded; do + cp "../ns3/dsset-$subdomain.example." . done # Sign the "example." zone. keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # lower/uppercase the signature bits with the exception of the last characters @@ -82,8 +80,8 @@ cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" # zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 -"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | -awk ' +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk ' tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" { for (i = 1; i <= NF; i++ ) { if (i <= 12) { @@ -122,7 +120,7 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { next; } -{ print; }' > "$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" +{ print; }' >"$zonefiletmp" && mv "$zonefiletmp" "$zonefile.signed" # # signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. @@ -134,8 +132,8 @@ zonefile=in-addr.arpa.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # Sign the badparam secure file @@ -146,11 +144,11 @@ zonefile=badparam.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 -sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad" +sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" >"$zonefile.bad" # Sign the single-nsec3 secure zone with optout @@ -161,9 +159,9 @@ zonefile=single-nsec3.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1 +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null 2>&1 # # algroll has just has the old DNSKEY records removed and is waiting @@ -179,9 +177,9 @@ keyold2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zon keynew1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" +cat "$infile" "$keynew1.key" "$keynew2.key" >"$zonefile" -"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1 +"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" >/dev/null 2>&1 # # Make a zone big enough that it takes several seconds to generate a new @@ -189,7 +187,7 @@ cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile" # zone=nsec3chain-test zonefile=nsec3chain-test.db -cat > "$zonefile" << EOF +cat >"$zonefile" <<EOF \$TTL 10 @ 10 SOA ns2 hostmaster 0 3600 1200 864000 1200 @ 10 NS ns2 @@ -199,22 +197,22 @@ ns3 10 A 10.53.0.3 EOF i=1 while [ $i -le 300 ]; do - echo "host$i 10 IN NS ns.elsewhere" - i=$((i+1)) -done >> "$zonefile" + echo "host$i 10 IN NS ns.elsewhere" + i=$((i + 1)) +done >>"$zonefile" key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$key1.key" "$key2.key" >> "$zonefile" -"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1 +cat "$key1.key" "$key2.key" >>"$zonefile" +"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" >/dev/null 2>&1 zone=cds.secure infile=cds.secure.db.in zonefile=cds.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-x.secure infile=cds.secure.db.in @@ -222,43 +220,43 @@ zonefile=cds-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -"$DSFROMKEY" -C "$key2.key" > "$key2.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile" -"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +"$DSFROMKEY" -C "$key2.key" >"$key2.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" >"$zonefile" +"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-update.secure infile=cds-update.secure.db.in zonefile=cds-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cds-kskonly.secure infile=cds-kskonly.secure.db.in zonefile=cds-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cds-kskonly.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in zonefile=cds-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=cdnskey.secure infile=cdnskey.secure.db.in zonefile=cdnskey.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-x.secure infile=cdnskey.secure.db.in @@ -266,34 +264,34 @@ zonefile=cdnskey-x.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile" -"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1 +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" >"$zonefile" +"$SIGNER" -g -x -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-update.secure infile=cdnskey-update.secure.db.in zonefile=cdnskey-update.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 zone=cdnskey-kskonly.secure infile=cdnskey-kskonly.secure.db.in zonefile=cdnskey-kskonly.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +keyfile_to_key_id "$key1" >cdnskey-kskonly.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in zonefile=cdnskey-auto.secure.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" zone=updatecheck-kskonly.secure infile=template.secure.db.in @@ -301,14 +299,14 @@ zonefile=${zone}.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") # Save key id's for checking active key usage -keyfile_to_key_id "$key1" > $zone.ksk.id -keyfile_to_key_id "$key2" > $zone.zsk.id -echo "${key1}" > $zone.ksk.key -echo "${key2}" > $zone.zsk.key +keyfile_to_key_id "$key1" >$zone.ksk.id +keyfile_to_key_id "$key2" >$zone.zsk.id +echo "${key1}" >$zone.ksk.key +echo "${key2}" >$zone.zsk.key # Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" +sed 's/DNSKEY/CDNSKEY/' "$key1.key" >"$key1.cdnskey" +"$DSFROMKEY" -C "$key1.key" >"$key1.cds" +cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" >"$zonefile" # Don't sign, let auto-dnssec maintain do it. mv $zonefile "$zonefile.signed" @@ -317,8 +315,8 @@ infile=hours-vs-days.db.in zonefile=hours-vs-days.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -$SETTIME -P sync now "$key1" > /dev/null -cat "$infile" > "$zonefile.signed" +$SETTIME -P sync now "$key1" >/dev/null +cat "$infile" >"$zonefile.signed" # # Negative result from this zone should come back as insecure. @@ -328,5 +326,5 @@ infile=too-many-iterations.db.in zonefile=too-many-iterations.db key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1 +cat "$infile" "$key1.key" "$key2.key" >"$zonefile" +"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index cdc6e02..680cff5 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index ec39308..883e067 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -47,3 +47,8 @@ rrsigonly A 10.0.0.29 cnameandkey CNAME @ cnamenokey CNAME @ dnameandkey DNAME @ + +mixedcase A 10.0.0.30 +mixedCASE TXT "mixed case" +MIXEDcase AAAA 2002:: +mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f56edb2..14fc709 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -19,61 +19,60 @@ set -e echo_i "ns3/sign.sh" infile=key.db.in -for tld in managed trusted -do - # A secure zone to test. - zone=secure.${tld} - zonefile=${zone}.db - - keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname1.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that matches disabled algorithm. - zone=disabled.${tld} - zonefile=${zone}.db - - keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname2.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor that has disabled algorithm for other domain. - zone=enabled.${tld} - zonefile=${zone}.db - - keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") - cat "$infile" "$keyname3.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - # Zone to test trust anchor with unsupported algorithm. - zone=unsupported.${tld} - zonefile=${zone}.db - - keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname4.key" > "$zonefile" - "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null - awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed - - # Make trusted-keys and managed keys conf sections for ns8. - mv ${keyname4}.key ${keyname4}.tmp - awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key - - # Zone to test trust anchor that is revoked. - zone=revoked.${tld} - zonefile=${zone}.db - - keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") - cat "$infile" "$keyname5.key" > "$zonefile" - "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null - - case $tld in - "managed") - keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf - ;; - "trusted") - keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf - ;; - esac +for tld in managed trusted; do + # A secure zone to test. + zone=secure.${tld} + zonefile=${zone}.db + + keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname1.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that matches disabled algorithm. + zone=disabled.${tld} + zonefile=${zone}.db + + keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname2.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor that has disabled algorithm for other domain. + zone=enabled.${tld} + zonefile=${zone}.db + + keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone") + cat "$infile" "$keyname3.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + # Zone to test trust anchor with unsupported algorithm. + zone=unsupported.${tld} + zonefile=${zone}.db + + keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname4.key" >"$zonefile" + "$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed + + # Make trusted-keys and managed keys conf sections for ns8. + mv ${keyname4}.key ${keyname4}.tmp + awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp >${keyname4}.key + + # Zone to test trust anchor that is revoked. + zone=revoked.${tld} + zonefile=${zone}.db + + keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") + cat "$infile" "$keyname5.key" >"$zonefile" + "$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" >/dev/null + + case $tld in + "managed") + keyfile_to_initial_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/managed.conf + ;; + "trusted") + keyfile_to_static_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 >../ns8/trusted.conf + ;; + esac done echo_i "ns3/sign.sh: example zones" @@ -86,9 +85,11 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone") keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile" +cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null +cat "$zonefile" "$zonefile".signed >"$zonefile".tmp +mv "$zonefile".tmp "$zonefile".signed zone=bogus.example. infile=bogus.example.db.in @@ -96,9 +97,9 @@ zonefile=bogus.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null zone=dynamic.example. infile=dynamic.example.db.in @@ -107,9 +108,9 @@ zonefile=dynamic.example.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -o "$zone" "$zonefile" >/dev/null zone=keyless.example. infile=generic.example.db.in @@ -117,16 +118,16 @@ zonefile=keyless.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # Change the signer field of the a.b.keyless.example RRSIG A # to point to a provably nonexistent DNSKEY record. zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 mv "$zonefile.signed" "$zonefiletmp" -<"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" +"$PERL" <"$zonefiletmp" -p -e 's/ keyless.example/ b.keyless.example/ + if /^a.b.keyless.example/../A RRSIG NSEC/;' >"$zonefile.signed" rm -f "$zonefiletmp" # @@ -138,9 +139,9 @@ zonefile=secure.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # # NSEC3/NSEC3 test zone @@ -151,9 +152,9 @@ zonefile=nsec3.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -164,9 +165,9 @@ zonefile=optout.nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout). @@ -177,9 +178,9 @@ zonefile=nsec3.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC test zone @@ -190,9 +191,9 @@ zonefile=secure.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null # # OPTOUT/NSEC3 test zone @@ -203,9 +204,9 @@ zonefile=nsec3.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" "$zonefile" >/dev/null # # OPTOUT/OPTOUT test zone @@ -216,9 +217,9 @@ zonefile=optout.optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone. @@ -229,9 +230,9 @@ zonefile=optout.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" >/dev/null # # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U). @@ -242,9 +243,9 @@ zonefile=nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" >/dev/null # # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U). @@ -255,9 +256,9 @@ zonefile=optout-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" >/dev/null # # A zone that is signed with an unknown DNSKEY algorithm. @@ -269,14 +270,14 @@ zonefile=dnskey-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone that is signed with an unsupported DNSKEY algorithm (3). @@ -288,14 +289,14 @@ zonefile=dnskey-unsupported.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A zone with a published unsupported DNSKEY algorithm (Reserved). @@ -308,9 +309,9 @@ zonefile=dnskey-unsupported-2.example.db ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile" -"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null +"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -322,14 +323,14 @@ zonefile=dnskey-nsec3-unknown.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null +"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" >/dev/null -awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp >${zonefile}.signed DSFILE="dsset-${zone}." -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE" # # A multiple parameter nsec3 zone. @@ -340,20 +341,20 @@ zonefile=multiple.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC -"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3 -"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null -awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3 -"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null -cat NSEC NSEC3 >> "$zonefile".signed +"$SIGNER" -z -O full -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed >NSEC +"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >NSEC3 +"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" >/dev/null +awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >>NSEC3 +"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" >/dev/null +cat NSEC NSEC3 >>"$zonefile".signed # # A RSASHA256 zone. @@ -364,9 +365,9 @@ zonefile=rsasha256.example.db keyname=$("$KEYGEN" -q -a RSASHA256 -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A RSASHA512 zone. @@ -377,9 +378,9 @@ zonefile=rsasha512.example.db keyname=$("$KEYGEN" -q -a RSASHA512 -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A zone with the DNSKEY set only signed by the KSK @@ -390,8 +391,8 @@ zonefile=kskonly.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -x -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -x -o "$zone" "$zonefile" >/dev/null # # A zone with the expired signatures @@ -402,8 +403,8 @@ zonefile=expired.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" -s -1d -e +1h "$zonefile" >/dev/null rm -f "$kskname.*" "$zskname.*" # @@ -415,8 +416,8 @@ zonefile=update-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # A NSEC signed zone that will have auto-dnssec enabled and @@ -430,8 +431,8 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # A NSEC3 signed zone that will have auto-dnssec enabled and @@ -445,8 +446,8 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone" zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # Secure below cname test zone. @@ -455,8 +456,8 @@ zone=secure.below-cname.example. infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$keyname.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # Patched TTL test zone. @@ -468,11 +469,11 @@ signedfile=ttlpatch.example.db.signed patchedfile=ttlpatch.example.db.patched keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" > /dev/null -$CHECKZONE -D -s full "$zone" $signedfile 2> /dev/null | \ - awk '{$2 = "3600"; print}' > $patchedfile +"$SIGNER" -P -f $signedfile -o "$zone" "$zonefile" >/dev/null +$CHECKZONE -D -s full "$zone" $signedfile 2>/dev/null \ + | awk '{$2 = "3600"; print}' >$patchedfile # # Separate DNSSEC records. @@ -483,10 +484,10 @@ zonefile=split-dnssec.example.db signedfile=split-dnssec.example.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" -echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" -: > "$signedfile" -"$SIGNER" -P -D -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$keyname.key" >"$zonefile" +echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" +: >"$signedfile" +"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null # # Separate DNSSEC records smart signing. @@ -499,9 +500,9 @@ signedfile=split-smart.example.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cp "$infile" "$zonefile" # shellcheck disable=SC2016 -echo "\$INCLUDE \"$signedfile\"" >> "$zonefile" -: > "$signedfile" -"$SIGNER" -P -S -D -o "$zone" "$zonefile" > /dev/null +echo "\$INCLUDE \"$signedfile\"" >>"$zonefile" +: >"$signedfile" +"$SIGNER" -P -S -D -o "$zone" "$zonefile" >/dev/null # # Zone with signatures about to expire, but no private key to replace them @@ -513,7 +514,7 @@ signedfile="expiring.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -e now+1mi -o "$zone" "$zonefile" >/dev/null mv -f "${zskname}.private" "${zskname}.private.moved" mv -f "${kskname}.private" "${kskname}.private.moved" @@ -528,9 +529,9 @@ signedfile="upper.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" > /dev/null -$CHECKZONE -D upper.example $lower 2>/dev/null | \ - sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile +"$SIGNER" -P -S -o "$zone" -f $lower "$zonefile" >/dev/null +$CHECKZONE -D upper.example $lower 2>/dev/null \ + | sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' >$signedfile # # Check that the signer's name is in lower case when zone name is in @@ -543,7 +544,7 @@ signedfile="lower.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -S -o "$zone" "$zonefile" >/dev/null # # Zone with signatures about to expire, and dynamic, but configured @@ -556,11 +557,11 @@ signedfile="nosign.example.db.signed" kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" >/dev/null # preserve a normalized copy of the NS RRSIG for comparison later -$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ - awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ - sed 's/[ ][ ]*/ /g'> ../nosign.before +$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' \ + | sed 's/[ ][ ]*/ /g' >../nosign.before # # An inline signing zone @@ -581,7 +582,7 @@ kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -S -o "$zone" "$zonefile" >/dev/null # # A zone which will change its sig-validity-interval @@ -603,10 +604,10 @@ zonefile=badds.example.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example. +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null +sed -e 's/bogus/badds/g' <dsset-bogus.example. >dsset-badds.example. # # A zone with future signatures. @@ -616,8 +617,8 @@ infile=future.example.db.in zonefile=future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null cp -f "$kskname.key" trusted-future.key # @@ -628,8 +629,8 @@ infile=managed-future.example.db.in zonefile=managed-future.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" -"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" > /dev/null +cat "$infile" "$kskname.key" "$zskname.key" >"$zonefile" +"$SIGNER" -P -s +3600 -o "$zone" "$zonefile" >/dev/null # # A zone with a revoked key @@ -643,8 +644,8 @@ ksk1=$("$REVOKE" "$ksk1") ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3fk "$zone") zsk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -3 "$zone") -cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" > "$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null +cat "$infile" "${ksk1}.key" "${ksk2}.key" "${zsk1}.key" >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null # # Check that NSEC3 are correctly signed and returned from below a DNAME @@ -656,7 +657,7 @@ zonefile=dname-at-apex-nsec3.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -3 "$zone") cat "$infile" "${kskname}.key" "${zskname}.key" >"$zonefile" -"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null +"$SIGNER" -P -3 - -o "$zone" "$zonefile" >/dev/null # # A NSEC zone with occuded data at the delegation @@ -668,7 +669,7 @@ kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" "$zone") dnskeyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -fk "delegation.$zone") keyname=$("$KEYGEN" -q -a DH -b 1024 -n HOST -T KEY "delegation.$zone") -$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}." +$DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}." cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ - "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" -"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null + "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" +"$SIGNER" -P -o "$zone" "$zonefile" >/dev/null diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index 280217e..113e3bb 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -50,7 +50,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "corp" { diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index b01979b..56bdfe4 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in @@ -38,5 +38,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index 3a64e9d..e160d37 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -39,5 +39,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 5d3bf3f..d192ceb 100644 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -48,7 +48,7 @@ view rec { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone secure.example { diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in index ccb3de9..ef371e1 100644 --- a/bin/tests/system/dnssec/ns5/named1.conf.in +++ b/bin/tests/system/dnssec/ns5/named1.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index df0b208..65105d0 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -25,15 +25,15 @@ zonefile=root.db.signed keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") # copy the KSK out first, then revoke it -keyfile_to_initial_ds "$keyname" > revoked.conf +keyfile_to_initial_ds "$keyname" >revoked.conf -"$SETTIME" -R now "${keyname}.key" > /dev/null +"$SETTIME" -R now "${keyname}.key" >/dev/null # create a current set of keys, and sign the root zone -"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone > /dev/null -"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone > /dev/null -"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" > /dev/null 2>&1 +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" $zone >/dev/null +"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK $zone >/dev/null +"$SIGNER" -S -o "$zone" -f "$zonefile" "$infile" >/dev/null 2>&1 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in index 4bdc79c..2818b79 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.in +++ b/bin/tests/system/dnssec/ns6/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "optout-tld" { diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 6102e52..e3ff2d2 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -24,6 +24,6 @@ zonefile=optout-tld.db keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.in index 55cbec9..b352846 100644 --- a/bin/tests/system/dnssec/ns7/named.conf.in +++ b/bin/tests/system/dnssec/ns7/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "nsec3.example" { diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh index 551b217..5e30050 100644 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ b/bin/tests/system/dnssec/ns7/sign.sh @@ -25,7 +25,7 @@ zonefile=split-rrsig.db k1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$k1.key" "$k2.key" > "$zonefile" +cat "$infile" "$k1.key" "$k2.key" >"$zonefile" # The awk script below achieves two goals: # @@ -37,8 +37,8 @@ cat "$infile" "$k1.key" "$k2.key" > "$zonefile" # - it places a copy of one of the RRSIG(SOA) records somewhere else than at the # zone apex; the test then checks whether such signatures are automatically # removed from the zone after it is loaded. -"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" >/dev/null 2>&1 awk 'BEGIN { r = ""; } $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } { print } - END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed" + END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" >"$zonefile.signed" diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in index d0278ca..2590de1 100644 --- a/bin/tests/system/dnssec/ns8/named.conf.in +++ b/bin/tests/system/dnssec/ns8/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "managed.conf"; diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh new file mode 100644 index 0000000..32889aa --- /dev/null +++ b/bin/tests/system/dnssec/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 6aa0cd0..db0913d 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -32,21 +32,21 @@ copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns9/named.conf.in ns9/named.conf ( - cd ns1 - $SHELL sign.sh - { - echo "a.bogus.example. A 10.0.0.22" - echo "b.bogus.example. A 10.0.0.23" - echo "c.bogus.example. A 10.0.0.23" - } >>../ns3/bogus.example.db.signed + cd ns1 + $SHELL sign.sh + { + echo "a.bogus.example. A 10.0.0.22" + echo "b.bogus.example. A 10.0.0.23" + echo "c.bogus.example. A 10.0.0.23" + } >>../ns3/bogus.example.db.signed ) ( - cd ns3 - cp -f siginterval1.conf siginterval.conf + cd ns3 + cp -f siginterval1.conf siginterval.conf ) ( - cd ns5 - $SHELL sign.sh + cd ns5 + $SHELL sign.sh ) diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 97bffb5..02040b9 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -22,41 +22,41 @@ n=1 rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } dig_with_additionalopts() { - "$DIG" +noall +additional +dnssec -p "$PORT" "$@" + "$DIG" +noall +additional +dnssec -p "$PORT" "$@" } dig_with_answeropts() { - "$DIG" +noall +answer +dnssec -p "$PORT" "$@" + "$DIG" +noall +answer +dnssec -p "$PORT" "$@" } delv_with_opts() { - "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" + "$DELV" -a ns1/trusted.conf -p "$PORT" "$@" } rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # TODO: Move loadkeys_on to conf.sh.common dnssec_loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run > /dev/null - rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run >/dev/null + rndccmd 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" ns${nsidx}/named.run || return 1 } # convert private-type records to readable form -showprivate () { - echo "-- $* --" - dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' | - while read -r record; do - # shellcheck disable=SC2016 - $PERL -e 'my $rdata = pack("H*", @ARGV[0]); +showprivate() { + echo "-- $* --" + dig_with_opts +nodnssec +short "@$2" -t type65534 "$1" | cut -f3 -d' ' \ + | while read -r record; do + # shellcheck disable=SC2016 + $PERL -e 'my $rdata = pack("H*", @ARGV[0]); die "invalid record" unless length($rdata) == 5; my ($alg, $key, $remove, $complete) = unpack("CnCC", $rdata); my $action = "signing"; @@ -64,40 +64,40 @@ showprivate () { my $state = " (incomplete)"; $state = " (complete)" if $complete; print ("$action: alg: $alg, key: $key$state\n");' "$record" - done + done } # check that signing records are marked as complete -checkprivate () { - for i in 1 2 3 4 5 6 7 8 9 10; do - showprivate "$@" | grep -q incomplete || return 0 - sleep 1 - done - echo_d "$1 signing incomplete" - return 1 +checkprivate() { + for i in 1 2 3 4 5 6 7 8 9 10; do + showprivate "$@" | grep -q incomplete || return 0 + sleep 1 + done + echo_d "$1 signing incomplete" + return 1 } # check that a zone file is raw format, version 0 -israw0 () { - # shellcheck disable=SC2016 - < "$1" $PERL -e 'binmode STDIN; +israw0() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); exit 1 if ($style != 2 || $version != 0);' || return $? } # check that a zone file is raw format, version 1 -israw1 () { - # shellcheck disable=SC2016 - < "$1" $PERL -e 'binmode STDIN; +israw1() { + # shellcheck disable=SC2016 + $PERL <"$1" -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); exit 1 if ($style != 2 || $version != 1);' || return $? } # strip NS and RRSIG NS from input -stripns () { - awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" +stripns() { + awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' "$1" } # @@ -106,8 +106,8 @@ stripns () { # "Negative trust anchors:". # Ensure there is not a blank line before "Secure roots:". # -check_secroots_layout () { - awk '$0 == "" { if (empty) exit(1); empty=1; next } +check_secroots_layout() { + awk '$0 == "" { if (empty) exit(1); empty=1; next } /Start view/ { if (!empty) exit(1) } /Secure roots:/ { if (empty) exit(1) } /Negative trust anchors:/ { if (!empty) exit(1) } @@ -119,781 +119,803 @@ check_secroots_layout () { # in the additional section echo_i "checking that additional glue is returned for unsigned delegation ($n)" ret=0 -$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +$DIG +tcp +dnssec -p "$PORT" a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ns\\.insecure\\.example\\..*A.10\\.53\\.0\\.3" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Check the example. domain echo_i "checking that zone transfer worked ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 - dig_with_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 + dig_with_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -digcomp dig.out.ns2.test$n dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +digcomp dig.out.ns2.test$n dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +adflag asks for authentication (ad in response) echo_i "checking AD bit asking for validation ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +adflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # test AD bit: # - dig +noadflag echo_i "checking that AD is not set without +adflag or +dnssec ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +noadd +nodnssec +noadflag a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking for AD in authoritative answer ($n)" ret=0 -dig_with_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" ret=0 -grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1 -grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1 -grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - ret=0 - echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" - "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1 - grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 +grep "fetch: example/DS" ns4/named.run >/dev/null && ret=1 +grep "validating example/DS: starting" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + ret=0 + echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)" + "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example >delv.out$n || ret=1 + grep "a.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 - grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1 + grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) SP="[[:space:]]+" -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 - grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.optout.example >delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""A""$SP""10.0.0.1" delv.out$n || ret=1 + grep -Eq "^a\\.optout\\.example\\.""$SP""[0-9]+""$SP""IN""$SP""RRSIG""$SP""A""$SP""$DEFAULT_ALGORITHM_NUMBER""$SP""3""$SP""300" delv.out$n || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation NSEC ($n)" ret=0 -dig_with_opts a.wild.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n > /dev/null || ret=1 -grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1 - grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 - grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "\\*\\.wild\\.example\\..*RRSIG NSEC" dig.out.ns4.test$n >/dev/null || ret=1 +grep "\\*\\.wild\\.example\\..*NSEC z\\.example" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.example >delv.out$n || ret=1 + grep "a.wild.example..*10.0.0.27" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive wildcard answer NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 4," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive wildcard validation NSEC3 ($n)" ret=0 -dig_with_opts a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n +dig_with_opts a.wild.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts a.wild.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 - grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.nsec3.example >delv.out$n || ret=1 + grep -E "a.wild.nsec3.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 + grep -E "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking positive wildcard validation OPTOUT ($n)" ret=0 dig_with_opts a.wild.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts a.wild.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n -stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +stripns dig.out.ns3.test$n >dig.out.ns3.stripped.test$n +stripns dig.out.ns4.test$n >dig.out.ns4.stripped.test$n digcomp dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 - grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.wild.optout.example >delv.out$n || ret=1 + grep "a.wild.optout.example..*10.0.0.6" delv.out$n >/dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NXDOMAIN NSEC ($n)" ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi +echo_i "checking RRSIG covered type in negative cache entry ($n)" +ret=0 +rndc_dumpdb ns4 +grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "checking negative validation NXDOMAIN NSEC3 ($n)" ret=0 dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth q.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NXDOMAIN OPTOUT ($n)" ret=0 dig_with_opts +noauth q.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth q.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative validation NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt a.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation NSEC ($n)" ret=0 -dig_with_opts b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -dig_with_opts b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +dig_with_opts b.wild.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation NSEC3 ($n)" ret=0 -dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 +dig_with_opts b.wild.nsec3.example. @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.wild.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking negative wildcard validation OPTOUT ($n)" ret=0 dig_with_opts b.wild.optout.example. \ - @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 + @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 dig_with_opts b.wild.optout.example. \ - @10.53.0.4 txt > dig.out.ns4.test$n || ret=1 + @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxrrset" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 txt b.optout.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxrrset" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Check the insecure.example domain echo_i "checking 1-server insecurity proof NSEC ($n)" ret=0 -dig_with_opts +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 - grep "a.insecure.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.example >delv.out$n || ret=1 + grep "a.insecure.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server insecurity proof NSEC3 ($n)" ret=0 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.nsec3.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 - grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.nsec3.example >delv.out$n || ret=1 + grep "a.insecure.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server insecurity proof OPTOUT ($n)" ret=0 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.insecure.optout.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 - grep "a.insecure.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a a.insecure.optout.example >delv.out$n || ret=1 + grep "a.insecure.optout.example..*10.0.0.1" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof NSEC ($n)" ret=0 dig_with_opts q.insecure.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof NSEC3 ($n)" ret=0 dig_with_opts q.insecure.nsec3.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.nsec3.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.nsec3.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof OPTOUT ($n)" ret=0 dig_with_opts q.insecure.optout.example. a @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts q.insecure.optout.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" - delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: ncache nxdomain" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" + delv_with_opts @10.53.0.4 a q.insecure.optout.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: ncache nxdomain" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking 1-server negative insecurity proof with SOA hack NSEC ($n)" ret=0 dig_with_opts r.insecure.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof with SOA hack NSEC3 ($n)" ret=0 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.nsec3.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 1-server negative insecurity proof with SOA hack OPTOUT ($n)" ret=0 dig_with_opts r.insecure.optout.example. soa @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 + >dig.out.ns3.test$n || ret=1 dig_with_opts r.insecure.optout.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "0 IN SOA" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "0 IN SOA" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the secure.example domain echo_i "checking multi-stage positive validation NSEC/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) + +echo_i "checking mixed-case positive validation ($n)" +ret=0 +for type in a txt aaaa loc; do + dig_with_opts +noauth mixedcase.secure.example. \ + @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1 + dig_with_opts +noauth mixedcase.secure.example. \ + @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1 + digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1 + grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1 + grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1 +done +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation NSEC3/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC ($n)" ret=0 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.secure.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking multi-stage positive validation OPTOUT/OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking empty NODATA OPTOUT ($n)" ret=0 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth empty.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 #grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the bogus domain echo_i "checking failed validation ($n)" ret=0 -dig_with_opts a.bogus.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.bogus.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking failed validation using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: RRSIG failed to verify" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking failed validation using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.bogus.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: RRSIG failed to verify" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi # Try validating with a bad trusted key. @@ -901,69 +923,69 @@ fi echo_i "checking that validation fails with a misconfigured trusted key ($n)" ret=0 -dig_with_opts example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" ret=0 -dig_with_opts example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" ret=0 -dig_with_opts a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation fails when key record is missing ($n)" ret=0 -dig_with_opts a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking that validation fails when key record is missing using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking that validation fails when key record is missing using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 a a.b.keyless.example >delv.out$n 2>&1 || ret=1 + grep "resolution failed: insecurity proof failed" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "checking that validation succeeds when a revoked key is encountered ($n)" ret=0 -dig_with_opts revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -if [ -x "${DELV}" ] ; then - ret=0 - echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" - delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 - grep "fully validated" delv.out$n > /dev/null || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +dig_with_opts revkey.example soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags: .* ad" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +if [ -x "${DELV}" ]; then + ret=0 + echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" + delv_with_opts +cd @10.53.0.4 soa revkey.example >delv.out$n 2>&1 || ret=1 + grep "fully validated" delv.out$n >/dev/null || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi echo_i "Checking that a bad CNAME signature is caught after a +CD query ($n)" ret=0 #prime -dig_with_opts +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd bad-cname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="a.example. 10.0.0.1" @@ -971,16 +993,16 @@ ans=$(dig_with_opts +cd +nodnssec +short bad-cname.example. @10.53.0.4) || ret=1 test "$ans" = "$expect" || ret=1 test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +nodnssec bad-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "Checking that a bad DNAME signature is caught after a +CD query ($n)" ret=0 #prime -dig_with_opts +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1 +dig_with_opts +cd a.bad-dname.example. @10.53.0.4 >dig.out.ns4.prime$n || ret=1 #check: requery with +CD. pending data should be returned even if it's bogus expect="example. a.example. @@ -989,436 +1011,435 @@ ans=$(dig_with_opts +cd +nodnssec +short a.bad-dname.example. @10.53.0.4) || ret test "$ans" = "$expect" || ret=1 test "$ret" -eq 0 || echo_i "failed, got '$ans', expected '$expect'" #check: requery without +CD. bogus cached data should be rejected. -dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +nodnssec a.bad-dname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check the insecure.secure.example domain (insecurity proof) echo_i "checking 2-server insecurity proof ($n)" ret=0 dig_with_opts +noauth a.insecure.secure.example. @10.53.0.2 a \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth a.insecure.secure.example. @10.53.0.4 a \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check a negative response in insecure.secure.example echo_i "checking 2-server insecurity proof with a negative answer ($n)" ret=0 -dig_with_opts q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \ - || ret=1 -dig_with_opts q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ - || ret=1 +dig_with_opts q.insecure.secure.example. @10.53.0.2 a >dig.out.ns2.test$n \ + || ret=1 +dig_with_opts q.insecure.secure.example. @10.53.0.4 a >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking 2-server insecurity proof with a negative answer and SOA hack ($n)" ret=0 -dig_with_opts r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \ - || ret=1 -dig_with_opts r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \ - || ret=1 +dig_with_opts r.insecure.secure.example. @10.53.0.2 soa >dig.out.ns2.test$n \ + || ret=1 +dig_with_opts r.insecure.secure.example. @10.53.0.4 soa >dig.out.ns4.test$n \ + || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the query for a security root is successful and has ad set echo_i "checking security root query ($n)" ret=0 -dig_with_opts . @10.53.0.4 key > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts . @10.53.0.4 key >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the setting the cd bit works echo_i "checking cd bit on a positive answer ($n)" ret=0 dig_with_opts +noauth example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a negative answer ($n)" ret=0 -dig_with_opts q.example. soa @10.53.0.4 > dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 +dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking insecurity proof works using negative cache ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 -do - dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1 - if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then - break - fi - sleep 1 +dig_with_opts +cd @10.53.0.4 insecure.example. ds >dig.out.ns4.test$n.1 || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do + dig_with_opts @10.53.0.4 nonexistent.insecure.example. >dig.out.ns4.test$n.2 || ret=1 + if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then + break + fi + sleep 1 done grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation RSASHA256 NSEC ($n)" ret=0 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha256.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation RSASHA512 NSEC ($n)" ret=0 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.rsasha512.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation with KSK-only DNSKEY signature ($n)" ret=0 -dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.kskonly.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a query that should fail ($n)" ret=0 dig_with_opts a.bogus.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on an insecurity proof ($n)" ret=0 dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cd bit on a negative insecurity proof ($n)" ret=0 dig_with_opts q.insecure.example. a @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \ - > dig.out.ns5.test$n || ret=1 + >dig.out.ns5.test$n || ret=1 digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 # Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query works ($n)" ret=0 -dig_with_opts +noauth foo.example. any @10.53.0.2 > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth foo.example. any @10.53.0.4 > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth foo.example. any @10.53.0.4 >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # 2 records in the zone, 1 NXT, 3 SIGs -grep "ANSWER: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of a query returning a CNAME works ($n)" ret=0 dig_with_opts +noauth cname1.example. txt @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth cname1.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # the CNAME & its sig, the TXT and its SIG -grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of a query returning a DNAME works ($n)" ret=0 dig_with_opts +noauth foo.dname1.example. txt @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.dname1.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # The DNAME & its sig, the TXT and its SIG, and the synthesized CNAME. # It would be nice to test that the CNAME is being synthesized by the # recursive server and not cached, but I don't know how. -grep "ANSWER: 5" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 5" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query returning a CNAME works ($n)" ret=0 dig_with_opts +noauth cname2.example. any @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth cname2.example. any @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 # The CNAME, NXT, and their SIGs -grep "ANSWER: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that validation of an ANY query returning a DNAME works ($n)" ret=0 dig_with_opts +noauth foo.dname2.example. any @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.dname2.example. any @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 + >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that lookups succeed after disabling an algorithm ($n)" ret=0 dig_with_opts +noauth example. SOA @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 + >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth example. SOA @10.53.0.6 \ - > dig.out.ns6.test$n || ret=1 + >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 # Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns6.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking a non-cachable NODATA works ($n)" ret=0 dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.7 \ - > dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 + >dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 dig_with_opts +noauth a.nosoa.secure.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking a non-cachable NXDOMAIN works ($n)" ret=0 dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.7 \ - > dig.out.ns7.test$n || ret=1 -grep "AUTHORITY: 0" dig.out.ns7.test$n > /dev/null || ret=1 + >dig.out.ns7.test$n || ret=1 +grep "AUTHORITY: 0" dig.out.ns7.test$n >/dev/null || ret=1 dig_with_opts +noauth b.nosoa.secure.example. txt @10.53.0.4 \ - > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can load a rfc2535 signed zone ($n)" ret=0 dig_with_opts rfc2535.example. SOA @10.53.0.2 \ - > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can transfer a rfc2535 signed zone ($n)" ret=0 dig_with_opts rfc2535.example. SOA @10.53.0.3 \ - > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "basic dnssec-signzone checks:" echo_ic "two DNSKEYs ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test1.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test1.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "one non-KSK DNSKEY ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test2.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test2.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "one KSK DNSKEY ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test3.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test3.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "three DNSKEY ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test4.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test4.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "three DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test5.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test5.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "four DNSKEY ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test6.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test6.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "two DNSKEY, both private keys missing ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test7.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test7.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "two DNSKEY, one private key missing ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -o example.com. test8.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -o example.com. test8.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone rejects excessive NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 0 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 0 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 151 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_ic "check that dnssec-signzone accepts maximum NSEC3 iterations ($n)" ret=0 ( -cd signer/general || exit 1 -rm -f signed.zone -$SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone > signer.out.$n -test -f signed.zone + cd signer/general || exit 1 + rm -f signed.zone + $SIGNER -f signed.zone -3 - -H 150 -o example.com. test9.zone >signer.out.$n + test -f signed.zone ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) get_default_algorithm_key_ids_from_sigs() { - zone=$1 + zone=$1 - awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' + awk -v alg=$DEFAULT_ALGORITHM_NUMBER ' NF < 8 { next } $(NF-5) != "RRSIG" { next } $(NF-3) != alg { next } @@ -1441,64 +1462,64 @@ zsk2=$("$KEYGEN" -K signer -q -a $DEFAULT_ALGORITHM -n zone "$zone") zskid1=$(keyfile_to_key_id "$zsk1") zskid2=$(keyfile_to_key_id "$zsk2") ( -cd signer || exit 1 -# Set times such that the current set of keys are introduced 60 days ago and -# start signing now. The successor key is prepublished now and will be active -# next day. -$SETTIME -P now-60d -A now $ksk > /dev/null -$SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 > /dev/null -$SETTIME -S $zsk1 -i 1h $zsk2.key > /dev/null -$SETTIME -P now -A now+1d $zsk2.key > /dev/null -# Sign the zone with initial keys and prepublish successor. The zone signatures -# are valid for 30 days and the DNSKEY signature is valid for 60 days. -cp -f $zone.db.in $zone.db -$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null -echo "\$INCLUDE \"$zone.db.signed\"" >> $zone.db + cd signer || exit 1 + # Set times such that the current set of keys are introduced 60 days ago and + # start signing now. The successor key is prepublished now and will be active + # next day. + $SETTIME -P now-60d -A now $ksk >/dev/null + $SETTIME -P now-60d -A now -I now+1d -D now+60d $zsk1 >/dev/null + $SETTIME -S $zsk1 -i 1h $zsk2.key >/dev/null + $SETTIME -P now -A now+1d $zsk2.key >/dev/null + # Sign the zone with initial keys and prepublish successor. The zone signatures + # are valid for 30 days and the DNSKEY signature is valid for 60 days. + cp -f $zone.db.in $zone.db + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null + echo "\$INCLUDE \"$zone.db.signed\"" >>$zone.db ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed: missing signatures from key $zskid1" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-signzone retains signatures of predecessor zsk ($n)" ret=0 zone=prepub ( -cd signer || exit 1 -# Roll the ZSK. The predecessor is inactive from now on and the successor is -# activated. The zone signatures are valid for 30 days and the DNSKEY -# signature is valid for 60 days. Because of the predecessor/successor -# relationship, the signatures of the predecessor are retained and no new -# signatures with the successor should be generated. -$SETTIME -A now-30d -I now -D now+30d $zsk1 > /dev/null -$SETTIME -A now $zsk2 > /dev/null -$SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db > /dev/null + cd signer || exit 1 + # Roll the ZSK. The predecessor is inactive from now on and the successor is + # activated. The zone signatures are valid for 30 days and the DNSKEY + # signature is valid for 60 days. Because of the predecessor/successor + # relationship, the signatures of the predecessor are retained and no new + # signatures with the successor should be generated. + $SETTIME -A now-30d -I now -D now+30d $zsk1 >/dev/null + $SETTIME -A now $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -o $zone $zone.db >/dev/null ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null && ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-signzone swaps zone signatures after interval ($n)" ret=0 zone=prepub ( -cd signer || exit 1 -# After some time the signatures should be replaced. When signing, set the -# interval to 30 days plus one second, meaning all predecessor signatures -# are within the refresh interval and should be replaced with successor -# signatures. -$SETTIME -A now-50d -I now-20d -D now+10d $zsk1 > /dev/null -$SETTIME -A now-20d $zsk2 > /dev/null -$SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db > /dev/null + cd signer || exit 1 + # After some time the signatures should be replaced. When signing, set the + # interval to 30 days plus one second, meaning all predecessor signatures + # are within the refresh interval and should be replaced with successor + # signatures. + $SETTIME -A now-50d -I now-20d -D now+10d $zsk1 >/dev/null + $SETTIME -A now-20d $zsk2 >/dev/null + $SIGNER -SDx -e +2592000 -X +5184000 -i 2592001 -o $zone $zone.db >/dev/null ) -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid1$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$zskid2$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" ret=0 @@ -1506,40 +1527,40 @@ zone=example # If dnssec-keygen fails, the test script will exit immediately. Prevent that # from happening, and also trigger a test failure if dnssec-keygen unexpectedly # succeeds, by using "&& ret=1". -$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1 +$KEYGEN -a 255 $zone >dnssectools.out.test$n 2>&1 && ret=1 grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a DS record cannot be generated for a key using an unsupported algorithm ($n)" ret=0 zone=example # Fake an unsupported algorithm key unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key # If dnssec-dsfromkey fails, the test script will exit immediately. Prevent # that from happening, and also trigger a test failure if dnssec-dsfromkey # unexpectedly succeeds, by using "&& ret=1". -$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +$DSFROMKEY ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" ret=0 ret=0 -cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db +cat signer/example.db.in "${unsupportedkey}.key" >signer/example.db # If dnssec-signzone fails, the test script will exit immediately. Prevent that # from happening, and also trigger a test failure if dnssec-signzone # unexpectedly succeeds, by using "&& ret=1". -$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +$SIGNER -o example signer/example.db ${unsupportedkey} >dnssectools.out.test$n 2>&1 && ret=1 grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can sign a zone with out-of-zone records ($n)" ret=0 @@ -1547,13 +1568,13 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db example.db >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)" ret=0 @@ -1561,10 +1582,10 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -3 - -H 10 -o example -f example.db example.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) @@ -1572,13 +1593,13 @@ awk '/^IQF9LQTLK/ { printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)" ret=0 @@ -1586,11 +1607,11 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example3.db -echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >> example3.db -$SIGNER -3 - -A -H 10 -o example -f example3.db example3.db > /dev/null -awk '/^IQF9LQTLK/ { + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example3.db + echo "some.empty.nonterminal.nodes.example 60 IN NS ns.example.tld" >>example3.db + $SIGNER -3 - -A -H 10 -o example -f example3.db example3.db >/dev/null + awk '/^IQF9LQTLK/ { printf("%s", $0); while (!index($0, ")")) { if (getline <= 0) @@ -1598,13 +1619,13 @@ awk '/^IQF9LQTLK/ { printf (" %s", $0); } printf("\n"); - }' example.db | sed 's/[ ][ ]*/ /g' > nsec3param.out + }' example.db | sed 's/[ ][ ]*/ /g' >nsec3param.out -grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out > /dev/null + grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - ( IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM )" nsec3param.out >/dev/null ) || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)" ret=0 @@ -1612,16 +1633,16 @@ zone=example key1=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) key2=$($KEYGEN -K signer -q -f KSK -a $DEFAULT_ALGORITHM -n zone $zone) ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -o example -f example.db.before example.db > /dev/null -sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed -$SIGNER -o example -f example.db.after example.db.changed > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -o example -f example.db.before example.db >/dev/null + sed 's/60.IN.SOA./50 IN SOA /' example.db.before >example.db.changed + $SIGNER -o example -f example.db.after example.db.changed >/dev/null ) -grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after > /dev/null || ret=1 -n=$((n+1)) +grep "SOA $DEFAULT_ALGORITHM_NUMBER 1 50" signer/example.db.after >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)" ret=0 @@ -1632,160 +1653,160 @@ keyid2=$(keyfile_to_key_id "$key2") key3=$($KEYGEN -K signer -q -a $DEFAULT_ALGORITHM -n zone $zone) keyid3=$(keyfile_to_key_id "$key3") ( -cd signer || exit 1 -cat example.db.in "$key1.key" "$key2.key" > example.db -$SIGNER -D -o example example.db > /dev/null - -# now switch out key2 for key3 and resign the zone -cat example.db.in "$key1.key" "$key3.key" > example.db -echo "\$INCLUDE \"example.db.signed\"" >> example.db -$SIGNER -D -o example example.db > /dev/null + cd signer || exit 1 + cat example.db.in "$key1.key" "$key2.key" >example.db + $SIGNER -D -o example example.db >/dev/null + + # now switch out key2 for key3 and resign the zone + cat example.db.in "$key1.key" "$key3.key" >example.db + echo "\$INCLUDE \"example.db.signed\"" >>example.db + $SIGNER -D -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -R purges signatures from removed keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -RD -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -RD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone keeps valid signatures from inactive keys ($n)" ret=0 zone=example ( -cd signer || exit 1 -cp -f example.db.in example.db -$SIGNER -SD -o example example.db > /dev/null -echo "\$INCLUDE \"example.db.signed\"" >> example.db -# now retire key2 and resign the zone -$SETTIME -I now "$key2" > /dev/null 2>&1 -$SIGNER -SD -o example example.db > /dev/null + cd signer || exit 1 + cp -f example.db.in example.db + $SIGNER -SD -o example example.db >/dev/null + echo "\$INCLUDE \"example.db.signed\"" >>example.db + # now retire key2 and resign the zone + $SETTIME -I now "$key2" >/dev/null 2>&1 + $SIGNER -SD -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null || ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -Q purges signatures from inactive keys ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -SDQ -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -SDQ -o example example.db >/dev/null ) || ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" > /dev/null && ret=1 -get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" > /dev/null || ret=1 -n=$((n+1)) +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid2$" >/dev/null && ret=1 +get_default_algorithm_key_ids_from_sigs $zone | grep "^$keyid3$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone retains unexpired signatures ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -Sxt -o example example.db > signer.out.1 -$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 + cd signer || exit 1 + $SIGNER -Sxt -o example example.db >signer.out.1 + $SIGNER -Sxt -o example -f example.db.signed example.db.signed >signer.out.2 ) || ret=1 gen1=$(awk '/generated/ {print $3}' signer/signer.out.1) retain1=$(awk '/retained/ {print $3}' signer/signer.out.1) gen2=$(awk '/generated/ {print $3}' signer/signer.out.2) retain2=$(awk '/retained/ {print $3}' signer/signer.out.2) drop2=$(awk '/dropped/ {print $3}' signer/signer.out.2) -[ "$retain2" -eq $((gen1+retain1)) ] || ret=1 +[ "$retain2" -eq $((gen1 + retain1)) ] || ret=1 [ "$gen2" -eq 0 ] || ret=1 [ "$drop2" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) ($n)" ret=0 ( -cd signer || exit 1 -# remove NSEC-only keys -rm -f Kexample.+005* -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + # remove NSEC-only keys + rm -f Kexample.+005* + cp -f example.db.in example2.db + cat <<EOF >>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <<EOF >>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) ($n)" ret=0 ( -cd signer || exit 1 -rm -f example2.db.signed -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + rm -f example2.db.signed + cp -f example.db.in example2.db + cat <<EOF >>example2.db sub1.example. IN A 10.53.0.1 ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -touch example2.db.signed -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + touch example2.db.signed + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 || ret=1 +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 || ret=1 ( -cd signer || exit 1 -cp -f example.db.in example2.db -cat << EOF >> example2.db + cd signer || exit 1 + cp -f example.db.in example2.db + cat <<EOF >>example2.db sub1.example. IN NS sub1.example. sub1.example. IN A 10.53.0.1 sub2.example. IN NS ns.sub2.example. ns.sub2.example. IN A 10.53.0.2 EOF -echo "\$INCLUDE \"example2.db.signed\"" >> example2.db -$SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db > /dev/null + echo "\$INCLUDE \"example2.db.signed\"" >>example2.db + $SIGNER -DS -3 feedabee -O full -f example2.db.signed -o example example2.db >/dev/null ) || ret=1 -grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed > /dev/null 2>&1 && ret=1 -n=$((n+1)) +grep "^sub1\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +grep "^ns\\.sub2\\.example\\..*RRSIG[ ]A[ ]" signer/example2.db.signed >/dev/null 2>&1 && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone output format ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f - -Sxt -o example example.db > signer.out.3 2> /dev/null -$SIGNER -O text -f - -Sxt -o example example.db > signer.out.4 2> /dev/null -$SIGNER -O raw -f signer.out.5 -Sxt -o example example.db > /dev/null -$SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null -$SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null + cd signer || exit 1 + $SIGNER -O full -f - -Sxt -o example example.db >signer.out.3 2>/dev/null + $SIGNER -O text -f - -Sxt -o example example.db >signer.out.4 2>/dev/null + $SIGNER -O raw -f signer.out.5 -Sxt -o example example.db >/dev/null + $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db >/dev/null + $SIGNER -O raw -f - -Sxt -o example example.db >signer.out.7 2>/dev/null ) || ret=1 awk 'BEGIN { found = 0; } $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } @@ -1796,46 +1817,46 @@ awk 'BEGIN { found = 0; } israw1 signer/signer.out.5 || ret=1 israw0 signer/signer.out.6 || ret=1 israw1 signer/signer.out.7 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking TTLs are capped by dnssec-signzone -M ($n)" ret=0 ( -cd signer || exit 1 -$SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db > /dev/null + cd signer || exit 1 + $SIGNER -O full -f signer.out.8 -S -M 30 -o example example.db >/dev/null ) || ret=1 awk '/^;/ { next; } $2 > 30 { exit 1; }' signer/signer.out.8 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking dnssec-signzone -N date ($n)" ret=0 ( -cd signer || exit 1 -TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db > /dev/null + cd signer || exit 1 + TZ=UTC $SIGNER -O full -f signer.out.9 -S -N date -o example example2.db >/dev/null ) || ret=1 # shellcheck disable=SC2016 now=$(TZ=UTC $PERL -e '@lt=localtime(); printf "%.4d%0.2d%0.2d00\n",$lt[5]+1900,$lt[4]+1,$lt[3];') serial=$(awk '/^;/ { next; } $4 == "SOA" { print $7 }' signer/signer.out.9) [ "$now" -eq "$serial" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validated data are not cached longer than originalttl ($n)" ret=0 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1 -grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "3600.IN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "300.IN" dig.out.ns3.test$n >/dev/null && ret=1 +grep "300.IN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "3600.IN" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Test that "rndc secroots" is able to dump trusted keys echo_i "checking rndc secroots ($n)" @@ -1846,27 +1867,27 @@ cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 linecount=$(grep -c "./$DEFAULT_ALGORITHM/$keyid ; static" named.secroots.test$n || true) [ "$linecount" -eq 1 ] || ret=1 -linecount=$(< named.secroots.test$n wc -l) +linecount=$(wc <named.secroots.test$n -l) [ "$linecount" -eq 10 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check direct query for RRSIG. If we first ask for normal (non RRSIG) # record, the corresponding RRSIG should be cached and subsequent query # for RRSIG will be returned with the cached record. echo_i "checking RRSIG query from cache ($n)" ret=0 -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1 +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a >/dev/null || ret=1 ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1 -expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ) || ret=1 +expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A') || ret=1 test "$ans" = "$expect" || ret=1 # also check that RA is set -dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check direct query for RRSIG: If it's not cached with other records, # it should result in an empty response. @@ -1875,70 +1896,70 @@ ret=0 ans=$(dig_with_opts +short rrsigonly.secure.example. @10.53.0.4 rrsig) || ret=1 test -z "$ans" || ret=1 # also check that RA is cleared -dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig > dig.out.ns4.test$n || ret=1 -grep "flags:.*ra.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts rrsigonly.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1 +grep "flags:.*ra.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT21868 regression test. # echo_i "checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters ($n)" ret=0 -dig_with_opts non-exist.badparam. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts non-exist.badparam. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # RT22007 regression test. # echo_i "checking optout NSEC3 referral with only insecure delegations ($n)" ret=0 -dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec delegation.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)" ret=0 -dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec nonexist.single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking optout NSEC3 nodata with only insecure delegations ($n)" ret=0 -dig_with_opts +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +norec single-nsec3. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a zone finishing the transition from $ALTERNATIVE_ALGORITHM to $DEFAULT_ALGORITHM validates secure ($n)" ret=0 -dig_with_opts ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts ns algroll. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validate-except in an insecure local domain ($n)" ret=0 -dig_with_opts ns www.corp @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts ns www.corp @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive and negative validation with negative trust anchors ($n)" ret=0 @@ -1946,16 +1967,16 @@ ret=0 # # check correct initial behavior # -dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking initial state"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # @@ -1965,48 +1986,48 @@ rndccmd 10.53.0.4 nta -f -l 20s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i # reconfig should maintain NTAs rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +lines=$(wc -l <rndc.out.ns4.test$n.1) [ "$lines" -eq 3 ] || ret=1 rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i # reload should maintain NTAs rndc_reload ns4 10.53.0.4 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 -lines=$(wc -l < rndc.out.ns4.test$n.2) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 +lines=$(wc -l <rndc.out.ns4.test$n.2) [ "$lines" -eq 5 ] || ret=1 # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if [ "$ret" -ne 0 ]; then echo_i "failed - adding NTA's failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check behavior with NTA's in place # -dig_with_opts a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1 -dig_with_opts a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1 +dig_with_opts a.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 >/dev/null && ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.6 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.6 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 >/dev/null && ret=1 +dig_with_opts a.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.7 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 >/dev/null && ret=1 echo_i "dumping secroots" rndccmd 10.53.0.4 secroots | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -grep "bogus.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "badds.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 -grep "fakenode.secure.example: expiry" named.secroots.test$n > /dev/null || ret=1 +grep "bogus.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "badds.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 +grep "fakenode.secure.example: expiry" named.secroots.test$n >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - with NTA's in place failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "waiting for NTA rechecks/expirations" @@ -2020,18 +2041,18 @@ echo_i "waiting for NTA rechecks/expirations" # # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' -dig_with_opts b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1 -dig_with_opts b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1 -dig_with_opts badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1 +dig_with_opts b.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.8 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.8 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 >/dev/null || ret=1 +dig_with_opts b.fakenode.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.9 || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n.9 >/dev/null || ret=1 +dig_with_opts badds.example. soa @10.53.0.4 >dig.out.ns4.test$n.10 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.10 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to recheck"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # @@ -2042,22 +2063,22 @@ ret=0 # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check nta table -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n._11 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n._11 lines=$(grep -c " expiry " rndc.out.ns4.test$n._11 || true) [ "$lines" -le 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null || ret=1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 > /dev/null && ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1 -dig_with_opts c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null || ret=1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n._11 >/dev/null && ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.11 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.11 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.12 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.12 >/dev/null || ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 >/dev/null && ret=1 +dig_with_opts c.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.13 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.13 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed - checking that default nta's were lifted due to lifetime"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # @@ -2066,87 +2087,87 @@ ret=0 # shellcheck disable=SC2016 $PERL -e 'my $delay = '"$start"' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' # check correct behavior after bogus.example expiry -dig_with_opts d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1 -dig_with_opts c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1 +dig_with_opts d.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.14 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.14 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 >/dev/null || ret=1 +dig_with_opts c.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.15 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.15 >/dev/null || ret=1 # check nta table has been cleaned up now -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 lines=$(grep -c " expiry " rndc.out.ns4.test$n.3 || true) [ "$lines" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed - checking that all nta's have been lifted"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "testing NTA removals ($n)" rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1 -grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -remove badds.example > rndc.out.ns4.test$n.2 -grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1 -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.1 >/dev/null || ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.1 >/dev/null && ret=1 +grep "^a.badds.example." dig.out.ns4.test$n.1 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -remove badds.example >rndc.out.ns4.test$n.2 +grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 >/dev/null || ret=1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +grep "badds.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "remove non-existent NTA three times" -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.4 2>&1 -rndccmd 10.53.0.4 nta -remove foo > rndc.out.ns4.test$n.5 2>&1 -rndccmd 10.53.0.4 nta -r foo > rndc.out.ns4.test$n.6 2>&1 -grep "not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.4 2>&1 +rndccmd 10.53.0.4 nta -remove foo >rndc.out.ns4.test$n.5 2>&1 +rndccmd 10.53.0.4 nta -r foo >rndc.out.ns4.test$n.6 2>&1 +grep "not found" rndc.out.ns4.test$n.6 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA with bogus lifetimes ($n)" echo_i "check with no nta lifetime specified" -rndccmd 10.53.0.4 nta -l "" foo > rndc.out.ns4.test$n.1 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l "" foo >rndc.out.ns4.test$n.1 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.1 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with bad nta lifetime" -rndccmd 10.53.0.4 nta -l garbage foo > rndc.out.ns4.test$n.2 2>&1 || true -grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l garbage foo >rndc.out.ns4.test$n.2 2>&1 || true +grep "'nta' failed: bad ttl" rndc.out.ns4.test$n.2 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "check with too long nta lifetime" -rndccmd 10.53.0.4 nta -l 7d1h foo > rndc.out.ns4.test$n.3 2>&1 || true -grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1 +rndccmd 10.53.0.4 nta -l 7d1h foo >rndc.out.ns4.test$n.3 2>&1 || true +grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check NTA persistence across restarts # -n=$((n+1)) +n=$((n + 1)) echo_i "testing NTA persistence across restarts ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 lines=$(grep -c " expiry " rndc.out.ns4.test$n.1 || true) [ "$lines" -eq 0 ] || ret=1 rndccmd 10.53.0.4 nta -f -l 30s bogus.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta -f -l 10s badds.example 2>&1 | sed 's/^/ns4 /' | cat_i -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.2 lines=$(grep -c " expiry " rndc.out.ns4.test$n.2 || true) [ "$lines" -eq 2 ] || ret=1 # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: adding NTA's failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 echo_i "killing ns4 with SIGTERM" @@ -2162,12 +2183,12 @@ echo_i "waiting till 14s have passed since NTAs were added before restarting ns4 $PERL -e 'my $delay = '"$start"' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);' if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" @@ -2179,37 +2200,37 @@ sleep 4 # startup (as it had already expired), the fact that it's ignored should # be logged. # -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 -lines=$(wc -l < rndc.out.ns4.test$n.3) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.3 +lines=$(wc -l <rndc.out.ns4.test$n.3) [ "$lines" -eq 2 ] || ret=1 -grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1 -dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1 -dig_with_opts a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1 -grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1 +grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 >/dev/null || ret=1 +dig_with_opts b.bogus.example. a @10.53.0.4 >dig.out.ns4.test$n.4 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.4 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 >/dev/null && ret=1 +dig_with_opts a.badds.example. a @10.53.0.4 >dig.out.ns4.test$n.5 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.5 >/dev/null || ret=1 +grep "ignoring expired NTA at badds.example" ns4/named.run >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove bogus.example > rndc.out.ns4.test$n.6 +rndccmd 10.53.0.4 nta -remove bogus.example >rndc.out.ns4.test$n.6 if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: restoring NTA failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "regular" attribute in NTA file works as expected at named # startup. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading regular attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l <rndc.out.ns4.test$n.1) [ "$lines" -eq 1 ] || ret=1 # initially, secure.example. validates with AD=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" kill -TERM "$(cat ns4/named.pid)" @@ -2222,18 +2243,18 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the regular attribute and some future timestamp. # -future="$(($(date +%Y)+20))0101010000" -echo "secure.example. regular $future" > ns4/_default.nta +future="$(($(date +%Y) + 20))0101010000" +echo "secure.example. regular $future" >ns4/_default.nta # shellcheck disable=SC2016 start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, so at t=12 the NTAs for @@ -2244,30 +2265,30 @@ $PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $del # secure.example. should now return an AD=1 answer (still validates) as # the NTA has been lifted. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading regular NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check "forced" attribute in NTA file works as expected at named # startup. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading forced attribute from NTA file ($n)" -rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l <rndc.out.ns4.test$n.1) [ "$lines" -eq 1 ] || ret=1 # initially, secure.example. validates with AD=1 -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.2 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 >/dev/null || ret=1 echo_i "killing ns4 with SIGTERM" kill -TERM "$(cat ns4/named.pid)" @@ -2280,16 +2301,16 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with the forced attribute and some future timestamp. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta start=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi # nta-recheck is configured as 9s, but even at t=12 the NTAs for @@ -2300,21 +2321,21 @@ $PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $del # secure.example. should now return an AD=0 answer (non-authenticated) # as the NTA is still there. -dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1 -grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1 +dig_with_opts a.secure.example. a @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1 +grep "status: SERVFAIL" dig.out.ns4.test$n.3 >/dev/null && ret=1 +grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 >/dev/null && ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.4 2>/dev/null if [ "$ret" -ne 0 ]; then echo_i "failed - NTA persistence: loading forced NTAs failed"; fi -status=$((status+ret)) +status=$((status + ret)) ret=0 # # check that NTA lifetime read from file is clamped to 1 week. # -n=$((n+1)) +n=$((n + 1)) echo_i "testing loading out of bounds lifetime from NTA file ($n)" echo_i "killing ns4 with SIGTERM" @@ -2328,16 +2349,16 @@ sleep 4 # ns4 has now shutdown. add NTA for secure.example. directly into the # _default.nta file with a lifetime well into the future. # -echo "secure.example. forced $future" > ns4/_default.nta +echo "secure.example. forced $future" >ns4/_default.nta added=$($PERL -e 'print time()."\n";') if - start_server --noclean --restart --port "$PORT" ns4 + start_server --noclean --restart --port "$PORT" ns4 then - echo_i "restarted server ns4" + echo_i "restarted server ns4" else - echo_i "could not restart server ns4" - exit 1 + echo_i "could not restart server ns4" + exit 1 fi echo_i "sleeping for an additional 4 seconds for ns4 to fully startup" @@ -2345,101 +2366,102 @@ sleep 4 # dump the NTA to a file (omit validate-except entries) echo_i "testing 'rndc nta -d' with NTA" -rndccmd 10.53.0.4 nta -d | grep -v ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d | grep -v ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # removed by the grep -v above. only "secure.example" should appear in # the dump. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l <rndc.out.ns4.test$n.1) [ "$lines" -eq 1 ] || ret=1 -grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1 -ts=$(awk '{print $3" "$4}' < rndc.out.ns4.test$n.1) +grep 'secure.example' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +ts=$(awk '{print $3" "$4}' <rndc.out.ns4.test$n.1) # rndc nta outputs localtime, so append the timezone ts_with_zone="$ts $(date +%z)" -echo "ts=$ts" > rndc.out.ns4.test$n.2 -echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2 -echo "added=$added" >> rndc.out.ns4.test$n.2 -if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null -then - # ntadiff.pl computes $ts_with_zone - ($added + 1week) - d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") - echo "d=$d" >> rndc.out.ns4.test$n.2 - # diff from $added(now) + 1week to the clamped NTA lifetime should be - # less than a few seconds (handle daylight saving changes by adding 3600). - [ "$d" -lt 3610 ] || ret=1 +echo "ts=$ts" >rndc.out.ns4.test$n.2 +echo "ts_with_zone=$ts_with_zone" >>rndc.out.ns4.test$n.2 +echo "added=$added" >>rndc.out.ns4.test$n.2 +if $PERL -e 'use Time::Piece; use Time::Seconds;' 2>/dev/null; then + # ntadiff.pl computes $ts_with_zone - ($added + 1week) + d=$($PERL ./ntadiff.pl "$ts_with_zone" "$added") + echo "d=$d" >>rndc.out.ns4.test$n.2 + # diff from $added(now) + 1week to the clamped NTA lifetime should be + # less than a few seconds (handle daylight saving changes by adding 3600). + [ "$d" -lt 3610 ] || ret=1 else - echo_i "skipped ntadiff test; install PERL module Time::Piece" + echo_i "skipped ntadiff test; install PERL module Time::Piece" fi echo_i "testing 'rndc nta' lifetime clamping" -rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null +rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null # "corp" is configured as a validate-except domain and thus should be # the only entry in the dump. -lines=$(wc -l < rndc.out.ns4.test$n.1) +lines=$(wc -l <rndc.out.ns4.test$n.1) [ "$lines" -eq 1 ] || ret=1 -grep 'corp/_default' rndc.out.ns4.test$n.1 > /dev/null || ret=1 +grep 'corp/_default' rndc.out.ns4.test$n.1 >/dev/null || ret=1 # cleanup -rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null +rndccmd 10.53.0.4 nta -remove secure.example >rndc.out.ns4.test$n.3 2>/dev/null -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing 'rndc nta -d' displays validate-except entries" -rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null -lines=$(wc -l < rndc.out.ns4.test$n.1) +rndccmd 10.53.0.4 nta -d | grep ": permanent" >rndc.out.ns4.test$n.1 2>/dev/null +lines=$(wc -l <rndc.out.ns4.test$n.1) [ "$lines" -eq 1 ] || ret=1 -grep 'corp/_default' rndc.out.ns4.test$n.1 > /dev/null || ret=1 -n=$((n+1)) +grep 'corp/_default' rndc.out.ns4.test$n.1 >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" ret=0 # Sanity check behavior without an NTA in place. -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.1 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.1 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 > /dev/null && ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.1 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.1 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.1 >/dev/null && ret=1 # Add an NTA, expecting that to cause resolution to succeed. -rndccmd 10.53.0.9 nta badds.example > rndc.out.ns9.test$n.1 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.2 || ret=1 -grep "NOERROR" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns9.test$n.2 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta badds.example >rndc.out.ns9.test$n.1 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.2 || ret=1 +grep "NOERROR" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns9.test$n.2 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.2 >/dev/null && ret=1 # Remove the NTA, expecting that to cause resolution to fail again. -rndccmd 10.53.0.9 nta -remove badds.example > rndc.out.ns9.test$n.2 2>&1 || ret=1 -dig_with_opts @10.53.0.9 badds.example. SOA > dig.out.ns9.test$n.3 || ret=1 -grep "SERVFAIL" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns9.test$n.3 > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 > /dev/null && ret=1 +rndccmd 10.53.0.9 nta -remove badds.example >rndc.out.ns9.test$n.2 2>&1 || ret=1 +dig_with_opts @10.53.0.9 badds.example. SOA >dig.out.ns9.test$n.3 || ret=1 +grep "SERVFAIL" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns9.test$n.3 >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;].*QUERY" dig.out.ns9.test$n.3 >/dev/null && ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "completed NTA tests" # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. -if $PERL -e 'use Net::DNS;' 2>/dev/null -then - echo_i "running DNSSEC update test" - ret=0 - { output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.); rc=$?; } || true - test "$rc" -eq 0 || ret=1 - echo "$output" | cat_i - [ $ret -eq 1 ] && status=1 +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + echo_i "running DNSSEC update test" + ret=0 + { + output=$($PERL dnssec_update_test.pl -s 10.53.0.3 -p "$PORT" dynamic.example.) + rc=$? + } || true + test "$rc" -eq 0 || ret=1 + echo "$output" | cat_i + [ $ret -eq 1 ] && status=1 else - echo_i "The DNSSEC update test requires the Net::DNS library." >&2 + echo_i "The DNSSEC update test requires the Net::DNS library." >&2 fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking managed key maintenance has not started yet ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Reconfigure caching server to use "dnssec-validation auto", and repeat # some of the DNSSEC validation tests to ensure that it works correctly. @@ -2454,133 +2476,133 @@ sleep 5 echo_i "checking managed key maintenance timer has now started ($n)" ret=0 [ -f "ns4/managed-keys.bind.jnl" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC ($n)" ret=0 -dig_with_opts +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth a.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation NSEC3 ($n)" ret=0 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.nsec3.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking positive validation OPTOUT ($n)" ret=0 dig_with_opts +noauth a.optout.example. \ - @10.53.0.3 a > dig.out.ns3.test$n || ret=1 + @10.53.0.3 a >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth a.optout.example. \ - @10.53.0.4 a > dig.out.ns4.test$n || ret=1 + @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking negative validation ($n)" ret=0 -dig_with_opts +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -dig_with_opts +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth q.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that root DS queries validate ($n)" ret=0 -dig_with_opts +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1 -dig_with_opts +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.1 ds >dig.out.ns1.test$n || ret=1 +dig_with_opts +noauth . @10.53.0.4 ds >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns1.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that DS at a RFC 1918 empty zone lookup succeeds ($n)" ret=0 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth 10.in-addr.arpa ds @10.53.0.4 >dig.out.ns6.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns6.test$n || ret=1 -grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)" ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 -grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth expired.example. +dnssec @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 +grep "RRSIG.SOA" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking expired signatures do not validate ($n)" ret=0 -dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -grep "expired.example/.*: RRSIG has expired" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 || exit 1 -kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) -( -echo zone update-nsec3.example -echo server 10.53.0.3 "$PORT" -grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' -echo send -) | $NSUPDATE + cd ns3 || exit 1 + kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) + ( + echo zone update-nsec3.example + echo server 10.53.0.3 "$PORT" + grep DNSKEY "${kskname}.key" | sed -e 's/^/update add /' -e 's/IN/300 IN/' + echo send + ) | $NSUPDATE ) -dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "IN.NSEC[^3].* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" ret=0 -dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +grep "IN.NSEC3 .* DNSKEY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 @@ -2589,177 +2611,177 @@ checkprivate update-nsec3.example 10.53.0.3 || ret=1 checkprivate auto-nsec3.example 10.53.0.3 || ret=1 checkprivate expiring.example 10.53.0.3 || ret=1 checkprivate auto-nsec.example 10.53.0.3 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing' without arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -list' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -list > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -list >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -clear' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -clear > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -clear >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -clear all' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -clear all > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -clear all >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param none >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 0 >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - >/dev/null 2>&1 && ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "FFFF" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + if [ "$salt" = "FFFF" ]; then + break + fi + echo_i "sleeping ...." + sleep 1 +done [ "$salt" = "FFFF" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "-" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + if [ "$salt" = "-" ]; then + break + fi + echo_i "sleeping ...." + sleep 1 +done [ "$salt" = "-" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "-" ] && break - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + [ "$salt" != "-" ] && [ "${#salt}" -eq 16 ] && break + echo_i "sleeping ...." + sleep 1 +done [ "$salt" != "-" ] || ret=1 [ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" ret=0 oldsalt=$salt -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break - echo_i "sleeping ...." - sleep 1 -done; +rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.3 status >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') + [ "$salt" != "$oldsalt" ] && [ "${#salt}" -eq 16 ] && break + echo_i "sleeping ...." + sleep 1 +done [ "$salt" != "$oldsalt" ] || ret=1 [ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check rndc signing -list output ($n)" ret=0 -{ rndccmd 10.53.0.3 signing -list dynamic.example > signing.out; } 2>&1 +{ rndccmd 10.53.0.3 signing -list dynamic.example >signing.out; } 2>&1 grep -q "No signing records found" signing.out || { - ret=1 - sed 's/^/ns3 /' signing.out | cat_i + ret=1 + sed 's/^/ns3 /' signing.out | cat_i } -{ rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 +{ rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1 grep -q "Done signing with key .*/$DEFAULT_ALGORITHM" signing.out || { - ret=1 - sed 's/^/ns3 /' signing.out | cat_i + ret=1 + sed 's/^/ns3 /' signing.out | cat_i } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "clear signing records ($n)" -{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example > /dev/null; } 2>&1 || ret=1 +{ rndccmd 10.53.0.3 signing -clear all update-nsec3.example >/dev/null; } 2>&1 || ret=1 check_no_signing_record_found() { - { rndccmd 10.53.0.3 signing -list update-nsec3.example > signing.out; } 2>&1 + { rndccmd 10.53.0.3 signing -list update-nsec3.example >signing.out; } 2>&1 grep -q "No signing records found" signing.out || { sed 's/^/ns3 /' signing.out | cat_i return 1 @@ -2767,110 +2789,105 @@ check_no_signing_record_found() { return 0 } retry_quiet 5 check_no_signing_record_found || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a insecure zone beneath a cname resolves ($n)" ret=0 -dig_with_opts soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa insecure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a secure zone beneath a cname resolves ($n)" ret=0 -dig_with_opts soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa secure.below-cname.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) my_dig() { - "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@" + "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "$PORT" @10.53.0.4 "$@" } echo_i "checking DNSKEY query with no data still gets put in cache ($n)" ret=0 -firstVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }') +firstVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') sleep 1 -secondVal=$(my_dig insecure.example. dnskey| awk '$1 != ";;" { print $2 }') -if [ "${firstVal:-0}" -eq "${secondVal:-0}" ] -then - sleep 1 - thirdVal=$(my_dig insecure.example. dnskey|awk '$1 != ";;" { print $2 }') - if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ] - then - echo_i "cannot confirm query answer still in cache" - ret=1 - fi +secondVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') +if [ "${firstVal:-0}" -eq "${secondVal:-0}" ]; then + sleep 1 + thirdVal=$(my_dig insecure.example. dnskey | awk '$1 != ";;" { print $2 }') + if [ "${firstVal:-0}" -eq "${thirdVal:-0}" ]; then + echo_i "cannot confirm query answer still in cache" + ret=1 + fi fi -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a split dnssec dnssec-signzone work ($n)" ret=0 -dig_with_opts soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa split-dnssec.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a smart split dnssec dnssec-signzone work ($n)" ret=0 -dig_with_opts soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts soa split-smart.example. @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that NOTIFY is sent at the end of NSEC3 chain generation ($n)" ret=0 ( -echo zone nsec3chain-test -echo server 10.53.0.2 "$PORT" -echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 -echo send + echo zone nsec3chain-test + echo server 10.53.0.2 "$PORT" + echo update add nsec3chain-test. 0 nsec3param 1 0 1 123456 + echo send ) | $NSUPDATE -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 -do - dig_with_opts nsec3param nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 - if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null - then - break; - fi - echo_i "sleeping ...." - sleep 3 +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do + dig_with_opts nsec3param nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1 + if grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null; then + break + fi + echo_i "sleeping ...." + sleep 3 done -grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1 +grep "ANSWER: 3," dig.out.ns2.test$n >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "nsec3 chain generation not complete"; fi -dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 +dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.2 >dig.out.ns2.test$n || ret=1 s2=$(awk '$4 == "SOA" { print $7}' dig.out.ns2.test$n) -for i in 1 2 3 4 5 6 7 8 9 10 -do - dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 > dig.out.ns3.test$n || ret=1 - s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n) - test "$s2" = "$s3" && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + dig_with_opts +noauth +nodnssec soa nsec3chain-test @10.53.0.3 >dig.out.ns3.test$n || ret=1 + s3=$(awk '$4 == "SOA" { print $7}' dig.out.ns3.test$n) + test "$s2" = "$s3" && break + sleep 1 done digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-dsfromkey from stdin ($n)" ret=0 -dig_with_opts dnskey algroll. @10.53.0.2 | \ - $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1 +dig_with_opts dnskey algroll. @10.53.0.2 \ + | $DSFROMKEY -f - algroll. >dig.out.ns2.test$n || ret=1 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u) [ "${NF}" = 7 ] || ret=1 # make canonical @@ -2878,16 +2895,16 @@ awk '{ for (i=1;i<7;i++) printf("%s ", $i); for (i=7;i<=NF;i++) printf("%s", $i); printf("\n"); -}' < dig.out.ns2.test$n > canonical1.$n || ret=1 +}' <dig.out.ns2.test$n >canonical1.$n || ret=1 awk '{ for (i=1;i<7;i++) printf("%s ", $i); for (i=7;i<=NF;i++) printf("%s", $i); printf("\n"); -}' < ns1/dsset-algroll. > canonical2.$n || ret=1 -diff -b canonical1.$n canonical2.$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) +}' <ns1/dsset-algroll. >canonical2.$n || ret=1 +diff -b canonical1.$n canonical2.$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Intentionally strip ".key" from keyfile name to ensure the error message # includes it anyway to avoid confusion (RT #21731) @@ -2895,157 +2912,157 @@ echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)" ret=0 key=$($KEYGEN -a $DEFAULT_ALGORITHM -q example.) || ret=1 mv "$key.key" "$key" -$DSFROMKEY "$key" > dsfromkey.out.$n 2>&1 && ret=1 -grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1 -n=$((n+1)) +$DSFROMKEY "$key" >dsfromkey.out.$n 2>&1 && ret=1 +grep "$key.key: file not found" dsfromkey.out.$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dnssec-dsfromkey with revoked key ($n)" ret=0 -dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK -grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK -grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK +dig_with_opts revkey.example dnskey @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "DNSKEY.256 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # ZSK +grep "DNSKEY.385 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # revoked KSK +grep "DNSKEY.257 3 13" dig.out.ns4.test$n >/dev/null || ret=1 # KSK test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1 -$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1 -test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1 -n=$((n+1)) +$DSFROMKEY -f dig.out.ns4.test$n revkey.example. >dsfromkey.out.test$n || ret=1 +test $(wc -l <dsfromkey.out.test$n) -eq 1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)" ret=0 -dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG >dig.out.ns3.test$n 2>&1 # there must be a signature here [ -s dig.out.ns3.test$n ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing new records are signed with 'no-resign' ($n)" ret=0 ( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add new.nosign.example 300 in txt "hi there" -echo send + echo zone nosign.example + echo server 10.53.0.3 "$PORT" + echo update add new.nosign.example 300 in txt "hi there" + echo send ) | $NSUPDATE sleep 1 dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 -grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) + >dig.out.ns3.test$n 2>&1 +grep RRSIG dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing expiring records aren't resigned with 'no-resign' ($n)" ret=0 -dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \ - grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1 +dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 \ + | grep RRSIG | sed 's/[ ][ ]*/ /g' >dig.out.ns3.test$n 2>&1 # the NS RRSIG should not be changed -diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1 -n=$((n+1)) +diff nosign.before dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates fail with no private key ($n)" ret=0 rm -f ns3/Knosign.example.*.private ( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add fail.nosign.example 300 in txt "reject me" -echo send -) | $NSUPDATE > /dev/null 2>&1 && ret=1 + echo zone nosign.example + echo server 10.53.0.3 "$PORT" + echo update add fail.nosign.example 300 in txt "reject me" + echo send +) | $NSUPDATE >/dev/null 2>&1 && ret=1 dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 + >dig.out.ns3.test$n 2>&1 [ -s dig.out.ns3.test$n ] && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing legacy upper case signer name validation ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ - > dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 -grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n 2>&1 || ret=1 +grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.*SOA.* UPPER\\.EXAMPLE\\. " dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing that we lower case signer name ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa LOWER.EXAMPLE @10.53.0.4 \ - > dig.out.ns4.test$n 2>&1 || ret=1 -grep "flags:.* ad;" dig.out.ns4.test$n > /dev/null || ret=1 -grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) + >dig.out.ns4.test$n 2>&1 || ret=1 +grep "flags:.* ad;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "RRSIG.*SOA.* lower\\.example\\. " dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time ($n)" ret=0 rndccmd 10.53.0.3 freeze expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i ( -cd ns3 || exit 1 -for file in K*.moved; do - mv "$file" "$(basename "$file" .moved)" -done -$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null + cd ns3 || exit 1 + for file in K*.moved; do + mv "$file" "$(basename "$file" .moved)" + done + $SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db >/dev/null ) || ret=1 rndc_reload ns3 10.53.0.3 expiring.example rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "${ttl}" -eq 300 ] || ret=1 + [ "${ttl}" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "${ttl}" -le 60 ] || ret=1 + [ "${ttl}" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -dig_with_additionalopts +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example ns @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example ns @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 60 ] || ret=1 + [ "$ttl" -le 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) copy_setports ns4/named3.conf.in ns4/named.conf rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i @@ -3054,205 +3071,202 @@ sleep 3 echo_i "testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_answeropts +cd expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expiring.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expiring.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 + [ "$ttl" -eq 120 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)" ret=0 -dig_with_answeropts +cd expired.example soa @10.53.0.4 > dig.out.ns4.1.$n -dig_with_answeropts expired.example soa @10.53.0.4 > dig.out.ns4.2.$n +dig_with_answeropts +cd expired.example soa @10.53.0.4 >dig.out.ns4.1.$n +dig_with_answeropts expired.example soa @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-0}; do - [ "$ttl" -eq 300 ] || ret=1 + [ "$ttl" -eq 300 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -eq 120 ] || ret=1 + [ "$ttl" -eq 120 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -dig_with_additionalopts +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -dig_with_additionalopts expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +dig_with_additionalopts +cd expiring.example mx @10.53.0.4 >dig.out.ns4.1.$n +dig_with_additionalopts expiring.example mx @10.53.0.4 >dig.out.ns4.2.$n ttls=$(awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n) ttls2=$(awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n) for ttl in ${ttls:-300}; do - [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 + [ "$ttl" -le 300 ] && [ "$ttl" -gt 240 ] || ret=1 done for ttl in ${ttls2:-0}; do - [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 + [ "$ttl" -le 120 ] && [ "$ttl" -gt 60 ] || ret=1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing DNSKEY lookup via CNAME ($n)" ret=0 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 + @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 + @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup at CNAME (present) ($n)" ret=0 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnameandkey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup at CNAME (not present) ($n)" ret=0 dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts +noauth cnamenokey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing DNSKEY lookup via DNAME ($n)" ret=0 dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1 + @10.53.0.3 dnskey >dig.out.ns3.test$n || ret=1 dig_with_opts a.dnameandkey.secure.example. \ - @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1 + @10.53.0.4 dnskey >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "CNAME" dig.out.ns4.test$n >/dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "testing KEY lookup via DNAME ($n)" ret=0 dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.3 key > dig.out.ns3.test$n || ret=1 + @10.53.0.3 key >dig.out.ns3.test$n || ret=1 dig_with_opts b.dnameandkey.secure.example. \ - @10.53.0.4 key > dig.out.ns4.test$n || ret=1 + @10.53.0.4 key >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "DNAME" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that named doesn't loop when all private keys are not available ($n)" ret=0 lines=$(grep -c "reading private key file expiring.example" ns3/named.run || true) test "${lines:-1000}" -lt 15 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check against against missing nearest provable proof ($n)" dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 ds > dig.out.ds.ns6.test$n || ret=1 + @10.53.0.6 ds >dig.out.ds.ns6.test$n || ret=1 nsec3=$(grep -c "IN.NSEC3" dig.out.ds.ns6.test$n || true) [ "$nsec3" -eq 2 ] || ret=1 dig_with_opts +norec b.c.d.optout-tld. \ - @10.53.0.6 A > dig.out.ns6.test$n || ret=1 + @10.53.0.6 A >dig.out.ns6.test$n || ret=1 nsec3=$(grep -c "IN.NSEC3" dig.out.ns6.test$n || true) [ "$nsec3" -eq 1 ] || ret=1 dig_with_opts optout-tld. \ - @10.53.0.4 SOA > dig.out.soa.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n > /dev/null || ret=1 + @10.53.0.4 SOA >dig.out.soa.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.soa.ns4.test$n >/dev/null || ret=1 dig_with_opts b.c.d.optout-tld. \ - @10.53.0.4 A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that key id are logged when dumping the cache ($n)" ret=0 rndc_dumpdb ns4 -grep "; key id = " ns4/named_dump.db.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "; key id = " ns4/named_dump.db.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check KEYDATA records are printed in human readable form in key zone ($n)" # force the managed-keys zone to be written out rndccmd 10.53.0.4 managed-keys sync 2>&1 | sed 's/^/ns4 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - if test -f ns4/managed-keys.bind - then - grep KEYDATA ns4/managed-keys.bind > /dev/null && - grep "next refresh:" ns4/managed-keys.bind > /dev/null && - break - fi - ret=1 - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + if test -f ns4/managed-keys.bind; then + grep KEYDATA ns4/managed-keys.bind >/dev/null \ + && grep "next refresh:" ns4/managed-keys.bind >/dev/null \ + && break + fi + ret=1 + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check dig's +nocrypto flag ($n)" ret=0 dig_with_opts +norec +nocrypto DNSKEY . \ - @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 -grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n > /dev/null || ret=1 + @10.53.0.1 >dig.out.dnskey.ns1.test$n || ret=1 +grep -E "256 [0-9]+ $DEFAULT_ALGORITHM_NUMBER \\[key id = [1-9][0-9]*]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1 +grep -E "RRSIG.* \\[omitted]" dig.out.dnskey.ns1.test$n >/dev/null || ret=1 dig_with_opts +norec +nocrypto DS example \ - @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n > /dev/null || ret=1 -n=$((n+1)) + @10.53.0.1 >dig.out.ds.ns1.test$n || ret=1 +grep -E "DS.* [0-9]+ [12] \[omitted]" dig.out.ds.ns1.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" ret=0 cnt=0 -while : -do -dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n -keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) -test "$keys" -gt 2 && break -cnt=$((cnt+1)) -test "$cnt" -gt 120 && break -sleep 1 +while :; do + dig_with_opts publish-inactive.example @10.53.0.3 dnskey >dig.out.ns3.test$n + keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) + test "$keys" -gt 2 && break + cnt=$((cnt + 1)) + test "$cnt" -gt 120 && break + sleep 1 done test "$keys" -gt 2 || ret=1 sigs=$(grep -c RRSIG dig.out.ns3.test$n || true) -n=$((n+1)) +n=$((n + 1)) test "$sigs" -eq 2 || ret=1 -if test "$ret" -ne 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test "$ret" -ne 0; then echo_i "failed"; fi +status=$((status + ret)) echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)" ret=0 @@ -3261,41 +3275,44 @@ cp ns3/siginterval2.conf ns3/siginterval.conf rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i i=10 while [ "$i" -ge 0 ]; do -after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) -test "$before" != "$after" && break -sleep 1 -i=$((i-1)) + after=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) + test "$before" != "$after" && break + sleep 1 + i=$((i - 1)) done -n=$((n+1)) -if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +n=$((n + 1)) +if test "$before" = "$after"; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) if [ -x "$PYTHON" ]; then - echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" - ret=0 - rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i - # convert expiry date to a comma-separated list of integers python can - # use as input to date(). strip leading 0s in months and days so - # python3 will recognize them as integers. - $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example > dig.out.soa.test$n || ret=1 - soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example > dig.out.dnskey.test$n || ret=1 - dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n | - sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' | - sed 's/ 0/ /g') - $PYTHON > python.out.$n <<EOF + echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" + ret=0 + rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i + # convert expiry date to a comma-separated list of integers python can + # use as input to date(). strip leading 0s in months and days so + # python3 will recognize them as integers. + $DIG +dnssec +short -p "$PORT" @10.53.0.3 soa siginterval.example >dig.out.soa.test$n || ret=1 + soaexpire=$(awk '$1 ~ /SOA/ { print $5 }' dig.out.soa.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $DIG +dnssec +short -p "$PORT" @10.53.0.3 dnskey siginterval.example >dig.out.dnskey.test$n || ret=1 + dnskeyexpire=$(awk '$1 ~ /DNSKEY/ { print $5; exit 0 }' dig.out.dnskey.test$n \ + | sed 's/\(....\)\(..\)\(..\).*/\1, \2, \3/' \ + | sed 's/ 0/ /g') + $PYTHON >python.out.$n <<EOF from datetime import date; ke=date($dnskeyexpire) se=date($soaexpire) print((ke-se).days); EOF - diff=$(cat python.out.$n) - [ "$diff" -ge 55 ] || ret=1 - n=$((n+1)) - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + diff=$(cat python.out.$n) + [ "$diff" -ge 55 ] || ret=1 + n=$((n + 1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) fi copy_setports ns4/named4.conf.in ns4/named.conf @@ -3305,14 +3322,14 @@ sleep 3 echo_i "check insecure delegation between static-stub zones ($n)" ret=0 dig_with_opts ns insecure.secure.example \ - @10.53.0.4 > dig.out.ns4.1.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1 + @10.53.0.4 >dig.out.ns4.1.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.1.test$n >/dev/null && ret=1 dig_with_opts ns secure.example \ - @10.53.0.4 > dig.out.ns4.2.test$n || ret=1 -grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1 -n=$((n+1)) + @10.53.0.4 >dig.out.ns4.2.test$n || ret=1 +grep "SERVFAIL" dig.out.ns4.2.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the acceptance of seconds as inception and expiration times ($n)" ret=0 @@ -3322,14 +3339,14 @@ exp="NSEC 8 0 86400 20140118000000 20140110230000 33655 . NYWjZYBV1b+h4j0yu/SmPO out=$(echo "IN RRSIG $in" | $RRCHECKER -p | sed 's/^IN.RRSIG.//') [ "$out" = "$exp" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check the correct resigning time is reported in zonestatus ($n)" ret=0 rndccmd 10.53.0.3 \ - zonestatus secure.example > rndc.out.ns3.test$n + zonestatus secure.example >rndc.out.ns3.test$n # next resign node: secure.example/DNSKEY qname=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,/.*,,') qtype=$(awk '/next resign node:/ { print $4 }' rndc.out.ns3.test$n | sed 's,.*/,,') @@ -3339,194 +3356,194 @@ time=$(awk 'BEGIN { m["Jan"] = "01"; m["Feb"] = "02"; m["Mar"] = "03"; m["Jul"] = "07"; m["Aug"] = "08"; m["Sep"] = "09"; m["Oct"] = "10"; m["Nov"] = "11"; m["Dec"] = "12";} /next resign time:/ { printf "%d%s%02d%s\n", $7, m[$6], $5, $8 }' rndc.out.ns3.test$n | sed 's/://g') -dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 > dig.out.test$n +dig_with_opts +noall +answer "$qname" "$qtype" @10.53.0.3 >dig.out.test$n expire=$(awk '$4 == "RRSIG" { print $9 }' dig.out.test$n) inception=$(awk '$4 == "RRSIG" { print $10 }' dig.out.test$n) $PERL -e 'exit(0) if ("'"$time"'" lt "'"$expire"'" && "'"$time"'" gt "'"$inception"'"); exit(1);' || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that split rrsigs are handled ($n)" ret=0 -dig_with_opts split-rrsig soa @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig soa @10.53.0.7 >dig.out.test$n || ret=1 awk 'BEGIN { ok=0; } $4 == "SOA" { if ($7 > 1) ok=1; } END { if (!ok) exit(1); }' dig.out.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)" ret=0 -dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1 +dig_with_opts split-rrsig AXFR @10.53.0.7 >dig.out.test$n || ret=1 grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)" ret=0 alg=1 -until test $alg -eq 256 -do - zone="keygen-$alg." - case $alg in - 2) # Diffie Helman - alg=$((alg+1)) - continue;; - 157|160|161|162|163|164|165) # private - non standard - alg=$((alg+1)) - continue;; - 1|5|7|8|10) # RSA algorithms - key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - 15|16) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - ;; - *) - key1=$($KEYGEN -a "$alg" -n zone "$zone" 2> "keygen-$alg.err" || true) - esac - if grep "unsupported algorithm" "keygen-$alg.err" > /dev/null - then - alg=$((alg+1)) - continue - fi - if test -z "$key1" - then - echo_i "'$KEYGEN -a $alg': failed" - cat "keygen-$alg.err" - ret=1 - alg=$((alg+1)) - continue - fi - $SETTIME -I now+4d "$key1.private" > /dev/null - key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2> /dev/null) - test -f "$key2.key" -a -f "$key2.private" || { - ret=1 - echo_i "'dnssec-keygen -S' failed for algorithm: $alg" - } - alg=$((alg+1)) +until test $alg -eq 256; do + zone="keygen-$alg." + case $alg in + 2) # Diffie Helman + alg=$((alg + 1)) + continue + ;; + 157 | 160 | 161 | 162 | 163 | 164 | 165) # private - non standard + alg=$((alg + 1)) + continue + ;; + 1 | 5 | 7 | 8 | 10) # RSA algorithms + key1=$($KEYGEN -a "$alg" -b "1024" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + 15 | 16) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + *) + key1=$($KEYGEN -a "$alg" -n zone "$zone" 2>"keygen-$alg.err" || true) + ;; + esac + if grep "unsupported algorithm" "keygen-$alg.err" >/dev/null; then + alg=$((alg + 1)) + continue + fi + if test -z "$key1"; then + echo_i "'$KEYGEN -a $alg': failed" + cat "keygen-$alg.err" + ret=1 + alg=$((alg + 1)) + continue + fi + $SETTIME -I now+4d "$key1.private" >/dev/null + key2=$($KEYGEN -v 10 -i 3d -S "$key1.private" 2>/dev/null) + test -f "$key2.key" -a -f "$key2.private" || { + ret=1 + echo_i "'dnssec-keygen -S' failed for algorithm: $alg" + } + alg=$((alg + 1)) done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a CDS deletion record is accepted ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo update add cds-update.secure 0 CDS 0 0 0 00 -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo update add cds-update.secure 0 CDS 0 0 0 00 + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure | -sed "s/^/update add /" -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDS deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cds-kskonly.secure.id) ( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo update add cds-kskonly.secure 0 CDS 0 0 0 00 -echo send + echo zone cds-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-kskonly.secure CDS + echo update add cds-kskonly.secure 0 CDS 0 0 0 00 + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) @@ -3535,125 +3552,125 @@ lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" && $5 == "0" && $6 == "0" && $7 == "0" && $8 == "00" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example SOA >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example SOA >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDS record is accepted with a matching CDS record ($n)" ret=0 ( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-update.secure | -sed "s/^/update add /" -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | -$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send + echo zone cds-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cds-update.secure CDS + echo send + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" \ + | $DSFROMKEY -12 -C -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure \ + | grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' \ + | $DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure \ + | sed "s/^/update add /" + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 4 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 optout-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 optout-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)" ret=0 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unknown DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: test case for GL #1689. # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) @@ -3665,86 +3682,86 @@ status=$((status+ret)) echo_i "check that a CDNSKEY deletion record is accepted ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + echo update add cdnskey-update.secure 0 CDNSKEY 0 3 0 AA== + echo send +) | $NSUPDATE >nsupdate.out.test$n 2>&1 +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)" ret=0 -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n -dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-nsec3-unknown.example A >dig.out.ns3.test$n +dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-nsec3-unknown.example A >dig.out.ns4.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send + echo zone cdnskey-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-kskonly.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that CDNSKEY deletion records are signed only using KSK when added by" echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" ret=0 keyid=$(cat ns2/cdnskey-kskonly.secure.id) ( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== -echo send + echo zone cdnskey-kskonly.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-kskonly.secure CDNSKEY + echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) @@ -3753,184 +3770,188 @@ lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) test "${lines:-10}" -eq 1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking initialization with a revoked managed key ($n)" ret=0 copy_setports ns5/named2.conf.in ns5/named.conf rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i sleep 3 -dig_with_opts +dnssec @10.53.0.5 SOA . > dig.out.ns5.test$n -grep "status: SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n +grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" ret=0 ( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' -echo send + echo zone cdnskey-update.secure + echo server 10.53.0.2 "$PORT" + echo update delete cdnskey-update.secure CDNSKEY + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' + dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure \ + | sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' + echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure >dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. ( -cd signer || exit 1 -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove > /dev/null -$KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove > /dev/null -echo > remove.db.signed -$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n + cd signer || exit 1 + $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fK remove >/dev/null + $KEYGEN -q -a $DEFAULT_ALGORITHM -33 remove >/dev/null + echo >remove.db.signed + $SIGNER -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null || { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer || exit 1 -$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n + cd signer || exit 1 + $SIGNER -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null && { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 ($n)" ret=0 # generate signed zone with MX and AAAA records at apex. ( -cd signer || exit 1 -echo > remove.db.signed -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n + cd signer || exit 1 + echo >remove.db.signed + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in >signer.out.1.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null || { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.pre$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null || { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.pre$n } # re-generate signed zone without MX and AAAA records at apex. ( -cd signer || exit 1 -$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n + cd signer || exit 1 + $SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in >signer.out.2.$n ) -grep "RRSIG MX" signer/remove.db.signed > /dev/null && { - ret=1 ; cp signer/remove.db.signed signer/remove.db.signed.post$n; +grep "RRSIG MX" signer/remove.db.signed >/dev/null && { + ret=1 + cp signer/remove.db.signed signer/remove.db.signed.post$n } -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)" ret=0 -dig_with_opts managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts managed-future.example. @10.53.0.4 a >dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns6/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1 -n=$((n+1)) +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1 -grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1 +dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run >/dev/null || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run >/dev/null && ret=1 stop_server ns1 || ret=1 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns1 || ret=1 -n=$(($n+1)) +n=$(($n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "waiting for root server to finish reloading ($n)" ret=0 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -n=$(($n+1)) +n=$(($n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that the view is logged in messages from the validator when using views ($n)" ret=0 -grep "view rec: *validat" ns4/named.run > /dev/null || ret=1 -n=$((n+1)) +grep "view rec: *validat" ns4/named.run >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)" ret=0 -dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts txt dname-at-apex-nsec3.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "RRSIG.NSEC3 $DEFAULT_ALGORITHM_NUMBER 3 600" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "check that DNSKEY and other occluded data are excluded from the delegating bitmap ($n)" ret=0 -dig_with_opts axfr occluded.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts axfr occluded.example @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^delegation.occluded.example..*NSEC.*NS KEY DS RRSIG NSEC$" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^delegation.occluded.example..*DNSKEY.*" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^delegation.occluded.example..*AAAA.*" dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)" ret=0 -dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1 -dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1 +dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1 +dig_with_opts any zz.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1 # DNSKEY+RRSIG, NSEC+RRSIG -grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # DNSSEC tests related to unsupported, disabled and revoked trust anchors. @@ -3950,9 +3971,9 @@ grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.r grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1 grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1 grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two tests are fairly normal DNSSEC queries to signed zones with a # default algorithm. First, a query is made against the server that is @@ -3961,25 +3982,25 @@ status=$((status+ret)) # return an authentic data positive response. echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.secure.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.secure.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using a supported algorithm validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.secure.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.secure.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY with an unsupported # algorithm will yield insecure positive responses. These trust anchors in ns8 are @@ -3987,25 +4008,25 @@ status=$((status+ret)) # in the response. echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.unsupported.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.unsupported.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.unsupported.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.unsupported.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY that the nameserver # has a disabled algorithm match for will yield insecure positive responses. @@ -4013,25 +4034,25 @@ status=$((status+ret)) # The AD bit should not be set in the response. echo_i "checking that a trusted key using a disabled algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.disabled.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.disabled.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using a disabled algorithm validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.disabled.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.disabled.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # The next two queries ensure that a zone signed with a DNSKEY that the # nameserver has a disabled algorithm for, but for a different domain, will @@ -4041,50 +4062,50 @@ status=$((status+ret)) # bit set. echo_i "checking that a trusted key using an algorithm disabled for another domain validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.enabled.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.enabled.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key using an algorithm disabled for another domain validates as secure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.enabled.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.enabled.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # A configured revoked trust anchor is ignored and thus the two queries below # should result in insecure responses, since no trust points for the # "revoked.trusted." and "revoked.managed." zones are created. echo_i "checking that a trusted key that is revoked validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.revoked.trusted A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.trusted A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.revoked.trusted A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.revoked.trusted A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that a managed key that is revoked validates as insecure ($n)" ret=0 -dig_with_opts @10.53.0.3 a.revoked.managed A > dig.out.ns3.test$n -dig_with_opts @10.53.0.8 a.revoked.managed A > dig.out.ns8.test$n -grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 -grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts @10.53.0.3 a.revoked.managed A >dig.out.ns3.test$n +dig_with_opts @10.53.0.8 a.revoked.managed A >dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n >/dev/null && ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ### ### Additional checks for when the KSK is offline. @@ -4102,59 +4123,58 @@ echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID" # Print IDs of keys used for generating RRSIG records for RRsets of type $1 # found in dig output file $2. get_keys_which_signed() { - qtype=$1 - output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$output" + qtype=$1 + output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$output" } # Basic checks to make sure everything is fine before the KSK is made offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 -dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n +dig_with_opts $SECTIONS @10.53.0.2 soa $zone >dig.out.test$n lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 -get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" > /dev/null || ret=1 -n=$((n+1)) +get_keys_which_signed "SOA" dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 +get_keys_which_signed "SOA" dig.out.test$n | grep "^$ZSK_ID$" >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Roll the ZSK. zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2 +keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2 ZSK_ID2=$(cat ns2/$zone.zsk.id2) echo_i "load new ZSK $ZSK_ID2 for $zone ($n)" ret=0 dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Make new ZSK active. echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" ret=0 -$SETTIME -I now -K ns2 $ZSK > /dev/null -$SETTIME -A now -K ns2 $zsk2 > /dev/null +$SETTIME -I now -K ns2 $ZSK >/dev/null +$SETTIME -A now -K ns2 $zsk2 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" @@ -4164,41 +4184,39 @@ mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # Redo the tests now that the zone is updated and the KSK is offline. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Put back the KSK. @@ -4208,18 +4226,18 @@ mv ns2/$KSK.private.bak ns2/$KSK.private # Roll the ZSK again. zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") -keyfile_to_key_id "$zsk3" > ns2/$zone.zsk.id3 +keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3 ZSK_ID3=$(cat ns2/$zone.zsk.id3) # Schedule the new ZSK (ZSK3) to become active. echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -D now -K ns2 $ZSK > /dev/null -$SETTIME -I +3600 -K ns2 $zsk2 > /dev/null -$SETTIME -A +3600 -K ns2 $zsk3 > /dev/null +$SETTIME -D now -K ns2 $ZSK >/dev/null +$SETTIME -I +3600 -K ns2 $zsk2 >/dev/null +$SETTIME -A +3600 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remove the KSK from disk. echo_i "remove the KSK $KSK_ID for zone $zone from disk" @@ -4229,110 +4247,106 @@ mv ns2/$KSK.private ns2/$KSK.private.bak # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me again" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me again" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me again" + echo send ) | $NSUPDATE # Redo the tests now that the ZSK roll has deleted the old key. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done # Make the new ZSK (ZSK3) active. echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -I +1 -K ns2 $zsk2 > /dev/null -$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +$SETTIME -I +1 -K ns2 $zsk2 >/dev/null +$SETTIME -A +1 -K ns2 $zsk3 >/dev/null dnssec_loadkeys_on 2 $zone || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Wait for newest ZSK to become active. echo_i "wait until new ZSK $ZSK_ID3 active and ZSK $ZSK_ID2 inactive" for i in 1 2 3 4 5 6 7 8 9 10; do - ret=0 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run > /dev/null || ret=1 - grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run > /dev/null || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID3 (ZSK) is now active" ns2/named.run >/dev/null || ret=1 + grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update the zone that requires a resign of the SOA RRset. echo_i "update the zone with $zone IN TXT nsupdate added me one more time" ( -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me one more time" -echo send + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me one more time" + echo send ) | $NSUPDATE -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Redo the tests one more time. -for qtype in "DNSKEY" "CDNSKEY" "CDS" -do +for qtype in "DNSKEY" "CDNSKEY" "CDS"; do echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null && ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null || ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null && ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done -for qtype in "SOA" "TXT" -do +for qtype in "SOA" "TXT"; do echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" ret=0 - dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone >dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" > /dev/null && ret=1 - get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" > /dev/null || ret=1 - n=$((n+1)) + get_keys_which_signed $qtype dig.out.test$n | grep "^$KSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID2$" >/dev/null && ret=1 + get_keys_which_signed $qtype dig.out.test$n | grep "^$ZSK_ID3$" >/dev/null || ret=1 + n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + status=$((status + ret)) done echo_i "checking secroots output with multiple views ($n)" @@ -4340,89 +4354,89 @@ ret=0 rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i cp ns4/named.secroots named.secroots.test$n check_secroots_layout named.secroots.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking sig-validity-interval second field hours vs days ($n)" ret=0 # zone configured with 'sig-validity-interval 500 499;' # 499 days in the future w/ a 20 minute runtime to now allowance min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') -dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n +dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking validation succeeds during transition to signed ($n)" ret=0 -dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 inprogress A >dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)" ret=0 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1 -n=$((n+1)) +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that the validating resolver will fallback to insecure if the answer # contains NSEC3 records with high iteration count. echo_i "checking fallback to insecure when NSEC3 iterations is too high (nxdomain) ($n)" ret=0 -dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 does-not-exist.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 a.too-many-iterations txt > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 a.too-many-iterations txt > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 a.too-many-iterations txt >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 a.too-many-iterations txt >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard) ($n)" ret=0 -dig_with_opts @10.53.0.2 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep 'wild\.a\.too-many-iterations\..*A.10\.0\.0\.3' dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 2, AUTHORITY: 4" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking fallback to insecure when NSEC3 iterations is too high (wildcard nodata) ($n)" ret=0 -dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations > dig.out.ns2.test$n || ret=1 -dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations > dig.out.ns4.test$n || ret=1 +dig_with_opts @10.53.0.2 type100 wild.a.too-many-iterations >dig.out.ns2.test$n || ret=1 +dig_with_opts @10.53.0.4 type100 wild.a.too-many-iterations >dig.out.ns4.test$n || ret=1 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n > /dev/null || ret=1 -n=$((n+1)) +grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Check that a query against a validating resolver succeeds when there is # a negative cache entry with trust level "pending" for the DS. Prime @@ -4430,17 +4444,17 @@ status=$((status+ret)) # query that uses that entry as part of the validation process. [GL #3279] echo_i "check that pending negative DS cache entry validates ($n)" ret=0 -dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1 +dig_with_opts @10.53.0.4 +cd insecure2.example. ds >dig.out.prime.ns4.test$n || ret=1 grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 -grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1 -dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n >/dev/null || ret=1 +dig_with_opts @10.53.0.4 a.insecure2.example. a >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n >/dev/null || ret=1 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnstap/ns2/named.conf.in b/bin/tests/system/dnstap/ns2/named.conf.in index badc225..cc05db0 100644 --- a/bin/tests/system/dnstap/ns2/named.conf.in +++ b/bin/tests/system/dnstap/ns2/named.conf.in @@ -43,7 +43,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/dnstap/ns3/named.conf.in b/bin/tests/system/dnstap/ns3/named.conf.in index a5ee2ed..1626030 100644 --- a/bin/tests/system/dnstap/ns3/named.conf.in +++ b/bin/tests/system/dnstap/ns3/named.conf.in @@ -46,5 +46,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnstap/ns4/named.conf.in b/bin/tests/system/dnstap/ns4/named.conf.in index e2a9207..4a1debf 100644 --- a/bin/tests/system/dnstap/ns4/named.conf.in +++ b/bin/tests/system/dnstap/ns4/named.conf.in @@ -45,5 +45,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/dnstap/prereq.sh b/bin/tests/system/dnstap/prereq.sh index f0748f3..747f448 100644 --- a/bin/tests/system/dnstap/prereq.sh +++ b/bin/tests/system/dnstap/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --enable-dnstap || { - echo_i "This test requires dnstap support." >&2 - exit 255 + echo_i "This test requires dnstap support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/dnstap/tests.sh b/bin/tests/system/dnstap/tests.sh index c5d4f0a..ac40a38 100644 --- a/bin/tests/system/dnstap/tests.sh +++ b/bin/tests/system/dnstap/tests.sh @@ -16,44 +16,53 @@ set -e . ../conf.sh DIGOPTS="+short -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf" status=0 # dnstap_data_ready <fstrm_capture_PID> <capture_file> <min_file_size> # Flushes capture_file and checks wheter its size is >= min_file_size. dnstap_data_ready() { - # Process id of running fstrm_capture. - fstrm_capture_pid=$1 - # Output file provided to fstrm_capture via -w switch. - capture_file=$2 - # Minimum expected file size. - min_size_expected=$3 - - kill -HUP $fstrm_capture_pid - file_size=$(wc -c < "$capture_file" | tr -d ' ') - if [ $file_size -lt $min_size_expected ]; then - return 1 - fi -} - - -for bad in bad-*.conf -do - ret=0 - echo_i "checking that named-checkconf detects error in $bad" - { $CHECKCONF $bad > /dev/null 2>&1; rc=$?; } || true - if [ $rc != 1 ]; then echo_i "failed"; ret=1; fi - status=$((status + ret)) + # Process id of running fstrm_capture. + fstrm_capture_pid=$1 + # Output file provided to fstrm_capture via -w switch. + capture_file=$2 + # Minimum expected file size. + min_size_expected=$3 + + kill -HUP $fstrm_capture_pid + file_size=$(wc -c <"$capture_file" | tr -d ' ') + if [ $file_size -lt $min_size_expected ]; then + return 1 + fi +} + +for bad in bad-*.conf; do + ret=0 + echo_i "checking that named-checkconf detects error in $bad" + { + $CHECKCONF $bad >/dev/null 2>&1 + rc=$? + } || true + if [ $rc != 1 ]; then + echo_i "failed" + ret=1 + fi + status=$((status + ret)) done -for good in good-*.conf -do - ret=0 - echo_i "checking that named-checkconf detects no error in $good" - { $CHECKCONF $good > /dev/null 2>&1; rc=$?; } || true - if [ $rc != 0 ]; then echo_i "failed"; ret=1; fi - status=$((status + ret)) +for good in good-*.conf; do + ret=0 + echo_i "checking that named-checkconf detects no error in $good" + { + $CHECKCONF $good >/dev/null 2>&1 + rc=$? + } || true + if [ $rc != 0 ]; then + echo_i "failed" + ret=1 + fi + status=$((status + ret)) done echo_i "wait for servers to finish loading" @@ -71,7 +80,7 @@ status=$((status + ret)) echo_i "prime cache" ret=0 -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out || true +$DIG $DIGOPTS @10.53.0.3 a.example >dig.out || true wait_for_log 20 "(.): reset client" ns1/named.run || true if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -81,15 +90,15 @@ status=$((status + ret)) mv ns1/dnstap.out ns1/dnstap.out.save mv ns2/dnstap.out ns2/dnstap.out.save -if [ -n "$FSTRM_CAPTURE" ] ; then - ret=0 - echo_i "starting fstrm_capture" - $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out.1 2>&1 & - fstrm_capture_pid=$! - wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -n "$FSTRM_CAPTURE" ]; then + ret=0 + echo_i "starting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out >fstrm_capture.out.1 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "reopen/roll capture streams" @@ -101,10 +110,10 @@ $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i echo_i "send test traffic" ret=0 -$DIG $DIGOPTS @10.53.0.3 a.example > dig.out || ret=1 +$DIG $DIGOPTS @10.53.0.3 a.example >dig.out || ret=1 # send an UPDATE to ns2 -$NSUPDATE <<- EOF +$NSUPDATE <<-EOF server 10.53.0.2 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 @@ -161,16 +170,16 @@ ur3=$($DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 [ $udp1 -eq 0 ] || { - echo_i "ns1 $udp1 expected 0" - ret=1 + echo_i "ns1 $udp1 expected 0" + ret=1 } [ $udp2 -eq 2 ] || { - echo_i "ns2 $udp2 expected 2" - ret=1 + echo_i "ns2 $udp2 expected 2" + ret=1 } [ $udp3 -eq 4 ] || { - echo_i "ns3 $udp3 expected 4" - ret=1 + echo_i "ns3 $udp3 expected 4" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -178,16 +187,16 @@ status=$((status + ret)) echo_i "checking TCP message counts" ret=0 [ $tcp1 -eq 6 ] || { - echo_i "ns1 $tcp1 expected 6" - ret=1 + echo_i "ns1 $tcp1 expected 6" + ret=1 } [ $tcp2 -eq 2 ] || { - echo_i "ns2 $tcp2 expected 2" - ret=1 + echo_i "ns2 $tcp2 expected 2" + ret=1 } [ $tcp3 -eq 6 ] || { - echo_i "ns3 $tcp3 expected 6" - ret=1 + echo_i "ns3 $tcp3 expected 6" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -195,16 +204,16 @@ status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 [ $aq1 -eq 3 ] || { - echo_i "ns1 $aq1 exepcted 3" - ret=1 + echo_i "ns1 $aq1 exepcted 3" + ret=1 } [ $aq2 -eq 2 ] || { - echo_i "ns2 $aq2 expected 2" - ret=1 + echo_i "ns2 $aq2 expected 2" + ret=1 } [ $aq3 -eq 1 ] || { - echo_i "ns3 $aq3 expected 1" - ret=1 + echo_i "ns3 $aq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -212,16 +221,16 @@ status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 [ $ar1 -eq 2 ] || { - echo_i "ns1 $ar1 expected 2" - ret=1 + echo_i "ns1 $ar1 expected 2" + ret=1 } [ $ar2 -eq 1 ] || { - echo_i "ns2 $ar2 expected 1" - ret=1 + echo_i "ns2 $ar2 expected 1" + ret=1 } [ $ar3 -eq 0 ] || { - echo_i "ns3 $ar3 expected 0" - ret=1 + echo_i "ns3 $ar3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -229,16 +238,16 @@ status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 [ $cq1 -eq 0 ] || { - echo_i "ns1 $cq1 expected 0" - ret=1 + echo_i "ns1 $cq1 expected 0" + ret=1 } [ $cq2 -eq 0 ] || { - echo_i "ns2 $cq2 expected 0" - ret=1 + echo_i "ns2 $cq2 expected 0" + ret=1 } [ $cq3 -eq 1 ] || { - echo_i "ns3 $cq3 expected 1" - ret=1 + echo_i "ns3 $cq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -246,16 +255,16 @@ status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 [ $cr1 -eq 1 ] || { - echo_i "ns1 $cr1 expected 1" - ret=1 + echo_i "ns1 $cr1 expected 1" + ret=1 } [ $cr2 -eq 1 ] || { - echo_i "ns2 $cr2 expected 1" - ret=1 + echo_i "ns2 $cr2 expected 1" + ret=1 } [ $cr3 -eq 2 ] || { - echo_i "ns3 $cr3 expected 2" - ret=1 + echo_i "ns3 $cr3 expected 2" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -263,16 +272,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 [ $rq1 -eq 0 ] || { - echo_i "ns1 $rq1 expected 0" - ret=1 + echo_i "ns1 $rq1 expected 0" + ret=1 } [ $rq2 -eq 0 ] || { - echo_i "ns2 $rq2 expected 0" - ret=1 + echo_i "ns2 $rq2 expected 0" + ret=1 } [ $rq3 -eq 3 ] || { - echo_i "ns3 $rq3 expected 3" - ret=1 + echo_i "ns3 $rq3 expected 3" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -280,16 +289,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 [ $rr1 -eq 0 ] || { - echo_i "ns1 $rr1 expected 0" - ret=1 + echo_i "ns1 $rr1 expected 0" + ret=1 } [ $rr2 -eq 0 ] || { - echo_i "ns2 $rr2 expected 0" - ret=1 + echo_i "ns2 $rr2 expected 0" + ret=1 } [ $rr3 -eq 3 ] || { - echo_i "ns3 $rr3 expected 3" - ret=1 + echo_i "ns3 $rr3 expected 3" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -297,16 +306,16 @@ status=$((status + ret)) echo_i "checking UPDATE_QUERY message counts" ret=0 [ $uq1 -eq 0 ] || { - echo_i "ns1 $uq1 expected 0" - ret=1 + echo_i "ns1 $uq1 expected 0" + ret=1 } [ $uq2 -eq 0 ] || { - echo_i "ns2 $uq2 expected 0" - ret=1 + echo_i "ns2 $uq2 expected 0" + ret=1 } [ $uq3 -eq 0 ] || { - echo_i "ns3 $uq3 expected 0" - ret=1 + echo_i "ns3 $uq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -314,16 +323,16 @@ status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 [ $ur1 -eq 0 ] || { - echo_i "ns1 $ur1 expected 0" - ret=1 + echo_i "ns1 $ur1 expected 0" + ret=1 } [ $ur2 -eq 0 ] || { - echo_i "ns2 $ur2 expected 0" - ret=1 + echo_i "ns2 $ur2 expected 0" + ret=1 } [ $ur3 -eq 0 ] || { - echo_i "ns3 $ur3 expected 0" - ret=1 + echo_i "ns3 $ur3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -366,16 +375,16 @@ ur3=$($DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l) echo_i "checking UDP message counts" ret=0 [ $udp1 -eq 0 ] || { - echo_i "ns1 $udp1 expected 0" - ret=1 + echo_i "ns1 $udp1 expected 0" + ret=1 } [ $udp2 -eq 2 ] || { - echo_i "ns2 $udp2 expected 2" - ret=1 + echo_i "ns2 $udp2 expected 2" + ret=1 } [ $udp3 -eq 2 ] || { - echo_i "ns3 $udp3 expected 2" - ret=1 + echo_i "ns3 $udp3 expected 2" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -383,16 +392,16 @@ status=$((status + ret)) echo_i "checking TCP message counts" ret=0 [ $tcp1 -eq 0 ] || { - echo_i "ns1 $tcp1 expected 0" - ret=1 + echo_i "ns1 $tcp1 expected 0" + ret=1 } [ $tcp2 -eq 0 ] || { - echo_i "ns2 $tcp2 expected 0" - ret=1 + echo_i "ns2 $tcp2 expected 0" + ret=1 } [ $tcp3 -eq 0 ] || { - echo_i "ns3 $tcp3 expected 0" - ret=1 + echo_i "ns3 $tcp3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -400,16 +409,16 @@ status=$((status + ret)) echo_i "checking AUTH_QUERY message counts" ret=0 [ $aq1 -eq 0 ] || { - echo_i "ns1 $aq1 exepcted 0" - ret=1 + echo_i "ns1 $aq1 exepcted 0" + ret=1 } [ $aq2 -eq 0 ] || { - echo_i "ns2 $aq2 expected 0" - ret=1 + echo_i "ns2 $aq2 expected 0" + ret=1 } [ $aq3 -eq 0 ] || { - echo_i "ns3 $aq3 expected 0" - ret=1 + echo_i "ns3 $aq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -417,16 +426,16 @@ status=$((status + ret)) echo_i "checking AUTH_RESPONSE message counts" ret=0 [ $ar1 -eq 0 ] || { - echo_i "ns1 $ar1 expected 0" - ret=1 + echo_i "ns1 $ar1 expected 0" + ret=1 } [ $ar2 -eq 0 ] || { - echo_i "ns2 $ar2 expected 0" - ret=1 + echo_i "ns2 $ar2 expected 0" + ret=1 } [ $ar3 -eq 0 ] || { - echo_i "ns3 $ar3 expected 0" - ret=1 + echo_i "ns3 $ar3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -434,16 +443,16 @@ status=$((status + ret)) echo_i "checking CLIENT_QUERY message counts" ret=0 [ $cq1 -eq 0 ] || { - echo_i "ns1 $cq1 expected 0" - ret=1 + echo_i "ns1 $cq1 expected 0" + ret=1 } [ $cq2 -eq 0 ] || { - echo_i "ns2 $cq2 expected 0" - ret=1 + echo_i "ns2 $cq2 expected 0" + ret=1 } [ $cq3 -eq 1 ] || { - echo_i "ns3 $cq3 expected 1" - ret=1 + echo_i "ns3 $cq3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -451,16 +460,16 @@ status=$((status + ret)) echo_i "checking CLIENT_RESPONSE message counts" ret=0 [ $cr1 -eq 0 ] || { - echo_i "ns1 $cr1 expected 0" - ret=1 + echo_i "ns1 $cr1 expected 0" + ret=1 } [ $cr2 -eq 0 ] || { - echo_i "ns2 $cr2 expected 0" - ret=1 + echo_i "ns2 $cr2 expected 0" + ret=1 } [ $cr3 -eq 1 ] || { - echo_i "ns3 $cr3 expected 1" - ret=1 + echo_i "ns3 $cr3 expected 1" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -468,16 +477,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_QUERY message counts" ret=0 [ $rq1 -eq 0 ] || { - echo_i "ns1 $rq1 expected 0" - ret=1 + echo_i "ns1 $rq1 expected 0" + ret=1 } [ $rq2 -eq 0 ] || { - echo_i "ns2 $rq2 expected 0" - ret=1 + echo_i "ns2 $rq2 expected 0" + ret=1 } [ $rq3 -eq 0 ] || { - echo_i "ns3 $rq3 expected 0" - ret=1 + echo_i "ns3 $rq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -485,16 +494,16 @@ status=$((status + ret)) echo_i "checking RESOLVER_RESPONSE message counts" ret=0 [ $rr1 -eq 0 ] || { - echo_i "ns1 $rr1 expected 0" - ret=1 + echo_i "ns1 $rr1 expected 0" + ret=1 } [ $rr2 -eq 0 ] || { - echo_i "ns2 $rr2 expected 0" - ret=1 + echo_i "ns2 $rr2 expected 0" + ret=1 } [ $rr3 -eq 0 ] || { - echo_i "ns3 $rr3 expected 0" - ret=1 + echo_i "ns3 $rr3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -502,16 +511,16 @@ status=$((status + ret)) echo_i "checking UPDATE_QUERY message counts" ret=0 [ $uq1 -eq 0 ] || { - echo_i "ns1 $uq1 expected 0" - ret=1 + echo_i "ns1 $uq1 expected 0" + ret=1 } [ $uq2 -eq 1 ] || { - echo_i "ns2 $uq2 expected 1" - ret=1 + echo_i "ns2 $uq2 expected 1" + ret=1 } [ $uq3 -eq 0 ] || { - echo_i "ns3 $uq3 expected 0" - ret=1 + echo_i "ns3 $uq3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -519,16 +528,16 @@ status=$((status + ret)) echo_i "checking UPDATE_RESPONSE message counts" ret=0 [ $ur1 -eq 0 ] || { - echo_i "ns1 $ur1 expected 0" - ret=1 + echo_i "ns1 $ur1 expected 0" + ret=1 } [ $ur2 -eq 1 ] || { - echo_i "ns2 $ur2 expected 1" - ret=1 + echo_i "ns2 $ur2 expected 1" + ret=1 } [ $ur3 -eq 0 ] || { - echo_i "ns3 $ur3 expected 0" - ret=1 + echo_i "ns3 $ur3 expected 0" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -540,271 +549,271 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) HAS_PYYAML=0 -if [ -x "$PYTHON" ] ; then - $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 +if [ -x "$PYTHON" ]; then + $PYTHON -c "import yaml" 2>/dev/null && HAS_PYYAML=1 fi -if [ $HAS_PYYAML -ne 0 ] ; then - echo_i "checking dnstap-read YAML output" - ret=0 - { - $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" > ydump.out || ret=1 - } | cat_i - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ $HAS_PYYAML -ne 0 ]; then + echo_i "checking dnstap-read YAML output" + ret=0 + { + $PYTHON ydump.py "$DNSTAPREAD" "ns3/dnstap.out.save" >ydump.out || ret=1 + } | cat_i + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking dnstap-read hex output" ret=0 hex=$($DNSTAPREAD -x ns3/dnstap.out | tail -1) -echo $hex | $WIRETEST > dnstap.hex -grep 'status: NOERROR' dnstap.hex > /dev/null 2>&1 || ret=1 -grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex > /dev/null 2>&1 || ret=1 +echo $hex | $WIRETEST >dnstap.hex +grep 'status: NOERROR' dnstap.hex >/dev/null 2>&1 || ret=1 +grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -n "$FSTRM_CAPTURE" ] ; then - $DIG $DIGOPTS @10.53.0.4 a.example > dig.out +if [ -n "$FSTRM_CAPTURE" ]; then + $DIG $DIGOPTS @10.53.0.4 a.example >dig.out - # send an UPDATE to ns4 - $NSUPDATE <<- EOF > nsupdate.out 2>&1 && ret=1 + # send an UPDATE to ns4 + $NSUPDATE <<-EOF >nsupdate.out 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone example update add b.example 3600 in a 10.10.10.10 send EOF - grep "update failed: NOTAUTH" nsupdate.out > /dev/null || ret=1 - - echo_i "checking unix socket message counts" - sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { - echo_i "dnstap output file smaller than expected" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - kill $fstrm_capture_pid - wait - udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) - tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) - aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) - ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) - cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) - cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) - rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) - rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) - uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) - ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) - - echo_i "checking UDP message counts" - ret=0 - [ $udp4 -eq 4 ] || { - echo_i "ns4 $udp4 expected 4" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking TCP message counts" - ret=0 - [ $tcp4 -eq 0 ] || { - echo_i "ns4 $tcp4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_QUERY message counts" - ret=0 - [ $aq4 -eq 0 ] || { - echo_i "ns4 $aq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_RESPONSE message counts" - ret=0 - [ $ar4 -eq 0 ] || { - echo_i "ns4 $ar4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_QUERY message counts" - ret=0 - [ $cq4 -eq 1 ] || { - echo_i "ns4 $cq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_RESPONSE message counts" - ret=0 - [ $cr4 -eq 1 ] || { - echo_i "ns4 $cr4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_QUERY message counts" - ret=0 - [ $rq4 -eq 0 ] || { - echo_i "ns4 $rq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_RESPONSE message counts" - ret=0 - [ $rr4 -eq 0 ] || { - echo_i "ns4 $rr4 expected 0" - ret=1 - } - - echo_i "checking UPDATE_QUERY message counts" - ret=0 - [ $uq4 -eq 1 ] || { - echo_i "ns4 $uq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking UPDATE_RESPONSE message counts" - ret=0 - [ $ur4 -eq 1 ] || { - echo_i "ns4 $ur4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - mv dnstap.out dnstap.out.save - - echo_i "restarting fstrm_capture" - $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ - -w dnstap.out > fstrm_capture.out.2 2>&1 & - fstrm_capture_pid=$! - wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { - echo_i "failed" - ret=1 - } - $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i - $DIG $DIGOPTS @10.53.0.4 a.example > dig.out - - echo_i "checking reopened unix socket message counts" - sleep 2 - retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { - echo_i "dnstap output file smaller than expected" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - kill $fstrm_capture_pid - wait - udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) - tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) - aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) - ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) - cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) - cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) - rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) - rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) - uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) - ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) - - echo_i "checking UDP message counts" - ret=0 - [ $udp4 -eq 2 ] || { - echo_i "ns4 $udp4 expected 2" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking TCP message counts" - ret=0 - [ $tcp4 -eq 0 ] || { - echo_i "ns4 $tcp4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_QUERY message counts" - ret=0 - [ $aq4 -eq 0 ] || { - echo_i "ns4 $aq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking AUTH_RESPONSE message counts" - ret=0 - [ $ar4 -eq 0 ] || { - echo_i "ns4 $ar4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_QUERY message counts" - ret=0 - [ $cq4 -eq 1 ] || { - echo_i "ns4 $cq4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking CLIENT_RESPONSE message counts" - ret=0 - [ $cr4 -eq 1 ] || { - echo_i "ns4 $cr4 expected 1" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_QUERY message counts" - ret=0 - [ $rq4 -eq 0 ] || { - echo_i "ns4 $rq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking RESOLVER_RESPONSE message counts" - ret=0 - [ $rr4 -eq 0 ] || { - echo_i "ns4 $rr4 expected 0" - ret=1 - } - - echo_i "checking UPDATE_QUERY message counts" - ret=0 - [ $uq4 -eq 0 ] || { - echo_i "ns4 $uq4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - echo_i "checking UPDATE_RESPONSE message counts" - ret=0 - [ $ur4 -eq 0 ] || { - echo_i "ns4 $ur4 expected 0" - ret=1 - } - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + grep "update failed: NOTAUTH" nsupdate.out >/dev/null || ret=1 + + echo_i "checking unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 450 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + kill $fstrm_capture_pid + wait + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 4 ] || { + echo_i "ns4 $udp4 expected 4" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 1 ] || { + echo_i "ns4 $uq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 1 ] || { + echo_i "ns4 $ur4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + mv dnstap.out dnstap.out.save + + echo_i "restarting fstrm_capture" + $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ + -w dnstap.out >fstrm_capture.out.2 2>&1 & + fstrm_capture_pid=$! + wait_for_log 10 "socket path ns4/dnstap.out" fstrm_capture.out.2 || { + echo_i "failed" + ret=1 + } + $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i + $DIG $DIGOPTS @10.53.0.4 a.example >dig.out + + echo_i "checking reopened unix socket message counts" + sleep 2 + retry_quiet 5 dnstap_data_ready $fstrm_capture_pid dnstap.out 270 || { + echo_i "dnstap output file smaller than expected" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + kill $fstrm_capture_pid + wait + udp4=$($DNSTAPREAD dnstap.out | grep "UDP " | wc -l) + tcp4=$($DNSTAPREAD dnstap.out | grep "TCP " | wc -l) + aq4=$($DNSTAPREAD dnstap.out | grep "AQ " | wc -l) + ar4=$($DNSTAPREAD dnstap.out | grep "AR " | wc -l) + cq4=$($DNSTAPREAD dnstap.out | grep "CQ " | wc -l) + cr4=$($DNSTAPREAD dnstap.out | grep "CR " | wc -l) + rq4=$($DNSTAPREAD dnstap.out | grep "RQ " | wc -l) + rr4=$($DNSTAPREAD dnstap.out | grep "RR " | wc -l) + uq4=$($DNSTAPREAD dnstap.out | grep "UQ " | wc -l) + ur4=$($DNSTAPREAD dnstap.out | grep "UR " | wc -l) + + echo_i "checking UDP message counts" + ret=0 + [ $udp4 -eq 2 ] || { + echo_i "ns4 $udp4 expected 2" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking TCP message counts" + ret=0 + [ $tcp4 -eq 0 ] || { + echo_i "ns4 $tcp4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_QUERY message counts" + ret=0 + [ $aq4 -eq 0 ] || { + echo_i "ns4 $aq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking AUTH_RESPONSE message counts" + ret=0 + [ $ar4 -eq 0 ] || { + echo_i "ns4 $ar4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_QUERY message counts" + ret=0 + [ $cq4 -eq 1 ] || { + echo_i "ns4 $cq4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking CLIENT_RESPONSE message counts" + ret=0 + [ $cr4 -eq 1 ] || { + echo_i "ns4 $cr4 expected 1" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_QUERY message counts" + ret=0 + [ $rq4 -eq 0 ] || { + echo_i "ns4 $rq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking RESOLVER_RESPONSE message counts" + ret=0 + [ $rr4 -eq 0 ] || { + echo_i "ns4 $rr4 expected 0" + ret=1 + } + + echo_i "checking UPDATE_QUERY message counts" + ret=0 + [ $uq4 -eq 0 ] || { + echo_i "ns4 $uq4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "checking UPDATE_RESPONSE message counts" + ret=0 + [ $ur4 -eq 0 ] || { + echo_i "ns4 $ur4 expected 0" + ret=1 + } + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi echo_i "checking large packet printing" @@ -817,30 +826,28 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) _test_dnstap_roll() ( - ip="$1" - ns="$2" - n="$3" + ip="$1" + ns="$2" + n="$3" - $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i && - files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) && - test "$files" -eq "${n}" && test "$files" -ge "1" || return 1 + $RNDCCMD -s "${ip}" dnstap -roll "${n}" | sed "s/^/${ns} /" | cat_i \ + && files=$(find "$ns" -name "dnstap.out.[0-9]" | wc -l) \ + && test "$files" -eq "${n}" && test "$files" -ge "1" || return 1 ) - test_dnstap_roll() { - echo_i "checking 'rndc -roll $4' ($1)" - ret=0 - - try=0 - while test $try -lt 12 - do - touch "$3/dnstap.out.$try" - try=$((try + 1)) - done - - _repeat 10 _test_dnstap_roll $2 $3 $4 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + echo_i "checking 'rndc -roll $4' ($1)" + ret=0 + + try=0 + while test $try -lt 12; do + touch "$3/dnstap.out.$try" + try=$((try + 1)) + done + + _repeat 10 _test_dnstap_roll $2 $3 $4 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } start_server --noclean --restart --port "${PORT}" ns3 diff --git a/bin/tests/system/dnstap/tests_dnstap.py b/bin/tests/system/dnstap/tests_dnstap.py index ca687b0..0dbf2aa 100644 --- a/bin/tests/system/dnstap/tests_dnstap.py +++ b/bin/tests/system/dnstap/tests_dnstap.py @@ -28,7 +28,7 @@ def run_rndc(server, rndc_command): rndc = os.getenv("RNDC") port = os.getenv("CONTROLPORT") - cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server] + cmdline = [rndc, "-c", "../_common/rndc.conf", "-p", port, "-s", server] cmdline.extend(rndc_command) subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10) diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in index 500675f..6a8bcdb 100644 --- a/bin/tests/system/doth/ns1/named.conf.in +++ b/bin/tests/system/doth/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -89,6 +89,7 @@ options { listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.1; }; // DoT listen-on port @EXTRAPORT5@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; }; // DoT listen-on port @EXTRAPORT6@ tls tls-forward-secrecy-mutual-tls http local { 10.53.0.1; }; // DoH + listen-on port @EXTRAPORT7@ tls tls-forward-secrecy { 10.53.0.1; }; // DoT recursion no; notify explicit; also-notify { 10.53.0.2 port @PORT@; }; @@ -170,3 +171,27 @@ zone "example11" { file "example.db"; allow-transfer port @EXTRAPORT5@ transport tls { any; }; }; + +zone "example12" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example13" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example14" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; + +zone "example15" { + type primary; + file "example.db"; + allow-transfer port @EXTRAPORT7@ transport tls { any; }; +}; diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in index 3cb2042..e533f47 100644 --- a/bin/tests/system/doth/ns2/named.conf.in +++ b/bin/tests/system/doth/ns2/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -55,7 +55,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-example-primary { diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in index 74d3957..cd1ab9c 100644 --- a/bin/tests/system/doth/ns3/named.conf.in +++ b/bin/tests/system/doth/ns3/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -48,7 +48,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-v1.2-pfs { diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in index 077226a..c7c6c91 100644 --- a/bin/tests/system/doth/ns4/named.conf.in +++ b/bin/tests/system/doth/ns4/named.conf.in @@ -18,7 +18,7 @@ # startup/reconfiguration was known to cause timeout issues in the CI # system, where many tests run in parallel. -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -56,7 +56,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; tls tls-v1.2-pfs { diff --git a/bin/tests/system/doth/ns5/named.conf.in b/bin/tests/system/doth/ns5/named.conf.in new file mode 100644 index 0000000..6808618 --- /dev/null +++ b/bin/tests/system/doth/ns5/named.conf.in @@ -0,0 +1,83 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# We need a separate instance for the "rndc reconfig" test in order to +# ensure that it does not use ephemeral keys (these are costly to +# generate) and creates a minimal amount of TLS contexts, reducing the +# time needed for startup/reconfiguration. Long +# startup/reconfiguration was known to cause timeout issues in the CI +# system, where many tests run in parallel. + +include "../../_common/rndc.key"; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + tls-port @TLSPORT@; + https-port @HTTPSPORT@; + http-port @HTTPPORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify no; + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +# Let's reuse the same entry multiple times to see if transfers will succeed + +tls tls-v1.2 { + protocols { TLSv1.2; }; + prefer-server-ciphers yes; +}; + +zone "example12" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example12.db"; + allow-transfer { any; }; +}; + +zone "example13" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example13.db"; + allow-transfer { any; }; +}; + +zone "example14" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example14.db"; + allow-transfer { any; }; +}; + +zone "example15" { + type secondary; + primaries { 10.53.0.1 port @EXTRAPORT7@ tls tls-v1.2; }; + file "example15.db"; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/doth/prereq.sh b/bin/tests/system/doth/prereq.sh index 36a8e37..c745136 100644 --- a/bin/tests/system/doth/prereq.sh +++ b/bin/tests/system/doth/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --with-libnghttp2 || { - echo_i "This test requires libnghttp2 support." >&2 - exit 255 + echo_i "This test requires libnghttp2 support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/doth/setup.sh b/bin/tests/system/doth/setup.sh index c50c31f..775dd33 100644 --- a/bin/tests/system/doth/setup.sh +++ b/bin/tests/system/doth/setup.sh @@ -15,18 +15,19 @@ $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 >ns1/example.db -echo '; huge answer' >> ns1/example.db +echo '; huge answer' >>ns1/example.db x=1 while [ $x -le 50 ]; do - y=1 - while [ $y -le 50 ]; do - printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >> ns1/example.db - y=$((y+1)) - done - x=$((x+1)) + y=1 + while [ $y -le 50 ]; do + printf 'biganswer\t\tA\t\t10.10.%d.%d\n' $x $y >>ns1/example.db + y=$((y + 1)) + done + x=$((x + 1)) done copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf diff --git a/bin/tests/system/doth/stress_http_quota.py b/bin/tests/system/doth/stress_http_quota.py index 12e29c8..05ad043 100755 --- a/bin/tests/system/doth/stress_http_quota.py +++ b/bin/tests/system/doth/stress_http_quota.py @@ -161,12 +161,12 @@ class SubDIG: # and examining their statuses in one logical operation. class MultiDIG: def __init__(self, numdigs, http_secure=None, extra_args=None): - assert int(numdigs) > 0 + assert int(numdigs) > 0, f"numdigs={numdigs}" digs = [] for _ in range(1, int(numdigs) + 1): digs.append(SubDIG(http_secure=http_secure, extra_args=extra_args)) self.digs = digs - assert len(self.digs) == int(numdigs) + assert len(self.digs) == int(numdigs), f"len={len(self.digs)} numdigs={numdigs}" def run(self): for p in self.digs: diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh index a95bd8c..aad2352 100644 --- a/bin/tests/system/doth/tests.sh +++ b/bin/tests/system/doth/tests.sh @@ -23,9 +23,9 @@ msg_peer_verification_failed=";; TLS peer certificate verification" ca_file="./CA/CA.pem" if [ -x "$PYTHON" ]; then - OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") - OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) - OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) + OPENSSL_VERSION=$("$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/get_openssl_version.py") + OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 1) + OPENSSL_VERSION_MINOR=$(echo "$OPENSSL_VERSION" | cut -d ' ' -f 2) fi # According to the RFC 8310, Section 8.1, Subject field MUST @@ -44,91 +44,91 @@ fi # ignore the tests checking the correct handling of absence of # SubjectAltName. if [ -n "$OPENSSL_VERSION" ]; then - if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then - run_san_tests=1 - elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then - run_san_tests=1 - fi + if [ $OPENSSL_VERSION_MAJOR -gt 1 ]; then + run_san_tests=1 + elif [ $OPENSSL_VERSION_MAJOR -eq 1 ] && [ $OPENSSL_VERSION_MINOR -ge 1 ]; then + run_san_tests=1 + fi fi dig_with_tls_opts() { - # shellcheck disable=SC2086 - "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@" } dig_with_https_opts() { - # shellcheck disable=SC2086 - "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +https $common_dig_options -p "${HTTPSPORT}" "$@" } dig_with_http_opts() { - # shellcheck disable=SC2086 - "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" +http-plain $common_dig_options -p "${HTTPPORT}" "$@" } dig_with_opts() { - # shellcheck disable=SC2086 - "$DIG" $common_dig_options -p "${PORT}" "$@" + # shellcheck disable=SC2086 + "$DIG" $common_dig_options -p "${PORT}" "$@" } wait_for_tls_xfer() ( - srv_number="$1" - shift - zone_name="$1" - shift - # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces - dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR > "dig.out.ns$srv_number.${zone_name}.test$n" || return 1 - grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" > /dev/null && return 1 - return 0 + srv_number="$1" + shift + zone_name="$1" + shift + # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces + dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1 + grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1 + return 0 ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing XoT server functionality (using dig) ($n)" ret=0 -dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 +dig_with_tls_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 grep "^;" dig.out.ns1.test$n | cat_i digcomp example.axfr.good dig.out.ns1.test$n || ret=1 -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example; then - digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns2.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) if [ -n "$run_san_tests" ]; then - n=$((n + 1)) - echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" - ret=0 - if retry_quiet 10 wait_for_tls_xfer 2 example3; then - ret=1 - else - echo_i "timed out waiting for zone transfer" - fi - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "testing incoming XoT functionality (from the first secondary, no SubjectAltName, failure expected) ($n)" + ret=0 + if retry_quiet 10 wait_for_tls_xfer 2 example3; then + ret=1 + else + echo_i "timed out waiting for zone transfer" + fi + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via implicit IP) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example4; then - retry_quiet 5 test -f "ns2/example4.db" || ret=1 + retry_quiet 5 test -f "ns2/example4.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example4.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example4.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -137,11 +137,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv4) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example5; then - retry_quiet 5 test -f "ns2/example5.db" || ret=1 + retry_quiet 5 test -f "ns2/example5.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example5.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example5.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -150,11 +150,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, StrictTLS via specified IPv6) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example6; then - retry_quiet 5 test -f "ns2/example6.db" || ret=1 + retry_quiet 5 test -f "ns2/example6.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example6.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example6.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -163,9 +163,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, wrong hostname, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example7; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -174,9 +174,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, expired certificate, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example8; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -185,11 +185,11 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example9; then - retry_quiet 5 test -f "ns2/example9.db" || ret=1 + retry_quiet 5 test -f "ns2/example9.db" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns2.example9.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns2.example9.test$n" | cat_i + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -198,9 +198,9 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, no client cert, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example10; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -209,96 +209,96 @@ n=$((n + 1)) echo_i "testing incoming XoT functionality (from the first secondary, MutualTLS, expired client cert, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 2 example11; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the second secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 3 example; then - digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns3.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns3.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns3.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the second secondary, mismatching ciphers, failure expected) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 3 example2; then - ret=1 + ret=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incoming XoT functionality (from the third secondary) ($n)" ret=0 if retry_quiet 10 wait_for_tls_xfer 4 example; then - digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1 + digcomp example.axfr.good "dig.out.ns4.example.test$n" || ret=1 else - echo_i "timed out waiting for zone transfer" - grep "^;" "dig.out.ns4.example.test$n" | cat_i - ret=1 + echo_i "timed out waiting for zone transfer" + grep "^;" "dig.out.ns4.example.test$n" | cat_i + ret=1 fi -if test $ret != 0 ; then echo_i "failed"; fi -status=$((status+ret)) +if test $ret != 0; then echo_i "failed"; fi +status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (ephemeral key) ($n)" ret=0 -dig_with_tls_opts @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query via IPv6 (ephemeral key) ($n)" ret=0 -dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts -6 @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (static key) ($n)" ret=0 -dig_with_tls_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query via IPv6 (static key) ($n)" ret=0 -dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT XFR ($n)" ret=0 -dig_with_tls_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # zone transfers are allowed only via TLS -n=$((n+1)) +n=$((n + 1)) echo_i "testing zone transfer over Do53 server functionality (using dig, failure expected) ($n)" ret=0 -dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 -grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1 +dig_with_opts example. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 +grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -306,8 +306,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking Do53 query ($n)" ret=0 -dig_with_opts @10.53.0.1 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.1 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -321,8 +321,8 @@ n=$((n + 1)) echo_i "checking DoT XFR with wrong ALPN token (h2, failure expected) ($n)" ret=0 # shellcheck disable=SC2086 -"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR > dig.out.test$n -grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1 +"$DIG" +tls $common_dig_options -p "${HTTPSPORT}" +comm @10.53.0.1 . AXFR >dig.out.test$n +grep "$msg_xfrs_not_allowed" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -332,279 +332,279 @@ n=$((n + 1)) echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)" ret=0 # shellcheck disable=SC2086 -"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1 +"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "ALPN for HTTP/2 failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST) ($n)" ret=0 -dig_with_https_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST) ($n)" ret=0 -dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +stat -6 @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, static key) ($n)" ret=0 -dig_with_https_opts @10.53.0.2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts @10.53.0.2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST, static key) ($n)" ret=0 -dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts +https=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https=/alter @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https=/alter @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tries=1 +time=1 +https=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (POST, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +tries=1 +time=1 +https=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH XFR (POST) (failure expected) ($n)" ret=0 -dig_with_https_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET) ($n)" ret=0 -dig_with_https_opts +stat +https-get @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +stat +https-get @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET) ($n)" ret=0 -dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTPS-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +stat +https-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTPS-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, static key) ($n)" ret=0 -dig_with_https_opts +https-get @10.53.0.2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get @10.53.0.2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET, static key) ($n)" ret=0 -dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::2 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get=/alter @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET, nonstandard endpoint) ($n)" ret=0 -dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https-get=/alter @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (GET, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tries=1 +time=1 +https-get=/fake @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 (GET, undefined endpoint, failure expected) ($n)" ret=0 -dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n && ret=1 -grep "communications error" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +tries=1 +time=1 +https-get=/fake @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n && ret=1 +grep "communications error" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH XFR (GET) (failure expected) ($n)" ret=0 -dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query (POST) ($n)" ret=0 -dig_with_http_opts +stat @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +stat @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 (POST) ($n)" ret=0 -dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 +stat @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query (GET) ($n)" ret=0 -dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +stat +http-plain-get @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 (GET) ($n)" ret=0 -dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep -F "(HTTP-GET)" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 +stat +http-plain-get @fd92:7065:b8e:ffff::1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep -F "(HTTP-GET)" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH XFR (failure expected) ($n)" ret=0 -dig_with_http_opts +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 -grep "; Transfer failed." dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 +grep "; Transfer failed." dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query for a large answer (POST) ($n)" ret=0 -dig_with_https_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 for a large answer (POST) ($n)" ret=0 -dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query for a large answer (GET) ($n)" ret=0 -dig_with_https_opts +https-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query via IPv6 for a large answer (GET) ($n)" ret=0 -dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts -6 +https-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query for a large answer (POST) ($n)" ret=0 -dig_with_http_opts @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 for a large answer (POST) ($n)" ret=0 -dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query for a large answer (GET) ($n)" ret=0 -dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts +http-plain-get @10.53.0.1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking unencrypted DoH query via IPv6 for a large answer (GET) ($n)" ret=0 -dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1 +dig_with_http_opts -6 +http-plain-get @fd92:7065:b8e:ffff::1 biganswer.example A >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2500" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -wait_for_tlsctx_update_ns4 () { - grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run > /dev/null || return 1 - grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run > /dev/null || return 1 - return 0 +wait_for_tlsctx_update_ns4() { + grep "updating TLS context on 10.53.0.4#${HTTPSPORT}" ns4/named.run >/dev/null || return 1 + grep "updating TLS context on 10.53.0.4#${TLSPORT}" ns4/named.run >/dev/null || return 1 + return 0 } n=$((n + 1)) @@ -618,16 +618,16 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query after a reconfiguration ($n)" ret=0 -dig_with_tls_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST) after a reconfiguration ($n)" ret=0 -dig_with_https_opts @10.53.0.4 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts @10.53.0.4 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -635,7 +635,7 @@ n=$((n + 1)) echo_i "doing rndc reconfig to see if HTTP endpoints have gotten reconfigured ($n)" ret=0 # 'sed -i ...' is not portable. Sigh... -sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" > "ns4/named.conf.sed" +sed 's/\/dns-query/\/dns-query-test/g' "ns4/named.conf" >"ns4/named.conf.sed" mv -f "ns4/named.conf.sed" "ns4/named.conf" rndc_reconfig ns4 10.53.0.4 60 retry_quiet 15 wait_for_tlsctx_update_ns4 || ret=1 @@ -645,40 +645,40 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (POST) to verify HTTP endpoint reconfiguration ($n)" ret=0 -dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https='/dns-query-test' @10.53.0.4 example SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (with TLS verification enabled) ($n)" ret=0 -dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (with TLS verification enabled, self-signed cert, failure expected) ($n)" ret=0 -dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (with TLS verification using the system's CA store, failure expected) ($n)" ret=0 -dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (with TLS verification using the system's CA store, failure expected) ($n)" ret=0 -dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tls-ca +tls-hostname="srv01.crt01.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -687,30 +687,30 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (with TLS verification, hostname is not specified, IP address is used instead) ($n)" ret=0 -dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null && ret=1 +dig_with_tls_opts +tls-ca="$ca_file" @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if [ -n "$run_san_tests" ]; then - # SubjectAltName is required for DoT as according to RFC 8310, Subject - # field MUST NOT be inspected when verifying hostname for DoT. - n=$((n + 1)) - echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)" - ret=0 - dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . SOA > dig.out.test$n || ret=1 - grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)" - ret=0 - # shellcheck disable=SC2086 - dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR > dig.out.test$n || ret=1 - grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + # SubjectAltName is required for DoT as according to RFC 8310, Subject + # field MUST NOT be inspected when verifying hostname for DoT. + n=$((n + 1)) + echo_i "checking DoT query (with TLS verification enabled when SubjectAltName is not set, failure expected) ($n)" + ret=0 + dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" @10.53.0.1 . SOA >dig.out.test$n || ret=1 + grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking DoT XFR over a TLS port where SubjectAltName is not set (failure expected) ($n)" + ret=0 + # shellcheck disable=SC2086 + dig_with_tls_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT2}" +comm @10.53.0.1 . AXFR >dig.out.test$n || ret=1 + grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # SubjectAltName is not required for HTTPS. Having a properly set @@ -718,48 +718,48 @@ fi n=$((n + 1)) echo_i "checking DoH query (when SubjectAltName is not set) ($n)" ret=0 -dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +tls-ca="$ca_file" +tls-hostname="srv01.crt02-no-san.example.com" -p "${EXTRAPORT3}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (expired certificate, Opportunistic TLS) ($n)" ret=0 -dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts +tls -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoT query (expired certificate, Strict TLS, failure expected) ($n)" ret=0 -dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "$msg_peer_verification_failed" dig.out.test$n > /dev/null || ret=1 +dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT4}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "$msg_peer_verification_failed" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing XoT server functionality (using dig, client certificate required, failure expected) ($n)" ret=0 -dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 -grep "; Transfer failed." dig.out.ns1.test$n > /dev/null || ret=1 -if test $ret != 0 ; then echo_i "failed"; fi +dig_with_tls_opts +tls-ca="$ca_file" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 +grep "; Transfer failed." dig.out.ns1.test$n >/dev/null || ret=1 +if test $ret != 0; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing XoT server functionality (using dig, client certificate used) ($n)" ret=0 -dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr > dig.out.ns1.test$n || ret=1 -digcomp dig.out.ns1.test$n example8.axfr.good > /dev/null || ret=1 -if test $ret != 0 ; then echo_i "failed"; fi +dig_with_tls_opts +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT5}" example8. -b 10.53.0.10 @10.53.0.1 axfr >dig.out.ns1.test$n || ret=1 +digcomp dig.out.ns1.test$n example8.axfr.good >/dev/null || ret=1 +if test $ret != 0; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking DoH query (client certificate required, failure expected) ($n)" ret=0 -dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n && ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1 +dig_with_https_opts +tls-ca="$ca_file" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n && ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -767,8 +767,8 @@ n=$((n + 1)) echo_i "checking DoH query (client certificate used) ($n)" ret=0 # shellcheck disable=SC2086 -dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -777,64 +777,63 @@ n=$((n + 1)) echo_i "checking DoH query (client certificate used - session resumption when using Mutual TLS) ($n)" ret=0 # shellcheck disable=SC2086 -dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA > dig.out.test$n || ret=1 -grep "TLS error" dig.out.test$n > /dev/null && ret=1 +dig_with_https_opts +https +tls-ca="$ca_file" +tls-certfile="./CA/certs/srv01.client01.example.com.pem" +tls-keyfile="./CA/certs/srv01.client01.example.com.key" -p "${EXTRAPORT6}" +comm @10.53.0.1 . SOA . SOA >dig.out.test$n || ret=1 +grep "TLS error" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) test_opcodes() { - EXPECT_STATUS="$1" - shift - for op in "$@"; - do - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH for opcode $op ($n)" - ret=0 - dig_with_https_opts +https @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)" - ret=0 - dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)" - ret=0 - dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)" - ret=0 - dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoT for opcode $op ($n)" - ret=0 - dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)" - ret=0 - dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" > dig.out.test$n || ret=1 - grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - done + EXPECT_STATUS="$1" + shift + for op in "$@"; do + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH for opcode $op ($n)" + ret=0 + dig_with_https_opts +https @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH via IPv6 for opcode $op ($n)" + ret=0 + dig_with_https_opts -6 +https @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)" + ret=0 + dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoH via IPv6 without encryption for opcode $op ($n)" + ret=0 + dig_with_http_opts -6 +http-plain @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoT for opcode $op ($n)" + ret=0 + dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking unexpected opcode query over DoT via IPv6 for opcode $op ($n)" + ret=0 + dig_with_tls_opts -6 +tls @fd92:7065:b8e:ffff::1 +opcode="$op" >dig.out.test$n || ret=1 + grep "status: $EXPECT_STATUS" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done } test_opcodes NOERROR 0 @@ -845,45 +844,77 @@ n=$((n + 1)) echo_i "checking server quotas for both encrypted and unencrypted HTTP ($n)" ret=0 if [ -x "$PYTHON" ]; then - BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$? + BINDHOST="10.53.0.1" "$PYTHON" "$TOP_SRCDIR/bin/tests/system/doth/stress_http_quota.py" || ret=$? else - echo_i "Python is not available. Skipping the test..." + echo_i "Python is not available. Skipping the test..." fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # check whether we can use curl for sending test queries. -if [ -x "${CURL}" ] ; then - CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)" - - if [ -n "$CURL_HTTP2" ]; then - testcurl=1 - else - echo_i "The available version of CURL does not have HTTP/2 support" - fi +if [ -x "${CURL}" ]; then + CURL_HTTP2="$(${CURL} --version | grep -E '^Features:.* HTTP2( |$)' || true)" + + if [ -n "$CURL_HTTP2" ]; then + testcurl=1 + else + echo_i "The available version of CURL does not have HTTP/2 support" + fi fi # Note: see README.curl for information on how to generate curl # queries. if [ -n "$testcurl" ]; then - n=$((n + 1)) - echo_i "checking max-age for positive answer ($n)" - ret=0 - # use curl to query for 'example/SOA' - $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" > /dev/null 2>&1 || ret=1 - grep "cache-control: max-age=86400" headers.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n + 1)) - echo_i "checking max-age for negative answer ($n)" - ret=0 - # use curl to query for 'fake.example/TXT' - $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" > /dev/null 2>&1 || ret=1 - grep "cache-control: max-age=3600" headers.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "checking max-age for positive answer ($n)" + ret=0 + # use curl to query for 'example/SOA' + $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ" >/dev/null 2>&1 || ret=1 + grep "cache-control: max-age=86400" headers.$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking max-age for negative answer ($n)" + ret=0 + # use curl to query for 'fake.example/TXT' + $CURL -kD headers.$n "https://10.53.0.1:${HTTPSPORT}/dns-query?dns=AAEAAAABAAAAAAAABGZha2UHZXhhbXBsZQAAEAAB" >/dev/null 2>&1 || ret=1 + grep "cache-control: max-age=3600" headers.$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example12\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example12 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example13\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example13 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example14\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example14 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking Do53 query to NS5 for zone \"example15\" (verifying successful client TLS context reuse by the NS5 server instance during XoT) ($n)" +ret=0 +dig_with_opts +comm @10.53.0.5 example15 SOA >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh index d7efd9a..a4abccc 100644 --- a/bin/tests/system/dsdigest/ns1/sign.sh +++ b/bin/tests/system/dsdigest/ns1/sign.sh @@ -25,12 +25,12 @@ cp ../ns2/dsset-bad. . key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $key2 > trusted.conf +keyfile_to_static_ds $key2 >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/dsdigest/ns2/named.conf.in b/bin/tests/system/dsdigest/ns2/named.conf.in index d3fd750..b20a027 100644 --- a/bin/tests/system/dsdigest/ns2/named.conf.in +++ b/bin/tests/system/dsdigest/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "good" { diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh index 5bb4fce..37456fe 100644 --- a/bin/tests/system/dsdigest/ns2/sign.sh +++ b/bin/tests/system/dsdigest/ns2/sign.sh @@ -28,16 +28,15 @@ keyname22=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone2) cat $infile1 $keyname11.key $keyname12.key >$zonefile1 cat $infile2 $keyname21.key $keyname22.key >$zonefile2 -$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null -$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null +$SIGNER -P -g -o $zone1 $zonefile1 >/dev/null +$SIGNER -P -g -o $zone2 $zonefile2 >/dev/null DSFILENAME1=dsset-${zone1}. DSFILENAME2=dsset-${zone2}. -$DSFROMKEY -a SHA-256 $keyname12 > $DSFILENAME1 -$DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2 +$DSFROMKEY -a SHA-256 $keyname12 >$DSFILENAME1 +$DSFROMKEY -a SHA-256 $keyname22 >$DSFILENAME2 algo=SHA-384 -$DSFROMKEY -a $algo $keyname12 >> $DSFILENAME1 -$DSFROMKEY -a $algo $keyname22 > $DSFILENAME2 - +$DSFROMKEY -a $algo $keyname12 >>$DSFILENAME1 +$DSFROMKEY -a $algo $keyname22 >$DSFILENAME2 diff --git a/bin/tests/system/dsdigest/ns3/named.conf.in b/bin/tests/system/dsdigest/ns3/named.conf.in index a2b105c..bd4eb83 100644 --- a/bin/tests/system/dsdigest/ns3/named.conf.in +++ b/bin/tests/system/dsdigest/ns3/named.conf.in @@ -33,7 +33,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/ns4/named.conf.in b/bin/tests/system/dsdigest/ns4/named.conf.in index e43763b..74e8960 100644 --- a/bin/tests/system/dsdigest/ns4/named.conf.in +++ b/bin/tests/system/dsdigest/ns4/named.conf.in @@ -31,7 +31,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh index 3650f4a..9d9b966 100644 --- a/bin/tests/system/dsdigest/tests.sh +++ b/bin/tests/system/dsdigest/tests.sh @@ -25,9 +25,9 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" echo_i "checking that validation with enabled digest types works" ret=0 -$DIG $DIGOPTS a.good. @10.53.0.3 a > dig.out.good || ret=1 -grep "status: NOERROR" dig.out.good > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.good > /dev/null || ret=1 +$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1 +grep "status: NOERROR" dig.out.good >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -35,19 +35,19 @@ status=$((status + ret)) echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL" ret=0 -$DIG $DIGOPTS a.bad. @10.53.0.3 a > dig.out.bad || ret=1 -grep "SERVFAIL" dig.out.bad > /dev/null || ret=1 +$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1 +grep "SERVFAIL" dig.out.bad >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that validation with no supported digest algorithms results in insecure" ret=0 -$DIG $DIGOPTS bad. @10.53.0.4 ds > dig.out.ds || ret=1 -grep "NOERROR" dig.out.ds > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.ds > /dev/null || ret=1 -$DIG $DIGOPTS a.bad. @10.53.0.4 a > dig.out.insecure || ret=1 -grep "NOERROR" dig.out.insecure > /dev/null || ret=1 -grep "flags:[^;]* ad[ ;]" dig.out.insecure > /dev/null && ret=1 +$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1 +grep "NOERROR" dig.out.ds >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1 +$DIG $DIGOPTS a.bad. @10.53.0.4 a >dig.out.insecure || ret=1 +grep "NOERROR" dig.out.insecure >/dev/null || ret=1 +grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "exit status: $status" diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh index 6f96c6a..b6aa8da 100644 --- a/bin/tests/system/dupsigs/ns1/reset_keys.sh +++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh @@ -18,7 +18,7 @@ rm -rf keys/signing.test mkdir -p keys/signing.test timetodnssec() { - $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]); + $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]); printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1} } @@ -37,9 +37,8 @@ ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone) # clear all times on all keys -for FILEN in keys/signing.test/*.key -do - $SETTIME -P none -A none -R none -I none -D none $FILEN +for FILEN in keys/signing.test/*.key; do + $SETTIME -P none -A none -R none -I none -D none $FILEN done BASE=$(date +%s) diff --git a/bin/tests/system/dupsigs/setup.sh b/bin/tests/system/dupsigs/setup.sh index 4ac8a8d..563de43 100644 --- a/bin/tests/system/dupsigs/setup.sh +++ b/bin/tests/system/dupsigs/setup.sh @@ -20,4 +20,7 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE copy_setports ns1/named.conf.in ns1/named.conf cp -f ns1/signing.test.db.in ns1/signing.test.db -(cd ns1; $SHELL ./reset_keys.sh) +( + cd ns1 + $SHELL ./reset_keys.sh +) diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh index 4ab3a73..939ff2d 100644 --- a/bin/tests/system/dupsigs/tests.sh +++ b/bin/tests/system/dupsigs/tests.sh @@ -26,20 +26,20 @@ status=0 # - 2 x 500 signatures for a{0000-0499}.signing.test. # # for a total of 1008. -fully_signed () { - $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr" - awk 'BEGIN { lines = 0 } +fully_signed() { + $DIG axfr signing.test -p ${PORT} @10.53.0.1 >"dig.out.ns1.axfr" + awk 'BEGIN { lines = 0 } $4 == "RRSIG" {lines++} - END { if (lines != 1008) exit(1) }' < "dig.out.ns1.axfr" + END { if (lines != 1008) exit(1) }' <"dig.out.ns1.axfr" } # Wait for the last NSEC record in the zone to be signed. This is a lightweight # alternative to avoid many AXFR requests while waiting for the zone to be # fully signed. _wait_for_last_nsec_signed() { - $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1 - grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1 - return 0 + $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec >"dig.out.ns1.wait" || return 1 + grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" >/dev/null || return 1 + return 0 } echo_i "wait for the zone to be fully signed" @@ -52,19 +52,18 @@ now=$start end=$((start + 140)) while [ $now -lt $end ] && [ $status -eq 0 ]; do - et=$((now - start)) - echo_i "............... $et ............" - $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i - $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et - awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i - lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l) - if [ ${et} -ne 0 -a ${lines} -ne 1008 ] - then - echo_i "failed" - status=$((status + 1)) - fi - sleep 5 - now=$(date +%s) + et=$((now - start)) + echo_i "............... $et ............" + $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i + $DIG axfr signing.test -p ${PORT} @10.53.0.1 >dig.out.at$et + awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i + lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l) + if [ ${et} -ne 0 -a ${lines} -ne 1008 ]; then + echo_i "failed" + status=$((status + 1)) + fi + sleep 5 + now=$(date +%s) done echo_i "exit status: $status" diff --git a/bin/tests/system/dyndb/driver/Makefile.in b/bin/tests/system/dyndb/driver/Makefile.in index ccfad1d..d760fb2 100644 --- a/bin/tests/system/dyndb/driver/Makefile.in +++ b/bin/tests/system/dyndb/driver/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tests/system/dyndb/prereq.sh b/bin/tests/system/dyndb/prereq.sh index 19e0467..3bab2a6 100644 --- a/bin/tests/system/dyndb/prereq.sh +++ b/bin/tests/system/dyndb/prereq.sh @@ -13,9 +13,9 @@ . ../conf.sh -$FEATURETEST --tsan && { - echo_i "TSAN - skipping dyndb test" - exit 255 +$FEATURETEST --tsan && { + echo_i "TSAN - skipping dyndb test" + exit 255 } exit 0 diff --git a/bin/tests/system/dyndb/tests.sh b/bin/tests/system/dyndb/tests.sh index ef02dea..dc6c3d0 100644 --- a/bin/tests/system/dyndb/tests.sh +++ b/bin/tests/system/dyndb/tests.sh @@ -19,102 +19,100 @@ status=0 n=0 DIGOPTS="@10.53.0.1 -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" newtest() { - n=$((n + 1)) - echo_i "${1} (${n})" - ret=0 + n=$((n + 1)) + echo_i "${1} (${n})" + ret=0 } test_add() { - host="$1" - type="$2" - ip="$3" + host="$1" + type="$2" + ip="$3" - cat <<EOF > ns1/update.txt + cat <<EOF >ns1/update.txt server 10.53.0.1 ${PORT} ttl 86400 update add $host $type $ip send EOF - newtest "adding $host $type $ip" - $NSUPDATE ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed for $host $type $ip" - return 1 - } - - out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) - echo $out > added.a.out.$n - lines=$(echo "$out" | grep "$ip" | wc -l) - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - - for i in 1 2 3 4 5 6 7 8 9 10 - do - out=$($DIG $DIGOPTS +noall +answer -x $ip) - echo $out > added.ptr.out.$n - lines=$(echo "$out" | grep "$host" | wc -l) - [ $lines -eq 1 ] && break; - $PERL -e 'select(undef, undef, undef, 0.1);' - done - [ $lines -eq 1 ] || { - [ "$should_fail" ] || \ - echo_i "dig reverse output incorrect for $host $type $cmd: $out" - return 1 - } - - return 0 + newtest "adding $host $type $ip" + $NSUPDATE ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed for $host $type $ip" + return 1 + } + + out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) + echo $out >added.a.out.$n + lines=$(echo "$out" | grep "$ip" | wc -l) + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + + for i in 1 2 3 4 5 6 7 8 9 10; do + out=$($DIG $DIGOPTS +noall +answer -x $ip) + echo $out >added.ptr.out.$n + lines=$(echo "$out" | grep "$host" | wc -l) + [ $lines -eq 1 ] && break + $PERL -e 'select(undef, undef, undef, 0.1);' + done + [ $lines -eq 1 ] || { + [ "$should_fail" ] \ + || echo_i "dig reverse output incorrect for $host $type $cmd: $out" + return 1 + } + + return 0 } test_del() { - host="$1" - type="$2" + host="$1" + type="$2" - ip=$($DIG $DIGOPTS +short $host $type) + ip=$($DIG $DIGOPTS +short $host $type) - cat <<EOF > ns1/update.txt + cat <<EOF >ns1/update.txt server 10.53.0.1 ${PORT} update del $host $type send EOF - newtest "deleting $host $type (was $ip)" - $NSUPDATE ns1/update.txt > /dev/null 2>&1 || { - [ "$should_fail" ] || \ - echo_i "update failed deleting $host $type" - return 1 - } - - out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) - echo $out > deleted.a.out.$n - lines=$(echo "$out" | grep "$ip" | wc -l) - [ $lines -eq 0 ] || { - [ "$should_fail" ] || \ - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - - for i in 1 2 3 4 5 6 7 8 9 10 - do - out=$($DIG $DIGOPTS +noall +answer -x $ip) - echo $out > deleted.ptr.out.$n - lines=$(echo "$out" | grep "$host" | wc -l) - [ $lines -eq 0 ] && break - $PERL -e 'select(undef, undef, undef, 0.1);' - done - [ $lines -eq 0 ] || { - [ "$should_fail" ] || \ - echo_i "dig reverse output incorrect for $host $type $cmd: $out" - return 1 - } - - return 0 + newtest "deleting $host $type (was $ip)" + $NSUPDATE ns1/update.txt >/dev/null 2>&1 || { + [ "$should_fail" ] \ + || echo_i "update failed deleting $host $type" + return 1 + } + + out=$($DIG $DIGOPTS +noall +answer -t $type -q $host) + echo $out >deleted.a.out.$n + lines=$(echo "$out" | grep "$ip" | wc -l) + [ $lines -eq 0 ] || { + [ "$should_fail" ] \ + || echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + + for i in 1 2 3 4 5 6 7 8 9 10; do + out=$($DIG $DIGOPTS +noall +answer -x $ip) + echo $out >deleted.ptr.out.$n + lines=$(echo "$out" | grep "$host" | wc -l) + [ $lines -eq 0 ] && break + $PERL -e 'select(undef, undef, undef, 0.1);' + done + [ $lines -eq 0 ] || { + [ "$should_fail" ] \ + || echo_i "dig reverse output incorrect for $host $type $cmd: $out" + return 1 + } + + return 0 } test_add test1.ipv4.example.nil. A "10.53.0.10" || ret=1 @@ -142,8 +140,8 @@ test_del test4.ipv6.example.nil. AAAA || ret=1 status=$((status + ret)) newtest "checking parameter logging" -grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run > /dev/null || ret=1 -grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run > /dev/null || ret=1 +grep "loading params for dyndb 'sample' from .*named.conf:" ns1/named.run >/dev/null || ret=1 +grep "loading params for dyndb 'sample2' from .*named.conf:" ns1/named.run >/dev/null || ret=1 [ $ret -eq 1 ] && echo_i "failed" status=$((status + ret)) diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh index f922225..b773344 100644 --- a/bin/tests/system/ecdsa/ns1/sign.sh +++ b/bin/tests/system/ecdsa/ns1/sign.sh @@ -24,34 +24,34 @@ echo_i "ns1/sign.sh" cp $infile $zonefile if [ -f ../ecdsa256-supported.file ]; then - zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") - ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") - cat "$ksk256.key" "$zsk256.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256 + zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone") + ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone") + cat "$ksk256.key" "$zsk256.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk256.key" >>dsset-256 fi if [ -f ../ecdsa384-supported.file ]; then - zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") - ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") - cat "$ksk384.key" "$zsk384.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256 + zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone") + ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone") + cat "$ksk384.key" "$zsk384.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk384.key" >>dsset-256 fi # Configure the resolving server with a static key. if [ -f ../ecdsa256-supported.file ]; then - keyfile_to_static_ds $ksk256 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk256 >trusted.conf + cp trusted.conf ../ns2/trusted.conf else - keyfile_to_static_ds $ksk384 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk384 >trusted.conf + cp trusted.conf ../ns2/trusted.conf fi if [ -f ../ecdsa384-supported.file ]; then - keyfile_to_static_ds $ksk384 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk384 >trusted.conf + cp trusted.conf ../ns3/trusted.conf else - keyfile_to_static_ds $ksk256 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk256 >trusted.conf + cp trusted.conf ../ns3/trusted.conf fi -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/ecdsa/ns2/named.conf.in b/bin/tests/system/ecdsa/ns2/named.conf.in index fd125d3..bb8a89c 100644 --- a/bin/tests/system/ecdsa/ns2/named.conf.in +++ b/bin/tests/system/ecdsa/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in index f1a80b6..0053898 100644 --- a/bin/tests/system/ecdsa/ns3/named.conf.in +++ b/bin/tests/system/ecdsa/ns3/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh index 86cd1cf..466d015 100644 --- a/bin/tests/system/ecdsa/setup.sh +++ b/bin/tests/system/ecdsa/setup.sh @@ -16,17 +16,17 @@ set -e . ../conf.sh if $SHELL ../testcrypto.sh ecdsap256sha256; then - echo "yes" > ecdsa256-supported.file + echo "yes" >ecdsa256-supported.file fi if $SHELL ../testcrypto.sh ecdsap384sha384; then - echo "yes" > ecdsa384-supported.file + echo "yes" >ecdsa384-supported.file fi copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh index f1210ec..f596fbf 100644 --- a/bin/tests/system/ecdsa/tests.sh +++ b/bin/tests/system/ecdsa/tests.sh @@ -19,35 +19,35 @@ status=0 n=0 dig_with_opts() { - "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } if [ -f ecdsa256-supported.file ]; then - n=$((n+1)) - echo_i "checking that ECDSA256 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "checking that ECDSA256 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm ECDSA256 not supported, skipping test" + echo_i "algorithm ECDSA256 not supported, skipping test" fi if [ -f ecdsa384-supported.file ]; then - n=$((n+1)) - echo_i "checking that ECDSA384 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + echo_i "checking that ECDSA384 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm ECDSA384 not supported, skipping test" + echo_i "algorithm ECDSA384 not supported, skipping test" fi echo_i "exit status: $status" diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh index 9bf07f0..f2df328 100644 --- a/bin/tests/system/eddsa/ns1/sign.sh +++ b/bin/tests/system/eddsa/ns1/sign.sh @@ -24,34 +24,34 @@ echo_i "ns1/sign.sh" cp $infile $zonefile if [ -f ../ed25519-supported.file ]; then - zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") - ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") - cat "$ksk25519.key" "$zsk25519.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk25519.key" >> dsset-256 + zsk25519=$($KEYGEN -q -a ED25519 -n zone "$zone") + ksk25519=$($KEYGEN -q -a ED25519 -n zone -f KSK "$zone") + cat "$ksk25519.key" "$zsk25519.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk25519.key" >>dsset-256 fi if [ -f ../ed448-supported.file ]; then - zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") - ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") - cat "$ksk448.key" "$zsk448.key" >> "$zonefile" - $DSFROMKEY -a sha-256 "$ksk448.key" >> dsset-256 + zsk448=$($KEYGEN -q -a ED448 -n zone "$zone") + ksk448=$($KEYGEN -q -a ED448 -n zone -f KSK "$zone") + cat "$ksk448.key" "$zsk448.key" >>"$zonefile" + $DSFROMKEY -a sha-256 "$ksk448.key" >>dsset-256 fi # Configure the resolving server with a static key. if [ -f ../ed25519-supported.file ]; then - keyfile_to_static_ds $ksk25519 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk25519 >trusted.conf + cp trusted.conf ../ns2/trusted.conf else - keyfile_to_static_ds $ksk448 > trusted.conf - cp trusted.conf ../ns2/trusted.conf + keyfile_to_static_ds $ksk448 >trusted.conf + cp trusted.conf ../ns2/trusted.conf fi if [ -f ../ed448-supported.file ]; then - keyfile_to_static_ds $ksk448 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk448 >trusted.conf + cp trusted.conf ../ns3/trusted.conf else - keyfile_to_static_ds $ksk25519 > trusted.conf - cp trusted.conf ../ns3/trusted.conf + keyfile_to_static_ds $ksk25519 >trusted.conf + cp trusted.conf ../ns3/trusted.conf fi -$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -g -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns2/named.conf.in b/bin/tests/system/eddsa/ns2/named.conf.in index fd125d3..bb8a89c 100644 --- a/bin/tests/system/eddsa/ns2/named.conf.in +++ b/bin/tests/system/eddsa/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh index 6c1c479..04322fd 100644 --- a/bin/tests/system/eddsa/ns2/sign.sh +++ b/bin/tests/system/eddsa/ns2/sign.sh @@ -27,12 +27,11 @@ cp $infile $zonefile if [ -f ../ed25519-supported.file ]; then - for i in Xexample.com.+015+03613 Xexample.com.+015+35217 - do - cp "$i.key" "$(echo $i.key | sed s/X/K/)" - cp "$i.private" "$(echo $i.private | sed s/X/K/)" - cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" - done + for i in Xexample.com.+015+03613 Xexample.com.+015+35217; do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile" + done fi -$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/ns3/named.conf.in b/bin/tests/system/eddsa/ns3/named.conf.in index f1a80b6..0053898 100644 --- a/bin/tests/system/eddsa/ns3/named.conf.in +++ b/bin/tests/system/eddsa/ns3/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/eddsa/ns3/sign.sh b/bin/tests/system/eddsa/ns3/sign.sh index e501923..7c625bc 100644 --- a/bin/tests/system/eddsa/ns3/sign.sh +++ b/bin/tests/system/eddsa/ns3/sign.sh @@ -26,12 +26,11 @@ echo_i "ns3/sign.sh" cp $infile $zonefile if [ -f ../ed448-supported.file ]; then - for i in Xexample.com.+016+09713 Xexample.com.+016+38353 - do - cp "$i.key" "$(echo $i.key | sed s/X/K/)" - cp "$i.private" "$(echo $i.private | sed s/X/K/)" - cat "$(echo $i.key | sed s/X/K/)" >> "$zonefile" - done + for i in Xexample.com.+016+09713 Xexample.com.+016+38353; do + cp "$i.key" "$(echo $i.key | sed s/X/K/)" + cp "$i.private" "$(echo $i.private | sed s/X/K/)" + cat "$(echo $i.key | sed s/X/K/)" >>"$zonefile" + done fi -$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err +$SIGNER -P -z -s "$starttime" -e "$endtime" -o "$zone" "$zonefile" >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/eddsa/prereq.sh b/bin/tests/system/eddsa/prereq.sh index 5b1385b..98ed032 100644 --- a/bin/tests/system/eddsa/prereq.sh +++ b/bin/tests/system/eddsa/prereq.sh @@ -17,10 +17,10 @@ set -e supported=0 if $SHELL ../testcrypto.sh ed25519; then - supported=1 + supported=1 fi if $SHELL ../testcrypto.sh ed448; then - supported=1 + supported=1 fi [ "$supported" -eq 1 ] || exit 1 diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh index a0d95a9..cad2756 100644 --- a/bin/tests/system/eddsa/setup.sh +++ b/bin/tests/system/eddsa/setup.sh @@ -16,11 +16,11 @@ set -e . ../conf.sh if $SHELL ../testcrypto.sh ed25519; then - echo "yes" > ed25519-supported.file + echo "yes" >ed25519-supported.file fi if $SHELL ../testcrypto.sh ed448; then - echo "yes" > ed448-supported.file + echo "yes" >ed448-supported.file fi copy_setports ns1/named.conf.in ns1/named.conf @@ -28,14 +28,14 @@ copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) ( - cd ns2 - $SHELL sign.sh + cd ns2 + $SHELL sign.sh ) ( - cd ns3 - $SHELL sign.sh + cd ns3 + $SHELL sign.sh ) diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh index 4fe0a0c..93cf5cb 100644 --- a/bin/tests/system/eddsa/tests.sh +++ b/bin/tests/system/eddsa/tests.sh @@ -19,68 +19,68 @@ status=0 n=0 dig_with_opts() { - "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } if [ -f ed25519-supported.file ]; then - # Check the example. domain - n=$((n+1)) - echo_i "checking that Ed25519 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check the example. domain + n=$((n + 1)) + echo_i "checking that Ed25519 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) - # Check test vectors (RFC 8080 + errata) - n=$((n+1)) - echo_i "checking that Ed25519 test vectors match ($n)" - ret=0 - grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed > /dev/null || ret=1 - grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check test vectors (RFC 8080 + errata) + n=$((n + 1)) + echo_i "checking that Ed25519 test vectors match ($n)" + ret=0 + grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'zXQ0bkYgQTEFyfLyi9QoiY6D8ZdYo4wyUhVi' ns2/example.com.db.signed >/dev/null || ret=1 + grep 'R0O7KuI5k2pcBg==' ns2/example.com.db.signed >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm Ed25519 not supported, skipping vectors match test" + echo_i "algorithm Ed25519 not supported, skipping vectors match test" fi -n=$((n+1)) +n=$((n + 1)) ret=0 if [ -f ed448-supported.file ]; then - # Check the example. domain - n=$((n+1)) - echo_i "checking that Ed448 positive validation works ($n)" - ret=0 - dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1 - dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + # Check the example. domain + n=$((n + 1)) + echo_i "checking that Ed448 positive validation works ($n)" + ret=0 + dig_with_opts . @10.53.0.1 soa >dig.out.ns1.test$n || ret=1 + dig_with_opts . @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + $PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1 + grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) - # Check test vectors (RFC 8080 + errata) - n=$((n+1)) - echo_i "checking that Ed448 test vectors match ($n)" - ret=0 - grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'WKsJlwEA' ns3/example.com.db.signed > /dev/null || ret=1 + # Check test vectors (RFC 8080 + errata) + n=$((n + 1)) + echo_i "checking that Ed448 test vectors match ($n)" + ret=0 + grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'WKsJlwEA' ns3/example.com.db.signed >/dev/null || ret=1 - grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed > /dev/null || ret=1 - grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed > /dev/null || ret=1 - grep 'ZmQ0YQUA' ns3/example.com.db.signed > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns3/example.com.db.signed >/dev/null || ret=1 + grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns3/example.com.db.signed >/dev/null || ret=1 + grep 'ZmQ0YQUA' ns3/example.com.db.signed >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "algorithm Ed448 not supported, skipping vectors match test" + echo_i "algorithm Ed448 not supported, skipping vectors match test" fi echo_i "exit status: $status" diff --git a/bin/tests/system/ednscompliance/tests.sh b/bin/tests/system/ednscompliance/tests.sh index 0c630f4..515951a 100644 --- a/bin/tests/system/ednscompliance/tests.sh +++ b/bin/tests/system/ednscompliance/tests.sh @@ -24,88 +24,163 @@ zone=. n=$((n + 1)) echo_i "check +edns=100 sets version 100 ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone > dig.out$n || ret=1 -grep "EDNS: version: 100," dig.out$n > /dev/null || { ret=1; reason="version"; } +$DIG $DIGOPTS @10.53.0.1 +qr +edns=100 soa $zone >dig.out$n || ret=1 +grep "EDNS: version: 100," dig.out$n >/dev/null || { + ret=1 + reason="version" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) ret=0 reason= echo_i "check +ednsopt=100 adds option 100 ($n)" -$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone > dig.out$n || ret=1 -grep "; OPT=100" dig.out$n > /dev/null || { ret=1; reason="option"; } +$DIG $DIGOPTS @10.53.0.1 +qr +ednsopt=100 soa $zone >dig.out$n || ret=1 +grep "; OPT=100" dig.out$n >/dev/null || { + ret=1 + reason="option" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check +ednsflags=0x80 sets flags to 0x0080 ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone > dig.out$n || ret=1 -grep "MBZ: 0x0080," dig.out$n > /dev/null || { ret=1; reason="flags"; } +$DIG $DIGOPTS @10.53.0.1 +qr +ednsflags=0x80 soa $zone >dig.out$n || ret=1 +grep "MBZ: 0x0080," dig.out$n >/dev/null || { + ret=1 + reason="flags" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS version ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n || ret=1 -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone >dig.out$n || ret=1 +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS option ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone > dig.out$n || ret=1 -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } -grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +$DIG $DIGOPTS @10.53.0.1 +ednsopt=100 soa $zone >dig.out$n || ret=1 +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "; OPT=100" dig.out$n >/dev/null && { + ret=1 + reason="option" +} +grep "IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="nosoa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS version + option ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone > dig.out$n || ret=1 -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "; OPT=100" dig.out$n > /dev/null && { ret=1; reason="option"; } -grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsopt=100 soa $zone >dig.out$n || ret=1 +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "; OPT=100" dig.out$n >/dev/null && { + ret=1 + reason="option" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed: $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS flag ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone > dig.out$n || ret=1 -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } -grep ".IN.SOA." dig.out$n > /dev/null || { ret=1; reason="nosoa"; } +$DIG $DIGOPTS @10.53.0.1 +ednsflags=0x80 soa $zone >dig.out$n || ret=1 +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && { + ret=1 + reason="mbz" +} +grep ".IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="nosoa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "Unknown EDNS version + flag ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone > dig.out$n || ret=1 -grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "EDNS:.*MBZ" dig.out$n > /dev/null > /dev/null && { ret=1; reason="mbz"; } -grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsneg +ednsflags=0x80 soa $zone >dig.out$n || ret=1 +grep "status: BADVERS," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "EDNS:.*MBZ" dig.out$n >/dev/null >/dev/null && { + ret=1 + reason="mbz" +} +grep "IN.SOA." dig.out$n >/dev/null && { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) echo_i "DiG's EDNS negotiation ($n)" ret=0 reason= -$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone > dig.out$n || ret=1 -grep "status: NOERROR," dig.out$n > /dev/null || { ret=1; reason="status"; } -grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." dig.out$n > /dev/null || { ret=1; reason="soa"; } +$DIG $DIGOPTS @10.53.0.1 +edns=100 soa $zone >dig.out$n || ret=1 +grep "status: NOERROR," dig.out$n >/dev/null || { + ret=1 + reason="status" +} +grep "EDNS: version: 0," dig.out$n >/dev/null || { + ret=1 + reason="version" +} +grep "IN.SOA." dig.out$n >/dev/null || { + ret=1 + reason="soa" +} if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=$((status + ret)) n=$((n + 1)) diff --git a/bin/tests/system/emptyzones/tests.sh b/bin/tests/system/emptyzones/tests.sh index c968d51..af9c88e 100644 --- a/bin/tests/system/emptyzones/tests.sh +++ b/bin/tests/system/emptyzones/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 @@ -27,18 +27,18 @@ ret=0 rndc_reload ns1 10.53.0.1 copy_setports ns1/named2.conf.in ns1/named.conf -$RNDCCMD 10.53.0.1 reload > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 reload >/dev/null || ret=1 sleep 5 -$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 > /dev/null || ret=1 +$DIG $DIGOPTS +vc version.bind txt ch @10.53.0.1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that allow-transfer { none; } works ($n)" ret=0 -$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all > dig.out.test$n || ret=1 -grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS axfr 10.in-addr.arpa @10.53.0.1 +all >dig.out.test$n || ret=1 +grep "status: REFUSED" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/enginepkcs11/prereq.sh b/bin/tests/system/enginepkcs11/prereq.sh index 296452b..5372924 100644 --- a/bin/tests/system/enginepkcs11/prereq.sh +++ b/bin/tests/system/enginepkcs11/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then - exit 0 + exit 0 fi echo_i "skip: softhsm2-util not available" diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh index 49988ad..7cae90d 100644 --- a/bin/tests/system/enginepkcs11/setup.sh +++ b/bin/tests/system/enginepkcs11/setup.sh @@ -18,102 +18,99 @@ set -e softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' -printf '%s' "${HSMPIN:-1234}" > pin +printf '%s' "${HSMPIN:-1234}" >pin PWD=$(pwd) copy_setports ns1/named.conf.in ns1/named.conf keygen() { - type="$1" - bits="$2" - zone="$3" - id="$4" - - label="${id}-${zone}" - p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1 + type="$1" + bits="$2" + zone="$3" + id="$4" + + label="${id}-${zone}" + p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id 2>pkcs11-tool.err.$zone.$id || return 1 } keyfromlabel() { - alg="$1" - zone="$2" - id="$3" - dir="$4" - shift 4 - - $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1 - cat keyfromlabel.out.$zone.$id + alg="$1" + zone="$2" + id="$3" + dir="$4" + shift 4 + + $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 + cat keyfromlabel.out.$zone.$id } - # Setup ns1. dir="ns1" infile="${dir}/template.db.in" for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - - if $SHELL ../testcrypto.sh $alg; then - zone="$alg.example" - zonefile="zone.$alg.example.db" - ret=0 - - echo_i "Generate keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone enginepkcs11-zsk || ret=1 - keygen $type $bits $zone enginepkcs11-ksk || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Get ZSK $alg $zone $type:$bits" - zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) - test -z "$zsk1" && exit 1 - - echo_i "Get KSK $alg $zone $type:$bits" - ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) - test -z "$ksk1" && exit 1 - - ( - cd $dir - zskid1=$(keyfile_to_key_id $zsk1) - kskid1=$(keyfile_to_key_id $ksk1) - echo "$zskid1" > $zone.zskid1 - echo "$kskid1" > $zone.kskid1 - ) - - echo_i "Sign zone with $ksk1 $zsk1" - cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}" - $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Generate successor keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 - keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 - test "$ret" -eq 0 || exit 1 - - echo_i "Get ZSK $alg $id-$zone $type:$bits" - zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) - test -z "$zsk2" && exit 1 - - echo_i "Get KSK $alg $id-$zone $type:$bits" - ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) - test -z "$ksk2" && exit 1 - - ( - cd $dir - zskid2=$(keyfile_to_key_id $zsk2) - kskid2=$(keyfile_to_key_id $ksk2) - echo "$zskid2" > $zone.zskid2 - echo "$kskid2" > $zone.kskid2 - cp "${zsk2}.key" "${zsk2}.zsk2" - cp "${ksk2}.key" "${ksk2}.ksk2" - ) - - echo_i "Add zone $zone to named.conf" - cat >> "${dir}/named.conf" <<EOF + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + + if $SHELL ../testcrypto.sh $alg; then + zone="$alg.example" + zonefile="zone.$alg.example.db" + ret=0 + + echo_i "Generate keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk || ret=1 + keygen $type $bits $zone enginepkcs11-ksk || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $zone $type:$bits" + zsk1=$(keyfromlabel $alg $zone enginepkcs11-zsk $dir) + test -z "$zsk1" && exit 1 + + echo_i "Get KSK $alg $zone $type:$bits" + ksk1=$(keyfromlabel $alg $zone enginepkcs11-ksk $dir -f KSK) + test -z "$ksk1" && exit 1 + + ( + cd $dir + zskid1=$(keyfile_to_key_id $zsk1) + kskid1=$(keyfile_to_key_id $ksk1) + echo "$zskid1" >$zone.zskid1 + echo "$kskid1" >$zone.kskid1 + ) + + echo_i "Sign zone with $ksk1 $zsk1" + cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}" + $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Generate successor keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone enginepkcs11-zsk2 || ret=1 + keygen $type $bits $zone enginepkcs11-ksk2 || ret=1 + test "$ret" -eq 0 || exit 1 + + echo_i "Get ZSK $alg $id-$zone $type:$bits" + zsk2=$(keyfromlabel $alg $zone enginepkcs11-zsk2 $dir) + test -z "$zsk2" && exit 1 + + echo_i "Get KSK $alg $id-$zone $type:$bits" + ksk2=$(keyfromlabel $alg $zone enginepkcs11-ksk2 $dir -f KSK) + test -z "$ksk2" && exit 1 + + ( + cd $dir + zskid2=$(keyfile_to_key_id $zsk2) + kskid2=$(keyfile_to_key_id $ksk2) + echo "$zskid2" >$zone.zskid2 + echo "$kskid2" >$zone.kskid2 + cp "${zsk2}.key" "${zsk2}.zsk2" + cp "${ksk2}.key" "${ksk2}.ksk2" + ) + + echo_i "Add zone $zone to named.conf" + cat >>"${dir}/named.conf" <<EOF zone "$zone" { type primary; file "${zonefile}.signed"; @@ -121,5 +118,5 @@ zone "$zone" { }; EOF - fi + fi done diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh index f8f0317..b518c79 100644 --- a/bin/tests/system/enginepkcs11/tests.sh +++ b/bin/tests/system/enginepkcs11/tests.sh @@ -23,65 +23,62 @@ ret=0 n=0 dig_with_opts() ( - $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" ) # Perform tests inside ns1 dir cd ns1 for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - zone="${alg}.example" - zonefile="zone.${zone}.db.signed" - - if [ ! -f $zonefile ]; then - echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}" - continue - fi - - # Basic checks if setup was successful. - n=$((n+1)) - ret=0 - echo_i "Test key generation was successful for $zone ($n)" - count=$(ls K*.key | grep "K${zone}" | wc -l) - test "$count" -eq 4 || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test zone signing was successful for $zone ($n)" - $VERIFY -z -o $zone "${zonefile}" > verify.out.$zone.$n 2>&1 || ret=1 - test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" - status=$((status+ret)) - - # Test inline signing with keys stored in engine. - zskid1=$(cat "${zone}.zskid1") - zskid2=$(cat "${zone}.zskid2") - - n=$((n+1)) - ret=0 - echo_i "Test inline signing for $zone ($n)" - dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || ret=1 - awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 1 || return 1 - grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" - status=$((status+ret)) - - - n=$((n+1)) - ret=0 - echo_i "Dynamically update $zone, add new zsk ($n)" - zsk2=$(grep -v ';' K${zone}.*.zsk2) - cat > "update.cmd.zsk.$zone.$n" <<EOF + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + zone="${alg}.example" + zonefile="zone.${zone}.db.signed" + + if [ ! -f $zonefile ]; then + echo_i "skipping test for ${alg}:${type}:${bits}, no signed zone file ${zonefile}" + continue + fi + + # Basic checks if setup was successful. + n=$((n + 1)) + ret=0 + echo_i "Test key generation was successful for $zone ($n)" + count=$(ls K*.key | grep "K${zone}" | wc -l) + test "$count" -eq 4 || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 keys, got $count)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test zone signing was successful for $zone ($n)" + $VERIFY -z -o $zone "${zonefile}" >verify.out.$zone.$n 2>&1 || ret=1 + test "$ret" -eq 0 || echo_i "failed (dnssec-verify failed)" + status=$((status + ret)) + + # Test inline signing with keys stored in engine. + zskid1=$(cat "${zone}.zskid1") + zskid2=$(cat "${zone}.zskid2") + + n=$((n + 1)) + ret=0 + echo_i "Test inline signing for $zone ($n)" + dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || ret=1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 1 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + test "$ret" -eq 0 || echo_i "failed (SOA RRset not signed with key $zskid1)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Dynamically update $zone, add new zsk ($n)" + zsk2=$(grep -v ';' K${zone}.*.zsk2) + cat >"update.cmd.zsk.$zone.$n" <<EOF server 10.53.0.1 $PORT ttl 300 zone $zone @@ -89,47 +86,47 @@ update add $zsk2 send EOF - $NSUPDATE -v > "update.log.zsk.$zone.$n" < "update.cmd.zsk.$zone.$n" || ret=1 - test "$ret" -eq 0 || echo_i "failed (update failed)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test DNSKEY response for $zone after inline signing ($n)" - _dig_dnskey() ( - dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 - count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) - test $count -eq 3 - ) - retry_quiet 10 _dig_dnskey || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test SOA response for $zone after inline signing ($n)" - _dig_soa() ( - dig_with_opts "$zone" @10.53.0.1 SOA > dig.out.soa.$zone.$n || return 1 - awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 2 || return 1 - grep -w "$zskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - grep -w "$zskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 - return 0 - ) - retry_quiet 10 _dig_soa || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" - status=$((status+ret)) - - # Test inline signing with keys stored in engine (key signing). - kskid1=$(cat "${zone}.kskid1") - kskid2=$(cat "${zone}.kskid2") - - n=$((n+1)) - ret=0 - echo_i "Dynamically update $zone, add new ksk ($n)" - ksk2=$(grep -v ';' K${zone}.*.ksk2) - cat > "update.cmd.ksk.$zone.$n" <<EOF + $NSUPDATE -v >"update.log.zsk.$zone.$n" <"update.cmd.zsk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing ($n)" + _dig_dnskey() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 3 + ) + retry_quiet 10 _dig_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 3 DNSKEY records)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test SOA response for $zone after inline signing ($n)" + _dig_soa() ( + dig_with_opts "$zone" @10.53.0.1 SOA >dig.out.soa.$zone.$n || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.soa.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$zskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + grep -w "$zskid2" dig.out.keyids.$zone.$n >/dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_soa || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 2 SOA RRSIG records)" + status=$((status + ret)) + + # Test inline signing with keys stored in engine (key signing). + kskid1=$(cat "${zone}.kskid1") + kskid2=$(cat "${zone}.kskid2") + + n=$((n + 1)) + ret=0 + echo_i "Dynamically update $zone, add new ksk ($n)" + ksk2=$(grep -v ';' K${zone}.*.ksk2) + cat >"update.cmd.ksk.$zone.$n" <<EOF server 10.53.0.1 $PORT ttl 300 zone $zone @@ -137,40 +134,40 @@ update add $ksk2 send EOF - $NSUPDATE -v > "update.log.ksk.$zone.$n" < "update.cmd.ksk.$zone.$n" || ret=1 - test "$ret" -eq 0 || echo_i "failed (update failed)" - status=$((status+ret)) - - n=$((n+1)) - ret=0 - echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" - _dig_dnskey_ksk() ( - dig_with_opts "$zone" @10.53.0.1 DNSKEY > dig.out.dnskey.$zone.$n || return 1 - count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) - test $count -eq 4 || return 1 - awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n > dig.out.keyids.$zone.$n || return 1 - numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) - test $numsigs -eq 2 || return 1 - grep -w "$kskid1" dig.out.keyids.$zone.$n > /dev/null || return 1 - grep -w "$kskid2" dig.out.keyids.$zone.$n > /dev/null || return 1 - return 0 - ) - retry_quiet 10 _dig_dnskey_ksk || ret=1 - test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" - status=$((status+ret)) + $NSUPDATE -v >"update.log.ksk.$zone.$n" <"update.cmd.ksk.$zone.$n" || ret=1 + test "$ret" -eq 0 || echo_i "failed (update failed)" + status=$((status + ret)) + + n=$((n + 1)) + ret=0 + echo_i "Test DNSKEY response for $zone after inline signing (key signing) ($n)" + _dig_dnskey_ksk() ( + dig_with_opts "$zone" @10.53.0.1 DNSKEY >dig.out.dnskey.$zone.$n || return 1 + count=$(awk 'BEGIN { count = 0 } $4 == "DNSKEY" { count++ } END {print count}' dig.out.dnskey.$zone.$n) + test $count -eq 4 || return 1 + awk '$4 == "RRSIG" { print $11 }' dig.out.dnskey.$zone.$n >dig.out.keyids.$zone.$n || return 1 + numsigs=$(cat dig.out.keyids.$zone.$n | wc -l) + test $numsigs -eq 2 || return 1 + grep -w "$kskid1" dig.out.keyids.$zone.$n >/dev/null || return 1 + grep -w "$kskid2" dig.out.keyids.$zone.$n >/dev/null || return 1 + return 0 + ) + retry_quiet 10 _dig_dnskey_ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed (expected 4 DNSKEY records, 2 KSK signatures)" + status=$((status + ret)) done # Go back to main test dir. cd .. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "Checking for assertion failure in pk11_numbits()" $PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt -dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1 +dig_with_opts @10.53.0.1 version.bind. CH TXT >dig.out.pk11_numbits || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/fetchlimit/prereq.sh b/bin/tests/system/fetchlimit/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/fetchlimit/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/fetchlimit/tests.sh b/bin/tests/system/fetchlimit/tests.sh index a16659d..6e3f749 100644 --- a/bin/tests/system/fetchlimit/tests.sh +++ b/bin/tests/system/fetchlimit/tests.sh @@ -18,44 +18,44 @@ set -e DIGCMD="$DIG @10.53.0.3 -p ${PORT} +tcp +tries=1 +time=1" rndccmd() ( - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" ) burst() { - server=${1} - num=${4:-20} - rm -f burst.input.$$ - while [ $num -gt 0 ]; do - num=$((num-1)) - if [ "${5}" = "dup" ]; then - # burst with duplicate queries - echo "${2}${3}.lamesub.example A" >> burst.input.$$ - else - # burst with unique queries - echo "${num}${2}${3}.lamesub.example A" >> burst.input.$$ - fi - done - $PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$ - rm -f burst.input.$$ + server=${1} + num=${4:-20} + rm -f burst.input.$$ + while [ $num -gt 0 ]; do + num=$((num - 1)) + if [ "${5}" = "dup" ]; then + # burst with duplicate queries + echo "${2}${3}.lamesub.example A" >>burst.input.$$ + else + # burst with unique queries + echo "${num}${2}${3}.lamesub.example A" >>burst.input.$$ + fi + done + $PERL ../ditch.pl -p ${PORT} -s ${server} burst.input.$$ + rm -f burst.input.$$ } stat() { - clients=$(rndccmd ${1} status | grep "recursive clients" | - sed 's;.*: \([^/][^/]*\)/.*;\1;') - echo_i "clients: $clients" - [ "$clients" = "" ] && return 1 - [ "$clients" -ge $2 ] || return 1 - [ "$clients" -le $3 ] || return 1 - return 0 + clients=$(rndccmd ${1} status | grep "recursive clients" \ + | sed 's;.*: \([^/][^/]*\)/.*;\1;') + echo_i "clients: $clients" + [ "$clients" = "" ] && return 1 + [ "$clients" -ge $2 ] || return 1 + [ "$clients" -le $3 ] || return 1 + return 0 } _wait_for_message() ( - nextpartpeek "$1" > wait_for_message.$n - grep -F "$2" wait_for_message.$n >/dev/null + nextpartpeek "$1" >wait_for_message.$n + grep -F "$2" wait_for_message.$n >/dev/null ) wait_for_message() ( - retry_quiet 20 _wait_for_message "$@" + retry_quiet 20 _wait_for_message "$@" ) n=0 @@ -68,17 +68,17 @@ ret=0 rndccmd 10.53.0.3 flush touch ans4/norespond for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - burst 10.53.0.3 a $try - # fetches-per-server is at 400, but at 20qps against a lame server, - # we'll reach 200 at the tenth second, and the quota should have been - # tuned to less than that by then. - [ $try -le 5 ] && low=$((try*10)) - stat 10.53.0.3 20 200 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst 10.53.0.3 a $try + # fetches-per-server is at 400, but at 20qps against a lame server, + # we'll reach 200 at the tenth second, and the quota should have been + # tuned to less than that by then. + [ $try -le 5 ] && low=$((try * 10)) + stat 10.53.0.3 20 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "dumping ADB data ($n)" @@ -90,7 +90,7 @@ set -- $info quota=$4 [ ${4:-200} -lt 200 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking servfail statistics ($n)" @@ -98,8 +98,8 @@ ret=0 rm -f ns3/named.stats rndccmd 10.53.0.3 stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done sspill=$(grep 'spilled due to server' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/') [ -z "$sspill" ] && sspill=0 @@ -107,20 +107,20 @@ fails=$(grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9 [ -z "$fails" ] && fails=0 [ "$fails" -ge "$sspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking lame server recovery ($n)" ret=0 test -f ans4/norespond && rm -f ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.3 b $try - stat 10.53.0.3 0 200 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst 10.53.0.3 b $try + stat 10.53.0.3 0 200 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "dumping ADB data ($n)" @@ -132,19 +132,19 @@ set -- $info [ ${4:-${quota}} -lt $quota ] || ret=1 quota=$4 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking lame server recovery (continued) ($n)" ret=0 for try in 1 2 3 4 5 6 7 8 9 10; do - burst 10.53.0.3 c $try - stat 10.53.0.3 0 20 || ret=1 - [ $ret -eq 1 ] && break - sleep 1 + burst 10.53.0.3 c $try + stat 10.53.0.3 0 20 || ret=1 + [ $ret -eq 1 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "dumping ADB data ($n)" @@ -156,7 +156,7 @@ set -- $info [ ${4:-${quota}} -gt $quota ] || ret=1 quota=$4 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 @@ -168,20 +168,20 @@ fail=0 success=0 touch ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.3 b $try 300 - $DIGCMD a ${try}.example > dig.out.ns3.$n.$try - grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - success=$((success+1)) - grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - fail=$(($fail+1)) - stat 10.53.0.3 30 50 || ret=1 - [ $ret -eq 1 ] && break - rndccmd 10.53.0.3 recursing 2>&1 | sed 's/^/ns3 /' | cat_i - sleep 1 + burst 10.53.0.3 b $try 300 + $DIGCMD a ${try}.example >dig.out.ns3.$n.$try + grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && success=$((success + 1)) + grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && fail=$(($fail + 1)) + stat 10.53.0.3 30 50 || ret=1 + [ $ret -eq 1 ] && break + rndccmd 10.53.0.3 recursing 2>&1 | sed 's/^/ns3 /' | cat_i + sleep 1 done echo_i "$success successful valid queries, $fail SERVFAIL" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -189,8 +189,8 @@ ret=0 rm -f ns3/named.stats rndccmd 10.53.0.3 stats for try in 1 2 3 4 5; do - [ -f ns3/named.stats ] && break - sleep 1 + [ -f ns3/named.stats ] && break + sleep 1 done zspill=$(grep 'spilled due to zone' ns3/named.stats | sed 's/\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 @@ -198,7 +198,7 @@ drops=$(grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries. [ -z "$drops" ] && drops=0 [ "$drops" -ge "$zspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) copy_setports ns3/named3.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 @@ -211,23 +211,32 @@ exceeded=0 success=0 touch ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.3 b $try 400 - $DIGCMD +time=2 a ${try}.example > dig.out.ns3.$n.$try - stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1)) - grep "status: NOERROR" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - success=$((success+1)) - grep "status: SERVFAIL" dig.out.ns3.$n.$try > /dev/null 2>&1 && \ - fail=$(($fail+1)) - sleep 1 + burst 10.53.0.3 b $try 400 + $DIGCMD +time=2 a ${try}.example >dig.out.ns3.$n.$try + stat 10.53.0.3 1 400 || exceeded=$((exceeded + 1)) + grep "status: NOERROR" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && success=$((success + 1)) + grep "status: SERVFAIL" dig.out.ns3.$n.$try >/dev/null 2>&1 \ + && fail=$(($fail + 1)) + sleep 1 done echo_i "$success successful valid queries (expected 5)" -[ "$success" -eq 5 ] || { echo_i "failed"; ret=1; } +[ "$success" -eq 5 ] || { + echo_i "failed" + ret=1 +} echo_i "$fail SERVFAIL responses (expected 0)" -[ "$fail" -eq 0 ] || { echo_i "failed"; ret=1; } +[ "$fail" -eq 0 ] || { + echo_i "failed" + ret=1 +} echo_i "clients count exceeded 400 on $exceeded trials (expected 0)" -[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; } +[ "$exceeded" -eq 0 ] || { + echo_i "failed" + ret=1 +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -239,7 +248,7 @@ wait_for_log 5 "queries dropped due to recursive client limit" ns3/named.stats | drops=$(grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/') [ "${drops:-0}" -ne 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) nextpart ns5/named.run >/dev/null @@ -248,12 +257,12 @@ echo_i "checking clients are dropped at the clients-per-query limit ($n)" ret=0 test -f ans4/norespond && rm -f ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.5 latency $try 20 "dup" - sleep 1 + burst 10.53.0.5 latency $try 20 "dup" + sleep 1 done wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -261,8 +270,8 @@ ret=0 rm -f ns5/named.stats rndccmd 10.53.0.5 stats for try in 1 2 3 4 5; do - [ -f ns5/named.stats ] && break - sleep 1 + [ -f ns5/named.stats ] && break + sleep 1 done zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 @@ -276,7 +285,7 @@ expected=55 [ "$zspill" -eq "$expected" ] || ret=1 echo_i "$zspill clients spilled (expected $expected)" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "stop ns5" stop_server --use-rndc --port ${CONTROLPORT} ns5 @@ -291,12 +300,12 @@ echo_i "checking clients are dropped at the clients-per-query limit with stale-a ret=0 test -f ans4/norespond && rm -f ans4/norespond for try in 1 2 3 4 5; do - burst 10.53.0.5 latency $try 20 "dup" - sleep 1 + burst 10.53.0.5 latency $try 20 "dup" + sleep 1 done wait_for_message ns5/named.run "clients-per-query increased to 10" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) n=$((n + 1)) echo_i "checking drop statistics ($n)" @@ -304,8 +313,8 @@ ret=0 rm -f ns5/named.stats rndccmd 10.53.0.5 stats for try in 1 2 3 4 5; do - [ -f ns5/named.stats ] && break - sleep 1 + [ -f ns5/named.stats ] && break + sleep 1 done zspill=$(grep 'spilled due to clients per query' ns5/named.stats | sed 's/ *\([0-9][0-9]*\) spilled.*/\1/') [ -z "$zspill" ] && zspill=0 @@ -319,7 +328,7 @@ expected=55 [ "$zspill" -eq "$expected" ] || ret=1 echo_i "$zspill clients spilled (expected $expected)" if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh index bf6f458..c29dcfa 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -20,15 +20,15 @@ infile=signed.db.in zonefile=signed.db.signed outfile=signed.db.signed -$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i -$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > keygen.out | cat_i +$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i +$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >keygen.out | cat_i keyname=$(cat keygen.out) rm -f keygen.out -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns5/trusted.conf -$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err +$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err echo_i "signed zone '$zone'" diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh index b9ce09f..2a819b3 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh @@ -20,8 +20,8 @@ infile=signed.db.in zonefile=signed.db.signed outfile=signed.db.signed -$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i -$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 > /dev/null | cat_i +$KEYGEN -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i +$KEYGEN -f KSK -a $DEFAULT_ALGORITHM $zone 2>&1 >/dev/null | cat_i -$SIGNER -S -o $zone -f $outfile $infile > /dev/null 2> signer.err || cat signer.err +$SIGNER -S -o $zone -f $outfile $infile >/dev/null 2>signer.err || cat signer.err echo_i "signed zone '$zone'" diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh index 5ed97eb..e6cca52 100644 --- a/bin/tests/system/filter-aaaa/tests.sh +++ b/bin/tests/system/filter-aaaa/tests.sh @@ -21,26 +21,24 @@ n=0 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -for conf in conf/good*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done # @@ -51,175 +49,173 @@ done n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::5 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0," dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::1 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::1; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 + grep 2001:db8::6 dig.out.ns1.test$n >/dev/null || ret=1 + grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::1 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 1," dig.out.ns1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::1; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 + grep "AUTHORITY: 1," dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi # @@ -230,169 +226,166 @@ fi n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "AUTHORITY: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep ::5 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "AUTHORITY: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep ::5 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "AUTHORITY: 0," dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "AUTHORITY: 0," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::4 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::4; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 + grep 2001:db8::6 dig.out.ns4.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::4 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::4; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi - # # Recursive tests against: # filter-aaaa-on-v4 yes; @@ -401,146 +394,145 @@ fi n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep ::5 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep ::5 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)" -if testsock6 fd92:7065:b8e:ffff::2 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::2; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 + grep 2001:db8::6 dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -550,25 +542,24 @@ ret=0 # we need to prime the cache with addresses for the MX, since additional # section data won't be included unless it's validated, and that doesn't # necessarily happen otherwise. -$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 > /dev/null -$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 > /dev/null -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +dnssec mx.signed @10.53.0.2 >/dev/null +$DIG $DIGOPTS +dnssec mx.signed aaaa @10.53.0.2 >/dev/null +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, recursive, over IPv6 ($n)" -if testsock6 fd92:7065:b8e:ffff::2 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::2; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi # @@ -579,175 +570,172 @@ fi n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep ::5 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep ::5 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::3 -then -ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::3; then + ret=0 + $DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 + grep 2001:db8::6 dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep AAAA dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv6, recursive with break-dnssec ($n)" -if testsock6 fd92:7065:b8e:ffff::3 -then -ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +if testsock6 fd92:7065:b8e:ffff::3; then + ret=0 + $DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 + grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else -echo_i "skipped." + echo_i "skipped." fi -if ! testsock6 fd92:7065:b8e:ffff::1 -then - echo_i "IPv6 address not configured; skipping IPv6 query tests" - echo_i "exit status: $status" - exit $status +if ! testsock6 fd92:7065:b8e:ffff::1; then + echo_i "IPv6 address not configured; skipping IPv6 query tests" + echo_i "exit status: $status" + exit $status fi # Reconfiguring for IPv6 tests @@ -771,155 +759,154 @@ rndc_reconfig ns4 10.53.0.4 n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::2 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::2 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::5 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::5 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns1.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns1.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep 2001:db8::6 dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 >dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - # # Authoritative tests against: # filter-aaaa-on-v6 break-dnssec; @@ -928,156 +915,155 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep ::2 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep ::2 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep ::5 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep ::5 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns4.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns4.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns4.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns4.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4 with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep 2001:db8::6 dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 >dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - # # Recursive tests against: # filter-aaaa-on-v6 yes; @@ -1086,162 +1072,161 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep ::5 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep ::5 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns2.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns2.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep 2001:db8::6 dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, signed ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 >dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4 ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - # # Recursive tests against: # filter-aaaa-on-v6 yes; @@ -1250,157 +1235,157 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::2 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::2 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep ::5 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep ::5 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS aaaa dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::3" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::3" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1 -grep ::3 dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.signed +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.3" dig.out.ns3.test$n >/dev/null || ret=1 +grep ::3 dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1 -grep "::6" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS any dual.unsigned +dnssec -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "1.0.0.6" dig.out.ns3.test$n >/dev/null || ret=1 +grep "::6" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1 -grep ::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS any dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep 1.0.0.6 dig.out.ns3.test$n >/dev/null || ret=1 +grep ::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv4, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep 2001:db8::6 dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 -grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec ns unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep AAAA dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1 -grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +$DIG $DIGOPTS +add +dnssec mx signed -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that AAAA is included in additional section, qtype=MX, unsigned, over IPv4, recursive with break-dnssec ($n)" ret=0 -$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1411,8 +1396,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking filter-aaaa with dns64 ($n)" ret=0 -$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/formerr/tests.sh b/bin/tests/system/formerr/tests.sh index 75f4cc0..1d1aeaf 100644 --- a/bin/tests/system/formerr/tests.sh +++ b/bin/tests/system/formerr/tests.sh @@ -18,29 +18,29 @@ set -e status=0 echo_i "test name too long" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong > nametoolong.out +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} nametoolong >nametoolong.out ans=$(grep got: nametoolong.out) -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=$((status + 1)); +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "two questions" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions > twoquestions.out +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} twoquestions >twoquestions.out ans=$(grep got: twoquestions.out) -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=$((status + 1)); +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$((status + 1)) fi # this would be NOERROR if it included a COOKIE option, # but is a FORMERR without one. echo_i "empty question section (and no COOKIE option)" -$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions > noquestions.out +$PERL formerr.pl -a 10.53.0.1 -p ${PORT} noquestions >noquestions.out ans=$(grep got: noquestions.out) -if [ "${ans}" != "got: 000080010000000000000000" ]; -then - echo_i "failed"; status=$((status + 1)); +if [ "${ans}" != "got: 000080010000000000000000" ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "exit status: $status" diff --git a/bin/tests/system/forward/ns1/sign.sh b/bin/tests/system/forward/ns1/sign.sh index 0888c5f..5e85fd5 100644 --- a/bin/tests/system/forward/ns1/sign.sh +++ b/bin/tests/system/forward/ns1/sign.sh @@ -25,10 +25,10 @@ echo_i "ns1/sign.sh" ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1 +"$SIGNER" -P -g -o "$zone" "$zonefile" >/dev/null 2>&1 # Configure the resolving server with a static key. -keyfile_to_static_ds "$ksk" > trusted.conf +keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns3/trusted.conf diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh new file mode 100644 index 0000000..32889aa --- /dev/null +++ b/bin/tests/system/forward/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index 09624ca..33d33cc 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh @@ -25,6 +25,6 @@ copy_setports ns9/named1.conf.in ns9/named.conf copy_setports ns10/named.conf.in ns10/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index 4037f22..b942699 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -17,15 +17,15 @@ set -e . ../conf.sh dig_with_opts() ( - "$DIG" -p "$PORT" "$@" + "$DIG" -p "$PORT" "$@" ) sendcmd() ( - send "$1" "$EXTRAPORT1" + send "$1" "$EXTRAPORT1" ) rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } root=10.53.0.1 @@ -36,156 +36,156 @@ f2=10.53.0.4 status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone overrides global forwarders ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example1. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward first zone no forwarders recurses ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward only zone no forwarders fails ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.root dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that global forwarders work ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example4. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$f1 >dig.out.$n.f1 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone works ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that forwarding doesn't spontaneously happen ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example2. txt @$root > dig.out.$n.root || ret=1 -dig_with_opts +noadd +noauth txt.example2. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$root >dig.out.$n.root || ret=1 +dig_with_opts +noadd +noauth txt.example2. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.root dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward zone with no specified policy works ($n)" ret=0 -dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1 -dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1 +dig_with_opts +noadd +noauth txt.example3. txt @$hidden >dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example3. txt @$f2 >dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forward only doesn't recurse ($n)" ret=0 -dig_with_opts txt.example5. txt @$f2 > dig.out.$n.f2 || ret=1 -grep "SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts txt.example5. txt @$f2 >dig.out.$n.f2 || ret=1 +grep "SERVFAIL" dig.out.$n.f2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking for negative caching of forwarder response ($n)" # prime the cache, shutdown the forwarder then check that we can # get the answer from the cache. restart forwarder. ret=0 -dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 -grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 stop_server ns4 || ret=1 -dig_with_opts nonexist. txt @10.53.0.5 > dig.out.$n.f2 || ret=1 -grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null || ret=1 +dig_with_opts nonexist. txt @10.53.0.5 >dig.out.$n.f2 || ret=1 +grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null || ret=1 start_server --restart --noclean --port "${PORT}" ns4 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) check_override() ( - dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && - grep "status: NOERROR" dig.out.$n.f2 > /dev/null && - dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && - grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null + dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \ + && grep "status: NOERROR" dig.out.$n.f2 >/dev/null \ + && dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 >dig.out.$n.f2 \ + && grep "status: NXDOMAIN" dig.out.$n.f2 >/dev/null ) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that forward only zone overrides empty zone ($n)" ret=0 # retry loop in case the server restart above causes transient failure retry_quiet 10 check_override || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that DS lookups for grafting forward zones are isolated ($n)" ret=0 -dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q1 || ret=1 -dig_with_opts grafted DS @10.53.0.4 > dig.out.$n.q2 || ret=1 -dig_with_opts grafted A @10.53.0.4 > dig.out.$n.q3 || ret=1 -dig_with_opts grafted AAAA @10.53.0.4 > dig.out.$n.q4 || ret=1 -grep "status: NOERROR" dig.out.$n.q1 > /dev/null || ret=1 -grep "status: NXDOMAIN" dig.out.$n.q2 > /dev/null || ret=1 -grep "status: NOERROR" dig.out.$n.q3 > /dev/null || ret=1 -grep "status: NOERROR" dig.out.$n.q4 > /dev/null || ret=1 +dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q1 || ret=1 +dig_with_opts grafted DS @10.53.0.4 >dig.out.$n.q2 || ret=1 +dig_with_opts grafted A @10.53.0.4 >dig.out.$n.q3 || ret=1 +dig_with_opts grafted AAAA @10.53.0.4 >dig.out.$n.q4 || ret=1 +grep "status: NOERROR" dig.out.$n.q1 >/dev/null || ret=1 +grep "status: NXDOMAIN" dig.out.$n.q2 >/dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q3 >/dev/null || ret=1 +grep "status: NOERROR" dig.out.$n.q4 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that rfc1918 inherited 'forward first;' zones are warned about ($n)" ret=0 $CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1 $CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that ULA inherited 'forward first;' zones are warned about ($n)" ret=0 $CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1 $CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) count_sent() ( - logfile="$1" - start_pattern="$2" - pattern="$3" - nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" + logfile="$1" + start_pattern="$2" + pattern="$3" + nextpartpeek "$logfile" | sed -n "/$start_pattern/,/^\$/p" | grep -c "$pattern" ) check_sent() ( - expected="$1" - shift - count=$(count_sent "$@") - [ "$expected" = "$count" ] + expected="$1" + shift + count=$(count_sent "$@") + [ "$expected" = "$count" ] ) wait_for_log() ( - nextpartpeek "$1" | grep "$2" >/dev/null + nextpartpeek "$1" | grep "$2" >/dev/null ) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that a forwarder timeout prevents it from being reused in the same fetch context ($n)" ret=0 # Make ans6 receive queries without responding to them. @@ -195,19 +195,19 @@ echo "//" | sendcmd 10.53.0.6 # when a delegation is encountered after falling back to full recursive # resolution. nextpart ns3/named.run >/dev/null -dig_with_opts txt.example7. txt @$f1 > dig.out.$n.f1 || ret=1 +dig_with_opts txt.example7. txt @$f1 >dig.out.$n.f1 || ret=1 # The forwarder for the "example7" zone should only be queried once. start_pattern="sending packet to 10\.53\.0\.6" retry_quiet 5 wait_for_log ns3/named.run "$start_pattern" check_sent 1 ns3/named.run "$start_pattern" ";txt\.example7\.[[:space:]]*IN[[:space:]]*TXT$" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that priming queries are not forwarded ($n)" ret=0 nextpart ns7/named.run >/dev/null -dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.$n.f7 || ret=1 +dig_with_opts +noadd +noauth txt.example1. txt @10.53.0.7 >dig.out.$n.f7 || ret=1 received_pattern="received packet from 10\.53\.0\.1" start_pattern="sending packet to 10\.53\.0\.1" retry_quiet 5 wait_for_log ns7/named.run "$received_pattern" || ret=1 @@ -217,30 +217,30 @@ sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run || tr sent=$(grep -c "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run || true) [ "$sent" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking recovery from forwarding to a non-recursive server ($n)" ret=0 -dig_with_opts xxx.sld.tld txt @10.53.0.8 > dig.out.$n.f8 || ret=1 -grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1 +dig_with_opts xxx.sld.tld txt @10.53.0.8 >dig.out.$n.f8 || ret=1 +grep "status: NOERROR" dig.out.$n.f8 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that rebinding protection works in forward only mode ($n)" ret=0 # 10.53.0.5 will forward target.malicious. query to 10.53.0.4 # which in turn will return a CNAME for subdomain.rebind. # to honor the option deny-answer-aliases { "rebind"; }; # ns5 should return a SERVFAIL to avoid potential rebinding attacks -dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1 -grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. >dig.out.$n || ret=1 +grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Prepare ans6 for the chasing DS tests. -sendcmd 10.53.0.6 << EOF +sendcmd 10.53.0.6 <<EOF /ns1.sld.tld/A/ 300 A 10.53.0.2 /sld.tld/NS/ @@ -248,88 +248,88 @@ sendcmd 10.53.0.6 << EOF /sld.tld/ EOF -n=$((n+1)) +n=$((n + 1)) echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)" ret=0 copy_setports ns3/named2.conf.in ns3/named.conf rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 nextpart ns3/named.run >/dev/null -dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 -grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 +dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 +grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # See [GL #3129]. # Enable silent mode for ans11. echo "1" | sendcmd 10.53.0.11 -n=$((n+1)) +n=$((n + 1)) echo_i "checking the handling of hung DS fetch while chasing DS ($n)" ret=0 copy_setports ns3/named2.conf.in ns3/tmp -sed 's/root.db/root2.db/' ns3/tmp > ns3/named.conf +sed 's/root.db/root2.db/' ns3/tmp >ns3/named.conf rm -f ns3/tmp rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i rndccmd 10.53.0.3 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 nextpart ns3/named.run >/dev/null -dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1 -grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 +dig_with_opts @$f1 xxx.yyy.sld.tld ds >dig.out.$n.f1 || ret=1 +grep "status: SERVFAIL" dig.out.$n.f1 >/dev/null || ret=1 # Disable silent mode for ans11. echo "0" | sendcmd 10.53.0.11 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Check various spoofed response scenarios. The same tests will be # run twice, with "forward first" and "forward only" configurations. # -run_spooftests () { - n=$((n+1)) - echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 - # check 'net' is not poisoned. - dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 - grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 - # check 'sub.local.net' is not poisoned. - dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 - grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 - # check that net2/DNAME is not cached - dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 - grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 - grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - n=$((n+1)) - echo_i "checking spoofed response scenario 3 - extra answer ($n)" - ret=0 - # prime - dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 - # check extra net3 records are not cached - rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i - for try in 1 2 3 4 5; do - lines=$(grep "net3" ns9/named_dump.db | wc -l) - if [ ${lines} -eq 0 ]; then - sleep 1 - continue - fi - [ ${lines} -eq 1 ] || ret=1 - grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 - grep -q '^local.net3' ns9/named_dump.db && ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +run_spooftests() { + n=$((n + 1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net >/dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 >/dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 >dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } echo_i "checking spoofed response scenarios with forward first zones" @@ -353,31 +353,31 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 attackSecureDomain.net >dig.out.$n.prime || ret=1 # check 'net' is poisoned. -dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +dig_with_opts @10.53.0.9 diditwork.net. TXT >dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net >/dev/null || ret=1 # check 'sub.local.net' is poisoned. -dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +dig_with_opts @10.53.0.9 sub.local.net TXT >dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 attackSecureDomain.net2 >dig.out.$n.prime || ret=1 # check that net2/DNAME is cached -dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 -grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +dig_with_opts @10.53.0.9 net2. DNAME >dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 >/dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # This test doesn't use any forwarder clauses but is here because it @@ -390,17 +390,17 @@ rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "checking sibling glue below zone ($n)" ret=0 # prime -dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +dig_with_opts @10.53.0.9 sibling.tld >dig.out.$n.prime || ret=1 # check for glue A record for sub.local.tld is not used -dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 -grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 -grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +dig_with_opts @10.53.0.9 sub.local.tld TXT >dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub >/dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh index f436559..f6b40c2 100644 --- a/bin/tests/system/genzone.sh +++ b/bin/tests/system/genzone.sh @@ -33,9 +33,8 @@ cat <<EOF 3600 ) EOF -for n -do - cat <<EOF +for n; do + cat <<EOF @ NS ns${n} ns${n} A 10.53.0.${n} EOF diff --git a/bin/tests/system/geoip2/prereq.sh b/bin/tests/system/geoip2/prereq.sh index c06d752..942888e 100644 --- a/bin/tests/system/geoip2/prereq.sh +++ b/bin/tests/system/geoip2/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --have-geoip2 || { - echo_i "This test requires GeoIP support." >&2 - exit 255 + echo_i "This test requires GeoIP support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/geoip2/setup.sh b/bin/tests/system/geoip2/setup.sh index 646388f..a0eaaf7 100644 --- a/bin/tests/system/geoip2/setup.sh +++ b/bin/tests/system/geoip2/setup.sh @@ -18,6 +18,6 @@ $SHELL clean.sh copy_setports ns2/named1.conf.in ns2/named.conf for i in 1 2 3 4 5 6 7 other bogus; do - cp ns2/example.db.in ns2/example${i}.db - echo "@ IN TXT \"$i\"" >> ns2/example$i.db + cp ns2/example.db.in ns2/example${i}.db + echo "@ IN TXT \"$i\"" >>ns2/example$i.db done diff --git a/bin/tests/system/geoip2/tests.sh b/bin/tests/system/geoip2/tests.sh index b72a870..ac1df74 100644 --- a/bin/tests/system/geoip2/tests.sh +++ b/bin/tests/system/geoip2/tests.sh @@ -22,26 +22,24 @@ rm -f dig.out.* DIGOPTS="+tcp +short -p ${PORT} @10.53.0.2" DIGOPTS6="+tcp +short -p ${PORT} @fd92:7065:b8e:ffff::2 -6" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -for conf in conf/good*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done n=$((n + 1)) @@ -49,23 +47,22 @@ echo_i "checking Country database by code using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database by code using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break @@ -88,26 +85,25 @@ echo_i "checking Country database with nested ACLs using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database with nested ACLs using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -127,23 +123,22 @@ echo_i "checking Country database by name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database by name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break @@ -167,24 +162,23 @@ ret=0 lret=0 # deliberately skipping 4 and 6 as they have duplicate continents for i in 1 2 3 5 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Country database by continent code using IPv6 ($n)" ret=0 lret=0 # deliberately skipping 4 and 6 as they have duplicate continents for i in 1 2 3 5 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break @@ -208,24 +202,23 @@ ret=0 lret=0 # skipping 2 on purpose here; it has the same region code as 1 for i in 1 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking City database by region code using IPv6 ($n)" ret=0 lret=0 -# skipping 2 on purpose here; it has the same region code as 1 + # skipping 2 on purpose here; it has the same region code as 1 for i in 1 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break @@ -249,23 +242,22 @@ echo_i "checking City database by city name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking City database by city name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 j=$(cat dig.out.ns2.test$n.$i | tr -d '"') [ "$i" = "$j" ] || lret=1 [ $lret -eq 1 ] && break @@ -288,26 +280,25 @@ echo_i "checking ISP database using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking ISP database using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -327,26 +318,25 @@ echo_i "checking ASN database by org name using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking ASN database by org name using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -366,26 +356,25 @@ echo_i "checking GeoIP6 ASN database, ASNNNN only, using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking ASN database, ASNNNN only, using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -405,26 +394,25 @@ echo_i "checking GeoIP6 ASN database, NNNN only, using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking ASN database, NNNN only, using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -444,26 +432,25 @@ echo_i "checking Domain database using IPv4 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS txt example -b 10.53.0.$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -if testsock6 fd92:7065:b8e:ffff::3 -then +if testsock6 fd92:7065:b8e:ffff::3; then n=$((n + 1)) echo_i "checking Domain database using IPv6 ($n)" ret=0 lret=0 for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i > dig.out.ns2.test$n.$i || lret=1 - j=$(cat dig.out.ns2.test$n.$i | tr -d '"') - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break + $DIG $DIGOPTS6 txt example -b fd92:7065:b8e:ffff::$i >dig.out.ns2.test$n.$i || lret=1 + j=$(cat dig.out.ns2.test$n.$i | tr -d '"') + [ "$i" = "$j" ] || lret=1 + [ $lret -eq 1 ] && break done [ $lret -eq 1 ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -481,8 +468,8 @@ sleep 3 n=$((n + 1)) echo_i "checking geoip blackhole ACL ($n)" ret=0 -$DIG $DIGOPTS txt example -b 10.53.0.7 > dig.out.ns2.test$n || ret=1 -$RNDCCMD 10.53.0.2 status 2>&1 > rndc.out.ns2.test$n || ret=1 +$DIG $DIGOPTS txt example -b 10.53.0.7 >dig.out.ns2.test$n || ret=1 +$RNDCCMD 10.53.0.2 status 2>&1 >rndc.out.ns2.test$n || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) diff --git a/bin/tests/system/get_core_dumps.sh b/bin/tests/system/get_core_dumps.sh index d4f6ec7..1469c3c 100755 --- a/bin/tests/system/get_core_dumps.sh +++ b/bin/tests/system/get_core_dumps.sh @@ -20,51 +20,51 @@ status=0 export SYSTESTDIR="${TOP_BUILDDIR}/bin/tests/system/${systest}" get_core_dumps() { - find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort + find "$SYSTESTDIR/" \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.gz' ! -name '*.txt' | sort } core_dumps=$(get_core_dumps | tr '\n' ' ') if [ -n "$core_dumps" ]; then - status=1 - echoinfo "I:$systest:Core dump(s) found: $core_dumps" - get_core_dumps | while read -r coredump; do - echoinfo "D:$systest:backtrace from $coredump:" - echoinfo "D:$systest:--------------------------------------------------------------------------------" - binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p") - if [ ! -f "${binary}" ]; then - binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f) - fi - "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ - -batch \ - -ex bt \ - -core="$coredump" \ - -- \ - "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d - echoinfo "D:$systest:--------------------------------------------------------------------------------" - coredump_backtrace="${coredump}-backtrace.txt" - echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace" - "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ - -batch \ - -command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \ - -core="$coredump" \ - -- \ - "$binary" > "$coredump_backtrace" 2>&1 - echoinfo "D:$systest:core dump $coredump archived as $coredump.gz" - gzip -1 "${coredump}" - done + status=1 + echoinfo "I:$systest:Core dump(s) found: $core_dumps" + get_core_dumps | while read -r coredump; do + echoinfo "D:$systest:backtrace from $coredump:" + echoinfo "D:$systest:--------------------------------------------------------------------------------" + binary=$(gdb --batch --core="$coredump" 2>/dev/null | sed -ne "s|Core was generated by \`\([^' ]*\)[' ].*|\1|p") + if [ ! -f "${binary}" ]; then + binary=$(find "${TOP_BUILDDIR}" -path "*/.libs/${binary}" -type f) + fi + "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ + -batch \ + -ex bt \ + -core="$coredump" \ + -- \ + "$binary" 2>/dev/null | sed -n '/^Core was generated by/,$p' | cat_d + echoinfo "D:$systest:--------------------------------------------------------------------------------" + coredump_backtrace="${coredump}-backtrace.txt" + echoinfo "D:$systest:full backtrace from $coredump saved in $coredump_backtrace" + "${TOP_BUILDDIR}/libtool" --mode=execute gdb \ + -batch \ + -command="${TOP_SRCDIR}/bin/tests/system/run.gdb" \ + -core="$coredump" \ + -- \ + "$binary" >"$coredump_backtrace" 2>&1 + echoinfo "D:$systest:core dump $coredump archived as $coredump.gz" + gzip -1 "${coredump}" + done fi assertion_failures=$(find "$SYSTESTDIR/" -name named.run -exec grep "assertion failure" {} + | wc -l) if [ "$assertion_failures" -ne 0 ]; then - status=1 - echoinfo "I:$systest:$assertion_failures assertion failure(s) found" + status=1 + echoinfo "I:$systest:$assertion_failures assertion failure(s) found" fi tsan_failures=$(find "$SYSTESTDIR/" -name 'tsan.*' | wc -l) if [ "$tsan_failures" -ne 0 ]; then - status=1 - echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found" - find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d + status=1 + echoinfo "I:$systest:$tsan_failures TSAN sanitizer report(s) found" + find "$SYSTESTDIR/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d fi exit $status diff --git a/bin/tests/system/get_ports.sh b/bin/tests/system/get_ports.sh index b44e3ef..96201f1 100755 --- a/bin/tests/system/get_ports.sh +++ b/bin/tests/system/get_ports.sh @@ -15,7 +15,7 @@ # individual system subtests, so every test is given a unique port range. get_sorted_test_names() { - find . -maxdepth 2 -mindepth 2 -type f \( -name "tests.sh" -o -name "tests*.py" \) | cut -d/ -f2 | sort -u + find . -maxdepth 2 -mindepth 2 -type f \( -name "tests.sh" -o -name "tests*.py" \) | cut -d/ -f2 | sort -u } total_tests=$(get_sorted_test_names | wc -l) @@ -27,30 +27,33 @@ port_max=$((32767 - (total_tests * ports_per_test))) baseport=0 test_index=0 while getopts "p:t:-:" OPT; do - if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then - OPT="${OPTARG%%=*}" - OPTARG="${OPTARG#$OPT}" - OPTARG="${OPTARG#=}" - fi + if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then + OPT="${OPTARG%%=*}" + OPTARG="${OPTARG#$OPT}" + OPTARG="${OPTARG#=}" + fi - # shellcheck disable=SC2214 - case "$OPT" in - p | port) baseport=$OPTARG ;; - t | test) - test_index=$(get_sorted_test_names | awk "/^${OPTARG}\$/ { print NR }") - if [ -z "${test_index}" ]; then - echo "Test '${OPTARG}' not found" >&2 - exit 1 - fi - ;; - -) break ;; - *) echo "invalid option" >&2; exit 1 ;; - esac + # shellcheck disable=SC2214 + case "$OPT" in + p | port) baseport=$OPTARG ;; + t | test) + test_index=$(get_sorted_test_names | awk "/^${OPTARG}\$/ { print NR }") + if [ -z "${test_index}" ]; then + echo "Test '${OPTARG}' not found" >&2 + exit 1 + fi + ;; + -) break ;; + *) + echo "invalid option" >&2 + exit 1 + ;; + esac done port_pool_size=$((port_max - port_min)) if [ "${baseport}" -eq 0 ]; then - baseport="$((($(date +%s) / 3600 % port_pool_size) + port_min + (test_index * ports_per_test)))" + baseport="$((($(date +%s) / 3600 % port_pool_size) + port_min + (test_index * ports_per_test)))" fi echo "export PORT=$((baseport))" diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh index 2dcacbf..0bfae45 100644 --- a/bin/tests/system/glue/tests.sh +++ b/bin/tests/system/glue/tests.sh @@ -28,7 +28,7 @@ $DIG $DIGOPTS @10.53.0.1 foo.bar.fi. A >dig.out || status=1 digcomp --lc fi.good dig.out || status=1 echo_i "testing that we don't find out-of-zone glue" -$DIG $DIGOPTS @10.53.0.1 example.net. a > dig.out || status=1 +$DIG $DIGOPTS @10.53.0.1 example.net. a >dig.out || status=1 digcomp noglue.good dig.out || status=1 echo_i "exit status: $status" diff --git a/bin/tests/system/hooks/driver/Makefile.in b/bin/tests/system/hooks/driver/Makefile.in index f97a712..30c40be 100644 --- a/bin/tests/system/hooks/driver/Makefile.in +++ b/bin/tests/system/hooks/driver/Makefile.in @@ -103,11 +103,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_gcc_func_attribute.m4 \ $(top_srcdir)/m4/ax_jemalloc.m4 \ $(top_srcdir)/m4/ax_lib_lmdb.m4 \ - $(top_srcdir)/m4/ax_perl_module.m4 \ $(top_srcdir)/m4/ax_posix_shell.m4 \ $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ $(top_srcdir)/m4/ax_pthread.m4 \ - $(top_srcdir)/m4/ax_python_module.m4 \ $(top_srcdir)/m4/ax_restore_flags.m4 \ $(top_srcdir)/m4/ax_save_flags.m4 $(top_srcdir)/m4/ax_tls.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ diff --git a/bin/tests/system/host/tests.sh b/bin/tests/system/host/tests.sh index c640a40..4bc3bf9 100644 --- a/bin/tests/system/host/tests.sh +++ b/bin/tests/system/host/tests.sh @@ -19,54 +19,54 @@ set -e status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "Check A only lookup ($n)" ret=0 -$HOST -p ${PORT} a-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} a-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l <host.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Address:" host.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c a-only.example.net host.out${n}) test $lines -eq 1 || ret=1 -grep "1.2.3.4" host.out${n} > /dev/null || ret=1 +grep "1.2.3.4" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check AAAA only lookup ($n)" ret=0 -$HOST -p ${PORT} aaaa-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} aaaa-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l <host.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Address:" host.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c aaaa-only.example.net host.out${n}) test $lines -eq 1 || ret=1 -grep "2001::ffff" host.out${n} > /dev/null || ret=1 +grep "2001::ffff" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check dual A + AAAA lookup ($n)" ret=0 -$HOST -p ${PORT} dual.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} dual.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l <host.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Address:" host.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c dual.example.net host.out${n}) test $lines -eq 2 || ret=1 -grep "1.2.3.4" host.out${n} > /dev/null || ret=1 -grep "2001::ffff" host.out${n} > /dev/null || ret=1 +grep "1.2.3.4" host.out${n} >/dev/null || ret=1 +grep "2001::ffff" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to A only lookup ($n)" ret=0 -$HOST -p ${PORT} cname-a-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} cname-a-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l <host.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Address:" host.out${n}) test $lines -eq 1 || ret=1 @@ -74,15 +74,15 @@ lines=$(grep -c "cname-a-only.example.net is an alias for a-only.example.net" ho test $lines -eq 1 || ret=1 lines=$(grep a-only.example.net host.out${n} | grep -cv "is an alias for") test $lines -eq 1 || ret=1 -grep "1.2.3.4" host.out${n} > /dev/null || ret=1 +grep "1.2.3.4" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to AAAA only lookup ($n)" ret=0 -$HOST -p ${PORT} cname-aaaa-only.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} cname-aaaa-only.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l <host.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Address:" host.out${n}) test $lines -eq 1 || ret=1 @@ -90,15 +90,15 @@ lines=$(grep -c "cname-aaaa-only.example.net is an alias for aaaa-only.example.n test $lines -eq 1 || ret=1 lines=$(grep aaaa-only.example.net host.out${n} | grep -cv "is an alias for") test $lines -eq 1 || ret=1 -grep "2001::ffff" host.out${n} > /dev/null || ret=1 +grep "2001::ffff" host.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to dual A + AAAA lookup ($n)" ret=0 -$HOST -p ${PORT} cname-dual.example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 -lines=$(wc -l < host.err${n}) +$HOST -p ${PORT} cname-dual.example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 +lines=$(wc -l <host.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Address:" host.out${n}) test $lines -eq 1 || ret=1 @@ -109,12 +109,12 @@ test $lines -eq 1 || ret=1 lines=$(grep -c "dual.example.net has IPv6 address 2001::ffff" host.out${n}) test $lines -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check ANY lookup ($n)" ret=0 -$HOST -p ${PORT} -t ANY example.net 10.53.0.1 2> host.err${n} > host.out${n} || ret=1 +$HOST -p ${PORT} -t ANY example.net 10.53.0.1 2>host.err${n} >host.out${n} || ret=1 lines=$(grep -c 'Address:.10\.53\.0\.1#'"${PORT}" host.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c 'example.net has SOA record ns1.example.net. hostmaster.example.net. 1397051952 5 5 1814400 3600' host.out${n}) @@ -122,7 +122,7 @@ test $lines -eq 1 || ret=1 lines=$(grep -c 'example.net name server ns1.example.net.' host.out${n}) test $lines -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh index 5f525d6..398b7e1 100644 --- a/bin/tests/system/idna/tests.sh +++ b/bin/tests/system/idna/tests.sh @@ -18,9 +18,9 @@ set -e # Set known locale for the tests if locale -a | grep -qE "^C\\.(UTF-8|utf8)"; then - LC_ALL="C.UTF-8" + LC_ALL="C.UTF-8" elif locale -a | grep -qE "^en_US\\.(UTF-8|utf8)"; then - LC_ALL="en_US.UTF-8" + LC_ALL="en_US.UTF-8" fi export LC_ALL @@ -71,7 +71,6 @@ DIGCMD="$DIG -i -p ${PORT} @10.53.0.1" n=0 status=0 - # Function for extracting the qname from the response # # This is the first field in the line after the line starting @@ -80,10 +79,10 @@ status=0 # The string returned includes the trailing period. qname() { - awk 'BEGIN { qs = 0; } \ + awk 'BEGIN { qs = 0; } \ /;; QUESTION SECTION:/ { qs = 1; next; } \ qs == 1 {sub(";", "", $1) ; print $1; exit 0; }' \ - $1 + $1 } # Function for performing a test where "dig" is expected to succeed. @@ -96,26 +95,29 @@ qname() { # parameter should have that period as well. idna_test() { - n=$((n+1)) - description=$1 - if [ "$2" != "" ]; then - description="${description}: $2" - fi - echo_i "$description ($n)" - - ret=0 - { $DIGCMD $2 $3 > dig.out.$n 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - echo_i "failed: dig command returned non-zero status" - ret=1 - else - actual=$(qname dig.out.$n) - if [ "$4" != "$actual" ]; then - echo_i "failed: expected answer $4, actual result $actual" - ret=1 - fi + n=$((n + 1)) + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + { + $DIGCMD $2 $3 >dig.out.$n 2>&1 + rc=$? + } || true + if [ $rc -ne 0 ]; then + echo_i "failed: dig command returned non-zero status" + ret=1 + else + actual=$(qname dig.out.$n) + if [ "$4" != "$actual" ]; then + echo_i "failed: expected answer $4, actual result $actual" + ret=1 fi - status=$((status+ret)) + fi + status=$((status + ret)) } # Function for performing a test where "dig" is expected to fail @@ -125,20 +127,23 @@ idna_test() { # $3 - Name being queried idna_fail() { - n=$((n+1)) - description=$1 - if [ "$2" != "" ]; then - description="${description}: $2" - fi - echo_i "$description ($n)" - - ret=0 - { $DIGCMD $2 $3 > dig.out.$n 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then - echo_i "failed: dig command unexpectedly succeeded" - ret=1 - fi - status=$((status+ret)) + n=$((n + 1)) + description=$1 + if [ "$2" != "" ]; then + description="${description}: $2" + fi + echo_i "$description ($n)" + + ret=0 + { + $DIGCMD $2 $3 >dig.out.$n 2>&1 + rc=$? + } || true + if [ $rc -eq 0 ]; then + echo_i "failed: dig command unexpectedly succeeded" + ret=1 + fi + status=$((status + ret)) } # Function to check that case is preserved for an all-ASCII label. @@ -159,235 +164,226 @@ idna_fail() { # as the qname. ascii_case_preservation_test() { - text="Checking valid ASCII label" - idna_test "$text" "" LocalhosT LocalhosT. - idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. - idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. - idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. - idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. + text="Checking valid ASCII label" + idna_test "$text" "" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+noidnin +idnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +noidnout" LocalhosT LocalhosT. + idna_test "$text" "+idnin +idnout" LocalhosT LocalhosT. } # Function to perform the tests if IDNA is enabled. idna_enabled_test() { - echo_i "IDNA is enabled, all IDNA tests will be performed" - # Check that case is preserved on an ASCII label. - - ascii_case_preservation_test - - - # Test of a valid U-label - # - # +noidnin +noidnout: The label is sent as a unicode octet stream and dig - # will display the string in the \nnn format. - # +noidnin +idnout: As for the previous case. - # +idnin +noidnout: The label is converted to the xn-- format. "dig" - # displays the returned xn-- text. - # +idnin +idnout: The label is converted to the xn-- format. "dig" - # converts the returned xn-- string back to the original - # unicode text. - # - # Note that ASCII characters are converted to lower-case. - - text="Checking valid non-ASCII label" - idna_test "$text" "" "München" "M\195\188nchen." - idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." - idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." - idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." - idna_test "$text" "+idnin +idnout" "München" "münchen." - - - # Tests of transitional processing of a valid U-label - # - # IDNA2003 introduced national character sets but, unfortunately, didn't - # support several characters properly. One of those was the German - # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". - # So the domain “faß.de” domain (for example) was processed as “fass.de”. - # - # This was corrected in IDNA2008, although some vendors that adopted this - # standard chose to keep the existing IDNA2003 translation for this - # character to prevent problems (e.g. people visiting www.faß.example would, - # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at - # www.fa\195\159.example - a different web site). - # - # BIND has adopted a hard transition, so this test checks that these - # transitional mapping is not used. The tests are essentially the same as - # for the valid U-label. - - text="Checking that non-transitional IDNA processing is used" - idna_test "$text" "" "faß.de" "fa\195\159.de." - idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." - idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." - idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." - idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." - - # Another problem character. The final character in the first label mapped - # onto the Greek sigma character ("σ") in IDNA2003. - - text="Second check that non-transitional IDNA processing is used" - idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." - idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." - idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." - - - - # Tests of a valid A-label (i.e. starting xn--) - # - # +noidnout: The string is sent as-is to the server and the returned qname - # is displayed in the same form. - # +idnout: The string is sent as-is to the server and the returned qname - # is displayed as the corresponding U-label. - # - # The "+[no]idnin" flag has no effect in these cases. - - text="Checking valid A-label" - idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - - # Test of valid A-label in locale that cannot display it - # - # +noidnout: The string is sent as-is to the server and the returned qname - # is displayed in the same form. - # +idnout: The string is sent as-is to the server and the returned qname - # is displayed as the corresponding A-label. - # - # The "+[no]idnout" flag has no effect in these cases. - saved_LC_ALL="${LC_ALL}" - LC_ALL="C" - text="Checking valid A-label in C locale" - label="xn--nxasmq6b.com" - if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then - idna_test "$text" "" "$label" "$label." - idna_test "$text" "+noidnin +noidnout" "$label" "$label." - idna_test "$text" "+noidnin +idnout" "$label" "$label." - idna_test "$text" "+idnin +noidnout" "$label" "$label." - idna_test "$text" "+idnin +idnout" "$label" "$label." - idna_test "$text" "+noidnin +idnout" "$label" "$label." - fi - LC_ALL="${saved_LC_ALL}" - - - - # Tests of invalid A-labels - # - # +noidnin: The label is sent as-is to the server and dig will display the - # returned fake A-label in the same form. - # +idnin: "dig" should report that the label is not correct. - # - # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" - # should report an error if +idnout is specified. - - # The minimum length of a punycode A-label is 7 characters. Check that - # a shorter label is detected and rejected. - - text="Checking punycode label shorter than minimum valid length" - idna_test "$text" "" "xn--xx" "xn--xx." - idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." - idna_fail "$text" "+noidnin +idnout" "xn--xx" - idna_fail "$text" "+idnin +noidnout" "xn--xx" - idna_fail "$text" "+idnin +idnout" "xn--xx" - - # Fake A-label - the string does not translate to anything. - - text="Checking fake A-label" - idna_test "$text" "" "xn--ahahah" "xn--ahahah." - idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." - idna_fail "$text" "+noidnin +idnout" "xn--ahahah" - idna_fail "$text" "+idnin +noidnout" "xn--ahahah" - idna_fail "$text" "+idnin +idnout" "xn--ahahah" - - # Too long a label. The punycode string is too long (at 64 characters). - # BIND rejects such labels: with +idnin - - label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" - text="Checking punycode label longer than maximum valid length" - idna_fail "$text" "" "$label" - idna_fail "$text" "+noidnin +noidnout" "$label" - idna_fail "$text" "+noidnin +idnout" "$label" - idna_fail "$text" "+idnin +noidnout" "$label" - idna_fail "$text" "+idnin +idnout" "$label" - - # Tests of a valid unicode string but an invalid U-label (input) - # - # Symbols are not valid IDNA2008 names. Check whether dig rejects them - # when they are supplied on the command line to ensure no IDNA2003 - # fallbacks are in place. - # - # +noidnin: "dig" should send unicode octets to the server and display the - # returned qname in the same form. - # +idnin: "dig" should generate an error. - # - # The +[no]idnout options should not have any effect on the test. - - text="Checking invalid input U-label" - idna_test "$text" "" "√.com" "\226\136\154.com." - idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." - idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." - idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." - idna_test "$text" "+idnin +idnout" "√.com" "√.com." - - # Tests of a valid unicode string but an invalid U-label (output) - # - # Symbols are not valid IDNA2008 names. Check whether dig rejects them - # when they are received in DNS responses to ensure no IDNA2003 fallbacks - # are in place. - # - # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses - # Punycode more strictly than older versions and thus dig fails with that - # combination of options with libidn2 2.2.0+ but succeeds with older - # versions. - # - # +noidnout: "dig" should send the ACE string to the server and display the - # returned qname. - # +idnout: "dig" should generate an error. - # - # The +[no]idnin options should not have any effect on the test. - - text="Checking invalid output U-label" - idna_test "$text" "" "xn--19g" "xn--19g." - idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." - idna_test "$text" "+noidnin +idnout" "xn--19g" "√." - idna_test "$text" "+idnin +idnout" "xn--19g" "√." - - - # Test that non-letter characters are preserved in the output. When - # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like - # `_` (underscore) and `*` (wildcard. - - text="Checking valid non-letter characters" - idna_test "$text" "" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." - idna_test "$text" "+idnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." - - idna_test "$text" "" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." - idna_test "$text" "+noidnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." - idna_test "$text" "+idnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." + echo_i "IDNA is enabled, all IDNA tests will be performed" + # Check that case is preserved on an ASCII label. + + ascii_case_preservation_test + + # Test of a valid U-label + # + # +noidnin +noidnout: The label is sent as a unicode octet stream and dig + # will display the string in the \nnn format. + # +noidnin +idnout: As for the previous case. + # +idnin +noidnout: The label is converted to the xn-- format. "dig" + # displays the returned xn-- text. + # +idnin +idnout: The label is converted to the xn-- format. "dig" + # converts the returned xn-- string back to the original + # unicode text. + # + # Note that ASCII characters are converted to lower-case. + + text="Checking valid non-ASCII label" + idna_test "$text" "" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +noidnout" "München" "M\195\188nchen." + idna_test "$text" "+noidnin +idnout" "München" "M\195\188nchen." + idna_test "$text" "+idnin +noidnout" "München" "xn--mnchen-3ya." + idna_test "$text" "+idnin +idnout" "München" "münchen." + + # Tests of transitional processing of a valid U-label + # + # IDNA2003 introduced national character sets but, unfortunately, didn't + # support several characters properly. One of those was the German + # character "ß" (the "Eszett" or "sharp s"), which was interpreted as "ss". + # So the domain “faß.de” domain (for example) was processed as “fass.de”. + # + # This was corrected in IDNA2008, although some vendors that adopted this + # standard chose to keep the existing IDNA2003 translation for this + # character to prevent problems (e.g. people visiting www.faß.example would, + # under IDNA2003, go to www.fass.example but under IDNA2008 would end up at + # www.fa\195\159.example - a different web site). + # + # BIND has adopted a hard transition, so this test checks that these + # transitional mapping is not used. The tests are essentially the same as + # for the valid U-label. + + text="Checking that non-transitional IDNA processing is used" + idna_test "$text" "" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +noidnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+noidnin +idnout" "faß.de" "fa\195\159.de." + idna_test "$text" "+idnin +noidnout" "faß.de" "xn--fa-hia.de." + idna_test "$text" "+idnin +idnout" "faß.de" "faß.de." + + # Another problem character. The final character in the first label mapped + # onto the Greek sigma character ("σ") in IDNA2003. + + text="Second check that non-transitional IDNA processing is used" + idna_test "$text" "" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +noidnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+noidnin +idnout" "βόλος.com" "\206\178\207\140\206\187\206\191\207\130.com." + idna_test "$text" "+idnin +noidnout" "βόλος.com" "xn--nxasmm1c.com." + idna_test "$text" "+idnin +idnout" "βόλος.com" "βόλος.com." + + # Tests of a valid A-label (i.e. starting xn--) + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding U-label. + # + # The "+[no]idnin" flag has no effect in these cases. + + text="Checking valid A-label" + idna_test "$text" "" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." + + # Test of valid A-label in locale that cannot display it + # + # +noidnout: The string is sent as-is to the server and the returned qname + # is displayed in the same form. + # +idnout: The string is sent as-is to the server and the returned qname + # is displayed as the corresponding A-label. + # + # The "+[no]idnout" flag has no effect in these cases. + saved_LC_ALL="${LC_ALL}" + LC_ALL="C" + text="Checking valid A-label in C locale" + label="xn--nxasmq6b.com" + if command -v idn2 >/dev/null && ! idn2 -d "$label" >/dev/null 2>/dev/null; then + idna_test "$text" "" "$label" "$label." + idna_test "$text" "+noidnin +noidnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + idna_test "$text" "+idnin +noidnout" "$label" "$label." + idna_test "$text" "+idnin +idnout" "$label" "$label." + idna_test "$text" "+noidnin +idnout" "$label" "$label." + fi + LC_ALL="${saved_LC_ALL}" + + # Tests of invalid A-labels + # + # +noidnin: The label is sent as-is to the server and dig will display the + # returned fake A-label in the same form. + # +idnin: "dig" should report that the label is not correct. + # + # +[no]idnout: If the label makes it to the server (via +noidnin), "dig" + # should report an error if +idnout is specified. + + # The minimum length of a punycode A-label is 7 characters. Check that + # a shorter label is detected and rejected. + + text="Checking punycode label shorter than minimum valid length" + idna_test "$text" "" "xn--xx" "xn--xx." + idna_test "$text" "+noidnin +noidnout" "xn--xx" "xn--xx." + idna_fail "$text" "+noidnin +idnout" "xn--xx" + idna_fail "$text" "+idnin +noidnout" "xn--xx" + idna_fail "$text" "+idnin +idnout" "xn--xx" + + # Fake A-label - the string does not translate to anything. + + text="Checking fake A-label" + idna_test "$text" "" "xn--ahahah" "xn--ahahah." + idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." + idna_fail "$text" "+noidnin +idnout" "xn--ahahah" + idna_fail "$text" "+idnin +noidnout" "xn--ahahah" + idna_fail "$text" "+idnin +idnout" "xn--ahahah" + + # Too long a label. The punycode string is too long (at 64 characters). + # BIND rejects such labels: with +idnin + + label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" + text="Checking punycode label longer than maximum valid length" + idna_fail "$text" "" "$label" + idna_fail "$text" "+noidnin +noidnout" "$label" + idna_fail "$text" "+noidnin +idnout" "$label" + idna_fail "$text" "+idnin +noidnout" "$label" + idna_fail "$text" "+idnin +idnout" "$label" + + # Tests of a valid unicode string but an invalid U-label (input) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are supplied on the command line to ensure no IDNA2003 + # fallbacks are in place. + # + # +noidnin: "dig" should send unicode octets to the server and display the + # returned qname in the same form. + # +idnin: "dig" should generate an error. + # + # The +[no]idnout options should not have any effect on the test. + + text="Checking invalid input U-label" + idna_test "$text" "" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." + idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." + idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." + idna_test "$text" "+idnin +idnout" "√.com" "√.com." + + # Tests of a valid unicode string but an invalid U-label (output) + # + # Symbols are not valid IDNA2008 names. Check whether dig rejects them + # when they are received in DNS responses to ensure no IDNA2003 fallbacks + # are in place. + # + # Note that "+idnin +noidnout" is not tested because libidn2 2.2.0+ parses + # Punycode more strictly than older versions and thus dig fails with that + # combination of options with libidn2 2.2.0+ but succeeds with older + # versions. + # + # +noidnout: "dig" should send the ACE string to the server and display the + # returned qname. + # +idnout: "dig" should generate an error. + # + # The +[no]idnin options should not have any effect on the test. + + text="Checking invalid output U-label" + idna_test "$text" "" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." + idna_test "$text" "+noidnin +idnout" "xn--19g" "√." + idna_test "$text" "+idnin +idnout" "xn--19g" "√." + + # Test that non-letter characters are preserved in the output. When + # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like + # `_` (underscore) and `*` (wildcard. + + text="Checking valid non-letter characters" + idna_test "$text" "" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com." + + idna_test "$text" "" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." + idna_test "$text" "+noidnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." + idna_test "$text" "+idnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com." } - # Function to perform tests if IDNA is not enabled. idna_disabled_test() { - echo_i "IDNA is disabled, only case mapping tests will be performed" - ascii_case_preservation_test + echo_i "IDNA is disabled, only case mapping tests will be performed" + ascii_case_preservation_test } - # Main test begins here if $FEATURETEST --with-libidn2; then - idna_enabled_test + idna_enabled_test else - idna_disabled_test + idna_disabled_test fi exit $status diff --git a/bin/tests/system/ifconfig.sh.in b/bin/tests/system/ifconfig.sh.in index ed84fd1..9b9acd5 100755 --- a/bin/tests/system/ifconfig.sh.in +++ b/bin/tests/system/ifconfig.sh.in @@ -35,187 +35,187 @@ sys=$(@SHELL@ "$top_srcdir/config.guess") use_ip= case "$sys" in - *-*-linux*) - if type ip > /dev/null; then - use_ip=yes - elif type ifconfig > /dev/null; then - : - else - echo "$0: can't find ip or ifconfig" >&2 - exit 1 - fi - ;; + *-*-linux*) + if type ip >/dev/null; then + use_ip=yes + elif type ifconfig >/dev/null; then + : + else + echo "$0: can't find ip or ifconfig" >&2 + exit 1 + fi + ;; esac up() { - case "$sys" in - *-pc-solaris2.5.1) - [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up - ;; - *-sun-solaris2.[6-7]) - [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up - ;; - *-*-solaris2.[8-9]|*-*-solaris2.10) - [ "$a" ] && { - /sbin/ifconfig lo0:$int plumb - /sbin/ifconfig lo0:$int $a up - /sbin/ifconfig lo0:$int mtu 1500 - } - [ "$aaaa" ] && { - /sbin/ifconfig lo0:$int inet6 plumb - /sbin/ifconfig lo0:$int inet6 $aaaa up - } - ;; - *-*-solaris2.1[1-9]) - [ "$a" ] && { - /sbin/ipadm create-addr -t -T static \ - -a $a lo0/bind9v4$int || - echo failed lo0/bind9v4$int - } - [ "$aaaa" ] && { - /sbin/ipadm create-addr -t -T static \ - -a $aaaa lo0/bind9v6$int || - echo failed lo0/bind9v6$int - } - ;; - *-*-linux*) - if [ "$use_ip" ]; then - ip address add $a/24 dev lo:$int - ip link set dev lo:$int mtu 1500 - [ "$aaaa" ] && ip address add $aaaa/64 dev lo - else - ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 - [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 - fi - ;; - *-unknown-freebsd*) - [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*) - [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *-*-bsdi[3-5].*) - [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 - ;; - *-dec-osf[4-5].*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-sgi-irix6.*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - [ "$a" ] && ifconfig lo0 alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 - ;; - hpux) - [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up - [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up - ;; - *-sco3.2v*) - [ "$a" ] && ifconfig lo0 alias $a - ;; - *-darwin*) - [ "$a" ] && ifconfig lo0 alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias - ;; - *) - echo "Don't know how to set up interface. Giving up." - exit 1 - ;; - esac + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-*-solaris2.[8-9] | *-*-solaris2.10) + [ "$a" ] && { + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int $a up + /sbin/ifconfig lo0:$int mtu 1500 + } + [ "$aaaa" ] && { + /sbin/ifconfig lo0:$int inet6 plumb + /sbin/ifconfig lo0:$int inet6 $aaaa up + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $a lo0/bind9v4$int \ + || echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $aaaa lo0/bind9v6$int \ + || echo failed lo0/bind9v6$int + } + ;; + *-*-linux*) + if [ "$use_ip" ]; then + ip address add $a/24 dev lo:$int + ip link set dev lo:$int mtu 1500 + [ "$aaaa" ] && ip address add $aaaa/64 dev lo + else + ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-unknown-dragonfly* | *-unknown-netbsd* | *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff + ;; + *-ibm-aix4.* | *-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up + [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-darwin*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *) + echo "Don't know how to set up interface. Giving up." + exit 1 + ;; + esac } down() { - case "$sys" in - *-pc-solaris2.5.1) - [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down - ;; - *-sun-solaris2.[6-7]) - [ "$a" ] && ifconfig lo0:$int $a down - ;; - *-*-solaris2.[8-9]|*-*-solaris2.10) - [ "$a" ] && { - ifconfig lo0:$int $a down - ifconfig lo0:$int $a unplumb - } - [ "$aaaa" ] && { - ifconfig lo0:$int inet6 down - ifconfig lo0:$int inet6 unplumb - } - ;; - *-*-solaris2.1[1-9]) - [ "$a" ] && { - ipadm delete-addr lo0/bind9v4$int || - echo failed lo0/bind9v4$int - } - [ "$aaaa" ] && { - ipadm delete-addr lo0/bind9v6$int || - echo failed lo0/bind9v6$int - } - ;; + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a down + ;; + *-*-solaris2.[8-9] | *-*-solaris2.10) + [ "$a" ] && { + ifconfig lo0:$int $a down + ifconfig lo0:$int $a unplumb + } + [ "$aaaa" ] && { + ifconfig lo0:$int inet6 down + ifconfig lo0:$int inet6 unplumb + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + ipadm delete-addr lo0/bind9v4$int \ + || echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + ipadm delete-addr lo0/bind9v6$int \ + || echo failed lo0/bind9v6$int + } + ;; - *-*-linux*) - if [ "$use_ip" ]; then - [ "$a" ] && ip address del $a/24 dev lo:$int - [ "$aaaa" ] && ip address del $aaaa/64 dev lo - else - [ "$a" ] && ifconfig lo:$int $a down - [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 - fi - ;; - *-unknown-freebsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-unknown-netbsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-unknown-openbsd*) - [ "$a" ] && ifconfig lo0 $a delete - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *-*-bsdi[3-5].*) - [ "$a" ] && ifconfig lo0 remove $a - ;; - *-dec-osf[4-5].*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-sgi-irix6.*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - [ "$a" ] && ifconfig lo0 delete $a - [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 - ;; - hpux) - [ "$a" ] && ifconfig lo0:$int 0.0.0.0 - [ "$aaaa" ] && ifconfig lo0:$int inet6 :: - ;; - *-sco3.2v*) - [ "$a" ] && ifconfig lo0 -alias $a - ;; - *darwin*) - [ "$a" ] && ifconfig lo0 -alias $a - [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete - ;; - *) - echo "Don't know how to destroy interface. Giving up." - exit 1 - ;; - esac + *-*-linux*) + if [ "$use_ip" ]; then + [ "$a" ] && ip address del $a/24 dev lo:$int + [ "$aaaa" ] && ip address del $aaaa/64 dev lo + else + [ "$a" ] && ifconfig lo:$int $a down + [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-netbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 remove $a + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-*-sysv5uw7* | *-*-sysv*UnixWare* | *-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-ibm-aix4.* | *-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 delete $a + [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 + [ "$aaaa" ] && ifconfig lo0:$int inet6 :: + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *darwin*) + [ "$a" ] && ifconfig lo0 -alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *) + echo "Don't know how to destroy interface. Giving up." + exit 1 + ;; + esac } sequence() ( - awk -v s=$1 -v e=$2 ' + awk -v s=$1 -v e=$2 ' BEGIN { for (i = s ; i <= e; i++) { print i; } exit; @@ -239,30 +239,28 @@ sequence() ( # max=11 case $1 in - start|up|stop|down) - for i in $(sequence 0 2) - do - case $i in - 0) ipv6="ff" ;; - 1) ipv6="99" ;; - 2) ipv6="00" ;; - *) ipv6="" ;; - esac - for ns in $(sequence 1 $max) - do - [ $i -gt 0 -a $ns -gt 2 ] && break - int=$((i * max + ns)) - a=10.53.$i.$ns - aaaa=fd92:7065:b8e:${ipv6}ff::$ns - case "$1" in - start|up) up;; - stop|down) down;; - esac - done - done - ;; - *) - echo "Usage: $0 { up | down }" - exit 1 - ;; + start | up | stop | down) + for i in $(sequence 0 2); do + case $i in + 0) ipv6="ff" ;; + 1) ipv6="99" ;; + 2) ipv6="00" ;; + *) ipv6="" ;; + esac + for ns in $(sequence 1 $max); do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=$((i * max + ns)) + a=10.53.$i.$ns + aaaa=fd92:7065:b8e:${ipv6}ff::$ns + case "$1" in + start | up) up ;; + stop | down) down ;; + esac + done + done + ;; + *) + echo "Usage: $0 { up | down }" + exit 1 + ;; esac diff --git a/bin/tests/system/include-multiplecfg/setup.sh b/bin/tests/system/include-multiplecfg/setup.sh index 064fb01..643e872 100644 --- a/bin/tests/system/include-multiplecfg/setup.sh +++ b/bin/tests/system/include-multiplecfg/setup.sh @@ -15,4 +15,4 @@ $SHELL clean.sh -copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns2/named.conf.in ns2/named.conf diff --git a/bin/tests/system/include-multiplecfg/tests.sh b/bin/tests/system/include-multiplecfg/tests.sh index 65b4001..8422417 100644 --- a/bin/tests/system/include-multiplecfg/tests.sh +++ b/bin/tests/system/include-multiplecfg/tests.sh @@ -26,9 +26,9 @@ n=0 n=$((n + 1)) echo_i "checking glob include of zone1 config ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone1.com. a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^zone1.com.' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone1.com. a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^zone1.com.' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -36,9 +36,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking glob include of zone2 config ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone2.com. a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^zone2.com.' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 zone2.com. a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^zone2.com.' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -46,9 +46,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking include of standard file path config ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 mars.com. a > dig.out.ns2.$n || ret=1 -grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 -grep '^mars.com.' dig.out.ns2.$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 mars.com. a >dig.out.ns2.$n || ret=1 +grep 'status: NOERROR' dig.out.ns2.$n >/dev/null || ret=1 +grep '^mars.com.' dig.out.ns2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -56,7 +56,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking named-checkconf with glob include ($n)" ret=0 -(cd ns2; $CHECKCONF named.conf) || ret=1 +( + cd ns2 + $CHECKCONF named.conf +) || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh index 79f3774..aa0e3fa 100644 --- a/bin/tests/system/inline/clean.sh +++ b/bin/tests/system/inline/clean.sh @@ -12,16 +12,16 @@ # information regarding copyright ownership. rm -rf ./*/*.jbk \ - ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \ - ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \ - ./*/trusted.conf \ - ./K* ./*/K* \ - ./checkecdsa \ - ./freeze.test* thaw.test* \ - ./import.key \ - ././ns*/managed-keys.bind* ./ns*/*.mkeys* \ - ./*/dsset-* ./*/nzf-* \ - ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \ - ./*.out ./*.out* ./*/*.out ./*/*.out* \ - ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \ - ns3/a-file ns3/removedkeys + ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \ + ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \ + ./*/trusted.conf \ + ./K* ./*/K* \ + ./checkecdsa \ + ./freeze.test* thaw.test* \ + ./import.key \ + ././ns*/managed-keys.bind* ./ns*/*.mkeys* \ + ./*/dsset-* ./*/nzf-* \ + ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \ + ./*.out ./*.out* ./*/*.out ./*/*.out* \ + ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \ + ns3/a-file ns3/removedkeys diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh index c231713..e55f5e7 100644 --- a/bin/tests/system/inline/ns1/sign.sh +++ b/bin/tests/system/inline/ns1/sign.sh @@ -18,8 +18,8 @@ rm -f K.+*+*.key rm -f K.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out +$SIGNER -S -x -T 1200 -o ${zone} root.db >signer.out [ $? = 0 ] || cat signer.out -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns6/trusted.conf diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in index 38e6e90..44b7127 100644 --- a/bin/tests/system/inline/ns2/named.conf.in +++ b/bin/tests/system/inline/ns2/named.conf.in @@ -13,7 +13,7 @@ // NS2 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in index 6b3b3cd..a74a9be 100644 --- a/bin/tests/system/inline/ns3/named.conf.in +++ b/bin/tests/system/inline/ns3/named.conf.in @@ -13,7 +13,7 @@ // NS3 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index f17a8ad..0962193 100755 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -15,7 +15,7 @@ # Fake an unsupported key unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported) -awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key >${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key zone=bits @@ -23,36 +23,36 @@ rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=noixfr rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=primary rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=dynamic rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=updated rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db +$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null cp primary2.db.in updated.db # signatures are expired and should be regenerated on startup @@ -61,28 +61,28 @@ rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db +$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null zone=retransfer rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=nsec3 rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=retransfer3 rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=inactiveksk rm -f K${zone}.+*+*.key @@ -91,7 +91,7 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=inactivezsk rm -f K${zone}.+*+*.key @@ -100,7 +100,7 @@ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone) -$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +$DSFROMKEY -T 1200 $keyname >>../ns1/root.db zone=delayedkeys rm -f K${zone}.+*+*.key @@ -122,38 +122,35 @@ rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) -for s in a c d h k l m q z -do - zone=test-$s - keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +for s in a c d h k l m q z; do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) done -for s in b f i o p t v -do - zone=test-$s - keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) - keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) +for s in b f i o p t v; do + zone=test-$s + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone) done zone=externalkey rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM} -do - k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) - k2=$($KEYGEN -q -a $alg -n zone $zone) - k3=$($KEYGEN -q -a $alg -n zone $zone) - k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) - $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db - - # Convert k1 and k2 in to External Keys. - rm -f $k1.private - mv $k1.key a-file - $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 || - ( echo_i "importkey failed: $alg" ) - rm -f $k2.private - mv $k2.key a-file - $IMPORTKEY -f a-file $zone > /dev/null 2>&1 || - ( echo_i "importkey failed: $alg" ) +for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}; do + k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + k2=$($KEYGEN -q -a $alg -n zone $zone) + k3=$($KEYGEN -q -a $alg -n zone $zone) + k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone) + $DSFROMKEY -T 1200 $k4 >>../ns1/root.db + + # Convert k1 and k2 in to External Keys. + rm -f $k1.private + mv $k1.key a-file + $IMPORTKEY -P now -D now+3600 -f a-file $zone >/dev/null 2>&1 \ + || (echo_i "importkey failed: $alg") + rm -f $k2.private + mv $k2.key a-file + $IMPORTKEY -f a-file $zone >/dev/null 2>&1 \ + || (echo_i "importkey failed: $alg") done diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post index f454b35..169c2bb 100644 --- a/bin/tests/system/inline/ns5/named.conf.post +++ b/bin/tests/system/inline/ns5/named.conf.post @@ -13,7 +13,7 @@ // NS5 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre index 91844ac..2018289 100644 --- a/bin/tests/system/inline/ns5/named.conf.pre +++ b/bin/tests/system/inline/ns5/named.conf.pre @@ -13,7 +13,7 @@ // NS5 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/inline/ns6/named.conf.in b/bin/tests/system/inline/ns6/named.conf.in index 8237f31..05de001 100644 --- a/bin/tests/system/inline/ns6/named.conf.in +++ b/bin/tests/system/inline/ns6/named.conf.in @@ -13,7 +13,7 @@ // NS6 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -35,7 +35,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in index 3a0cf86..4e99dab 100644 --- a/bin/tests/system/inline/ns7/named.conf.in +++ b/bin/tests/system/inline/ns7/named.conf.in @@ -27,7 +27,7 @@ * one it was meant for. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in index 47bb991..a16bcad 100644 --- a/bin/tests/system/inline/ns8/named.conf.in +++ b/bin/tests/system/inline/ns8/named.conf.in @@ -13,7 +13,7 @@ // NS8 -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh index d9b95e4..56d097d 100755 --- a/bin/tests/system/inline/ns8/sign.sh +++ b/bin/tests/system/inline/ns8/sign.sh @@ -14,16 +14,15 @@ . ../../conf.sh for zone in example01.com example02.com example03.com example04.com \ - example05.com example06.com example07.com example08.com \ - example09.com example10.com example11.com example12.com \ - example13.com example14.com example15.com example16.com -do + example05.com example06.com example07.com example08.com \ + example09.com example10.com example11.com example12.com \ + example13.com example14.com example15.com example16.com; do rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone) cp example.com.db.in ${zone}.db - $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 + $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db >/dev/null 2>&1 done for zone in example unsigned-serial-test; do diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh index 84233c8..7956a84 100644 --- a/bin/tests/system/inline/setup.sh +++ b/bin/tests/system/inline/setup.sh @@ -50,7 +50,19 @@ copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns8/named.conf.in ns8/named.conf -(cd ns3; $SHELL -e sign.sh) -(cd ns1; $SHELL -e sign.sh) -(cd ns7; $SHELL -e sign.sh) -(cd ns8; $SHELL -e sign.sh) +( + cd ns3 + $SHELL -e sign.sh +) +( + cd ns1 + $SHELL -e sign.sh +) +( + cd ns7 + $SHELL -e sign.sh +) +( + cd ns8 + $SHELL -e sign.sh +) diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index e9c4554..91d0f43 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh @@ -16,36 +16,38 @@ set -e . ../conf.sh DIGOPTS="+tcp +dnssec -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" dig_with_opts() { - $DIG $DIGOPTS "$@" + $DIG $DIGOPTS "$@" } rndccmd() { - $RNDCCMD "$@" + $RNDCCMD "$@" } wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 n=0 ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 >/dev/null 2>&1 || ret=1 -for i in 1 2 3 4 5 6 7 8 9 0 -do - nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1 - test "$nsec3param" = "1 0 0 -" && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 0; do + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1 + test "$nsec3param" = "1 0 0 -" && break + sleep 1 done -if [ $ret != 0 ]; then echo_i "pre-condition failed, test aborted"; exit 1; fi +if [ $ret != 0 ]; then + echo_i "pre-condition failed, test aborted" + exit 1 +fi n=$((n + 1)) echo_i "checking that an unsupported algorithm is not used for signing ($n)" @@ -57,22 +59,21 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that rrsigs are replaced with ksk only ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr nsec3. | - awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr nsec3. \ + | awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -80,7 +81,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking expired signatures are updated on load ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA >dig.out.ns3.test$n || ret=1 expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n) [ "$expiry" = "20110101000000" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -89,20 +90,19 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking removal of private type record via 'rndc signing -clear' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) for key in $keys; do - $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1 - break; # We only want to remove 1 record for now. -done 2>&1 |sed 's/^/ns3 /' | cat_i - -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 - num=$(grep "Done signing with" signing.out.test$n | wc -l) - [ $num = 1 ] && break - sleep 1 + $RNDCCMD 10.53.0.3 signing -clear ${key} bits >/dev/null || ret=1 + break # We only want to remove 1 record for now. +done 2>&1 | sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 done [ $ans = 0 ] || ret=1 @@ -112,9 +112,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking private type was properly signed ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1 -grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -122,15 +122,14 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 signing -clear all bits >/dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1 - grep "No signing records found" signing.out.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list bits >signing.out.test$n 2>&1 || ret=1 + grep "No signing records found" signing.out.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 @@ -141,10 +140,10 @@ n=$((n + 1)) echo_i "checking negative private type response was properly signed ($n)" ret=0 sleep 1 -$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1 -grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 >dig.out.ns6.test$n || ret=1 +grep "status: NOERROR" dig.out.ns6.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns6.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -153,30 +152,29 @@ n=$((n + 1)) echo_i "checking that the record is added on the hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone bits server 10.53.0.2 ${PORT} update add added.bits 0 A 1.2.3.4 send EOF -$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 added.bits A >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that update has been transferred and has been signed ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.bits A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -185,31 +183,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone bits server 10.53.0.2 ${PORT} update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600 send EOF -$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2011072400" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -217,14 +214,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that the zone is signed on initial transfer, noixfr ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list noixfr >signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -233,30 +229,29 @@ n=$((n + 1)) echo_i "checking that the record is added on the hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone noixfr server 10.53.0.4 ${PORT} update add added.noixfr 0 A 1.2.3.4 send EOF -$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 added.noixfr A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that update has been transferred and has been signed, noixfr ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 added.noixfr A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -265,31 +260,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone noixfr server 10.53.0.4 ${PORT} update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600 send EOF -$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep "2011072400" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -297,14 +291,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking that the primary zone signed on initial load ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -312,20 +305,19 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n) for key in $keys; do - $RNDCCMD 10.53.0.3 signing -clear ${key} primary > /dev/null || ret=1 - break; # We only want to remove 1 record for now. -done 2>&1 |sed 's/^/ns3 /' | cat_i - -for i in 1 2 3 4 5 6 7 8 9 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 - num=$(grep "Done signing with" signing.out.test$n | wc -l) - [ $num = 1 ] && break - sleep 1 + $RNDCCMD 10.53.0.3 signing -clear ${key} primary >/dev/null || ret=1 + break # We only want to remove 1 record for now. +done 2>&1 | sed 's/^/ns3 /' | cat_i + +for i in 1 2 3 4 5 6 7 8 9; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1 + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num = 1 ] && break + sleep 1 done [ $ans = 0 ] || ret=1 @@ -335,9 +327,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking private type was properly signed (primary) ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.6 primary TYPE65534 > dig.out.ns6.test$n || ret=1 -grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 primary TYPE65534 >dig.out.ns6.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -345,14 +337,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -clear all primary > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $RNDCCMD 10.53.0.3 signing -list primary > signing.out.test$n 2>&1 || ret=1 - grep "No signing records found" signing.out.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +$RNDCCMD 10.53.0.3 signing -clear all primary >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $RNDCCMD 10.53.0.3 signing -list primary >signing.out.test$n 2>&1 || ret=1 + grep "No signing records found" signing.out.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 @@ -364,14 +355,13 @@ echo_i "check adding of record to unsigned primary ($n)" ret=0 cp ns3/primary2.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 primary -for i in 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns3.test$n || ret=1 - grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.primary A >dig.out.ns3.test$n || ret=1 + grep "10.0.0.5" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -380,11 +370,11 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check adding record fails when SOA serial not changed ($n)" ret=0 -echo "c A 10.0.0.3" >> ns3/primary.db +echo "c A 10.0.0.3" >>ns3/primary.db rndc_reload ns3 10.53.0.3 sleep 1 -$DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 c.primary A >dig.out.ns3.test$n || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -393,14 +383,13 @@ echo_i "check adding record works after updating SOA serial ($n)" ret=0 cp ns3/primary3.db.in ns3/primary.db $RNDCCMD 10.53.0.3 reload primary 2>&1 | sed 's/^/ns3 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 c.primary A > dig.out.ns3.test$n || ret=1 - grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 c.primary A >dig.out.ns3.test$n || ret=1 + grep "10.0.0.3" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -409,24 +398,23 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check the added record was properly signed ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 e.primary A > dig.out.ns6.test$n || ret=1 -grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1 -grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1 -grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1 +$DIG $DIGOPTS @10.53.0.3 e.primary A >dig.out.ns6.test$n || ret=1 +grep "10.0.0.5" dig.out.ns6.test$n >/dev/null || ans=1 +grep "ANSWER: 2," dig.out.ns6.test$n >/dev/null || ans=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n >/dev/null || ans=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that the dynamic primary zone signed on initial load ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys = 2 ] || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $RNDCCMD 10.53.0.3 signing -list dynamic >signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys = 2 ] || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -439,9 +427,9 @@ serial=$(awk '{print $3}' dig.out.ns2.soa.test$n) # serial should have changed [ "$serial" = "2000042407" ] && ret=1 # e.updated should exist and should be signed -$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 e.updated A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 # updated.db.signed.jnl should exist, should have the source serial # of primary2.db, and should show a minimal diff: no more than 8 added # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records @@ -449,7 +437,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 $JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1 serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n) [ "$serial" = "2000042408" ] || ret=1 -diffsize=$(wc -l < journalprint.out.test$n) +diffsize=$(wc -l <journalprint.out.test$n) [ "$diffsize" -le 13 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -458,28 +446,37 @@ n=$((n + 1)) echo_i "checking adding of record to unsigned primary using UPDATE ($n)" ret=0 -[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; } +[ -f ns3/dynamic.db.jnl ] && { + ret=1 + echo_i "journal exists (pretest)" +} -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone dynamic server 10.53.0.3 ${PORT} update add e.dynamic 0 A 1.2.3.4 send EOF -[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; } - -for i in 1 2 3 4 5 6 7 8 9 10 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +[ -f ns3/dynamic.db.jnl ] || { + ret=1 + echo_i "journal does not exist (posttest)" +} + +for i in 1 2 3 4 5 6 7 8 9 10; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 e.dynamic >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + grep "1.2.3.4" dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done -[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; } +[ $ans = 0 ] || { + ret=1 + echo_i "signed record not found" + cat dig.out.ns3.test$n +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -502,31 +499,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone bits server 10.53.0.2 ${PORT} update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600 send EOF -$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2011072450" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -535,31 +531,30 @@ n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone noixfr server 10.53.0.4 ${PORT} update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600 send EOF -$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep "2011072450" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -568,31 +563,30 @@ n=$((n + 1)) echo_i "checking forwarded update on hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone bits server 10.53.0.3 ${PORT} update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600 send EOF -$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 -grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 bits SOA >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 +grep "2011072460" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking forwarded update on signed zone ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 bits SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -601,31 +595,30 @@ n=$((n + 1)) echo_i "checking forwarded update on hidden primary, noixfr ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone noixfr server 10.53.0.3 ${PORT} update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600 send EOF -$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1 -grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 noixfr SOA >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns4.test$n >/dev/null || ret=1 +grep "2011072460" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking forwarded update on signed zone, noixfr ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -633,23 +626,28 @@ status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "checking turning on of inline signing in a secondary zone via reload ($n)" -$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA >dig.out.ns5.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "setup broken"; fi status=$((status + ret)) copy_setports ns5/named.conf.post ns5/named.conf -(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1 -(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1 +( + cd ns5 + $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits +) >/dev/null 2>&1 +( + cd ns5 + $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits +) >/dev/null 2>&1 rndc_reload ns5 10.53.0.5 -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n || ret=1 - grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1 - if [ $ret = 0 ]; then break; fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG $DIGOPTS @10.53.0.5 bits SOA >dig.out.ns5.test$n || ret=1 + grep "status: NOERROR" dig.out.ns5.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns5.test$n >/dev/null || ret=1 + if [ $ret = 0 ]; then break; fi + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -657,38 +655,42 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1; } +$RNDCCMD 10.53.0.3 freeze dynamic >freeze.test$n 2>&1 || { + echo_i "/' < freeze.test$n" + ret=1 +} sleep 1 -$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; } +$RNDCCMD 10.53.0.3 thaw dynamic >thaw.test$n 2>&1 || { + echo_i "rndc thaw dynamic failed" + ret=1 +} sleep 1 -grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1 +grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - n=$((n + 1)) echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 freeze dynamic >freeze.test$n 2>&1 || ret=1 sleep 1 awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } { print; } - END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new + END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db >ns3/dynamic.db.new mv ns3/dynamic.db.new ns3/dynamic.db -$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw dynamic >thaw.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check added record freeze1.dynamic ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -699,26 +701,25 @@ sleep 1 n=$((n + 1)) echo_i "checking rndc freeze/thaw of server ($n)" ret=0 -$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 freeze >freeze.test$n 2>&1 || ret=1 sleep 1 awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; } { print; } - END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new + END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db >ns3/dynamic.db.new mv ns3/dynamic.db.new ns3/dynamic.db -$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw >thaw.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check added record freeze2.dynamic ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -726,8 +727,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check rndc reload allows reuse of inline-signing zones ($n)" ret=0 -{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i -grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1 +{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1; } | sed 's/^/ns3 /' | cat_i +grep "not reusable" ns3/named.run >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -746,7 +747,7 @@ n=$((n + 1)) echo_i "checking that the retransfer record is added on the hidden primary ($n)" ret=0 -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone retransfer server 10.53.0.2 ${PORT} update add added.retransfer 0 A 1.2.3.4 @@ -754,38 +755,39 @@ send EOF -$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 added.retransfer A >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that the change has not been transferred due to notify ($n)" ret=0 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 added.retransfer A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done -if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi +if [ $ans != 1 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) n=$((n + 1)) echo_i "check rndc retransfer of a inline secondary zone works ($n)" ret=0 $RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 added.retransfer A >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done [ $ans = 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -796,29 +798,28 @@ echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are ret=0 # The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2, # which means it should not yet be available on ns3. -$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA >dig.out.ns3.pre.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.pre.test$n >/dev/null || ret=1 # Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely # to test that multiple queued "rndc signing -nsec3param" requests are handled # properly. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1 # Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone. -sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new +sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf >ns2/named.conf.new mv ns2/named.conf.new ns2/named.conf $RNDCCMD 10.53.0.2 reconfig || ret=1 # Request ns3 to retransfer the "retransfer3" zone. $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1 # Check whether "retransfer3" uses NSEC3 as requested. -for i in 0 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1 - grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 - grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 - test $ret -eq 0 && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.post.test$n.$i || ret=1 + grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i >/dev/null || ret=1 + grep "NSEC3" dig.out.ns3.post.test$n.$i >/dev/null || ret=1 + test $ret -eq 0 && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -826,25 +827,23 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)" ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1 - grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1 - grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 >/dev/null 2>&1 || ret=1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.pre.test$n || ret=1 + grep "status: NXDOMAIN" dig.out.ns3.pre.test$n >/dev/null || ans=1 + grep "NSEC3" dig.out.ns3.pre.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done $RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1 - grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1 - grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1 - [ $ans = 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A >dig.out.ns3.post.test$n || ret=1 + grep "status: NXDOMAIN" dig.out.ns3.post.test$n >/dev/null || ans=1 + grep "NSEC3" dig.out.ns3.post.test$n >/dev/null || ans=1 + [ $ans = 0 ] && break + sleep 1 done [ $ans = 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -858,25 +857,23 @@ ret=0 zone=nsec3-loop # Add secondary zone using rndc $RNDCCMD 10.53.0.7 addzone $zone \ - '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1 + '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1 # Wait until secondary zone is fully signed using NSEC -for i in 1 2 3 4 5 6 7 8 9 0 -do - ret=1 - $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1 || ret=1 - keys=$(grep '^Done signing' signing.out.test$n | wc -l) - [ $keys -eq 3 ] && ret=0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 0; do + ret=1 + $RNDCCMD 10.53.0.7 signing -list $zone >signing.out.test$n 2>&1 || ret=1 + keys=$(grep '^Done signing' signing.out.test$n | wc -l) + [ $keys -eq 3 ] && ret=0 && break + sleep 1 done # Switch secondary zone to NSEC3 -$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone >/dev/null 2>&1 || ret=1 # Wait until secondary zone is fully signed using NSEC3 -for i in 1 2 3 4 5 6 7 8 9 0 -do - ret=1 - nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1 - test "$nsec3param" = "1 0 2 12345678" && ret=0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 0; do + ret=1 + nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1 + test "$nsec3param" = "1 0 2 12345678" && ret=0 && break + sleep 1 done # Attempt to retransfer the secondary zone from primary $RNDCCMD 10.53.0.7 retransfer $zone || ret=1 @@ -887,12 +884,14 @@ $RNDCCMD 10.53.0.7 retransfer $zone || ret=1 # instead of sending SOA queries to the signer as these may influence its # behavior in a way which may prevent the desired scenario from being # reproduced (see comment in ns7/named.conf) -for i in 1 2 3 4 5 6 7 8 9 0 -do - ret=1 - { grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1; rc=$?; } || true - [ $rc -eq 0 ] && ret=0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 0; do + ret=1 + { + grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run >/dev/null 2>&1 + rc=$? + } || true + [ $rc -eq 0 ] && ret=0 && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -918,14 +917,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 -do - ans=0 - $DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1 - grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - [ $ans = 1 ] || break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + ans=0 + $DIG $DIGOPTS @10.53.0.3 primary SOA >dig.out.ns3.test$n || ret=1 + grep "hostmaster" dig.out.ns3.test$n >/dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 done [ $ans = 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -938,83 +936,82 @@ ret=1 # that the file modification time has no possibility of being equal to # the one stored during server startup. sleep 1 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null cp ns3/primary5.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 -for i in 1 2 3 4 5 6 7 8 9 10 -do - if nextpart ns3/named.run | grep "zone primary.*sending notifies" > /dev/null; then - ret=0 - break - fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + if nextpart ns3/named.run | grep "zone primary.*sending notifies" >/dev/null; then + ret=0 + break + fi + sleep 1 done # Sanity check: file updates should be reflected in the signed zone, # i.e. SOA RNAME should no longer be set to "hostmaster". -$DIG $DIGOPTS @10.53.0.3 primary SOA > dig.out.ns3.test$n || ret=1 -grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 primary SOA >dig.out.ns3.test$n || ret=1 +grep "hostmaster" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that reloading errors prevent synchronization ($n)" ret=1 -$DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA >dig.out.ns3.test$n.1 || ret=1 sleep 1 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null cp ns3/primary6.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 -for i in 1 2 3 4 5 6 7 8 9 10 -do - if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null - then - ret=0 - break - fi - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + if nextpart ns3/named.run | grep "not loaded due to errors" >/dev/null; then + ret=0 + break + fi + sleep 1 done # Sanity check: the SOA record should be unchanged -$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' > dig.out.ns3.test$n.2 -diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' >dig.out.ns3.test$n.2 +diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check inline-signing with an include file ($n)" ret=0 -$DIG $DIGOPTS +short @10.53.0.3 primary SOA > dig.out.ns3.test$n.1 || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA >dig.out.ns3.test$n.1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) sleep 1 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null cp ns3/primary7.db.in ns3/primary.db rndc_reload ns3 10.53.0.3 _includefile_loaded() { - $DIG $DIGOPTS @10.53.0.3 f.primary A > dig.out.ns3.test$n || return 1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1 - grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1 - return 0 + $DIG $DIGOPTS @10.53.0.3 f.primary A >dig.out.ns3.test$n || return 1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || return 1 + grep "ANSWER: 2," dig.out.ns3.test$n >/dev/null || return 1 + grep "10\.0\.0\.7" dig.out.ns3.test$n >/dev/null || return 1 + return 0 } retry_quiet 10 _includefile_loaded # Sanity check: the SOA record should be changed -$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' > dig.out.ns3.test$n.2 -diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS +short @10.53.0.3 primary SOA | grep -v '^;' >dig.out.ns3.test$n.2 +diff dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "test add/del zone combinations ($n)" ret=0 -for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z -do -$RNDCCMD 10.53.0.2 addzone test-$zone \ - '{ type primary; file "bits.db.in"; allow-transfer { any; }; };' || ret=1 -$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1 -grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; } -$RNDCCMD 10.53.0.3 addzone test-$zone \ - '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1 -$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1 +for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z; do + $RNDCCMD 10.53.0.2 addzone test-$zone \ + '{ type primary; file "bits.db.in"; allow-transfer { any; }; };' || ret=1 + $DIG $DIGOPTS @10.53.0.2 test-$zone SOA >dig.out.ns2.$zone.test$n || ret=1 + grep "status: NOERROR," dig.out.ns2.$zone.test$n >/dev/null || { + ret=1 + cat dig.out.ns2.$zone.test$n + } + $RNDCCMD 10.53.0.3 addzone test-$zone \ + '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1 + $RNDCCMD 10.53.0.3 delzone test-$zone >/dev/null 2>&1 || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1022,22 +1019,27 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing adding external keys to a inline zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n || ret=1 -for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER} -do - [ $alg = 13 -a ! -f checkecdsa ] && continue; - - case $alg in - 7) echo_i "checking NSEC3RSASHA1";; - 8) echo_i "checking RSASHA256";; - 13) echo_i "checking ECDSAP256SHA256";; - *) echo_i "checking $alg";; - esac - - dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l) - rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l) - test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; } - test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; } +$DIG $DIGOPTS @10.53.0.3 dnskey externalkey >dig.out.ns3.test$n || ret=1 +for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}; do + [ $alg = 13 -a ! -f checkecdsa ] && continue + + case $alg in + 7) echo_i "checking NSEC3RSASHA1" ;; + 8) echo_i "checking RSASHA256" ;; + 13) echo_i "checking ECDSAP256SHA256" ;; + *) echo_i "checking $alg" ;; + esac + + dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l) + rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l) + test ${dnskeys:-0} -eq 3 || { + echo_i "failed $alg (dnskeys ${dnskeys:-0})" + ret=1 + } + test ${rrsigs:-0} -eq 2 || { + echo_i "failed $alg (rrsigs ${rrsigs:-0})" + ret=1 + } done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1048,21 +1050,21 @@ ret=0 key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example) cp ${key}.key import.key # import should fail -$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1 +$IMPORTKEY -f import.key import.example >/dev/null 2>&1 && ret=1 rm -f ${key}.private # private key removed; import should now succeed -$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 +$IMPORTKEY -f import.key import.example >/dev/null 2>&1 || ret=1 # now that it's an external key, re-import should succeed -$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1 +$IMPORTKEY -f import.key import.example >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)" ret=0 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) -$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.n3.pre.test$n) +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1070,12 +1072,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)" ret=0 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) -$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' <dig.out.n3.pre.test$n) +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1 || ret=1 sleep 1 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.ns3.post.test$n || ret=1 serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) [ ${oldserial:-0} -eq ${serial:-1} ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1087,12 +1089,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)" ret=0 -$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n || ret=1 +$DIG $DIGOPTS nsec3. SOA @10.53.0.3 >dig.out.n3.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n) -$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.n3.pre.test$n) +$RNDCCMD 10.53.0.3 freeze nsec3 >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 thaw nsec3 >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1100,9 +1102,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)" ret=0 -$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) -$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.ns2.pre.test$n) +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1110,10 +1112,10 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)" ret=0 -$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) -$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' <dig.out.ns2.pre.test$n) +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1122,12 +1124,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)" ret=0 -$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n || ret=1 +$DIG $DIGOPTS bits. SOA @10.53.0.2 >dig.out.ns2.pre.test$n || ret=1 oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n) -newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n) -$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1 || ret=1 -$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1 && ret=1 -$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1 || ret=1 +newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' <dig.out.ns2.pre.test$n) +$RNDCCMD 10.53.0.2 freeze bits >/dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits >/dev/null 2>&1 && ret=1 +$RNDCCMD 10.53.0.2 thaw bits >/dev/null 2>&1 || ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1 retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1137,29 +1139,28 @@ n=$((n + 1)) echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 soa inactivezsk >dig.out.ns3.pre.test$n || ret=1 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n) -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 server 10.53.0.2 ${PORT} update add added.inactivezsk 0 IN TXT added record send EOF -for i in 1 2 3 4 5 6 7 8 9 10 -do - $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1 - soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) - test ${soa1:-0} -ne ${soa2:-0} && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + $DIG $DIGOPTS @10.53.0.3 soa inactivezsk >dig.out.ns3.post.test$n || ret=1 + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n) + test ${soa1:-0} -ne ${soa2:-0} && break + sleep 1 done test ${soa1:-0} -ne ${soa2:-0} || ret=1 -$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1 -grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 -grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk >dig.out.ns3.test$n || ret=1 +grep "ANSWER: 3," dig.out.ns3.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1 +grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 +grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1168,31 +1169,31 @@ n=$((n + 1)) echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk >dig.out.ns3.test$n || ret=1 # # check that DNSKEY is signed with ZSK for default algorithm # awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' -zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1 +zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n >/dev/null || ret=1 awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' -kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 +kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null && ret=1 # # check that DNSKEY is signed with KSK for alternative algorithm # awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }' -zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1 +zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n >/dev/null && ret=1 awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }' -kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' ) -grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n \ + | $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}') +grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1205,14 +1206,13 @@ status=$((status + ret)) # is logged (which means the zone was not modified and will not be modified any # further in response to the relevant raw zone update). wait_until_raw_zone_update_is_processed() { - zone="$1" - for i in 1 2 3 4 5 6 7 8 9 10 - do - if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then - return - fi - sleep 1 - done + zone="$1" + for i in 1 2 3 4 5 6 7 8 9 10; do + if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" >/dev/null; then + return + fi + sleep 1 + done } n=$((n + 1)) @@ -1220,14 +1220,14 @@ echo_i "checking that changes to raw zone are applied to a previously unsigned s ret=0 # Query for bar.nokeys/A and ensure the response is negative. As this zone # does not have any signing keys set up, the response must be unsigned. -$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A >dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null && ret=1 # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Add a record to the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone nokeys. server 10.53.0.2 ${PORT} update add bar.nokeys. 0 A 127.0.0.1 @@ -1236,9 +1236,9 @@ EOF wait_until_raw_zone_update_is_processed "nokeys" # Query for bar.nokeys/A again and ensure the signer now returns a positive, # yet still unsigned response. -$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A >dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1247,16 +1247,16 @@ echo_i "checking that changes to raw zone are not applied to a previously signed ret=0 # Query for bar.removedkeys-primary/A and ensure the response is negative. As # this zone has signing keys set up, the response must be signed. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 # Remove the signing keys for this zone. mv -f ns3/Kremovedkeys-primary* ns3/removedkeys # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Add a record to the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone removedkeys-primary. server 10.53.0.3 ${PORT} update add bar.removedkeys-primary. 0 A 127.0.0.1 @@ -1265,9 +1265,9 @@ EOF wait_until_raw_zone_update_is_processed "removedkeys-primary" # Query for bar.removedkeys-primary/A again and ensure the signer still returns # a negative, signed response. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1276,14 +1276,14 @@ echo_i "checking that backlogged changes to raw zone are applied after keys beco ret=0 # Restore the signing keys for this zone. mv ns3/removedkeys/Kremovedkeys-primary* ns3 -$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary >/dev/null 2>&1 || ret=1 # Determine what a SOA record with a bumped serial number should look like. BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}') # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Bump the SOA serial number of the raw zone. -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone removedkeys-primary. server 10.53.0.3 ${PORT} update del removedkeys-primary. SOA @@ -1293,9 +1293,9 @@ EOF wait_until_raw_zone_update_is_processed "removedkeys-primary" # Query for bar.removedkeys-primary/A again and ensure the signer now returns a # positive, signed response. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A >dig.out.ns3.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1304,16 +1304,16 @@ echo_i "checking that changes to raw zone are not applied to a previously signed ret=0 # Query for bar.removedkeys-secondary/A and ensure the response is negative. As this # zone does have signing keys set up, the response must be signed. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.pre.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.pre.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 # Remove the signing keys for this zone. mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Add a record to the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone removedkeys-secondary. server 10.53.0.2 ${PORT} update add bar.removedkeys-secondary. 0 A 127.0.0.1 @@ -1322,9 +1322,9 @@ EOF wait_until_raw_zone_update_is_processed "removedkeys-secondary" # Query for bar.removedkeys-secondary/A again and ensure the signer still returns a # negative, signed response. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1 -grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.post.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.post.test$n >/dev/null && ret=1 +grep "RRSIG" dig.out.ns3.pre.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1333,14 +1333,14 @@ echo_i "checking that backlogged changes to raw zone are applied after keys beco ret=0 # Restore the signing keys for this zone. mv ns3/removedkeys/Kremovedkeys-secondary* ns3 -$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary >/dev/null 2>&1 || ret=1 # Determine what a SOA record with a bumped serial number should look like. BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}') # Ensure the wait_until_raw_zone_update_is_processed() call below will ignore # log messages generated before the raw zone is updated. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Bump the SOA serial number of the raw zone on the primary. -$NSUPDATE << EOF || ret=1 +$NSUPDATE <<EOF || ret=1 zone removedkeys-secondary. server 10.53.0.2 ${PORT} update del removedkeys-secondary. SOA @@ -1350,19 +1350,19 @@ EOF wait_until_raw_zone_update_is_processed "removedkeys-secondary" # Query for bar.removedkeys-secondary/A again and ensure the signer now returns # a positive, signed response. -$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1 || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A >dig.out.ns3.test$n 2>&1 || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "RRSIG" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # Check that the file $2 for zone $1 does not contain RRSIG records # while the journal file for that zone does contain them. ensure_sigs_only_in_journal() { - origin="$1" - masterfile="$2" - $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1 - $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1 + origin="$1" + masterfile="$2" + $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG >/dev/null && ret=1 + $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG >/dev/null || ret=1 } n=$((n + 1)) @@ -1373,12 +1373,12 @@ ret=0 # Move keys into place now and load them, which will cause DNSSEC records to # only be present in the journal for the signed version of the zone. mv Kdelayedkeys* ns3/ -$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 loadkeys delayedkeys >rndc.out.ns3.pre.test$n 2>&1 || ret=1 # Wait until the zone is signed. -check_done_signing () ( - $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true - num=$(grep "Done signing with" signing.out.test$n | wc -l) - [ $num -eq 2 ] +check_done_signing() ( + $RNDCCMD 10.53.0.3 signing -list delayedkeys >signing.out.test$n 2>&1 || true + num=$(grep "Done signing with" signing.out.test$n | wc -l) + [ $num -eq 2 ] ) retry_quiet 10 check_done_signing || ret=1 # Halt rather than stopping the server to prevent the file from being @@ -1394,31 +1394,31 @@ start_server --noclean --restart --port ${PORT} ns3 || ret=1 # receive_secure_serial() should refrain from introducing any zone changes. stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 || ret=1 ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 || ret=1 # We can now test whether the secure zone journal was correctly processed: # unless the records contained in it were scheduled for resigning, no resigning # event will be scheduled at all since the secure zone file contains no # DNSSEC records. wait_for_log 20 "all zones loaded" ns3/named.run || ret=1 -$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1 -grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus delayedkeys >rndc.out.ns3.post.test$n 2>&1 || ret=1 +grep "next resign node:" rndc.out.ns3.post.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 zonestatus primary > rndc.out.ns3.test$n || ret=1 -grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus primary >rndc.out.ns3.test$n || ret=1 +grep "type: primary" rndc.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n || ret=1 -grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus bits >rndc.out.ns3.test$n || ret=1 +grep "type: secondary" rndc.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -1426,7 +1426,7 @@ n=$((n + 1)) echo_i "checking reload of touched inline zones ($n)" ret=0 echo_ic "pre-reload 'next key event'" -nextpart ns8/named.run > nextpart.pre$n.out +nextpart ns8/named.run >nextpart.pre$n.out count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l) echo_ic "found: $count/16" [ $count -eq 16 ] || ret=1 @@ -1435,7 +1435,7 @@ touch ns8/example??.com.db $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i sleep 5 echo_ic "post-reload 'next key event'" -nextpart ns8/named.run > nextpart.post$n.out +nextpart ns8/named.run >nextpart.post$n.out count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l) echo_ic "found: $count/16" [ $count -eq 16 ] || ret=1 @@ -1445,24 +1445,24 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking second reload of touched inline zones ($n)" ret=0 -nextpart ns8/named.run > nextpart.pre$n.out +nextpart ns8/named.run >nextpart.pre$n.out $RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i sleep 5 -nextpart ns8/named.run > nextpart.post$n.out +nextpart ns8/named.run >nextpart.post$n.out grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" ret=0 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa1 || ret=1 cp ns8/example2.db.in ns8/example.db || ret=1 -nextpart ns8/named.run > /dev/null +nextpart ns8/named.run >/dev/null rndccmd 10.53.0.8 reload || ret=1 wait_for_log 3 "all zones loaded" ns8/named.run sleep 1 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa2 || ret=1 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1) soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2) ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1) @@ -1471,22 +1471,22 @@ test ${soa1:-1000} -lt ${soa2:-0} || ret=1 test ${ttl1:-0} -eq 300 || ret=1 test ${ttl2:-0} -eq 300 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check that restart with zone changes and deleted journal works ($n)" TSIG= ret=0 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa1 || ret=1 stop_server --use-rndc --port ${CONTROLPORT} ns8 || ret=1 # TTL of all records change from 300 to 400 cp ns8/example3.db.in ns8/example.db || ret=1 rm -f ns8/example.db.jnl -nextpart ns8/named.run > /dev/null +nextpart ns8/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns8 || ret=1 wait_for_log 3 "all zones loaded" ns8/named.run sleep 1 -dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1 +dig_with_opts @10.53.0.8 example SOA >dig.out.ns8.test$n.soa2 || ret=1 soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1) soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2) ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1) @@ -1495,7 +1495,7 @@ test ${soa1:-1000} -lt ${soa2:-0} || ret=1 test ${ttl1:-0} -eq 300 || ret=1 test ${ttl2:-0} -eq 400 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/integrity/ns1/named.conf.in b/bin/tests/system/integrity/ns1/named.conf.in index 00d9dba..c1c092f 100644 --- a/bin/tests/system/integrity/ns1/named.conf.in +++ b/bin/tests/system/integrity/ns1/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "mx-cname-fail" { diff --git a/bin/tests/system/integrity/tests.sh b/bin/tests/system/integrity/tests.sh index 65648b4..6c87273 100644 --- a/bin/tests/system/integrity/tests.sh +++ b/bin/tests/system/integrity/tests.sh @@ -22,108 +22,108 @@ n=1 echo_i "check that 'check-integrity yes; check-mx-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx mx-cname-fail > dig.out.test$n || ret=1 -grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1 -grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-fail >dig.out.test$n || ret=1 +grep "status: SERVFAIL," dig.out.test$n >/dev/null || ret=1 +grep "zone mx-cname-fail/IN: mx-cname-fail/MX 'cname.mx-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-mx-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx mx-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone mx-cname-warn/IN: mx-cname-warn/MX 'cname.mx-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-mx-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx mx-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx mx-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone mx-cname-ignore/IN: mx-cname-ignore/MX 'cname.mx-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-mx-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-fail > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-fail >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-mx-cname-fail/IN: no-mx-cname-fail/MX 'cname.no-mx-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-mx-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-mx-cname-warn/IN: no-mx-cname-warn/MX 'cname.no-mx-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-mx-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 mx no-mx-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-mx-cname-ignore/IN: no-mx-cname-ignore/MX 'cname.no-mx-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-srv-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv srv-cname-fail > dig.out.test$n || ret=1 -grep "status: SERVFAIL," dig.out.test$n > /dev/null || ret=1 -grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-fail >dig.out.test$n || ret=1 +grep "status: SERVFAIL," dig.out.test$n >/dev/null || ret=1 +grep "zone srv-cname-fail/IN: srv-cname-fail/SRV 'cname.srv-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-srv-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv srv-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone srv-cname-warn/IN: srv-cname-warn/SRV 'cname.srv-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity yes; check-srv-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv srv-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv srv-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone srv-cname-ignore/IN: srv-cname-ignore/SRV 'cname.srv-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-srv-cname fail;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-fail > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-fail >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-srv-cname-fail/IN: no-srv-cname-fail/SRV 'cname.no-srv-cname-fail' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-srv-cname warn;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-warn > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-warn >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-srv-cname-warn/IN: no-srv-cname-warn/SRV 'cname.no-srv-cname-warn' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check that 'check-integrity no; check-srv-cname ignore;' works ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-ignore > dig.out.test$n || ret=1 -grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1 -grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.1 srv no-srv-cname-ignore >dig.out.test$n || ret=1 +grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1 +grep "zone no-srv-cname-ignore/IN: no-srv-cname-ignore/SRV 'cname.no-srv-cname-ignore' is a CNAME (illegal)" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/isctest/__init__.py b/bin/tests/system/isctest/__init__.py new file mode 100644 index 0000000..0f2eae1 --- /dev/null +++ b/bin/tests/system/isctest/__init__.py @@ -0,0 +1,13 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from . import check +from . import query diff --git a/bin/tests/system/isctest/check.py b/bin/tests/system/isctest/check.py new file mode 100644 index 0000000..1fabad7 --- /dev/null +++ b/bin/tests/system/isctest/check.py @@ -0,0 +1,34 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from typing import Any + +import dns.rcode +import dns.message + + +# compatiblity with dnspython<2.0.0 +try: + # In dnspython>=2.0.0, dns.rcode.Rcode class is available + # pylint: disable=invalid-name + dns_rcode = dns.rcode.Rcode # type: Any +except AttributeError: + # In dnspython<2.0.0, selected rcodes are available as integers directly + # from dns.rcode + dns_rcode = dns.rcode + + +def rcode(message: dns.message.Message, expected_rcode) -> None: + assert message.rcode() == expected_rcode, str(message) + + +def noerror(message: dns.message.Message) -> None: + rcode(message, dns_rcode.NOERROR) diff --git a/bin/tests/system/isctest/query.py b/bin/tests/system/isctest/query.py new file mode 100644 index 0000000..5da1ef8 --- /dev/null +++ b/bin/tests/system/isctest/query.py @@ -0,0 +1,35 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os +from typing import Optional + +import dns.query +import dns.message + + +QUERY_TIMEOUT = 10 + + +def udp( + message: dns.message.Message, ip: str, port: Optional[int] = None +) -> dns.message.Message: + if port is None: + port = int(os.environ["PORT"]) + return dns.query.udp(message, ip, QUERY_TIMEOUT, port=port) + + +def tcp( + message: dns.message.Message, ip: str, port: Optional[int] = None +) -> dns.message.Message: + if port is None: + port = int(os.environ["PORT"]) + return dns.query.tcp(message, ip, QUERY_TIMEOUT, port=port) diff --git a/bin/tests/system/ixfr/prereq.sh b/bin/tests/system/ixfr/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/ixfr/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh index 65aedf6..0c5a282 100644 --- a/bin/tests/system/ixfr/setup.sh +++ b/bin/tests/system/ixfr/setup.sh @@ -24,8 +24,8 @@ copy_setports ns5/named.conf.in ns5/named.conf # versions of the zone, the second and third having small changes # and the fourth having a large one. -testdb () { - cat << EOF +testdb() { + cat <<EOF \$ORIGIN $1 \$TTL 15 @ 15 IN SOA ns1.test. hostmaster.test. ( @@ -43,26 +43,26 @@ ns2 IN A 10.53.0.4 ns5 IN A 10.53.0.5 EOF - i=0 - while [ $i -lt $3 ]; do - echo "host$i IN A 192.0.2.$i" - i=$((i+1)) - done + i=0 + while [ $i -lt $3 ]; do + echo "host$i IN A 192.0.2.$i" + i=$((i + 1)) + done } -testdb test. 1 60 > ns3/mytest.db -testdb test. 2 61 > ns3/mytest1.db -testdb test. 3 62 > ns3/mytest2.db -testdb test. 4 0 > ns3/mytest3.db +testdb test. 1 60 >ns3/mytest.db +testdb test. 2 61 >ns3/mytest1.db +testdb test. 3 62 >ns3/mytest2.db +testdb test. 4 0 >ns3/mytest3.db # Set up similar db files for sub.test, which will have IXFR disabled -testdb sub.test. 1 60 > ns3/subtest.db -testdb sub.test. 3 61 > ns3/subtest1.db +testdb sub.test. 1 60 >ns3/subtest.db +testdb sub.test. 3 61 >ns3/subtest1.db # Set up a large zone i=0 -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 3 > ns3/large.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 3 >ns3/large.db while [ $i -lt 10000 ]; do - echo "record$i 10 IN TXT this is record %i" >> ns3/large.db - i=$((i+1)) + echo "record$i 10 IN TXT this is record %i" >>ns3/large.db + i=$((i + 1)) done diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh index f1e3b62..ca13639 100644 --- a/bin/tests/system/ixfr/tests.sh +++ b/bin/tests/system/ixfr/tests.sh @@ -21,23 +21,22 @@ set -e . ../conf.sh wait_for_serial() ( - $DIG $DIGOPTS "@$1" "$2" SOA > "$4" - serial=$(awk '$4 == "SOA" { print $7 }' "$4") - [ "$3" -eq "${serial:--1}" ] + $DIG $DIGOPTS "@$1" "$2" SOA >"$4" + serial=$(awk '$4 == "SOA" { print $7 }' "$4") + [ "$3" -eq "${serial:--1}" ] ) status=0 n=0 DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf -s" sendcmd() { - send 10.53.0.2 "${EXTRAPORT1}" + send 10.53.0.2 "${EXTRAPORT1}" } - -n=$((n+1)) +n=$((n + 1)) echo_i "testing initial AXFR ($n)" ret=0 @@ -75,9 +74,9 @@ retry_quiet 10 wait_for_serial 10.53.0.1 nil. 1 dig.out.test$n || ret=1 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'initial AXFR' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing successful IXFR ($n)" ret=0 @@ -108,9 +107,9 @@ sleep 2 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'successful IXFR' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing AXFR fallback after IXFR failure (not exact error) ($n)" ret=0 @@ -143,9 +142,9 @@ sleep 2 $DIG $DIGOPTS @10.53.0.1 nil. TXT | grep 'fallback AXFR' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing AXFR fallback after IXFR failure (bad SOA owner) ($n)" ret=0 @@ -180,12 +179,12 @@ $RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i # malformed IXFR. Instead, check transfer progress by querying for a TXT record # at test.nil. which is present in both IXFR and AXFR (with different contents). _wait_until_transfer_is_finished() { - $DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT > dig.out.test$n.1 && - grep -q -F "serial 4" dig.out.test$n.1 + $DIG $DIGOPTS +tries=1 +time=1 @10.53.0.1 test.nil. TXT >dig.out.test$n.1 \ + && grep -q -F "serial 4" dig.out.test$n.1 } if ! retry_quiet 10 _wait_until_transfer_is_finished; then - echo_i "timed out waiting for version 4 of zone nil. to be transferred" - ret=1 + echo_i "timed out waiting for version 4 of zone nil. to be transferred" + ret=1 fi # At this point a broken server would be serving a zone with no SOA records. @@ -196,27 +195,29 @@ $RNDCCMD 10.53.0.1 refresh nil | sed 's/^/ns1 /' | cat_i # happened by now, a broken server would never serve the record which is only # present in the fallback AXFR, so checking for that is enough to verify if a # server is broken or not; if it is, it is bound to crash shortly anyway. -$DIG $DIGOPTS test.nil. TXT @10.53.0.1 > dig.out.test$n.2 || ret=1 +$DIG $DIGOPTS test.nil. TXT @10.53.0.1 >dig.out.test$n.2 || ret=1 grep -q -F "serial 4, fallback AXFR" dig.out.test$n.2 || ret=1 # Ensure the expected error is logged. nextpart ns1/named.run | grep -q -F "SOA name mismatch" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences option ($n)" # ns3 is primary; ns4 is secondary -{ $CHECKZONE test. ns3/mytest.db > /dev/null 2>&1; rc=$?; } || true -if [ $rc -ne 0 ] -then - echo_i "named-checkzone returned failure on ns3/mytest.db" +{ + $CHECKZONE test. ns3/mytest.db >/dev/null 2>&1 + rc=$? +} || true +if [ $rc -ne 0 ]; then + echo_i "named-checkzone returned failure on ns3/mytest.db" fi retry_quiet 10 wait_for_serial 10.53.0.4 test. 1 dig.out.test$n || ret=1 -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null # modify the primary sleep 1 @@ -230,16 +231,16 @@ retry_quiet 10 wait_for_serial 10.53.0.3 test. 2 dig.out.test$n || ret=1 tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 2 dig.out.test$n || ret=1 fi wait_for_log 10 'got incremental' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing 'request-ixfr no' option inheritance from view ($n)" ret=0 # There's a view with 2 zones. In the view, "request-ixfr yes" @@ -249,7 +250,7 @@ ret=0 sleep 1 cp ns3/subtest1.db ns3/subtest.db # change to sub.test zone, should be AXFR -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i # wait for primary to reload @@ -259,21 +260,21 @@ retry_quiet 10 wait_for_serial 10.53.0.3 sub.test. 3 dig.out.test$n || ret=1 tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify sub.test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify sub.test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 sub.test. 3 dig.out.test$n || ret=1 fi wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing 'request-ixfr yes' option inheritance from view ($n)" ret=0 sleep 1 cp ns3/mytest2.db ns3/mytest.db # change to test zone, should be IXFR -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i # wait for primary to reload @@ -283,144 +284,144 @@ retry_quiet 10 wait_for_serial 10.53.0.3 test. 3 dig.out.test$n || ret=1 tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 3 dig.out.test$n || ret=1 fi wait_for_log 10 'got incremental response' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "testing DiG's handling of a multi message AXFR style IXFR response ($n)" ( -(sleep 10 && kill $$) 2>/dev/null & -sub=$! -$DIG -p ${PORT} ixfr=0 large @10.53.0.3 > dig.out.test$n -kill $sub + (sleep 10 && kill $$) 2>/dev/null & + sub=$! + $DIG -p ${PORT} ixfr=0 large @10.53.0.3 >dig.out.test$n + kill $sub ) lines=$(grep hostmaster.large dig.out.test$n | wc -l) test ${lines:-0} -eq 2 || ret=1 messages=$(sed -n 's/^;;.*messages \([0-9]*\),.*/\1/p' dig.out.test$n) test ${messages:-0} -gt 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'dig +notcp ixfr=<value>' vs 'dig ixfr=<value> +notcp' vs 'dig ixfr=<value>' ($n)" ret=0 # Should be "switch to TCP" response -$DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 > dig.out1.test$n || ret=1 -$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS +notcp ixfr=1 test @10.53.0.4 >dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.4 >dig.out2.test$n || ret=1 digcomp dig.out1.test$n dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { if ($7 == 3) exit(0); else exit(1);}' dig.out1.test$n || ret=1 # -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null # Should be incremental transfer. -$DIG $DIGOPTS ixfr=1 test @10.53.0.4 > dig.out3.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 test @10.53.0.4 >dig.out3.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END { if (soacnt == 6) exit(0); else exit(1);}' dig.out3.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check estimated IXFR size ($n)" ret=0 # note IXFR delta size will be slightly bigger with version 1 transaction # headers as there is no correction for the overall record length storage. # Ver1 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) + (6 * 4) = 330 # Ver2 = 4 * (6 + 10 + 10 + 17 + 5 * 4) + 2 * (13 + 10 + 4) = 306 -nextpart ns4/named.run | grep "IXFR delta size (306 bytes)" > /dev/null || ret=1 +nextpart ns4/named.run | grep "IXFR delta size (306 bytes)" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # make sure ns5 has transfered the zone # wait for secondary to reload tret=0 retry_quiet 5 wait_for_serial 10.53.0.5 test. 4 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.5 test. 3 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.5 test. 3 dig.out.test$n || ret=1 fi -n=$((n+1)) +n=$((n + 1)) echo_i "test 'provide-ixfr no;' (serial < current) ($n)" ret=0 -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null # Should be "AXFR style" response -$DIG $DIGOPTS ixfr=1 test @10.53.0.5 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 test @10.53.0.5 >dig.out1.test$n || ret=1 # Should be "switch to TCP" response -$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 >dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 2) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 msg="IXFR delta response disabled due to 'provide-ixfr no;' being set" -nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1 +nextpart ns5/named.run | grep "$msg" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'provide-ixfr no;' (serial = current) ($n)" ret=0 # Should be "AXFR style" response -$DIG $DIGOPTS ixfr=3 test @10.53.0.5 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=3 test @10.53.0.5 >dig.out1.test$n || ret=1 # Should be "switch to TCP" response -$DIG $DIGOPTS ixfr=3 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS ixfr=3 +notcp test @10.53.0.5 >dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'provide-ixfr no;' (serial > current) ($n)" ret=0 # Should be "AXFR style" response -$DIG $DIGOPTS ixfr=4 test @10.53.0.5 > dig.out1.test$n || ret=1 +$DIG $DIGOPTS ixfr=4 test @10.53.0.5 >dig.out1.test$n || ret=1 # Should be "switch to TCP" response -$DIG $DIGOPTS ixfr=4 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1 +$DIG $DIGOPTS ixfr=4 +notcp test @10.53.0.5 >dig.out2.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether dig calculates IXFR statistics correctly ($n)" ret=0 -$DIG $DIGOPTS +noedns +stat -b 10.53.0.4 @10.53.0.4 test. ixfr=2 > dig.out1.test$n -get_dig_xfer_stats dig.out1.test$n > stats.dig -diff ixfr-stats.good stats.dig > /dev/null || ret=1 +$DIG $DIGOPTS +noedns +stat -b 10.53.0.4 @10.53.0.4 test. ixfr=2 >dig.out1.test$n +get_dig_xfer_stats dig.out1.test$n >stats.dig +diff ixfr-stats.good stats.dig >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Note: in the next two tests, we use ns4 logs for checking both incoming and # outgoing transfer statistics as ns4 is both a secondary server (for ns3) and a # primary server (for dig queries from the previous test) for "test". -_wait_for_stats () { - get_named_xfer_stats ns4/named.run "$1" test "$2" > "$3" - diff ixfr-stats.good "$3" > /dev/null || return 1 - return 0 +_wait_for_stats() { + get_named_xfer_stats ns4/named.run "$1" test "$2" >"$3" + diff ixfr-stats.good "$3" >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates incoming IXFR statistics correctly ($n)" ret=0 retry_quiet 10 _wait_for_stats 10.53.0.3 "Transfer completed" stats.incoming || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates outgoing IXFR statistics correctly ($n)" retry_quiet 10 _wait_for_stats 10.53.0.4 "IXFR ended" stats.outgoing || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "testing fallback to AXFR when max-ixfr-ratio is exceeded ($n)" -nextpart ns4/named.run > /dev/null +nextpart ns4/named.run >/dev/null sleep 1 cp ns3/mytest3.db ns3/mytest.db # change to test zone, too big for IXFR @@ -430,14 +431,14 @@ $RNDCCMD 10.53.0.3 reload | sed 's/^/ns3 /' | cat_i tret=0 retry_quiet 5 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || tret=1 if [ $tret -eq 1 ]; then - # re-noitfy after 5 seconds, then wait another 10 - $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i - retry_quiet 10 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || ret=1 + # re-noitfy after 5 seconds, then wait another 10 + $RNDCCMD 10.53.0.3 notify test | set 's/^/ns3 /' | cat_i + retry_quiet 10 wait_for_serial 10.53.0.4 test. 4 dig.out.test$n || ret=1 fi wait_for_log 10 'got nonincremental response' ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/journal/setup.sh b/bin/tests/system/journal/setup.sh index e9b0072..6017f1c 100644 --- a/bin/tests/system/journal/setup.sh +++ b/bin/tests/system/journal/setup.sh @@ -44,7 +44,7 @@ cp ns1/generic.db.in ns1/maxjournal2.db cp ns1/maxjournal2.jnl.saved ns1/maxjournal2.db.jnl cp ns1/managed-keys.bind.in ns1/managed-keys.bind -$PERL ../fromhex.pl < ns1/managed-keys.bind.jnl.in > ns1/managed-keys.bind.jnl +$PERL ../fromhex.pl <ns1/managed-keys.bind.jnl.in >ns1/managed-keys.bind.jnl copy_setports ns2/named.conf.in ns2/named.conf cp ns2/managed-keys.bind.in ns2/managed-keys.bind diff --git a/bin/tests/system/journal/tests.sh b/bin/tests/system/journal/tests.sh index 5dbceb8..79b90ba 100644 --- a/bin/tests/system/journal/tests.sh +++ b/bin/tests/system/journal/tests.sh @@ -16,11 +16,11 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" @10.53.0.1 -p "$PORT" +tcp "$@" + "$DIG" @10.53.0.1 -p "$PORT" +tcp "$@" } rndc_with_opts() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } status=0 @@ -29,26 +29,26 @@ n=0 n=$((n + 1)) echo_i "check outdated journal rolled forward (dynamic) ($n)" ret=0 -dig_with_opts changed soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010902' dig.out.test$n > /dev/null || ret=1 -grep 'zone changed/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null || ret=1 +dig_with_opts changed soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010902' dig.out.test$n >/dev/null || ret=1 +grep 'zone changed/IN: journal rollforward completed successfully using old journal format' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check outdated empty journal did not cause an error (dynamic) ($n)" ret=0 -dig_with_opts unchanged soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010901' dig.out.test$n > /dev/null || ret=1 +dig_with_opts unchanged soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010901' dig.out.test$n >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check outdated journals were updated or removed (dynamic) ($n)" ret=0 -cat -v ns1/changed.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +cat -v ns1/changed.db.jnl | grep "BIND LOG V9.2" >/dev/null || ret=1 [ -f ns1/unchanged.db.jnl ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -56,36 +56,36 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check updated journal has correct RR count (dynamic) ($n)" ret=0 -$JOURNALPRINT -x ns1/changed.db.jnl | grep "rrcount 3 " > /dev/null || ret=1 +$JOURNALPRINT -x ns1/changed.db.jnl | grep "rrcount 3 " >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check new-format journal rolled forward (dynamic) ($n)" ret=0 -dig_with_opts changed2 soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010902' dig.out.test$n > /dev/null || ret=1 -grep 'zone changed2/IN: journal rollforward completed successfully: success' ns1/named.run > /dev/null || ret=1 -grep 'zone changed2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1 +dig_with_opts changed2 soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010902' dig.out.test$n >/dev/null || ret=1 +grep 'zone changed2/IN: journal rollforward completed successfully: success' ns1/named.run >/dev/null || ret=1 +grep 'zone changed2/IN: journal rollforward completed successfully using old journal format' ns1/named.run >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check new-format empty journal did not cause error (dynamic) ($n)" ret=0 -dig_with_opts unchanged2 soa > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010901' dig.out.test$n > /dev/null || ret=1 -grep 'zone unchanged2/IN: journal rollforward completed successfully' ns1/named.run > /dev/null && ret=1 -grep 'zone unchanged2/IN: journal rollforward completed successfully using old journal format' ns1/named.run > /dev/null && ret=1 +dig_with_opts unchanged2 soa >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010901' dig.out.test$n >/dev/null || ret=1 +grep 'zone unchanged2/IN: journal rollforward completed successfully' ns1/named.run >/dev/null && ret=1 +grep 'zone unchanged2/IN: journal rollforward completed successfully using old journal format' ns1/named.run >/dev/null && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check new-format journals were updated or removed (dynamic) ($n)" ret=0 -cat -v ns1/changed2.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +cat -v ns1/changed2.db.jnl | grep "BIND LOG V9.2" >/dev/null || ret=1 [ -f ns1/unchanged2.db.jnl ] && ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -93,29 +93,29 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check outdated up-to-date journal succeeded (ixfr-from-differences) ($n)" ret=0 -dig_with_opts -t soa ixfr > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010902' dig.out.test$n > /dev/null || ret=1 -grep 'zone ixfr/IN: journal rollforward completed successfully using old journal format: up to date' ns1/named.run > /dev/null || ret=1 +dig_with_opts -t soa ixfr >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010902' dig.out.test$n >/dev/null || ret=1 +grep 'zone ixfr/IN: journal rollforward completed successfully using old journal format: up to date' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check outdated journal was updated (ixfr-from-differences) ($n)" ret=0 -cat -v ns1/ixfr.db.jnl | grep "BIND LOG V9.2" > /dev/null || ret=1 +cat -v ns1/ixfr.db.jnl | grep "BIND LOG V9.2" >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) n=$((n + 1)) echo_i "check journal with mixed headers succeeded (version 1,2,1,2) ($n)" ret=0 -dig_with_opts -t soa hdr1d1d2d1d2 > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010905' dig.out.test$n > /dev/null || ret=1 -grep 'zone hdr1d1d2d1d2/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1 -grep 'zone_journal_compact: zone hdr1d1d2d1d2/IN: repair full journal' ns1/named.run > /dev/null || ret=1 -grep 'hdr1d1d2d1d2/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1 +dig_with_opts -t soa hdr1d1d2d1d2 >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010905' dig.out.test$n >/dev/null || ret=1 +grep 'zone hdr1d1d2d1d2/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run >/dev/null || ret=1 +grep 'zone_journal_compact: zone hdr1d1d2d1d2/IN: repair full journal' ns1/named.run >/dev/null || ret=1 +grep 'hdr1d1d2d1d2/IN: dns_journal_compact: success' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -132,12 +132,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check journal with mixed headers succeeded (version 2,1,2,1) ($n)" ret=0 -dig_with_opts -t soa hdr1d2d1d2d1 > dig.out.test$n -grep 'status: NOERROR' dig.out.test$n > /dev/null || ret=1 -grep '2012010905' dig.out.test$n > /dev/null || ret=1 -grep 'zone hdr1d2d1d2d1/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run > /dev/null || ret=1 -grep 'zone_journal_compact: zone hdr1d2d1d2d1/IN: repair full journal' ns1/named.run > /dev/null || ret=1 -grep 'zone hdr1d2d1d2d1/IN: dns_journal_compact: success' ns1/named.run > /dev/null || ret=1 +dig_with_opts -t soa hdr1d2d1d2d1 >dig.out.test$n +grep 'status: NOERROR' dig.out.test$n >/dev/null || ret=1 +grep '2012010905' dig.out.test$n >/dev/null || ret=1 +grep 'zone hdr1d2d1d2d1/IN: journal rollforward completed successfully using old journal format: success' ns1/named.run >/dev/null || ret=1 +grep 'zone_journal_compact: zone hdr1d2d1d2d1/IN: repair full journal' ns1/named.run >/dev/null || ret=1 +grep 'zone hdr1d2d1d2d1/IN: dns_journal_compact: success' ns1/named.run >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -165,10 +165,9 @@ echo_i "Check that journal with mixed headers can be compacted (version 1,2,1,2) ret=0 journal=ns1/d1212.jnl.saved seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }') -for serial in $seriallist -do - cp $journal tmp.jnl - $JOURNALPRINT -c $serial tmp.jnl || ret=1 +for serial in $seriallist; do + cp $journal tmp.jnl + $JOURNALPRINT -c $serial tmp.jnl || ret=1 done [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -178,10 +177,9 @@ echo_i "Check that journal with mixed headers can be compacted (version 2,1,2,1) ret=0 journal=ns1/d2121.jnl.saved seriallist=$($JOURNALPRINT -x $journal | awk '$1 == "Transaction:" { print $11 }') -for serial in $seriallist -do - cp ns1/d1212.jnl.saved tmp.jnl - $JOURNALPRINT -c $serial tmp.jnl || ret=1 +for serial in $seriallist; do + cp ns1/d1212.jnl.saved tmp.jnl + $JOURNALPRINT -c $serial tmp.jnl || ret=1 done [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -189,7 +187,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check upgrade of managed-keys.bind.jnl succeeded($n)" ret=0 -$JOURNALPRINT ns1/managed-keys.bind.jnl > journalprint.out.test$n +$JOURNALPRINT ns1/managed-keys.bind.jnl >journalprint.out.test$n lines=$(awk '$1 == "add" && $5 == "SOA" && $8 == "3297" { print }' journalprint.out.test$n | wc -l) test $lines -eq 1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -212,12 +210,12 @@ n=$((n + 1)) echo_i "check max-journal-size works after journal update ($n)" ret=0 # journal was repaired, it should still be big -[ $(wc -c < ns1/maxjournal.db.jnl) -gt 12000 ] || ret=1 +[ $(wc -c <ns1/maxjournal.db.jnl) -gt 12000 ] || ret=1 # the zone hasn't been dumped yet, so 'rndc sync' should work without # needing a zone update first. rndc_with_opts 10.53.0.1 sync maxjournal check_size() ( - [ $(wc -c < ns1/maxjournal.db.jnl) -lt 4000 ] + [ $(wc -c <ns1/maxjournal.db.jnl) -lt 4000 ] ) retry_quiet 10 check_size || ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -227,12 +225,12 @@ n=$((n + 1)) echo_i "check max-journal-size works with non-updated journals ($n)" ret=0 # journal was not repaired, so it should still be big -[ $(wc -c < ns1/maxjournal2.db.jnl) -gt 12000 ] || ret=1 +[ $(wc -c <ns1/maxjournal2.db.jnl) -gt 12000 ] || ret=1 # the zone hasn't been dumped yet, so 'rndc sync' should work without # needing a zone update first. rndc_with_opts 10.53.0.1 sync maxjournal2 check_size() ( - [ $(wc -c < ns1/maxjournal2.db.jnl) -lt 4000 ] + [ $(wc -c <ns1/maxjournal2.db.jnl) -lt 4000 ] ) retry_quiet 10 check_size || ret=1 [ $ret -eq 0 ] || echo_i "failed" @@ -242,7 +240,7 @@ n=$((n + 1)) echo_i "check journal index consistency ($n)" ret=0 for jnl in ns1/*.jnl; do - $JOURNALPRINT -x $jnl 2>&1 | grep -q "Offset mismatch" && ret=1 + $JOURNALPRINT -x $jnl 2>&1 | grep -q "Offset mismatch" && ret=1 done [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) @@ -250,7 +248,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "check that journal is applied to zone with keydata placeholder record" ret=0 -grep 'managed-keys-zone: journal rollforward completed successfully: up to date' ns2/named.run > /dev/null 2>&1 || ret=1 +grep 'managed-keys-zone: journal rollforward completed successfully: up to date' ns2/named.run >/dev/null 2>&1 || ret=1 [ $ret -eq 0 ] || echo_i "failed" echo_i "exit status: $status" diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index 4c44ac9..26487cd 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh @@ -69,70 +69,69 @@ VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0=" # STATE_STAT key_key() { - echo "${1}__${2}" + echo "${1}__${2}" } key_get() { - eval "echo \${$(key_key "$1" "$2")}" + eval "echo \${$(key_key "$1" "$2")}" } key_set() { - eval "$(key_key "$1" "$2")='$3'" + eval "$(key_key "$1" "$2")='$3'" } key_stat() { - $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" + $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" } # Save certain values in the KEY array. -key_save() -{ - # Save key id. - key_set "$1" ID "$KEY_ID" - # Save base filename. - key_set "$1" BASEFILE "$BASE_FILE" - # Save creation date. - key_set "$1" CREATED "${KEY_CREATED}" - # Save key change time. - key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") - key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") - key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") +key_save() { + # Save key id. + key_set "$1" ID "$KEY_ID" + # Save base filename. + key_set "$1" BASEFILE "$BASE_FILE" + # Save creation date. + key_set "$1" CREATED "${KEY_CREATED}" + # Save key change time. + key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") + key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") + key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") } # Clear key state. # # This will update either the KEY1, KEY2, or KEY3 array. key_clear() { - key_set "$1" "ID" 'no' - key_set "$1" "IDPAD" 'no' - key_set "$1" "EXPECT" 'no' - key_set "$1" "ROLE" 'none' - key_set "$1" "KSK" 'no' - key_set "$1" "ZSK" 'no' - key_set "$1" "FLAGS" '0' - key_set "$1" "LIFETIME" 'none' - key_set "$1" "ALG_NUM" '0' - key_set "$1" "ALG_STR" 'none' - key_set "$1" "ALG_LEN" '0' - key_set "$1" "CREATED" '0' - key_set "$1" "PUBLISHED" 'none' - key_set "$1" "SYNCPUBLISH" 'none' - key_set "$1" "ACTIVE" 'none' - key_set "$1" "RETIRED" 'none' - key_set "$1" "REVOKED" 'none' - key_set "$1" "REMOVED" 'none' - key_set "$1" "GOAL" 'none' - key_set "$1" "STATE_DNSKEY" 'none' - key_set "$1" "STATE_KRRSIG" 'none' - key_set "$1" "STATE_ZRRSIG" 'none' - key_set "$1" "STATE_DS" 'none' - key_set "$1" "EXPECT_ZRRSIG" 'no' - key_set "$1" "EXPECT_KRRSIG" 'no' - key_set "$1" "LEGACY" 'no' - key_set "$1" "PRIVATE" 'yes' - key_set "$1" "PRIVKEY_STAT" '0' - key_set "$1" "PUBKEY_STAT" '0' - key_set "$1" "STATE_STAT" '0' + key_set "$1" "ID" 'no' + key_set "$1" "IDPAD" 'no' + key_set "$1" "EXPECT" 'no' + key_set "$1" "ROLE" 'none' + key_set "$1" "KSK" 'no' + key_set "$1" "ZSK" 'no' + key_set "$1" "FLAGS" '0' + key_set "$1" "LIFETIME" 'none' + key_set "$1" "ALG_NUM" '0' + key_set "$1" "ALG_STR" 'none' + key_set "$1" "ALG_LEN" '0' + key_set "$1" "CREATED" '0' + key_set "$1" "PUBLISHED" 'none' + key_set "$1" "SYNCPUBLISH" 'none' + key_set "$1" "ACTIVE" 'none' + key_set "$1" "RETIRED" 'none' + key_set "$1" "REVOKED" 'none' + key_set "$1" "REMOVED" 'none' + key_set "$1" "GOAL" 'none' + key_set "$1" "STATE_DNSKEY" 'none' + key_set "$1" "STATE_KRRSIG" 'none' + key_set "$1" "STATE_ZRRSIG" 'none' + key_set "$1" "STATE_DS" 'none' + key_set "$1" "EXPECT_ZRRSIG" 'no' + key_set "$1" "EXPECT_KRRSIG" 'no' + key_set "$1" "LEGACY" 'no' + key_set "$1" "PRIVATE" 'yes' + key_set "$1" "PRIVKEY_STAT" '0' + key_set "$1" "PUBKEY_STAT" '0' + key_set "$1" "STATE_STAT" '0' } # Start clear. @@ -150,122 +149,122 @@ key_clear "KEY4" # Call dig with default options. _dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # RNDC. _rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Print IDs of keys used for generating RRSIG records for RRsets of type $1 # found in dig output file $2. get_keys_which_signed() { - _qtype=$1 - _output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$_output" + _qtype=$1 + _output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$_output" } # Get the key ids from key files for zone $2 in directory $1. get_keyids() { - _dir=$1 - _zone=$2 - _regex="K${_zone}.+*+*.key" + _dir=$1 + _zone=$2 + _regex="K${_zone}.+*+*.key" - find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," + find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," } # By default log errors and don't quit immediately. _log=1 _log_error() { - test $_log -eq 1 && echo_i "error: $1" - ret=$((ret+1)) + test $_log -eq 1 && echo_i "error: $1" + ret=$((ret + 1)) } disable_logerror() { - _log=0 + _log=0 } enable_logerror() { - _log=1 + _log=1 } # Set server key-directory ($1) and address ($2) for testing keys. set_server() { - DIR=$1 - SERVER=$2 + DIR=$1 + SERVER=$2 } # Set zone name for testing keys. set_zone() { - ZONE=$1 - DYNAMIC="no" + ZONE=$1 + DYNAMIC="no" } # By default zones are considered static. # When testing dynamic zones, call 'set_dynamic' after 'set_zone'. set_dynamic() { - DYNAMIC="yes" + DYNAMIC="yes" } # Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys. set_policy() { - POLICY=$1 - NUM_KEYS=$2 - DNSKEY_TTL=$3 - CDS_DELETE="no" + POLICY=$1 + NUM_KEYS=$2 + DNSKEY_TTL=$3 + CDS_DELETE="no" } # By default policies are considered to be secure. # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the # system test to expect a CDS and CDNSKEY Delete record. set_cdsdelete() { - CDS_DELETE="yes" + CDS_DELETE="yes" } # Set key properties for testing keys. # $1: Key to update (KEY1, KEY2, ...) # $2: Value set_keyrole() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "ROLE" "$2" - key_set "$1" "KSK" "no" - key_set "$1" "ZSK" "no" - key_set "$1" "FLAGS" "0" + key_set "$1" "EXPECT" "yes" + key_set "$1" "ROLE" "$2" + key_set "$1" "KSK" "no" + key_set "$1" "ZSK" "no" + key_set "$1" "FLAGS" "0" - test "$2" = "ksk" && key_set "$1" "KSK" "yes" - test "$2" = "ksk" && key_set "$1" "FLAGS" "257" + test "$2" = "ksk" && key_set "$1" "KSK" "yes" + test "$2" = "ksk" && key_set "$1" "FLAGS" "257" - test "$2" = "zsk" && key_set "$1" "ZSK" "yes" - test "$2" = "zsk" && key_set "$1" "FLAGS" "256" + test "$2" = "zsk" && key_set "$1" "ZSK" "yes" + test "$2" = "zsk" && key_set "$1" "FLAGS" "256" - test "$2" = "csk" && key_set "$1" "KSK" "yes" - test "$2" = "csk" && key_set "$1" "ZSK" "yes" - test "$2" = "csk" && key_set "$1" "FLAGS" "257" + test "$2" = "csk" && key_set "$1" "KSK" "yes" + test "$2" = "csk" && key_set "$1" "ZSK" "yes" + test "$2" = "csk" && key_set "$1" "FLAGS" "257" - return 0 + return 0 } set_keylifetime() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "LIFETIME" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "LIFETIME" "$2" } # The algorithm value consists of three parts: # $2: Algorithm (number) # $3: Algorithm (string-format) # $4: Algorithm length set_keyalgorithm() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "ALG_NUM" "$2" - key_set "$1" "ALG_STR" "$3" - key_set "$1" "ALG_LEN" "$4" + key_set "$1" "EXPECT" "yes" + key_set "$1" "ALG_NUM" "$2" + key_set "$1" "ALG_STR" "$3" + key_set "$1" "ALG_LEN" "$4" } set_keysigning() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "EXPECT_KRRSIG" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_KRRSIG" "$2" } set_zonesigning() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "EXPECT_ZRRSIG" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_ZRRSIG" "$2" } # Set key timing metadata. Set to "none" to unset. @@ -273,8 +272,8 @@ set_zonesigning() { # $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). # $3: Value set_keytime() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "$2" "$3" + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" } # Set key timing metadata to a value plus additional time. @@ -283,12 +282,12 @@ set_keytime() { # $3: Value # $4: Additional time. set_addkeytime() { - if [ -x "$PYTHON" ]; then - # Convert "%Y%m%d%H%M%S" format to epoch seconds. - # Then, add the additional time (can be negative). - _value=$3 - _plus=$4 - $PYTHON > python.out.$ZONE.$1.$2 <<EOF + if [ -x "$PYTHON" ]; then + # Convert "%Y%m%d%H%M%S" format to epoch seconds. + # Then, add the additional time (can be negative). + _value=$3 + _plus=$4 + $PYTHON >python.out.$ZONE.$1.$2 <<EOF from datetime import datetime from datetime import timedelta _now = datetime.strptime("$_value", "%Y%m%d%H%M%S") @@ -296,9 +295,9 @@ _delta = timedelta(seconds=$_plus) _then = _now + _delta print(_then.strftime("%Y%m%d%H%M%S")); EOF - # Set the expected timing metadata. - key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2) - fi + # Set the expected timing metadata. + key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2) + fi } # Set key state metadata. Set to "none" to unset. @@ -306,8 +305,8 @@ EOF # $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS) # $3: Value set_keystate() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "$2" "$3" + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" } # Check the key $1 with id $2. @@ -321,314 +320,314 @@ set_keystate() { # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') # KEY_CREATED (from the KEY_FILE) check_key() { - _dir="$DIR" - _zone="$ZONE" - _role=$(key_get "$1" ROLE) - _key_idpad="$2" - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$(key_get "$1" ALG_NUM) - _alg_numpad=$(printf "%03d" "$_alg_num") - _alg_string=$(key_get "$1" ALG_STR) - _length=$(key_get "$1" "ALG_LEN") - _dnskey_ttl="$DNSKEY_TTL" - _lifetime=$(key_get "$1" LIFETIME) - _legacy=$(key_get "$1" LEGACY) - _private=$(key_get "$1" PRIVATE) - _flags=$(key_get "$1" FLAGS) - - _published=$(key_get "$1" PUBLISHED) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - _goal=$(key_get "$1" GOAL) - _state_dnskey=$(key_get "$1" STATE_DNSKEY) - _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) - _state_krrsig=$(key_get "$1" STATE_KRRSIG) - _state_ds=$(key_get "$1" STATE_DS) - - _ksk="no" - _zsk="no" - if [ "$_role" = "ksk" ]; then - _ksk="yes" - elif [ "$_role" = "zsk" ]; then - _zsk="yes" - elif [ "$_role" = "csk" ]; then - _zsk="yes" - _ksk="yes" - fi - - _role2="none" - if [ "$_flags" = "257" ]; then - _role2="key-signing" - elif [ "$_flags" = "256" ]; then - _role2="zone-signing" - fi - - BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" - KEY_FILE="${BASE_FILE}.key" - PRIVATE_FILE="${BASE_FILE}.private" - STATE_FILE="${BASE_FILE}.state" - KEY_ID="${_key_id}" - - # Check file existence. - [ -s "$KEY_FILE" ] || ret=1 - if [ "$_private" = "yes" ]; then - [ -s "$PRIVATE_FILE" ] || ret=1 - fi - if [ "$_legacy" = "no" ]; then - [ -s "$STATE_FILE" ] || ret=1 - fi - [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing" - [ "$ret" -eq 0 ] || return 0 - - # Retrieve creation date. - grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" - KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") - - if [ "$_private" = "yes" ]; then - grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch created in $PRIVATE_FILE" - fi - if [ "$_legacy" = "no" ]; then - grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || _log_error "mismatch generated in $STATE_FILE" - fi - - test $_log -eq 1 && echo_i "check key file $BASE_FILE" - - # Check the public key file. - grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || _log_error "mismatch top comment in $KEY_FILE" - grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" - # Now check the private key file. - if [ "$_private" = "yes" ]; then - grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" - grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" - fi - # Now check the key state file. - if [ "$_legacy" = "no" ]; then - grep "This is the state of key ${_key_id}, for ${_zone}." "$STATE_FILE" > /dev/null || _log_error "mismatch top comment in $STATE_FILE" - if [ "$_lifetime" = "none" ]; then - grep "Lifetime: " "$STATE_FILE" > /dev/null && _log_error "unexpected lifetime in $STATE_FILE" - else - grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || _log_error "mismatch lifetime in $STATE_FILE" - fi - grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || _log_error "mismatch algorithm in $STATE_FILE" - grep "Length: ${_length}" "$STATE_FILE" > /dev/null || _log_error "mismatch length in $STATE_FILE" - grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || _log_error "mismatch ksk in $STATE_FILE" - grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || _log_error "mismatch zsk in $STATE_FILE" - - # Check key states. - if [ "$_goal" = "none" ]; then - grep "GoalState: " "$STATE_FILE" > /dev/null && _log_error "unexpected goal state in $STATE_FILE" - else - grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || _log_error "mismatch goal state in $STATE_FILE" - fi - - if [ "$_state_dnskey" = "none" ]; then - grep "DNSKEYState: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey state in $STATE_FILE" - grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey change in $STATE_FILE" - else - grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey state in $STATE_FILE" - grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey change in $STATE_FILE" - fi - - if [ "$_state_zrrsig" = "none" ]; then - grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" - else - grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" - fi - - if [ "$_state_krrsig" = "none" ]; then - grep "KRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig state in $STATE_FILE" - grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig change in $STATE_FILE" - else - grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig state in $STATE_FILE" - grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig change in $STATE_FILE" - fi - - if [ "$_state_ds" = "none" ]; then - grep "DSState: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds state in $STATE_FILE" - grep "DSChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds change in $STATE_FILE" - else - grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || _log_error "mismatch ds state in $STATE_FILE" - grep "DSChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch ds change in $STATE_FILE" - fi - fi - - return 0 + _dir="$DIR" + _zone="$ZONE" + _role=$(key_get "$1" ROLE) + _key_idpad="$2" + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + _alg_string=$(key_get "$1" ALG_STR) + _length=$(key_get "$1" "ALG_LEN") + _dnskey_ttl="$DNSKEY_TTL" + _lifetime=$(key_get "$1" LIFETIME) + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + _flags=$(key_get "$1" FLAGS) + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _ksk="no" + _zsk="no" + if [ "$_role" = "ksk" ]; then + _ksk="yes" + elif [ "$_role" = "zsk" ]; then + _zsk="yes" + elif [ "$_role" = "csk" ]; then + _zsk="yes" + _ksk="yes" + fi + + _role2="none" + if [ "$_flags" = "257" ]; then + _role2="key-signing" + elif [ "$_flags" = "256" ]; then + _role2="zone-signing" + fi + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + # Check file existence. + [ -s "$KEY_FILE" ] || ret=1 + if [ "$_private" = "yes" ]; then + [ -s "$PRIVATE_FILE" ] || ret=1 + fi + if [ "$_legacy" = "no" ]; then + [ -s "$STATE_FILE" ] || ret=1 + fi + [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing" + [ "$ret" -eq 0 ] || return 0 + + # Retrieve creation date. + grep "; Created:" "$KEY_FILE" >"${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" + KEY_CREATED=$(awk '{print $3}' <"${ZONE}.${KEY_ID}.${_alg_num}.created") + + if [ "$_private" = "yes" ]; then + grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch created in $PRIVATE_FILE" + fi + if [ "$_legacy" = "no" ]; then + grep "Generated: ${KEY_CREATED}" "$STATE_FILE" >/dev/null || _log_error "mismatch generated in $STATE_FILE" + fi + + test $_log -eq 1 && echo_i "check key file $BASE_FILE" + + # Check the public key file. + grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" >/dev/null || _log_error "mismatch top comment in $KEY_FILE" + grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" >/dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" + # Now check the private key file. + if [ "$_private" = "yes" ]; then + grep "Private-key-format: v1.3" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" + grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" + fi + # Now check the key state file. + if [ "$_legacy" = "no" ]; then + grep "This is the state of key ${_key_id}, for ${_zone}." "$STATE_FILE" >/dev/null || _log_error "mismatch top comment in $STATE_FILE" + if [ "$_lifetime" = "none" ]; then + grep "Lifetime: " "$STATE_FILE" >/dev/null && _log_error "unexpected lifetime in $STATE_FILE" + else + grep "Lifetime: ${_lifetime}" "$STATE_FILE" >/dev/null || _log_error "mismatch lifetime in $STATE_FILE" + fi + grep "Algorithm: ${_alg_num}" "$STATE_FILE" >/dev/null || _log_error "mismatch algorithm in $STATE_FILE" + grep "Length: ${_length}" "$STATE_FILE" >/dev/null || _log_error "mismatch length in $STATE_FILE" + grep "KSK: ${_ksk}" "$STATE_FILE" >/dev/null || _log_error "mismatch ksk in $STATE_FILE" + grep "ZSK: ${_zsk}" "$STATE_FILE" >/dev/null || _log_error "mismatch zsk in $STATE_FILE" + + # Check key states. + if [ "$_goal" = "none" ]; then + grep "GoalState: " "$STATE_FILE" >/dev/null && _log_error "unexpected goal state in $STATE_FILE" + else + grep "GoalState: ${_goal}" "$STATE_FILE" >/dev/null || _log_error "mismatch goal state in $STATE_FILE" + fi + + if [ "$_state_dnskey" = "none" ]; then + grep "DNSKEYState: " "$STATE_FILE" >/dev/null && _log_error "unexpected dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected dnskey change in $STATE_FILE" + else + grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" >/dev/null || _log_error "mismatch dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch dnskey change in $STATE_FILE" + fi + + if [ "$_state_zrrsig" = "none" ]; then + grep "ZRRSIGState: " "$STATE_FILE" >/dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" + else + grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" >/dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" + fi + + if [ "$_state_krrsig" = "none" ]; then + grep "KRRSIGState: " "$STATE_FILE" >/dev/null && _log_error "unexpected krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected krrsig change in $STATE_FILE" + else + grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" >/dev/null || _log_error "mismatch krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch krrsig change in $STATE_FILE" + fi + + if [ "$_state_ds" = "none" ]; then + grep "DSState: " "$STATE_FILE" >/dev/null && _log_error "unexpected ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected ds change in $STATE_FILE" + else + grep "DSState: ${_state_ds}" "$STATE_FILE" >/dev/null || _log_error "mismatch ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch ds change in $STATE_FILE" + fi + fi + + return 0 } # Check the key timing metadata for key $1. check_timingmetadata() { - _dir="$DIR" - _zone="$ZONE" - _key_idpad=$(key_get "$1" ID) - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$(key_get "$1" ALG_NUM) - _alg_numpad=$(printf "%03d" "$_alg_num") - - _published=$(key_get "$1" PUBLISHED) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - _goal=$(key_get "$1" GOAL) - _state_dnskey=$(key_get "$1" STATE_DNSKEY) - _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) - _state_krrsig=$(key_get "$1" STATE_KRRSIG) - _state_ds=$(key_get "$1" STATE_DS) - - _base_file=$(key_get "$1" BASEFILE) - _key_file="${_base_file}.key" - _private_file="${_base_file}.private" - _state_file="${_base_file}.state" - _legacy=$(key_get "$1" LEGACY) - _private=$(key_get "$1" PRIVATE) - - _published=$(key_get "$1" PUBLISHED) - _syncpublish=$(key_get "$1" SYNCPUBLISH) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - # Check timing metadata. - n=$((n+1)) - echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" - ret=0 - - if [ "$_published" = "none" ]; then - grep "; Publish:" "${_key_file}" > /dev/null && _log_error "unexpected publish comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Publish:" "${_private_file}" > /dev/null && _log_error "unexpected publish in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Published: " "${_state_file}" > /dev/null && _log_error "unexpected publish in ${_state_file}" - fi - else - grep "; Publish: $_published" "${_key_file}" > /dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" - if [ "$_private" = "yes" ]; then - grep "Publish: $_published" "${_private_file}" > /dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" - fi - if [ "$_legacy" = "no" ]; then - grep "Published: $_published" "${_state_file}" > /dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" - fi - fi - - if [ "$_syncpublish" = "none" ]; then - grep "; SyncPublish:" "${_key_file}" > /dev/null && _log_error "unexpected syncpublish comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "SyncPublish:" "${_private_file}" > /dev/null && _log_error "unexpected syncpublish in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "PublishCDS: " "${_state_file}" > /dev/null && _log_error "unexpected syncpublish in ${_state_file}" - fi - else - grep "; SyncPublish: $_syncpublish" "${_key_file}" > /dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" - if [ "$_private" = "yes" ]; then - grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" - fi - if [ "$_legacy" = "no" ]; then - grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || _log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" - fi - fi - - if [ "$_active" = "none" ]; then - grep "; Activate:" "${_key_file}" > /dev/null && _log_error "unexpected active comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Activate:" "${_private_file}" > /dev/null && _log_error "unexpected active in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Active: " "${_state_file}" > /dev/null && _log_error "unexpected active in ${_state_file}" - fi - else - grep "; Activate: $_active" "${_key_file}" > /dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" - if [ "$_private" = "yes" ]; then - grep "Activate: $_active" "${_private_file}" > /dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" - fi - if [ "$_legacy" = "no" ]; then - grep "Active: $_active" "${_state_file}" > /dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" - fi - fi - - if [ "$_retired" = "none" ]; then - grep "; Inactive:" "${_key_file}" > /dev/null && _log_error "unexpected retired comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Inactive:" "${_private_file}" > /dev/null && _log_error "unexpected retired in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Retired: " "${_state_file}" > /dev/null && _log_error "unexpected retired in ${_state_file}" - fi - else - grep "; Inactive: $_retired" "${_key_file}" > /dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" - if [ "$_private" = "yes" ]; then - grep "Inactive: $_retired" "${_private_file}" > /dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" - fi - if [ "$_legacy" = "no" ]; then - grep "Retired: $_retired" "${_state_file}" > /dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" - fi - fi - - if [ "$_revoked" = "none" ]; then - grep "; Revoke:" "${_key_file}" > /dev/null && _log_error "unexpected revoked comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Revoke:" "${_private_file}" > /dev/null && _log_error "unexpected revoked in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Revoked: " "${_state_file}" > /dev/null && _log_error "unexpected revoked in ${_state_file}" - fi - else - grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" - if [ "$_private" = "yes" ]; then - grep "Revoke: $_revoked" "${_private_file}" > /dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" - fi - if [ "$_legacy" = "no" ]; then - grep "Revoked: $_revoked" "${_state_file}" > /dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" - fi - fi - - if [ "$_removed" = "none" ]; then - grep "; Delete:" "${_key_file}" > /dev/null && _log_error "unexpected removed comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Delete:" "${_private_file}" > /dev/null && _log_error "unexpected removed in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Removed: " "${_state_file}" > /dev/null && _log_error "unexpected removed in ${_state_file}" - fi - else - grep "; Delete: $_removed" "${_key_file}" > /dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" - if [ "$_private" = "yes" ]; then - grep "Delete: $_removed" "${_private_file}" > /dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" - fi - if [ "$_legacy" = "no" ]; then - grep "Removed: $_removed" "${_state_file}" > /dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" - fi - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _dir="$DIR" + _zone="$ZONE" + _key_idpad=$(key_get "$1" ID) + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _base_file=$(key_get "$1" BASEFILE) + _key_file="${_base_file}.key" + _private_file="${_base_file}.private" + _state_file="${_base_file}.state" + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + + _published=$(key_get "$1" PUBLISHED) + _syncpublish=$(key_get "$1" SYNCPUBLISH) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + # Check timing metadata. + n=$((n + 1)) + echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" + ret=0 + + if [ "$_published" = "none" ]; then + grep "; Publish:" "${_key_file}" >/dev/null && _log_error "unexpected publish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Publish:" "${_private_file}" >/dev/null && _log_error "unexpected publish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: " "${_state_file}" >/dev/null && _log_error "unexpected publish in ${_state_file}" + fi + else + grep "; Publish: $_published" "${_key_file}" >/dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" + if [ "$_private" = "yes" ]; then + grep "Publish: $_published" "${_private_file}" >/dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: $_published" "${_state_file}" >/dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" + fi + fi + + if [ "$_syncpublish" = "none" ]; then + grep "; SyncPublish:" "${_key_file}" >/dev/null && _log_error "unexpected syncpublish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "SyncPublish:" "${_private_file}" >/dev/null && _log_error "unexpected syncpublish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: " "${_state_file}" >/dev/null && _log_error "unexpected syncpublish in ${_state_file}" + fi + else + grep "; SyncPublish: $_syncpublish" "${_key_file}" >/dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" + if [ "$_private" = "yes" ]; then + grep "SyncPublish: $_syncpublish" "${_private_file}" >/dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: $_syncpublish" "${_state_file}" >/dev/null || _log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" + fi + fi + + if [ "$_active" = "none" ]; then + grep "; Activate:" "${_key_file}" >/dev/null && _log_error "unexpected active comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Activate:" "${_private_file}" >/dev/null && _log_error "unexpected active in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: " "${_state_file}" >/dev/null && _log_error "unexpected active in ${_state_file}" + fi + else + grep "; Activate: $_active" "${_key_file}" >/dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" + if [ "$_private" = "yes" ]; then + grep "Activate: $_active" "${_private_file}" >/dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: $_active" "${_state_file}" >/dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" + fi + fi + + if [ "$_retired" = "none" ]; then + grep "; Inactive:" "${_key_file}" >/dev/null && _log_error "unexpected retired comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Inactive:" "${_private_file}" >/dev/null && _log_error "unexpected retired in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: " "${_state_file}" >/dev/null && _log_error "unexpected retired in ${_state_file}" + fi + else + grep "; Inactive: $_retired" "${_key_file}" >/dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" + if [ "$_private" = "yes" ]; then + grep "Inactive: $_retired" "${_private_file}" >/dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: $_retired" "${_state_file}" >/dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" + fi + fi + + if [ "$_revoked" = "none" ]; then + grep "; Revoke:" "${_key_file}" >/dev/null && _log_error "unexpected revoked comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Revoke:" "${_private_file}" >/dev/null && _log_error "unexpected revoked in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: " "${_state_file}" >/dev/null && _log_error "unexpected revoked in ${_state_file}" + fi + else + grep "; Revoke: $_revoked" "${_key_file}" >/dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" + if [ "$_private" = "yes" ]; then + grep "Revoke: $_revoked" "${_private_file}" >/dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: $_revoked" "${_state_file}" >/dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" + fi + fi + + if [ "$_removed" = "none" ]; then + grep "; Delete:" "${_key_file}" >/dev/null && _log_error "unexpected removed comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Delete:" "${_private_file}" >/dev/null && _log_error "unexpected removed in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: " "${_state_file}" >/dev/null && _log_error "unexpected removed in ${_state_file}" + fi + else + grep "; Delete: $_removed" "${_key_file}" >/dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" + if [ "$_private" = "yes" ]; then + grep "Delete: $_removed" "${_private_file}" >/dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: $_removed" "${_state_file}" >/dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } check_keytimes() { - # The script relies on Python to set keytimes. - if [ -x "$PYTHON" ]; then - - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY1" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY2" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY3" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY4" - fi - fi + # The script relies on Python to set keytimes. + if [ -x "$PYTHON" ]; then + + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY1" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY2" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY3" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY4" + fi + fi } # Check the key with key id $1 and see if it is unused. @@ -641,143 +640,142 @@ check_keytimes() { # STATE_FILE="${BASE_FILE}.state" # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') key_unused() { - _dir=$DIR - _zone=$ZONE - _key_idpad=$1 - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$2 - _alg_numpad=$(printf "%03d" "$_alg_num") - - BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" - KEY_FILE="${BASE_FILE}.key" - PRIVATE_FILE="${BASE_FILE}.private" - STATE_FILE="${BASE_FILE}.state" - KEY_ID="${_key_id}" - - test $_log -eq 1 && echo_i "key unused $KEY_ID?" - - # Check file existence. - [ -s "$KEY_FILE" ] || ret=1 - [ -s "$PRIVATE_FILE" ] || ret=1 - [ -s "$STATE_FILE" ] || ret=1 - [ "$ret" -eq 0 ] || return 0 - - # Treat keys that have been removed from the zone as unused. - _check_removed=1 - grep "; Created:" "$KEY_FILE" > created.key-${KEY_ID}.test${n} || _check_removed=0 - grep "; Delete:" "$KEY_FILE" > unused.key-${KEY_ID}.test${n} || _check_removed=0 - if [ "$_check_removed" -eq 1 ]; then - _created=$(awk '{print $3}' < created.key-${KEY_ID}.test${n}) - _removed=$(awk '{print $3}' < unused.key-${KEY_ID}.test${n}) - [ "$_removed" -le "$_created" ] && return - fi - - # If no timing metadata is set, this key is unused. - grep "; Publish:" "$KEY_FILE" > /dev/null && _log_error "unexpected publish comment in $KEY_FILE" - grep "; Activate:" "$KEY_FILE" > /dev/null && _log_error "unexpected active comment in $KEY_FILE" - grep "; Inactive:" "$KEY_FILE" > /dev/null && _log_error "unexpected retired comment in $KEY_FILE" - grep "; Revoke:" "$KEY_FILE" > /dev/null && _log_error "unexpected revoked comment in $KEY_FILE" - grep "; Delete:" "$KEY_FILE" > /dev/null && _log_error "unexpected removed comment in $KEY_FILE" - - grep "Publish:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected publish in $PRIVATE_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected active in $PRIVATE_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected retired in $PRIVATE_FILE" - grep "Revoke:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected removed in $PRIVATE_FILE" - - grep "Published: " "$STATE_FILE" > /dev/null && _log_error "unexpected publish in $STATE_FILE" - grep "Active: " "$STATE_FILE" > /dev/null && _log_error "unexpected active in $STATE_FILE" - grep "Retired: " "$STATE_FILE" > /dev/null && _log_error "unexpected retired in $STATE_FILE" - grep "Revoked: " "$STATE_FILE" > /dev/null && _log_error "unexpected revoked in $STATE_FILE" - grep "Removed: " "$STATE_FILE" > /dev/null && _log_error "unexpected removed in $STATE_FILE" - - return 0 + _dir=$DIR + _zone=$ZONE + _key_idpad=$1 + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$2 + _alg_numpad=$(printf "%03d" "$_alg_num") + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + test $_log -eq 1 && echo_i "key unused $KEY_ID?" + + # Check file existence. + [ -s "$KEY_FILE" ] || ret=1 + [ -s "$PRIVATE_FILE" ] || ret=1 + [ -s "$STATE_FILE" ] || ret=1 + [ "$ret" -eq 0 ] || return 0 + + # Treat keys that have been removed from the zone as unused. + _check_removed=1 + grep "; Created:" "$KEY_FILE" >created.key-${KEY_ID}.test${n} || _check_removed=0 + grep "; Delete:" "$KEY_FILE" >unused.key-${KEY_ID}.test${n} || _check_removed=0 + if [ "$_check_removed" -eq 1 ]; then + _created=$(awk '{print $3}' <created.key-${KEY_ID}.test${n}) + _removed=$(awk '{print $3}' <unused.key-${KEY_ID}.test${n}) + [ "$_removed" -le "$_created" ] && return + fi + + # If no timing metadata is set, this key is unused. + grep "; Publish:" "$KEY_FILE" >/dev/null && _log_error "unexpected publish comment in $KEY_FILE" + grep "; Activate:" "$KEY_FILE" >/dev/null && _log_error "unexpected active comment in $KEY_FILE" + grep "; Inactive:" "$KEY_FILE" >/dev/null && _log_error "unexpected retired comment in $KEY_FILE" + grep "; Revoke:" "$KEY_FILE" >/dev/null && _log_error "unexpected revoked comment in $KEY_FILE" + grep "; Delete:" "$KEY_FILE" >/dev/null && _log_error "unexpected removed comment in $KEY_FILE" + + grep "Publish:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected publish in $PRIVATE_FILE" + grep "Activate:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected active in $PRIVATE_FILE" + grep "Inactive:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected retired in $PRIVATE_FILE" + grep "Revoke:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" + grep "Delete:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected removed in $PRIVATE_FILE" + + grep "Published: " "$STATE_FILE" >/dev/null && _log_error "unexpected publish in $STATE_FILE" + grep "Active: " "$STATE_FILE" >/dev/null && _log_error "unexpected active in $STATE_FILE" + grep "Retired: " "$STATE_FILE" >/dev/null && _log_error "unexpected retired in $STATE_FILE" + grep "Revoked: " "$STATE_FILE" >/dev/null && _log_error "unexpected revoked in $STATE_FILE" + grep "Removed: " "$STATE_FILE" >/dev/null && _log_error "unexpected removed in $STATE_FILE" + + return 0 } # Test: dnssec-verify zone $1. -dnssec_verify() -{ - n=$((n+1)) - echo_i "dnssec-verify zone ${ZONE} ($n)" - ret=0 - _dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed" - $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) +dnssec_verify() { + n=$((n + 1)) + echo_i "dnssec-verify zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "$ZONE" "@${SERVER}" AXFR >dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed" + $VERIFY -z -o "$ZONE" dig.out.axfr.test$n >verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Wait for the zone to be signed. # The apex NSEC record indicates that it is signed. _wait_for_nsec() { - _dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1 - grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1 - grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1 - return 0 + _dig_with_opts "@${SERVER}" "$ZONE" NSEC >"dig.out.nsec.test$n" || return 1 + grep "NS SOA" "dig.out.nsec.test$n" >/dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" >/dev/null || return 1 + return 0 } wait_for_nsec() { - n=$((n+1)) - ret=0 - echo_i "wait for ${ZONE} to be signed ($n)" - retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + n=$((n + 1)) + ret=0 + echo_i "wait for ${ZONE} to be signed ($n)" + retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } check_numkeys() { - _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) - test "$_numkeys" -eq "$NUM_KEYS" || return 1 - return 0 + _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) + test "$_numkeys" -eq "$NUM_KEYS" || return 1 + return 0 } _check_keys() { - ret=0 - _ret=0 - - # Clear key ids. - key_set KEY1 ID "no" - key_set KEY2 ID "no" - key_set KEY3 ID "no" - key_set KEY4 ID "no" - - # Check key files. - _ids=$(get_keyids "$DIR" "$ZONE") - for _id in $_ids; do - # There are multiple key files with the same algorithm. - # Check them until a match is found. - ret=0 - echo_i "check key id $_id" - - if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY1" "$_id" - test "$ret" -eq 0 && key_save KEY1 && continue - fi - if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY2" "$_id" - test "$ret" -eq 0 && key_save KEY2 && continue - fi - if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY3" "$_id" - test "$ret" -eq 0 && key_save KEY3 && continue - fi - if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY4" "$_id" - test "$ret" -eq 0 && key_save KEY4 && continue - fi - - # This may be an unused key. Assume algorithm of KEY1. - ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" - test "$ret" -eq 0 && continue - - # If ret is still non-zero, none of the files matched. - echo_i "failed" - _ret=1 - done - - return $_ret + ret=0 + _ret=0 + + # Clear key ids. + key_set KEY1 ID "no" + key_set KEY2 ID "no" + key_set KEY3 ID "no" + key_set KEY4 ID "no" + + # Check key files. + _ids=$(get_keyids "$DIR" "$ZONE") + for _id in $_ids; do + # There are multiple key files with the same algorithm. + # Check them until a match is found. + ret=0 + echo_i "check key id $_id" + + if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY1" "$_id" + test "$ret" -eq 0 && key_save KEY1 && continue + fi + if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY2" "$_id" + test "$ret" -eq 0 && key_save KEY2 && continue + fi + if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY3" "$_id" + test "$ret" -eq 0 && key_save KEY3 && continue + fi + if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY4" "$_id" + test "$ret" -eq 0 && key_save KEY4 && continue + fi + + # This may be an unused key. Assume algorithm of KEY1. + ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" + test "$ret" -eq 0 && continue + + # If ret is still non-zero, none of the files matched. + echo_i "failed" + _ret=1 + done + + return $_ret } # Check keys for a configured zone. This verifies: @@ -787,47 +785,47 @@ _check_keys() { # It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly. # Found key identifiers are stored in the right key array. check_keys() { - n=$((n+1)) - echo_i "check keys are created for zone ${ZONE} ($n)" - ret=0 - - echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" - retry_quiet 10 check_numkeys || ret=1 - if [ $ret -ne 0 ]; then - _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) - _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)" - status=$((status+ret)) - fi - - # Temporarily don't log errors because we are searching multiple files. - disable_logerror - - retry_quiet 3 _check_keys || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # Turn error logs on again. - enable_logerror - - ret=0 - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - echo_i "KEY1 ID $(key_get KEY1 ID)" - test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - echo_i "KEY2 ID $(key_get KEY2 ID)" - test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - echo_i "KEY3 ID $(key_get KEY3 ID)" - test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - echo_i "KEY4 ID $(key_get KEY4 ID)" - test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}" - fi - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + n=$((n + 1)) + echo_i "check keys are created for zone ${ZONE} ($n)" + ret=0 + + echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" + retry_quiet 10 check_numkeys || ret=1 + if [ $ret -ne 0 ]; then + _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) + _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)" + status=$((status + ret)) + fi + + # Temporarily don't log errors because we are searching multiple files. + disable_logerror + + retry_quiet 3 _check_keys || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # Turn error logs on again. + enable_logerror + + ret=0 + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + echo_i "KEY1 ID $(key_get KEY1 ID)" + test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + echo_i "KEY2 ID $(key_get KEY2 ID)" + test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + echo_i "KEY3 ID $(key_get KEY3 ID)" + test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + echo_i "KEY4 ID $(key_get KEY4 ID)" + test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}" + fi + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2 @@ -838,407 +836,406 @@ check_keys() { # it is scheduled to do so, and it shows the states for the various # DNSSEC records. check_dnssecstatus() { - _server=$1 - _policy=$2 - _zone=$3 - _view=$4 - - n=$((n+1)) - echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" - ret=0 - - _rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" - - if [ "$_policy" = "none" ]; then - grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" - else - grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}" - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status" - fi - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _server=$1 + _policy=$2 + _zone=$3 + _view=$4 + + n=$((n + 1)) + echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" + ret=0 + + _rndccmd $_server dnssec -status $_zone in $_view >rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" + + if [ "$_policy" = "none" ]; then + grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n >/dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" + else + grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "bad dnssec status for signed zone ${_zone}" + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if # inline-signing is enabled. check_inlinesigning() { - _server=$1 - _zone=$2 - _view=$3 + _server=$1 + _zone=$2 + _view=$3 - _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 - grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 + _rndccmd $_server zonestatus $_zone in $_view >rndc.zonestatus.out.$_zone.$n || return 1 + grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n >/dev/null || return 1 } # Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if # the zone is dynamic. check_isdynamic() { - _server=$1 - _zone=$2 - _view=$3 + _server=$1 + _zone=$2 + _view=$3 - _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 - grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 + _rndccmd $_server zonestatus $_zone in $_view >rndc.zonestatus.out.$_zone.$n || return 1 + grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n >/dev/null || return 1 } # Check if RRset of type $1 in file $2 is signed with the right keys. # The right keys are the ones that expect a signature and matches the role $3. _check_signatures() { - _qtype=$1 - _file=$2 - _role=$3 - - numsigs=0 - - if [ "$_role" = "KSK" ]; then - _expect_type=EXPECT_KRRSIG - elif [ "$_role" = "ZSK" ]; then - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && return 1 - fi - - if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && return 1 - fi - - if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null && return 1 - fi - - if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null && return 1 - fi - - lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l) - test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)" - test "$lines" -eq "$numsigs" || return 1 - - return 0 + _qtype=$1 + _file=$2 + _role=$3 + + numsigs=0 + + if [ "$_role" = "KSK" ]; then + _expect_type=EXPECT_KRRSIG + elif [ "$_role" = "ZSK" ]; then + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null && return 1 + fi + + lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l) + test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)" + test "$lines" -eq "$numsigs" || return 1 + + return 0 } check_signatures() { - retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed" + retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed" } response_has_cds_for_key() ( - awk -v zone="${ZONE%%.}." \ - -v ttl="${DNSKEY_TTL}" \ - -v qtype="CDS" \ - -v keyid="$(key_get "${1}" ID)" \ - -v keyalg="$(key_get "${1}" ALG_NUM)" \ - -v hashalg="2" \ - 'BEGIN { ret=1; } + awk -v zone="${ZONE%%.}." \ + -v ttl="${DNSKEY_TTL}" \ + -v qtype="CDS" \ + -v keyid="$(key_get "${1}" ID)" \ + -v keyalg="$(key_get "${1}" ALG_NUM)" \ + -v hashalg="2" \ + 'BEGIN { ret=1; } $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; } END { exit ret; }' \ - "$2" + "$2" ) response_has_cdnskey_for_key() ( - awk -v zone="${ZONE%%.}." \ - -v ttl="${DNSKEY_TTL}" \ - -v qtype="CDNSKEY" \ - -v flags="$(key_get "${1}" FLAGS)" \ - -v keyalg="$(key_get "${1}" ALG_NUM)" \ - 'BEGIN { ret=1; } + awk -v zone="${ZONE%%.}." \ + -v ttl="${DNSKEY_TTL}" \ + -v qtype="CDNSKEY" \ + -v flags="$(key_get "${1}" FLAGS)" \ + -v keyalg="$(key_get "${1}" ALG_NUM)" \ + 'BEGIN { ret=1; } $1 == zone && $2 == ttl && $4 == qtype && $5 == flags && $7 == keyalg { ret=0; exit; } END { exit ret; }' \ - "$2" + "$2" ) # Test CDS and CDNSKEY publication. check_cds() { - n=$((n+1)) - echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" - ret=0 - - _checksig=0 - - _dig_with_opts "$ZONE" "@${SERVER}" "CDS" > "dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "mismatch status in DNS response" - - _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" > "dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "mismatch status in DNS response" - - if [ "$CDS_DELETE" = "no" ]; then - grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null && _log_error "unexpected CDS DELETE record in DNS response" - grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response" - else - grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "missing CDS DELETE record in DNS response" - grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "missing CDNSKEY DELETE record in DNS response" - _checksig=1 - fi - - if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" - response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" - _checksig=1 - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" - # KEY1 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" - response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" - _checksig=1 - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" - # KEY2 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" - response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" - _checksig=1 - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" - # KEY3 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)" - response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" - _checksig=1 - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" - # KEY4 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" - test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + n=$((n + 1)) + echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" + ret=0 + + _checksig=0 + + _dig_with_opts "$ZONE" "@${SERVER}" "CDS" >"dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.cds" >/dev/null || _log_error "mismatch status in DNS response" + + _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" >"dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed" + grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" >/dev/null || _log_error "mismatch status in DNS response" + + if [ "$CDS_DELETE" = "no" ]; then + grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" >/dev/null && _log_error "unexpected CDS DELETE record in DNS response" + grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" >/dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response" + else + grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" >/dev/null || _log_error "missing CDS DELETE record in DNS response" + grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" >/dev/null || _log_error "missing CDNSKEY DELETE record in DNS response" + _checksig=1 + fi + + if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" + response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" + _checksig=1 + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" + # KEY1 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" + response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" + _checksig=1 + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" + # KEY2 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" + response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" + _checksig=1 + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" + # KEY3 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then + response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)" + response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" + _checksig=1 + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" + # KEY4 should not have an associated CDNSKEY, but there may be + # one for another key. Since the CDNSKEY has no field for key + # id, it is hard to check what key the CDNSKEY may belong to + # so let's skip this check for now. + fi + + test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" + test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } _find_dnskey() { - _owner="${ZONE}." - _alg="$(key_get $1 ALG_NUM)" - _flags="$(key_get $1 FLAGS)" - _key_file="$(key_get $1 BASEFILE).key" + _owner="${ZONE}." + _alg="$(key_get $1 ALG_NUM)" + _flags="$(key_get $1 FLAGS)" + _key_file="$(key_get $1 BASEFILE).key" - awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file" + awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file" } - # Test DNSKEY query. _check_apex_dnskey() { - _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" > "dig.out.$DIR.test$n" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1 - - _checksig=0 - - if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY1) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY1) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY2) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY2) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY3) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY3) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then - _pubkey=$(_find_dnskey KEY4) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 - _checksig=1 - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - _pubkey=$(_find_dnskey KEY4) - test -z "$_pubkey" && return 1 - grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 - fi - - test "$_checksig" -eq 0 && return 0 - - _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1 - - return 0 + _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" >"dig.out.$DIR.test$n" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || return 1 + + _checksig=0 + + if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1 + _checksig=1 + elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1 + fi + + test "$_checksig" -eq 0 && return 0 + + _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1 + + return 0 } # Test the apex of a configured zone. This checks that the SOA and DNSKEY # RRsets are signed correctly and with the appropriate keys. check_apex() { - # Test DNSKEY query. - n=$((n+1)) - echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_apex_dnskey || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # We retry the DNSKEY query for at most ten seconds to avoid test - # failures due to timing issues. If the DNSKEY query check passes this - # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY) - # don't need to be retried quietly. - - # Test SOA query. - n=$((n+1)) - echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - _dig_with_opts "$ZONE" "@${SERVER}" "SOA" > "dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response" - grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing SOA record in response" - check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # Test CDS and CDNSKEY publication. - check_cds + # Test DNSKEY query. + n=$((n + 1)) + echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_apex_dnskey || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # We retry the DNSKEY query for at most ten seconds to avoid test + # failures due to timing issues. If the DNSKEY query check passes this + # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY) + # don't need to be retried quietly. + + # Test SOA query. + n=$((n + 1)) + echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "$ZONE" "@${SERVER}" "SOA" >"dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response" + grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing SOA record in response" + check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # Test CDS and CDNSKEY publication. + check_cds } # Test an RRset below the apex and verify it is signed correctly. check_subdomain() { - _qtype="A" - n=$((n+1)) - echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response" - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response" - lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) - check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _qtype="A" + n=$((n + 1)) + echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype >"dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response" + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response" + lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) + check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Check if "CDS/CDNSKEY Published" is logged. check_cdslog() { - _dir=$1 - _zone=$2 - _key=$3 + _dir=$1 + _zone=$2 + _key=$3 - _alg=$(key_get $_key ALG_STR) - _id=$(key_get $_key ID) + _alg=$(key_get $_key ALG_STR) + _id=$(key_get $_key ID) - n=$((n+1)) - echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)" - ret=0 + n=$((n + 1)) + echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)" + ret=0 - grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 - grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 + grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" >/dev/null || ret=1 + grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" >/dev/null || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Tell named that the DS for the key in given zone has been seen in the # parent (this does not actually has to be true, we just issue the command # to make named believe it can continue with the rollover). rndc_checkds() { - _server=$1 - _dir=$2 - _key=$3 - _when=$4 - _what=$5 - _zone=$6 - _view=$7 - - _keycmd="" - if [ "${_key}" != "-" ]; then - _keyid=$(key_get $_key ID) - _keycmd=" -key ${_keyid}" - fi - - _whencmd="" - if [ "${_when}" != "now" ]; then - _whencmd=" -when ${_when}" - fi - - n=$((n+1)) - echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)" - ret=0 - - _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed" - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _server=$1 + _dir=$2 + _key=$3 + _when=$4 + _what=$5 + _zone=$6 + _view=$7 + + _keycmd="" + if [ "${_key}" != "-" ]; then + _keyid=$(key_get $_key ID) + _keycmd=" -key ${_keyid}" + fi + + _whencmd="" + if [ "${_when}" != "now" ]; then + _whencmd=" -when ${_when}" + fi + + n=$((n + 1)) + echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)" + ret=0 + + _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view >rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Tell named to schedule a key rollover. rndc_rollover() { - _server=$1 - _dir=$2 - _keyid=$3 - _when=$4 - _zone=$5 - _view=$6 - - _whencmd="" - if [ "${_when}" != "now" ]; then - _whencmd="-when ${_when}" - fi - - n=$((n+1)) - echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)" - ret=0 - - _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed" - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _server=$1 + _dir=$2 + _keyid=$3 + _when=$4 + _zone=$5 + _view=$6 + + _whencmd="" + if [ "${_when}" != "now" ]; then + _whencmd="-when ${_when}" + fi + + n=$((n + 1)) + echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)" + ret=0 + + _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view >rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed" + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index db264c2..d31b53a 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -29,6 +29,7 @@ rm -f ns*/*.mkeys rm -f ns*/zones ns*/*.db.infile rm -f ns*/*.zsk1 ns*/*.zsk2 rm -f ns3/legacy-keys.* +rm -rf ns3/keys/ rm -f *.created published.test* retired.test* rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.* rm -f python.out.* diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in index a6e8b3a..8debcd2 100644 --- a/bin/tests/system/kasp/ns3/named-fips.conf.in +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -49,6 +49,15 @@ zone "default.kasp" { dnssec-policy "default"; }; +/* A zone with special characters. */ +zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." { + type primary; + file "i-am.special.kasp.db"; + check-names ignore; + inline-signing yes; + dnssec-policy "default"; +}; + /* checkds: Zone with one KSK. */ zone "checkds-ksk.kasp" { type primary; @@ -146,6 +155,18 @@ zone "dynamic-inline-signing.kasp" { inline-signing yes; }; +/* + * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the + * raw version of the zone. + */ +zone "dynamic-signed-inline-signing.kasp" { + type primary; + file "dynamic-signed-inline-signing.kasp.db.signed"; + key-directory "keys"; + dnssec-policy "default"; + allow-update { any; }; +}; + /* An inline-signed zone with dnssec-policy. */ zone "inline-signing.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 8af40ed..41cf379 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -17,20 +17,20 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - echo "$zone" >> zones + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones } # Set in the key state files the Predecessor/Successor fields. # Key $1 is the predecessor of key $2. key_successor() { - id1=$(keyfile_to_key_id "$1") - id2=$(keyfile_to_key_id "$2") - echo "Predecessor: ${id1}" >> "${2}.state" - echo "Successor: ${id2}" >> "${1}.state" + id1=$(keyfile_to_key_id "$1") + id2=$(keyfile_to_key_id "$2") + echo "Predecessor: ${id1}" >>"${2}.state" + echo "Successor: ${id2}" >>"${1}.state" } # Make lines shorter by storing key states in environment variables. @@ -43,94 +43,100 @@ U="UNRETENTIVE" # Set up zones that will be initially signed. # for zn in default dnssec-keygen some-keys legacy-keys pregenerated \ - rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \ - dynamic dynamic-inline-signing inline-signing \ - checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \ - manual-rollover multisigner-model2 -do - setup "${zn}.kasp" - cp template.db.in "$zonefile" + rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \ + dynamic dynamic-inline-signing inline-signing \ + checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \ + manual-rollover multisigner-model2; do + setup "${zn}.kasp" + cp template.db.in "$zonefile" done # +# Setup special zone +# +zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." +echo_i "setting up zone: $zone" +cp template.db.in "i-am.special.kasp.db" + +# # Set up RSASHA1 based zones # -for zn in rsasha1 rsasha1-nsec3 -do - if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) - then - setup "${zn}.kasp" - cp template.db.in "$zonefile" - else - # don't add to zones. - echo_i "setting up zone: ${zn}.kasp" - cp template.db.in "${zn}.kasp.db" - fi +for zn in rsasha1 rsasha1-nsec3; do + if ( + cd .. + $SHELL ../testcrypto.sh -q RSASHA1 + ); then + setup "${zn}.kasp" + cp template.db.in "$zonefile" + else + # don't add to zones. + echo_i "setting up zone: ${zn}.kasp" + cp template.db.in "${zn}.kasp.db" + fi done if [ -f ../ed25519-supported.file ]; then - setup "ed25519.kasp" - cp template.db.in "$zonefile" - cat ed25519.conf >> named.conf + setup "ed25519.kasp" + cp template.db.in "$zonefile" + cat ed25519.conf >>named.conf fi if [ -f ../ed448-supported.file ]; then - setup "ed448.kasp" - cp template.db.in "$zonefile" - cat ed448.conf >> named.conf + setup "ed448.kasp" + cp template.db.in "$zonefile" + cat ed448.conf >>named.conf fi # Set up zones that stay unsigned. -for zn in unsigned insecure max-zone-ttl -do - zone="${zn}.kasp" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - cp template.db.in $infile - cp template.db.in $zonefile +for zn in unsigned insecure max-zone-ttl; do + zone="${zn}.kasp" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in $infile + cp template.db.in $zonefile done # Some of these zones already have keys. zone="dnssec-keygen.kasp" echo_i "setting up zone: $zone" -$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 +$KEYGEN -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1 zone="some-keys.kasp" echo_i "setting up zone: $zone" -$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1 -$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1 +$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone >keygen.out.$zone.1 2>&1 +$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone >keygen.out.$zone.2 2>&1 zone="legacy-keys.kasp" echo_i "setting up zone: $zone" -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1) -KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2) -echo $ZSK > legacy-keys.kasp.zsk -echo $KSK > legacy-keys.kasp.ksk +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.1) +KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.2) +echo $ZSK >legacy-keys.kasp.zsk +echo $KSK >legacy-keys.kasp.ksk # Predecessor keys: Tact="now-9mo" Tret="now-3mo" -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3) -KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4) -$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1 -$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1 +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.3) +KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.4) +$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" >settime.out.$zone.1 2>&1 +$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" >settime.out.$zone.2 2>&1 zone="pregenerated.kasp" echo_i "setting up zone: $zone" -$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 -$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 +$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1 +$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1 zone="multisigner-model2.kasp" echo_i "setting up zone: $zone" # Import the ZSK sets of the other providers into their DNSKEY RRset. -ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1) -ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2) +ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.1) +ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.2) # ZSK1 will be added to the unsigned zonefile. -cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db" -cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1" +cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db" +cat "../${ZSK1}.key" | grep -v ";.*" >"${zone}.zsk1" rm -f "../${ZSK1}.*" # ZSK2 will be used with a Dynamic Update. -cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2" +cat "../${ZSK2}.key" | grep -v ";.*" >"${zone}.zsk2" rm -f "../${ZSK2}.*" zone="rumoured.kasp" @@ -138,12 +144,12 @@ echo_i "setting up zone: $zone" Tpub="now" Tact="now+1d" keytimes="-P ${Tpub} -A ${Tact}" -KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1 +KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" >settime.out.$zone.2 2>&1 # # Set up zones that are already signed. @@ -154,78 +160,91 @@ setup manual-rollover.kasp T="now-1d" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# We are signing the raw version of the zone here. This is unusual and not +# common operation, but want to make sure that in such a case BIND 9 does not +# schedule a resigning operation on the raw version. Add expired signatures so +# a resign is imminent. +setup dynamic-signed-inline-signing.kasp +T="now-1d" +csktimes="-P $T -A $T -P sync $T" +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +cp $infile $zonefile +$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # These signatures are set to expire long in the past, update immediately. setup expired-sigs.autosign T="now-6mo" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # These signatures are still good, and can be reused. setup fresh-sigs.autosign T="now-6mo" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # These signatures are still good, but not fresh enough, update immediately. setup unfresh-sigs.autosign T="now-6mo" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # These signatures are still good, but the private KSK is missing. setup ksk-missing.autosign T="now-6mo" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 -echo "KSK: yes" >> "${KSK}".state -echo "ZSK: no" >> "${KSK}".state -echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 +echo "KSK: yes" >>"${KSK}".state +echo "ZSK: no" >>"${KSK}".state +echo "Lifetime: 63072000" >>"${KSK}".state # PT2Y rm -f "${KSK}".private # These signatures are still good, but the private ZSK is missing. @@ -233,18 +252,18 @@ setup zsk-missing.autosign T="now-6mo" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 -echo "KSK: no" >> "${ZSK}".state -echo "ZSK: yes" >> "${ZSK}".state -echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 +echo "KSK: no" >>"${ZSK}".state +echo "ZSK: yes" >>"${ZSK}".state +echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y rm -f "${ZSK}".private # These signatures are already expired, and the private ZSK is retired. @@ -252,16 +271,16 @@ setup zsk-retired.autosign T="now-6mo" ksktimes="-P $T -A $T -P sync $T" zsktimes="-P $T -A $T -I now" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 -$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 +$SETTIME -s -g HIDDEN "$ZSK" >settime.out.$zone.3 2>&1 # # The zones at enable-dnssec.autosign represent the various steps of the @@ -289,12 +308,12 @@ TpubN="now-900s" # Total: 43800 seconds TsbmN="now+43800s" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. @@ -306,12 +325,12 @@ TcotN="now-43800s" # We can submit the DS now. TsbmN="now" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # The DS has been submitted long enough ago to become OMNIPRESENT. @@ -326,13 +345,12 @@ TpubN="now-56700s" TcotN="now-55800s" TsbmN="now-12000s" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 -setup step4.enable-dnssec.autosign +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at zsk-prepub.autosign represent the various steps of a ZSK @@ -345,15 +363,15 @@ setup step1.zsk-prepub.autosign TactN="now" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to pre-publish the successor ZSK. @@ -385,15 +403,15 @@ setup step2.zsk-prepub.autosign TactN="now-694h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # After the publication interval has passed the DNSKEY of the successor ZSK @@ -442,21 +460,21 @@ TremN1="now+961h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # After the retire interval has passed the predecessor DNSKEY can be @@ -505,18 +523,18 @@ TremN1="now+30d" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" cp $infile $zonefile -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. @@ -541,21 +559,21 @@ TremN1="now+719h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. @@ -580,21 +598,21 @@ TremN1="now+718h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at ksk-doubleksk.autosign represent the various steps of a KSK @@ -607,13 +625,13 @@ setup step1.ksk-doubleksk.autosign TactN="now" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. @@ -657,15 +675,15 @@ setup step2.ksk-doubleksk.autosign TactN="now-1413h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS. @@ -718,21 +736,21 @@ TremN1="now+1490h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. -cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # The DS should be swapped now. @@ -779,21 +797,21 @@ TremN1="now+60d" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. -cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. @@ -818,21 +836,21 @@ TremN1="now+1442h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. -cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. @@ -857,21 +875,21 @@ TremN1="now+1441h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. -cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at csk-roll.autosign represent the various steps of a CSK rollover @@ -883,12 +901,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil setup step1.csk-roll.autosign TactN="now" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. @@ -911,12 +929,12 @@ setup step2.csk-roll.autosign # = now - 4464h + 3h = now - 4461h TactN="now-4461h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. @@ -960,18 +978,18 @@ TretN1="now+186d" TremN1="now+5091h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -1007,18 +1025,18 @@ TretN1="now+4460h" TremN1="now+5087h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # After the DS is swapped in step 4, also the KRRSIG records can be removed. @@ -1043,18 +1061,18 @@ TretN1="now+4458h" TremN1="now+5085h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # After the retire interval has passed the predecessor DNSKEY can be @@ -1087,18 +1105,18 @@ TretN1="now+3837h" TremN1="now+186d" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 7: # Some time later the predecessor DNSKEY enters the HIDDEN state. @@ -1122,18 +1140,18 @@ TretN1="now+3835h" TremN1="now+4462h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 8: # The predecessor DNSKEY can be purged. @@ -1157,18 +1175,18 @@ TretN1="now+3834h" TremN1="now+4461h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at csk-roll2.autosign represent the various steps of a CSK rollover @@ -1182,12 +1200,12 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i setup step1.csk-roll2.autosign TactN="now" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. @@ -1210,12 +1228,12 @@ setup step2.csk-roll2.autosign # = now - 4464h + 3h = now - 4461h TactN="now-4461h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. @@ -1259,18 +1277,18 @@ TretN1="now+186d" TremN1="now+4634h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -1307,18 +1325,18 @@ TretN1="now+4426h" TremN1="now+4429h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # Some time later the DS can be swapped and the old DNSKEY can be removed from @@ -1344,18 +1362,18 @@ TretN1="now+4294h" TremN1="now+4360h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # Some time later the predecessor DNSKEY enters the HIDDEN state. @@ -1380,18 +1398,18 @@ TretN1="now+4292h" TremN1="now+4358h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 7: # The predecessor DNSKEY can be purged, but purge-keys is disabled. @@ -1415,18 +1433,18 @@ TretN1="now+2134h" TremN1="now+2200h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Test #2375, the "three is a crowd" bug, where a new key is introduced but the # previous rollover has not finished yet. In other words, we have a key KEY2 @@ -1453,18 +1471,18 @@ TremN1="now+1490h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. -cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh index 61b049d..c488bc4 100644 --- a/bin/tests/system/kasp/ns4/setup.sh +++ b/bin/tests/system/kasp/ns4/setup.sh @@ -20,13 +20,12 @@ echo_i "ns4/setup.sh" # Set up zones that potentially will be initially signed. # for zn in inherit.inherit override.inherit none.inherit \ - inherit.override override.override none.override \ - inherit.none override.none none.none -do - zone="$zn.signed" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - cp template.db.in $zonefile + inherit.override override.override none.override \ + inherit.none override.none none.none; do + zone="$zn.signed" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + cp template.db.in $zonefile done cp example1.db.in example1.db diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh index 59c7a41..47d2870 100644 --- a/bin/tests/system/kasp/ns5/setup.sh +++ b/bin/tests/system/kasp/ns5/setup.sh @@ -20,11 +20,10 @@ echo_i "ns5/setup.sh" # Set up zones that potentially will be initially signed. # for zn in inherit.inherit override.inherit none.inherit \ - inherit.override override.override none.override \ - inherit.none override.none none.none -do - zone="$zn.unsigned" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - cp template.db.in $zonefile + inherit.override override.override none.override \ + inherit.none override.none none.none; do + zone="$zn.unsigned" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + cp template.db.in $zonefile done diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 6764f1b..1c2fd01 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -17,10 +17,10 @@ echo_i "ns6/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" } # Make lines shorter by storing key states in environment variables. @@ -31,57 +31,56 @@ U="UNRETENTIVE" # The child zones (step1, step2) beneath these zones represent the various # steps of unsigning a zone. -for zn in going-insecure.kasp going-insecure-dynamic.kasp -do - # Step 1: - # Set up a zone with dnssec-policy that is going insecure. - setup step1.$zn - echo "$zone" >> zones - T="now-10d" - ksktimes="-P $T -A $T -P sync $T" - zsktimes="-P $T -A $T" - KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) - ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) - cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +for zn in going-insecure.kasp going-insecure-dynamic.kasp; do + # Step 1: + # Set up a zone with dnssec-policy that is going insecure. + setup step1.$zn + echo "$zone" >>zones + T="now-10d" + ksktimes="-P $T -A $T -P sync $T" + zsktimes="-P $T -A $T" + KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) + ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) + cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - # Step 2: - # Set up a zone with dnssec-policy that is going insecure. Don't add - # this zone to the zones file, because this zone is no longer expected - # to be fully signed. - setup step2.$zn - # The DS was withdrawn from the parent zone 26 hours ago. - Trem="now-26h" - ksktimes="-P $T -A $T -P sync $T" - zsktimes="-P $T -A $T" - KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) - ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) - $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1 - $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 - # Fake lifetime of old algorithm keys. - echo "Lifetime: 0" >> "${KSK}.state" - echo "Lifetime: 5184000" >> "${ZSK}.state" - cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" - private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" - cp $infile $zonefile - $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + # Step 2: + # Set up a zone with dnssec-policy that is going insecure. Don't add + # this zone to the zones file, because this zone is no longer expected + # to be fully signed. + setup step2.$zn + # The DS was withdrawn from the parent zone 26 hours ago. + Trem="now-26h" + ksktimes="-P $T -A $T -P sync $T" + zsktimes="-P $T -A $T" + KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) + ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) + $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" >settime.out.$zone.1 2>&1 + $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1 + # Fake lifetime of old algorithm keys. + echo "Lifetime: 0" >>"${KSK}.state" + echo "Lifetime: 5184000" >>"${ZSK}.state" + cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" + private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 done # This zone is going straight to "none" policy. This is undefined behavior. setup step1.going-straight-to-none.kasp -echo "$zone" >> zones +echo "$zone" >>zones TactN="now" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" -CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK @@ -91,19 +90,19 @@ $SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in # Step 1: # Introduce the first key. This will immediately be active. setup step1.algorithm-roll.kasp -echo "$zone" >> zones +echo "$zone" >>zones TactN="now" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 8 "$KSK" >> "$infile" -private_type_record $zone 8 "$ZSK" >> "$infile" +KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 8 "$KSK" >>"$infile" +private_type_record $zone 8 "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. @@ -118,24 +117,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" zsk1times="-P ${TactN} -A ${TactN} -I now" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${KSK1}.state" -echo "Lifetime: 0" >> "${ZSK1}.state" -cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 8 "$KSK1" >> "$infile" -private_type_record $zone 8 "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +echo "Lifetime: 0" >>"${KSK1}.state" +echo "Lifetime: 0" >>"${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone 8 "$KSK1" >>"$infile" +private_type_record $zone 8 "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # The zone signatures are also OMNIPRESENT. @@ -149,24 +148,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${KSK1}.state" -echo "Lifetime: 0" >> "${ZSK1}.state" -cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 8 "$KSK1" >> "$infile" -private_type_record $zone 8 "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +echo "Lifetime: 0" >>"${KSK1}.state" +echo "Lifetime: 0" >>"${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone 8 "$KSK1" >>"$infile" +private_type_record $zone 8 "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # The DS is swapped and can become OMNIPRESENT. @@ -181,24 +180,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${KSK1}.state" -echo "Lifetime: 0" >> "${ZSK1}.state" -cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 8 "$KSK1" >> "$infile" -private_type_record $zone 8 "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +echo "Lifetime: 0" >>"${KSK1}.state" +echo "Lifetime: 0" >>"${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone 8 "$KSK1" >>"$infile" +private_type_record $zone 8 "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. @@ -214,24 +213,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) -$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${KSK1}.state" -echo "Lifetime: 0" >> "${ZSK1}.state" -cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 8 "$KSK1" >> "$infile" -private_type_record $zone 8 "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +echo "Lifetime: 0" >>"${KSK1}.state" +echo "Lifetime: 0" >>"${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone 8 "$KSK1" >>"$infile" +private_type_record $zone 8 "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. @@ -248,24 +247,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" zsk2times="-P ${TpubN1} -A ${TpubN1}" -KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) -$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${KSK1}.state" -echo "Lifetime: 0" >> "${ZSK1}.state" -cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone 8 "$KSK1" >> "$infile" -private_type_record $zone 8 "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +echo "Lifetime: 0" >>"${KSK1}.state" +echo "Lifetime: 0" >>"${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone 8 "$KSK1" >>"$infile" +private_type_record $zone 8 "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at csk-algorithm-roll.kasp represent the various steps of a CSK @@ -275,15 +274,15 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil # Step 1: # Introduce the first key. This will immediately be active. setup step1.csk-algorithm-roll.kasp -echo "$zone" >> zones +echo "$zone" >>zones TactN="now" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone 5 "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone 5 "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. @@ -293,17 +292,17 @@ TactN="now-3h" TpubN1="now-3h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # The zone signatures are also OMNIPRESENT. @@ -315,17 +314,17 @@ TpubN1="now-9h" TactN1="now-6h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # The DS is swapped and can become OMNIPRESENT. @@ -338,17 +337,17 @@ TactN1="now-35h" TsubN1="now-29h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. @@ -362,17 +361,17 @@ TactN1="now-37h" TsubN1="now-31h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. @@ -387,22 +386,22 @@ TactN1="now-44h" TsubN1="now-38h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # Reload testing # -echo "example" >> zones +echo "example" >>zones cp example.db.in example.db setup "dynamic2inline.kasp" diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 67cfa92..1d11ba9 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -19,62 +19,60 @@ set -e $SHELL clean.sh mkdir keys +mkdir ns3/keys copy_setports ns2/named.conf.in ns2/named.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - copy_setports ns3/named-fips.conf.in ns3/named.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + copy_setports ns3/named-fips.conf.in ns3/named.conf else - copy_setports ns3/named-fips.conf.in ns3/named-fips.conf - copy_setports ns3/named.conf.in ns3/named.conf + copy_setports ns3/named-fips.conf.in ns3/named-fips.conf + copy_setports ns3/named.conf.in ns3/named.conf fi copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf if $SHELL ../testcrypto.sh ed25519; then - echo "yes" > ed25519-supported.file + echo "yes" >ed25519-supported.file fi if $SHELL ../testcrypto.sh ed448; then - echo "yes" > ed448-supported.file + echo "yes" >ed448-supported.file fi copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf fi copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf fi # Setup zones ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) ( - cd ns4 - $SHELL setup.sh + cd ns4 + $SHELL setup.sh ) ( - cd ns5 - $SHELL setup.sh + cd ns5 + $SHELL setup.sh ) ( - cd ns6 - $SHELL setup.sh + cd ns6 + $SHELL setup.sh ) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index ddbbd32..611c717 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -29,22 +29,22 @@ n=0 # Call dig with default options. dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # RNDC. rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Log error and increment failure rate. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Default next key event threshold. May be extended by wait periods. @@ -61,93 +61,93 @@ set_zone "kasp" set_policy "kasp" "4" "200" set_server "keys" "10.53.0.1" -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" ret=0 -$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 -lines=$(wc -l < "keygen.out.$POLICY.test$n") +$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l <"keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines" # Temporarily don't log errors because we are searching multiple files. disable_logerror # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "31536000" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "31536000" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "31536000" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "2592000" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "2592000" set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "16070400" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "16070400" set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" lines=$(get_keyids "$DIR" "$ZONE" | wc -l) test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do - # There are four key files with the same algorithm. - # Check them until a match is found. - ret=0 && check_key "KEY1" "$id" - test "$ret" -eq 0 && continue + # There are four key files with the same algorithm. + # Check them until a match is found. + ret=0 && check_key "KEY1" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY2" "$id" - test "$ret" -eq 0 && continue + ret=0 && check_key "KEY2" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY3" "$id" - test "$ret" -eq 0 && continue + ret=0 && check_key "KEY3" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY4" "$id" + ret=0 && check_key "KEY4" "$id" - # If ret is still non-zero, non of the files matched. - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + # If ret is still non-zero, non of the files matched. + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) done # Turn error logs on again. enable_logerror -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 set_zone "kasp" set_policy "default" "1" "3600" set_server "." "10.53.0.1" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" -$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 -lines=$(wc -l < "keygen.out.$POLICY.test$n") +$KEYGEN -G -k "$POLICY" "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l <"keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do - check_key "KEY1" "$id" - test "$ret" -eq 0 && key_save KEY1 - check_keytimes + check_key "KEY1" "$id" + test "$ret" -eq 0 && key_save KEY1 + check_keytimes done test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # dnssec-settime @@ -156,69 +156,69 @@ status=$((status+ret)) # These test builds upon the latest created key with dnssec-keygen and uses the # environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE. CMP_FILE="${BASE_FILE}.cmp" -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" -$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed" -grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE" -grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE" +$SETTIME -P +3600 "$BASE_FILE" >/dev/null || log_error "settime failed" +grep "; Publish: " "$KEY_FILE" >/dev/null || log_error "mismatch published in $KEY_FILE" +grep "Publish: " "$PRIVATE_FILE" >/dev/null || log_error "mismatch published in $PRIVATE_FILE" diff "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "omnipresent" +$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "PUBLISHED" "${now}" +set_keytime "KEY1" "PUBLISHED" "${now}" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" -$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "none" +$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "none" set_keystate "KEY1" "STATE_DNSKEY" "none" set_keystate "KEY1" "STATE_KRRSIG" "none" set_keystate "KEY1" "STATE_ZRRSIG" "none" -set_keystate "KEY1" "STATE_DS" "none" +set_keystate "KEY1" "STATE_DS" "none" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "PUBLISHED" "none" +set_keytime "KEY1" "PUBLISHED" "none" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "hidden" +$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "unretentive" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "ACTIVE" "${now}" +set_keytime "KEY1" "ACTIVE" "${now}" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # named @@ -228,53 +228,51 @@ status=$((status+ret)) # added as part of the last step in signing a zone. We wait for the # NSEC records to appear before proceeding with a counter to prevent # infinite loops if there is an error. -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for kasp signing changes to take effect ($n)" _wait_for_done_apexnsec() { - while read -r zone - do - dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1 - grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 - done < ns3/zones - - while read -r zone - do - dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1 - grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 - done < ns6/zones - - return 0 + while read -r zone; do + dig_with_opts "$zone" @10.53.0.3 nsec >"dig.out.ns3.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns3.test$n.$zone" >/dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" >/dev/null || return 1 + done <ns3/zones + + while read -r zone; do + dig_with_opts "$zone" @10.53.0.6 nsec >"dig.out.ns6.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns6.test$n.$zone" >/dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" >/dev/null || return 1 + done <ns6/zones + + return 0 } retry_quiet 30 _wait_for_done_apexnsec || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Test max-zone-ttl rejects zones with too high TTL. -n=$((n+1)) +n=$((n + 1)) echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)" ret=0 set_zone "max-zone-ttl.kasp" -grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1 +grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: default.kasp. # set_keytimes_csk_policy() { - # The first key is immediately published and activated. - created=$(key_get KEY1 CREATED) - set_keytime "KEY1" "PUBLISHED" "${created}" - set_keytime "KEY1" "ACTIVE" "${created}" - # The DS can be published if the DNSKEY and RRSIG records are - # OMNIPRESENT. This happens after max-zone-ttl (1d) plus - # publish-safety (1h) plus zone-propagation-delay (300s) = - # 86400 + 3600 + 300 = 90300. - set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 - # Key lifetime is unlimited, so not setting RETIRED and REMOVED. + # The first key is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 + # Key lifetime is unlimited, so not setting RETIRED and REMOVED. } # Check the zone with default kasp policy has loaded and is signed. @@ -282,17 +280,17 @@ set_zone "default.kasp" set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -304,7 +302,7 @@ dnssec_verify # Trigger a keymgr run. Make sure the key files are not touched if there are # no modifications to the key metadata. -n=$((n+1)) +n=$((n + 1)) echo_i "make sure key files are untouched if metadata does not change ($n)" ret=0 basefile=$(key_get KEY1 BASEFILE) @@ -312,8 +310,8 @@ privkey_stat=$(key_get KEY1 PRIVKEY_STAT) pubkey_stat=$(key_get KEY1 PUBKEY_STAT) state_stat=$(key_get KEY1 STATE_STAT) -nextpart $DIR/named.run > /dev/null -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +nextpart $DIR/named.run >/dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run privkey_stat2=$(key_stat "${basefile}.private") pubkey_stat2=$(key_stat "${basefile}.key") @@ -322,14 +320,14 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "again ($n)" ret=0 -nextpart $DIR/named.run > /dev/null -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +nextpart $DIR/named.run >/dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run privkey_stat2=$(key_stat "${basefile}.private") pubkey_stat2=$(key_stat "${basefile}.key") @@ -338,41 +336,41 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone. -n=$((n+1)) +n=$((n + 1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.3 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed" update_is_signed() { - ip_a=$1 - ip_d=$2 - - if [ "$ip_a" != "-" ]; then - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) - test "$lines" -eq 1 || return 1 - get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1 - fi - - if [ "$ip_d" != "-" ]; then - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1 - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1 - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) - test "$lines" -eq 1 || return 1 - get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1 - fi + ip_a=$1 + ip_d=$2 + + if [ "$ip_a" != "-" ]; then + dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" >/dev/null || return 1 + fi + + if [ "$ip_d" != "-" ]; then + dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n".d || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n".d >/dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d >/dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" >/dev/null || return 1 + fi } retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Move the private key file, a rekey event should not introduce replacement # keys. @@ -380,11 +378,11 @@ ret=0 echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)" basefile=$(key_get KEY1 BASEFILE) mv "${basefile}.private" "${basefile}.offline" -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1 mv "${basefile}.offline" "${basefile}.private" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Nothing has changed. check_keys @@ -396,6 +394,16 @@ check_subdomain dnssec_verify # +# A zone with special characters. +# +set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +# It is non-trivial to adapt the tests to deal with all possible different +# escaping characters, so we will just try to verify the zone. +dnssec_verify + +# # Zone: dynamic.kasp # set_zone "dynamic.kasp" @@ -412,51 +420,51 @@ check_subdomain dnssec_verify # Update zone with nsupdate. -n=$((n+1)) +n=$((n + 1)) echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update del "a.${ZONE}" 300 A 10.0.0.1 -echo update add "a.${ZONE}" 300 A 10.0.0.101 -echo update add "d.${ZONE}" 300 A 10.0.0.4 -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update del "a.${ZONE}" 300 A 10.0.0.1 + echo update add "a.${ZONE}" 300 A 10.0.0.101 + echo update add "d.${ZONE}" 300 A 10.0.0.4 + echo send ) | $NSUPDATE retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone with nsupdate (reverting the above change). -n=$((n+1)) +n=$((n + 1)) echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update add "a.${ZONE}" 300 A 10.0.0.1 -echo update del "a.${ZONE}" 300 A 10.0.0.101 -echo update del "d.${ZONE}" 300 A 10.0.0.4 -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update add "a.${ZONE}" 300 A 10.0.0.1 + echo update del "a.${ZONE}" 300 A 10.0.0.101 + echo update del "d.${ZONE}" 300 A 10.0.0.4 + echo send ) | $NSUPDATE retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone with freeze/thaw. -n=$((n+1)) +n=$((n + 1)) echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 -rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed" sleep 1 -echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" +echo "d.${ZONE}. 300 A 10.0.0.44" >>"${DIR}/${ZONE}.db" +rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed" retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: dynamic-inline-signing.kasp @@ -475,17 +483,34 @@ check_subdomain dnssec_verify # Update zone with freeze/thaw. -n=$((n+1)) +n=$((n + 1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 -rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed" sleep 1 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" +rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed" retry_quiet 10 update_is_signed || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) + +# +# Zone: dynamic-signed-inline-signing.kasp +# +set_zone "dynamic-signed-inline-signing.kasp" +set_dynamic +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" +dnssec_verify +# Ensure no zone_resigninc for the unsigned version of the zone is triggered. +n=$((n + 1)) +echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)" +ret=0 +grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1 +grep "error reading K$ZONE" $DIR/named.run && ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) # # Zone: inline-signing.kasp @@ -514,24 +539,24 @@ set_zone "checkds-ksk.kasp" set_policy "checkds-ksk" "2" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" @@ -544,33 +569,33 @@ dnssec_verify basefile=$(key_get KEY1 BASEFILE) _wait_for_metadata() { - _expr=$1 - _file=$2 - grep "$_expr" $_file > /dev/null || return 1 - return 0 + _expr=$1 + _file=$2 + grep "$_expr" $_file >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" now=$(date +%Y%m%d%H%M%S) rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" # DS State should be forced into RUMOURED. -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" check_keys test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" now=$(date +%Y%m%d%H%M%S) rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE" retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" # DS State should be forced into UNRETENTIVE. -set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY1" "STATE_DS" "unretentive" check_keys test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: checkds-doubleksk.kasp. @@ -584,35 +609,35 @@ set_zone "checkds-doubleksk.kasp" set_policy "checkds-doubleksk" "3" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" @@ -625,53 +650,53 @@ dnssec_verify basefile1=$(key_get KEY1 BASEFILE) basefile2=$(key_get KEY2 BASEFILE) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE" -grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE" -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" -grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)" -rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n -grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n +grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)" -rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" -grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE" -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: checkds-csk.kasp. @@ -685,17 +710,17 @@ set_zone "checkds-csk.kasp" set_policy "checkds-csk" "1" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -705,147 +730,146 @@ dnssec_verify basefile=$(key_get KEY1 BASEFILE) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Set keytimes for dnssec-policy with various algorithms. # These all use the same time values. set_keytimes_algorithm_policy() { - # The first KSK is immediately published and activated. - created=$(key_get KEY1 CREATED) - set_keytime "KEY1" "PUBLISHED" "${created}" - set_keytime "KEY1" "ACTIVE" "${created}" - # Key was pregenerated. - if [ "$1" = "pregenerated" ]; then - keyfile=$(key_get KEY1 BASEFILE) - grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 - published=$(awk '{print $3}' < published.test${n}.key1) - set_keytime "KEY1" "PUBLISHED" "${published}" - set_keytime "KEY1" "ACTIVE" "${published}" - fi - published=$(key_get KEY1 PUBLISHED) - - # The DS can be published if the DNSKEY and RRSIG records are - # OMNIPRESENT. This happens after max-zone-ttl (1d) plus - # publish-safety (1h) plus zone-propagation-delay (300s) = - # 86400 + 3600 + 300 = 90300. - set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 - # Key lifetime is 10 years, 315360000 seconds. - set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 - # The key is removed after the retire time plus DS TTL (1d), - # parent propagation delay (1h), and retire safety (1h) = - # 86400 + 3600 + 3600 = 93600. - retired=$(key_get KEY1 RETIRED) - set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 - - # The first ZSKs are immediately published and activated. - created=$(key_get KEY2 CREATED) - set_keytime "KEY2" "PUBLISHED" "${created}" - set_keytime "KEY2" "ACTIVE" "${created}" - # Key was pregenerated. - if [ "$1" = "pregenerated" ]; then - keyfile=$(key_get KEY2 BASEFILE) - grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 - published=$(awk '{print $3}' < published.test${n}.key2) - set_keytime "KEY2" "PUBLISHED" "${published}" - set_keytime "KEY2" "ACTIVE" "${published}" - fi - published=$(key_get KEY2 PUBLISHED) - - # Key lifetime for KSK2 is 5 years, 157680000 seconds. - set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 - # The key is removed after the retire time plus max zone ttl (1d), zone - # propagation delay (300s), retire safety (1h), and sign delay - # (signature validity minus refresh, 9d) = - # 86400 + 300 + 3600 + 777600 = 867900. - retired=$(key_get KEY2 RETIRED) - set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 - - # Second ZSK (KEY3). - created=$(key_get KEY3 CREATED) - set_keytime "KEY3" "PUBLISHED" "${created}" - set_keytime "KEY3" "ACTIVE" "${created}" - # Key was pregenerated. - if [ "$1" = "pregenerated" ]; then - keyfile=$(key_get KEY3 BASEFILE) - grep "; Publish:" "${keyfile}.key" > published.test${n}.key3 - published=$(awk '{print $3}' < published.test${n}.key3) - set_keytime "KEY3" "PUBLISHED" "${published}" - set_keytime "KEY3" "ACTIVE" "${published}" - fi - published=$(key_get KEY3 PUBLISHED) - - # Key lifetime for KSK3 is 1 year, 31536000 seconds. - set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 - retired=$(key_get KEY3 RETIRED) - set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY1 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key1 + published=$(awk '{print $3}' <published.test${n}.key1) + set_keytime "KEY1" "PUBLISHED" "${published}" + set_keytime "KEY1" "ACTIVE" "${published}" + fi + published=$(key_get KEY1 PUBLISHED) + + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 + # Key lifetime is 10 years, 315360000 seconds. + set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), and retire safety (1h) = + # 86400 + 3600 + 3600 = 93600. + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The first ZSKs are immediately published and activated. + created=$(key_get KEY2 CREATED) + set_keytime "KEY2" "PUBLISHED" "${created}" + set_keytime "KEY2" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY2 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key2 + published=$(awk '{print $3}' <published.test${n}.key2) + set_keytime "KEY2" "PUBLISHED" "${published}" + set_keytime "KEY2" "ACTIVE" "${published}" + fi + published=$(key_get KEY2 PUBLISHED) + + # Key lifetime for KSK2 is 5 years, 157680000 seconds. + set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 + # The key is removed after the retire time plus max zone ttl (1d), zone + # propagation delay (300s), retire safety (1h), and sign delay + # (signature validity minus refresh, 9d) = + # 86400 + 300 + 3600 + 777600 = 867900. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 + + # Second ZSK (KEY3). + created=$(key_get KEY3 CREATED) + set_keytime "KEY3" "PUBLISHED" "${created}" + set_keytime "KEY3" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY3 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key3 + published=$(awk '{print $3}' <published.test${n}.key3) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + fi + published=$(key_get KEY3 PUBLISHED) + + # Key lifetime for KSK3 is 1 year, 31536000 seconds. + set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 + retired=$(key_get KEY3 RETIRED) + set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 } # # Zone: rsasha1.kasp. # -if $SHELL ../testcrypto.sh -q RSASHA1 -then - set_zone "rsasha1.kasp" - set_policy "rsasha1" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - key_clear "KEY1" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "315360000" - set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "157680000" - set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - set_keyrole "KEY3" "zsk" - set_keylifetime "KEY3" "31536000" - set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" - set_keysigning "KEY3" "no" - set_zonesigning "KEY3" "yes" - - # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. - # ZSK: DNSKEY, RRSIG (zsk) published. - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "rumoured" - set_keystate "KEY1" "STATE_KRRSIG" "rumoured" - set_keystate "KEY1" "STATE_DS" "hidden" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "rumoured" - set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" - - set_keystate "KEY3" "GOAL" "omnipresent" - set_keystate "KEY3" "STATE_DNSKEY" "rumoured" - set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" - # Three keys only. - key_clear "KEY4" - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify +if $SHELL ../testcrypto.sh -q RSASHA1; then + set_zone "rsasha1.kasp" + set_policy "rsasha1" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "315360000" + set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "157680000" + set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + set_keyrole "KEY3" "zsk" + set_keylifetime "KEY3" "31536000" + set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" + set_keysigning "KEY3" "no" + set_zonesigning "KEY3" "yes" + + # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. + # ZSK: DNSKEY, RRSIG (zsk) published. + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "rumoured" + set_keystate "KEY1" "STATE_KRRSIG" "rumoured" + set_keystate "KEY1" "STATE_DS" "hidden" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "rumoured" + set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + + set_keystate "KEY3" "GOAL" "omnipresent" + set_keystate "KEY3" "STATE_DNSKEY" "rumoured" + set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" + # Three keys only. + key_clear "KEY4" + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # @@ -865,12 +889,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain # Make sure the zone file is untouched. -n=$((n+1)) +n=$((n + 1)) echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)" ret=0 diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: insecure.kasp. @@ -896,17 +920,17 @@ set_zone "unlimited.kasp" set_policy "unlimited" "1" "1234" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -924,38 +948,38 @@ set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "315360000" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "315360000" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "157680000" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "157680000" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "31536000" +key_clear "KEY3" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" # Three keys only. @@ -1032,15 +1056,15 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy # Activation date is a day later. -set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 -set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 -set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 -set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 -set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 -set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 -set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 -set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 -set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 +set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 +set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 +set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 +set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 +set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 +set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 +set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 +set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 +set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 check_keytimes check_apex check_subdomain @@ -1063,29 +1087,29 @@ check_subdomain dnssec_verify # Update zone. -n=$((n+1)) +n=$((n + 1)) echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)" ret=0 cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db -rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.2 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed" _wait_for_done_subdomains() { - ret=0 - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" - if [ $ret -gt 0 ]; then return $ret; fi - - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1 - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1 - check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" - return $ret + ret=0 + dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" + if [ $ret -gt 0 ]; then return $ret; fi + + dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.d" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.d" >/dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" >/dev/null || return 1 + check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" + return $ret } retry_quiet 5 _wait_for_done_subdomains || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: we might want to test: # - configuring a zone with too many active keys (should trigger retire). @@ -1094,24 +1118,23 @@ status=$((status+ret)) # # Zone: rsasha1-nsec3.kasp. # -if $SHELL ../testcrypto.sh -q RSASHA1 -then - set_zone "rsasha1-nsec3.kasp" - set_policy "rsasha1-nsec3" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify +if $SHELL ../testcrypto.sh -q RSASHA1; then + set_zone "rsasha1-nsec3.kasp" + set_policy "rsasha1-nsec3" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # @@ -1198,77 +1221,77 @@ dnssec_verify # Zone: ed25519.kasp. # if [ -f ed25519-supported.file ]; then - set_zone "ed25519.kasp" - set_policy "ed25519" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "15" "ED25519" "256" - set_keyalgorithm "KEY2" "15" "ED25519" "256" - set_keyalgorithm "KEY3" "15" "ED25519" "256" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify + set_zone "ed25519.kasp" + set_policy "ed25519" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "15" "ED25519" "256" + set_keyalgorithm "KEY2" "15" "ED25519" "256" + set_keyalgorithm "KEY3" "15" "ED25519" "256" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # # Zone: ed448.kasp. # if [ -f ed448-supported.file ]; then - set_zone "ed448.kasp" - set_policy "ed448" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "16" "ED448" "456" - set_keyalgorithm "KEY2" "16" "ED448" "456" - set_keyalgorithm "KEY3" "16" "ED448" "456" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify + set_zone "ed448.kasp" + set_policy "ed448" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "16" "ED448" "456" + set_keyalgorithm "KEY2" "16" "ED448" "456" + set_keyalgorithm "KEY3" "16" "ED448" "456" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # Set key times for 'autosign' policy. set_keytimes_autosign_policy() { - # The KSK was published six months ago (with settime). - created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 - set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 - set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 - # Key lifetime is 2 years, 63072000 seconds. - active=$(key_get KEY1 ACTIVE) - set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 - # The key is removed after the retire time plus DS TTL (1d), - # parent propagation delay (1h), retire safety (1h) = - # 86400 + 3600 + 3600 = 93600 - retired=$(key_get KEY1 RETIRED) - set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 - - # The ZSK was published six months ago (with settime). - created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 - set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 - # Key lifetime for KSK2 is 1 year, 31536000 seconds. - active=$(key_get KEY2 ACTIVE) - set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 - # The key is removed after the retire time plus: - # TTLsig (RRSIG TTL): 1 day (86400 seconds) - # Dprp (propagation delay): 5 minutes (300 seconds) - # retire-safety: 1 hour (3600 seconds) - # Dsgn (sign delay): 7 days (604800 seconds) - # Iret: 695100 seconds. - retired=$(key_get KEY2 RETIRED) - set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 + # The KSK was published six months ago (with settime). + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 + # Key lifetime is 2 years, 63072000 seconds. + active=$(key_get KEY1 ACTIVE) + set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), retire safety (1h) = + # 86400 + 3600 + 3600 = 93600 + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The ZSK was published six months ago (with settime). + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 + # Key lifetime for KSK2 is 1 year, 31536000 seconds. + active=$(key_get KEY2 ACTIVE) + set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 + # The key is removed after the retire time plus: + # TTLsig (RRSIG TTL): 1 day (86400 seconds) + # Dprp (propagation delay): 5 minutes (300 seconds) + # retire-safety: 1 hour (3600 seconds) + # Dsgn (sign delay): 7 days (604800 seconds) + # Iret: 695100 seconds. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 } # @@ -1278,27 +1301,27 @@ set_zone "expired-sigs.autosign" set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "63072000" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "63072000" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "31536000" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK and ZSK stay OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Expect only two keys. @@ -1315,42 +1338,39 @@ dnssec_verify # Verify all signatures have been refreshed. check_rrsig_refresh() { - # Apex. - _qtypes="DNSKEY SOA NS NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the zone file it is not refreshed. - _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") - grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - - # Below apex. - _labels="a b c ns3" - for _label in $_labels; - do - _qtypes="A NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") - grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - done + # Apex. + _qtypes="DNSKEY SOA NS NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the zone file it is not refreshed. + _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") + grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + + # Below apex. + _labels="a b c ns3" + for _label in $_labels; do + _qtypes="A NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") + grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + done } check_rrsig_refresh @@ -1373,45 +1393,42 @@ dnssec_verify # Verify signature reuse. check_rrsig_reuse() { - # Apex. - _qtypes="NS NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the signed zone file it is not refreshed. - _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") - $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null - grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - - # Below apex. - _labels="a b c ns3" - for _label in $_labels; - do - _qtypes="A NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the signed zone file it is not refreshed. - _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") - $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null - grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - done + # Apex. + _qtypes="NS NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the signed zone file it is not refreshed. + _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype") + $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null + grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + + # Below apex. + _labels="a b c ns3" + for _label in $_labels; do + _qtypes="A NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the signed zone file it is not refreshed. + _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype") + $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null + grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + done } check_rrsig_reuse @@ -1486,19 +1503,19 @@ set_zone "zsk-retired.autosign" set_policy "autosign" "3" "300" set_server "ns3" "10.53.0.3" # The third key is not yet expected to be signing. -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "31536000" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. -set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # A new ZSK should be introduced, so expect a key with goal OMNIPRESENT, # the DNSKEY introduced (RUMOURED) and the signatures HIDDEN. -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" @@ -1508,24 +1525,24 @@ set_keytimes_autosign_policy # The old ZSK is retired. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" -set_addkeytime "KEY2" "REMOVED" "${created}" 695100 +set_keytime "KEY2" "RETIRED" "${created}" +set_addkeytime "KEY2" "REMOVED" "${created}" 695100 # The new ZSK is immediately published. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # And becomes active after Ipub: # DNSKEY TTL: 300 seconds # zone-propagation-delay 5 minutes (300 seconds) # publish-safety: 1 hour (3600 seconds) # Ipub: 4200 seconds published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 +set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 # Lzsk: 1 year (31536000 seconds) active=$(key_get KEY3 ACTIVE) -set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 +set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 # Iret: 695100 seconds. retired=$(key_get KEY3 RETIRED) -set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 +set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 check_keytimes check_apex @@ -1543,27 +1560,27 @@ set_policy "migrate-to-dnssec-policy" "4" "1234" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "16070400" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # Two keys only. @@ -1575,7 +1592,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Make sure the correct legacy keys were used (and not the removed predecessor # keys). -n=$((n+1)) +n=$((n + 1)) echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)" ret=0 kskfile=$(cat ns3/legacy-keys.kasp.ksk) @@ -1587,42 +1604,42 @@ basefile=$(key_get KEY2 BASEFILE) echo_i "filename: $basefile (expect $zskfile)" test "$DIR/$zskfile" = "$basefile" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # KSK times. created=$(key_get KEY1 CREATED) keyfile=$(key_get KEY1 BASEFILE) -grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 -published=$(awk '{print $3}' < published.test${n}.key1) +grep "; Publish:" "${keyfile}.key" >published.test${n}.key1 +published=$(awk '{print $3}' <published.test${n}.key1) set_keytime "KEY1" "PUBLISHED" "${published}" -set_keytime "KEY1" "ACTIVE" "${published}" +set_keytime "KEY1" "ACTIVE" "${published}" published=$(key_get KEY1 PUBLISHED) # The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT. # This happens after max-zone-ttl (1d) plus publish-safety (1h) plus # zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300. set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 # Key lifetime is 6 months, 315360000 seconds. -set_addkeytime "KEY1" "RETIRED" "${published}" 16070400 +set_addkeytime "KEY1" "RETIRED" "${published}" 16070400 # The key is removed after the retire time plus DS TTL (1d), parent # propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600. retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 +set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 # ZSK times. created=$(key_get KEY2 CREATED) keyfile=$(key_get KEY2 BASEFILE) -grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 -published=$(awk '{print $3}' < published.test${n}.key2) +grep "; Publish:" "${keyfile}.key" >published.test${n}.key2 +published=$(awk '{print $3}' <published.test${n}.key2) set_keytime "KEY2" "PUBLISHED" "${published}" -set_keytime "KEY2" "ACTIVE" "${published}" +set_keytime "KEY2" "ACTIVE" "${published}" published=$(key_get KEY2 PUBLISHED) # Key lifetime is 6 months, 315360000 seconds. -set_addkeytime "KEY2" "RETIRED" "${published}" 16070400 +set_addkeytime "KEY2" "RETIRED" "${published}" 16070400 # The key is removed after the retire time plus max zone ttl (1d), zone # propagation delay (300s), retire safety (1h), and sign delay (signature # validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900. retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 +set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 check_keytimes check_apex @@ -1745,17 +1762,17 @@ check_subdomain # ns4/inherit.override.signed # ns5/override.inherit.signed # ns5/inherit.override.signed -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" set_zone "signed.tld" set_policy "default" "1" "3600" @@ -1824,11 +1841,11 @@ dnssec_verify # ns5/override.override.unsigned # ns5/override.none.unsigned # ns4/example.net (both views) -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" set_zone "inherit.inherit.signed" set_policy "test" "1" "3600" @@ -1907,23 +1924,23 @@ check_keytimes check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example1) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic" check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2" wait_for_nsec @@ -1932,23 +1949,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example2) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected" check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3" wait_for_nsec @@ -1957,23 +1974,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3" check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example3) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected" check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Clear TSIG. TSIG="" @@ -1990,23 +2007,23 @@ key_clear "KEY3" key_clear "KEY4" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" @@ -2018,27 +2035,27 @@ dnssec_verify # Check that the ZSKs from the other provider are published. zsks_are_published() { - dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 - # We should have three ZSKs. - lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 3 || return 1 - # And one KSK. - lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 1 || return 1 + dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY >"dig.out.$DIR.test$n" || return 1 + # We should have three ZSKs. + lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 3 || return 1 + # And one KSK. + lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 1 || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update add $(cat "${DIR}/${ZONE}.zsk2") -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update add $(cat "${DIR}/${ZONE}.zsk2") + echo send ) | $NSUPDATE retry_quiet 10 zsks_are_published || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing manual rollover. @@ -2051,24 +2068,24 @@ key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # During set up everything was set to OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" @@ -2077,12 +2094,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first keys were published and activated a day ago. created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 -set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 +set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 -set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 # Key lifetimes are unlimited, so not setting RETIRED and REMOVED. check_keytimes check_apex @@ -2091,16 +2108,16 @@ dnssec_verify # Schedule KSK rollover in six months (15552000 seconds). active=$(key_get KEY1 ACTIVE) -set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 +set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 retired=$(key_get KEY1 RETIRED) rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE" # Rollover starts in six months, but lifetime is set to six months plus # prepublication duration = 15552000 + 7500 = 15559500 seconds. -set_keylifetime "KEY1" "15559500" -set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 +set_keylifetime "KEY1" "15559500" +set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 retired=$(key_get KEY1 RETIRED) # Retire interval of this policy is 26h (93600 seconds). -set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 +set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -2114,21 +2131,21 @@ set_policy "manual-rollover" "3" "3600" set_keystate "KEY1" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. -set_keylifetime "KEY1" "93900" +set_keylifetime "KEY1" "93900" created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "RETIRED" "${created}" +set_keytime "KEY1" "RETIRED" "${created}" rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE" # New key is introduced. -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -2141,18 +2158,18 @@ set_policy "manual-rollover" "4" "3600" set_keystate "KEY2" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. -set_keylifetime "KEY2" "93900" +set_keylifetime "KEY2" "93900" created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" +set_keytime "KEY2" "RETIRED" "${created}" rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" # New key is introduced. -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "0" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" @@ -2163,13 +2180,13 @@ check_subdomain dnssec_verify # Try to schedule a ZSK rollover for an inactive key (should fail). -n=$((n+1)) +n=$((n + 1)) echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)" ret=0 -rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n || ret=1 -grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message" +rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" >rndc.dnssec.rollover.out.$ZONE.$n || ret=1 +grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n >/dev/null || log_error "bad error message" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing DNSSEC introduction. @@ -2182,18 +2199,18 @@ set_zone "step1.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # This policy lists only one key (CSK). key_clear "KEY2" key_clear "KEY3" @@ -2205,13 +2222,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The first key is immediately published and activated. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${created}" -set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" # - The DS can be published if the DNSKEY and RRSIG records are # OMNIPRESENT. This happens after max-zone-ttl (12h) plus # publish-safety (5m) plus zone-propagation-delay (5m) = # 43200 + 300 + 300 = 43800. -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # - Key lifetime is unlimited, so not setting RETIRED and REMOVED. # Various signing policy checks. @@ -2221,37 +2238,37 @@ check_subdomain dnssec_verify _check_next_key_event() { - _expect=$1 + _expect=$1 - grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1 + grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" >"keyevent.out.$ZONE.test$n" || return 1 - # Get the latest next key event. - if [ "${DYNAMIC}" = "yes" ]; then - _time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1) - else - # inline-signing zone adds "(signed)" - _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1) - fi + # Get the latest next key event. + if [ "${DYNAMIC}" = "yes" ]; then + _time=$(awk '{print $9}' <"keyevent.out.$ZONE.test$n" | tail -1) + else + # inline-signing zone adds "(signed)" + _time=$(awk '{print $10}' <"keyevent.out.$ZONE.test$n" | tail -1) + fi - # The next key event time must within threshold of the - # expected time. - _expectmin=$((_expect-next_key_event_threshold)) - _expectmax=$((_expect+next_key_event_threshold)) + # The next key event time must within threshold of the + # expected time. + _expectmin=$((_expect - next_key_event_threshold)) + _expectmax=$((_expect + next_key_event_threshold)) - test $_expectmin -le "$_time" || return 1 - test $_expectmax -ge "$_time" || return 1 + test $_expectmin -le "$_time" || return 1 + test $_expectmax -ge "$_time" || return 1 - return 0 + return 0 } check_next_key_event() { - n=$((n+1)) - echo_i "check next key event for zone ${ZONE} ($n)" - ret=0 + n=$((n + 1)) + echo_i "check next key event for zone ${ZONE} ($n)" + ret=0 - retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } @@ -2277,9 +2294,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 900 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -900 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # Continue signing policy checks. check_keytimes @@ -2300,7 +2317,7 @@ set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # All signatures should be omnipresent, so the DS can be submitted. set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -2309,9 +2326,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 44700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 -set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 -set_keytime "KEY1" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 +set_keytime "KEY1" "SYNCPUBLISH" "${created}" # Continue signing policy checks. check_keytimes @@ -2345,9 +2362,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 56700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 -set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 # Continue signing policy checks. check_keytimes @@ -2383,51 +2400,51 @@ set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" set_retired_removed() { - _Lkey=$2 - _Iret=$3 + _Lkey=$2 + _Iret=$3 - _active=$(key_get $1 ACTIVE) - set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" - _retired=$(key_get $1 RETIRED) - set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } rollover_predecessor_keytimes() { - _addtime=$1 - - _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" - - _created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + _addtime=$1 + + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "${Lzsk}" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. @@ -2457,15 +2474,15 @@ set_zone "step2.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "${Lzsk}" +key_clear "KEY3" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "${Lzsk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # Key states. -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" @@ -2505,11 +2522,11 @@ set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY3" "yes" -set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY3" "yes" +set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" # Various signing policy checks. check_keys @@ -2520,8 +2537,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -2592000 # - The new ZSK is published 26 hours ago (93600 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 -set_keytime "KEY3" "ACTIVE" "${created}" +set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 +set_keytime "KEY3" "ACTIVE" "${created}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -2530,12 +2547,12 @@ check_apex # Subdomain still has good signatures of ZSK (KEY2). # Set expected zone signing on for KEY2 and off for KEY3, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY2" "yes" -set_zonesigning "KEY3" "no" +set_zonesigning "KEY2" "yes" +set_zonesigning "KEY3" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY2" "no" -set_zonesigning "KEY3" "yes" +set_zonesigning "KEY2" "no" +set_zonesigning "KEY3" "yes" dnssec_verify # Next key event is when all the RRSIG records have been replaced with @@ -2566,9 +2583,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -3459600 # - The new ZSK is published 267 hours ago (961200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -2600,9 +2617,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -3463200 # - The new ZSK is published 268 hours ago (964800 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -2655,26 +2672,26 @@ set_zone "step1.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "2" "7200" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "${Lzsk}" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. @@ -2704,18 +2721,18 @@ set_zone "step2.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). -key_clear "KEY3" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "${Lksk}" +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -2726,7 +2743,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5086800 # - The new KSK is published now. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # The new KSK should publish the CDS after the prepublication time. # TTLkey: 2h # DprpC: 1h @@ -2734,7 +2751,7 @@ set_keytime "KEY3" "PUBLISHED" "${created}" # IpubC: 27h (97200 seconds) IpubC=97200 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" -set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" +set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" # Continue signing policy checks. @@ -2760,8 +2777,8 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" # The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY3" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY3" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -2774,9 +2791,9 @@ check_cdslog "$DIR" "$ZONE" KEY3 rollover_predecessor_keytimes -5184000 # - The new KSK is published 27 hours ago (97200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 # - The new KSK CDS is published now. -set_keytime "KEY3" "SYNCPUBLISH" "${created}" +set_keytime "KEY3" "SYNCPUBLISH" "${created}" syncpub=$(key_get KEY3 SYNCPUBLISH) set_keytime "KEY3" "ACTIVE" "${syncpub}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" @@ -2789,7 +2806,7 @@ dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the @@ -2806,11 +2823,11 @@ set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # New KSK (KEY3) DS is now OMNIPRESENT. -set_keystate "KEY3" "STATE_DS" "omnipresent" +set_keystate "KEY3" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -2821,7 +2838,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5364000 # - The new KSK is published 77 hours ago (277200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) @@ -2858,7 +2875,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5371200 # - The new KSK is published 79 hours ago (284400 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) @@ -2909,13 +2926,13 @@ IretZSK=2257200 IretCSK=$IretZSK csk_rollover_predecessor_keytimes() { - _addtime=$1 + _addtime=$1 - _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" } # @@ -2925,18 +2942,18 @@ set_zone "step1.csk-roll.autosign" set_policy "csk-roll" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "${Lcsk}" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "${Lcsk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" @@ -2965,19 +2982,19 @@ set_zone "step2.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -2988,12 +3005,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16059600 # - The new CSK is published now. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" # - The new CSK should publish the CDS after the prepublication time. # Ipub: 3 hour (10800 seconds) Ipub="10800" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3014,8 +3031,8 @@ set_zone "step3.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # Swap zone signing role. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" # CSK (KEY1) will be removed, so moving to UNRETENTIVE. set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" # New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED. @@ -3023,8 +3040,8 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -3037,10 +3054,10 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -16070400 # - The new CSK is published three hours ago, CDS must be published now. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" -set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" # - Also signatures are being introduced now. -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3049,17 +3066,17 @@ check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY1" "yes" -set_zonesigning "KEY2" "no" +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the @@ -3079,9 +3096,9 @@ set_keysigning "KEY1" "no" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) DS is now OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -3092,10 +3109,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16084800 # - The new CSK started signing 4h ago (14400 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -14400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -14400 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3127,10 +3144,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16092000 # - The new CSK started signing 6h ago (21600 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -21600 +set_addkeytime "KEY2" "ACTIVE" "${created}" -21600 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3168,10 +3185,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -18327600 # - The new CSK is activated 627 hours ago (2257200 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3203,10 +3220,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -18334800 # - The new CSK is activated 629 hours ago (2264400 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3262,18 +3279,18 @@ set_zone "step1.csk-roll2.autosign" set_policy "csk-roll2" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "16070400" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" @@ -3303,19 +3320,19 @@ set_zone "step2.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -3326,12 +3343,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16059600 # - The new CSK is published now. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" # - The new CSK should publish the CDS after the prepublication time. # - Ipub: 3 hour (10800 seconds) Ipub="10800" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3351,16 +3368,16 @@ set_zone "step3.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # CSK (KEY1) can be removed, so move to UNRETENTIVE. -set_zonesigning "KEY1" "no" -set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" # New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state. -set_zonesigning "KEY2" "yes" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +set_zonesigning "KEY2" "yes" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -3373,10 +3390,10 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -16070400 # - The new CSK is published three hours ago, CDS must be published now. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" -set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" # - Also signatures are being introduced now. -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3385,12 +3402,12 @@ check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY1" "yes" -set_zonesigning "KEY2" "no" +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. @@ -3406,8 +3423,8 @@ rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" # positives on slow platforms by subtracting the number of seconds which # passed between key creation and invoking 'rndc dnssec -checkds'. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) -next_time=$((136800-time_passed)) +time_passed=$((now - start_time)) +next_time=$((136800 - time_passed)) check_next_key_event $next_time # @@ -3430,10 +3447,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16207200 # - The new CSK was published 41 hours (147600 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3458,12 +3475,12 @@ set_zone "step5.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. -set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -3474,10 +3491,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16682400 # - The new CSK was published 173 hours (622800 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3510,10 +3527,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16689600 # - The new CSK was published 175 hours (630000 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3556,39 +3573,39 @@ Lzsk=31536000 IretKSK=180000 IretZSK=867600 # KSK (KEY1) is outgoing. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "unretentive" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "unretentive" # KSK (KEY2) is incoming. -key_clear "KEY2" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "${Lksk}" +key_clear "KEY2" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "${Lksk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_DS" "rumoured" # We will introduce the third KSK shortly. -key_clear "KEY3" +key_clear "KEY3" # ZSK (KEY4). -key_clear "KEY4" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "${Lzsk}" +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "${Lzsk}" set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" -set_keystate "KEY4" "GOAL" "omnipresent" -set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" +set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" # Run preliminary tests. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3598,7 +3615,7 @@ dnssec_verify # Roll over KEY2. # Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay, # plus the publish-safety: 7200s + 1h + 1d = 97200 seconds. -set_keylifetime "KEY2" "97200" +set_keylifetime "KEY2" "97200" created=$(key_get KEY2 CREATED) rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" # Update expected number of keys and key states. @@ -3606,15 +3623,15 @@ set_keystate "KEY2" "GOAL" "hidden" set_policy "ksk-doubleksk" "4" "7200" CDNSKEY="no" # New KSK (KEY3) is introduced. -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "${Lksk}" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" # Run tests again. We now expect four keys (3x KSK, 1x ZSK). check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3627,22 +3644,22 @@ set_zone "dynamic2inline.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK is rumoured. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3665,29 +3682,29 @@ set_zone "step1.algorithm-roll.kasp" set_policy "rsasha256" "2" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" @@ -3713,21 +3730,21 @@ set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -3770,31 +3787,31 @@ IretKSK=93600 IretZSK=867900 init_migration_insecure() { - key_clear "KEY1" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "${Lksk}" - set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" - set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" - set_keystate "KEY1" "STATE_DS" "omnipresent" - - key_clear "KEY2" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "${Lzsk}" - set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" - set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" - - key_clear "KEY3" - key_clear "KEY4" + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "${Lksk}" + set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" + set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" + set_keystate "KEY1" "STATE_DS" "omnipresent" + + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "${Lzsk}" + set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" + set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + + key_clear "KEY3" + key_clear "KEY4" } init_migration_insecure @@ -3837,17 +3854,17 @@ set_zone "step1.going-straight-to-none.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # This policy only has one key. key_clear "KEY2" key_clear "KEY3" @@ -3858,8 +3875,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first key is immediately published and activated. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${created}" -set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" set_keytime "KEY1" "SYNCPUBLISH" "${created}" # Key lifetime is unlimited, so not setting RETIRED and REMOVED. check_keytimes @@ -3876,45 +3893,45 @@ rndc_reconfig ns6 10.53.0.6 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # Wait until we have seen "zone_rekey done:" message for this key. _wait_for_done_signing() { - _zone=$1 - - _ksk=$(key_get $2 KSK) - _zsk=$(key_get $2 ZSK) - if [ "$_ksk" = "yes" ]; then - _role="KSK" - _expect_type=EXPECT_KRRSIG - elif [ "$_zsk" = "yes" ]; then - _role="ZSK" - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then - _keyid=$(key_get $2 ID) - _keyalg=$(key_get $2 ALG_STR) - echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" - grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 - fi - - return 0 + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1 + fi + + return 0 } wait_for_done_signing() { - n=$((n+1)) - echo_i "wait for zone ${ZONE} is done signing ($n)" - ret=0 + n=$((n + 1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test dynamic zones that switch to inline-signing. @@ -3922,22 +3939,22 @@ set_zone "dynamic2inline.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK is rumoured. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3995,14 +4012,14 @@ set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. # This means the DNSKEY and the KSK signatures can be removed. -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" # Various signing policy checks. check_keys @@ -4063,14 +4080,14 @@ set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. # This means the DNSKEY and the KSK signatures can be removed. -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" # Various signing policy checks. check_keys @@ -4093,17 +4110,17 @@ set_server "ns6" "10.53.0.6" # The zone will go bogus after signatures expire, but remains validly signed for now. # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # This policy only has one key. key_clear "KEY2" key_clear "KEY3" @@ -4131,47 +4148,47 @@ set_zone "step1.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 keys. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # New ECDSAP256SHA256 keys. -key_clear "KEY3" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -key_clear "KEY4" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "0" +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The ECDSAP256SHA256 keys are introducing. -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" @@ -4185,9 +4202,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes 0 # - KSK must be retired since it no longer matches the policy. keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" # - The key is removed after the retire interval: # IretKSK = TTLds + DprpP + retire-safety # TTLds: 2h (7200 seconds) @@ -4195,12 +4212,12 @@ set_keytime "KEY1" "RETIRED" "${retired}" # retire-safety: 2h (7200 seconds) # IretKSK: 5h (18000 seconds) IretKSK=18000 -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" # - The key is removed after the retire interval: # IretZSK = TTLsig + Dprp + Dsgn + retire-safety # TTLsig: 6h (21600 seconds) @@ -4209,11 +4226,11 @@ set_keytime "KEY2" "RETIRED" "${retired}" # retire-safety: 2h (7200 seconds) # IretZSK: 25d9h (2192400 seconds) IretZSK=2192400 -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 6h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -4223,8 +4240,8 @@ Ipub=28800 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" # - The new ZSK is published and activated. created=$(key_get KEY4 CREATED) -set_keytime "KEY4" "PUBLISHED" "${created}" -set_keytime "KEY4" "ACTIVE" "${created}" +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" # Continue signing policy checks. check_keytimes @@ -4263,22 +4280,22 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -10800 # - KSK must be retired since it no longer matches the policy. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "RETIRED" "${created}" +set_keytime "KEY1" "RETIRED" "${created}" set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" +set_keytime "KEY2" "RETIRED" "${created}" set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}" # - The new keys are published 3 hours ago. created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 -set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}" created=$(key_get KEY4 CREATED) -set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 -set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 +set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 # Continue signing policy checks. check_keytimes @@ -4293,7 +4310,7 @@ dnssec_verify # should be scheduled in 6 hour: 21600 seconds. Prevent intermittent # false positives on slow platforms by subtracting the number of seconds # which passed between key creation and invoking 'rndc reconfig'. -next_time=$((21600-time_passed)) +next_time=$((21600 - time_passed)) check_next_key_event $next_time # @@ -4305,8 +4322,8 @@ set_server "ns6" "10.53.0.6" # The ECDSAP256SHA256 keys are introducing. set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" # The DS can be swapped. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY3" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY3" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -4320,24 +4337,24 @@ check_cdslog "$DIR" "$ZONE" KEY3 rollover_predecessor_keytimes -32400 # - And retired 6 hours ago (21600 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "RETIRED" "${created}" -21600 +set_addkeytime "KEY2" "RETIRED" "${created}" -21600 retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new keys are published 9 hours ago. created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400 -set_addkeytime "KEY3" "ACTIVE" "${created}" -32400 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY3" "ACTIVE" "${created}" -32400 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} created=$(key_get KEY4 CREATED) -set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 -set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 +set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 # Continue signing policy checks. check_keytimes @@ -4348,7 +4365,7 @@ dnssec_verify # Tell named we "saw" the parent swap the DS and see if the next key event is # scheduled at the correct time. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" # Next key event is when the DS becomes OMNIPRESENT. This happens after the # parent propagation delay, retire safety delay, and DS TTL: # 1h + 2h + 2h = 5h = 18000 seconds. @@ -4361,17 +4378,17 @@ set_zone "step4.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. -set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" - -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" # The ECDSAP256SHA256 DS is now OMNIPRESENT. -set_keystate "KEY3" "STATE_DS" "omnipresent" +set_keystate "KEY3" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -4383,25 +4400,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -136800 # - And retired 35 hours ago (126000 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "RETIRED" "${created}" -126000 +set_addkeytime "KEY2" "RETIRED" "${created}" -126000 retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new keys are published 38 hours ago. created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800 -set_addkeytime "KEY3" "ACTIVE" "${created}" -136800 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -136800 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} created=$(key_get KEY4 CREATED) -set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 -set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 +set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 # Continue signing policy checks. check_keytimes @@ -4434,25 +4451,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -144000 # - And retired 37 hours ago (133200 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "RETIRED" "${created}" -133200 +set_addkeytime "KEY2" "RETIRED" "${created}" -133200 retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # The new keys are published 40 hours ago. created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000 -set_addkeytime "KEY3" "ACTIVE" "${created}" -144000 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY3" "ACTIVE" "${created}" -144000 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} created=$(key_get KEY4 CREATED) -set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 -set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 +set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 # Continue signing policy checks. check_keytimes @@ -4466,7 +4483,7 @@ dnssec_verify # been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent # false positives on slow platforms by subtracting the number of seconds # which passed between key creation and invoking 'rndc reconfig'. -next_time=$((25200-time_passed)) +next_time=$((25200 - time_passed)) check_next_key_event $next_time # @@ -4488,25 +4505,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -169200 # - And retired 44 hours ago (158400 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "RETIRED" "${created}" -158400 +set_addkeytime "KEY2" "RETIRED" "${created}" -158400 retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # The new keys are published 47 hours ago. created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 -set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} created=$(key_get KEY4 CREATED) -set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 -set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 +set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 # Continue signing policy checks. check_keytimes @@ -4533,33 +4550,33 @@ set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 key. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # New ECDSAP256SHA256 key. -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The RSAHSHA1 key is outroducing. -set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # The ECDSAP256SHA256 key is introducing. -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -4570,9 +4587,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # - CSK must be retired since it no longer matches the policy. csk_rollover_predecessor_keytimes 0 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" # - The key is removed after the retire interval: # IretZSK = TTLsig + Dprp + Dsgn + retire-safety # TTLsig: 6h (21600 seconds) @@ -4581,11 +4598,11 @@ set_keytime "KEY1" "RETIRED" "${retired}" # retire-safety: 2h (7200 seconds) # IretZSK: 25d9h (2192400 seconds) IretCSK=2192400 -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" # - The new CSK is published and activated. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 6h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -4630,12 +4647,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -10800 # - CSK must be retired since it no longer matches the policy. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "RETIRED" "${created}" +set_keytime "KEY1" "RETIRED" "${created}" set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}" # - The new key was published 3 hours ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800 -set_addkeytime "KEY2" "ACTIVE" "${created}" -10800 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -10800 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" @@ -4652,7 +4669,7 @@ dnssec_verify # should be scheduled in 6 hour: 21600 seconds. Prevent intermittent # false positives on slow platforms by subtracting the number of seconds # which passed between key creation and invoking 'rndc reconfig'. -next_time=$((21600-time_passed)) +next_time=$((21600 - time_passed)) check_next_key_event $next_time # @@ -4666,8 +4683,8 @@ set_server "ns6" "10.53.0.6" # are now omnipresent, so the DS can be introduced. set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -4681,13 +4698,13 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -32400 # - And was retired 6 hours ago (21600 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" # - The new key was published 9 hours ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 -set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" @@ -4712,14 +4729,14 @@ set_zone "step4.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. -set_keysigning "KEY1" "no" -set_zonesigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keysigning "KEY1" "no" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # The ECDSAP256SHA256 DS is now OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -4731,13 +4748,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -136800 # - And retired 35 hours ago (126000 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" # - The new key was published 38 hours ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 -set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} @@ -4771,13 +4788,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -144000 # - And retired 37 hours ago (133200 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" # - The new key was published 40 hours ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 -set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} @@ -4793,7 +4810,7 @@ dnssec_verify # been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent # false positives on slow platforms by subtracting the number of seconds # which passed between key creation and invoking 'rndc reconfig'. -next_time=$((25200-time_passed)) +next_time=$((25200 - time_passed)) check_next_key_event $next_time # @@ -4815,13 +4832,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -169200 # - And retired 44 hours ago (158400 seconds). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" # - The new key was published 47 hours ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 -set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} @@ -4836,48 +4853,48 @@ dnssec_verify check_next_key_event 3600 _check_soa_ttl() { - dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || return 1 - soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) - soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) - ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) - ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) - test ${soa1:-1000} -lt ${soa2:-0} || return 1 - test ${ttl1:-0} -eq $1 || return 1 - test ${ttl2:-0} -eq $2 || return 1 + dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa2 || return 1 + soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) + ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) + ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) + test ${soa1:-1000} -lt ${soa2:-0} || return 1 + test ${ttl1:-0} -eq $1 || return 1 + test ${ttl2:-0} -eq $2 || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" TSIG= ret=0 -dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1 cp ns6/example2.db.in ns6/example.db || ret=1 -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null rndccmd 10.53.0.6 reload || ret=1 wait_for_log 3 "all zones loaded" ns6/named.run # Check that the SOA SERIAL increases and check the TTLs (should be 300 as # defined in ns6/example2.db.in). retry_quiet 10 _check_soa_ttl 300 300 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check that restart with zone changes and deleted journal works ($n)" TSIG= ret=0 -dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1 +dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1 stop_server --use-rndc --port ${CONTROLPORT} ns6 # TTL of all records change from 300 to 400 cp ns6/example3.db.in ns6/example.db || ret=1 rm ns6/example.db.jnl -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns6 wait_for_log 3 "all zones loaded" ns6/named.run # Check that the SOA SERIAL increases and check the TTLs (should be changed # from 300 to 400 as defined in ns6/example3.db.in). retry_quiet 10 _check_soa_ttl 300 400 || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/keepalive/ns2/named.conf.in b/bin/tests/system/keepalive/ns2/named.conf.in index 8ccf1c4..011e1d0 100644 --- a/bin/tests/system/keepalive/ns2/named.conf.in +++ b/bin/tests/system/keepalive/ns2/named.conf.in @@ -36,7 +36,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/keepalive/ns3/named.conf.in b/bin/tests/system/keepalive/ns3/named.conf.in index 3713f13..76e5a5b 100644 --- a/bin/tests/system/keepalive/ns3/named.conf.in +++ b/bin/tests/system/keepalive/ns3/named.conf.in @@ -41,5 +41,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/keepalive/tests.sh b/bin/tests/system/keepalive/tests.sh index 7314a9e..c8b379d 100644 --- a/bin/tests/system/keepalive/tests.sh +++ b/bin/tests/system/keepalive/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" +RNDCCMD="$RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT}" n=0 status=0 @@ -24,8 +24,8 @@ status=0 echo_i "checking that dig handles TCP keepalive ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +qr +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -33,49 +33,49 @@ echo_i "checking that dig added TCP keepalive ($n)" ret=0 n=$((n + 1)) $RNDCCMD stats -grep "EDNS TCP keepalive option received" ns2/named.stats > /dev/null || ret=1 +grep "EDNS TCP keepalive option received" ns2/named.stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that TCP keepalive is added for TCP responses ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that TCP keepalive requires TCP ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking default value ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.3 > dig.out.test$n -grep "; TCP KEEPALIVE: 30.0 secs" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.3 >dig.out.test$n +grep "; TCP KEEPALIVE: 30.0 secs" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking configured value ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE: 15.0 secs" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE: 15.0 secs" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking re-configured value ($n)" ret=0 n=$((n + 1)) -$RNDCCMD tcp-timeouts 300 300 300 200 > output +$RNDCCMD tcp-timeouts 300 300 300 200 >output diff -b output expected || ret=1 -$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 > dig.out.test$n -grep "; TCP KEEPALIVE: 20.0 secs" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +keepalive foo.example @10.53.0.2 >dig.out.test$n +grep "; TCP KEEPALIVE: 20.0 secs" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -83,12 +83,12 @@ echo_i "checking server config entry ($n)" ret=0 n=$((n + 1)) $RNDCCMD stats -oka=$(grep "EDNS TCP keepalive option received" ns2/named.stats | \ - tail -1 | awk '{ print $1}') -$DIG $DIGOPTS bar.example @10.53.0.3 > dig.out.test$n +oka=$(grep "EDNS TCP keepalive option received" ns2/named.stats \ + | tail -1 | awk '{ print $1}') +$DIG $DIGOPTS bar.example @10.53.0.3 >dig.out.test$n $RNDCCMD stats -nka=$(grep "EDNS TCP keepalive option received" ns2/named.stats | \ - tail -1 | awk '{ print $1}') +nka=$(grep "EDNS TCP keepalive option received" ns2/named.stats \ + | tail -1 | awk '{ print $1}') #echo oka ':' $oka #echo nka ':' $nka if [ "$oka" -eq "$nka" ]; then ret=1; fi diff --git a/bin/tests/system/keyfromlabel/prereq.sh b/bin/tests/system/keyfromlabel/prereq.sh index 2002c2a..66a7f81 100644 --- a/bin/tests/system/keyfromlabel/prereq.sh +++ b/bin/tests/system/keyfromlabel/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh if [ -n "${SOFTHSM2_MODULE}" ] && command -v pkcs11-tool >/dev/null && command -v softhsm2-util >/dev/null; then - exit 0 + exit 0 fi echo_i "skip: softhsm2-util or pkcs11-tool not available" diff --git a/bin/tests/system/keyfromlabel/setup.sh b/bin/tests/system/keyfromlabel/setup.sh index 703814d..a809aee 100644 --- a/bin/tests/system/keyfromlabel/setup.sh +++ b/bin/tests/system/keyfromlabel/setup.sh @@ -18,5 +18,5 @@ set -e softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-keyfromlabel" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' -printf '%s' "${HSMPIN:-1234}" > pin +printf '%s' "${HSMPIN:-1234}" >pin PWD=$(pwd) diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh index 5cedbf9..6c38ec6 100644 --- a/bin/tests/system/keyfromlabel/tests.sh +++ b/bin/tests/system/keyfromlabel/tests.sh @@ -19,74 +19,72 @@ set -e PWD=$(pwd) keygen() { - type="$1" - bits="$2" - zone="$3" - id="$4" - - label="${id}-${zone}" - p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 + type="$1" + bits="$2" + zone="$3" + id="$4" + + label="${id}-${zone}" + p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') + pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) >pkcs11-tool.out.$zone.$id || return 1 } keyfromlabel() { - alg="$1" - zone="$2" - id="$3" - shift 3 + alg="$1" + zone="$2" + id="$3" + shift 3 - $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1 - cat keyfromlabel.out.$zone.$id + $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>>/dev/null || return 1 + cat keyfromlabel.out.$zone.$id } infile="template.db.in" for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ - ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 - # Edwards curves are not yet supported by OpenSC - # ed25519:EC:edwards25519 ed448:EC:edwards448 -do - alg=$(echo "$algtypebits" | cut -f 1 -d :) - type=$(echo "$algtypebits" | cut -f 2 -d :) - bits=$(echo "$algtypebits" | cut -f 3 -d :) - - if $SHELL ../testcrypto.sh $alg; then - zone="$alg.example" - zonefile="zone.$alg.example.db" - ret=0 - - echo_i "Generate keys $alg $type:$bits for zone $zone" - keygen $type $bits $zone keyfromlabel-zsk || ret=1 - keygen $type $bits $zone keyfromlabel-ksk || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - # Skip dnssec-keyfromlabel if key generation failed. - test $ret -eq 0 || continue - - echo_i "Get ZSK $alg $zone $type:$bits" - ret=0 - zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk) - test -z "$zsk" && ret=1 - test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)" - status=$((status+ret)) - - echo_i "Get KSK $alg $zone $type:$bits" - ret=0 - ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK) - test -z "$ksk" && ret=1 - test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)" - status=$((status+ret)) - - # Skip signing if dnssec-keyfromlabel failed. - test $ret -eq 0 || continue - - echo_i "Sign zone with $ksk $zsk" - ret=0 - cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" - $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - fi + ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1; do # Edwards curves are not yet supported by OpenSC + # ed25519:EC:edwards25519 ed448:EC:edwards448 + alg=$(echo "$algtypebits" | cut -f 1 -d :) + type=$(echo "$algtypebits" | cut -f 2 -d :) + bits=$(echo "$algtypebits" | cut -f 3 -d :) + + if $SHELL ../testcrypto.sh $alg; then + zone="$alg.example" + zonefile="zone.$alg.example.db" + ret=0 + + echo_i "Generate keys $alg $type:$bits for zone $zone" + keygen $type $bits $zone keyfromlabel-zsk || ret=1 + keygen $type $bits $zone keyfromlabel-ksk || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + # Skip dnssec-keyfromlabel if key generation failed. + test $ret -eq 0 || continue + + echo_i "Get ZSK $alg $zone $type:$bits" + ret=0 + zsk=$(keyfromlabel $alg $zone keyfromlabel-zsk) + test -z "$zsk" && ret=1 + test "$ret" -eq 0 || echo_i "failed (zsk=$zsk)" + status=$((status + ret)) + + echo_i "Get KSK $alg $zone $type:$bits" + ret=0 + ksk=$(keyfromlabel $alg $zone keyfromlabel-ksk -f KSK) + test -z "$ksk" && ret=1 + test "$ret" -eq 0 || echo_i "failed (ksk=$ksk)" + status=$((status + ret)) + + # Skip signing if dnssec-keyfromlabel failed. + test $ret -eq 0 || continue + + echo_i "Sign zone with $ksk $zsk" + ret=0 + cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" + $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1 + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + fi done echo_i "exit status: $status" diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh index 1fe2bb9..3f6a76f 100644 --- a/bin/tests/system/keymgr2kasp/clean.sh +++ b/bin/tests/system/keymgr2kasp/clean.sh @@ -31,4 +31,3 @@ rm -f ./retired.* rm -f ./rndc.dnssec.* rm -f ./unused.key* rm -f ./verify.out.* - diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh index 9f53851..ef2623b 100644 --- a/bin/tests/system/keymgr2kasp/ns3/setup.sh +++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh @@ -17,10 +17,10 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" } # Make lines shorter by storing key states in environment variables. @@ -31,87 +31,87 @@ U="UNRETENTIVE" # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. setup migrate.kasp -echo "$zone" >> zones +echo "$zone" >>zones ksktimes="-P now -A now -P sync now" zsktimes="-P now -A now" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up Single-Type Signing Scheme zones with auto-dnssec maintain to # migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;' # configured, meaning the zone is signed with a single CSK. setup csk.kasp -echo "$zone" >> zones +echo "$zone" >>zones csktimes="-P now -A now -P sync now" -CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2>keygen.out.$zone.1) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 setup csk-nosep.kasp -echo "$zone" >> zones +echo "$zone" >>zones csktimes="-P now -A now -P sync now" -CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2>keygen.out.$zone.1) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this # time the existing keys do not match the policy. The existing keys are # RSASHA256 keys, and will be migrated to a dnssec-policy that dictates # ECDSAP256SHA256 keys. setup migrate-nomatch-algnum.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this # time the existing keys do not match the policy. The existing keys are # 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that # dictates 3072 bits RSASHA256 keys. setup migrate-nomatch-alglen.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to default dnssec-policy. # The zone is signed with KSK/ZSK split, but the dnssec-policy uses CSK. setup migrate-nomatch-kzc.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" cp $infile $zonefile -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # Set up zones to test time metadata correctly sets state. @@ -119,30 +119,30 @@ $SIGNER -PS -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infi # Key states expected to be rumoured after migration. setup rumoured.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-2h" Tkey="now-300s" Tsig="now-11h" ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Key states expected to be omnipresent after migration. setup omnipresent.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh index 63121a0..d5a63e0 100644 --- a/bin/tests/system/keymgr2kasp/ns4/setup.sh +++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh @@ -25,22 +25,22 @@ U="UNRETENTIVE" zone="view-rsasha256.kasp" algo="RSASHA256" num="8" -echo "$zone" >> zones +echo "$zone" >>zones # Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy. # The keys for these zones are in use long enough that they should start a # rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y). ksktimes="-P -186d -A -186d -P sync -186d" zsktimes="-P -186d -A -186d" -KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2) +KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2>keygen.out.$zone.2) echo_i "setting up zone $zone (external)" view="ext" zonefile="${zone}.${view}.db" -cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile" echo_i "setting up zone $zone (internal)" view="int" zonefile="${zone}.${view}.db" -cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile" diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh index e43f798..7c53890 100644 --- a/bin/tests/system/keymgr2kasp/setup.sh +++ b/bin/tests/system/keymgr2kasp/setup.sh @@ -25,10 +25,10 @@ copy_setports ns3/kasp.conf.in ns3/kasp.conf # Setup zones ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) ( - cd ns4 - $SHELL setup.sh + cd ns4 + $SHELL setup.sh ) diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh index 6f9caae..57c1445 100644 --- a/bin/tests/system/keymgr2kasp/tests.sh +++ b/bin/tests/system/keymgr2kasp/tests.sh @@ -29,17 +29,17 @@ n=0 # Call dig with default options. dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # Log error and increment failure rate. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Default next key event threshold. May be extended by wait periods. @@ -50,29 +50,29 @@ next_key_event_threshold=100 ############################################################################### set_retired_removed() { - _Lkey=$2 - _Iret=$3 + _Lkey=$2 + _Iret=$3 - _active=$(key_get $1 ACTIVE) - set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" - _retired=$(key_get $1 RETIRED) - set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } rollover_predecessor_keytimes() { - _addtime=$1 + _addtime=$1 - _created=$(key_get KEY1 CREATED) + _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" - _created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Policy parameters. @@ -81,7 +81,6 @@ rollover_predecessor_keytimes() { Lksk=0 Lzsk=0 - ################################################# # Test state before switching to dnssec-policy. # ################################################# @@ -90,38 +89,38 @@ Lzsk=0 # $1 $2: Algorithm number and string. # $3 $4: KSK and ZSK size. init_migration_keys() { - key_clear "KEY1" - key_set "KEY1" "LEGACY" "yes" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "none" - set_keyalgorithm "KEY1" "$1" "$2" "$3" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - key_set "KEY2" "LEGACY" "yes" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "none" - set_keyalgorithm "KEY2" "$1" "$2" "$4" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - key_clear "KEY4" + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "none" + set_keyalgorithm "KEY1" "$1" "$2" "$3" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "none" + set_keyalgorithm "KEY2" "$1" "$2" "$4" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" } # Set expected key states for migration tests. # $1: Goal # $2: States init_migration_states() { - set_keystate "KEY1" "GOAL" "$1" - set_keystate "KEY1" "STATE_DNSKEY" "$2" - set_keystate "KEY1" "STATE_KRRSIG" "$2" - set_keystate "KEY1" "STATE_DS" "$2" - - set_keystate "KEY2" "GOAL" "$1" - set_keystate "KEY2" "STATE_DNSKEY" "$2" - set_keystate "KEY2" "STATE_ZRRSIG" "$2" + set_keystate "KEY1" "GOAL" "$1" + set_keystate "KEY1" "STATE_DNSKEY" "$2" + set_keystate "KEY1" "STATE_KRRSIG" "$2" + set_keystate "KEY1" "STATE_DS" "$2" + + set_keystate "KEY2" "GOAL" "$1" + set_keystate "KEY2" "STATE_DNSKEY" "$2" + set_keystate "KEY2" "STATE_ZRRSIG" "$2" } # @@ -154,21 +153,21 @@ set_zone "csk.kasp" set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "yes" -set_keyrole "KEY1" "ksk" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "ksk" # This key also acts as a ZSK. -key_set "KEY1" "ZSK" "yes" -set_keylifetime "KEY1" "none" +key_set "KEY1" "ZSK" "yes" +set_keylifetime "KEY1" "none" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -179,9 +178,9 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key is immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" check_keytimes check_apex @@ -197,21 +196,21 @@ set_zone "csk-nosep.kasp" set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "yes" -set_keyrole "KEY1" "zsk" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "zsk" # Despite the missing SEP bit, this key also acts as a KSK. -key_set "KEY1" "KSK" "yes" -set_keylifetime "KEY1" "none" +key_set "KEY1" "KSK" "yes" +set_keylifetime "KEY1" "none" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -222,9 +221,9 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key is immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" check_keytimes check_apex @@ -292,15 +291,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # -P sync: now-3h # -A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # The ZSK is immediately published and activated. # -P: now-3900s # -A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain @@ -330,15 +329,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # P sync: now-3h # A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # - The ZSK is immediately published and activated. # P: now-3900s # A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain @@ -368,15 +367,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # P sync: now-3h # A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # - The ZSK is immediately published and activated. # P: now-3900s # A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain @@ -395,47 +394,46 @@ rndc_reconfig ns3 10.53.0.3 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # Wait until we have seen "zone_rekey done:" message for this key. _wait_for_done_signing() { - _zone=$1 - - _ksk=$(key_get $2 KSK) - _zsk=$(key_get $2 ZSK) - if [ "$_ksk" = "yes" ]; then - _role="KSK" - _expect_type=EXPECT_KRRSIG - elif [ "$_zsk" = "yes" ]; then - _role="ZSK" - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then - _keyid=$(key_get $2 ID) - _keyalg=$(key_get $2 ALG_STR) - echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" - grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 - fi - - return 0 + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1 + fi + + return 0 } wait_for_done_signing() { - n=$((n+1)) - echo_i "wait for zone ${ZONE} is done signing ($n)" - ret=0 + n=$((n + 1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } - ################################################ # Test state after switching to dnssec-policy. # ################################################ @@ -478,9 +476,9 @@ rollover_predecessor_keytimes 0 # retire-safety: 1h (3600 seconds) # IretZSK: 10d65m (867900 seconds) active=$(key_get KEY2 ACTIVE) -set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -489,13 +487,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing a good migration (CSK). @@ -504,19 +502,19 @@ set_zone "csk.kasp" set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "no" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -529,9 +527,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" # Continue signing policy checks. check_keytimes @@ -540,12 +538,12 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" ret=0 [ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing a good migration (CSK, no SEP). @@ -554,20 +552,20 @@ set_zone "csk-nosep.kasp" set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "no" -set_keyrole "KEY1" "csk" -key_set "KEY1" "FLAGS" "256" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +key_set "KEY1" "FLAGS" "256" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -580,9 +578,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" # Continue signing policy checks. check_keytimes @@ -591,12 +589,12 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" ret=0 [ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Test migration to dnssec-policy, existing keys do not match key algorithm. @@ -611,24 +609,24 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "5184000" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" @@ -650,13 +648,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. # P: now-3900s @@ -671,17 +669,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" IretZSK=824400 Lzsk=5184000 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is immediately published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 11h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -691,12 +689,12 @@ Ipub=46800 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" # - The ZSK is immediately published and activated. created=$(key_get KEY4 CREATED) -set_keytime "KEY4" "PUBLISHED" "${created}" -set_keytime "KEY4" "ACTIVE" "${created}" +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" active=$(key_get KEY4 ACTIVE) -set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY4 RETIRED) -set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -705,13 +703,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" ret=0 [ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Test migration to dnssec-policy, existing keys do not match key length. @@ -727,25 +725,25 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "5184000" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" -set_keysigning "KEY4" "no" +set_keysigning "KEY4" "no" # This key is considered to be prepublished, so it is not yet signing. -set_zonesigning "KEY4" "no" +set_zonesigning "KEY4" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" @@ -767,13 +765,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. # P: now-3900s @@ -788,17 +786,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" IretZSK=824400 Lzsk=5184000 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is immediately published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 11h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -808,12 +806,12 @@ Ipub=46800 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" # - The ZSK is immediately published and activated. created=$(key_get KEY4 CREATED) -set_keytime "KEY4" "PUBLISHED" "${created}" -set_keytime "KEY4" "ACTIVE" "${created}" +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" active=$(key_get KEY4 ACTIVE) -set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY4 RETIRED) -set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -822,13 +820,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" ret=0 [ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Test migration to dnssec-policy, existing keys do not match role (KSK/ZSK -> CSK). @@ -844,18 +842,18 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "csk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "csk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" # This key is considered to be prepublished, so it is not yet signing. set_keystate "KEY3" "STATE_ZRRSIG" "hidden" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -875,13 +873,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. # P: now-3900s @@ -896,17 +894,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" IretZSK=824400 Lzsk=5184000 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is immediately published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 11h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -922,13 +920,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" ret=0 [ $_migratenomatch_kzc_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migratenomatch_kzc_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ######################################################## # Testing key states derived from key timing metadata. # @@ -972,13 +970,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Tkey="now-300s" (300) # Tsig="now-11h" (39600) created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -300 -set_addkeytime "KEY1" "ACTIVE" "${created}" -300 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -300 +set_addkeytime "KEY1" "ACTIVE" "${created}" -300 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200 set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -300 -set_addkeytime "KEY2" "ACTIVE" "${created}" -39600 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -300 +set_addkeytime "KEY2" "ACTIVE" "${created}" -39600 set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -988,13 +986,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing omnipresent state. @@ -1022,13 +1020,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Tkey="now-3900s" (3900) # Tsig="now-12h" (43200) created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -1038,55 +1036,54 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - +status=$((status + ret)) ###################################### # Testing good migration with views. # ###################################### init_view_migration() { - key_clear "KEY1" - key_set "KEY1" "LEGACY" "yes" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "0" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - key_set "KEY2" "LEGACY" "yes" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "0" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - key_clear "KEY4" - - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "rumoured" - set_keystate "KEY1" "STATE_KRRSIG" "rumoured" - set_keystate "KEY1" "STATE_DS" "rumoured" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "rumoured" - set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "0" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "0" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" + + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "rumoured" + set_keystate "KEY1" "STATE_KRRSIG" "rumoured" + set_keystate "KEY1" "STATE_DS" "rumoured" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "rumoured" + set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" } set_keytimes_view_migration() { - # Key is six months in use. - created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400 - set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400 - set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400 - created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400 - set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400 + # Key is six months in use. + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400 + set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400 + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400 + set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400 } # Zone view.rsasha256.kasp (external) @@ -1104,16 +1101,16 @@ set_keytimes_view_migration check_keytimes dnssec_verify -n=$((n+1)) +n=$((n + 1)) # check subdomain echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remember legacy key tags. _migrate_ext8_ksk=$(key_get KEY1 ID) @@ -1134,16 +1131,16 @@ set_keytimes_view_migration check_keytimes dnssec_verify -n=$((n+1)) +n=$((n + 1)) # check subdomain echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remember legacy key tags. _migrate_int8_ksk=$(key_get KEY1 ID) @@ -1156,7 +1153,7 @@ rndc_reconfig ns4 10.53.0.4 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # @@ -1169,26 +1166,26 @@ init_migration_keys "8" "RSASHA256" "2048" "2048" init_migration_states "omnipresent" "rumoured" # Key properties, timings and metadata should be the same as legacy keys above. # However, because the keys have a lifetime, kasp will set the retired time. -key_set "KEY1" "LEGACY" "no" -set_keylifetime "KEY1" "31536000" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" - -key_set "KEY2" "LEGACY" "no" -set_keylifetime "KEY2" "8035200" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" +key_set "KEY1" "LEGACY" "no" +set_keylifetime "KEY1" "31536000" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +key_set "KEY2" "LEGACY" "no" +set_keylifetime "KEY2" "8035200" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The ZSK needs to be replaced. -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "8035200" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "8035200" set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" # not yet -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_ZRRSIG" "hidden" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # not yet +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" # Various signing policy checks (external). TSIG="$DEFAULT_HMAC:external:$VIEW1" @@ -1199,11 +1196,11 @@ set_keytimes_view_migration # Set expected key times: published=$(key_get KEY1 PUBLISHED) -set_keytime "KEY1" "ACTIVE" "${published}" +set_keytime "KEY1" "ACTIVE" "${published}" set_keytime "KEY1" "SYNCPUBLISH" "${published}" # Lifetime: 1 year (8035200 seconds) active=$(key_get KEY1 ACTIVE) -set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" +set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" # Retire interval: # DS TTL: 1d # Parent zone propagation: 3h @@ -1227,7 +1224,7 @@ retired=$(key_get KEY2 RETIRED) set_addkeytime "KEY2" "REMOVED" "${retired}" "867900" created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # Publication interval: # DNSKEY TTL: 300s # Publish safety: 1h @@ -1262,7 +1259,7 @@ check_apex dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag" @@ -1270,7 +1267,7 @@ ret=0 [ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/legacy.run.sh.in b/bin/tests/system/legacy.run.sh.in index b523637..2004615 100644 --- a/bin/tests/system/legacy.run.sh.in +++ b/bin/tests/system/legacy.run.sh.in @@ -23,15 +23,15 @@ srcdir=@abs_srcdir@ . ${builddir}/conf.sh if [ "$CI_SERVER" != "yes" ] && [ "$(id -u)" -eq "0" ] && [ "@DEVELOPER_MODE@" != "yes" ]; then - echofail "Refusing to run test as root. Build with --enable-developer to override." >&2 - exit 1 + echofail "Refusing to run test as root. Build with --enable-developer to override." >&2 + exit 1 fi export builddir export srcdir date_with_args() ( - date "+%Y-%m-%dT%T%z" + date "+%Y-%m-%dT%T%z" ) stopservers=true @@ -39,99 +39,71 @@ stopservers=true baseport=0 if [ "${SYSTEMTEST_NO_CLEAN:-0}" -eq 1 ]; then - clean=false + clean=false else - clean=true + clean=true fi -do_run=false restart=false -log_flags="-r" -while getopts "sknp:r-:t" OPT; do - log_flags="$log_flags -$OPT$OPTARG" - if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then - OPT="${OPTARG%%=*}" - OPTARG="${OPTARG#$OPT}" - OPTARG="${OPTARG#=}" - fi - - # shellcheck disable=SC2214 - case "$OPT" in - k | keep) stopservers=false ;; - n | noclean) clean=false ;; - p | port) baseport=$OPTARG ;; - r | run) do_run=true ;; - s | skip) exit 77 ;; - t | restart) restart=true ;; - -) break ;; - *) echo "invalid option" >&2; exit 1 ;; - esac +while getopts "sknp:-:t" OPT; do + if [ "$OPT" = "-" ] && [ -n "$OPTARG" ]; then + OPT="${OPTARG%%=*}" + OPTARG="${OPTARG#$OPT}" + OPTARG="${OPTARG#=}" + fi + + # shellcheck disable=SC2214 + case "$OPT" in + k | keep) stopservers=false ;; + n | noclean) clean=false ;; + p | port) baseport=$OPTARG ;; + s | skip) exit 0 ;; + t | restart) restart=true ;; + -) break ;; + *) + echo "invalid option" >&2 + exit 1 + ;; + esac done -shift $((OPTIND-1)) - -if ! $do_run; then - if [ "$baseport" -eq 0 ]; then - log_flags="$log_flags -p 5300" - fi - env - \ - CYGWIN="$CYGWIN" \ - SYSTEMTEST_FORCE_COLOR="$SYSTEMTEST_FORCE_COLOR" \ - SYSTEMTEST_NO_CLEAN="$SYSTEMTEST_NO_CLEAN" \ - SLOT="$SLOT" \ - OPENSSL_CONF="$OPENSSL_CONF" \ - SOFTHSM2_CONF="$SOFTHSM2_CONF" \ - SOFTHSM2_MODULE="$SOFTHSM2_MODULE" \ - PATH="$PATH" \ - ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} \ - TESTS="$*" \ - TEST_SUITE_LOG=run.log \ - LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" \ - LOG_FLAGS="$log_flags" \ - TEST_LARGE_MAP="${TEST_LARGE_MAP}" \ - CI_ENABLE_ALL_TESTS="${CI_ENABLE_ALL_TESTS}" \ - ${VIRTUAL_ENV:+"VIRTUAL_ENV=${VIRTUAL_ENV}"} \ - ${PERL5LIB:+"PERL5LIB=${PERL5LIB}"} \ - make -e check - exit $? -fi +shift $((OPTIND - 1)) if [ $# -eq 0 ]; then - echofail "Usage: $0 [-k] [-n] [-p <PORT>] test-directory [test-options]" >&2; - exit 1 + echofail "Usage: $0 [-k] [-n] [-p <PORT>] test-directory [test-options]" >&2 + exit 1 fi systest=$(basename "${1%%/}") shift if [ ! -d "${srcdir}/$systest" ]; then - echofail "$0: $systest: no such test" >&2 - exit 1 + echofail "$0: $systest: no such test" >&2 + exit 1 fi if [ "${srcdir}" != "${builddir}" ]; then - if [ ! -d common ] || [ ! -r common/.prepared ]; then - cp -a "${srcdir}/common" "${builddir}" - fi - # Some tests require additional files to work for out-of-tree test runs. - for file in ckdnsrps.sh conftest.py digcomp.pl ditch.pl fromhex.pl get_core_dumps.sh kasp.sh packet.pl pytest_custom_markers.py start.pl stop.pl testcrypto.sh; do - if [ ! -r "${file}" ]; then - cp -a "${srcdir}/${file}" "${builddir}" - fi - done - if [ ! -d "$systest" ] || [ ! -r "$systest/.prepared" ]; then - mkdir -p "${builddir}/$systest" - cp -a "${srcdir}/$systest" "${builddir}/" - touch "$systest/.prepared" + if [ ! -d _common ] || [ ! -r _common/.prepared ]; then + cp -a "${srcdir}/_common" "${builddir}" + fi + # Some tests require additional files to work for out-of-tree test runs. + for file in ckdnsrps.sh conftest.py digcomp.pl ditch.pl fromhex.pl get_core_dumps.sh kasp.sh packet.pl start.pl stop.pl testcrypto.sh; do + if [ ! -r "${file}" ]; then + cp -a "${srcdir}/${file}" "${builddir}" fi + done + if [ ! -d "$systest" ] || [ ! -r "$systest/.prepared" ]; then + mkdir -p "${builddir}/$systest" + cp -a "${srcdir}/$systest" "${builddir}/" + touch "$systest/.prepared" + fi fi if [ ! -d "${systest}" ]; then - echofail "$0: $systest: no such test" >&2 - exit 1 + echofail "$0: $systest: no such test" >&2 + exit 1 fi - # Determine which ports to use for this system test. eval "$(cd "${srcdir}" && ./get_ports.sh -p "$baseport" -t "$systest")" @@ -140,170 +112,137 @@ eval "$(cd "${srcdir}" && ./get_ports.sh -p "$baseport" -t "$systest")" # retained for each run by calling start.pl with the --restart command-line # option for all invocations except the first one. start_servers() { - echoinfo "I:$systest:starting servers" - if $restart || [ "$run" -gt 0 ]; then - restart_opt="--restart" - fi - if ! $PERL start.pl ${restart_opt} --port "$PORT" "$systest"; then - echoinfo "I:$systest:starting servers failed" - return 1 - fi + echoinfo "I:$systest:starting servers" + if $restart || [ "$run" -gt 0 ]; then + restart_opt="--restart" + fi + if ! $PERL start.pl ${restart_opt} --port "$PORT" "$systest"; then + echoinfo "I:$systest:starting servers failed" + return 1 + fi } stop_servers() { - if $stopservers; then - echoinfo "I:$systest:stopping servers" - if ! $PERL stop.pl "$systest"; then - echoinfo "I:$systest:stopping servers failed" - return 1 - fi + if $stopservers; then + echoinfo "I:$systest:stopping servers" + if ! $PERL stop.pl "$systest"; then + echoinfo "I:$systest:stopping servers failed" + return 1 fi + fi } echostart "S:$systest:$(date_with_args)" -echoinfo "T:$systest:1:A" -echoinfo "A:$systest:System test $systest" -echoinfo "I:$systest:PORTS:${PORT},${TLSPORT},${HTTPPORT},${HTTPSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}" - -$PERL ${srcdir}/testsock.pl -p "$PORT" || { - echowarn "I:$systest:Network interface aliases not set up. Skipping test." - echowarn "R:$systest:FAIL" - echoend "E:$systest:$(date_with_args)" - exit 1; +echoinfo "T:$systest:1:A" +echoinfo "A:$systest:System test $systest" +echoinfo "I:$systest:PORTS:${PORT},${TLSPORT},${HTTPPORT},${HTTPSPORT},${EXTRAPORT1},${EXTRAPORT2},${EXTRAPORT3},${EXTRAPORT4},${EXTRAPORT5},${EXTRAPORT6},${EXTRAPORT7},${EXTRAPORT8},${CONTROLPORT}" + +$PERL ${srcdir}/testsock.pl -p "$PORT" || { + echowarn "I:$systest:Network interface aliases not set up. Skipping test." + echowarn "R:$systest:FAIL" + echoend "E:$systest:$(date_with_args)" + exit 1 } # Check for test-specific prerequisites. -test ! -f "$systest/prereq.sh" || ( cd "${systest}" && $SHELL prereq.sh "$@" ) +test ! -f "$systest/prereq.sh" || (cd "${systest}" && $SHELL prereq.sh "$@") result=$? if [ $result -eq 0 ]; then - : prereqs ok + : prereqs ok else - echowarn "I:$systest:Prerequisites missing, skipping test." - echowarn "R:$systest:SKIPPED"; - echoend "E:$systest:$(date_with_args)" - exit 77 + echowarn "I:$systest:Prerequisites missing, skipping test." + echowarn "R:$systest:SKIPPED" + echoend "E:$systest:$(date_with_args)" + exit 0 fi # Clean up files left from any potential previous runs except when # started with the --restart option. if ! $restart; then - if test -f "$systest/clean.sh"; then - if ! ( cd "${systest}" && $SHELL clean.sh "$@" ); then - echowarn "I:$systest:clean.sh script failed" - echofail "R:$systest:FAIL" - echoend "E:$systest:$(date_with_args)" - exit 1 - fi + if test -f "$systest/clean.sh"; then + if ! (cd "${systest}" && $SHELL clean.sh "$@"); then + echowarn "I:$systest:clean.sh script failed" + echofail "R:$systest:FAIL" + echoend "E:$systest:$(date_with_args)" + exit 1 fi + fi fi # Set up any dynamically generated test data -if test -f "$systest/setup.sh" -then - if ! ( cd "${systest}" && $SHELL setup.sh "$@" ); then - echowarn "I:$systest:setup.sh script failed" - echofail "R:$systest:FAIL" - echoend "E:$systest:$(date_with_args)" - exit 1 - fi +if test -f "$systest/setup.sh"; then + if ! (cd "${systest}" && $SHELL setup.sh "$@"); then + echowarn "I:$systest:setup.sh script failed" + echofail "R:$systest:FAIL" + echoend "E:$systest:$(date_with_args)" + exit 1 + fi fi status=0 run=0 # Run the tests if [ -r "$systest/tests.sh" ]; then - if start_servers; then - ( cd "$systest" && $SHELL tests.sh "$@" ) - status=$? - run=$((run+1)) - stop_servers || status=1 - else - status=1 - fi -fi - -if [ $status -eq 0 ]; then - if [ -n "$PYTEST" ]; then - for test in $(cd "${systest}" && find . -name "tests*.py" ! -name "tests_sh_*.py"); do - rm -f "$systest/$test.status" - if start_servers; then - run=$((run+1)) - test_status=0 - (cd "$systest" && LEGACY_TEST_RUNNER=1 "$PYTEST" -rsxX -v "$test" "$@" || echo "$?" > "$test.status") | SYSTESTDIR="$systest" cat_d - if [ -f "$systest/$test.status" ]; then - if [ "$(cat "$systest/$test.status")" = "5" ]; then - echowarn "R:$systest:SKIPPED" - else - echo_i "FAILED" - test_status=$(cat "$systest/$test.status") - fi - fi - status=$((status+test_status)) - stop_servers || status=1 - else - status=1 - fi - if [ $status -ne 0 ]; then - break - fi - done - rm -f "$systest/$test.status" - else - echoinfo "I:$systest:pytest not installed, skipping python tests" - fi + if start_servers; then + (cd "$systest" && $SHELL tests.sh "$@") + status=$? + run=$((run + 1)) + stop_servers || status=1 + else + status=1 + fi fi if [ "$run" -eq "0" ]; then - echoinfo "I:$systest:No tests were found and run" - status=255 + echoinfo "I:$systest:No tests were found and run" + status=255 fi -if $stopservers -then - : +if $stopservers; then + : else - exit $status + exit $status fi $SHELL get_core_dumps.sh "$systest" || status=1 print_outstanding_files() { - if test -d ${srcdir}/../../../.git; then - git status -su --ignored "${systest}/" 2>/dev/null | \ - sed -n -e 's|^?? \(.*\)|I:'"${systest}"':file \1 not removed|p' \ - -e 's|^!! \(.*/named.run\)$|I:'"${systest}"':file \1 not removed|p' \ - -e 's|^!! \(.*/named.memstats\)$|I:'"${systest}"':file \1 not removed|p' - fi + if test -d ${srcdir}/../../../.git; then + git status -su --ignored "${systest}/" 2>/dev/null \ + | sed -n -e 's|^?? \(.*\)|I:'"${systest}"':file \1 not removed|p' \ + -e 's|^!! \(.*/named.run\)$|I:'"${systest}"':file \1 not removed|p' \ + -e 's|^!! \(.*/named.memstats\)$|I:'"${systest}"':file \1 not removed|p' + fi } print_outstanding_files_oot() { - if test -d ${srcdir}/../../../.git; then - git -C "${srcdir}/${systest}" ls-files | sed "s|^|${systest}/|" > gitfiles.txt - find "${systest}/" -type f ! -name .prepared ! -name Makefile > testfiles.txt - grep -F -x -v -f gitfiles.txt testfiles.txt - rm -f gitfiles.txt testfiles.txt - fi + if test -d ${srcdir}/../../../.git; then + git -C "${srcdir}/${systest}" ls-files | sed "s|^|${systest}/|" >gitfiles.txt + find "${systest}/" -type f ! -name .prepared ! -name Makefile >testfiles.txt + grep -F -x -v -f gitfiles.txt testfiles.txt + rm -f gitfiles.txt testfiles.txt + fi } if [ $status -ne 0 ]; then - echofail "R:$systest:FAIL" + echofail "R:$systest:FAIL" else - echopass "R:$systest:PASS" - if $clean && ! $restart; then - ( cd "${systest}" && $SHELL clean.sh "$@" ) - if [ "${srcdir}" = "${builddir}" ]; then - print_outstanding_files - else - print_outstanding_files_oot | xargs rm -f - find "${systest}/" \( -type d -empty \) -delete 2>/dev/null - fi + echopass "R:$systest:PASS" + if $clean && ! $restart; then + (cd "${systest}" && $SHELL clean.sh "$@") + if [ "${srcdir}" = "${builddir}" ]; then + print_outstanding_files + else + print_outstanding_files_oot | xargs rm -f + find "${systest}/" \( -type d -empty \) -delete 2>/dev/null fi + fi fi NAMED_RUN_LINES_THRESHOLD=200000 find "${systest}" -type f -name "named.run" -exec wc -l {} \; | awk "\$1 > ${NAMED_RUN_LINES_THRESHOLD} { print \$2 }" | sort | while read -r LOG_FILE; do - echowarn "I:${systest}:${LOG_FILE} contains more than ${NAMED_RUN_LINES_THRESHOLD} lines, consider tweaking the test to limit disk I/O" + echowarn "I:${systest}:${LOG_FILE} contains more than ${NAMED_RUN_LINES_THRESHOLD} lines, consider tweaking the test to limit disk I/O" done echoend "E:$systest:$(date_with_args)" diff --git a/bin/tests/system/legacy/ns6/sign.sh b/bin/tests/system/legacy/ns6/sign.sh index f76b3c2..96ce285 100755 --- a/bin/tests/system/legacy/ns6/sign.sh +++ b/bin/tests/system/legacy/ns6/sign.sh @@ -22,9 +22,9 @@ infile=edns512.db.in zonefile=edns512.db outfile=edns512.db.signed -keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -g -o $zone -f $outfile -e +30y $zonefile >/dev/null 2>signer.err || cat signer.err diff --git a/bin/tests/system/legacy/ns7/sign.sh b/bin/tests/system/legacy/ns7/sign.sh index c2153f9..82c6b7e 100755 --- a/bin/tests/system/legacy/ns7/sign.sh +++ b/bin/tests/system/legacy/ns7/sign.sh @@ -22,12 +22,12 @@ infile=edns512-notcp.db.in zonefile=edns512-notcp.db outfile=edns512-notcp.db.signed -keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2>/dev/null) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -g -o $zone -f $outfile -e +30y $zonefile >/dev/null 2>signer.err || cat signer.err -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf cp trusted.conf ../ns1 diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh index 44d3b11..ddb950b 100755 --- a/bin/tests/system/legacy/tests.sh +++ b/bin/tests/system/legacy/tests.sh @@ -20,10 +20,10 @@ DIGOPTS="-p ${PORT} +tries=1 +time=2" # Check whether the SOA record for the name provided in $1 can be resolved by # ns1. Return 0 if resolution succeeds as expected; return 1 otherwise. resolution_succeeds() { - _ret=0 - $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n || _ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null || _ret=1 - return $_ret + _ret=0 + $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA >dig.out.test$n || _ret=1 + grep "status: NOERROR" dig.out.test$n >/dev/null || _ret=1 + return $_ret } # Check whether the SOA record for the name provided in $1 can be resolved by @@ -32,16 +32,16 @@ resolution_succeeds() { # code of dig does not influence the result (the exit code for a SERVFAIL # response is 0 while the exit code for not getting a response at all is not 0). resolution_fails() { - _servfail=0 - _timeout=0 - $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} TXT > dig.out.test$n - grep -F "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1 - grep -F "timed out" dig.out.test$n > /dev/null && _timeout=1 - if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then - return 0 - else - return 1 - fi + _servfail=0 + _timeout=0 + $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} TXT >dig.out.test$n + grep -F "status: SERVFAIL" dig.out.test$n >/dev/null && _servfail=1 + grep -F "timed out" dig.out.test$n >/dev/null && _timeout=1 + if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then + return 0 + else + return 1 + fi } status=0 @@ -50,12 +50,12 @@ n=0 n=$((n + 1)) echo_i "checking formerr edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1 -grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa >dig.out.1.test$n || ret=1 +grep "status: FORMERR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -69,12 +69,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking notimp edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1 -grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa >dig.out.1.test$n || ret=1 +grep "status: NOTIMP" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -88,12 +88,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking refused edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1 -grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa >dig.out.1.test$n || ret=1 +grep "status: REFUSED" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -107,18 +107,18 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking drop edns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa > dig.out.1.test$n && ret=1 -grep "timed out" dig.out.1.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa > dig.out.3.test$n || ret=1 -grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa > dig.out.4.test$n && ret=1 -grep "timed out" dig.out.4.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa >dig.out.1.test$n && ret=1 +grep "timed out" dig.out.1.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa >dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.3.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa >dig.out.4.test$n && ret=1 +grep "timed out" dig.out.4.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -132,14 +132,14 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking drop edns + no tcp server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.3 dropedns-notcp soa > dig.out.1.test$n && ret=1 -grep "timed out" dig.out.1.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noedns +tcp @10.53.0.3 dropedns-notcp soa > dig.out.2.test$n && ret=1 -grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +noedns @10.53.0.3 dropedns-notcp soa > dig.out.3.test$n || ret=1 -grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.3 dropedns-notcp soa >dig.out.1.test$n && ret=1 +grep "timed out" dig.out.1.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noedns +tcp @10.53.0.3 dropedns-notcp soa >dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +noedns @10.53.0.3 dropedns-notcp soa >dig.out.3.test$n || ret=1 +grep "status: NOERROR" dig.out.3.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -153,12 +153,12 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking plain dns server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.4 plain soa > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa > dig.out.2.test$n -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +edns @10.53.0.4 plain soa >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.4 plain soa >dig.out.2.test$n +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -172,11 +172,11 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking plain dns + no tcp server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.5 plain-notcp soa > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null && ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.5 plain-notcp soa > dig.out.2.test$n && ret=1 -grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.5 plain-notcp soa >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null && ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.5 plain-notcp soa >dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -190,19 +190,19 @@ n=$((n + 1)) echo_i "checking edns 512 server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.6 edns512 txt > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.6 edns512 txt > dig.out.2.test$n || ret=1 -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec @10.53.0.6 edns512 txt > dig.out.3.test$n && ret=1 -grep "timed out" dig.out.3.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.6 edns512 soa > dig.out.4.test$n || ret=1 -grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1 -grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.6 edns512 txt >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.6 edns512 txt >dig.out.2.test$n || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec @10.53.0.6 edns512 txt >dig.out.3.test$n && ret=1 +grep "timed out" dig.out.3.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.3.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.6 edns512 soa >dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.4.test$n >/dev/null || ret=1 +grep "flags:.* tc[ ;]" dig.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -216,18 +216,18 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking edns 512 + no tcp server setup ($n)" ret=0 -$DIG $DIGOPTS +edns @10.53.0.7 edns512-notcp soa > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +tcp @10.53.0.7 edns512-notcp soa > dig.out.2.test$n && ret=1 -grep "connection refused" dig.out.2.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec @10.53.0.7 edns512-notcp soa > dig.out.3.test$n && ret=1 -grep "timed out" dig.out.3.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.3.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.7 edns512-notcp soa > dig.out.4.test$n || ret=1 -grep "status: NOERROR" dig.out.4.test$n > /dev/null || ret=1 -grep "EDNS: version:" dig.out.4.test$n > /dev/null || ret=1 -grep "flags:.* tc[ ;]" dig.out.4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +edns @10.53.0.7 edns512-notcp soa >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +tcp @10.53.0.7 edns512-notcp soa >dig.out.2.test$n && ret=1 +grep "connection refused" dig.out.2.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec @10.53.0.7 edns512-notcp soa >dig.out.3.test$n && ret=1 +grep "timed out" dig.out.3.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.3.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +edns +dnssec +bufsize=512 +ignore @10.53.0.7 edns512-notcp soa >dig.out.4.test$n || ret=1 +grep "status: NOERROR" dig.out.4.test$n >/dev/null || ret=1 +grep "EDNS: version:" dig.out.4.test$n >/dev/null || ret=1 +grep "flags:.* tc[ ;]" dig.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -243,8 +243,8 @@ echo_i "checking recursive lookup to edns 512 + no tcp server does not cause que ret=0 sent=$(grep -c -F "sending packet to 10.53.0.7" ns1/named.run) if [ $sent -ge 10 ]; then - echo_i "ns1 sent $sent queries to ns7, expected less than 10" - ret=1 + echo_i "ns1 sent $sent queries to ns7, expected less than 10" + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -257,10 +257,10 @@ n=$((n + 1)) echo_i "checking recursive lookup to edns 512 + no tcp + trust anchor fails ($n)" # retry loop in case the server restart above causes transient failure for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - resolution_fails edns512-notcp. || ret=1 - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + resolution_fails edns512-notcp. || ret=1 + [ "$ret" -eq 0 ] && break + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/limits/tests.sh b/bin/tests/system/limits/tests.sh index f2cf0fb..92c470a 100644 --- a/bin/tests/system/limits/tests.sh +++ b/bin/tests/system/limits/tests.sh @@ -20,37 +20,37 @@ DIGOPTS="-p ${PORT}" status=0 echo_i "1000 A records" -$DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a > dig.out.1000 || status=1 +$DIG $DIGOPTS +tcp +norec 1000.example. @10.53.0.1 a >dig.out.1000 || status=1 # $DIG $DIGOPTS 1000.example. @10.53.0.1 a > knowngood.dig.out.1000 digcomp knowngood.dig.out.1000 dig.out.1000 || status=1 echo_i "2000 A records" -$DIG $DIGOPTS +tcp +norec 2000.example. @10.53.0.1 a > dig.out.2000 || status=1 +$DIG $DIGOPTS +tcp +norec 2000.example. @10.53.0.1 a >dig.out.2000 || status=1 # $DIG $DIGOPTS 2000.example. @10.53.0.1 a > knowngood.dig.out.2000 digcomp knowngood.dig.out.2000 dig.out.2000 || status=1 echo_i "3000 A records" -$DIG $DIGOPTS +tcp +norec 3000.example. @10.53.0.1 a > dig.out.3000 || status=1 +$DIG $DIGOPTS +tcp +norec 3000.example. @10.53.0.1 a >dig.out.3000 || status=1 # $DIG $DIGOPTS 3000.example. @10.53.0.1 a > knowngood.dig.out.3000 digcomp knowngood.dig.out.3000 dig.out.3000 || status=1 echo_i "4000 A records" -$DIG $DIGOPTS +tcp +norec 4000.example. @10.53.0.1 a > dig.out.4000 || status=1 +$DIG $DIGOPTS +tcp +norec 4000.example. @10.53.0.1 a >dig.out.4000 || status=1 # $DIG $DIGOPTS 4000.example. @10.53.0.1 a > knowngood.dig.out.4000 digcomp knowngood.dig.out.4000 dig.out.4000 || status=1 echo_i "exactly maximum rrset" -$DIG $DIGOPTS +tcp +norec +noedns a-maximum-rrset.example. @10.53.0.1 a > dig.out.a-maximum-rrset \ - || status=1 +$DIG $DIGOPTS +tcp +norec +noedns a-maximum-rrset.example. @10.53.0.1 a >dig.out.a-maximum-rrset \ + || status=1 # $DIG $DIGOPTS a-maximum-rrset.example. @10.53.0.1 a > knowngood.dig.out.a-maximum-rrset digcomp knowngood.dig.out.a-maximum-rrset dig.out.a-maximum-rrset || status=1 echo_i "exceed maximum rrset (5000 A records)" -$DIG $DIGOPTS +tcp +norec +noadd 5000.example. @10.53.0.1 a > dig.out.exceed || status=1 +$DIG $DIGOPTS +tcp +norec +noadd 5000.example. @10.53.0.1 a >dig.out.exceed || status=1 # Look for truncation bit (tc). -grep 'flags: .*tc.*;' dig.out.exceed > /dev/null || { - echo_i "TC bit was not set" - status=1 +grep 'flags: .*tc.*;' dig.out.exceed >/dev/null || { + echo_i "TC bit was not set" + status=1 } echo_i "exit status: $status" diff --git a/bin/tests/system/logfileconfig/named1.args b/bin/tests/system/logfileconfig/named1.args index 764d4c9..f35563b 100644 --- a/bin/tests/system/logfileconfig/named1.args +++ b/bin/tests/system/logfileconfig/named1.args @@ -1 +1 @@ --c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 +-c named.conf -m record -T nosyslog -f -d 99 -D logfileconfig-ns1 -X named.lock -U 4 diff --git a/bin/tests/system/logfileconfig/named2.args b/bin/tests/system/logfileconfig/named2.args index fb9fe57..ddae5a4 100644 --- a/bin/tests/system/logfileconfig/named2.args +++ b/bin/tests/system/logfileconfig/named2.args @@ -1 +1 @@ --c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog +-c named.conf -m record -T nosyslog -f -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog diff --git a/bin/tests/system/logfileconfig/tests.sh b/bin/tests/system/logfileconfig/tests.sh index d12fd06..f5c9b45 100644 --- a/bin/tests/system/logfileconfig/tests.sh +++ b/bin/tests/system/logfileconfig/tests.sh @@ -19,72 +19,72 @@ set -e # filesystem-dependent conditions in order to prevent false negatives caused by # directory contents not being synchronized immediately after rename() returns. test_with_retry() { - if test "$@"; then - sleep 1 - if test "$@"; then - return 0 - fi - fi - return 1 + if test "$@"; then + sleep 1 + if test "$@"; then + return 0 + fi + fi + return 1 } status=0 n=0 # First run with a known good config. -n=$((n+1)) +n=$((n + 1)) echo_i "testing log file validity (only plain files allowed) ($n)" ret=0 -cat /dev/null > ns1/named_log +cat /dev/null >ns1/named_log copy_setports ns1/named.plainconf.in ns1/named.conf -nextpart ns1/named.run > /dev/null -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +nextpart ns1/named.run >/dev/null +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try directory, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing directory as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null copy_setports ns1/named.dirconf.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try pipe file, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing pipe file as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null rm -f ns1/named_pipe if mkfifo ns1/named_pipe >/dev/null 2>&1; then - copy_setports ns1/named.pipeconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=$((n+1)) +n=$((n + 1)) echo_i "testing symlink to plain file as log file ($n)" ret=0 rm -f ns1/named_log ns1/named_sym touch ns1/named_log if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then - nextpart ns1/named.run > /dev/null - copy_setports ns1/named.symconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + nextpart ns1/named.run >/dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping symlink test (unable to create symlink)" + echo_i "skipping symlink test (unable to create symlink)" fi echo_i "repeat previous tests without named -g" @@ -93,89 +93,89 @@ stop_server --use-rndc --port ${CONTROLPORT} ns1 cp named1.args ns1/named.args start_server --noclean --restart --port ${PORT} ns1 -n=$((n+1)) +n=$((n + 1)) echo_i "testing log file validity (only plain files allowed) ($n)" ret=0 -cat /dev/null > ns1/named_log +cat /dev/null >ns1/named_log copy_setports ns1/named.plainconf.in ns1/named.conf -nextpart ns1/named.run > /dev/null -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +nextpart ns1/named.run >/dev/null +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try directory, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing directory as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null copy_setports ns1/named.dirconf.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now try pipe file, expect failure -n=$((n+1)) +n=$((n + 1)) echo_i "testing pipe file as log file ($n)" ret=0 -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null rm -f ns1/named_pipe if mkfifo ns1/named_pipe >/dev/null 2>&1; then - copy_setports ns1/named.pipeconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=$((n+1)) +n=$((n + 1)) echo_i "testing symlink to plain file as log file ($n)" ret=0 rm -f ns1/named_log ns1/named_sym touch ns1/named_log if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then - nextpart ns1/named.run > /dev/null - copy_setports ns1/named.symconf.in ns1/named.conf - rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n - wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 - if [ "$ret" -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + nextpart ns1/named.run >/dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping symlink test (unable to create symlink)" + echo_i "skipping symlink test (unable to create symlink)" fi echo_i "testing logging functionality" -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "testing iso8601 timestamp ($n)" copy_setports ns1/named.iso8601.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -grep '^....-..-..T..:..:..\.... ' ns1/named_iso8601 > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +grep '^....-..-..T..:..:..\.... ' ns1/named_iso8601 >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing iso8601-utc timestamp ($n)" ret=0 copy_setports ns1/named.iso8601-utc.in ns1/named.conf -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc >/dev/null || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing explicit versions ($n)" ret=0 copy_setports ns1/named.versconf.in ns1/named.conf # a seconds since epoch version number touch ns1/named_vers.1480039317 -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +$DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 # we are configured to retain five logfiles (a current file # and 4 backups). so files with version number 5 or higher # should be removed. @@ -183,9 +183,9 @@ test_with_retry -f ns1/named_vers.1480039317 && ret=1 test_with_retry -f ns1/named_vers.5 && ret=1 test_with_retry -f ns1/named_vers.4 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing timestamped versions ($n)" ret=0 copy_setports ns1/named.tsconf.in ns1/named.conf @@ -193,94 +193,90 @@ copy_setports ns1/named.tsconf.in ns1/named.conf touch ns1/named_ts.1480039317 # a timestamp version number touch ns1/named_ts.20150101120000120 -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n _found2() ( - $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 - # we are configured to keep three versions, so the oldest - # timestamped versions should be gone, and there should - # be two or three backup ones. - [ -f ns1/named_ts.1480039317 ] && return 1 - [ -f ns1/named_ts.20150101120000120 ] && return 1 - set -- ns1/named_ts.* - [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 + # we are configured to keep three versions, so the oldest + # timestamped versions should be gone, and there should + # be two or three backup ones. + [ -f ns1/named_ts.1480039317 ] && return 1 + [ -f ns1/named_ts.20150101120000120 ] && return 1 + set -- ns1/named_ts.* + [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 ) retry_quiet 5 _found2 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing incremented versions ($n)" ret=0 copy_setports ns1/named.incconf.in ns1/named.conf try=0 -while test $try -lt 12 -do - touch ns1/named_inc.$try - try=$((try + 1)) +while test $try -lt 12; do + touch ns1/named_inc.$try + try=$((try + 1)) done -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n _found2() ( - $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 - try=1 - while test $try -lt 12 - do - [ -f ns1/named_inc.$try ] && return 1 - try=$((try + 1)) - done - set -- ns1/named_inc.* - [ "$#" -eq 1 ] || return 1 + try=1 + while test $try -lt 12; do + [ -f ns1/named_inc.$try ] && return 1 + try=$((try + 1)) + done + set -- ns1/named_inc.* + [ "$#" -eq 1 ] || return 1 ) retry_quiet 5 _found2 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing absolute file path versions ($n)" ret=0 copy_setports ns1/named.abspathconf.in ns1/named.conf try=0 -while test $try -lt 12 -do - touch $TMPDIR/example.log.$try - try=$((try + 1)) +while test $try -lt 12; do + touch $TMPDIR/example.log.$try + try=$((try + 1)) done -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n _found2() ( - $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 - try=1 - while test $try -lt 12 - do - [ -f $TMPDIR/example.log.$try ] && return 1 - try=$((try + 1)) - done - set -- $TMPDIR/example.log.* - [ "$#" -eq 1 ] || return 1 + try=1 + while test $try -lt 12; do + [ -f $TMPDIR/example.log.$try ] && return 1 + try=$((try + 1)) + done + set -- $TMPDIR/example.log.* + [ "$#" -eq 1 ] || return 1 ) retry_quiet 5 _found2 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing unlimited versions ($n)" ret=0 copy_setports ns1/named.unlimited.in ns1/named.conf # a seconds since epoch version number touch ns1/named_unlimited.1480039317 -rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n -$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +rndc_reconfig ns1 10.53.0.1 >rndc.out.test$n +$DIG version.bind txt ch @10.53.0.1 -p ${PORT} >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 test_with_retry -f ns1/named_unlimited.1480039317 || ret=1 test_with_retry -f ns1/named_unlimited.4 || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing default logfile using named -L file ($n)" ret=0 stop_server ns1 @@ -291,7 +287,7 @@ copy_setports ns1/named.plainconf.in ns1/named.conf start_server --noclean --restart --port ${PORT} ns1 [ -f "ns1/named_deflog" ] || ret=1 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/masterfile/ns2/named.conf.in b/bin/tests/system/masterfile/ns2/named.conf.in index 1f4ef91..2a84f86 100644 --- a/bin/tests/system/masterfile/ns2/named.conf.in +++ b/bin/tests/system/masterfile/ns2/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/masterfile/tests.sh b/bin/tests/system/masterfile/tests.sh index 5755088..b625376 100644 --- a/bin/tests/system/masterfile/tests.sh +++ b/bin/tests/system/masterfile/tests.sh @@ -38,23 +38,23 @@ status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "test that the nameserver is running with a missing master file ($n)" -$DIG $DIGOPTS +tcp +noall +answer example soa @10.53.0.2 > dig.out.$n -grep SOA dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +noall +answer example soa @10.53.0.2 >dig.out.$n +grep SOA dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "test that the nameserver returns SERVFAIL for a missing master file ($n)" -$DIG $DIGOPTS +tcp +all missing soa @10.53.0.2 > dig.out.$n -grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +all missing soa @10.53.0.2 >dig.out.$n +grep "status: SERVFAIL" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) ret=0 n=$((n + 1)) echo_i "test owner inheritance after "'$INCLUDE'" ($n)" -$CHECKZONE -Dq example zone/inheritownerafterinclude.db > checkzone.out$n +$CHECKZONE -Dq example zone/inheritownerafterinclude.db >checkzone.out$n diff checkzone.out$n zone/inheritownerafterinclude.good || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index 0c2e7fb..9ea1740 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -15,20 +15,20 @@ . ../../conf.sh $CHECKZONE -D -F raw -o example.db.raw example \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o ../ns3/example.db.raw example \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o ../ns3/dynamic.db.raw dynamic \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw=1 -o example.db.raw1 example-explicit \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \ - example.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \ - example.db > /dev/null 2>&1 -$CHECKZONE -D -F raw -o large.db.raw large large.db > /dev/null 2>&1 + example.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o large.db.raw large large.db >/dev/null 2>&1 -$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed > /dev/null 2>&1 -$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed > /dev/null 2>&1 -$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null -$CHECKZONE -D -F raw -o signed.db.raw signed signed.db.signed > /dev/null 2>&1 +$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed >/dev/null 2>&1 +$KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed >/dev/null 2>&1 +$SIGNER -S -f signed.db.signed -o signed signed.db >/dev/null +$CHECKZONE -D -F raw -o signed.db.raw signed signed.db.signed >/dev/null 2>&1 diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index d5fe367..c2bc0f6 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -27,5 +27,5 @@ awk 'END { for (i = 0; i < 512; i++ ) { print "a TXT", i; } for (i = 0; i < 1024; i++ ) { print "b TXT", i; } for (i = 0; i < 2000; i++ ) { print "c TXT", i; } -}' < /dev/null >> ns1/large.db +}' </dev/null >>ns1/large.db cd ns1 && $SHELL compile.sh diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index da9ec87..feb2a75 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -19,36 +19,36 @@ set -e status=0 n=1 -israw () { - # shellcheck disable=SC2016 - $PERL -e 'binmode STDIN; +israw() { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; read(STDIN, $input, 8); ($style, $version) = unpack("NN", $input); - exit 1 if ($style != 2 || $version > 1);' < "$1" || return $? + exit 1 if ($style != 2 || $version > 1);' <"$1" || return $? } -isfull () { - # there should be no whitespace at the beginning of a line - if grep '^[ ][ ]*' "$1" > /dev/null 2>&1; then - return 1 - else - return 0 - fi +isfull() { + # there should be no whitespace at the beginning of a line + if grep '^[ ][ ]*' "$1" >/dev/null 2>&1; then + return 1 + else + return 0 + fi } -rawversion () { - # shellcheck disable=SC2016 - $PERL -e 'binmode STDIN; +rawversion() { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; read(STDIN, $input, 8); if (length($input) < 8) { print "not raw\n"; exit 0; }; ($style, $version) = unpack("NN", $input); print ($style == 2 || $style == 3 ? "$version\n" : - "not raw\n");' < "$1" + "not raw\n");' <"$1" } -sourceserial () { - # shellcheck disable=SC2016 - $PERL -e 'binmode STDIN; +sourceserial() { + # shellcheck disable=SC2016 + $PERL -e 'binmode STDIN; read(STDIN, $input, 20); if (length($input) < 20) { print "UNSET\n"; exit; }; ($format, $version, $dumptime, $flags, $sourceserial) = @@ -58,12 +58,12 @@ sourceserial () { print $sourceserial . "\n"; } else { print "UNSET\n"; - }' < "$1" + }' <"$1" } -stomp () { - # shellcheck disable=SC2016 - $PERL -e 'open(my $file, "+<", $ARGV[0]); +stomp() { + # shellcheck disable=SC2016 + $PERL -e 'open(my $file, "+<", $ARGV[0]); binmode $file; seek($file, $ARGV[1], 0); for (my $i = 0; $i < $ARGV[2]; $i++) { @@ -72,17 +72,17 @@ stomp () { close($file);' "$@" } -restart () { - sleep 1 - start_server --noclean --restart --port "${PORT}" ns3 +restart() { + sleep 1 + start_server --noclean --restart --port "${PORT}" ns3 } dig_with_opts() { - "$DIG" +tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" + "$DIG" +tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" } rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" } status=0 @@ -91,27 +91,27 @@ echo_i "checking that files in raw format loaded ($n)" ret=0 set -- 1 2 3 for zone in example example-explicit example-compat; do - for server in "$@"; do - for qname in ns mx a aaaa cname dname txt rrsig nsec \ - dnskey ds cdnskey cds; do - qtype="$qname" - dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} - echo - done > dig.out.${zone}.${server}.test${n} - for qname in private-dnskey private-cdnskey; do - qtype=$(expr "$qname" : '.*-\(.*\)') - dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} - done >> dig.out.${zone}.${server}.test${n} - done - digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.2.test${n} || ret=1 - if [ "$zone" = "example" ]; then - set -- 1 2 - digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.3.test${n} || ret=1 - fi + for server in "$@"; do + for qname in ns mx a aaaa cname dname txt rrsig nsec \ + dnskey ds cdnskey cds; do + qtype="$qname" + dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} + echo + done >dig.out.${zone}.${server}.test${n} + for qname in private-dnskey private-cdnskey; do + qtype=$(expr "$qname" : '.*-\(.*\)') + dig_with_opts @10.53.0.${server} -q ${qname}.${zone}. -t ${qtype} + done >>dig.out.${zone}.${server}.test${n} + done + digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.2.test${n} || ret=1 + if [ "$zone" = "example" ]; then + set -- 1 2 + digcomp dig.out.${zone}.1.test${n} dig.out.${zone}.3.test${n} || ret=1 + fi done -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format versions ($n)" ret=0 @@ -121,158 +121,157 @@ israw ns1/example.db.compat || ret=1 [ "$(rawversion ns1/example.db.raw)" -eq 1 ] || ret=1 [ "$(rawversion ns1/example.db.raw1)" -eq 1 ] || ret=1 [ "$(rawversion ns1/example.db.compat)" -eq 0 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking source serial numbers ($n)" ret=0 [ "$(sourceserial ns1/example.db.raw)" = "UNSET" ] || ret=1 [ "$(sourceserial ns1/example.db.serial.raw)" = "3333" ] || ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "waiting for transfers to complete" -for i in 0 1 2 3 4 5 6 7 8 9 -do - test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break + sleep 1 done echo_i "checking that secondary was saved in raw format by default ($n)" ret=0 israw ns2/transfer.db.raw || ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that secondary was saved in text format when configured ($n)" ret=0 israw ns2/transfer.db.txt && ret=1 isfull ns2/transfer.db.txt && ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that secondary was saved in 'full' style when configured ($n)" ret=0 -isfull ns2/transfer.db.full > /dev/null 2>&1 || ret=1 -n=$((n+1)) +isfull ns2/transfer.db.full >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that secondary formerly in text format is now raw ($n)" -for i in 0 1 2 3 4 5 6 7 8 9 -do - ret=0 - israw ns2/formerly-text.db > /dev/null 2>&1 || ret=1 - [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + israw ns2/formerly-text.db >/dev/null 2>&1 || ret=1 + [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1 + [ $ret -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that large rdatasets loaded ($n)" -for i in 0 1 2 3 4 5 6 7 8 9 -do -ret=0 -for a in a b c -do - $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" > "dig.out.ns2.test$n" - grep "status: NOERROR" "dig.out.ns2.test$n" > /dev/null || ret=1 -done -[ $ret -eq 0 ] && break -sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for a in a b c; do + $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" + grep "status: NOERROR" "dig.out.ns2.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 done -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking format transitions: text->raw->text ($n)" ret=0 -$CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db > /dev/null -$CHECKZONE -D -f text -F raw -o raw.1 example.nil baseline.txt > /dev/null -$CHECKZONE -D -f raw -F text -o text.1 example.nil raw.1 > /dev/null +$CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db >/dev/null +$CHECKZONE -D -f text -F raw -o raw.1 example.nil baseline.txt >/dev/null +$CHECKZONE -D -f raw -F text -o text.1 example.nil raw.1 >/dev/null cmp -s baseline.txt text.1 || ret=0 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format loading with journal file rollforward ($n)" ret=0 -$NSUPDATE <<END > /dev/null || status=1 +$NSUPDATE <<END >/dev/null || status=1 server 10.53.0.3 ${PORT} ttl 600 update add newtext.dynamic IN TXT "added text" update delete aaaa.dynamic send END -dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic1.ns3.test$n" -grep "added text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1 -dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic2.ns3.test$n" -grep "NXDOMAIN" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || ret=1 +dig_with_opts @10.53.0.3 newtext.dynamic txt >"dig.out.dynamic1.ns3.test$n" +grep "added text" "dig.out.dynamic1.ns3.test$n" >/dev/null 2>&1 || ret=1 +dig_with_opts +comm @10.53.0.3 added.dynamic txt >"dig.out.dynamic2.ns3.test$n" +grep "NXDOMAIN" "dig.out.dynamic2.ns3.test$n" >/dev/null 2>&1 || ret=1 # using "rndc halt" ensures that we don't dump the zone file stop_server --use-rndc --halt --port ${CONTROLPORT} ns3 restart check_added_text() { - dig_with_opts @10.53.0.3 newtext.dynamic txt > "dig.out.dynamic3.ns3.test$n" || return 1 - grep "added text" "dig.out.dynamic3.ns3.test$n" > /dev/null || return 1 - return 0 + dig_with_opts @10.53.0.3 newtext.dynamic txt >"dig.out.dynamic3.ns3.test$n" || return 1 + grep "added text" "dig.out.dynamic3.ns3.test$n" >/dev/null || return 1 + return 0 } retry_quiet 10 check_added_text || ret=1 -dig_with_opts +comm @10.53.0.3 added.dynamic txt > "dig.out.dynamic4.ns3.test$n" -grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" > /dev/null 2>&1 || ret=1 -n=$((n+1)) +dig_with_opts +comm @10.53.0.3 added.dynamic txt >"dig.out.dynamic4.ns3.test$n" +grep "NXDOMAIN" "dig.out.dynamic4.ns3.test$n" >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format file dumps correctly ($n)" ret=0 -$NSUPDATE <<END > /dev/null || status=1 +$NSUPDATE <<END >/dev/null || status=1 server 10.53.0.3 ${PORT} ttl 600 update add moretext.dynamic IN TXT "more text" send END -dig_with_opts @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic1.ns3.test$n" -grep "more text" "dig.out.dynamic1.ns3.test$n" > /dev/null 2>&1 || ret=1 +dig_with_opts @10.53.0.3 moretext.dynamic txt >"dig.out.dynamic1.ns3.test$n" +grep "more text" "dig.out.dynamic1.ns3.test$n" >/dev/null 2>&1 || ret=1 # using "rndc stop" will cause the zone file to flush before shutdown stop_server --use-rndc --port ${CONTROLPORT} ns3 rm ns3/*.jnl restart #shellcheck disable=SC2034 for i in 0 1 2 3 4 5 6 7 8 9; do - lret=0 - dig_with_opts +comm @10.53.0.3 moretext.dynamic txt > "dig.out.dynamic2.ns3.test$n" - grep "more text" "dig.out.dynamic2.ns3.test$n" > /dev/null 2>&1 || lret=1 - [ $lret -eq 0 ] && break; + lret=0 + dig_with_opts +comm @10.53.0.3 moretext.dynamic txt >"dig.out.dynamic2.ns3.test$n" + grep "more text" "dig.out.dynamic2.ns3.test$n" >/dev/null 2>&1 || lret=1 + [ $lret -eq 0 ] && break done [ $lret -eq 1 ] && ret=1 -n=$((n+1)) +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format zone is scheduled for resigning (compilezone) ($n)" ret=0 -rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 -grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 -n=$((n+1)) +rndccmd 10.53.0.1 zonestatus signed >rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "checking raw format zone is scheduled for resigning (signzone) ($n)" ret=0 -rndccmd 10.53.0.1 freeze signed > rndc.out 2>&1 || ret=1 -(cd ns1 || exit 1; $SIGNER -S -O raw -f signed.db.raw -o signed signed.db > /dev/null) +rndccmd 10.53.0.1 freeze signed >rndc.out 2>&1 || ret=1 +( + cd ns1 || exit 1 + $SIGNER -S -O raw -f signed.db.raw -o signed signed.db >/dev/null +) rndc_reload ns1 10.53.0.1 signed -rndccmd 10.53.0.1 zonestatus signed > rndc.out 2>&1 || ret=1 -grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 -n=$((n+1)) +rndccmd 10.53.0.1 zonestatus signed >rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out >/dev/null 2>&1 || ret=1 +n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh index 2d4e7cb..3998a09 100644 --- a/bin/tests/system/metadata/setup.sh +++ b/bin/tests/system/metadata/setup.sh @@ -20,41 +20,40 @@ echo_i "generating keys" # active zsk zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone) -echo $zsk > zsk.key +echo $zsk >zsk.key # not yet published or active pending=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P none -A none $czone) -echo $pending > pending.key +echo $pending >pending.key # published but not active standby=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -A none $czone) -echo $standby > standby.key +echo $standby >standby.key # inactive inact=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -P now-24h -A now-24h -I now $czone) -echo $inact > inact.key +echo $inact >inact.key # active ksk ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) -echo $ksk > ksk.key +echo $ksk >ksk.key # published but not YET active; will be active in 15 seconds rolling=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) -$SETTIME -A now+15s $rolling > /dev/null -echo $rolling > rolling.key +$SETTIME -A now+15s $rolling >/dev/null +echo $rolling >rolling.key # revoked revoke1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $czone) -echo $revoke1 > prerev.key +echo $revoke1 >prerev.key revoke2=$($REVOKE $revoke1) -echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key +echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" >postrev.key pzsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $pzone) -echo $pzsk > parent.zsk.key +echo $pzsk >parent.zsk.key pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone) -echo $pksk > parent.ksk.key +echo $pksk >parent.ksk.key oldstyle=$($KEYGEN -Cq -a ${DEFAULT_ALGORITHM} $pzone) -echo $oldstyle > oldstyle.key - +echo $oldstyle >oldstyle.key diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh index 3a91bb7..e945f88 100644 --- a/bin/tests/system/metadata/tests.sh +++ b/bin/tests/system/metadata/tests.sh @@ -21,7 +21,7 @@ status=0 n=1 echo_i "setting key timers" -$SETTIME -A now+15s $(cat rolling.key) > /dev/null +$SETTIME -A now+15s $(cat rolling.key) >/dev/null inact=$(keyfile_to_key_id "$(cat inact.key)") ksk=$(keyfile_to_key_id "$(cat ksk.key)") @@ -33,8 +33,8 @@ standby=$(keyfile_to_key_id "$(cat standby.key)") zsk=$(keyfile_to_key_id "$(cat zsk.key)") echo_i "signing zones" -$SIGNER -Sg -o $czone $cfile > /dev/null -$SIGNER -Sg -o $pzone $pfile > /dev/null +$SIGNER -Sg -o $czone $cfile >/dev/null +$SIGNER -Sg -o $pzone $pfile >/dev/null awk '$2 ~ /RRSIG/ { type = $3; @@ -43,7 +43,7 @@ awk '$2 ~ /RRSIG/ { if ($4 ~ /'${czone}'/) { print type, id } -}' < ${cfile}.signed > sigs +}' <${cfile}.signed >sigs awk '$2 ~ /DNSKEY/ { flags = $3; @@ -51,65 +51,65 @@ awk '$2 ~ /DNSKEY/ { getline; id = $NF; print flags, id; -}' < ${cfile}.signed > keys +}' <${cfile}.signed >keys echo_i "checking that KSK signed DNSKEY only ($n)" ret=0 -grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1 -grep "SOA $ksk"'$' sigs > /dev/null && ret=1 +grep "DNSKEY $ksk"'$' sigs >/dev/null || ret=1 +grep "SOA $ksk"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that ZSK signed ($n)" ret=0 -grep "SOA $zsk"'$' sigs > /dev/null || ret=1 +grep "SOA $zsk"'$' sigs >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that standby ZSK did not sign ($n)" ret=0 -grep " $standby"'$' sigs > /dev/null && ret=1 +grep " $standby"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that inactive key did not sign ($n)" ret=0 -grep " $inact"'$' sigs > /dev/null && ret=1 +grep " $inact"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that pending key was not published ($n)" ret=0 -grep " $pending"'$' keys > /dev/null && ret=1 +grep " $pending"'$' keys >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that standby KSK did not sign but is delegated ($n)" ret=0 -grep " $rolling"'$' sigs > /dev/null && ret=1 -grep " $rolling"'$' keys > /dev/null || ret=1 -grep -E "DS[ ]*$rolling[ ]" ${pfile}.signed > /dev/null || ret=1 +grep " $rolling"'$' sigs >/dev/null && ret=1 +grep " $rolling"'$' keys >/dev/null || ret=1 +grep -E "DS[ ]*$rolling[ ]" ${pfile}.signed >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that key was revoked ($n)" ret=0 -grep " $prerev"'$' keys > /dev/null && ret=1 -grep " $postrev"'$' keys > /dev/null || ret=1 +grep " $prerev"'$' keys >/dev/null && ret=1 +grep " $postrev"'$' keys >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that revoked key self-signed ($n)" ret=0 -grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1 -grep "SOA $postrev"'$' sigs > /dev/null && ret=1 +grep "DNSKEY $postrev"'$' sigs >/dev/null || ret=1 +grep "SOA $postrev"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -118,11 +118,11 @@ echo_i "waiting 20 seconds for key changes to occur" sleep 20 echo_i "re-signing zone" -$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null +$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed >/dev/null echo_i "checking that standby KSK is now active ($n)" ret=0 -grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1 +grep "DNSKEY $rolling"'$' sigs >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -130,10 +130,10 @@ status=$((status + ret)) echo_i "checking update of an old-style key ($n)" ret=0 # printing metadata should not work with an old-style key -$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 && ret=1 -$SETTIME -f $(cat oldstyle.key) > /dev/null 2>&1 || ret=1 +$SETTIME -pall $(cat oldstyle.key) >/dev/null 2>&1 && ret=1 +$SETTIME -f $(cat oldstyle.key) >/dev/null 2>&1 || ret=1 # but now it should -$SETTIME -pall $(cat oldstyle.key) > /dev/null 2>&1 || ret=1 +$SETTIME -pall $(cat oldstyle.key) >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -142,10 +142,10 @@ echo_i "checking warning about permissions change on key with dnssec-settime ($n ret=0 # settime should print a warning about changing the permissions chmod 644 $(cat oldstyle.key).private -$SETTIME -P none $(cat oldstyle.key) > settime1.test$n 2>&1 || ret=1 -grep "warning: Permissions on the file.*have changed" settime1.test$n > /dev/null 2>&1 || ret=1 -$SETTIME -P none $(cat oldstyle.key) > settime2.test$n 2>&1 || ret=1 -grep "warning: Permissions on the file.*have changed" settime2.test$n > /dev/null 2>&1 && ret=1 +$SETTIME -P none $(cat oldstyle.key) >settime1.test$n 2>&1 || ret=1 +grep "warning: Permissions on the file.*have changed" settime1.test$n >/dev/null 2>&1 || ret=1 +$SETTIME -P none $(cat oldstyle.key) >settime2.test$n 2>&1 || ret=1 +grep "warning: Permissions on the file.*have changed" settime2.test$n >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -153,17 +153,17 @@ status=$((status + ret)) echo_i "checking warning about delete date < inactive date with dnssec-settime ($n)" ret=0 # settime should print a warning about delete < inactive -$SETTIME -I now+15s -D now $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 -grep "warning" tmp.out > /dev/null 2>&1 || ret=1 +$SETTIME -I now+15s -D now $(cat oldstyle.key) >tmp.out 2>&1 || ret=1 +grep "warning" tmp.out >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking no warning about delete date < inactive date with dnssec-settime when delete date is unset ($n)" ret=0 -$SETTIME -D none $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 -$SETTIME -p all $(cat oldstyle.key) > tmp.out 2>&1 || ret=1 -grep "warning" tmp.out > /dev/null 2>&1 && ret=1 +$SETTIME -D none $(cat oldstyle.key) >tmp.out 2>&1 || ret=1 +$SETTIME -p all $(cat oldstyle.key) >tmp.out 2>&1 || ret=1 +grep "warning" tmp.out >/dev/null 2>&1 && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -171,8 +171,8 @@ status=$((status + ret)) echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)" ret=0 # keygen should print a warning about delete < inactive -$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone > tmp.out 2>&1 || ret=1 -grep "warning" tmp.out > /dev/null 2>&1 || ret=1 +$KEYGEN -q -a ${DEFAULT_ALGORITHM} -I now+15s -D now $czone >tmp.out 2>&1 || ret=1 +grep "warning" tmp.out >/dev/null 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -198,9 +198,9 @@ echo_i "checking calculation of dates for a successor key ($n)" ret=0 oldkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone) newkey=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $czone) -$SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1 -$SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1 -$SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1 +$SETTIME -A -2d -I +2d $oldkey >settime1.test$n 2>&1 || ret=1 +$SETTIME -i 1d -S $oldkey $newkey >settime2.test$n 2>&1 || ret=1 +$SETTIME -pA $newkey | grep "1970" >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -209,14 +209,14 @@ key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $czone) echo_i "checking -p output time is accepted ($n)" t=$($SETTIME -pA $key | sed 's/.*: //') -$SETTIME -Psync "$t" $key > settime2.test$n 2>&1 || ret=1 +$SETTIME -Psync "$t" $key >settime2.test$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking -up output time is accepted ($n)" t=$($SETTIME -upA $key | sed 's/.*: //') -$SETTIME -Dsync "$t" $key > settime2.test$n 2>&1 || ret=1 +$SETTIME -Dsync "$t" $key >settime2.test$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -224,7 +224,7 @@ status=$((status + ret)) echo_i "checking -p unset time is accepted ($n)" # The Delete timing metadata is unset. t=$($SETTIME -pD $key | sed 's/.*: //') -$SETTIME -Psync "$t" $key > settime2.test$n 2>&1 || ret=1 +$SETTIME -Psync "$t" $key >settime2.test$n 2>&1 || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/mirror/ns1/sign.sh b/bin/tests/system/mirror/ns1/sign.sh index ab613d5..4337500 100644 --- a/bin/tests/system/mirror/ns1/sign.sh +++ b/bin/tests/system/mirror/ns1/sign.sh @@ -13,7 +13,7 @@ . ../../conf.sh -( cd ../ns2 && $SHELL -e sign.sh ) +(cd ../ns2 && $SHELL -e sign.sh) cp ../ns2/dsset-* . @@ -21,17 +21,17 @@ zone=. infile=root.db.in zonefile=root.db -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) -keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) +keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Add a trust anchor for a name whose non-existence can be securely proved # without recursing when the root zone is mirrored. This will exercise code # attempting to send TAT queries for such names (in ns3). Key data is # irrelevant here, so just reuse the root zone key generated above. -sed "s/^\./nonexistent./;" $keyname1.key > $keyname1.modified.key +sed "s/^\./nonexistent./;" $keyname1.key >$keyname1.modified.key -keyfile_to_static_ds $keyname1 $keyname1.modified > trusted.conf +keyfile_to_static_ds $keyname1 $keyname1.modified >trusted.conf diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh index 519fd83..2cd449b 100644 --- a/bin/tests/system/mirror/ns2/sign.sh +++ b/bin/tests/system/mirror/ns2/sign.sh @@ -16,16 +16,16 @@ keys_to_trust="" for zonename in sub.example example initially-unavailable; do - zone=$zonename - infile=$zonename.db.in - zonefile=$zonename.db + zone=$zonename + infile=$zonename.db.in + zonefile=$zonename.db - keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) - keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) + keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) + keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) - cat $infile $keyname1.key $keyname2.key > $zonefile + cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -P -g -o $zone $zonefile > /dev/null + $SIGNER -P -g -o $zone $zonefile >/dev/null done # Only add the key for "initially-unavailable" to the list of keys trusted by @@ -39,9 +39,9 @@ zone=verify-csk infile=verify.db.in zonefile=verify-csk.db -keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) -cat $infile $keyname.key > $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) +cat $infile $keyname.key >$zonefile +$SIGNER -P -o $zone $zonefile >/dev/null keys_to_trust="$keys_to_trust $keyname" # Prepare remaining zones used in the test. @@ -50,30 +50,30 @@ UPDATED_SERIAL_BAD=$((ORIGINAL_SERIAL + 1)) UPDATED_SERIAL_GOOD=$((ORIGINAL_SERIAL + 2)) for variant in addzone axfr ixfr load reconfig untrusted; do - zone=verify-$variant - infile=verify.db.in - zonefile=verify-$variant.db - - keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2> /dev/null) - keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2> /dev/null) - - cat $infile $keyname1.key $keyname2.key > $zonefile - - # Prepare a properly signed version of the zone ("*.original.signed"). - $SIGNER -P -o $zone $zonefile > /dev/null - cp $zonefile.signed $zonefile.original.signed - # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed"). - sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed > $zonefile.bad.signed - # Prepare another properly signed version of the zone ("*.good.signed"). - sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile > $zonefile.good - $SIGNER -P -o $zone $zonefile.good > /dev/null - rm -f $zonefile.good - - # Except for the "verify-untrusted" zone, declare the KSK used for - # signing the zone to be a trust anchor for ns3. - if [ "$variant" != "untrusted" ]; then - keys_to_trust="$keys_to_trust $keyname1" - fi + zone=verify-$variant + infile=verify.db.in + zonefile=verify-$variant.db + + keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -f KSK $zone 2>/dev/null) + keyname2=$($KEYGEN -a ${DEFAULT_ALGORITHM} $zone 2>/dev/null) + + cat $infile $keyname1.key $keyname2.key >$zonefile + + # Prepare a properly signed version of the zone ("*.original.signed"). + $SIGNER -P -o $zone $zonefile >/dev/null + cp $zonefile.signed $zonefile.original.signed + # Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed"). + sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed >$zonefile.bad.signed + # Prepare another properly signed version of the zone ("*.good.signed"). + sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile >$zonefile.good + $SIGNER -P -o $zone $zonefile.good >/dev/null + rm -f $zonefile.good + + # Except for the "verify-untrusted" zone, declare the KSK used for + # signing the zone to be a trust anchor for ns3. + if [ "$variant" != "untrusted" ]; then + keys_to_trust="$keys_to_trust $keyname1" + fi done -keyfile_to_static_ds $keys_to_trust > trusted-mirror.conf +keyfile_to_static_ds $keys_to_trust >trusted-mirror.conf diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in index b644f45..edbfed8 100644 --- a/bin/tests/system/mirror/ns3/named.conf.in +++ b/bin/tests/system/mirror/ns3/named.conf.in @@ -37,7 +37,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "." { diff --git a/bin/tests/system/mirror/setup.sh b/bin/tests/system/mirror/setup.sh index b80e797..21d1093 100644 --- a/bin/tests/system/mirror/setup.sh +++ b/bin/tests/system/mirror/setup.sh @@ -19,7 +19,7 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf -( cd ns1 && $SHELL -e sign.sh ) +(cd ns1 && $SHELL -e sign.sh) -cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed -cat ns2/verify-load.db.bad.signed > ns3/verify-load.db.mirror +cat ns2/verify-axfr.db.bad.signed >ns2/verify-axfr.db.signed +cat ns2/verify-load.db.bad.signed >ns3/verify-load.db.mirror diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh index dc6cffa..78c884e 100644 --- a/bin/tests/system/mirror/tests.sh +++ b/bin/tests/system/mirror/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=2 +tries=1 +multi" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # Wait until the transfer of the given zone to ns3 either completes # successfully or is aborted by a verification failure or a REFUSED response @@ -25,47 +25,47 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" # end with the "IXFR failed" status, which is followed by an AXFR retry and # this test needs to check what the result of the latter transfer attempt is. wait_for_transfer() { - zone=$1 - for i in 1 2 3 4 5 6 7 8 9 10; do - # Wait until a "freeing transfer context" message is logged - # after one of the transfer results we are looking for is - # logged. This is needed to prevent races when checking for - # "mirror zone is now in use" messages. - nextpartpeek ns3/named.run | \ - awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" | \ - grep "'$zone/IN'.*freeing transfer context" > /dev/null && return - sleep 1 - done - echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run" - ret=1 + zone=$1 + for i in 1 2 3 4 5 6 7 8 9 10; do + # Wait until a "freeing transfer context" message is logged + # after one of the transfer results we are looking for is + # logged. This is needed to prevent races when checking for + # "mirror zone is now in use" messages. + nextpartpeek ns3/named.run \ + | awk "matched; /'$zone\/IN'.*Transfer status: (success|verify failure|REFUSED)/ {matched=1}" \ + | grep "'$zone/IN'.*freeing transfer context" >/dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for proof of '$zone' being transferred to appear in ns3/named.run" + ret=1 } # Wait until loading the given zone on the given server either completes # successfully for the specified serial number or fails. wait_for_load() { - zone=$1 - serial=$2 - log=$3 - for i in 1 2 3 4 5 6 7 8 9 10; do - # Wait until a "zone_postload: (...): done" message is logged - # after one of the loading-related messages we are looking for - # is logged. This is needed to prevent races when checking for - # "mirror zone is now in use" messages. - nextpartpeek $log | \ - awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" | \ - grep "zone_postload: zone $zone/IN: done" > /dev/null && return - sleep 1 - done - echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log" - ret=1 + zone=$1 + serial=$2 + log=$3 + for i in 1 2 3 4 5 6 7 8 9 10; do + # Wait until a "zone_postload: (...): done" message is logged + # after one of the loading-related messages we are looking for + # is logged. This is needed to prevent races when checking for + # "mirror zone is now in use" messages. + nextpartpeek $log \ + | awk "matched; /$zone.*(loaded serial $serial|unable to load)/ {matched=1}" \ + | grep "zone_postload: zone $zone/IN: done" >/dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for proof of '$zone' being loaded to appear in $log" + ret=1 } # Trigger a reload of ns2 and wait until loading the given zone completes. reload_zone() { - zone=$1 - serial=$2 - rndc_reload ns2 10.53.0.2 - wait_for_load $zone $serial ns2/named.run + zone=$1 + serial=$2 + rndc_reload ns2 10.53.0.2 + wait_for_load $zone $serial ns2/named.run } status=0 @@ -79,11 +79,11 @@ n=$((n + 1)) echo_i "checking that an unsigned mirror zone is rejected ($n)" ret=0 wait_for_transfer verify-unsigned -$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-unsigned SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-unsigned.*Zone contains no DNSSEC keys" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-unsigned.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -92,11 +92,11 @@ echo_i "checking that a mirror zone signed using an untrusted key is rejected ($ ret=0 nextpartreset ns3/named.run wait_for_transfer verify-untrusted -$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -105,10 +105,10 @@ echo_i "checking that a mirror zone signed using a CSK without the SEP bit set i ret=0 nextpartreset ns3/named.run wait_for_transfer verify-csk -$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -117,26 +117,26 @@ echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ( ret=0 nextpartreset ns3/named.run wait_for_transfer verify-axfr -$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-axfr SOA" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that an AXFR of an updated, correctly signed mirror zone is accepted ($n)" ret=0 -nextpart ns3/named.run > /dev/null -cat ns2/verify-axfr.db.good.signed > ns2/verify-axfr.db.signed +nextpart ns3/named.run >/dev/null +cat ns2/verify-axfr.db.good.signed >ns2/verify-axfr.db.signed reload_zone verify-axfr ${UPDATED_SERIAL_GOOD} -$RNDCCMD 10.53.0.3 retransfer verify-axfr > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 retransfer verify-axfr >/dev/null 2>&1 wait_for_transfer verify-axfr -$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-axfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-axfr.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -147,59 +147,59 @@ ret=0 wait_for_transfer verify-ixfr # Sanity check: the initial, properly signed version of the zone should have # been announced as coming into effect. -nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1 +nextpart ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null || ret=1 # Make a copy of the original zone file for reuse in journal tests below. cp ns2/verify-ixfr.db.signed ns3/verify-journal.db.mirror # Wait 1 second so that the zone file timestamp changes and the subsequent # invocation of "rndc reload" triggers a zone reload. sleep 1 -cat ns2/verify-ixfr.db.bad.signed > ns2/verify-ixfr.db.signed +cat ns2/verify-ixfr.db.bad.signed >ns2/verify-ixfr.db.signed reload_zone verify-ixfr ${UPDATED_SERIAL_BAD} # Make a copy of the bad zone journal for reuse in journal tests below. cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.bad.mirror.jnl # Trigger IXFR. -$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 refresh verify-ixfr >/dev/null 2>&1 wait_for_transfer verify-ixfr # Ensure the transfer was incremental as expected. if [ $(nextpartpeek ns3/named.run | grep "verify-ixfr.*got incremental response" | wc -l) -eq 0 ]; then - echo_i "failed: did not get an incremental response" - ret=1 + echo_i "failed: did not get an incremental response" + ret=1 fi # Ensure the new, bad version of the zone was not accepted. -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 # A positive answer is expected as the original version of the "verify-ixfr" # zone should have been successfully verified. -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" >/dev/null || ret=1 # Despite the verification failure for this IXFR, this mirror zone should still # be in use as its previous version should have been verified successfully. -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that an IXFR of an updated, correctly signed mirror zone is accepted after AXFR failover ($n)" ret=0 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null # Wait 1 second so that the zone file timestamp changes and the subsequent # invocation of "rndc reload" triggers a zone reload. sleep 1 -cat ns2/verify-ixfr.db.good.signed > ns2/verify-ixfr.db.signed +cat ns2/verify-ixfr.db.good.signed >ns2/verify-ixfr.db.signed reload_zone verify-ixfr ${UPDATED_SERIAL_GOOD} # Make a copy of the good zone journal for reuse in journal tests below. cp ns2/verify-ixfr.db.signed.jnl ns3/verify-journal.db.good.mirror.jnl # Trigger IXFR. -$RNDCCMD 10.53.0.3 refresh verify-ixfr > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 refresh verify-ixfr >/dev/null 2>&1 wait_for_transfer verify-ixfr # Ensure the new, good version of the zone was accepted. -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 # The log message announcing the mirror zone coming into effect should not have # been logged this time since the mirror zone in question is expected to # already be in use before this test case is checked. -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -208,11 +208,11 @@ echo_i "checking that loading an incorrectly signed mirror zone from disk fails ret=0 nextpartreset ns3/named.run wait_for_load verify-load ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-load SOA" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -220,7 +220,7 @@ n=$((n + 1)) echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)" ret=0 # ns3 is started with "-T tat=3", so TAT queries should have already been sent. -grep "_ta-[-0-9a-f]*/NULL" ns1/named.run > /dev/null || ret=1 +grep "_ta-[-0-9a-f]*/NULL" ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -228,14 +228,14 @@ n=$((n + 1)) echo_i "checking that loading a correctly signed mirror zone from disk succeeds ($n)" ret=0 stop_server --use-rndc --port ${CONTROLPORT} ns3 -cat ns2/verify-load.db.good.signed > ns3/verify-load.db.mirror -nextpart ns3/named.run > /dev/null +cat ns2/verify-load.db.good.signed >ns3/verify-load.db.mirror +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 wait_for_load verify-load ${UPDATED_SERIAL_GOOD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-load SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-load.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -253,22 +253,22 @@ cp ns3/verify-journal.db.bad.mirror.jnl ns3/verify-ixfr.db.mirror.jnl # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-ixfr" {$/,/^};$/ { s/10.53.0.3/10.53.0.254/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 wait_for_load verify-ixfr ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpartpeek ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-ixfr SOA" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null && ret=1 # Restore transfers for the "verify-ixfr" zone on ns2. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-ixfr" {$/,/^};$/ { s/10.53.0.254/10.53.0.3/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -280,40 +280,40 @@ ret=0 stop_server --use-rndc --port ${CONTROLPORT} ns3 cp ns3/verify-journal.db.mirror ns3/verify-ixfr.db.mirror cp ns3/verify-journal.db.good.mirror.jnl ns3/verify-ixfr.db.mirror.jnl -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 wait_for_load verify-ixfr ${UPDATED_SERIAL_GOOD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking delegations sourced from a mirror zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 foo.example A +norec > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.example A +norec >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null && ret=1 # Check that a delegation containing a DS RRset and glue is present. -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1 -grep "example.*IN.*NS" dig.out.ns3.test$n > /dev/null || ret=1 -grep "example.*IN.*DS" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null || ret=1 +grep "example.*IN.*NS" dig.out.ns3.test$n >/dev/null || ret=1 +grep "example.*IN.*DS" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ns2.example.*A.*10.53.0.2" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that resolution involving a mirror zone works as expected ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.example A >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 # Ensure ns1 was not queried. -grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1 +grep "query 'foo.example/A/IN'" ns1/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -321,13 +321,13 @@ n=$((n + 1)) echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)" ret=0 # Issue a non-recursive query for an RRset which is expected to be in cache. -$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 # Ensure the response is not a delegation. -grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1 -grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n >/dev/null && ret=1 +grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -336,41 +336,41 @@ echo_i "checking that delegations from cache which improve mirror zone delegatio ret=0 # First, issue a recursive query in order to cache an RRset which is not within # the mirror zone's bailiwick. -$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 sub.example. NS >dig.out.ns3.test$n.1 2>&1 || ret=1 # Ensure the child-side NS RRset is returned. -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "ANSWER: 2" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "ANSWER: 2" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Issue a non-recursive query for something below the cached zone cut. -$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A >dig.out.ns3.test$n.2 2>&1 || ret=1 # Ensure the cached NS RRset is returned in a delegation, along with the # parent-side DS RRset. -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "ANSWER: 0" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "sub.example.*IN.*DS" dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 . DNSKEY >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 . SOA >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -380,30 +380,30 @@ ret=0 wait_for_transfer initially-unavailable # Query for a record in a zone that is set up to be mirrored, but # untransferrable from the configured primary. Resolution should still succeed. -$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.1 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n.1 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Sanity check: the authoritative server should have been queried. -nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1 +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null || ret=1 # Reconfigure ns2 so that the zone can be mirrored on ns3. sed '/^zone "initially-unavailable" {$/,/^};$/ { s/10.53.0.254/10.53.0.3/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 # Flush the cache on ns3 and retransfer the mirror zone. -$RNDCCMD 10.53.0.3 flush > /dev/null 2>&1 -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 retransfer initially-unavailable > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 flush >/dev/null 2>&1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 retransfer initially-unavailable >/dev/null 2>&1 wait_for_transfer initially-unavailable # Query for the same record again. Resolution should still succeed. -$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n.2 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n.2 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null || ret=1 # Ensure the authoritative server was not queried. -nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null && ret=1 +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -414,60 +414,60 @@ ret=0 # mirrored on ns3. sed '/^zone "initially-unavailable" {$/,/^};$/ { s/10.53.0.3/10.53.0.254/ -}' ns2/named.conf > ns2/named.conf.modified +}' ns2/named.conf >ns2/named.conf.modified mv ns2/named.conf.modified ns2/named.conf rndc_reconfig ns2 10.53.0.2 # Stop ns3, update the timestamp of the zone file to one far in the past, then # restart ns3. stop_server --use-rndc --port ${CONTROLPORT} ns3 touch -t 200001010000 ns3/initially-unavailable.db.mirror -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null start_server --noclean --restart --port ${PORT} ns3 # Ensure named attempts to retransfer the zone due to its expiry. wait_for_transfer initially-unavailable # Ensure the expected messages were logged. -nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1 -nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1 +nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" >/dev/null || ret=1 +nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" >/dev/null || ret=1 # Query for a record in the expired zone. Resolution should still succeed. -$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +grep "NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 # Sanity check: the authoritative server should have been queried. -nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/null || ret=1 +nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA >dig.out.ns3.test$n 2>&1 || ret=1 # Check response code and flags in the answer. -grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1 +grep "REFUSED" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that outgoing transfers of mirror zones are disabled by default ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.3 . AXFR > dig.out.ns3.test$n 2>&1 || ret=1 -grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 . AXFR >dig.out.ns3.test$n 2>&1 || ret=1 +grep "; Transfer failed" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that notifies are disabled by default for mirror zones ($n)" ret=0 -grep "initially-unavailable.*sending notifies" ns3/named.run > /dev/null && ret=1 +grep "initially-unavailable.*sending notifies" ns3/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking output of \"rndc zonestatus\" for a mirror zone ($n)" ret=0 -$RNDCCMD 10.53.0.3 zonestatus . > rndc.out.ns3.test$n 2>&1 -grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 zonestatus . >rndc.out.ns3.test$n 2>&1 +grep "type: mirror" rndc.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -475,26 +475,26 @@ n=$((n + 1)) echo_i "checking that \"rndc reconfig\" properly handles a mirror -> secondary zone type change ($n)" ret=0 # Sanity check before we start. -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Reconfigure the zone so that it is no longer a mirror zone. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { s/type mirror;/type secondary;/ -}' ns3/named.conf > ns3/named.conf.modified +}' ns3/named.conf >ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null rndc_reconfig ns3 10.53.0.3 # Zones whose type was changed should not be reusable, which means the tested # zone should have been reloaded from disk. wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run # Ensure responses sourced from the reconfigured zone have AA=1 and AD=0. -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -502,20 +502,20 @@ n=$((n + 1)) echo_i "checking that \"rndc reconfig\" properly handles a secondary -> mirror zone type change ($n)" ret=0 # Put an incorrectly signed version of the zone in the zone file used by ns3. -nextpart ns3/named.run > /dev/null -cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror +nextpart ns3/named.run >/dev/null +cat ns2/verify-reconfig.db.bad.signed >ns3/verify-reconfig.db.mirror # Reconfigure the zone so that it is a mirror zone again. # (NOTE: Keep the embedded newline in the sed function list below.) sed '/^zone "verify-reconfig" {$/,/^};$/ { s/type secondary;/type mirror;/ -}' ns3/named.conf > ns3/named.conf.modified +}' ns3/named.conf >ns3/named.conf.modified mv ns3/named.conf.modified ns3/named.conf rndc_reconfig ns3 10.53.0.3 # The reconfigured zone should fail verification. wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run -$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1 -nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n >/dev/null && ret=1 +nextpart ns3/named.run | grep "No correct ${DEFAULT_ALGORITHM} signature for verify-reconfig SOA" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -523,19 +523,19 @@ n=$((n + 1)) echo_i "checking that a mirror zone can be added using rndc ($n)" ret=0 # Sanity check: the zone should not exist in the root zone. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n.1 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n.1 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.1 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.1 >/dev/null || ret=1 # Mirror a zone which does not exist in the root zone. -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; primaries { 10.53.0.2; }; };' >rndc.out.ns3.test$n 2>&1 || ret=1 wait_for_transfer verify-addzone # Check whether the mirror zone was added and whether it behaves as expected. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1 -grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n.2 2>&1 || ret=1 +grep "NOERROR" dig.out.ns3.test$n.2 >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n.2 >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -543,14 +543,14 @@ n=$((n + 1)) echo_i "checking that a mirror zone can be deleted using rndc ($n)" ret=0 # Remove the mirror zone added in the previous test. -nextpart ns3/named.run > /dev/null -$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1 +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 delzone verify-addzone >rndc.out.ns3.test$n 2>&1 || ret=1 wait_for_log 20 "zone verify-addzone/IN: mirror zone is no longer in use; reverting to normal recursion" ns3/named.run || ret=1 # Check whether the mirror zone was removed. -$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1 -grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 -grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA >dig.out.ns3.test$n 2>&1 || ret=1 +grep "NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "flags:.* aa" dig.out.ns3.test$n >/dev/null && ret=1 +grep "flags:.* ad" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 626e18f..a3f0928 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -19,8 +19,8 @@ zonefile=sub.tld.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null -keyfile_to_initial_ds $keyname > island.conf +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null +keyfile_to_initial_ds $keyname >island.conf cp island.conf ../ns5/island.conf zone=tld @@ -29,7 +29,7 @@ zonefile=tld.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null zone=. zonefile=root.db @@ -37,18 +37,18 @@ zonefile=root.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null # Configure the resolving server with an initializing key. -keyfile_to_initial_ds $keyname > managed.conf +keyfile_to_initial_ds $keyname >managed.conf cp managed.conf ../ns2/managed.conf cp managed.conf ../ns4/managed.conf cp managed.conf ../ns5/managed.conf # Configure broken trust anchor for ns3 # Rotate each nibble in the digest by -1 -$DSFROMKEY $keyname.key | -awk '!/^; /{ +$DSFROMKEY $keyname.key \ + | awk '!/^; /{ printf "trust-anchors {\n" printf "\t\""$1"\" initial-ds " printf $4 " " $5 " " $6 " \"" @@ -76,10 +76,10 @@ awk '!/^; /{ } printf "\";\n" printf "};\n" - }' > ../ns3/broken.conf + }' >../ns3/broken.conf # Configure a static key to be used by delv. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf # Prepare an unsupported algorithm key. unsupportedkey=Kunknown.+255+00000 @@ -88,6 +88,6 @@ cp unsupported.key "${unsupportedkey}.key" # # Save keyname and keyid for managed key id test. # -echo "$keyname" > managed.key -echo "$zskkeyname" > zone.key -keyfile_to_key_id $keyname > managed.key.id +echo "$keyname" >managed.key +echo "$zskkeyname" >zone.key +keyfile_to_key_id $keyname >managed.key.id diff --git a/bin/tests/system/mkeys/ns2/named.conf.in b/bin/tests/system/mkeys/ns2/named.conf.in index 1c77556..feed923 100644 --- a/bin/tests/system/mkeys/ns2/named.conf.in +++ b/bin/tests/system/mkeys/ns2/named.conf.in @@ -39,5 +39,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in index 374b184..ed3bf46 100644 --- a/bin/tests/system/mkeys/ns3/named.conf.in +++ b/bin/tests/system/mkeys/ns3/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "broken.conf"; diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in index 5c23708..1ad75aa 100644 --- a/bin/tests/system/mkeys/ns4/named.conf.in +++ b/bin/tests/system/mkeys/ns4/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "sub.foo" { diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh index d364e8e..8fb8519 100644 --- a/bin/tests/system/mkeys/ns4/sign.sh +++ b/bin/tests/system/mkeys/ns4/sign.sh @@ -19,6 +19,6 @@ zonefile=sub.foo.db keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) -$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null -keyfile_to_initial_ds $keyname > private.conf +$SIGNER -Sg -o $zone $zonefile >/dev/null 2>/dev/null +keyfile_to_initial_ds $keyname >private.conf cp private.conf ../ns5/private.conf diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in index 757d614..8669971 100644 --- a/bin/tests/system/mkeys/ns5/named.conf.in +++ b/bin/tests/system/mkeys/ns5/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "foo" { diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in index 3279859..48afcbe 100644 --- a/bin/tests/system/mkeys/ns6/named.conf.in +++ b/bin/tests/system/mkeys/ns6/named.conf.in @@ -38,7 +38,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "managed.conf"; diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh index fcbd287..2ea7aa4 100644 --- a/bin/tests/system/mkeys/ns6/setup.sh +++ b/bin/tests/system/mkeys/ns6/setup.sh @@ -30,4 +30,4 @@ cp "../ns1/${rootkey}.key" . # Configure the resolving server with an initializing key. # (We use key-format trust anchors here because otherwise the # unsupported algorithm test won't work.) -keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey > managed.conf +keyfile_to_initial_keys $unsupportedkey $islandkey $rootkey >managed.conf diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in index b50246a..7ccf59e 100644 --- a/bin/tests/system/mkeys/ns7/named.conf.in +++ b/bin/tests/system/mkeys/ns7/named.conf.in @@ -39,13 +39,13 @@ controls { view view1 { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; view view2 { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh index d1a30a2..7251e30 100644 --- a/bin/tests/system/mkeys/setup.sh +++ b/bin/tests/system/mkeys/setup.sh @@ -16,8 +16,8 @@ export ALGORITHM_SET="ecc_default" # Ensure the selected algorithm set is okay. if [ "$ALGORITHM_SET" = "error" ]; then - echofail "Algorithm selection failed." >&2 - exit 1 + echofail "Algorithm selection failed." >&2 + exit 1 fi copy_setports ns1/named1.conf.in ns1/named.conf @@ -30,9 +30,9 @@ copy_setports ns7/named.conf.in ns7/named.conf cp ns5/named1.args ns5/named.args -( cd ns1 && $SHELL sign.sh ) -( cd ns4 && $SHELL sign.sh ) -( cd ns6 && $SHELL setup.sh ) +(cd ns1 && $SHELL sign.sh) +(cd ns4 && $SHELL sign.sh) +(cd ns6 && $SHELL setup.sh) cp ns2/managed.conf ns2/managed1.conf diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index ed9dcf6..1d85160 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh @@ -18,72 +18,72 @@ export ALGORITHM_SET="ecc_default" . ../conf.sh dig_with_opts() ( - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "${PORT}" "$@" ) delv_with_opts() ( - "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" + "$DELV" -a ns1/trusted.conf -p "${PORT}" "$@" ) rndccmd() ( - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" ) mkeys_reconfig_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" reconfig . | sed "s/^/ns${nsidx} /" | cat_i ) mkeys_reload_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" - wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndc_reload "ns${nsidx}" "10.53.0.${nsidx}" + wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1 ) mkeys_loadkeys_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1 ) mkeys_refresh_on() ( - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" managed-keys refresh | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "Returned from key fetch in keyfetch_done()" "ns${nsidx}"/named.run || return 1 ) mkeys_sync_on() ( - # No race with mkeys_refresh_on() is possible as even if the latter - # returns immediately after the expected log message is written, the - # managed-keys zone is already locked and the command below calls - # dns_zone_flush(), which also attempts to take that zone's lock - nsidx=$1 - nextpart "ns${nsidx}"/named.run > /dev/null - rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # dns_zone_flush(), which also attempts to take that zone's lock + nsidx=$1 + nextpart "ns${nsidx}"/named.run >/dev/null + rndccmd "10.53.0.${nsidx}" managed-keys sync | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "dump_done" "ns${nsidx}"/named.run || return 1 ) mkeys_status_on() ( - # No race with mkeys_refresh_on() is possible as even if the latter - # returns immediately after the expected log message is written, the - # managed-keys zone is already locked and the command below calls - # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), - # which also attempts to take that zone's lock - nsidx=$1 - rndccmd "10.53.0.${nsidx}" managed-keys status + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # mkey_status(), which in turn calls dns_zone_getrefreshkeytime(), + # which also attempts to take that zone's lock + nsidx=$1 + rndccmd "10.53.0.${nsidx}" managed-keys status ) mkeys_flush_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" flush | sed "s/^/ns${nsidx} /" | cat_i ) mkeys_secroots_on() ( - nsidx=$1 - rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i + nsidx=$1 + rndccmd "10.53.0.${nsidx}" secroots | sed "s/^/ns${nsidx} /" | cat_i ) original=$(cat ns1/managed.key) @@ -96,50 +96,50 @@ rm -f dig.out.* echo_i "check for signed record ($n)" ret=0 -dig_with_opts +norec example. @10.53.0.1 TXT > dig.out.ns1.test$n || ret=1 -grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n > /dev/null || ret=1 -grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n > /dev/null || ret=1 +dig_with_opts +norec example. @10.53.0.1 TXT >dig.out.ns1.test$n || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*TXT[[:space:]]*\"This is a test\.\"" dig.out.ns1.test$n >/dev/null || ret=1 +grep "^example\.[[:space:]]*[0-9]*[[:space:]]*IN[[:space:]]*RRSIG[[:space:]]*TXT[[:space:]]" dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check positive validation with valid trust anchor ($n)" ret=0 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) if [ -x "$DELV" ]; then - n=$((n+1)) - ret=0 - echo_i "check positive validation using delv ($n)" - delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 - grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant - grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 - grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + n=$((n + 1)) + ret=0 + echo_i "check positive validation using delv ($n)" + delv_with_opts @10.53.0.1 txt example >delv.out$n || ret=1 + grep "; fully validated" delv.out$n >/dev/null || ret=1 # redundant + grep "example..*TXT.*This is a test" delv.out$n >/dev/null || ret=1 + grep "example..*.RRSIG..*TXT" delv.out$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check for failed validation due to wrong key in managed-keys ($n)" ret=0 -dig_with_opts +noauth example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n > /dev/null && ret=1 -grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.3 txt >dig.out.ns3.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns3.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns3.test$n >/dev/null && ret=1 +grep "opcode: QUERY, status: SERVFAIL, id" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check new trust anchor can be added ($n)" ret=0 standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # there should be two keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -153,13 +153,13 @@ count=$(grep -c "trusted since" rndc.out.$n) || true count=$(grep -c "trust pending" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check new trust anchor can't be added with bad initial key ($n)" ret=0 mkeys_refresh_on 3 || ret=1 -mkeys_status_on 3 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 3 >rndc.out.$n 2>&1 || ret=1 # there should be one key listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 @@ -170,14 +170,14 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "no trust" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "remove untrusted standby key, check timer restarts ($n)" ret=0 mkeys_sync_on 2 || ret=1 t1=$(grep "trust pending" ns2/managed-keys.bind) || true -$SETTIME -D now -K ns1 "$standby1" > /dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -191,14 +191,14 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "restore untrusted standby key, revoke original key ($n)" t1=$t2 -$SETTIME -D none -K ns1 "$standby1" > /dev/null -$SETTIME -R now -K ns1 "$original" > /dev/null +$SETTIME -D none -K ns1 "$standby1" >/dev/null +$SETTIME -R now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -207,7 +207,7 @@ mkeys_loadkeys_on 1 || ret=1 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -228,9 +228,9 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "refresh managed-keys, ensure same result ($n)" t1=$t2 @@ -241,7 +241,7 @@ t1=$t2 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -262,15 +262,15 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "restore revoked key, ensure same result ($n)" t1=$t2 -$SETTIME -R none -D now -K ns1 "$original" > /dev/null +$SETTIME -R none -D now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 -$SETTIME -D none -K ns1 "$original" > /dev/null +$SETTIME -D none -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 # Less than a second may have passed since the last time ns2 received a # ./DNSKEY response from ns1. Ensure keys are refreshed at a different @@ -279,7 +279,7 @@ mkeys_loadkeys_on 1 || ret=1 sleep 1 mkeys_refresh_on 2 || ret=1 mkeys_sync_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -300,36 +300,36 @@ t2=$(grep "trust pending" ns2/managed-keys.bind) || true [ -n "$t2" ] || ret=1 [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors, add second key to bind.keys" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* -keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" > ns2/managed.conf -nextpart ns2/named.run > /dev/null +keyfile_to_initial_ds ns1/"$original" ns1/"$standby1" >ns2/managed.conf +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check that no key from bind.keys is marked as an initializing key ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 mkeys_secroots_on 2 || ret=1 -grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 +grep '; initializing' ns2/named.secroots >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors, revert to one key in bind.keys" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* mv ns2/managed1.conf ns2/managed.conf -nextpart ns2/named.run > /dev/null +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check that standby key is now trusted ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -340,16 +340,16 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke original key, add new standby ($n)" ret=0 standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) -$SETTIME -R now -K ns1 "$original" > /dev/null +$SETTIME -R now -K ns1 "$original" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # three keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 @@ -372,48 +372,66 @@ count=$(grep -c "trust pending" rndc.out.$n) || true count=$(grep -c "remove at" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke standby before it is trusted ($n)" ret=0 standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .) mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 # four keys listed count=$(grep -c "keyid: " rndc.out.1.$n) || true -[ "$count" -eq 4 ] || { echo_i "keyid: count ($count) != 4"; ret=1; } +[ "$count" -eq 4 ] || { + echo_i "keyid: count ($count) != 4" + ret=1 +} # one revoked count=$(grep -c "trust revoked" rndc.out.1.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "trust revoked count ($count) != 1" + ret=1 +} # two pending count=$(grep -c "trust pending" rndc.out.1.$n) || true -[ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; } -$SETTIME -R now -K ns1 "$standby3" > /dev/null +[ "$count" -eq 2 ] || { + echo_i "trust pending count ($count) != 2" + ret=1 +} +$SETTIME -R now -K ns1 "$standby3" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 # now three keys listed count=$(grep -c "keyid: " rndc.out.2.$n) || true -[ "$count" -eq 3 ] || { echo_i "keyid: count ($count) != 3"; ret=1; } +[ "$count" -eq 3 ] || { + echo_i "keyid: count ($count) != 3" + ret=1 +} # one revoked count=$(grep -c "trust revoked" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust revoked count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "trust revoked count ($count) != 1" + ret=1 +} # one pending count=$(grep -c "trust pending" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; } -$SETTIME -D now -K ns1 "$standby3" > /dev/null +[ "$count" -eq 1 ] || { + echo_i "trust pending count ($count) != 1" + ret=1 +} +$SETTIME -D now -K ns1 "$standby3" >/dev/null mkeys_loadkeys_on 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait 20 seconds for key add/remove holddowns to expire ($n)" ret=0 sleep 20 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -427,17 +445,17 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke all keys, confirm roll to insecure ($n)" ret=0 -$SETTIME -D now -K ns1 "$original" > /dev/null -$SETTIME -R now -K ns1 "$standby1" > /dev/null -$SETTIME -R now -K ns1 "$standby2" > /dev/null +$SETTIME -D now -K ns1 "$original" >/dev/null +$SETTIME -R now -K ns1 "$standby1" >/dev/null +$SETTIME -R now -K ns1 "$standby2" >/dev/null mkeys_loadkeys_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # two keys listed count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -454,51 +472,51 @@ count=$(grep -c "trust revoked" rndc.out.$n) || true count=$(grep -c "remove at" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check for insecure response ($n)" ret=0 mkeys_refresh_on 2 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reset the root server ($n)" ret=0 -$SETTIME -D none -R none -K ns1 "$original" > /dev/null -$SETTIME -D now -K ns1 "$standby1" > /dev/null -$SETTIME -D now -K ns1 "$standby2" > /dev/null +$SETTIME -D none -R none -K ns1 "$original" >/dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null +$SETTIME -D now -K ns1 "$standby2" >/dev/null sleep 1 # ensure modification time changes -$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null copy_setports ns1/named2.conf.in ns1/named.conf rm -f ns1/root.db.signed.jnl mkeys_reconfig_on 1 || ret=1 mkeys_reload_on 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "reinitialize trust anchors" stop_server --use-rndc --port "${CONTROLPORT}" ns2 rm -f ns2/managed-keys.bind* -nextpart ns2/named.run > /dev/null +nextpart ns2/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns2 -n=$((n+1)) +n=$((n + 1)) echo_i "check positive validation ($n)" ret=0 wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns2/named.run || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "revoke key with bad signature, check revocation is ignored ($n)" ret=0 revoked=$($REVOKE -K ns1 "$original") @@ -508,8 +526,8 @@ rm -f ns1/root.db.signed.jnl # failing. Alternatively, we could use -P to disable post-sign verification, # but we actually do want post-sign verification to happen to ensure the zone # is correct before we break it on purpose. -$SETTIME -R none -D none -K ns1 "$standby1" > /dev/null -$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null +$SETTIME -R none -D none -K ns1 "$standby1" >/dev/null +$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db >/dev/null 2>/dev/null cp -f ns1/root.db.signed ns1/root.db.tmp BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" # Less than a second may have passed since ns1 was started. If we call @@ -518,59 +536,74 @@ BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89h # "nanoseconds" field of isc_time_t, due to zone load time being seemingly # equal to master file modification time. sleep 1 -sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed +sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n >ns1/root.db.signed mkeys_reload_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 # one key listed count=$(grep -c "keyid: " rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'keyid:' count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'keyid:' count ($count) != 1" + ret=1 +} # it's the original key id count=$(grep -c "keyid: $originalid" rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'keyid: $originalid' count ($count) != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'keyid: $originalid' count ($count) != 1" + ret=1 +} # not revoked count=$(grep -c "REVOKE" rndc.out.$n) || true -[ "$count" -eq 0 ] || { echo_i "'REVOKE' count ($count) != 0"; ret=1; } +[ "$count" -eq 0 ] || { + echo_i "'REVOKE' count ($count) != 0" + ret=1 +} # trust is still current count=$(grep -c "trust" rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'trust' count != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'trust' count != 1" + ret=1 +} count=$(grep -c "trusted since" rndc.out.$n) || true -[ "$count" -eq 1 ] || { echo_i "'trusted since' count != 1"; ret=1; } +[ "$count" -eq 1 ] || { + echo_i "'trusted since' count != 1" + ret=1 +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check validation fails with bad DNSKEY rrset ($n)" ret=0 mkeys_flush_on 2 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "restore DNSKEY rrset, check validation succeeds again ($n)" ret=0 rm -f "${revoked}".key "${revoked}".private rm -f ns1/root.db.signed.jnl -$SETTIME -D none -R none -K ns1 "$original" > /dev/null -$SETTIME -D now -K ns1 "$standby1" > /dev/null +$SETTIME -D none -R none -K ns1 "$original" >/dev/null +$SETTIME -D now -K ns1 "$standby1" >/dev/null # Less than a second may have passed since ns1 was started. If we call # dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the # subsequent "rndc reload ." call on platforms which do not set the # "nanoseconds" field of isc_time_t, due to zone load time being seemingly # equal to master file modification time. sleep 1 -$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null mkeys_reload_on 1 || ret=1 mkeys_flush_on 2 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reset the root server with no keys, check for minimal update ($n)" ret=0 # Refresh keys first to prevent previous checks from influencing this one. @@ -580,16 +613,16 @@ ret=0 # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as # set using -T mkeytimers). mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 t1=$(grep 'next refresh:' rndc.out.1.$n) || true stop_server --use-rndc --port "${CONTROLPORT}" ns1 rm -f ns1/root.db.signed.jnl cp ns1/root.db ns1/root.db.signed -nextpart ns1/named.run > /dev/null +nextpart ns1/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns1 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 # one key listed count=$(grep -c "keyid: " rndc.out.2.$n) || true [ "$count" -eq 1 ] || ret=1 @@ -607,19 +640,19 @@ count=$(grep -c "trusted since" rndc.out.2.$n) || true t2=$(grep 'next refresh:' rndc.out.2.$n) || true [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reset the root server with no signatures, check for minimal update ($n)" ret=0 # Refresh keys first to prevent previous checks from influencing this one mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 t1=$(grep 'next refresh:' rndc.out.1.$n) || true stop_server --use-rndc --port "${CONTROLPORT}" ns1 rm -f ns1/root.db.signed.jnl -cat ns1/K*.key >> ns1/root.db.signed -nextpart ns1/named.run > /dev/null +cat ns1/K*.key >>ns1/root.db.signed +nextpart ns1/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns1 wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 # Less than a second may have passed since the last time ns2 received a @@ -627,7 +660,7 @@ wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 # timestamp to prevent minimal update from resetting it to the same timestamp. sleep 1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 +mkeys_status_on 2 >rndc.out.2.$n 2>&1 || ret=1 # one key listed count=$(grep -c "keyid: " rndc.out.2.$n) || true [ "$count" -eq 1 ] || ret=1 @@ -645,53 +678,53 @@ count=$(grep -c "trusted since" rndc.out.2.$n) || true t2=$(grep 'next refresh:' rndc.out.2.$n) || true [ "$t1" = "$t2" ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "restore root server, check validation succeeds again ($n)" ret=0 rm -f ns1/root.db.signed.jnl -$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null +$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db >/dev/null 2>/dev/null mkeys_reload_on 1 || ret=1 mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1 -dig_with_opts +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 +mkeys_status_on 2 >rndc.out.$n 2>&1 || ret=1 +dig_with_opts +noauth example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1 +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that trust-anchor-telemetry queries are received ($n)" ret=0 -grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1 +grep "query '_ta-[0-9a-f][0-9a-f]*/NULL/IN' approved" ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc-managed-keys destroy' ($n)" ret=0 rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 -grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1 +mkeys_status_on 2 >rndc.out.1.$n 2>&1 || ret=1 +grep "no views with managed keys" rndc.out.1.$n >/dev/null || ret=1 mkeys_reconfig_on 2 || ret=1 check_root_trust_anchor_is_present_in_status() { - mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1 - grep "name: \." rndc.out.2.$n > /dev/null || return 1 - return 0 + mkeys_status_on 2 >rndc.out.2.$n 2>&1 || return 1 + grep "name: \." rndc.out.2.$n >/dev/null || return 1 + return 0 } retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that trust-anchor-telemetry queries contain the correct key ($n)" ret=0 # convert the hexadecimal key from the TAT query into decimal and @@ -701,19 +734,19 @@ tatkey=$($PERL -e 'printf("%d\n", hex(@ARGV[0]));' "$tathex") realkey=$(rndccmd 10.53.0.2 secroots - | sed -n "s#.*${DEFAULT_ALGORITHM}/\([0-9][0-9]*\) ; .*managed.*#\1#p") [ "$tatkey" -eq "$realkey" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check initialization fails if managed-keys can't be created ($n)" ret=0 mkeys_secroots_on 4 || ret=1 -grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 -grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 -grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 +grep '; initializing managed' ns4/named.secroots >/dev/null 2>&1 || ret=1 +grep '; managed' ns4/named.secroots >/dev/null 2>&1 && ret=1 +grep '; trusted' ns4/named.secroots >/dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check failure to contact root servers does not prevent key refreshes after restart ($n)" ret=0 # By the time we get here, ns5 should have attempted refreshing its managed @@ -723,7 +756,7 @@ ret=0 # key refresh failure instead of just a few seconds, in order to prevent races # between the next scheduled key refresh time and startup time of restarted ns5. stop_server --use-rndc --port "${CONTROLPORT}" ns5 -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns5 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 @@ -733,13 +766,13 @@ wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" count=$(grep -c "Creating key fetch" ns5/named.run) || true [ "$count" -lt 2 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" ret=0 mkeys_sync_on 5 -mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 # there should be three keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 @@ -750,9 +783,9 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check key refreshes are resumed after root servers become available ($n)" ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns5 @@ -761,53 +794,53 @@ rm -f ns5/managed-keys.bind* # named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for # an "hour" until keys are refreshed again after initial failure cp ns5/named2.args ns5/named.args -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns5 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 -grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 +grep '; initializing managed' ns5/named.secroots >/dev/null 2>&1 || ret=1 # ns1 should still REFUSE queries from ns5, so resolving should be impossible -dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n > /dev/null && ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n > /dev/null && ret=1 -grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.a.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.a.test$n >/dev/null && ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns5.a.test$n >/dev/null && ret=1 +grep "status: SERVFAIL" dig.out.ns5.a.test$n >/dev/null || ret=1 # Allow queries from ns5 to ns1 copy_setports ns1/named3.conf.in ns1/named.conf rm -f ns1/root.db.signed.jnl -nextpart ns5/named.run > /dev/null +nextpart ns5/named.run >/dev/null mkeys_reconfig_on 1 || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 -grep '; managed' ns5/named.secroots > /dev/null || ret=1 +grep '; managed' ns5/named.secroots >/dev/null || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be # correctly refreshed and resolving should succeed -dig_with_opts +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 +dig_with_opts +noauth example. @10.53.0.5 txt >dig.out.ns5.b.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.b.test$n >/dev/null || ret=1 +grep "example..*.RRSIG..*TXT" dig.out.ns5.b.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns5.b.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns6 rm -f ns6/managed-keys.bind* -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null start_server --noclean --restart --port "${PORT}" ns6 # log when an unsupported algorithm is encountered during startup wait_for_log 20 "ignoring initial-key for 'unsupported.': algorithm is unsupported" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "ignoring unsupported algorithm in managed-keys ($n)" ret=0 -mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1 # there should still be only two keys listed (for . and island.) count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -815,26 +848,26 @@ count=$(grep -c "keyid: " rndc.out.$n) || true count=$(grep -c "trust" rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 -n=$((n+1)) +n=$((n + 1)) echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" ret=0 cp ns1/root.db ns1/root.db.orig ksk=$(cat ns1/managed.key) zsk=$(cat ns1/zone.key) -cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db -grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db > /dev/null || ret=1 -$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" > /dev/null 2>/dev/null || ret=1 -grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 +cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >>ns1/root.db +grep "\.[[:space:]]*IN[[:space:]]*DNSKEY[[:space:]]*257 3 255" ns1/root.db >/dev/null || ret=1 +$SIGNER -K ns1 -N unixtime -o . ns1/root.db "$ksk" "$zsk" >/dev/null 2>/dev/null || ret=1 +grep "DNSKEY.*257 3 255" ns1/root.db.signed >/dev/null || ret=1 cp ns1/root.db.orig ns1/root.db if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "ignoring unsupported algorithm in rollover ($n)" ret=0 mkeys_reload_on 1 || ret=1 mkeys_refresh_on 6 || ret=1 -mkeys_status_on 6 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 6 >rndc.out.$n 2>&1 || ret=1 # there should still be only two keys listed (for . and island.) count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 2 ] || ret=1 @@ -844,28 +877,28 @@ count=$(grep -c "trust" rndc.out.$n) || true # log when an unsupported algorithm is encountered during rollover wait_for_log 20 "Cannot compute tag for key in zone .: algorithm is unsupported" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and views ($n)" ret=0 -rndccmd 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 -grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 -lines=$(wc -l < rndc.out.ns7.view1.test$n) +rndccmd 10.53.0.7 managed-keys refresh in view1 >rndc.out.ns7.view1.test$n || ret=1 +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n >/dev/null || ret=1 +lines=$(wc -l <rndc.out.ns7.view1.test$n) [ "$lines" -eq 1 ] || ret=1 -rndccmd 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 -lines=$(wc -l < rndc.out.ns7.view2.test$n) -grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 -grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +rndccmd 10.53.0.7 managed-keys refresh >rndc.out.ns7.view2.test$n || ret=1 +lines=$(wc -l <rndc.out.ns7.view2.test$n) +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 +grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n >/dev/null || ret=1 [ "$lines" -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" ret=0 mkeys_sync_on 5 -mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +mkeys_status_on 5 >rndc.out.$n 2>&1 || ret=1 # there should be three keys listed now count=$(grep -c "keyid: " rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 @@ -876,7 +909,7 @@ count=$(grep -c "trust" rndc.out.$n) || true count=$(grep -c "trusted since" rndc.out.$n) || true [ "$count" -eq 3 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/names/tests.sh b/bin/tests/system/names/tests.sh index 9546298..f104886 100644 --- a/bin/tests/system/names/tests.sh +++ b/bin/tests/system/names/tests.sh @@ -20,29 +20,32 @@ DIGOPTS="+nosea +stat +noquest +nocomm +nocmd -p ${PORT}" status=0 echo_i "Getting message size with compression enabled" -$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example > dig.compen.test -COMPEN=$(grep ';; MSG SIZE' dig.compen.test |sed -e "s/.*: //g") -cat dig.compen.test |grep -v ';;' |sort > dig.compen.sorted.test +$DIG $DIGOPTS -b 10.53.0.1 @10.53.0.1 mx example >dig.compen.test +COMPEN=$(grep ';; MSG SIZE' dig.compen.test | sed -e "s/.*: //g") +cat dig.compen.test | grep -v ';;' | sort >dig.compen.sorted.test echo_i "Getting message size with compression disabled" -$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 mx example > dig.compdis.test -COMPDIS=$(grep ';; MSG SIZE' dig.compdis.test |sed -e "s/.*: //g") -cat dig.compdis.test |grep -v ';;' |sort > dig.compdis.sorted.test +$DIG $DIGOPTS -b 10.53.0.2 @10.53.0.1 mx example >dig.compdis.test +COMPDIS=$(grep ';; MSG SIZE' dig.compdis.test | sed -e "s/.*: //g") +cat dig.compdis.test | grep -v ';;' | sort >dig.compdis.sorted.test # the compression disabled message should be at least twice as large as with # compression disabled, but the content should be the same echo_i "Checking if responses are identical other than in message size" -{ diff dig.compdis.sorted.test dig.compen.sorted.test >/dev/null; ret=$?; } || true +{ + diff dig.compdis.sorted.test dig.compen.sorted.test >/dev/null + ret=$? +} || true if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "Checking if message with compression disabled is significantly larger" echo_i "Disabled $COMPDIS vs enabled $COMPEN" -val=$(( (COMPDIS * 3 / 2) / COMPEN)) +val=$(((COMPDIS * 3 / 2) / COMPEN)) if [ $val -le 1 ]; then - echo_i "failed" - status=$((status + 1)) -fi; + echo_i "failed" + status=$((status + 1)) +fi echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in index bc5af9d..203f23c 100644 --- a/bin/tests/system/notify/ns2/named.conf.in +++ b/bin/tests/system/notify/ns2/named.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/notify/ns3/named.conf.in b/bin/tests/system/notify/ns3/named.conf.in index ee21f92..4761622 100644 --- a/bin/tests/system/notify/ns3/named.conf.in +++ b/bin/tests/system/notify/ns3/named.conf.in @@ -26,7 +26,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/notify/ns4/named.conf.in b/bin/tests/system/notify/ns4/named.conf.in index 95a0ff9..2f0b930 100644 --- a/bin/tests/system/notify/ns4/named.conf.in +++ b/bin/tests/system/notify/ns4/named.conf.in @@ -26,7 +26,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "x21" { diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index ba9dfe3..2953e0a 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -17,48 +17,47 @@ set -e . ../conf.sh dig_plus_opts() { - $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" + $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@" } status=0 n=0 test_start() { - n=$((n+1)) - echo_i "$* ($n)" - ret=0 + n=$((n + 1)) + echo_i "$* ($n)" + ret=0 } test_end() { - [ $ret = 0 ] || echo_i "failed" - status=$((status + ret)) + [ $ret = 0 ] || echo_i "failed" + status=$((status + ret)) } # # Wait up to 10 seconds for the servers to finish starting before testing. # -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG +tcp -p "${PORT}" example @10.53.0.2 soa > dig.out.ns2.test$n || ret=1 - grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 - grep "flags:.* aa[ ;]" dig.out.ns2.test$n > /dev/null || ret=1 - $DIG +tcp -p "${PORT}" example @10.53.0.3 soa > dig.out.ns3.test$n || ret=1 - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "flags:.* aa[ ;]" dig.out.ns3.test$n > /dev/null || ret=1 - nr=$(grep -c 'x[0-9].*sending notify to' ns2/named.run) - [ "$nr" -eq 20 ] || ret=1 - [ $ret = 0 ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG +tcp -p "${PORT}" example @10.53.0.2 soa >dig.out.ns2.test$n || ret=1 + grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 + grep "flags:.* aa[ ;]" dig.out.ns2.test$n >/dev/null || ret=1 + $DIG +tcp -p "${PORT}" example @10.53.0.3 soa >dig.out.ns3.test$n || ret=1 + grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 + grep "flags:.* aa[ ;]" dig.out.ns3.test$n >/dev/null || ret=1 + nr=$(grep -c 'x[0-9].*sending notify to' ns2/named.run) + [ "$nr" -eq 20 ] || ret=1 + [ $ret = 0 ] && break + sleep 1 done test_start "checking initial status" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.1" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.1" dig.out.ns2.test$n >/dev/null || ret=1 -dig_plus_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "10.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "10.0.0.1" dig.out.ns3.test$n >/dev/null || ret=1 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 @@ -96,10 +95,10 @@ END { print "average:", average; if (average < 0.180) exit(1); if (count < 20) exit(1); -}' ns2/named.run > awk.out.ns2.test$n || ret=1 +}' ns2/named.run >awk.out.ns2.test$n || ret=1 test_end -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null sleep 1 # make sure filesystem time stamp is newer for reload. rm -f ns2/example.db @@ -109,21 +108,21 @@ kill -HUP "$(cat ns2/named.pid)" wait_for_log_re 45 "transfer of 'example/IN' from 10.53.0.2#.*success" ns3/named.run test_start "checking notify message was logged" -grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run > /dev/null || ret=1 +grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run >/dev/null || ret=1 test_end test_start "checking example2 loaded" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.2" dig.out.ns2.test$n >/dev/null || ret=1 test_end test_start "checking example2 contents have been transferred after HUP reload" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.2" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.2" dig.out.ns2.test$n >/dev/null || ret=1 -dig_plus_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "10.0.0.2" dig.out.ns3.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "10.0.0.2" dig.out.ns3.test$n >/dev/null || ret=1 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 @@ -139,45 +138,44 @@ start_server --noclean --restart --port "${PORT}" ns2 wait_for_log_re 45 "transfer of 'example/IN' from 10.53.0.2#.*success" ns3/named.run test_start "checking notify message was logged" -grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 4$' ns3/named.run > /dev/null || ret=1 +grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 4$' ns3/named.run >/dev/null || ret=1 test_end test_start "checking example4 loaded" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.4" dig.out.ns2.test$n >/dev/null || ret=1 test_end test_start "checking example4 contents have been transferred after restart" -dig_plus_opts a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "10.0.0.4" dig.out.ns2.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "10.0.0.4" dig.out.ns2.test$n >/dev/null || ret=1 -dig_plus_opts a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 -grep "10.0.0.4" dig.out.ns3.test$n > /dev/null || ret=1 +dig_plus_opts a.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 +grep "10.0.0.4" dig.out.ns3.test$n >/dev/null || ret=1 digcomp dig.out.ns2.test$n dig.out.ns3.test$n || ret=1 test_end test_start "checking notify to alternate port with primary server inheritance" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.2 ${PORT} zone x21 update add added.x21 0 in txt "test string" send EOF fn="dig.out.ns4.test$n" -for i in 1 2 3 4 5 6 7 8 9 -do - dig_plus_opts added.x21. @10.53.0.4 txt -p "$EXTRAPORT1" > "$fn" || ret=1 - grep "test string" "$fn" > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + dig_plus_opts added.x21. @10.53.0.4 txt -p "$EXTRAPORT1" >"$fn" || ret=1 + grep "test string" "$fn" >/dev/null && break + sleep 1 done -grep "test string" "$fn" > /dev/null || ret=1 +grep "test string" "$fn" >/dev/null || ret=1 test_end test_start "checking notify to multiple views using tsig" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.5 ${PORT} zone x21 key a aaaaaaaaaaaaaaaaaaaa @@ -186,25 +184,24 @@ send EOF fnb="dig.out.b.ns5.test$n" fnc="dig.out.c.ns5.test$n" -for i in 1 2 3 4 5 6 7 8 9 -do - dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ - txt > "$fnb" || ret=1 - dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ - txt > "$fnc" || ret=1 - grep "test string" "$fnb" > /dev/null && - grep "test string" "$fnc" > /dev/null && - break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9; do + dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt >"$fnb" || ret=1 + dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ + txt >"$fnc" || ret=1 + grep "test string" "$fnb" >/dev/null \ + && grep "test string" "$fnc" >/dev/null \ + && break + sleep 1 done -grep "test string" "$fnb" > /dev/null || ret=1 -grep "test string" "$fnc" > /dev/null || ret=1 -grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run > /dev/null || ret=1 -grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run > /dev/null || ret=1 +grep "test string" "$fnb" >/dev/null || ret=1 +grep "test string" "$fnc" >/dev/null || ret=1 +grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run >/dev/null || ret=1 +grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run >/dev/null || ret=1 test_end test_start "checking notify-source uses port option correctly" -grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run > /dev/null || ret=1 +grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run >/dev/null || ret=1 test_end # notify messages were sent to unresponsive 10.53.10.53 during the tests diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index 68bc2e4..5ddcfc0 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -17,44 +17,44 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" - cp template.db.in "$zonefile" + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in "$zonefile" } for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ - nsec3-to-optout nsec3-from-optout nsec3-dynamic \ - nsec3-dynamic-change nsec3-dynamic-to-inline \ - nsec3-inline-to-dynamic nsec3-dynamic-update-inline -do - setup "${zn}.kasp" + nsec3-to-optout nsec3-from-optout nsec3-dynamic \ + nsec3-dynamic-change nsec3-dynamic-to-inline \ + nsec3-inline-to-dynamic nsec3-dynamic-update-inline; do + setup "${zn}.kasp" done -if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1) -then - for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ - nsec3-to-rsasha1-ds - do - setup "${zn}.kasp" - done - - longago="now-1y" - keytimes="-P ${longago} -A ${longago}" - O="omnipresent" - - zone="rsasha1-to-nsec3-wait.kasp" - CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone) - echo_i "Created key file $CSK" - $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 - - zone="nsec3-to-rsasha1-ds.kasp" - CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone) - echo_i "Created key file $CSK" - $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1 +if ( + cd .. + $SHELL ../testcrypto.sh -q RSASHA1 +); then + for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \ + nsec3-to-rsasha1-ds; do + setup "${zn}.kasp" + done + + longago="now-1y" + keytimes="-P ${longago} -A ${longago}" + O="omnipresent" + + zone="rsasha1-to-nsec3-wait.kasp" + CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2>keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1 + + zone="nsec3-to-rsasha1-ds.kasp" + CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2>keygen.out.$zone) + echo_i "Created key file $CSK" + $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1 else - echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" + echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported" fi cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh index bdd1ae9..3019361 100644 --- a/bin/tests/system/nsec3/setup.sh +++ b/bin/tests/system/nsec3/setup.sh @@ -20,11 +20,11 @@ $SHELL clean.sh copy_setports ns2/named.conf.in ns2/named.conf ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) copy_setports ns3/named.conf.in ns3/named.conf ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 117bf63..fc864a4 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -20,206 +20,206 @@ set -e # Log errors and increment $ret. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Call dig with default options. dig_with_opts() { - $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } # Call rndc. rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Set zone name ($1) and policy ($2) for testing nsec3. set_zone_policy() { - ZONE=$1 - POLICY=$2 - NUM_KEYS=$3 - DNSKEY_TTL=$4 + ZONE=$1 + POLICY=$2 + NUM_KEYS=$3 + DNSKEY_TTL=$4 } # Set expected NSEC3 parameters: flags ($1), iterations ($2), and # salt length ($3). set_nsec3param() { - FLAGS=$1 - ITERATIONS=$2 - SALTLEN=$3 - # Reset salt. - SALT="" + FLAGS=$1 + ITERATIONS=$2 + SALTLEN=$3 + # Reset salt. + SALT="" } # Set expected default dnssec-policy keys values. set_key_default_values() { - key_clear $1 - - set_keyrole $1 "csk" - set_keylifetime $1 "0" - set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" - set_keysigning $1 "yes" - set_zonesigning $1 "yes" - - set_keystate $1 "GOAL" "omnipresent" - set_keystate $1 "STATE_DNSKEY" "rumoured" - set_keystate $1 "STATE_KRRSIG" "rumoured" - set_keystate $1 "STATE_ZRRSIG" "rumoured" - set_keystate $1 "STATE_DS" "hidden" + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" } # Set expected rsasha1 dnssec-policy keys values. set_key_rsasha1_values() { - key_clear $1 - - set_keyrole $1 "csk" - set_keylifetime $1 "0" - set_keyalgorithm $1 "5" "RSASHA1" "2048" - set_keysigning $1 "yes" - set_zonesigning $1 "yes" - - set_keystate $1 "GOAL" "omnipresent" - set_keystate $1 "STATE_DNSKEY" "rumoured" - set_keystate $1 "STATE_KRRSIG" "rumoured" - set_keystate $1 "STATE_ZRRSIG" "rumoured" - set_keystate $1 "STATE_DS" "hidden" + key_clear $1 + + set_keyrole $1 "csk" + set_keylifetime $1 "0" + set_keyalgorithm $1 "5" "RSASHA1" "2048" + set_keysigning $1 "yes" + set_zonesigning $1 "yes" + + set_keystate $1 "GOAL" "omnipresent" + set_keystate $1 "STATE_DNSKEY" "rumoured" + set_keystate $1 "STATE_KRRSIG" "rumoured" + set_keystate $1 "STATE_ZRRSIG" "rumoured" + set_keystate $1 "STATE_DS" "hidden" } # Update the key states. set_key_states() { - set_keystate $1 "GOAL" "$2" - set_keystate $1 "STATE_DNSKEY" "$3" - set_keystate $1 "STATE_KRRSIG" "$4" - set_keystate $1 "STATE_ZRRSIG" "$5" - set_keystate $1 "STATE_DS" "$6" + set_keystate $1 "GOAL" "$2" + set_keystate $1 "STATE_DNSKEY" "$3" + set_keystate $1 "STATE_KRRSIG" "$4" + set_keystate $1 "STATE_ZRRSIG" "$5" + set_keystate $1 "STATE_DS" "$6" } # The apex NSEC3PARAM record indicates that it is signed. _wait_for_nsec3param() { - dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1 - grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1 - grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1 - return 0 + dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1 + grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1 + return 0 } # The apex NSEC record indicates that it is signed. _wait_for_nsec() { - dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1 - grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1 - grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1 - grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1 - return 0 + dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC >"dig.out.test$n.wait" || return 1 + grep "NS SOA" "dig.out.test$n.wait" >/dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1 + grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" >/dev/null && return 1 + return 0 } # Wait for the zone to be signed. wait_for_zone_is_signed() { - n=$((n+1)) - ret=0 - echo_i "wait for ${ZONE} to be signed with $1 ($n)" - - if [ "$1" = "nsec3" ]; then - retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed" - else - retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + n=$((n + 1)) + ret=0 + echo_i "wait for ${ZONE} to be signed with $1 ($n)" + + if [ "$1" = "nsec3" ]; then + retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed" + else + retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test: check DNSSEC verify _check_dnssec_verify() { - dig_with_opts @$SERVER "${ZONE}" AXFR > "dig.out.test$n.axfr.$ZONE" || return 1 - $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" > "verify.out.test$n.$ZONE" 2>&1 || return 1 - return 0 + dig_with_opts @$SERVER "${ZONE}" AXFR >"dig.out.test$n.axfr.$ZONE" || return 1 + $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" >"verify.out.test$n.$ZONE" 2>&1 || return 1 + return 0 } # Test: check NSEC in answers _check_nsec_nsec3param() { - dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 - grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1 - return 0 + dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1 + grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" >/dev/null && return 1 + return 0 } _check_nsec_nxdomain() { - dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 - grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 - grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1 - return 0 + dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1 + grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1 + grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" >/dev/null && return 1 + return 0 } check_nsec() { - wait_for_zone_is_signed "nsec" - - n=$((n+1)) - echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" - ret=0 - check_keys - retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "verify DNSSEC for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "check NXDOMAIN response for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + wait_for_zone_is_signed "nsec" + + n=$((n + 1)) + echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)" + ret=0 + check_keys + retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "check NXDOMAIN response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test: check NSEC3 parameters in answers _check_nsec3_nsec3param() { - dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 - grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1 + dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1 + grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1 - if [ -z "$SALT" ]; then - SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE) - fi - return 0 + if [ -z "$SALT" ]; then + SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE) + fi + return 0 } _check_nsec3_nxdomain() { - dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 - grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 - return 0 + dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1 + grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1 + return 0 } check_nsec3() { - wait_for_zone_is_signed "nsec3" - - n=$((n+1)) - echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - - n=$((n+1)) - echo_i "verify DNSSEC for zone ${ZONE} ($n)" - ret=0 - retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + wait_for_zone_is_signed "nsec3" + + n=$((n + 1)) + echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + + n=$((n + 1)) + echo_i "verify DNSSEC for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } start_time="$(TZ=UTC date +%s)" @@ -238,37 +238,36 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec -if ($SHELL ../testcrypto.sh -q RSASHA1) -then - # Zone: rsasha1-to-nsec3.kasp. - set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - echo_i "initial check zone ${ZONE}" - check_nsec - - # Zone: rsasha1-to-nsec3-wait.kasp. - set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" - echo_i "initial check zone ${ZONE}" - check_nsec - - # Zone: nsec3-to-rsasha1.kasp. - set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - echo_i "initial check zone ${ZONE}" - check_nsec3 - - # Zone: nsec3-to-rsasha1-ds.kasp. - set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" - echo_i "initial check zone ${ZONE}" - check_nsec3 +if ($SHELL ../testcrypto.sh -q RSASHA1); then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + echo_i "initial check zone ${ZONE}" + check_nsec3 + + # Zone: nsec3-to-rsasha1-ds.kasp. + set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + echo_i "initial check zone ${ZONE}" + check_nsec3 fi # Zone: nsec3.kasp. @@ -355,10 +354,10 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec -n=$((n+1)) +n=$((n + 1)) echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)" ret=0 -$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1 +$NSUPDATE >update.out.$ZONE.test$n 2>&1 <<END || ret=1 server 10.53.0.3 ${PORT} zone ${ZONE}. update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG @@ -380,52 +379,51 @@ set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -if ($SHELL ../testcrypto.sh -q RSASHA1) -then - # Zone: rsasha1-to-nsec3.kasp. - set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" - set_keysigning "KEY1" "no" - set_zonesigning "KEY1" "no" - set_key_default_values "KEY2" - echo_i "check zone ${ZONE} after reconfig" - check_nsec3 - - # Zone: rsasha1-to-nsec3-wait.kasp. - set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600 - set_server "ns3" "10.53.0.3" - set_key_rsasha1_values "KEY1" - set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" - set_key_default_values "KEY2" - echo_i "check zone ${ZONE} after reconfig" - check_nsec - - # Zone: nsec3-to-rsasha1.kasp. - set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600 - set_nsec3param "1" "0" "0" - set_server "ns3" "10.53.0.3" - set_key_default_values "KEY1" - set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" - set_keysigning "KEY1" "no" - set_zonesigning "KEY1" "no" - set_key_rsasha1_values "KEY2" - echo_i "check zone ${ZONE} after reconfig" - check_nsec - - # Zone: nsec3-to-rsasha1-ds.kasp. - set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600 - set_nsec3param "1" "0" "0" - set_server "ns3" "10.53.0.3" - set_key_default_values "KEY1" - set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" - set_key_rsasha1_values "KEY2" - echo_i "check zone ${ZONE} after reconfig" - check_nsec - - key_clear "KEY1" - key_clear "KEY2" +if ($SHELL ../testcrypto.sh -q RSASHA1); then + # Zone: rsasha1-to-nsec3.kasp. + set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" + set_keysigning "KEY1" "no" + set_zonesigning "KEY1" "no" + set_key_default_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec3 + + # Zone: rsasha1-to-nsec3-wait.kasp. + set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600 + set_server "ns3" "10.53.0.3" + set_key_rsasha1_values "KEY1" + set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + set_key_default_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + # Zone: nsec3-to-rsasha1.kasp. + set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600 + set_nsec3param "1" "0" "0" + set_server "ns3" "10.53.0.3" + set_key_default_values "KEY1" + set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden" + set_keysigning "KEY1" "no" + set_zonesigning "KEY1" "no" + set_key_rsasha1_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + # Zone: nsec3-to-rsasha1-ds.kasp. + set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600 + set_nsec3param "1" "0" "0" + set_server "ns3" "10.53.0.3" + set_key_default_values "KEY1" + set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + set_key_rsasha1_values "KEY2" + echo_i "check zone ${ZONE} after reconfig" + check_nsec + + key_clear "KEY1" + key_clear "KEY2" fi # Zone: nsec3.kasp. (same) @@ -507,8 +505,8 @@ check_nsec3 # Using rndc signing -nsec3param (should fail) set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600 echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings" -rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" -grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail" +rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" +grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail" check_nsec3 # Test NSEC3 and NSEC3PARAM is the same after restart @@ -523,13 +521,13 @@ ret=0 echo "stop ns3" stop_server --use-rndc --port ${CONTROLPORT} ${DIR} || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ret=0 echo "start ns3" start_server --noclean --restart --port ${PORT} ${DIR} test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) prevsalt="${SALT}" set_zone_policy "nsec3.kasp" "nsec3" 1 3600 diff --git a/bin/tests/system/nslookup/tests.sh b/bin/tests/system/nslookup/tests.sh index e985f19..c68b5cf 100644 --- a/bin/tests/system/nslookup/tests.sh +++ b/bin/tests/system/nslookup/tests.sh @@ -19,83 +19,83 @@ set -e status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "Check that domain names that are too big when applying a search list entry are handled cleanly ($n)" ret=0 l=012345678901234567890123456789012345678901234567890123456789012 t=0123456789012345678901234567890123456789012345678901234567890 d=$l.$l.$l.$t -$NSLOOKUP -port=${PORT} -domain=$d -type=soa example 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} -domain=$d -type=soa example 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 -grep "origin = ns1.example" nslookup.out${n} > /dev/null || ret=1 +grep "origin = ns1.example" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check A only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} a-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} a-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c a-only.example.net nslookup.out${n}) test $lines -eq 1 || ret=1 -grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # See [GL #4044] -n=$((n+1)) +n=$((n + 1)) echo_i "Check A only lookup with a delayed stdin input ($n)" ret=0 -(sleep 6 && echo "server 10.53.0.1" && echo "a-only.example.net.") | $NSLOOKUP -port=${PORT} 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +(sleep 6 && echo "server 10.53.0.1" && echo "a-only.example.net.") | $NSLOOKUP -port=${PORT} 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c a-only.example.net nslookup.out${n}) test $lines -eq 1 || ret=1 -grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1 -grep "timed out" nslookup.out${n} > /dev/null && ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 +grep "timed out" nslookup.out${n} >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check AAAA only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} aaaa-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} aaaa-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c aaaa-only.example.net nslookup.out${n}) test $lines -eq 1 || ret=1 -grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check dual A + AAAA lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} dual.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} dual.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c dual.example.net nslookup.out${n}) test $lines -eq 2 || ret=1 -grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1 -grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to A only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} cname-a-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} cname-a-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 @@ -103,15 +103,15 @@ lines=$(grep -c "canonical name" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep a-only.example.net nslookup.out${n} | grep -cv "canonical name") test $lines -eq 1 || ret=1 -grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to AAAA only lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} cname-aaaa-only.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} cname-aaaa-only.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 @@ -119,15 +119,15 @@ lines=$(grep -c "canonical name" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep aaaa-only.example.net nslookup.out${n} | grep -cv "canonical name") test $lines -eq 1 || ret=1 -grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check CNAME to dual A + AAAA lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} cname-dual.example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 -lines=$(wc -l < nslookup.err${n}) +$NSLOOKUP -port=${PORT} cname-dual.example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 +lines=$(wc -l <nslookup.err${n}) test $lines -eq 0 || ret=1 lines=$(grep -c "Server:" nslookup.out${n}) test $lines -eq 1 || ret=1 @@ -135,15 +135,15 @@ lines=$(grep -c "canonical name" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep dual.example.net nslookup.out${n} | grep -cv "canonical name") test $lines -eq 2 || ret=1 -grep "1.2.3.4" nslookup.out${n} > /dev/null || ret=1 -grep "2001::ffff" nslookup.out${n} > /dev/null || ret=1 +grep "1.2.3.4" nslookup.out${n} >/dev/null || ret=1 +grep "2001::ffff" nslookup.out${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "Check ANY lookup ($n)" ret=0 -$NSLOOKUP -port=${PORT} -type=ANY example.net 10.53.0.1 2> nslookup.err${n} > nslookup.out${n} || ret=1 +$NSLOOKUP -port=${PORT} -type=ANY example.net 10.53.0.1 2>nslookup.err${n} >nslookup.out${n} || ret=1 lines=$(grep -c 'Address:.10\.53\.0\.1#'"${PORT}" nslookup.out${n}) test $lines -eq 1 || ret=1 lines=$(grep -c 'origin = ns1\.example\.net' nslookup.out${n}) @@ -153,7 +153,7 @@ test $lines -eq 1 || ret=1 lines=$(grep -c 'nameserver = ns1\.example\.net.' nslookup.out${n}) test $lines -eq 1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh index 3d254a8..8b252df 100644 --- a/bin/tests/system/nsupdate/krb/setup.sh +++ b/bin/tests/system/nsupdate/krb/setup.sh @@ -25,7 +25,7 @@ now=$(date +%s) lifetime=$((2147483647 - now)) lifetime=$((lifetime / 3600 / 24 - 30)) -cat << EOF > "${KRB5_CONFIG}" +cat <<EOF >"${KRB5_CONFIG}" [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = false @@ -56,7 +56,7 @@ rm -rf ${KRB5_KDC_PROFILE} mkdir -p ${KRB5_KDC_PROFILE} chmod 700 ${KRB5_KDC_PROFILE} -cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf +cat <<EOF >"${KRB5_KDC_PROFILE}"/kdc.conf [kdcdefaults] kdc_ports = 50000 kdc_tcp_ports = 50000 @@ -84,7 +84,6 @@ krb5kdc -n & krb5kdcpid=$! #trap "kill $krb5kdcpid; wait; trap 0; exit" 0 15 - kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns7.example.com@EXAMPLE.COM kadmin.local addprinc -maxlife ${lifetime}d -randkey DNS/ns8.example.com@EXAMPLE.COM kadmin.local addprinc -maxlife ${lifetime}d -randkey host/machine.example.com@EXAMPLE.COM diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh index 519497c..501f9fb 100644 --- a/bin/tests/system/nsupdate/ns3/sign.sh +++ b/bin/tests/system/nsupdate/ns3/sign.sh @@ -22,7 +22,7 @@ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null zone=dnskey.test. infile=dnskey.test.db.in @@ -33,7 +33,7 @@ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null zone=delegation.test. infile=delegation.test.db.in @@ -44,7 +44,7 @@ keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null # Just copy multisigner.db.in because it is signed with dnssec-policy. cp multisigner.test.db.in multisigner.test.db diff --git a/bin/tests/system/nsupdate/prereq.sh b/bin/tests/system/nsupdate/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/nsupdate/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index 7f8c27f..1074495 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -34,11 +34,11 @@ copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns9/named.conf.in ns9/named.conf.in.tkey copy_setports ns10/named.conf.in ns10/named.conf.in.tkey if $FEATURETEST --gssapi; then - sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey > ns9/named.conf - sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey > ns10/named.conf + sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey >ns9/named.conf + sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey >ns10/named.conf else - sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey > ns9/named.conf - sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey > ns10/named.conf + sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey >ns9/named.conf + sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey >ns10/named.conf fi rm -f ns9/named.conf.in.tkey rm -f ns10/named.conf.in.tkey @@ -46,10 +46,10 @@ rm -f ns10/named.conf.in.tkey copy_setports verylarge.in verylarge cp -f ns1/example1.db ns1/example.db -sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db -sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db -sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db > ns1/yyyymmddvv.db -sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db +sed 's/example.nil/other.nil/g' ns1/example1.db >ns1/other.db +sed 's/example.nil/unixtime.nil/g' ns1/example1.db >ns1/unixtime.db +sed 's/example.nil/yyyymmddvv.nil/g' ns1/example1.db >ns1/yyyymmddvv.db +sed 's/example.nil/keytests.nil/g' ns1/example1.db >ns1/keytests.db cp -f ns3/example.db.in ns3/example.db cp -f ns3/too-big.test.db.in ns3/too-big.test.db @@ -70,31 +70,34 @@ ns1.update.nil. A 10.53.0.2 ns2.update.nil. AAAA ::1 EOF -$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key +$TSIGKEYGEN ddns-key.example.nil >ns1/ddns.key if $FEATURETEST --md5; then - $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key + $TSIGKEYGEN -a hmac-md5 md5-key >ns1/md5.key else - echo -n > ns1/md5.key + echo -n >ns1/md5.key fi -$TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key -$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key -$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key -$TSIGKEYGEN -a hmac-sha384 sha384-key > ns1/sha384.key -$TSIGKEYGEN -a hmac-sha512 sha512-key > ns1/sha512.key +$TSIGKEYGEN -a hmac-sha1 sha1-key >ns1/sha1.key +$TSIGKEYGEN -a hmac-sha224 sha224-key >ns1/sha224.key +$TSIGKEYGEN -a hmac-sha256 sha256-key >ns1/sha256.key +$TSIGKEYGEN -a hmac-sha384 sha384-key >ns1/sha384.key +$TSIGKEYGEN -a hmac-sha512 sha512-key >ns1/sha512.key if $FEATURETEST --md5; then - echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' > ns1/legacy157.key + echo 'key "legacy-157" { algorithm "hmac-md5"; secret "mGcDSCx/fF121GOVJlITLg=="; };' >ns1/legacy157.key else - echo "/* MD5 NOT SUPPORTED */" > ns1/legacy157.key + echo "/* MD5 NOT SUPPORTED */" >ns1/legacy157.key fi -echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' > ns1/legacy161.key -echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' > ns1/legacy162.key -echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' > ns1/legacy163.key -echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' > ns1/legacy164.key -echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' > ns1/legacy165.key - -(cd ns3; $SHELL -e sign.sh) +echo 'key "legacy-161" { algorithm "hmac-sha1"; secret "N80fGvcr8JifzRUJ62R4rQ=="; };' >ns1/legacy161.key +echo 'key "legacy-162" { algorithm "hmac-sha224"; secret "nSIKzFAGS7/tvBs8JteI+Q=="; };' >ns1/legacy162.key +echo 'key "legacy-163" { algorithm "hmac-sha256"; secret "CvaupxnDeES3HnlYhTq53w=="; };' >ns1/legacy163.key +echo 'key "legacy-164" { algorithm "hmac-sha384"; secret "wDldBJwJrYfPoL1Pj4ucOQ=="; };' >ns1/legacy164.key +echo 'key "legacy-165" { algorithm "hmac-sha512"; secret "OgZrTcEa8P76hVY+xyN7Wg=="; };' >ns1/legacy165.key + +( + cd ns3 + $SHELL -e sign.sh +) cp -f ns1/many.test.db.in ns1/many.test.db diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 44830d4..b82bae6 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # # Uncomment when creating credential cache files. @@ -41,123 +41,150 @@ nextpartreset ns3/named.run # wait for zone transfer to complete tries=0 while true; do - if [ $tries -eq 10 ] - then - exit 1 - fi - - if grep "example.nil/IN.*Transfer status" ns2/named.run > /dev/null - then - break - else - echo_i "zones are not fully loaded, waiting..." - tries=$((tries + 1)) - sleep 1 - fi + if [ $tries -eq 10 ]; then + exit 1 + fi + + if grep "example.nil/IN.*Transfer status" ns2/named.run >/dev/null; then + break + else + echo_i "zones are not fully loaded, waiting..." + tries=$((tries + 1)) + sleep 1 + fi done has_positive_response() { - zone=$1 - type=$2 - ns=$3 - $DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1 - grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1 - grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1 - return 0 + zone=$1 + type=$2 + ns=$3 + $DIG $DIGOPTS +tcp +norec $zone $type @$ns >dig.out.post.test$n || return 1 + grep "status: NOERROR" dig.out.post.test$n >/dev/null || return 1 + grep "ANSWER: 0," dig.out.post.test$n >/dev/null && return 1 + return 0 } ret=0 echo_i "fetching first copy of zone before update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "fetching second copy of zone before update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "comparing pre-update copies to known good data" digcomp knowngood.ns1.before dig.out.ns1 || ret=1 digcomp knowngood.ns1.before dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log" -$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END && ret=1 server 10.53.0.1 ${PORT} zone unconfigured.test update add unconfigured.test 600 IN A 10.53.0.1 send END -grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep NOTAUTH nsupdate.out >/dev/null 2>&1 || ret=1 grep ' unconfigured.test: not authoritative' ns1/named.run \ - > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } + >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure a subdomain is mentioned in its NOTAUTH log" -$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END && ret=1 server 10.53.0.1 ${PORT} zone sub.sub.example.nil update add sub.sub.sub.example.nil 600 IN A 10.53.0.1 send END -grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep NOTAUTH nsupdate.out >/dev/null 2>&1 || ret=1 grep ' sub.sub.example.nil: not authoritative' ns1/named.run \ - > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } + >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. -$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated.example.nil. 600 A 10.10.10.1 add updated.example.nil. 600 TXT Foo delete t.example.nil. END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "sleeping 5 seconds for server to incorporate changes" sleep 5 ret=0 echo_i "fetching first copy of zone after update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "fetching second copy of zone after update" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "comparing post-update copies to known good data" digcomp knowngood.ns1.after dig.out.ns1 || ret=1 digcomp knowngood.ns1.after dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "testing local update policy" pre=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1 [ -z "$pre" ] || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null <<END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >/dev/null <<END || ret=1 zone other.nil. update add new.other.nil. 600 IN A 10.10.10.1 send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "sleeping 5 seconds for server to incorporate changes" sleep 5 @@ -166,166 +193,207 @@ ret=0 echo_i "checking result of update" post=$($DIG $DIGOPTS +short new.other.nil. @10.53.0.1 a) || ret=1 [ "$post" = "10.10.10.1" ] || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "comparing post-update copy to known good data" digcomp knowngood.ns1.after dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "testing zone consistency checks" # inserting an NS record without a corresponding A or AAAA record should fail -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END && ret=1 update add other.nil. 600 in ns ns3.other.nil. send END -grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1 +grep REFUSED nsupdate.out >/dev/null 2>&1 || ret=1 # ...but should work if an A record is inserted first: -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 update add ns4.other.nil 600 in a 10.53.0.1 send update add other.nil. 600 in ns ns4.other.nil. send END -grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 # ...or if an AAAA record does: -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 update add ns5.other.nil 600 in aaaa 2001:db8::1 send update add other.nil. 600 in ns ns5.other.nil. send END -grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 # ...or if the NS and A/AAAA are inserted together: -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 update add other.nil. 600 in ns ns6.other.nil. update add ns6.other.nil 600 in a 10.53.0.1 send END -grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "sleeping 5 seconds for server to incorporate changes" sleep 5 ret=0 echo_i "checking result of update" -$DIG $DIGOPTS +short @10.53.0.1 ns other.nil > dig.out.ns1 || ret=1 -grep ns3.other.nil dig.out.ns1 > /dev/null 2>&1 && ret=1 -grep ns4.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 -grep ns5.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 -grep ns6.other.nil dig.out.ns1 > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +short @10.53.0.1 ns other.nil >dig.out.ns1 || ret=1 +grep ns3.other.nil dig.out.ns1 >/dev/null 2>&1 && ret=1 +grep ns4.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 +grep ns5.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 +grep ns6.other.nil dig.out.ns1 >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure 'check-mx ignore' allows adding MX records containing an address without a warning" -$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -k ns1/ddns.key >nsupdate.out 2>&1 <<END || ret=1 server 10.53.0.1 ${PORT} update add mx03.example.nil 600 IN MX 10 10.53.0.1 send END -grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 -grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 +grep "mx03.example.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure 'check-mx warn' allows adding MX records containing an address with a warning" -$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > nsupdate.out 2>&1 << END || ret=1 +$NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >nsupdate.out 2>&1 <<END || ret=1 update add mx03.other.nil 600 IN MX 10 10.53.0.1 send END -grep REFUSED nsupdate.out > /dev/null 2>&1 && ret=1 -grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 && ret=1 +grep "mx03.other.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "ensure 'check-mx fail' prevents adding MX records containing an address with a warning" -$NSUPDATE > nsupdate.out 2>&1 << END && ret=1 +$NSUPDATE >nsupdate.out 2>&1 <<END && ret=1 server 10.53.0.1 ${PORT} update add mx03.update.nil 600 IN MX 10 10.53.0.1 send END -grep REFUSED nsupdate.out > /dev/null 2>&1 || ret=1 -grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep REFUSED nsupdate.out >/dev/null 2>&1 || ret=1 +grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "check SIG(0) key is accepted" key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -T KEY -n ENTITY xxx) -echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "" | $NSUPDATE -k ${key}.private >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check TYPE=0 update is rejected by nsupdate ($n)" -$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1 server 10.53.0.1 ${PORT} ttl 300 update add example.nil. in type0 "" send END -grep "unknown class/type" nsupdate.out > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "unknown class/type" nsupdate.out >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check TYPE=0 prerequisite is handled ($n)" -$NSUPDATE -k ns1/ddns.key <<END > nsupdate.out 2>&1 || ret=1 +$NSUPDATE -k ns1/ddns.key <<END >nsupdate.out 2>&1 || ret=1 server 10.53.0.1 ${PORT} prereq nxrrset example.nil. type0 send END -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that TYPE=0 update is handled ($n)" -echo "a0e4280000010000000100000000060001c00c000000fe000000000000" | -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "a0e4280000010000000100000000060001c00c000000fe000000000000" \ + | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that TYPE=0 additional data is handled ($n)" -echo "a0e4280000010000000000010000060001c00c000000fe000000000000" | -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "a0e4280000010000000000010000060001c00c000000fe000000000000" \ + | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that update to undefined class is handled ($n)" -echo "a0e4280000010001000000000000060101c00c000000fe000000000000" | -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp > /dev/null || ret=1 -$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 > dig.out.ns1.$n -grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +echo "a0e4280000010001000000000000060101c00c000000fe000000000000" \ + | $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp >/dev/null || ret=1 +$DIG $DIGOPTS +tcp version.bind txt ch @10.53.0.1 >dig.out.ns1.$n +grep "status: NOERROR" dig.out.ns1.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that address family mismatch is handled ($n)" -$NSUPDATE <<END > /dev/null 2>&1 && ret=1 +$NSUPDATE <<END >/dev/null 2>&1 && ret=1 server ::1 local 127.0.0.1 update add 600 txt.example.nil in txt "test" send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } - +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that unixtime serial number is correctly generated ($n)" -$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.old.test$n || ret=1 +$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 >dig.out.old.test$n || ret=1 oldserial=$(awk '{print $3}' dig.out.old.test$n) || ret=1 start=$($PERL -e 'print time()."\n";') -$NSUPDATE <<END > /dev/null 2>&1 || ret=1 +$NSUPDATE <<END >/dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} ttl 600 update add new.unixtime.nil in a 1.2.3.4 @@ -333,55 +401,74 @@ $NSUPDATE <<END > /dev/null 2>&1 || ret=1 END now=$($PERL -e 'print time()."\n";') sleep 1 -$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 > dig.out.new.test$n || ret=1 +$DIG $DIGOPTS +short unixtime.nil. soa @10.53.0.1 >dig.out.new.test$n || ret=1 serial=$(awk '{print $3}' dig.out.new.test$n) || ret=1 -[ "$oldserial" = "$serial" ] && { echo_i "oldserial == serial"; ret=1; } +[ "$oldserial" = "$serial" ] && { + echo_i "oldserial == serial" + ret=1 +} if [ "$serial" -lt "$start" ]; then - echo_i "out-of-range serial=$serial < start=$start"; ret=1; + echo_i "out-of-range serial=$serial < start=$start" + ret=1 elif [ "$serial" -gt "$now" ]; then - echo_i "out-of-range serial=$serial > now=$now"; ret=1; + echo_i "out-of-range serial=$serial > now=$now" + ret=1 fi -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} -if $PERL -e 'use Net::DNS;' 2>/dev/null -then +if $PERL -e 'use Net::DNS;' 2>/dev/null; then + n=$((n + 1)) + ret=0 + echo_i "running update.pl test ($n)" + $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. >perl.update_test.out || ret=1 + [ $ret -eq 1 ] && { + echo_i "failed" + status=1 + } + + if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' >/dev/null; then n=$((n + 1)) ret=0 - echo_i "running update.pl test ($n)" - $PERL update_test.pl -s 10.53.0.1 -p ${PORT} update.nil. > perl.update_test.out || ret=1 - [ $ret -eq 1 ] && { echo_i "failed"; status=1; } - - if $PERL -e 'use Net::DNS; die "Net::DNS too old ($Net::DNS::VERSION < 1.01)" if ($Net::DNS::VERSION < 1.01)' > /dev/null - then - n=$((n + 1)) - ret=0 - echo_i "check for too many NSEC3 iterations log ($n)" - grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run > /dev/null || ret=1 - [ $ret -eq 1 ] && { echo_i "failed"; status=1; } - fi + echo_i "check for too many NSEC3 iterations log ($n)" + grep "updating zone 'update.nil/IN': too many NSEC3 iterations (151)" ns1/named.run >/dev/null || ret=1 + [ $ret -eq 1 ] && { + echo_i "failed" + status=1 + } + fi else - echo_i "The second part of this test requires the Net::DNS library." >&2 + echo_i "The second part of this test requires the Net::DNS library." >&2 fi n=$((n + 1)) ret=0 echo_i "fetching first copy of test zone ($n)" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "fetching second copy of test zone ($n)" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "comparing zones ($n)" digcomp dig.out.ns1 dig.out.ns2 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "SIGKILL and restart server ns1" cd ns1 @@ -390,41 +477,49 @@ rm named.pid cd .. sleep 10 if - start_server --noclean --restart --port ${PORT} ns1 + start_server --noclean --restart --port ${PORT} ns1 then - echo_i "restarted server ns1" + echo_i "restarted server ns1" else - echo_i "could not restart server ns1" - exit 1 + echo_i "could not restart server ns1" + exit 1 fi sleep 10 n=$((n + 1)) ret=0 echo_i "fetching ns1 after hard restart ($n)" -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr > dig.out.ns1.after || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil. @10.53.0.1 axfr >dig.out.ns1.after || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "comparing zones ($n)" digcomp dig.out.ns1 dig.out.ns1.after || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "begin RT #482 regression test" n=$((n + 1)) ret=0 echo_i "update primary ($n)" -$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated2.example.nil. 600 A 10.10.10.2 update add updated2.example.nil. 600 TXT Bar update delete c.example.nil. send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} sleep 5 @@ -436,14 +531,17 @@ sleep 5 n=$((n + 1)) ret=0 echo_i "update primary again ($n)" -$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated3.example.nil. 600 A 10.10.10.3 update add updated3.example.nil. 600 TXT Zap del d.example.nil. send END -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} sleep 5 @@ -454,10 +552,9 @@ sleep 5 n=$((n + 1)) echo_i "check to 'out of sync' message ($n)" -if grep "out of sync" ns2/named.run -then - echo_i "failed (found 'out of sync')" - status=1 +if grep "out of sync" ns2/named.run; then + echo_i "failed (found 'out of sync')" + status=1 fi echo_i "end RT #482 regression test" @@ -465,29 +562,35 @@ echo_i "end RT #482 regression test" n=$((n + 1)) ret=0 echo_i "remove nonexistent PTR record ($n)" -$NSUPDATE -k ns1/ddns.key -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -k ns1/ddns.key -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil. update delete nonexistent.example.nil. 0 IN PTR foo. send EOF -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "remove nonexistent SRV record ($n)" -$NSUPDATE -k ns1/ddns.key -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -k ns1/ddns.key -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil. update delete nonexistent.example.nil. 0 IN SRV 0 0 0 foo. send EOF -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.3 ${PORT} update add example 3600 nsec3param 1 0 0 - send @@ -495,32 +598,36 @@ EOF # the zone is not signed. The nsec3param records should be removed. # this also proves that the server is still running. -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\ - @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 -grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example. @10.53.0.3 nsec3param >dig.out.ns3.$n || ret=1 +grep "ANSWER: 0," dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "change the NSEC3PARAM ttl via update ($n)" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.3 ${PORT} update add nsec3param.test 3600 NSEC3PARAM 1 0 1 - send EOF -$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\ - @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 -grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1 -grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test. @10.53.0.3 nsec3param >dig.out.ns3.$n || ret=1 +grep "ANSWER: 1," dig.out.ns3.$n >/dev/null || ret=1 +grep "3600.*NSEC3PARAM" dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "add a new NSEC3PARAM via update ($n)" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.3 ${PORT} update add nsec3param.test 3600 NSEC3PARAM 1 0 4 - send @@ -528,23 +635,26 @@ EOF _ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 - if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then - _ret=0 - break - fi - sleep 1 + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM >dig.out.ns3.$n || _ret=1 + if grep "ANSWER: 2," dig.out.ns3.$n >/dev/null; then + _ret=0 + break + fi + sleep 1 done if [ $_ret -ne 0 ]; then ret=1; fi -grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi +grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((ret + status)) +fi n=$((n + 1)) ret=0 echo_i "add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.3 ${PORT} update delete nsec3param.test NSEC3PARAM update add nsec3param.test 7200 NSEC3PARAM 1 0 5 - @@ -553,31 +663,33 @@ EOF _ret=1 for i in 0 1 2 3 4 5 6 7 8 9; do - $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 - if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then - _ret=0 - break - fi - sleep 1 + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM >dig.out.ns3.$n || _ret=1 + if grep "ANSWER: 1," dig.out.ns3.$n >/dev/null; then + _ret=0 + break + fi + sleep 1 done if [ $_ret -ne 0 ]; then ret=1; fi -grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1 -grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 -$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n +grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n >/dev/null || ret=1 +grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n >/dev/null || ret=1 +$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl >jp.out.ns3.$n # intermediate TTL changes. -grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1 -grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1 +grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n >/dev/null || ret=1 +grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n >/dev/null || ret=1 # delayed adds and deletes. -grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1 -grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1 -grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((ret + status)); fi - +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n >/dev/null || ret=1 +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n >/dev/null || ret=1 +grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((ret + status)) +fi ret=0 echo_i "testing that rndc stop updates the file" -$NSUPDATE -k ns1/ddns.key <<END > /dev/null || ret=1 +$NSUPDATE -k ns1/ddns.key <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add updated4.example.nil. 600 A 10.10.10.3 send @@ -591,120 +703,123 @@ sleep 3 rm -f ns1/*jnl start_server --noclean --restart --port ${PORT} ns1 for try in 0 1 2 3 4 5 6 7 8 9; do - iret=0 - $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - updated4.example.nil. @10.53.0.1 a > dig.out.ns1 || iret=1 - digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1 - [ "$iret" -eq 0 ] && break - sleep 1 + iret=0 + $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + updated4.example.nil. @10.53.0.1 a >dig.out.ns1 || iret=1 + digcomp knowngood.ns1.afterstop dig.out.ns1 || iret=1 + [ "$iret" -eq 0 ] && break + sleep 1 done [ "$iret" -ne 0 ] && ret=1 -[ "$ret" -eq 0 ] || { echo_i "failed"; status=1; } +[ "$ret" -eq 0 ] || { + echo_i "failed" + status=1 +} ret=0 echo_i "check that 'nsupdate -l' with a missing keyfile reports the missing file" -$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2> nsupdate.out < /dev/null && ret=1 -grep ns1/nonexistent.key nsupdate.out > /dev/null || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +$NSUPDATE -4 -p ${PORT} -l -k ns1/nonexistent.key 2>nsupdate.out </dev/null && ret=1 +grep ns1/nonexistent.key nsupdate.out >/dev/null || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy local' works from localhost address ($n)" -$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1 +$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 <<END || ret=1 server 10.53.0.5 ${PORT} local 127.0.0.1 update add fromlocal.local.nil. 600 A 1.2.3.4 send END -grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1 $DIG $DIGOPTS @10.53.0.5 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - fromlocal.local.nil. > dig.out.ns5.$n || ret=1 -grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + fromlocal.local.nil. >dig.out.ns5.$n || ret=1 +grep fromlocal dig.out.ns5.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy local' fails from non-localhost address ($n)" -grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1 -$NSUPDATE -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1 +grep 'match on session key not from localhost' ns5/named.run >/dev/null && ret=1 +$NSUPDATE -k ns5/session.key >nsupdate.out.$n 2>&1 <<END && ret=1 server 10.53.0.5 ${PORT} local 10.53.0.1 update add nonlocal.local.nil. 600 A 4.3.2.1 send END -grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1 -grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 +grep 'match on session key not from localhost' ns5/named.run >/dev/null || ret=1 $DIG $DIGOPTS @10.53.0.5 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - nonlocal.local.nil. > dig.out.ns5.$n || ret=1 -grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + nonlocal.local.nil. >dig.out.ns5.$n || ret=1 +grep nonlocal dig.out.ns5.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy tcp-self' refuses update of records via UDP ($n)" -$NSUPDATE > nsupdate.out.$n 2>&1 << END && ret=1 +$NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1 server 10.53.0.6 ${PORT} local 127.0.0.1 update add 1.0.0.127.in-addr.arpa. 600 PTR localhost. send END -grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 127.0.0.1 > dig.out.ns6.$n -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 127.0.0.1 >dig.out.ns6.$n +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy tcp-self' permits update of records for the client's own address via TCP ($n)" -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END || ret=1 +$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1 server 10.53.0.6 ${PORT} local 127.0.0.1 update add 1.0.0.127.in-addr.arpa. 600 PTR localhost. send END -grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1 $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 127.0.0.1 > dig.out.ns6.$n || ret=1 -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 127.0.0.1 >dig.out.ns6.$n || ret=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that 'update-policy tcp-self' refuses update of records for a different address from the client's own address via TCP ($n)" -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END && ret=1 +$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END && ret=1 server 10.53.0.6 ${PORT} local 127.0.0.1 update add 1.0.168.192.in-addr.arpa. 600 PTR localhost. send END -grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1 +grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1 $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 192.168.0.1 > dig.out.ns6.$n -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 192.168.0.1 >dig.out.ns6.$n +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) @@ -712,99 +827,111 @@ ret=0 echo_i "check that 'update-policy subdomain' is properly enforced ($n)" # "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" # and thus this UPDATE should succeed. -$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1 +$NSUPDATE -d <<END >nsupdate.out1-$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} key restricted.example.nil 1234abcd8765 update add restricted.example.nil 0 IN TXT everywhere. send END -$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 -grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT >dig.out.1.test$n || ret=1 +grep "TXT.*everywhere" dig.out.1.test$n >/dev/null || ret=1 # "example.nil" does not match "grant ... subdomain restricted.example.nil" and # thus this UPDATE should fail. -$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1 +$NSUPDATE -d <<END >nsupdate.out2-$n 2>&1 && ret=1 server 10.53.0.1 ${PORT} key restricted.example.nil 1234abcd8765 update add example.nil 0 IN TXT everywhere. send END -$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 -grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT >dig.out.2.test$n || ret=1 +grep "TXT.*everywhere" dig.out.2.test$n >/dev/null && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that 'update-policy zonesub' is properly enforced ($n)" # grant zonesub-key.example.nil zonesub TXT; # the A record update should be rejected as it is not in the type list -$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1 +$NSUPDATE -d <<END >nsupdate.out1-$n 2>&1 && ret=1 server 10.53.0.1 ${PORT} key zonesub-key.example.nil 1234subk8765 update add zonesub.example.nil 0 IN A 1.2.3.4 send END -$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1 -grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A >dig.out.1.test$n || ret=1 +grep "status: REFUSED" nsupdate.out1-$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.1.test$n >/dev/null || ret=1 # the TXT record update should be accepted as it is in the type list -$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1 +$NSUPDATE -d <<END >nsupdate.out2-$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} key zonesub-key.example.nil 1234subk8765 update add zonesub.example.nil 0 IN TXT everywhere. send END -$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1 -grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 -grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT >dig.out.2.test$n || ret=1 +grep "status: REFUSED" nsupdate.out2-$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.2.test$n >/dev/null || ret=1 +grep "TXT.*everywhere" dig.out.2.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check 'grant' in deny name + grant subdomain ($n)" -$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 key hmac-sha256:subkey 1234abcd8765 server 10.53.0.9 ${PORT} zone denyname.example update add foo.denyname.example 3600 IN TXT added send EOF -$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n -grep "added" dig.out.ns9.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT >dig.out.ns9.test$n +grep "added" dig.out.ns9.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check 'deny' in deny name + grant subdomain ($n)" -$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 key hmac-sha256:subkey 1234abcd8765 server 10.53.0.9 ${PORT} zone denyname.example update add denyname.example 3600 IN TXT added send EOF -$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n -grep "added" dig.out.ns9.test$n > /dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT >dig.out.ns9.test$n +grep "added" dig.out.ns9.test$n >/dev/null && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ - @10.53.0.3 dnskey | \ - awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; } + @10.53.0.3 dnskey \ + | awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; } $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 } - END { print "send" }' > update.in.$n + END { print "send" }' >update.in.$n $NSUPDATE update.in.$n $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ - @10.53.0.3 any > dig.out.ns3.$n + @10.53.0.3 any >dig.out.ns3.$n -grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1 -grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +grep "600.*DNSKEY" dig.out.ns3.$n >/dev/null || ret=1 +grep TYPE65534 dig.out.ns3.$n >/dev/null && ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) @@ -815,51 +942,92 @@ echo_i "check notify with TSIG worked ($n)" # will have been created. [ -f ns2/update.alt.bk ] || ret=1 if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check type list options ($n)" -$NSUPDATE -T > typelist.out.T.${n} || { ret=1; echo_i "nsupdate -T failed"; } -$NSUPDATE -P > typelist.out.P.${n} || { ret=1; echo_i "nsupdate -P failed"; } -$NSUPDATE -TP > typelist.out.TP.${n} || { ret=1; echo_i "nsupdate -TP failed"; } -grep ANY typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-T)"; } -grep ANY typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-P)"; } -grep ANY typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: ANY found (-TP)"; } -grep KEYDATA typelist.out.T.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-T)"; } -grep KEYDATA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-P)"; } -grep KEYDATA typelist.out.TP.${n} > /dev/null && { ret=1; echo_i "failed: KEYDATA found (-TP)"; } -grep AAAA typelist.out.T.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-T)"; } -grep AAAA typelist.out.P.${n} > /dev/null && { ret=1; echo_i "failed: AAAA found (-P)"; } -grep AAAA typelist.out.TP.${n} > /dev/null || { ret=1; echo_i "failed: AAAA not found (-TP)"; } +$NSUPDATE -T >typelist.out.T.${n} || { + ret=1 + echo_i "nsupdate -T failed" +} +$NSUPDATE -P >typelist.out.P.${n} || { + ret=1 + echo_i "nsupdate -P failed" +} +$NSUPDATE -TP >typelist.out.TP.${n} || { + ret=1 + echo_i "nsupdate -TP failed" +} +grep ANY typelist.out.T.${n} >/dev/null && { + ret=1 + echo_i "failed: ANY found (-T)" +} +grep ANY typelist.out.P.${n} >/dev/null && { + ret=1 + echo_i "failed: ANY found (-P)" +} +grep ANY typelist.out.TP.${n} >/dev/null && { + ret=1 + echo_i "failed: ANY found (-TP)" +} +grep KEYDATA typelist.out.T.${n} >/dev/null && { + ret=1 + echo_i "failed: KEYDATA found (-T)" +} +grep KEYDATA typelist.out.P.${n} >/dev/null && { + ret=1 + echo_i "failed: KEYDATA found (-P)" +} +grep KEYDATA typelist.out.TP.${n} >/dev/null && { + ret=1 + echo_i "failed: KEYDATA found (-TP)" +} +grep AAAA typelist.out.T.${n} >/dev/null || { + ret=1 + echo_i "failed: AAAA not found (-T)" +} +grep AAAA typelist.out.P.${n} >/dev/null && { + ret=1 + echo_i "failed: AAAA found (-P)" +} +grep AAAA typelist.out.TP.${n} >/dev/null || { + ret=1 + echo_i "failed: AAAA not found (-TP)" +} if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check command list ($n)" ( -while read cmd -do - { echo "$cmd" | $NSUPDATE > /dev/null 2>&1; rc=$?; } || true - if test $rc -gt 1 ; then - echo_i "failed ($cmd)" - ret=1 + while read cmd; do + { + echo "$cmd" | $NSUPDATE >/dev/null 2>&1 + rc=$? + } || true + if test $rc -gt 1; then + echo_i "failed ($cmd)" + ret=1 fi - { echo "$cmd " | $NSUPDATE > /dev/null 2>&1; rc=$?; } || true - if test $rc -gt 1 ; then - echo_i "failed ($cmd)" - ret=1 + { + echo "$cmd " | $NSUPDATE >/dev/null 2>&1 + rc=$? + } || true + if test $rc -gt 1; then + echo_i "failed ($cmd)" + ret=1 fi -done -exit $ret -) < commandlist || ret=1 + done + exit $ret +) <commandlist || ret=1 if [ $ret -ne 0 ]; then - status=1 + status=1 fi n=$((n + 1)) @@ -868,15 +1036,14 @@ ret=0 n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms using legacy K file pairs (nsupdate -k) ($n)" -if $FEATURETEST --md5 -then - ALGS="157 161 162 163 164 165" +if $FEATURETEST --md5; then + ALGS="157 161 162 163 164 165" else - ALGS="161 162 163 164 165" - echo_i "skipping disabled md5 (157) algorithm" + ALGS="161 162 163 164 165" + echo_i "skipping disabled md5 (157) algorithm" fi for alg in $ALGS; do - $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END > nsupdate.alg-$alg.out 2>&1 || ret=1 + $NSUPDATE -k ns1/legacy/Klegacy-${alg}.+${alg}+*.key <<END >nsupdate.alg-$alg.out 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 send @@ -884,27 +1051,26 @@ END done sleep 2 for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 - grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 >/dev/null 2>&1 || ret=1 + grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out >/dev/null || ret=1 done if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -if $FEATURETEST --md5 -then - ALGS="md5 sha1 sha224 sha256 sha384 sha512" +if $FEATURETEST --md5; then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" else - ALGS="sha1 sha224 sha256 sha384 sha512" - echo_i "skipping disabled md5 algorithm" + ALGS="sha1 sha224 sha256 sha384 sha512" + echo_i "skipping disabled md5 algorithm" fi for alg in $ALGS; do - $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 + $NSUPDATE -k ns1/${alg}.key <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 send @@ -912,19 +1078,19 @@ END done sleep 2 for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 >/dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -y) ($n)" for alg in md5 sha1 sha224 sha256 sha384 sha512; do - secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) - $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1 + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.50 send @@ -932,47 +1098,47 @@ END done sleep 2 for alg in md5 sha1 sha224 sha256 sha384 sha512; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 >/dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that ttl is capped by max-ttl ($n)" -$NSUPDATE <<END > /dev/null || ret=1 +$NSUPDATE <<END >/dev/null || ret=1 server 10.53.0.1 ${PORT} update add cap.max-ttl.nil. 600 A 10.10.10.3 update add nocap.max-ttl.nil. 150 A 10.10.10.3 send END sleep 2 -$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" > /dev/null 2>&1 || ret=1 -$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" > /dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.1 cap.max-ttl.nil | grep "^cap.max-ttl.nil. 300" >/dev/null 2>&1 || ret=1 +$DIG $DIGOPTS @10.53.0.1 nocap.max-ttl.nil | grep "^nocap.max-ttl.nil. 150" >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "add a record which is truncated when logged. ($n)" $NSUPDATE verylarge || ret=1 -$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil > dig.out.ns1.test$n -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 -grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run > /dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.1 txt txt.update.nil >dig.out.ns1.test$n +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 +grep "adding an RR at 'txt.update.nil' TXT .* \[TRUNCATED\]" ns1/named.run >/dev/null || ret=1 if [ $ret -ne 0 ]; then - echo_i "failed" - status=1 + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that yyyymmddvv serial number is correctly generated ($n)" oldserial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1 -$NSUPDATE <<END > /dev/null 2>&1 || ret=1 +$NSUPDATE <<END >/dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} ttl 600 update add new.yyyymmddvv.nil in a 1.2.3.4 @@ -983,38 +1149,41 @@ sleep 1 serial=$($DIG $DIGOPTS +short yyyymmddvv.nil. soa @10.53.0.1 | awk '{print $3}') || ret=1 [ "$oldserial" -ne "$serial" ] || ret=1 [ "$serial" -eq "$now" ] || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} # # Refactor to use perl to launch the parallel updates. # -if false -then -n=$((n + 1)) -echo_i "send many simultaneous updates via a update forwarder ($n)" -ret=0 -for i in 0 1 2 3 4 5 6 7 -do -( - for j in 0 1 2 3 4 5 6 7 - do +if false; then + n=$((n + 1)) + echo_i "send many simultaneous updates via a update forwarder ($n)" + ret=0 + for i in 0 1 2 3 4 5 6 7; do ( - $NSUPDATE << EOF + for j in 0 1 2 3 4 5 6 7; do + ( + $NSUPDATE <<EOF server 10.53.0.3 ${PORT} zone many.test update add $i-$j.many.test 0 IN A 1.2.3.4 send EOF + ) & + done + wait ) & - done - wait -) & -done -wait -dig axfr many.test @10.53.0.1 > dig.out.test$n -lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n) -test ${lines:-0} -eq 64 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } + done + wait + dig axfr many.test @10.53.0.1 >dig.out.test$n + lines=$(awk '$4 == "A" { l++ } END { print l }' dig.out.test$n) + test ${lines:-0} -eq 64 || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } fi n=$((n + 1)) @@ -1022,16 +1191,16 @@ echo_i "check max-journal-size limits ($n)" ret=0 rm -f nsupdate.out1-$n # add one record -$NSUPDATE << EOF >> nsupdate.out1-$n 2>&1 +$NSUPDATE <<EOF >>nsupdate.out1-$n 2>&1 server 10.53.0.1 ${PORT} zone maxjournal.test update add z.maxjournal.test 300 IN A 10.20.30.40 send EOF for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - # repeatedly add and remove the same set of records to fill up - # the journal file without changing the zone content - $NSUPDATE << EOF >> nsupdate.out1-$n 2>&1 + # repeatedly add and remove the same set of records to fill up + # the journal file without changing the zone content + $NSUPDATE <<EOF >>nsupdate.out1-$n 2>&1 server 10.53.0.1 ${PORT} zone maxjournal.test update add a.maxjournal.test 300 IN A 1.2.3.4 @@ -1052,279 +1221,336 @@ size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->si sleep 1 $RNDCCMD 10.53.0.1 sync maxjournal.test check_size_lt_5000() ( - size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl) - [ "$size" -lt 5000 ] + size=$($PERL -e 'use File::stat; my $sb = stat(@ARGV[0]); printf("%s\n", $sb->size);' ns1/maxjournal.db.jnl) + [ "$size" -lt 5000 ] ) retry_quiet 20 check_size_lt_5000 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check check-names processing ($n)" ret=0 -$NSUPDATE << EOF > nsupdate.out1-$n 2>&1 && ret=1 +$NSUPDATE <<EOF >nsupdate.out1-$n 2>&1 && ret=1 update add # 0 in a 1.2.3.4 EOF -grep "bad owner" nsupdate.out1-$n > /dev/null || ret=1 +grep "bad owner" nsupdate.out1-$n >/dev/null || ret=1 -$NSUPDATE << EOF > nsupdate.out2-$n 2>&1 || ret=1 +$NSUPDATE <<EOF >nsupdate.out2-$n 2>&1 || ret=1 check-names off update add # 0 in a 1.2.3.4 EOF -grep "bad owner" nsupdate.out2-$n > /dev/null && ret=1 +grep "bad owner" nsupdate.out2-$n >/dev/null && ret=1 -$NSUPDATE << EOF > nsupdate.out3-$n 2>&1 && ret=1 +$NSUPDATE <<EOF >nsupdate.out3-$n 2>&1 && ret=1 update add . 0 in mx 0 # EOF -grep "bad name" nsupdate.out3-$n > /dev/null || ret=1 +grep "bad name" nsupdate.out3-$n >/dev/null || ret=1 -$NSUPDATE << EOF > nsupdate.out4-$n 2>&1 || ret=1 +$NSUPDATE <<EOF >nsupdate.out4-$n 2>&1 || ret=1 check-names off update add . 0 in mx 0 # EOF -grep "bad name" nsupdate.out4-$n > /dev/null && ret=1 +grep "bad name" nsupdate.out4-$n >/dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check adding of delegating NS records processing ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -v <<EOF >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update add child.delegation.test. 3600 NS foo.example.net. update add child.delegation.test. 3600 NS bar.example.net. send EOF -$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test >dig.out.ns1.test$n +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check deleting of delegating NS records processing ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -v <<EOF >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send EOF -$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test > dig.out.ns1.test$n -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +$DIG $DIGOPTS +tcp @10.53.0.3 ns child.delegation.test >dig.out.ns1.test$n +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) echo_i "check that adding too many records is blocked ($n)" ret=0 -$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -v <<EOF >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone too-big.test. update add r1.too-big.test 3600 IN TXT r1.too-big.test send EOF -grep "update failed: SERVFAIL" nsupdate.out.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "update failed: SERVFAIL" nsupdate.out.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT >dig.out.ns3.test$n +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "records in zone (4) exceeds max-records (3)" ns3/named.run >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with defaults) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that default timeout value is respected, there should be 4 tries with 3 seconds each. test $elapsed -lt 12 && ret=1 test $elapsed -gt 15 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -u 4 -r 1 <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -u 4 -r 1 <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 2 tries with 4 seconds each. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with -t timeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -u 0 -t 8 -r 1 <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -u 0 -t 8 -r 1 <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 2 tries with 4 seconds each. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (UDP with -u udptimeout -t timeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -u 4 -t 30 -r 1 <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -u 4 -t 30 -r 1 <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 2 tries with 4 seconds each, as -u takes precedence over -t. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check whether valid addresses are used for primary failover (TCP with -t timeout) ($n)" t1=$($PERL -e 'print time()') -$NSUPDATE -t 8 -v <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -t 8 -v <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.4 ${PORT} zone unreachable. update add unreachable. 600 A 192.0.2.1 send END t2=$($PERL -e 'print time()') -grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1 +grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "not implemented" nsupdate.out.test$n >/dev/null 2>&1 && ret=1 elapsed=$((t2 - t1)) # Check that given timeout value is respected, there should be 1 try with 8 seconds. test $elapsed -lt 8 && ret=1 test $elapsed -gt 12 && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure bad owner name is fatal in non-interactive mode ($n)" -$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1 update add emptylabel..nil. 600 A 10.10.10.1 END -grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "invalid owner name: empty label" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure bad owner name is not fatal in interactive mode ($n)" -$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1 +$NSUPDATE -i <<END >nsupdate.out 2>&1 || ret=1 update add emptylabel..nil. 600 A 10.10.10.1 END -grep "invalid owner name: empty label" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "invalid owner name: empty label" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure invalid key type is fatal in non-interactive mode ($n)" -$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1 key badkeytype:example abcd12345678 END -grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "unknown key type 'badkeytype'" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure invalid key type is not fatal in interactive mode ($n)" -$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1 +$NSUPDATE -i <<END >nsupdate.out 2>&1 || ret=1 key badkeytype:example abcd12345678 END -grep "unknown key type 'badkeytype'" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "unknown key type 'badkeytype'" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)" -$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out 2>&1 && ret=1 server unresolvable.. END -grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "couldn't get address for 'unresolvable..':" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)" -$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1 +$NSUPDATE -i <<END >nsupdate.out 2>&1 || ret=1 server unresolvable.. END -grep "couldn't get address for 'unresolvable..':" nsupdate.out > /dev/null || ret=1 -grep "syntax error" nsupdate.out > /dev/null && ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "couldn't get address for 'unresolvable..':" nsupdate.out >/dev/null || ret=1 +grep "syntax error" nsupdate.out >/dev/null && ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check nsupdate -4 -6 ($n)" -$NSUPDATE -4 -6 <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -4 -6 <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "only one of -4 and -6 allowed" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "only one of -4 and -6 allowed" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check nsupdate -4 with an IPv6 server address ($n)" -$NSUPDATE -4 <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -4 <<END >nsupdate.out.test$n 2>&1 && ret=1 server fd92:7065:b8e:ffff::2 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "address family not supported" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "address family not supported" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that TKEY in a update is rejected ($n)" -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw== send END -grep "UPDATE, status: NOERROR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -grep "UPDATE, status: FORMERR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep "UPDATE, status: NOERROR" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +grep "UPDATE, status: FORMERR" nsupdate.out.test$n >/dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that max records is enforced ($n)" -nextpart ns6/named.run > /dev/null -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END +nextpart ns6/named.run >/dev/null +$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END server 10.53.0.6 ${PORT} local 10.53.0.5 update del 5.0.53.10.in-addr.arpa. @@ -1333,24 +1559,24 @@ update add 5.0.53.10.in-addr.arpa. 600 PTR other. send END $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - -x 10.53.0.5 > dig.out.ns6.$n + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + -x 10.53.0.5 >dig.out.ns6.$n # the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so only the # first PTR record should be added. -grep localhost. dig.out.ns6.$n > /dev/null 2>&1 || ret=1 -grep other. dig.out.ns6.$n > /dev/null 2>&1 && ret=1 -nextpart ns6/named.run > nextpart.out.$n -grep "attempt to add more records than permitted by policy" nextpart.out.$n > /dev/null || ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1 +grep other. dig.out.ns6.$n >/dev/null 2>&1 && ret=1 +nextpart ns6/named.run >nextpart.out.$n +grep "attempt to add more records than permitted by policy" nextpart.out.$n >/dev/null || ret=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that max records for ANY is enforced ($n)" -nextpart ns6/named.run > /dev/null -$NSUPDATE -v > nsupdate.out.$n 2>&1 << END +nextpart ns6/named.run >/dev/null +$NSUPDATE -v >nsupdate.out.$n 2>&1 <<END server 10.53.0.6 ${PORT} local 10.53.0.5 update del 5.0.53.10.in-addr.arpa. @@ -1363,10 +1589,10 @@ update add 5.0.53.10.in-addr.arpa. 600 AAAA ::ffff:1.2.3.2 send END $DIG $DIGOPTS @10.53.0.6 \ - +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ - ANY -x 10.53.0.5 > dig.out.ns6.test$n -nextpart ns6/named.run > nextpart.out.test$n -grep "attempt to add more records than permitted by policy" nextpart.out.test$n > /dev/null || ret=1 + +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \ + ANY -x 10.53.0.5 >dig.out.ns6.test$n +nextpart ns6/named.run >nextpart.out.test$n +grep "attempt to add more records than permitted by policy" nextpart.out.test$n >/dev/null || ret=1 # the policy is 'grant * tcp-self . PTR(1) ANY(2) A;' so all the A # records should have been added as there is no limit and the first 2 # of the AAAA records added as they match ANY(2). @@ -1374,111 +1600,129 @@ c1=$(awk '$4 == "A" { print }' dig.out.ns6.test$n | wc -l) c2=$(awk '$4 == "AAAA" { print }' dig.out.ns6.test$n | wc -l) test "$c1" -eq 3 -a "$c2" -eq 2 || ret=1 grep "::ffff:1.2.3.2" dig.out.ns6.test$n && ret=1 -if test $ret -ne 0 -then -echo_i "failed"; status=1 +if test $ret -ne 0; then + echo_i "failed" + status=1 fi n=$((n + 1)) ret=0 echo_i "check that DS to the zone apex is ignored ($n)" -$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -nextpart ns3/named.run > /dev/null +$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +nextpart ns3/named.run >/dev/null # specify zone to override the default of adding to parent zone -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C send END msg=": attempt to add a DS record at zone apex ignored" -nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 -$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.post.test$n || ret=1 -grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 >dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C send END msg=": bad CDS RRset" -nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 -$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1 -grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -nextpart ns3/named.run > /dev/null -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +nextpart ns3/named.run >/dev/null +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== send END msg=": bad CDNSKEY RRset" -nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 -$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1 -grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +nextpart ns3/named.run | grep "$msg" >/dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C send END retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)" -$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 -grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 >dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n >/dev/null || ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== send END retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)" -$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -d <<END >nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in NSEC3PARAM 1 0 151 - END grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 @@ -1488,14 +1732,17 @@ echo_i "check nsupdate retries with another server on REFUSED response ($n)" # that's what we're testing for. (failure is still expected, however, # because the address lookup for the primary doesn't use the overridden # resolv.conf file). -$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out.test$n 2>&1 && ret=1 +$NSUPDATE -D -C resolv.conf -p ${PORT} <<EOF >nsupdate.out.test$n 2>&1 && ret=1 zone example update add a 3600 IN A 1.2.3.4 send EOF -grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1 -grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +grep '10.53.0.1.*REFUSED' nsupdate.out.test$n >/dev/null || ret=1 +grep 'Reply from SOA query' nsupdate.out.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 @@ -1507,25 +1754,31 @@ echo_i "check that update is rejected if query is not allowed ($n)" update add reject.other.nil 3600 IN TXT Whatever send END -} > nsupdate.out.test$n 2>&1 -grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +} >nsupdate.out.test$n 2>&1 +grep 'failed: REFUSED' nsupdate.out.test$n >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} n=$((n + 1)) ret=0 echo_i "check that update is rejected if quota is exceeded ($n)" for loop in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do -{ - $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END + { + $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key >/dev/null 2>&1 <<END update add txt-$loop.other.nil 3600 IN TXT Whatever send END -} & + } & done wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} -if ! $FEATURETEST --gssapi ; then +if ! $FEATURETEST --gssapi; then echo_i "SKIPPED: GSSAPI tests" else n=$((n + 1)) @@ -1533,15 +1786,18 @@ else echo_i "check GSS-API TKEY request rcode against a non configured server ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} zone example.com send EOF - grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } copy_setports ns7/named2.conf.in ns7/named.conf rndc_reload ns7 10.53.0.7 @@ -1551,7 +1807,7 @@ EOF echo_i "check krb5-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1559,17 +1815,20 @@ EOF update add machine.example.com 3600 IN A 10.53.0.7 send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 machine.example.com A >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "machine.example.com..*A.*10.53.0.7" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1577,17 +1836,20 @@ EOF update add foo.example.com 3600 IN A 10.53.0.7 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1595,17 +1857,20 @@ EOF update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._tcp.example.com SRV >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1613,17 +1878,20 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1631,17 +1899,20 @@ EOF update add 4.3.2.1.in-addr.arpa 3600 IN PTR machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 4.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 4.3.2.1.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no-match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1649,17 +1920,20 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs match SRV ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1667,17 +1941,20 @@ EOF update add _xxx.self-srv.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv.example.com ANY > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv.example.com ANY >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no listed types match (SRV & TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1686,18 +1963,21 @@ EOF update add _xxx.self-srv-no-type.example.com 3600 IN TXT a txt record send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv-no-type.example.com ANY > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep '_xxx.self-srv-no-type.example.com.*SRV.*0 0 0 machine.example.com' dig.out.ns7.test$n > /dev/null || ret=1 - grep '_xxx.self-srv-no-type.example.com.*TXT.*"a" "txt" "record"' dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 _xxx.self-srv-no-type.example.com ANY >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep '_xxx.self-srv-no-type.example.com.*SRV.*0 0 0 machine.example.com' dig.out.ns7.test$n >/dev/null || ret=1 + grep '_xxx.self-srv-no-type.example.com.*TXT.*"a" "txt" "record"' dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no-match RDATA (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1705,17 +1985,20 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs no-match TYPE (TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1723,20 +2006,23 @@ EOF update add _yyy.self-srv.example.com 3600 IN TXT a-txt-record send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1744,16 +2030,19 @@ EOF update delete single.ptr.self-ptr.in-addr.arpa PTR send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1761,21 +2050,24 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1783,16 +2075,19 @@ EOF update delete single.any.self-ptr.in-addr.arpa send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1800,21 +2095,24 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1822,16 +2120,19 @@ EOF update delete single.srv.self-srv.example.com SRV send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.srv.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1839,21 +2140,24 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV > dig.out.ns7.pre.test$n - grep "status: NOERROR" dig.out.ns7.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV >dig.out.ns7.pre.test$n + grep "status: NOERROR" dig.out.ns7.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns7.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1861,16 +2165,19 @@ EOF update delete single.any.self-srv.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.7 single.any.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NXDOMAIN" dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1878,18 +2185,21 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV > dig.out.ns7.test$n - grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV >dig.out.ns7.test$n + grep "status: NOERROR" dig.out.ns7.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns7.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} @@ -1897,17 +2207,20 @@ EOF update add xxx.machine.example.com 3600 IN A 10.53.0.8 send EOF - $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A > dig.out.ns8.test$n - grep "status: NOERROR" dig.out.ns8.test$n > /dev/null || ret=1 - grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.8 xxx.machine.example.com A >dig.out.ns8.test$n + grep "status: NOERROR" dig.out.ns8.test$n >/dev/null || ret=1 + grep "xxx.machine.example.com..*A.*10.53.0.8" dig.out.ns8.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check krb5-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} @@ -1915,17 +2228,20 @@ EOF update add foo.example.com 3600 IN A 10.53.0.8 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n - grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A >dig.out.ns8.test$n + grep "status: NXDOMAIN" dig.out.ns8.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1933,17 +2249,20 @@ EOF update add machine.example.com 3600 IN A 10.53.0.9 send EOF - $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A > dig.out.ns9.test$n - grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1 - grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.9 machine.example.com A >dig.out.ns9.test$n + grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 + grep "machine.example.com..*A.*10.53.0.9" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1951,17 +2270,20 @@ EOF update add foo.example.com 3600 IN A 10.53.0.9 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n - grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A >dig.out.ns9.test$n + grep "status: NXDOMAIN" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1969,17 +2291,20 @@ EOF update add _xxx._tcp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV > dig.out.ns9.test$n - grep "status: NOERROR" dig.out.ns9.test$n > /dev/null || ret=1 - grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._tcp.example.com SRV >dig.out.ns9.test$n + grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 + grep "_xxx._tcp.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1987,17 +2312,20 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n - grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV >dig.out.ns9.test$n + grep "status: NXDOMAIN" dig.out.ns9.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2005,17 +2333,20 @@ EOF update add 4.3.2.1.in-addr.arpa 3600 IN PTR machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 4.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 4.3.2.1.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "4.3.2.1.in-addr.arpa.*PTR.*machine.example.com" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs no-match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2023,17 +2354,20 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2041,17 +2375,20 @@ EOF update add _xxx.self-srv.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 _xxx.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 _xxx.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "_xxx.self-srv.example.com.*SRV.*0 0 0 machine.example.com" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs no-match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2059,20 +2396,23 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2080,16 +2420,19 @@ EOF update delete single.srv.self-srv.example.com SRV send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.srv.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2097,21 +2440,24 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2119,16 +2465,19 @@ EOF update delete single.ptr.self-ptr.in-addr.arpa PTR send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2136,21 +2485,24 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2158,16 +2510,19 @@ EOF update delete single.any.self-ptr.in-addr.arpa send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2175,21 +2530,24 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV) ($n)" - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV > dig.out.ns10.pre.test$n - grep "status: NOERROR" dig.out.ns10.pre.test$n > /dev/null || ret=1 - grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV >dig.out.ns10.pre.test$n + grep "status: NOERROR" dig.out.ns10.pre.test$n >/dev/null || ret=1 + grep "ANSWER: 1," dig.out.ns10.pre.test$n >/dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2197,16 +2555,19 @@ EOF update delete single.any.self-srv.example.com send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 single.any.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } - n=$((n+1)) + n=$((n + 1)) ret=0 echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2214,18 +2575,21 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 + $NSUPDATE -d <<EOF >nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2233,17 +2597,20 @@ EOF update add xxx.machine.example.com 3600 IN A 10.53.0.10 send EOF - $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A > dig.out.ns10.test$n - grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 - grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + $DIG $DIGOPTS +tcp @10.53.0.10 xxx.machine.example.com A >dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1 + grep "xxx.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } n=$((n + 1)) ret=0 echo_i "check ms-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 + $NSUPDATE <<EOF >nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2251,10 +2618,13 @@ EOF update add foo.example.com 3600 IN A 10.53.0.10 send EOF - grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n - grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } + grep "update failed: REFUSED" nsupdate.out.test$n >/dev/null || ret=1 + $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A >dig.out.ns10.test$n + grep "status: NXDOMAIN" dig.out.ns10.test$n >/dev/null || ret=1 + [ $ret = 0 ] || { + echo_i "failed" + status=1 + } fi diff --git a/bin/tests/system/nzd2nzf/prereq.sh b/bin/tests/system/nzd2nzf/prereq.sh index 7c9e25d..c3a239b 100644 --- a/bin/tests/system/nzd2nzf/prereq.sh +++ b/bin/tests/system/nzd2nzf/prereq.sh @@ -14,7 +14,7 @@ . ../conf.sh $FEATURETEST --with-lmdb || { - echo_i "This test requires LMDB support." >&2 - exit 255 + echo_i "This test requires LMDB support." >&2 + exit 255 } exit 0 diff --git a/bin/tests/system/nzd2nzf/tests.sh b/bin/tests/system/nzd2nzf/tests.sh index 2cfc58f..e48b79d 100644 --- a/bin/tests/system/nzd2nzf/tests.sh +++ b/bin/tests/system/nzd2nzf/tests.sh @@ -16,51 +16,51 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "$@" } status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "querying for non-existing zone data ($n)" ret=0 -dig_with_opts @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 -grep 'status: REFUSED' dig.out.ns1.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.1 a.added.example a >dig.out.ns1.$n || ret=1 +grep 'status: REFUSED' dig.out.ns1.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "adding a new zone into default NZD using rndc addzone ($n)" rndccmd 10.53.0.1 addzone 'added.example { type primary; file "added.db"; };' 2>&1 | sed 's/^/I:ns1 /' | cat_i sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "querying for existing zone data ($n)" ret=0 -dig_with_opts @10.53.0.1 a.added.example a > dig.out.ns1.$n || ret=1 -grep 'status: NOERROR' dig.out.ns1.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.1 a.added.example a >dig.out.ns1.$n || ret=1 +grep 'status: NOERROR' dig.out.ns1.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "stopping ns1" stop_server ns1 -n=$((n+1)) +n=$((n + 1)) echo_i "dumping _default.nzd to _default.nzf ($n)" -$NZD2NZF ns1/_default.nzd > ns1/_default.nzf || ret=1 +$NZD2NZF ns1/_default.nzd >ns1/_default.nzf || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that _default.nzf contains the expected content ($n)" -grep 'zone "added.example" { type primary; file "added.db"; };' ns1/_default.nzf > /dev/null || ret=1 +grep 'zone "added.example" { type primary; file "added.db"; };' ns1/_default.nzf >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "deleting _default.nzd database" rm -f ns1/_default.nzd @@ -68,18 +68,18 @@ rm -f ns1/_default.nzd echo_i "starting ns1 which should migrate the .nzf to .nzd" start_server --noclean --restart --port ${PORT} ns1 -n=$((n+1)) +n=$((n + 1)) echo_i "querying for zone data from migrated zone config ($n)" # retry loop in case the server restart above causes transient failures _do_query() ( - dig_with_opts @10.53.0.1 a.added.example a > dig.out.ns1.$n && - grep 'status: NOERROR' dig.out.ns1.$n > /dev/null + dig_with_opts @10.53.0.1 a.added.example a >dig.out.ns1.$n \ + && grep 'status: NOERROR' dig.out.ns1.$n >/dev/null ) ret=0 retry_quiet "10" _do_query || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" exit $status diff --git a/bin/tests/system/padding/ns2/named.conf.in b/bin/tests/system/padding/ns2/named.conf.in index 10ba86b..6f2a34c 100644 --- a/bin/tests/system/padding/ns2/named.conf.in +++ b/bin/tests/system/padding/ns2/named.conf.in @@ -36,7 +36,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/padding/ns3/named.conf.in b/bin/tests/system/padding/ns3/named.conf.in index a719249..1b44e47 100644 --- a/bin/tests/system/padding/ns3/named.conf.in +++ b/bin/tests/system/padding/ns3/named.conf.in @@ -41,5 +41,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/padding/ns4/named.conf.in b/bin/tests/system/padding/ns4/named.conf.in index 6828f2a..957175c 100644 --- a/bin/tests/system/padding/ns4/named.conf.in +++ b/bin/tests/system/padding/ns4/named.conf.in @@ -41,5 +41,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/padding/tests.sh b/bin/tests/system/padding/tests.sh index c952537..f20ba0b 100644 --- a/bin/tests/system/padding/tests.sh +++ b/bin/tests/system/padding/tests.sh @@ -19,30 +19,30 @@ n=0 status=0 DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" getcookie() { - awk '$2 == "COOKIE:" { + awk '$2 == "COOKIE:" { print $3; - }' < $1 + }' <$1 } echo_i "checking that dig handles padding ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +qr +padding=128 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null || ret=1 -grep "; QUERY SIZE: 128" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +qr +padding=128 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null || ret=1 +grep "; QUERY SIZE: 128" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that dig added padding ($n)" ret=0 n=$((n + 1)) -nextpart ns2/named.stats > /dev/null +nextpart ns2/named.stats >/dev/null $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 -nextpart ns2/named.stats | grep "EDNS padding option received" > /dev/null || ret=1 +nextpart ns2/named.stats | grep "EDNS padding option received" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -50,84 +50,90 @@ status=$((status + ret)) echo_i "checking that padding is added for TCP responses ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +padding=128 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null || ret=1 -grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +vc +padding=128 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null || ret=1 +grep "rcvd: 128" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding is added to valid cookie responses ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +cookie foo.example @10.53.0.2 > dig.out.testc +$DIG $DIGOPTS +cookie foo.example @10.53.0.2 >dig.out.testc cookie=$(getcookie dig.out.testc) -$DIG $DIGOPTS +cookie=$cookie +padding=128 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null || ret=1 -grep "rcvd: 128" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +cookie=$cookie +padding=128 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null || ret=1 +grep "rcvd: 128" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding must be requested (TCP) ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +vc foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding must be requested (valid cookie) ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +cookie=$cookie foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +cookie=$cookie foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that padding can be filtered out ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +vc +padding=128 -b 10.53.0.8 foo.example @10.53.0.2 > dig.out.test$n -grep "; PAD" dig.out.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +vc +padding=128 -b 10.53.0.8 foo.example @10.53.0.2 >dig.out.test$n +grep "; PAD" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that a TCP and padding server config enables padding ($n)" ret=0 n=$((n + 1)) -nextpart ns2/named.stats > /dev/null +nextpart ns2/named.stats >/dev/null $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 opad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -$DIG $DIGOPTS foo.example @10.53.0.3 > dig.out.test$n +$DIG $DIGOPTS foo.example @10.53.0.3 >dig.out.test$n $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 npad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -if [ "$opad" -eq "$npad" ]; then echo_i "error: opad ($opad) == npad ($npad)"; ret=1; fi +if [ "$opad" -eq "$npad" ]; then + echo_i "error: opad ($opad) == npad ($npad)" + ret=1 +fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that a padding server config should enforce TCP ($n)" ret=0 n=$((n + 1)) -nextpart ns2/named.stats > /dev/null +nextpart ns2/named.stats >/dev/null $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 opad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -$DIG $DIGOPTS foo.example @10.53.0.4 > dig.out.test$n +$DIG $DIGOPTS foo.example @10.53.0.4 >dig.out.test$n $RNDCCMD 10.53.0.2 stats wait_for_log_peek 5 "--- Statistics Dump ---" ns2/named.stats || ret=1 npad=$(nextpart ns2/named.stats | awk '/EDNS padding option received/ { print $1}') -if [ "$opad" -ne "$npad" ]; then echo_i "error: opad ($opad) != npad ($npad)"; ret=1; fi +if [ "$opad" -ne "$npad" ]; then + echo_i "error: opad ($opad) != npad ($npad)" + ret=1 +fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that zero-length padding option has no effect ($n)" ret=0 n=$((n + 1)) -$DIG $DIGOPTS +qr +ednsopt=12 foo.example @10.53.0.2 > dig.out.test$n.1 -grep "; PAD" dig.out.test$n.1 > /dev/null || ret=1 -$DIG $DIGOPTS +qr +ednsopt=12:00 foo.example @10.53.0.2 > dig.out.test$n.2 -grep "; PAD" dig.out.test$n.2 > /dev/null || ret=1 +$DIG $DIGOPTS +qr +ednsopt=12 foo.example @10.53.0.2 >dig.out.test$n.1 +grep "; PAD" dig.out.test$n.1 >/dev/null || ret=1 +$DIG $DIGOPTS +qr +ednsopt=12:00 foo.example @10.53.0.2 >dig.out.test$n.2 +grep "; PAD" dig.out.test$n.2 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/parallel.sh b/bin/tests/system/parallel.sh index 11a424f..11895ff 100644 --- a/bin/tests/system/parallel.sh +++ b/bin/tests/system/parallel.sh @@ -27,8 +27,8 @@ echo " exit 1; \\" echo " }" echo echo "test check: $PARALLELS" -for directory in $PARALLELDIRS ; do - echo - echo "test-$(echo "$directory" | tr _ -): check_interfaces" - echo " @${SHELL} ./legacy.run.sh -r $directory 2>&1 | tee test.output.$directory" +for directory in $PARALLELDIRS; do + echo + echo "test-$(echo "$directory" | tr _ -): check_interfaces" + echo " @${SHELL} ./legacy.run.sh -r $directory 2>&1 | tee test.output.$directory" done diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh index cb3662f..c7b99c3 100644 --- a/bin/tests/system/pending/ns1/sign.sh +++ b/bin/tests/system/pending/ns1/sign.sh @@ -17,19 +17,19 @@ zone=. infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL -e sign.sh ) +(cd ../ns2 && $SHELL -e sign.sh) cp ../ns2/dsset-example. . cp ../ns2/dsset-example.com. . keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone $zonefile > /dev/null +$SIGNER -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/pending/ns2/named.conf.in b/bin/tests/system/pending/ns2/named.conf.in index 59824df..a403f13 100644 --- a/bin/tests/system/pending/ns2/named.conf.in +++ b/bin/tests/system/pending/ns2/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh index 4965f85..062e989 100644 --- a/bin/tests/system/pending/ns2/sign.sh +++ b/bin/tests/system/pending/ns2/sign.sh @@ -14,20 +14,20 @@ . ../../conf.sh for domain in example example.com; do - zone=${domain}. - infile=${domain}.db.in - zonefile=${domain}.db + zone=${domain}. + infile=${domain}.db.in + zonefile=${domain}.db - keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) - keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) + keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) + keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) - cat $infile $keyname1.key $keyname2.key > $zonefile + cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -3 bebe -o $zone $zonefile > /dev/null + $SIGNER -3 bebe -o $zone $zonefile >/dev/null done # remove "removed" record from example.com, causing the server to # send an apparently-invalid NXDOMAIN -sed '/^removed/d' example.com.db.signed > example.com.db.new +sed '/^removed/d' example.com.db.signed >example.com.db.new rm -f example.com.db.signed mv example.com.db.new example.com.db.signed diff --git a/bin/tests/system/pending/ns3/named.conf.in b/bin/tests/system/pending/ns3/named.conf.in index 29afd19..6d69d67 100644 --- a/bin/tests/system/pending/ns3/named.conf.in +++ b/bin/tests/system/pending/ns3/named.conf.in @@ -30,7 +30,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "mail.example" { diff --git a/bin/tests/system/pending/ns4/named.conf.in b/bin/tests/system/pending/ns4/named.conf.in index dfb5541..0c2e8a8 100644 --- a/bin/tests/system/pending/ns4/named.conf.in +++ b/bin/tests/system/pending/ns4/named.conf.in @@ -27,5 +27,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh index 362cef3..29ab3e9 100644 --- a/bin/tests/system/pending/tests.sh +++ b/bin/tests/system/pending/tests.sh @@ -16,32 +16,31 @@ set -e . ../conf.sh # replace_data dname RR old_data new_data -replace_data() -{ - if [ $# -ne 4 ]; then - echo_i "unexpected input for replace_data" - return 1 - fi - - _dname=$1 - _rr=$2 - _olddata=$3 - _newdata=$4 - - _ret=0 - $NSUPDATE -d <<END >> nsupdate.out.test 2>&1 || _ret=1 +replace_data() { + if [ $# -ne 4 ]; then + echo_i "unexpected input for replace_data" + return 1 + fi + + _dname=$1 + _rr=$2 + _olddata=$3 + _newdata=$4 + + _ret=0 + $NSUPDATE -d <<END >>nsupdate.out.test 2>&1 || _ret=1 server 10.53.0.2 ${PORT} update delete ${_dname} 30 ${_rr} ${_olddata} update add ${_dname} 30 ${_rr} ${_newdata} send END - if [ $_ret != 0 ]; then - echo_i "failed to update the test data" - return 1 - fi + if [ $_ret != 0 ]; then + echo_i "failed to update the test data" + return 1 + fi - return 0 + return 0 } status=0 diff --git a/bin/tests/system/pipelined/ns2/named.conf.in b/bin/tests/system/pipelined/ns2/named.conf.in index 3679e97..9802689 100644 --- a/bin/tests/system/pipelined/ns2/named.conf.in +++ b/bin/tests/system/pipelined/ns2/named.conf.in @@ -35,7 +35,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "examplea" { diff --git a/bin/tests/system/pipelined/ns3/named.conf.in b/bin/tests/system/pipelined/ns3/named.conf.in index d8943d5..3fe8f56 100644 --- a/bin/tests/system/pipelined/ns3/named.conf.in +++ b/bin/tests/system/pipelined/ns3/named.conf.in @@ -35,7 +35,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "exampleb" { diff --git a/bin/tests/system/pipelined/ns4/named.conf.in b/bin/tests/system/pipelined/ns4/named.conf.in index 5d4be1c..a233f6c 100644 --- a/bin/tests/system/pipelined/ns4/named.conf.in +++ b/bin/tests/system/pipelined/ns4/named.conf.in @@ -37,5 +37,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh index 26c0d31..7f761de 100644 --- a/bin/tests/system/pipelined/tests.sh +++ b/bin/tests/system/pipelined/tests.sh @@ -16,17 +16,23 @@ set -e . ../conf.sh MDIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 echo_i "check pipelined TCP queries" ret=0 -$PIPEQUERIES -p ${PORT} < input > raw || ret=1 -awk '{ print $1 " " $5 }' < raw > output -sort < output > output-sorted -diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } -diff ref output > /dev/null && { ret=1 ; echo_i "diff out of order failed"; } +$PIPEQUERIES -p ${PORT} <input >raw || ret=1 +awk '{ print $1 " " $5 }' <raw >output +sort <output >output-sorted +diff ref output-sorted || { + ret=1 + echo_i "diff sorted failed" +} +diff ref output >/dev/null && { + ret=1 + echo_i "diff out of order failed" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -34,11 +40,17 @@ echo_i "check pipelined TCP queries using mdig" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 > raw.mdig -awk '{ print $1 " " $5 }' < raw.mdig > output.mdig -sort < output.mdig > output-sorted.mdig -diff ref output-sorted.mdig || { ret=1 ; echo_i "diff sorted failed"; } -diff ref output.mdig > /dev/null && { ret=1 ; echo_i "diff out of order failed"; } +$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 >raw.mdig +awk '{ print $1 " " $5 }' <raw.mdig >output.mdig +sort <output.mdig >output-sorted.mdig +diff ref output-sorted.mdig || { + ret=1 + echo_i "diff sorted failed" +} +diff ref output.mdig >/dev/null && { + ret=1 + echo_i "diff out of order failed" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -46,8 +58,8 @@ echo_i "check keep-response-order" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 -awk '{ print $1 " " $5 }' < rawb > outputb +$PIPEQUERIES -p ${PORT} ++ <inputb >rawb || ret=1 +awk '{ print $1 " " $5 }' <rawb >outputb diff refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -56,8 +68,8 @@ echo_i "check keep-response-order using mdig" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 > rawb.mdig -awk '{ print $1 " " $5 }' < rawb.mdig > outputb.mdig +$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 >rawb.mdig +awk '{ print $1 " " $5 }' <rawb.mdig >outputb.mdig diff refb outputb.mdig || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -66,15 +78,15 @@ echo_i "check mdig -4 -6" ret=0 $RNDCCMD 10.53.0.4 flush sleep 1 -$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 > output46.mdig 2>&1 && ret=1 -grep "only one of -4 and -6 allowed" output46.mdig > /dev/null || ret=1 +$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 >output46.mdig 2>&1 && ret=1 +grep "only one of -4 and -6 allowed" output46.mdig >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "check mdig -4 with an IPv6 server address" ret=0 -$MDIG $MDIGOPTS -4 -f input @fd92:7065:b8e:ffff::2 > output4.mdig 2>&1 && ret=1 -grep "address family not supported" output4.mdig > /dev/null || ret=1 +$MDIG $MDIGOPTS -4 -f input @fd92:7065:b8e:ffff::2 >output4.mdig 2>&1 && ret=1 +grep "address family not supported" output4.mdig >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/qmin/ns5/named.conf.in b/bin/tests/system/qmin/ns5/named.conf.in index d84d818..fac3538 100644 --- a/bin/tests/system/qmin/ns5/named.conf.in +++ b/bin/tests/system/qmin/ns5/named.conf.in @@ -39,5 +39,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/qmin/ns6/named.conf.in b/bin/tests/system/qmin/ns6/named.conf.in index 828973c..6301fb2 100644 --- a/bin/tests/system/qmin/ns6/named.conf.in +++ b/bin/tests/system/qmin/ns6/named.conf.in @@ -39,5 +39,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/qmin/ns7/named.conf.in b/bin/tests/system/qmin/ns7/named.conf.in index 8ca3275..917e3e7 100644 --- a/bin/tests/system/qmin/ns7/named.conf.in +++ b/bin/tests/system/qmin/ns7/named.conf.in @@ -39,7 +39,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "fwd." IN { diff --git a/bin/tests/system/qmin/prereq.sh b/bin/tests/system/qmin/prereq.sh new file mode 100644 index 0000000..b6b005f --- /dev/null +++ b/bin/tests/system/qmin/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PYTHON} -c 'import dns'; then + echo_i "python dns module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/qmin/tests.sh b/bin/tests/system/qmin/tests.sh index b8d3128..6c87a16 100755 --- a/bin/tests/system/qmin/tests.sh +++ b/bin/tests/system/qmin/tests.sh @@ -16,112 +16,112 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" CLEANQL="rm -f ans*/query.log" status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "query for .good is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.5 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.5 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.good. ADDR ns3.good. ADDR ns3.good. ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.good." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .bad is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.5 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.5 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.bad. ADDR ns3.bad. ADDR ns3.bad. ADDR a.bit.longer.ns.name.bad. ADDR a.bit.longer.ns.name.bad. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .slow is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.5 >dig.out.test$n sleep 5 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.slow. ADDR ns3.slow. ADDR ns3.slow. ADDR a.bit.longer.ns.name.slow. ADDR a.bit.longer.ns.name.slow. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.slow." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ugly is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.5 > dig.out.test$n +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.5 >dig.out.test$n sleep 5 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.ugly. ADDR ns3.ugly. ADDR ns3.ugly. ADDR a.bit.longer.ns.name.ugly. ADDR a.bit.longer.ns.name.ugly. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .good is properly minimized when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. ADDR ns2.good. @@ -131,31 +131,31 @@ NS boing.good. NS good. NS zoop.boing.good. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS zoop.boing.good. NS ptang.zoop.boing.good. NS icky.ptang.zoop.boing.good. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.ptang.zoop.boing.good. NS icky.icky.ptang.zoop.boing.good. ADDR icky.icky.icky.ptang.zoop.boing.good. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .good is properly minimized when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. ADDR ns2.good. @@ -164,47 +164,47 @@ ADDR ns3.good. NS boing.good. NS zoop.boing.good. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS ptang.zoop.boing.good. NS icky.ptang.zoop.boing.good. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.icky.ptang.zoop.boing.good. ADDR icky.icky.icky.ptang.zoop.boing.good. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .bad fails when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns2.bad. NS bad. NS boing.bad. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .bad succeeds when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.bad. ADDR a.bit.longer.ns.name.bad. ADDR icky.icky.icky.ptang.zoop.boing.bad. @@ -213,46 +213,46 @@ ADDR ns3.bad. ADDR ns3.bad. NS boing.bad. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.bad. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 ADDR icky.icky.icky.ptang.zoop.boing.bad. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ugly fails when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.6 > dig.out.test$n -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.6 >dig.out.test$n +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns2.ugly. NS boing.ugly. NS ugly. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) $RNDCCMD 10.53.0.6 flush -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ugly succeeds when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.ugly. ADDR a.bit.longer.ns.name.ugly. ADDR icky.icky.icky.ptang.zoop.boing.ugly. @@ -261,31 +261,31 @@ ADDR ns3.ugly. ADDR ns3.ugly. NS boing.ugly. __EOF -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - > /dev/null || ret=1 -echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - > /dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans3/query.log - >/dev/null || ret=1 +echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | diff ans4/query.log - >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) $RNDCCMD 10.53.0.7 flush -n=$((n+1)) +n=$((n + 1)) echo_i "information that minimization was unsuccessful for .ugly is logged in relaxed mode ($n)" ret=0 -wait_for_log 5 "success resolving 'icky.icky.icky.ptang.zoop.boing.ugly/A' after disabling qname minimization" ns7/named.run > /dev/null || ret=1 +wait_for_log 5 "success resolving 'icky.icky.icky.ptang.zoop.boing.ugly/A' after disabling qname minimization" ns7/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .slow is properly minimized when qname-minimization is on ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.6 > dig.out.test$n +$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.slow. @10.53.0.6 >dig.out.test$n sleep 5 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "icky.icky.icky.ptang.zoop.boing.slow. 1 IN A 192.0.2.1" dig.out.test$n >/dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.slow. ADDR a.bit.longer.ns.name.slow. ADDR ns2.slow. @@ -295,31 +295,31 @@ NS boing.slow. NS slow. NS zoop.boing.slow. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS zoop.boing.slow. NS ptang.zoop.boing.slow. NS icky.ptang.zoop.boing.slow. __EOF -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.ptang.zoop.boing.slow. NS icky.icky.ptang.zoop.boing.slow. ADDR icky.icky.icky.ptang.zoop.boing.slow. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .ip6.arpa succeeds and skips on proper boundaries when qname-minimization is on ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS -x 2001:4f8::1 @10.53.0.6 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 1 IN PTR nee.com." dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS -x 2001:4f8::1 @10.53.0.6 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. 1 IN PTR nee.com." dig.out.test$n >/dev/null || ret=1 sleep 1 -grep -v ADDR ans2/query.log > ans2/query.log.trimmed -cat << __EOF | diff ans2/query.log.trimmed - > /dev/null || ret=1 +grep -v ADDR ans2/query.log >ans2/query.log.trimmed +cat <<__EOF | diff ans2/query.log.trimmed - >/dev/null || ret=1 NS 1.0.0.2.ip6.arpa. NS 8.f.4.0.1.0.0.2.ip6.arpa. NS 0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. @@ -329,19 +329,19 @@ PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for multiple label name skips after 7th label ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS more.icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "more.icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.2" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS more.icky.icky.icky.ptang.zoop.boing.good. @10.53.0.6 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "more.icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.2" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.good. ADDR a.bit.longer.ns.name.good. ADDR ns2.good. @@ -351,50 +351,50 @@ NS boing.good. NS good. NS zoop.boing.good. __EOF -cat << __EOF | diff ans3/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans3/query.log - >/dev/null || ret=1 NS zoop.boing.good. NS ptang.zoop.boing.good. NS icky.ptang.zoop.boing.good. __EOF # There's no NS icky.icky.icky.ptang.zoop.boing.good. query - we skipped it. -cat << __EOF | diff ans4/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans4/query.log - >/dev/null || ret=1 NS icky.ptang.zoop.boing.good. NS icky.icky.ptang.zoop.boing.good. ADDR more.icky.icky.icky.ptang.zoop.boing.good. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "qname minimization is disabled when forwarding ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS a.bit.longer.ns.name.fwd. @10.53.0.7 > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a.bit.longer.ns.name.fwd. @10.53.0.7 >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 grep "a.bit.longer.ns.name.fwd. 1 IN A 10.53.0.4" dig.out.test$n >/dev/null || ret=1 sleep 1 -cat << __EOF | diff ans2/query.log - > /dev/null || ret=1 +cat <<__EOF | diff ans2/query.log - >/dev/null || ret=1 ADDR a.bit.longer.ns.name.fwd. __EOF for ans in ans2; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "qname minimization resolves unusual ip6.arpa. names ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. txt @10.53.0.7 > dig.out.test$n 2>&1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. txt @10.53.0.7 >dig.out.test$n 2>&1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 # Expected output in dig.out.test$n: # ;; ANSWER SECTION: # test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 1 IN TXT "long_ip6_name" -grep 'ip6\.arpa.*TXT.*long_ip6_name' dig.out.test$n > /dev/null || ret=1 +grep 'ip6\.arpa.*TXT.*long_ip6_name' dig.out.test$n >/dev/null || ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Below are test cases for GL #2665: The QNAME minimization (if enabled) should # also occur on the second query, after the RRsets have expired from cache. @@ -403,135 +403,135 @@ status=$((status+ret)) # We query for the test domain a.b.stale. in all cases (QNAME minimization off, # strict mode, and relaxed mode) and expect it to behave the same the second # time when we have a stale delegation structure in cache. -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is not minimized when qname-minimization is off ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.5 flush -$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n >/dev/null || ret=1 sleep 1 -echo "TXT a.b.stale." | diff ans2/query.log - > /dev/null || ret=1 -echo "TXT a.b.stale." | diff ans3/query.log - > /dev/null || ret=1 -test -f ans4/query.log && ret=1 +echo "TXT a.b.stale." | diff ans2/query.log - >/dev/null || ret=1 +echo "TXT a.b.stale." | diff ans3/query.log - >/dev/null || ret=1 +test -f ans4/query.log && ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in strict mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.6 flush -$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. ADDR ns2.stale. NS b.stale. NS stale. __EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. NS b.stale. TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode ($n)" ret=0 $CLEANQL $RNDCCMD 10.53.0.7 flush -$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. ADDR ns2.stale. NS b.stale. __EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 ADDR ns.b.stale. TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "sleep 2, allow entries in cache to go stale" sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is not minimized when qname-minimization is off (stale cache) ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*peekaboo" dig.out.test$n >/dev/null || ret=1 sleep 1 -echo "TXT a.b.stale." | diff ans2/query.log - > /dev/null || ret=1 -echo "TXT a.b.stale." | diff ans3/query.log - > /dev/null || ret=1 -test -f ans4/query.log && ret=1 +echo "TXT a.b.stale." | diff ans2/query.log - >/dev/null || ret=1 +echo "TXT a.b.stale." | diff ans3/query.log - >/dev/null || ret=1 +test -f ans4/query.log && ret=1 for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in strict mode (stale cache) ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 NS b.stale. NS stale. __EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 NS b.stale. TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "query for .stale is properly minimized when qname-minimization is in relaxed mode (stale cache) ($n)" ret=0 $CLEANQL -$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 txt a.b.stale. >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "a\.b\.stale\..*1.*IN.*TXT.*hooray" dig.out.test$n >/dev/null || ret=1 sleep 1 -sort ans2/query.log > ans2/query.log.sorted -cat << __EOF | diff ans2/query.log.sorted - > /dev/null || ret=1 +sort ans2/query.log >ans2/query.log.sorted +cat <<__EOF | diff ans2/query.log.sorted - >/dev/null || ret=1 NS b.stale. __EOF -test -f ans3/query.log && ret=1 -sort ans4/query.log > ans4/query.log.sorted -cat << __EOF | diff ans4/query.log.sorted - > /dev/null || ret=1 +test -f ans3/query.log && ret=1 +sort ans4/query.log >ans4/query.log.sorted +cat <<__EOF | diff ans4/query.log.sorted - >/dev/null || ret=1 TXT a.b.stale. __EOF for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/reclimit/ans7/ans.pl b/bin/tests/system/reclimit/ans7/ans.pl index 41a44a6..52110f1 100644 --- a/bin/tests/system/reclimit/ans7/ans.pl +++ b/bin/tests/system/reclimit/ans7/ans.pl @@ -22,9 +22,14 @@ my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; print $pidf "$$\n" or die "cannot write pid file: $!"; $pidf->close or die "cannot close pid file: $!"; sub rmpid { unlink "ans.pid"; exit 1; }; +sub term { }; $SIG{INT} = \&rmpid; -$SIG{TERM} = \&rmpid; +if ($Net::DNS::VERSION >= 1.42) { + $SIG{TERM} = \&term; +} else { + $SIG{TERM} = \&rmpid; +} my $count = 0; @@ -73,4 +78,11 @@ my $ns = Net::DNS::Nameserver->new( Verbose => $verbose, ); -$ns->main_loop; +if ($Net::DNS::VERSION >= 1.42) { + $ns->start_server(); + select(undef, undef, undef, undef); + $ns->stop_server(); + unlink "ans.pid"; +} else { + $ns->main_loop; +} diff --git a/bin/tests/system/reclimit/prereq.sh b/bin/tests/system/reclimit/prereq.sh new file mode 100644 index 0000000..0d6e2b4 --- /dev/null +++ b/bin/tests/system/reclimit/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +if ! ${PERL} -MNet::DNS::Nameserver -e ''; then + echo_i "perl Net::DNS::Nameserver module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/reclimit/tests.sh b/bin/tests/system/reclimit/tests.sh index 7e80d22..4212e2d 100644 --- a/bin/tests/system/reclimit/tests.sh +++ b/bin/tests/system/reclimit/tests.sh @@ -21,17 +21,17 @@ status=0 n=0 ns3_reset() { - copy_setports $1 ns3/named.conf - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns3 /' - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush | sed 's/^/I:ns3 /' + copy_setports $1 ns3/named.conf + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/I:ns3 /' + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush | sed 's/^/I:ns3 /' } ns3_sends_aaaa_queries() { - if grep "started AAAA fetch" ns3/named.run >/dev/null; then - return 0 - else - return 1 - fi + if grep "started AAAA fetch" ns3/named.run >/dev/null; then + return 0 + else + return 1 + fi } # Check whether the number of queries ans2 received from ns3 (this value is @@ -40,23 +40,23 @@ ns3_sends_aaaa_queries() { # - if ns3 sends AAAA queries, the query count should equal $2, # - if ns3 does not send AAAA queries, the query count should equal $3. check_query_count() { - count1=$(sed 's/[^0-9]//g;' $1) - count2=$(sed 's/[^0-9]//g;' $2) - count=$((count1 + count2)) - #echo_i "count1=$count1 count2=$count2 count=$count" - expected_count_with_aaaa=$3 - expected_count_without_aaaa=$4 - - if ns3_sends_aaaa_queries; then - expected_count=$expected_count_with_aaaa - else - expected_count=$expected_count_without_aaaa - fi - - if [ $count -ne $expected_count ]; then - echo_i "count $count (actual) != $expected_count (expected)" - ret=1 - fi + count1=$(sed 's/[^0-9]//g;' $1) + count2=$(sed 's/[^0-9]//g;' $2) + count=$((count1 + count2)) + #echo_i "count1=$count1 count2=$count2 count=$count" + expected_count_with_aaaa=$3 + expected_count_without_aaaa=$4 + + if ns3_sends_aaaa_queries; then + expected_count=$expected_count_with_aaaa + else + expected_count=$expected_count_without_aaaa + fi + + if [ $count -ne $expected_count ]; then + echo_i "count $count (actual) != $expected_count (expected)" + ret=1 + fi } echo_i "set max-recursion-depth=12" @@ -64,14 +64,14 @@ echo_i "set max-recursion-depth=12" n=$((n + 1)) echo_i "attempt excessive-depth lookup ($n)" ret=0 -echo "1000" > ans2/ans.limit -echo "1000" > ans4/ans.limit -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect1.example.org > dig.out.1.test$n || ret=1 -grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +echo "1000" >ans2/ans.limit +echo "1000" >ans4/ans.limit +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect1.example.org >dig.out.1.test$n || ret=1 +grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 27 14 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -79,15 +79,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "12" > ans2/ans.limit -echo "12" > ans4/ans.limit +echo "12" >ans2/ans.limit +echo "12" >ans4/ans.limit ns3_reset ns3/named1.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect2.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect2.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 50 26 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -97,14 +97,14 @@ echo_i "set max-recursion-depth=5" n=$((n + 1)) echo_i "attempt excessive-depth lookup ($n)" ret=0 -echo "12" > ans2/ans.limit +echo "12" >ans2/ans.limit ns3_reset ns3/named2.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect3.example.org > dig.out.1.test$n || ret=1 -grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect3.example.org >dig.out.1.test$n || ret=1 +grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 13 7 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -112,15 +112,15 @@ status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "5" > ans2/ans.limit -echo "5" > ans4/ans.limit +echo "5" >ans2/ans.limit +echo "5" >ans4/ans.limit ns3_reset ns3/named2.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect4.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect4.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 check_query_count dig.out.2.test$n dig.out.4.test$n 22 12 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -130,33 +130,39 @@ echo_i "set max-recursion-depth=100, max-recursion-queries=50" n=$((n + 1)) echo_i "attempt excessive-queries lookup ($n)" ret=0 -echo "13" > ans2/ans.limit -echo "13" > ans4/ans.limit +echo "13" >ans2/ans.limit +echo "13" >ans4/ans.limit ns3_reset ns3/named3.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.4 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect5.example.org > dig.out.1.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect5.example.org >dig.out.1.test$n || ret=1 if ns3_sends_aaaa_queries; then - grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 + grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 fi -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.4 count txt > dig.out.4.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.4 count txt >dig.out.4.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +[ $count -le 50 ] || { + ret=1 + echo_i "count ($count) !<= 50" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "12" > ans2/ans.limit +echo "12" >ans2/ans.limit ns3_reset ns3/named3.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect6.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect6.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +[ $count -le 50 ] || { + ret=1 + echo_i "count ($count) !<= 50" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -165,30 +171,36 @@ echo_i "set max-recursion-depth=100, max-recursion-queries=40" n=$((n + 1)) echo_i "attempt excessive-queries lookup ($n)" ret=0 -echo "11" > ans2/ans.limit +echo "11" >ans2/ans.limit ns3_reset ns3/named4.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect7.example.org > dig.out.1.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect7.example.org >dig.out.1.test$n || ret=1 if ns3_sends_aaaa_queries; then - grep "status: SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 + grep "status: SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 fi -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; } +[ $count -le 40 ] || { + ret=1 + echo_i "count ($count) !<= 40" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "attempt permissible lookup ($n)" ret=0 -echo "9" > ans2/ans.limit +echo "9" >ans2/ans.limit ns3_reset ns3/named4.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS @10.53.0.3 indirect8.example.org > dig.out.1.test$n || ret=1 -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 indirect8.example.org >dig.out.1.test$n || ret=1 +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) -[ $count -le 40 ] || { ret=1; echo_i "count ($count) !<= 40"; } +[ $count -le 40 ] || { + ret=1 + echo_i "count ($count) !<= 40" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -196,14 +208,17 @@ n=$((n + 1)) echo_i "attempting NS explosion ($n)" ret=0 ns3_reset ns3/named4.conf.in -$DIG $DIGOPTS @10.53.0.2 reset > /dev/null || ret=1 -$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net > dig.out.1.test$n || ret=1 -$DIG $DIGOPTS +short @10.53.0.2 count txt > dig.out.2.test$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 reset >/dev/null || ret=1 +$DIG $DIGOPTS +short @10.53.0.3 ns1.1.example.net >dig.out.1.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.2 count txt >dig.out.2.test$n || ret=1 eval count=$(cat dig.out.2.test$n) [ $count -lt 50 ] || ret=1 -$DIG $DIGOPTS +short @10.53.0.7 count txt > dig.out.3.test$n || ret=1 +$DIG $DIGOPTS +short @10.53.0.7 count txt >dig.out.3.test$n || ret=1 eval count=$(cat dig.out.3.test$n) -[ $count -lt 50 ] || { ret=1; echo_i "count ($count) !<= 50"; } +[ $count -lt 50 ] || { + ret=1 + echo_i "count ($count) !<= 50" +} if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh index 974e6ca..4b1b092 100644 --- a/bin/tests/system/redirect/ns1/sign.sh +++ b/bin/tests/system/redirect/ns1/sign.sh @@ -20,9 +20,9 @@ zonefile=signed.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null zone=nsec3 infile=example.db @@ -31,6 +31,6 @@ zonefile=nsec3.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -g -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/redirect/ns2/named.conf.in b/bin/tests/system/redirect/ns2/named.conf.in index 9b88736..881a81f 100644 --- a/bin/tests/system/redirect/ns2/named.conf.in +++ b/bin/tests/system/redirect/ns2/named.conf.in @@ -42,7 +42,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "." { diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh index 974e6ca..4b1b092 100644 --- a/bin/tests/system/redirect/ns3/sign.sh +++ b/bin/tests/system/redirect/ns3/sign.sh @@ -20,9 +20,9 @@ zonefile=signed.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null zone=nsec3 infile=example.db @@ -31,6 +31,6 @@ zonefile=nsec3.db key1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 $zone) key2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -3 -fk $zone) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null +$SIGNER -P -3 - -g -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh index ffe4e13..0818d67 100644 --- a/bin/tests/system/redirect/ns5/sign.sh +++ b/bin/tests/system/redirect/ns5/sign.sh @@ -21,12 +21,12 @@ zone=signed. infile=signed.db.in zonefile=signed.db -key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null) -key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null) +key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2>/dev/null) +key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2>/dev/null) -cat $infile $key1.key $key2.key > $zonefile +cat $infile $key1.key $key2.key >$zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out +$SIGNER -P -g -O full -o $zone $zonefile >sign.ns5.signed.out cp signed.db.signed ../ns6 @@ -35,10 +35,10 @@ zone=. infile=root.db.in zonefile=root.db -key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null) -key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null) +key1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2>/dev/null) +key2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2>/dev/null) # cat $infile $key1.key $key2.key > $zonefile -cat $infile dsset-signed. $key1.key $key2.key > $zonefile +cat $infile dsset-signed. $key1.key $key2.key >$zonefile -$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out +$SIGNER -P -g -O full -o $zone $zonefile >sign.ns5.root.out diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh index d182469..5022a83 100644 --- a/bin/tests/system/redirect/setup.sh +++ b/bin/tests/system/redirect/setup.sh @@ -22,8 +22,8 @@ copy_setports ns6/named.conf.in ns6/named.conf cp ns2/redirect.db.in ns2/redirect.db cp ns2/example.db.in ns2/example.db -( cd ns1 && $SHELL sign.sh ) +(cd ns1 && $SHELL sign.sh) cp ns4/example.db.in ns4/example.db -( cd ns3 && $SHELL sign.sh ) -( cd ns5 && $SHELL sign.sh ) +(cd ns3 && $SHELL sign.sh) +(cd ns5 && $SHELL sign.sh) diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh index 83b90ad..09d40cf 100644 --- a/bin/tests/system/redirect/tests.sh +++ b/bin/tests/system/redirect/tests.sh @@ -21,33 +21,31 @@ n=1 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -for conf in conf/good*.conf -do - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +for conf in conf/good*.conf; do + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - n=$((n + 1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking A zone redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -57,7 +55,7 @@ ret=0 rm -f ns2/named.stats 2>/dev/null $RNDCCMD 10.53.0.2 stats || ret=1 PRE=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p" ns2/named.stats) -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 rm -f ns2/named.stats 2>/dev/null $RNDCCMD 10.53.0.2 stats || ret=1 POST=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p" ns2/named.stats) @@ -68,285 +66,285 @@ status=$((status + ret)) echo_i "checking AAAA zone redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect doesn't work for acl miss ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect doesn't work for acl miss ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect doesn't work for acl miss ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 any > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.4 any >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 aaaa >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 any > dig.out.ns2.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns2.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.2 -b 10.53.0.2 any >dig.out.ns2.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns2.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns2.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns2.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect works for nonexist authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect works for nonexist authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for nonexist authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect doesn't work for acl miss authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 a > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 a >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect doesn't work for acl miss authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect doesn't work for acl miss authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 any > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.1 -b 10.53.0.4 any >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect works for signed nonexist, DO=0 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect works for signed nonexist, DO=0 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect works for signed nonexist, DO=0 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 a > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 a >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 aaaa >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY zone redirect fails for nsec3 signed nonexist, DO=1 authoritative ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 any > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "100.100.100.2" dig.out.ns1.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.1 -b 10.53.0.1 any >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "100.100.100.2" dig.out.ns1.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6402" dig.out.ns1.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns1.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking zone redirect works (with noerror) when qtype is not found ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -354,19 +352,19 @@ status=$((status + ret)) echo_i "checking that redirect zones reload correctly" ret=0 sleep 1 # ensure file mtime will have changed -cat ns2/example.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' > ns2/example.db -cat ns2/redirect.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' -e 's/\.1$/.2/' > ns2/redirect.db +cat ns2/example.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' >ns2/example.db +cat ns2/redirect.db.in | sed -e 's/0 0 0 0 0/1 0 0 0 0/' -e 's/\.1$/.2/' >ns2/redirect.db rndc_reload ns2 10.53.0.2 for i in 1 2 3 4 5 6 7 8 9; do - tmp=0 - $DIG $DIGOPTS +short @10.53.0.2 soa example.nil > dig.out.ns1.test$n || tmp=1 - set -- $(cat dig.out.ns1.test$n) - [ $3 = 1 ] || tmp=1 - $DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a > dig.out.ns2.test$n || tmp=1 - grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || tmp=1 - grep "100.100.100.2" dig.out.ns2.test$n > /dev/null || tmp=1 - [ $tmp -eq 0 ] && break - sleep 1 + tmp=0 + $DIG $DIGOPTS +short @10.53.0.2 soa example.nil >dig.out.ns1.test$n || tmp=1 + set -- $(cat dig.out.ns1.test$n) + [ $3 = 1 ] || tmp=1 + $DIG $DIGOPTS nonexist. @10.53.0.2 -b 10.53.0.2 a >dig.out.ns2.test$n || tmp=1 + grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || tmp=1 + grep "100.100.100.2" dig.out.ns2.test$n >/dev/null || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 done [ $tmp -eq 1 ] && ret=1 n=$((n + 1)) @@ -375,9 +373,9 @@ status=$((status + ret)) echo_i "checking A nxdomain-redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "nonexist. .*100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "nonexist. .*100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -388,9 +386,9 @@ rm -f ns4/named.stats 2>/dev/null $RNDCCMD 10.53.0.4 stats || ret=1 PRE_RED=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected$/\1/p" ns4/named.stats) PRE_SUC=$(sed -n -e "s/[ ]*\([0-9]*\).queries resulted in NXDOMAIN that were redirected and resulted in a successful remote lookup$/\1/p" ns4/named.stats) -$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "nonexist. .*2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "nonexist. .*2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -409,138 +407,138 @@ status=$((status + ret)) echo_i "checking ANY nxdomain-redirect works for nonexist ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A nxdomain-redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA nxdomain-redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY nxdomain-redirect works for signed nonexist, DO=0 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.signed. @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A nxdomain-redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA nxdomain-redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY nxdomain-redirect fails for signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 +$DIG $DIGOPTS nonexist.signed. +dnssec @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking A nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking AAAA nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 aaaa >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking ANY nxdomain-redirect fails for nsec3 signed nonexist, DO=1 ($n)" ret=0 -$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 any > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "100.100.100.1" dig.out.ns4.test$n > /dev/null && ret=1 -grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n > /dev/null && ret=1 -grep "IN.NSEC3" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.nsec3. +dnssec @10.53.0.4 -b 10.53.0.2 any >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "100.100.100.1" dig.out.ns4.test$n >/dev/null && ret=1 +grep "2001:ffff:ffff::6464:6401" dig.out.ns4.test$n >/dev/null && ret=1 +grep "IN.NSEC3" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking nxdomain-redirect works (with noerror) when qtype is not found ($n)" ret=0 -$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 txt > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist. @10.53.0.4 -b 10.53.0.2 txt >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking nxdomain-redirect against authoritative zone ($n)" ret=0 -$DIG $DIGOPTS nonexist.example @10.53.0.4 -b 10.53.0.2 a > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS nonexist.example @10.53.0.4 -b 10.53.0.2 a >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking tld nxdomain-redirect against signed root zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf >dig.out.ns5.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf >dig.out.ns6.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns6.test$n >/dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking extended error is not set on allow-recursion ($n)" ret=0 -$DIG $DIGOPTS example. @10.53.0.1 -b 10.53.0.2 soa > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "EDE" dig.out.ns1.test$n > /dev/null && ret=1 +$DIG $DIGOPTS example. @10.53.0.1 -b 10.53.0.2 soa >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "EDE" dig.out.ns1.test$n >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh index 2141a30..19a34c7 100644 --- a/bin/tests/system/resolver/ns6/keygen.sh +++ b/bin/tests/system/resolver/ns6/keygen.sh @@ -22,8 +22,8 @@ infile="${zonefile}.in" cp $infile $zonefile ksk=$($KEYGEN -q -a rsasha256 -fk $zone) zsk=$($KEYGEN -q -a rsasha256 -b 2048 $zone) -cat $ksk.key $zsk.key >> $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null +cat $ksk.key $zsk.key >>$zonefile +$SIGNER -P -o $zone $zonefile >/dev/null zone=example.net zonefile="${zone}.db" @@ -31,8 +31,8 @@ infile="${zonefile}.in" cp $infile $zonefile ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $zone) zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} $zone) -cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile -$SIGNER -P -o $zone $zonefile > /dev/null +cat $ksk.key $zsk.key dsset-ds.example.net. >>$zonefile +$SIGNER -P -o $zone $zonefile >/dev/null # Configure a static key to be used by delv -keyfile_to_static_ds $ksk > ../ns5/trusted.conf +keyfile_to_static_ds $ksk >../ns5/trusted.conf diff --git a/bin/tests/system/resolver/prereq.sh b/bin/tests/system/resolver/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/resolver/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index 2232e5b..1ec5f86 100755 --- a/bin/tests/system/resolver/tests.sh +++ b/bin/tests/system/resolver/tests.sh @@ -17,359 +17,376 @@ set -e . ../conf.sh dig_with_opts() { - "${DIG}" -p "${PORT}" "${@}" + "${DIG}" -p "${PORT}" "${@}" } resolve_with_opts() { - "${RESOLVE}" -p "${PORT}" "${@}" + "${RESOLVE}" -p "${PORT}" "${@}" } rndccmd() { - "${RNDC}" -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${@}" + "${RNDC}" -c ../_common/rndc.conf -p "${CONTROLPORT}" -s "${@}" } status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "checking non-cachable NXDOMAIN response handling ($n)" ret=0 -dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp nxdomain.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nxdomain.example.net 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxdomain" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" - ret=0 - resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) - - n=$((n+1)) - echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)" - ret=0 - resolve_with_opts -b 10.53.0.1 -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.8 -t a -s 10.53.0.1 www.example.org 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + n=$((n + 1)) + echo_i "checking that local bound address can be set (Can query from an allowed address) ($n)" + ret=0 + resolve_with_opts -b 10.53.0.1 -t a -s 10.53.0.1 www.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking non-cachable NODATA response handling ($n)" ret=0 -dig_with_opts +tcp nodata.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp nodata.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking non-cachable NODATA response handling using dns_client ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking non-cachable NODATA response handling using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 nodata.example.net 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: ncache nxrrset" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking handling of bogus referrals ($n)" # If the server has the "INSIST(!external)" bug, this query will kill it. -dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } - -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking handling of bogus referrals using dns_client ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 www.example.com 2> resolve.out.ns1.test${n} || ret=1 - grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} + +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking handling of bogus referrals using dns_client ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.com 2>resolve.out.ns1.test${n} || ret=1 + grep "resolution failed: SERVFAIL" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check handling of cname + other data / 1 ($n)" -dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } +dig_with_opts +tcp cname1.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} -n=$((n+1)) +n=$((n + 1)) echo_i "check handling of cname + other data / 2 ($n)" -dig_with_opts +tcp cname2.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } +dig_with_opts +tcp cname2.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} -n=$((n+1)) +n=$((n + 1)) echo_i "check that server is still running ($n)" -dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } +dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { + echo_i "failed" + status=$((status + 1)) +} -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv4 address filtering (deny) ($n)" ret=0 -dig_with_opts +tcp www.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv6 address filtering (deny) ($n)" ret=0 -dig_with_opts +tcp www.example.net @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.net @10.53.0.1 aaaa >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv4 address filtering (accept) ($n)" ret=0 -dig_with_opts +tcp www.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) - -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking answer IPv6 address filtering (accept) ($n)" ret=0 -dig_with_opts +tcp www.example.org @10.53.0.1 aaaa > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.example.org @10.53.0.1 aaaa >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t aaaa -s 10.53.0.1 www.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t aaaa -s 10.53.0.1 www.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.example.org..*.2001:db8:beef::1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking CNAME target filtering (deny) ($n)" ret=0 -dig_with_opts +tcp badcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp badcname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking CNAME target filtering (accept) ($n)" ret=0 -dig_with_opts +tcp goodcname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp goodcname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking CNAME target filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net > resolve.out.ns1.test${n} || ret=1 - grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking CNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 goodcname.example.net >resolve.out.ns1.test${n} || ret=1 + grep "goodcname.example.net..*.goodcname.example.org." resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "goodcname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking CNAME target filtering (accept due to subdomain) ($n)" ret=0 -dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp cname.sub.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org > resolve.out.ns1.test${n} || ret=1 - grep "cname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 cname.sub.example.org >resolve.out.ns1.test${n} || ret=1 + grep "cname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking DNAME target filtering (deny) ($n)" ret=0 -dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +dig_with_opts +tcp foo.baddname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking DNAME target filtering (accept) ($n)" ret=0 -dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp foo.gooddname.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking DNAME target filtering using dns_client (accept) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net > resolve.out.ns1.test${n} || ret=1 - grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking DNAME target filtering using dns_client (accept) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 foo.gooddname.example.net >resolve.out.ns1.test${n} || ret=1 + grep "foo.gooddname.example.net..*.gooddname.example.org" resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "foo.gooddname.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking DNAME target filtering (accept due to subdomain) ($n)" ret=0 -dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +tcp www.dname.sub.example.org @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x "${RESOLVE}" ] ; then - n=$((n+1)) - echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" - ret=0 - resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org > resolve.out.ns1.test${n} || ret=1 - grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} > /dev/null || ret=1 - grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if [ -x "${RESOLVE}" ]; then + n=$((n + 1)) + echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" + ret=0 + resolve_with_opts -t a -s 10.53.0.1 www.dname.sub.example.org >resolve.out.ns1.test${n} || ret=1 + grep "www.dname.sub.example.org..*.ok.sub.example.org." resolve.out.ns1.test${n} >/dev/null || ret=1 + grep "www.ok.sub.example.org..*.192.0.2.1" resolve.out.ns1.test${n} >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver accepts a referral response with a non-empty ANSWER section ($n)" ret=0 -dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A > dig.ns1.out.${n} || ret=1 -grep "status: NOERROR" dig.ns1.out.${n} > /dev/null || ret=1 -grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.1 foo.glue-in-answer.example.org. A >dig.ns1.out.${n} || ret=1 +grep "status: NOERROR" dig.ns1.out.${n} >/dev/null || ret=1 +grep "foo.glue-in-answer.example.org.*192.0.2.1" dig.ns1.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" # ns5 is the recusor being tested. ns4 holds the sourcens zone containing # names with varying numbers of NS records pointing to non-existent # nameservers in the targetns zone on ns6. ret=0 -rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test -count_fetches () { - actual=$(nextpartpeek ns5/named.run | grep -c " fetch: ns.fake${nscount}") - [ "${actual:-0}" -eq "${expected}" ] || return 1 - return 0 +rndccmd 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test +count_fetches() { + actual=$(nextpartpeek ns5/named.run | grep -c " fetch: ns.fake${nscount}") + [ "${actual:-0}" -eq "${expected}" ] || return 1 + return 0 } -for nscount in 1 2 3 4 5 6 7 8 9 10 -do - # Verify number of NS records at source server - dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} - sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -cv ';') - test "${sourcerecs}" -eq "${nscount}" || ret=1 - test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens" - - # Expected queries = 2 * number of NS records, up to a maximum of 10. - expected=$((nscount*2)) - if [ "$expected" -gt 10 ]; then expected=10; fi - # Count the number of logged fetches - nextpart ns5/named.run > /dev/null - dig_with_opts @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 - retry_quiet 5 count_fetches ns5/named.run $nscount $expected || { - echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"; ret=1; - } +for nscount in 1 2 3 4 5 6 7 8 9 10; do + # Verify number of NS records at source server + dig_with_opts +norecurse @10.53.0.4 target${nscount}.sourcens ns >dig.ns4.out.${nscount}.${n} + sourcerecs=$(grep NS dig.ns4.out.${nscount}.${n} | grep -cv ';') + test "${sourcerecs}" -eq "${nscount}" || ret=1 + test "${sourcerecs}" -eq "${nscount}" || echo_i "NS count incorrect for target${nscount}.sourcens" + + # Expected queries = 2 * number of NS records, up to a maximum of 10. + expected=$((nscount * 2)) + if [ "$expected" -gt 10 ]; then expected=10; fi + # Count the number of logged fetches + nextpart ns5/named.run >/dev/null + dig_with_opts @10.53.0.5 target${nscount}.sourcens A >dig.ns5.out.${nscount}.${n} || ret=1 + retry_quiet 5 count_fetches ns5/named.run $nscount $expected || { + echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual" + ret=1 + } done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test check setup ($n)" ret=0 # Check that "aa" is not being set by the authoritative server. -dig_with_opts +tcp . @10.53.0.4 soa > dig.ns4.out.${n} || ret=1 -grep 'flags: qr rd;' dig.ns4.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp . @10.53.0.4 soa >dig.ns4.out.${n} || ret=1 +grep 'flags: qr rd;' dig.ns4.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test positive answers ($n)" ret=0 # Check that resolver accepts the non-authoritative positive answers. -dig_with_opts +tcp . @10.53.0.5 soa > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp . @10.53.0.5 soa >dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test NODATA answers ($n)" ret=0 # Check that resolver accepts the non-authoritative nodata answers. -dig_with_opts +tcp . @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp . @10.53.0.5 txt >dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "RT21594 regression test NXDOMAIN answers ($n)" ret=0 # Check that resolver accepts the non-authoritative positive answers. -dig_with_opts +tcp noexistent @10.53.0.5 txt > dig.ns5.out.${n} || ret=1 -grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp noexistent @10.53.0.5 txt >dig.ns5.out.${n} || ret=1 +grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" ret=0 -dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=1 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 +dig_with_opts +tcp mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=1 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=1 if [ $ret = 1 ]; then echo_i "mx priming failed"; fi -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.6 ${PORT} zone example.net update delete mail.example.net A update add mail.example.net 0 AAAA ::1 send EOF -dig_with_opts +tcp a mail.example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=2 -grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=2 +dig_with_opts +tcp a mail.example.net @10.53.0.7 >dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=2 +grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=2 if [ $ret = 2 ]; then echo_i "ncache priming failed"; fi -dig_with_opts +tcp mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=3 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=3 -dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 > dig.ns7.out.${n} || ret=4 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=4 -grep "ANSWER: 0" dig.ns7.out.${n} > /dev/null || ret=4 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +dig_with_opts +tcp mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=3 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=3 +dig_with_opts +tcp rrsig mail.example.net +norec @10.53.0.7 >dig.ns7.out.${n} || ret=4 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=4 +grep "ANSWER: 0" dig.ns7.out.${n} >/dev/null || ret=4 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that update a nameservers address has immediate effects ($n)" ret=0 -dig_with_opts +tcp TXT foo.moves @10.53.0.7 > dig.ns7.foo.${n} || ret=1 -grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 -$NSUPDATE << EOF +dig_with_opts +tcp TXT foo.moves @10.53.0.7 >dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} >/dev/null || ret=1 +$NSUPDATE <<EOF server 10.53.0.7 ${PORT} zone server update delete ns.server A @@ -377,17 +394,20 @@ update add ns.server 300 A 10.53.0.4 send EOF sleep 1 -dig_with_opts +tcp TXT bar.moves @10.53.0.7 > dig.ns7.bar.${n} || ret=1 -grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 +dig_with_opts +tcp TXT bar.moves @10.53.0.7 >dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} >/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking that update a nameservers glue has immediate effects ($n)" ret=0 -dig_with_opts +tcp TXT foo.child.server @10.53.0.7 > dig.ns7.foo.${n} || ret=1 -grep "From NS 5" dig.ns7.foo.${n} > /dev/null || ret=1 -$NSUPDATE << EOF +dig_with_opts +tcp TXT foo.child.server @10.53.0.7 >dig.ns7.foo.${n} || ret=1 +grep "From NS 5" dig.ns7.foo.${n} >/dev/null || ret=1 +$NSUPDATE <<EOF server 10.53.0.7 ${PORT} zone server update delete ns.child.server A @@ -395,138 +415,152 @@ update add ns.child.server 300 A 10.53.0.4 send EOF sleep 1 -dig_with_opts +tcp TXT bar.child.server @10.53.0.7 > dig.ns7.bar.${n} || ret=1 -grep "From NS 4" dig.ns7.bar.${n} > /dev/null || ret=1 +dig_with_opts +tcp TXT bar.child.server @10.53.0.7 >dig.ns7.bar.${n} || ret=1 +grep "From NS 4" dig.ns7.bar.${n} >/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking empty RFC 1918 reverse zones ($n)" ret=0 # Check that "aa" is being set by the resolver for RFC 1918 zones # except the one that has been deliberately disabled -dig_with_opts @10.53.0.7 -x 10.1.1.1 > dig.ns4.out.1.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 192.168.1.1 > dig.ns4.out.2.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.16.1.1 > dig.ns4.out.3.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.17.1.1 > dig.ns4.out.4.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.18.1.1 > dig.ns4.out.5.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.19.1.1 > dig.ns4.out.6.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.21.1.1 > dig.ns4.out.7.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.22.1.1 > dig.ns4.out.8.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.23.1.1 > dig.ns4.out.9.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.24.1.1 > dig.ns4.out.11.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.25.1.1 > dig.ns4.out.12.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.26.1.1 > dig.ns4.out.13.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.27.1.1 > dig.ns4.out.14.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.28.1.1 > dig.ns4.out.15.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.29.1.1 > dig.ns4.out.16.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.30.1.1 > dig.ns4.out.17.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} > /dev/null || ret=1 -dig_with_opts @10.53.0.7 -x 172.31.1.1 > dig.ns4.out.18.${n} || ret=1 -grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 10.1.1.1 >dig.ns4.out.1.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.1.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 192.168.1.1 >dig.ns4.out.2.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.2.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.16.1.1 >dig.ns4.out.3.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.3.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.17.1.1 >dig.ns4.out.4.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.4.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.18.1.1 >dig.ns4.out.5.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.5.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.19.1.1 >dig.ns4.out.6.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.6.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.21.1.1 >dig.ns4.out.7.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.7.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.22.1.1 >dig.ns4.out.8.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.8.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.23.1.1 >dig.ns4.out.9.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.9.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.24.1.1 >dig.ns4.out.11.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.11.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.25.1.1 >dig.ns4.out.12.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.12.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.26.1.1 >dig.ns4.out.13.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.13.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.27.1.1 >dig.ns4.out.14.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.14.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.28.1.1 >dig.ns4.out.15.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.15.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.29.1.1 >dig.ns4.out.16.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.16.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.30.1.1 >dig.ns4.out.17.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.17.${n} >/dev/null || ret=1 +dig_with_opts @10.53.0.7 -x 172.31.1.1 >dig.ns4.out.18.${n} || ret=1 +grep 'flags: qr aa rd ra;' dig.ns4.out.18.${n} >/dev/null || ret=1 # but this one should NOT be authoritative -dig_with_opts @10.53.0.7 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1 -grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +dig_with_opts @10.53.0.7 -x 172.20.1.1 >dig.ns4.out.19.${n} || ret=1 +grep 'flags: qr rd ra;' dig.ns4.out.19.${n} >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking that removal of a delegation is honoured ($n)" ret=0 -dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n} -grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo_i "priming failed"; } +dig_with_opts @10.53.0.5 www.to-be-removed.tld A >dig.ns5.prime.${n} +grep "status: NOERROR" dig.ns5.prime.${n} >/dev/null || { + ret=1 + echo_i "priming failed" +} cp ns4/tld2.db ns4/tld.db rndc_reload ns4 10.53.0.4 tld old= -for i in 0 1 2 3 4 5 6 7 8 9 -do - foo=0 - dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null - dig_with_opts @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n} - grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1 - [ $foo = 0 ] && break - $NSUPDATE << EOF +for i in 0 1 2 3 4 5 6 7 8 9; do + foo=0 + dig_with_opts @10.53.0.5 ns$i.to-be-removed.tld A >/dev/null + dig_with_opts @10.53.0.5 www.to-be-removed.tld A >dig.ns5.out.${n} + grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || foo=1 + [ $foo = 0 ] && break + $NSUPDATE <<EOF server 10.53.0.6 ${PORT} zone to-be-removed.tld update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld update delete to-be-removed.tld NS ns${old}.to-be-removed.tld send EOF - old=$i - sleep 1 + old=$i + sleep 1 done -[ $ret = 0 ] && ret=$foo; -if [ $ret != 0 ]; then echo_i "failed"; status=1; fi +[ $ret = 0 ] && ret=$foo +if [ $ret != 0 ]; then + echo_i "failed" + status=1 +fi -n=$((n+1)) +n=$((n + 1)) echo_i "check for improved error message with SOA mismatch ($n)" ret=0 -dig_with_opts @10.53.0.1 www.sub.broken aaaa > dig.out.ns1.test${n} || ret=1 -grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1 +dig_with_opts @10.53.0.1 www.sub.broken aaaa >dig.out.ns1.test${n} || ret=1 +grep "not subdomain of zone" ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) copy_setports ns7/named2.conf.in ns7/named.conf rndccmd 10.53.0.7 reconfig 2>&1 | sed 's/^/ns7 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "check resolution on the listening port ($n)" ret=0 -dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 > dig.ns7.out.${n} || ret=2 -grep "status: NOERROR" dig.ns7.out.${n} > /dev/null || ret=1 -grep "ANSWER: 1" dig.ns7.out.${n} > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +dig_with_opts +tcp +tries=2 +time=5 mx example.net @10.53.0.7 >dig.ns7.out.${n} || ret=2 +grep "status: NOERROR" dig.ns7.out.${n} >/dev/null || ret=1 +grep "ANSWER: 1" dig.ns7.out.${n} >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch (${n})" ret=0 # read prefetch value from config. PREFETCH=$(sed -n "s/[[:space:]]*prefetch \([0-9]\).*/\1/p" ns5/named.conf) -dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.1.${n} || ret=1 +dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.1.${n} || ret=1 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) interval=$((ttl1 - PREFETCH + 1)) # sleep so we are in prefetch range sleep ${interval:-0} # trigger prefetch -dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.2.${n} || ret=1 +dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.2.${n} || ret=1 ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) sleep 1 # check that prefetch occurred -dig_with_opts @10.53.0.5 fetch.tld txt > dig.out.3.${n} || ret=1 +dig_with_opts @10.53.0.5 fetch.tld txt >dig.out.3.${n} || ret=1 ttl=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) test "${ttl:-0}" -gt "${ttl2:-1}" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch of validated DS's RRSIG TTL is updated (${n})" ret=0 -dig_with_opts +dnssec @10.53.0.5 ds.example.net ds > dig.out.1.${n} || ret=1 +dig_with_opts +dnssec @10.53.0.5 ds.example.net ds >dig.out.1.${n} || ret=1 dsttl1=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.1.${n}) interval=$((dsttl1 - PREFETCH + 1)) # sleep so we are in prefetch range sleep ${interval:-0} # trigger prefetch -dig_with_opts @10.53.0.5 ds.example.net ds > dig.out.2.${n} || ret=1 +dig_with_opts @10.53.0.5 ds.example.net ds >dig.out.2.${n} || ret=1 dsttl2=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.2.${n}) sleep 1 # check that prefetch occurred -dig_with_opts @10.53.0.5 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1 +dig_with_opts @10.53.0.5 ds.example.net ds +dnssec >dig.out.3.${n} || ret=1 dsttl=$(awk '$4 == "DS" && $7 == "2" { print $2 }' dig.out.3.${n}) sigttl=$(awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}) test "${dsttl:-0}" -gt "${dsttl2:-1}" || ret=1 @@ -535,485 +569,484 @@ test "${dsttl:-0}" -eq "${sigttl:-1}" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch disabled (${n})" ret=0 -dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.1.${n} || ret=1 +dig_with_opts @10.53.0.7 fetch.example.net txt >dig.out.1.${n} || ret=1 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.1.${n}) interval=$((ttl1 - PREFETCH + 1)) # sleep so we are in expire range sleep ${interval:-0} tmp_ttl=$ttl1 no_prefetch() { - # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl. - # since prefetch is disabled, updated ttl must be a lower value than - # the previous one. - dig_with_opts @10.53.0.7 fetch.example.net txt > dig.out.2.${n} || return 1 - ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) - # check that prefetch has not occurred - if [ "$ttl2" -ge "${tmp_ttl}" ]; then - return 1 - fi - tmp_ttl=$ttl2 + # fetch record and ensure its ttl is in range 0 < ttl < tmp_ttl. + # since prefetch is disabled, updated ttl must be a lower value than + # the previous one. + dig_with_opts @10.53.0.7 fetch.example.net txt >dig.out.2.${n} || return 1 + ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) + # check that prefetch has not occurred + if [ "$ttl2" -ge "${tmp_ttl}" ]; then + return 1 + fi + tmp_ttl=$ttl2 } retry_quiet 3 no_prefetch || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch qtype * (${n})" ret=0 -dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1 +dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.1.${n} || ret=1 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n}) # sleep so we are in prefetch range sleep "${ttl1:-0}" # trigger prefetch -dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1 +dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.2.${n} || ret=1 ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) sleep 1 # check that prefetch occurred; # note that only one record is prefetched, which is the TXT record in this case, # because of the order of the records in the cache -dig_with_opts @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1 +dig_with_opts @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1 ttl3=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.3.${n}) test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that E was logged on EDNS queries in the query log (${n})" ret=0 -dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any > dig.out.2.${n} || ret=1 -grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null || ret=1 -dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any > dig.out.2.${n} || ret=1 -grep "query: noedns.fetchall.tld IN ANY" ns5/named.run > /dev/null || ret=1 -grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run > /dev/null && ret=1 +dig_with_opts @10.53.0.5 +edns edns.fetchall.tld any >dig.out.2.${n} || ret=1 +grep "query: edns.fetchall.tld IN ANY +E" ns5/named.run >/dev/null || ret=1 +dig_with_opts @10.53.0.5 +noedns noedns.fetchall.tld any >dig.out.2.${n} || ret=1 +grep "query: noedns.fetchall.tld IN ANY" ns5/named.run >/dev/null || ret=1 +grep "query: noedns.fetchall.tld IN ANY +E" ns5/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that '-t aaaa' in .digrc does not have unexpected side effects ($n)" ret=0 -echo "-t aaaa" > .digrc -(HOME="$(pwd)" dig_with_opts @10.53.0.4 . > dig.out.1.${n}) || ret=1 -(HOME="$(pwd)" dig_with_opts @10.53.0.4 . A > dig.out.2.${n}) || ret=1 -(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 > dig.out.3.${n}) || ret=1 -grep ';\..*IN.*AAAA$' dig.out.1.${n} > /dev/null || ret=1 -grep ';\..*IN.*A$' dig.out.2.${n} > /dev/null || ret=1 -grep 'extra type option' dig.out.2.${n} > /dev/null && ret=1 -grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} > /dev/null || ret=1 +echo "-t aaaa" >.digrc +(HOME="$(pwd)" dig_with_opts @10.53.0.4 . >dig.out.1.${n}) || ret=1 +(HOME="$(pwd)" dig_with_opts @10.53.0.4 . A >dig.out.2.${n}) || ret=1 +(HOME="$(pwd)" dig_with_opts @10.53.0.4 -x 127.0.0.1 >dig.out.3.${n}) || ret=1 +grep ';\..*IN.*AAAA$' dig.out.1.${n} >/dev/null || ret=1 +grep ';\..*IN.*A$' dig.out.2.${n} >/dev/null || ret=1 +grep 'extra type option' dig.out.2.${n} >/dev/null && ret=1 +grep ';1\.0\.0\.127\.in-addr\.arpa\..*IN.*PTR$' dig.out.3.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) edns=$($FEATURETEST --edns-version) -n=$((n+1)) +n=$((n + 1)) echo_i "check that EDNS version is logged (${n})" ret=0 -dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any > dig.out.2.${n} || ret=1 -grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run > /dev/null || ret=1 +dig_with_opts @10.53.0.5 +edns edns0.fetchall.tld any >dig.out.2.${n} || ret=1 +grep "query: edns0.fetchall.tld IN ANY +E(0)" ns5/named.run >/dev/null || ret=1 if test "${edns:-0}" != 0; then - dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any > dig.out.2.${n} || ret=1 - grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run > /dev/null || ret=1 + dig_with_opts @10.53.0.5 +edns=1 edns1.fetchall.tld any >dig.out.2.${n} || ret=1 + grep "query: edns1.fetchall.tld IN ANY +E(1)" ns5/named.run >/dev/null || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if test "${edns:-0}" != 0; then - n=$((n+1)) - echo_i "check that edns-version is honoured (${n})" - ret=0 - dig_with_opts @10.53.0.5 +edns no-edns-version.tld > dig.out.1.${n} || ret=1 - grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run > /dev/null || ret=1 - dig_with_opts @10.53.0.5 +edns edns-version.tld > dig.out.2.${n} || ret=1 - grep "query: edns-version.tld IN A -E(0)" ns7/named.run > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + n=$((n + 1)) + echo_i "check that edns-version is honoured (${n})" + ret=0 + dig_with_opts @10.53.0.5 +edns no-edns-version.tld >dig.out.1.${n} || ret=1 + grep "query: no-edns-version.tld IN A -E(1)" ns6/named.run >/dev/null || ret=1 + dig_with_opts @10.53.0.5 +edns edns-version.tld >dig.out.2.${n} || ret=1 + grep "query: edns-version.tld IN A -E(0)" ns7/named.run >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "check that CNAME nameserver is logged correctly (${n})" ret=0 -dig_with_opts soa all-cnames @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run > /dev/null || ret=1 +dig_with_opts soa all-cnames @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "skipping nameserver 'cname.tld' because it is a CNAME, while resolving 'all-cnames/SOA'" ns5/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that unexpected opcodes are handled correctly (${n})" ret=0 -dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag > dig.out.ns5.test${n} || ret=1 -grep "status: NOTIMP" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 -grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 -grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 -grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} > /dev/null && ret=1 -grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} > /dev/null && ret=1 +dig_with_opts soa all-cnames @10.53.0.5 +opcode=15 +cd +rec +ad +zflag >dig.out.ns5.test${n} || ret=1 +grep "status: NOTIMP" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "flags:[^;]* qr[; ]" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "flags:[^;]* ra[; ]" dig.out.ns5.test${n} >/dev/null && ret=1 +grep "flags:[^;]* rd[; ]" dig.out.ns5.test${n} >/dev/null && ret=1 +grep "flags:[^;]* cd[; ]" dig.out.ns5.test${n} >/dev/null && ret=1 +grep "flags:[^;]* ad[; ]" dig.out.ns5.test${n} >/dev/null && ret=1 +grep "flags:[^;]*; MBZ: " dig.out.ns5.test${n} >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that EDNS client subnet with non-zeroed bits is handled correctly (${n})" ret=0 # 0001 (IPv4) 1f (31 significant bits) 00 (0) ffffffff (255.255.255.255) -dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff > dig.out.ns5.test${n} || ret=1 -grep "status: FORMERR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "; EDNS: version:" dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts soa . @10.53.0.5 +ednsopt=8:00011f00ffffffff >dig.out.ns5.test${n} || ret=1 +grep "status: FORMERR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "; EDNS: version:" dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that dig +subnet zeros address bits correctly (${n})" ret=0 -dig_with_opts soa . @10.53.0.5 +subnet=255.255.255.255/23 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts soa . @10.53.0.5 +subnet=255.255.255.255/23 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "CLIENT-SUBNET: 255.255.254.0/23/0" dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that SOA query returns data for delegation-only apex (${n})" ret=0 -dig_with_opts soa delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts soa delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that NS query returns data for delegation-only apex (${n})" ret=0 -dig_with_opts ns delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts ns delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that A query returns data for delegation-only A apex (${n})" ret=0 -dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts a delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that CDS query returns data for delegation-only apex (${n})" ret=0 -dig_with_opts cds delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts cds delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that AAAA query returns data for delegation-only AAAA apex (${n})" ret=0 -dig_with_opts a delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts a delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that DNSKEY query returns data for delegation-only apex (${n})" ret=0 -dig_with_opts dnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts dnskey delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that CDNSKEY query returns data for delegation-only apex (${n})" ret=0 -dig_with_opts cdnskey delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns5.test${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts cdnskey delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns5.test${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that NXDOMAIN is returned for delegation-only non-apex A data (${n})" ret=0 -dig_with_opts a a.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts a a.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDS data (${n})" ret=0 -dig_with_opts cds cds.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts cds cds.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that NXDOMAIN is returned for delegation-only non-apex AAAA data (${n})" ret=0 -dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts aaaa aaaa.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that NXDOMAIN is returned for delegation-only non-apex CDNSKEY data (${n})" ret=0 -dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 > dig.out.ns5.test${n} || ret=1 -grep "status: NXDOMAIN" dig.out.ns5.test${n} > /dev/null || ret=1 +dig_with_opts cdnskey cdnskey.delegation-only @10.53.0.5 >dig.out.ns5.test${n} || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check zero ttl not returned for learnt non zero ttl records (${n})" ret=0 # use prefetch disabled server -dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.1.${n} || ret=1 +dig_with_opts @10.53.0.7 non-zero.example.net txt >dig.out.1.${n} || ret=1 ttl1=$(awk '/"A" "short" "ttl"/ { print $2 - 2 }' dig.out.1.${n}) # sleep so we are in expire range sleep "${ttl1:-0}" # look for ttl = 1, allow for one miss at getting zero ttl zerotonine="0 1 2 3 4 5 6 7 8 9" zerotonine="$zerotonine $zerotonine $zerotonine" -for i in $zerotonine $zerotonine $zerotonine $zerotonine -do - dig_with_opts @10.53.0.7 non-zero.example.net txt > dig.out.2.${n} || ret=1 - ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) - test "${ttl2:-1}" -eq 0 && break - test "${ttl2:-1}" -ge "${ttl1:-0}" && break - "${PERL}" -e 'select(undef, undef, undef, 0.05);' +for i in $zerotonine $zerotonine $zerotonine $zerotonine; do + dig_with_opts @10.53.0.7 non-zero.example.net txt >dig.out.2.${n} || ret=1 + ttl2=$(awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}) + test "${ttl2:-1}" -eq 0 && break + test "${ttl2:-1}" -ge "${ttl1:-0}" && break + "${PERL}" -e 'select(undef, undef, undef, 0.05);' done test "${ttl2:-1}" -eq 0 && ret=1 test "${ttl2:-1}" -ge "${ttl1:-0}" || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check zero ttl is returned for learnt zero ttl records (${n})" ret=0 -dig_with_opts @10.53.0.7 zero.example.net txt > dig.out.1.${n} || ret=1 +dig_with_opts @10.53.0.7 zero.example.net txt >dig.out.1.${n} || ret=1 ttl=$(awk '/"A" "zero" "ttl"/ { print $2 }' dig.out.1.${n}) test "${ttl:-1}" -eq 0 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})" ret=0 -dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n -grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec >dig.out.$n +grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})" ret=0 -dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n -grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1 +dig_with_opts @10.53.0.6 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec >dig.out.$n +grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP ($n)" ret=0 -dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=4 > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null || ret=1 -grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.5 truncated.no-questions. a +tries=3 +time=4 >dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.ns5.out.${n} >/dev/null || ret=1 +grep "1\.2\.3\.4" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that the resolver rejects a reply with empty question section with TC=0 ($n)" ret=0 -dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=4 > dig.ns5.out.${n} || ret=1 -grep "status: NOERROR" dig.ns5.out.${n} > /dev/null && ret=1 -grep "ANSWER: 1," dig.ns5.out.${n} > /dev/null && ret=1 -grep "1\.2\.3\.4" dig.ns5.out.${n} > /dev/null && ret=1 +dig_with_opts @10.53.0.5 not-truncated.no-questions. a +tries=3 +time=4 >dig.ns5.out.${n} || ret=1 +grep "status: NOERROR" dig.ns5.out.${n} >/dev/null && ret=1 +grep "ANSWER: 1," dig.ns5.out.${n} >/dev/null && ret=1 +grep "1\.2\.3\.4" dig.ns5.out.${n} >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) if ${FEATURETEST} --enable-querytrace; then - n=$((n+1)) - echo_i "check that SERVFAIL is returned for an empty question section via TCP ($n)" - ret=0 - nextpart ns5/named.run > /dev/null - # bind to local address so that addresses in log messages are consistent - # between platforms - dig_with_opts @10.53.0.5 -b 10.53.0.5 tcpalso.no-questions. a +tries=2 +timeout=15 > dig.ns5.out.${n} || ret=1 - grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1 - check_namedrun() { - nextpartpeek ns5/named.run > nextpart.out.${n} - grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section, accepting it anyway as TC=1' nextpart.out.${n} > /dev/null || return 1 - grep '(tcpalso.no-questions/A): connecting via TCP' nextpart.out.${n} > /dev/null || return 1 - grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section$' nextpart.out.${n} > /dev/null || return 1 - grep '(tcpalso.no-questions/A): nextitem' nextpart.out.${n} > /dev/null || return 1 + n=$((n + 1)) + echo_i "check that SERVFAIL is returned for an empty question section via TCP ($n)" + ret=0 + nextpart ns5/named.run >/dev/null + # bind to local address so that addresses in log messages are consistent + # between platforms + dig_with_opts @10.53.0.5 -b 10.53.0.5 tcpalso.no-questions. a +tries=2 +timeout=15 >dig.ns5.out.${n} || ret=1 + grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null || ret=1 + check_namedrun() { + nextpartpeek ns5/named.run >nextpart.out.${n} + grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section, accepting it anyway as TC=1' nextpart.out.${n} >/dev/null || return 1 + grep '(tcpalso.no-questions/A): connecting via TCP' nextpart.out.${n} >/dev/null || return 1 + grep 'resolving tcpalso.no-questions/A for [^:]*: empty question section$' nextpart.out.${n} >/dev/null || return 1 + grep '(tcpalso.no-questions/A): nextitem' nextpart.out.${n} >/dev/null || return 1 return 0 - } - retry_quiet 12 check_namedrun || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + } + retry_quiet 12 check_namedrun || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "checking SERVFAIL is returned when all authoritative servers return FORMERR ($n)" ret=0 -dig_with_opts @10.53.0.5 ns.formerr-to-all. a > dig.ns5.out.${n} || ret=1 -grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.5 ns.formerr-to-all. a >dig.ns5.out.${n} || ret=1 +grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking SERVFAIL is not returned if only some authoritative servers return FORMERR ($n)" ret=0 -dig_with_opts @10.53.0.5 ns.partial-formerr. a > dig.ns5.out.${n} || ret=1 -grep "status: SERVFAIL" dig.ns5.out.${n} > /dev/null && ret=1 +dig_with_opts @10.53.0.5 ns.partial-formerr. a >dig.ns5.out.${n} || ret=1 +grep "status: SERVFAIL" dig.ns5.out.${n} >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check logged command line ($n)" ret=0 -grep "running as: .* -m record " ns1/named.run > /dev/null || ret=1 +grep "running as: .* -m record " ns1/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)" ret=0 -dig_with_opts @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1 -grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.${n} || ret=1 +grep "status: NXDOMAIN" dig.ns1.out.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that the addition section for HTTPS is populated on initial query to a recursive server ($n)" ret=0 -dig_with_opts @10.53.0.7 www.example.net https > dig.out.ns7.${n} || ret=1 -grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1 -grep "flags:[^;]* ra[ ;]" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1 -grep "http-server\.example\.net\..*A.*10\.53\.0\.6" dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 www.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "flags:[^;]* ra[ ;]" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1 +grep "http-server\.example\.net\..*A.*10\.53\.0\.6" dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check HTTPS loop is handled properly ($n)" ret=0 -dig_with_opts @10.53.0.7 https-loop.example.net https > dig.out.ns7.${n} || ret=1 -grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 https-loop.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check HTTPS -> CNAME loop is handled properly ($n)" ret=0 -dig_with_opts @10.53.0.7 https-cname-loop.example.net https > dig.out.ns7.${n} || ret=1 -grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ADDITIONAL: 2" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 https-cname-loop.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 2" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check HTTPS cname chains are followed ($n)" ret=0 -dig_with_opts @10.53.0.7 https-cname.example.net https > dig.out.ns7.${n} || ret=1 -grep "status: NOERROR" dig.out.ns7.${n} > /dev/null || ret=1 -grep "ADDITIONAL: 4" dig.out.ns7.${n} > /dev/null || ret=1 -grep 'http-server\.example\.net\..*A.10\.53\.0\.6' dig.out.ns7.${n} > /dev/null || ret=1 -grep 'cname-server\.example\.net\..*CNAME.cname-next\.example\.net\.' dig.out.ns7.${n} > /dev/null || ret=1 -grep 'cname-next\.example\.net\..*CNAME.http-server\.example\.net\.' dig.out.ns7.${n} > /dev/null || ret=1 +dig_with_opts @10.53.0.7 https-cname.example.net https >dig.out.ns7.${n} || ret=1 +grep "status: NOERROR" dig.out.ns7.${n} >/dev/null || ret=1 +grep "ADDITIONAL: 4" dig.out.ns7.${n} >/dev/null || ret=1 +grep 'http-server\.example\.net\..*A.10\.53\.0\.6' dig.out.ns7.${n} >/dev/null || ret=1 +grep 'cname-server\.example\.net\..*CNAME.cname-next\.example\.net\.' dig.out.ns7.${n} >/dev/null || ret=1 +grep 'cname-next\.example\.net\..*CNAME.http-server\.example\.net\.' dig.out.ns7.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check ADB find loops are detected ($n)" ret=0 -dig_with_opts +tcp +tries=1 +timeout=5 @10.53.0.1 fake.lame.example.org > dig.out.ns1.${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.${n} > /dev/null || ret=1 +dig_with_opts +tcp +tries=1 +timeout=5 @10.53.0.1 fake.lame.example.org >dig.out.ns1.${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check handling of large referrals to unresponsive name servers ($n)" ret=0 -dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 -grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts +timeout=15 large-referral.example.net @10.53.0.1 a >dig.out.ns1.test${n} || ret=1 +grep "status: SERVFAIL" dig.out.ns1.test${n} >/dev/null || ret=1 # Check the total number of findname() calls triggered by a single query # for large-referral.example.net/A. findname_call_count="$(grep -c "large-referral\.example\.net.*FINDNAME" ns1/named.run || true)" if [ "${findname_call_count}" -gt 1000 ]; then - echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net" - ret=1 + echo_i "failed: ${findname_call_count} (> 1000) findname() calls detected for large-referral.example.net" + ret=1 fi # Check whether the limit of NS RRs processed for any delegation # encountered was not exceeded. if grep -Eq "dns_adb_createfind: started (A|AAAA) fetch for name ns21.fake.redirect.com" ns1/named.run; then - echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com" - ret=1 + echo_i "failed: unexpected address fetch(es) were triggered for ns21.fake.redirect.com" + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking query resolution for a domain with a valid glueless delegation chain ($n)" ret=0 rndccmd 10.53.0.1 flush || ret=1 -dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT > dig.out.ns1.test${n} || ret=1 -grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 -grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1 +dig_with_opts foo.bar.sub.tld1 @10.53.0.1 TXT >dig.out.ns1.test${n} || ret=1 +grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1 +grep "IN.*TXT.*baz" dig.out.ns1.test${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that correct namespace is chosen for dual-stack-servers ($n)" ret=0 # # The two priming queries are needed until we fix dual-stack-servers fully # -dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1 -dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1 -dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1 -grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A >dig.out.prime1.${n} || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA >dig.out.prime2.${n} || ret=1 +dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A >dig.out.ns9.${n} || ret=1 +grep "status: NOERROR" dig.out.ns9.${n} >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check expired TTLs with qtype * (${n})" ret=0 -dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.1.${n} || ret=1 +dig_with_opts +tcp @10.53.0.5 mixedttl.tld any >dig.out.1.${n} || ret=1 ttl1=$(awk '$1 == "mixedttl.tld." && $4 == "A" { print $2 + 1 }' dig.out.1.${n}) # sleep TTL + 1 so that record has expired sleep "${ttl1:-0}" -dig_with_opts +tcp @10.53.0.5 mixedttl.tld any > dig.out.2.${n} || ret=1 +dig_with_opts +tcp @10.53.0.5 mixedttl.tld any >dig.out.2.${n} || ret=1 # check preconditions -grep "ANSWER: 3," dig.out.1.${n} > /dev/null || ret=1 +grep "ANSWER: 3," dig.out.1.${n} >/dev/null || ret=1 lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.1.${n} | wc -l) test ${lines:-1} -ne 0 && ret=1 # check behaviour (there may be 1 answer on very slow machines) -grep "ANSWER: [12]," dig.out.2.${n} > /dev/null || ret=1 +grep "ANSWER: [12]," dig.out.2.${n} >/dev/null || ret=1 lines=$(awk '$1 == "mixedttl.tld." && $2 > 30 { print }' dig.out.2.${n} | wc -l) test ${lines:-1} -ne 0 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "check resolver behavior when FORMERR for EDNS options happens (${n})" ret=0 msg="resolving options-formerr/A .* server sent FORMERR with echoed DNS COOKIE" if [ $ret != 0 ]; then echo_i "failed"; fi nextpart ns5/named.run >/dev/null -dig_with_opts +tcp @10.53.0.5 options-formerr A > dig.out.${n} || ret=1 -grep "status: NOERROR" dig.out.${n} > /dev/null || ret=1 -nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1 +dig_with_opts +tcp @10.53.0.5 options-formerr A >dig.out.${n} || ret=1 +grep "status: NOERROR" dig.out.${n} >/dev/null || ret=1 +nextpart ns5/named.run | grep "$msg" >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/rndc/ns2/named.conf.in b/bin/tests/system/rndc/ns2/named.conf.in index c3ce3eb..630fa25 100644 --- a/bin/tests/system/rndc/ns2/named.conf.in +++ b/bin/tests/system/rndc/ns2/named.conf.in @@ -38,7 +38,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "nil" { diff --git a/bin/tests/system/rndc/ns3/named.conf.in b/bin/tests/system/rndc/ns3/named.conf.in index ed159b4..e3bf42e 100644 --- a/bin/tests/system/rndc/ns3/named.conf.in +++ b/bin/tests/system/rndc/ns3/named.conf.in @@ -40,7 +40,7 @@ view all { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; }; diff --git a/bin/tests/system/rndc/ns5/named.conf.in b/bin/tests/system/rndc/ns5/named.conf.in index e32fa49..51aacd3 100644 --- a/bin/tests/system/rndc/ns5/named.conf.in +++ b/bin/tests/system/rndc/ns5/named.conf.in @@ -31,5 +31,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index 85d6b73..61ee246 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -28,10 +28,10 @@ cp ns7/include.db.in ns7/include.db # TSAN, to give the test a fighting chance not to time out. size=1000000 if $FEATURETEST --tsan; then - size=250000 + size=250000 fi awk 'END { for (i = 1; i <= '${size}'; i++) - printf "host%d IN A 10.53.0.6\n", i; }' < /dev/null >> ns6/huge.zone.db + printf "host%d IN A 10.53.0.6\n", i; }' </dev/null >>ns6/huge.zone.db copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf @@ -40,11 +40,11 @@ copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf -make_key () { - $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \ - > ns4/key${1}.conf 2> /dev/null - grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \ - sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf +make_key() { + $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \ + >ns4/key${1}.conf 2>/dev/null + grep -E -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- \ + | sed 's/allow { 10.53.0.4/allow { any/' >>ns4/named.conf } $FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 @@ -54,7 +54,7 @@ make_key 4 ${EXTRAPORT4} hmac-sha256 make_key 5 ${EXTRAPORT5} hmac-sha384 make_key 6 ${EXTRAPORT6} hmac-sha512 -cat >> ns4/named.conf <<- EOF +cat >>ns4/named.conf <<-EOF controls { inet 10.53.0.4 port ${EXTRAPORT7} diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 2afaf8c..701e859 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -18,15 +18,15 @@ set -e DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd" DIGOPTS="" DIGCMD="$DIG $DIGOPTS -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf -s" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf -s" status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "preparing ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >/dev/null 2>&1 <<END || ret=1 server 10.53.0.2 zone nil. update add text1.nil. 600 IN TXT "addition 1" @@ -36,748 +36,754 @@ update add text1.other. 600 IN TXT "addition 1" send END [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } [ -s ns2/other.db.jnl ] || { - echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc freeze" $RNDCCMD 10.53.0.2 freeze | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone was dumped ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 1" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 1" ns2/nil.db >/dev/null && break + sleep 1 done -grep "addition 1" ns2/nil.db > /dev/null 2>&1 || ret=1 +grep "addition 1" ns2/nil.db >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking journal file is still present ($n)" ret=0 [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone not writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END && ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >/dev/null 2>&1 <<END && ret=1 server 10.53.0.2 zone nil. update add text2.nil. 600 IN TXT "addition 2" send END -$DIGCMD @10.53.0.2 text2.nil. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text2.nil. TXT >dig.out.1.test$n || ret=1 grep 'addition 2' dig.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc thaw" $RNDCCMD 10.53.0.2 thaw | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +wait_for_log 3 "zone_postload: zone nil/IN: done" ns2/named.run + +n=$((n + 1)) echo_i "checking zone now writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >nsupdate.out.1.test$n 2>&1 <<END || ret=1 server 10.53.0.2 zone nil. update add text3.nil. 600 IN TXT "addition 3" send END -$DIGCMD @10.53.0.2 text3.nil. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text3.nil. TXT >dig.out.1.test$n || ret=1 grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc sync" ret=0 $RNDCCMD 10.53.0.2 sync nil | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone was dumped ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 3" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 3" ns2/nil.db >/dev/null && break + sleep 1 done -grep "addition 3" ns2/nil.db > /dev/null 2>&1 || ret=1 +grep "addition 3" ns2/nil.db >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking journal file is still present ($n)" ret=0 [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone is still writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >nsupdate.out.1.test$n 2>&1 <<END || ret=1 server 10.53.0.2 zone nil. update add text4.nil. 600 IN TXT "addition 4" send END -$DIGCMD @10.53.0.2 text4.nil. TXT > dig.out.1.test$n || ret=1 -grep 'addition 4' dig.out.1.test$n > /dev/null || ret=1 +$DIGCMD @10.53.0.2 text4.nil. TXT >dig.out.1.test$n || ret=1 +grep 'addition 4' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "rndc sync -clean" ret=0 $RNDCCMD 10.53.0.2 sync -clean nil | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone was dumped ($n)" ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 4" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 4" ns2/nil.db >/dev/null && break + sleep 1 done -grep "addition 4" ns2/nil.db > /dev/null 2>&1 || ret=1 +grep "addition 4" ns2/nil.db >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking journal file is deleted ($n)" ret=0 [ -s ns2/nil.db.jnl ] && { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone is still writable ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > /dev/null 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >/dev/null 2>&1 <<END || ret=1 server 10.53.0.2 zone nil. update add text5.nil. 600 IN TXT "addition 5" send END -$DIGCMD @10.53.0.2 text4.nil. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text4.nil. TXT >dig.out.1.test$n || ret=1 grep 'addition 4' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking other journal files not removed ($n)" ret=0 [ -s ns2/other.db.jnl ] || { - echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "cleaning all zones ($n)" $RNDCCMD 10.53.0.2 sync -clean | sed 's/^/ns2 /' | cat_i -n=$((n+1)) +n=$((n + 1)) echo_i "checking all journals removed ($n)" ret=0 [ -s ns2/nil.db.jnl ] && { - echo_i "'test -s ns2/nil.db.jnl' succeeded when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' succeeded when it shouldn't have" + ret=1 } [ -s ns2/other.db.jnl ] && { - echo_i "'test -s ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1; + echo_i "'test -s ns2/other.db.jnl' succeeded when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that freezing static zones is not allowed ($n)" ret=0 -$RNDCCMD 10.53.0.2 freeze static > rndc.out.1.test$n 2>&1 && ret=1 -grep 'not dynamic' rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 freeze static >rndc.out.1.test$n 2>&1 && ret=1 +grep 'not dynamic' rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that journal is removed when serial is changed before thaw ($n)" ret=0 sleep 1 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >nsupdate.out.1.test$n 2>&1 <<END || ret=1 server 10.53.0.2 zone other. update add text6.other. 600 IN TXT "addition 6" send END [ -s ns2/other.db.jnl ] || { - echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/other.db.jnl' failed when it shouldn't have" + ret=1 } $RNDCCMD 10.53.0.2 freeze other 2>&1 | sed 's/^/ns2 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 6" ns2/other.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 6" ns2/other.db >/dev/null && break + sleep 1 done serial=$(awk '$3 ~ /serial/ {print $1}' ns2/other.db) newserial=$((serial + 1)) -sed s/$serial/$newserial/ ns2/other.db > ns2/other.db.new -echo 'frozen TXT "frozen addition"' >> ns2/other.db.new +sed s/$serial/$newserial/ ns2/other.db >ns2/other.db.new +echo 'frozen TXT "frozen addition"' >>ns2/other.db.new mv -f ns2/other.db.new ns2/other.db $RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i sleep 1 [ -f ns2/other.db.jnl ] && { - echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have"; ret=1; + echo_i "'test -f ns2/other.db.jnl' succeeded when it shouldn't have" + ret=1 } -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >nsupdate.out.2.test$n 2>&1 <<END || ret=1 server 10.53.0.2 zone other. update add text7.other. 600 IN TXT "addition 7" send END -$DIGCMD @10.53.0.2 text6.other. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.2 text6.other. TXT >dig.out.1.test$n || ret=1 grep 'addition 6' dig.out.1.test$n >/dev/null || ret=1 -$DIGCMD @10.53.0.2 text7.other. TXT > dig.out.2.test$n || ret=1 +$DIGCMD @10.53.0.2 text7.other. TXT >dig.out.2.test$n || ret=1 grep 'addition 7' dig.out.2.test$n >/dev/null || ret=1 -$DIGCMD @10.53.0.2 frozen.other. TXT > dig.out.3.test$n || ret=1 +$DIGCMD @10.53.0.2 frozen.other. TXT >dig.out.3.test$n || ret=1 grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that journal is kept when ixfr-from-differences is in use ($n)" ret=0 -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.1.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >nsupdate.out.1.test$n 2>&1 <<END || ret=1 server 10.53.0.2 zone nil. update add text6.nil. 600 IN TXT "addition 6" send END [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } $RNDCCMD 10.53.0.2 freeze nil 2>&1 | sed 's/^/ns2 /' | cat_i -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "addition 6" ns2/nil.db > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "addition 6" ns2/nil.db >/dev/null && break + sleep 1 done serial=$(awk '$3 ~ /serial/ {print $1}' ns2/nil.db) newserial=$((serial + 1)) -sed s/$serial/$newserial/ ns2/nil.db > ns2/nil.db.new -echo 'frozen TXT "frozen addition"' >> ns2/nil.db.new +sed s/$serial/$newserial/ ns2/nil.db >ns2/nil.db.new +echo 'frozen TXT "frozen addition"' >>ns2/nil.db.new mv -f ns2/nil.db.new ns2/nil.db $RNDCCMD 10.53.0.2 thaw 2>&1 | sed 's/^/ns2 /' | cat_i sleep 1 [ -s ns2/nil.db.jnl ] || { - echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns2/nil.db.jnl' failed when it shouldn't have" + ret=1 } -$NSUPDATE -p ${PORT} -k ns2/session.key > nsupdate.out.2.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -k ns2/session.key >nsupdate.out.2.test$n 2>&1 <<END || ret=1 server 10.53.0.2 zone nil. update add text7.nil. 600 IN TXT "addition 7" send END -$DIGCMD @10.53.0.2 text6.nil. TXT > dig.out.1.test$n || ret=1 -grep 'addition 6' dig.out.1.test$n > /dev/null || ret=1 -$DIGCMD @10.53.0.2 text7.nil. TXT > dig.out.2.test$n || ret=1 -grep 'addition 7' dig.out.2.test$n > /dev/null || ret=1 -$DIGCMD @10.53.0.2 frozen.nil. TXT > dig.out.3.test$n || ret=1 +$DIGCMD @10.53.0.2 text6.nil. TXT >dig.out.1.test$n || ret=1 +grep 'addition 6' dig.out.1.test$n >/dev/null || ret=1 +$DIGCMD @10.53.0.2 text7.nil. TXT >dig.out.2.test$n || ret=1 +grep 'addition 7' dig.out.2.test$n >/dev/null || ret=1 +$DIGCMD @10.53.0.2 frozen.nil. TXT >dig.out.3.test$n || ret=1 grep 'frozen addition' dig.out.3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # temp test echo_i "dumping stats ($n)" $RNDCCMD 10.53.0.2 stats -n=$((n+1)) +n=$((n + 1)) echo_i "verifying adb records in named.stats ($n)" -grep "ADB stats" ns2/named.stats > /dev/null || ret=1 +grep "ADB stats" ns2/named.stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test using second key ($n)" ret=0 -$RNDC -s 10.53.0.2 -p ${CONTROLPORT} -c ns2/secondkey.conf status > /dev/null || ret=1 +$RNDC -s 10.53.0.2 -p ${CONTROLPORT} -c ns2/secondkey.conf status >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc dumpdb' on a empty cache ($n)" ret=0 rndc_dumpdb ns3 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc reload' on a zone with include files ($n)" ret=0 -grep "incl/IN: skipping load" ns2/named.run > /dev/null && ret=1 +grep "incl/IN: skipping load" ns2/named.run >/dev/null && ret=1 loads=$(grep "incl/IN: starting load" ns2/named.run | wc -l) [ "$loads" -eq 1 ] || ret=1 -$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 -do - tmp=0 - grep "incl/IN: skipping load" ns2/named.run > /dev/null || tmp=1 - [ $tmp -eq 0 ] && break - sleep 1 +$RNDCCMD 10.53.0.2 reload >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9; do + tmp=0 + grep "incl/IN: skipping load" ns2/named.run >/dev/null || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 done [ $tmp -eq 1 ] && ret=1 touch ns2/static.db -$RNDCCMD 10.53.0.2 reload > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 -do - tmp=0 - loads=$(grep "incl/IN: starting load" ns2/named.run | wc -l) - [ "$loads" -eq 2 ] || tmp=1 - [ $tmp -eq 0 ] && break - sleep 1 +$RNDCCMD 10.53.0.2 reload >/dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9; do + tmp=0 + loads=$(grep "incl/IN: starting load" ns2/named.run | wc -l) + [ "$loads" -eq 2 ] || tmp=1 + [ $tmp -eq 0 ] && break + sleep 1 done [ $tmp -eq 1 ] && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) if $FEATURETEST --md5; then - echo_i "testing rndc with hmac-md5 ($n)" - ret=0 - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 - for i in 2 3 4 5 6 - do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status >/dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipping rndc with hmac-md5 ($n)" + echo_i "skipping rndc with hmac-md5 ($n)" fi -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha1 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status > /dev/null 2>&1 || ret=1 -for i in 1 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key2.conf status >/dev/null 2>&1 || ret=1 +for i in 1 3 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT2} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha224 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key3.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT3} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha256 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 3 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key4.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 3 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT4} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha384 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 3 4 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key5.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 3 4 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT5} -c ns4/key${i}.conf status >/dev/null 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with hmac-sha512 ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > /dev/null 2>&1 || ret=1 -for i in 1 2 3 4 5 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >/dev/null 2>&1 || ret=1 +for i in 1 2 3 4 5; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key${i}.conf status >/dev/null 2>&1 2>&1 && ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing single control channel with multiple algorithms ($n)" ret=0 -for i in 1 2 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1 +for i in 1 2 3 4 5 6; do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT7} -c ns4/key${i}.conf status >/dev/null 2>&1 || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing automatic zones are reported ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n || ret=1 -grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >rndc.out.1.test$n || ret=1 +grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with null command ($n)" ret=0 $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with unknown control channel command ($n)" ret=0 $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf obviouslynotacommand >/dev/null 2>&1 && ret=1 # rndc: 'obviouslynotacommand' failed: unknown command if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with querylog command ($n)" ret=0 # first enable it with querylog on option $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog on >/dev/null 2>&1 || ret=1 -grep "query logging is now on" ns4/named.run > /dev/null || ret=1 +grep "query logging is now on" ns4/named.run >/dev/null || ret=1 # query for builtin and check if query was logged (without +subnet) -$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr > dig.out.1.test$n 2>&1 || ret=1 -grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run > /dev/null || ret=1 +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr >dig.out.1.test$n 2>&1 || ret=1 +grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=127.0.0.1) -$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr > dig.out.2.test$n 2>&1 || ret=1 -grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1/32/0]" ns4/named.run > /dev/null || ret=1 +$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr >dig.out.2.test$n 2>&1 || ret=1 +grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1/32/0]" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=127.0.0.1/24) -$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr > dig.out.3.test$n 2>&1 || ret=1 -grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0/24/0]" ns4/named.run > /dev/null || ret=1 +$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr >dig.out.3.test$n 2>&1 || ret=1 +grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0/24/0]" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=::1) -$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr > dig.out.4.test$n 2>&1 || ret=1 -grep "query: foo12348.bind CH TXT.*\[ECS ::1/128/0]" ns4/named.run > /dev/null || ret=1 +$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr >dig.out.4.test$n 2>&1 || ret=1 +grep "query: foo12348.bind CH TXT.*\[ECS ::1/128/0]" ns4/named.run >/dev/null || ret=1 # toggle query logging and check again -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog > /dev/null 2>&1 || ret=1 -grep "query logging is now off" ns4/named.run > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog >/dev/null 2>&1 || ret=1 +grep "query logging is now off" ns4/named.run >/dev/null || ret=1 # query for another builtin zone and check if query was logged (without +subnet) -$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr > dig.out.5.test$n 2>&1 || ret=1 -grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run > /dev/null && ret=1 +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr >dig.out.5.test$n 2>&1 || ret=1 +grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) RNDCCMD4="$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf" -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc nta time limits ($n)" ret=0 -$RNDCCMD4 nta -l 2h nta1.example > rndc.out.1.test$n 2>&1 -grep "Negative trust anchor added" rndc.out.1.test$n > /dev/null || ret=1 -$RNDCCMD4 nta -l 1d nta2.example > rndc.out.2.test$n 2>&1 -grep "Negative trust anchor added" rndc.out.2.test$n > /dev/null || ret=1 -$RNDCCMD4 nta -l 1w nta3.example > rndc.out.3.test$n 2>&1 -grep "Negative trust anchor added" rndc.out.3.test$n > /dev/null || ret=1 -$RNDCCMD4 nta -l 8d nta4.example > rndc.out.4.test$n 2>&1 && ret=1 -grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n > /dev/null || ret=1 +$RNDCCMD4 nta -l 2h nta1.example >rndc.out.1.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.1.test$n >/dev/null || ret=1 +$RNDCCMD4 nta -l 1d nta2.example >rndc.out.2.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.2.test$n >/dev/null || ret=1 +$RNDCCMD4 nta -l 1w nta3.example >rndc.out.3.test$n 2>&1 +grep "Negative trust anchor added" rndc.out.3.test$n >/dev/null || ret=1 +$RNDCCMD4 nta -l 8d nta4.example >rndc.out.4.test$n 2>&1 && ret=1 +grep "NTA lifetime cannot exceed one week" rndc.out.4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc nta -class option ($n)" ret=0 -nextpart ns4/named.run > /dev/null -$RNDCCMD4 nta -c in nta1.example > rndc.out.1.test$n 2>&1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 -$RNDCCMD4 nta -c any nta1.example > rndc.out.2.test$n 2>&1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null || ret=1 -$RNDCCMD4 nta -c ch nta1.example > rndc.out.3.test$n 2>&1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 -$RNDCCMD4 nta -c fake nta1.example > rndc.out.4.test$n 2>&1 && ret=1 -nextpart ns4/named.run | grep "added NTA 'nta1.example'" > /dev/null && ret=1 -grep 'unknown class' rndc.out.4.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - -for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288 -do - n=$((n+1)) - echo_i "testing rndc buffer size limits (size=${i}) ($n)" - ret=0 - $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 > rndc.out.$i.test$n || ret=1 - { actual_size=$($GENCHECK rndc.out.$i.test$n); rc=$?; } || true - if [ "$rc" = "0" ]; then - expected_size=$((i+1)) - if [ $actual_size != $expected_size ]; then ret=1; fi - else - ret=1 - fi - - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +nextpart ns4/named.run >/dev/null +$RNDCCMD4 nta -c in nta1.example >rndc.out.1.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null || ret=1 +$RNDCCMD4 nta -c any nta1.example >rndc.out.2.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null || ret=1 +$RNDCCMD4 nta -c ch nta1.example >rndc.out.3.test$n 2>&1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null && ret=1 +$RNDCCMD4 nta -c fake nta1.example >rndc.out.4.test$n 2>&1 && ret=1 +nextpart ns4/named.run | grep "added NTA 'nta1.example'" >/dev/null && ret=1 +grep 'unknown class' rndc.out.4.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +for i in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288; do + n=$((n + 1)) + echo_i "testing rndc buffer size limits (size=${i}) ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf testgen ${i} 2>&1 >rndc.out.$i.test$n || ret=1 + { + actual_size=$($GENCHECK rndc.out.$i.test$n) + rc=$? + } || true + if [ "$rc" = "0" ]; then + expected_size=$((i + 1)) + if [ $actual_size != $expected_size ]; then ret=1; fi + else + ret=1 + fi + + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc -r (show result) ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r testgen 0 2>&1 > rndc.out.1.test$n || ret=1 -grep "ISC_R_SUCCESS 0" rndc.out.1.test$n > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r testgen 0 2>&1 >rndc.out.1.test$n || ret=1 +grep "ISC_R_SUCCESS 0" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing rndc with a token containing a space ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r flush '"view with a space"' 2>&1 > rndc.out.1.test$n || ret=1 -grep "not found" rndc.out.1.test$n > /dev/null && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf -r flush '"view with a space"' 2>&1 >rndc.out.1.test$n || ret=1 +grep "not found" rndc.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc reconfig' with a broken config ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig >/dev/null || ret=1 sleep 1 mv ns4/named.conf ns4/named.conf.save -echo "error error error" >> ns4/named.conf -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > rndc.out.1.test$n 2>&1 && ret=1 -grep "rndc: 'reconfig' failed: unexpected token" rndc.out.1.test$n > /dev/null || ret=1 +echo "error error error" >>ns4/named.conf +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig >rndc.out.1.test$n 2>&1 && ret=1 +grep "rndc: 'reconfig' failed: unexpected token" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc status reports failure ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1 -grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >rndc.out.1.test$n 2>&1 || ret=1 +grep "reload/reconfig failed" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "restore working config ($n)" ret=0 mv ns4/named.conf.save ns4/named.conf sleep 1 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig > /dev/null || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf reconfig >/dev/null || ret=1 sleep 1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc status' 'reload/reconfig failure' is cleared after successful reload/reconfig ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n 2>&1 || ret=1 -grep "reload/reconfig failed" rndc.out.1.test$n > /dev/null && ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status >rndc.out.1.test$n 2>&1 || ret=1 +grep "reload/reconfig failed" rndc.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test read-only control channel access ($n)" ret=0 -$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1 -$RNDCCMD 10.53.0.5 nta -dump > rndc.out.2.test$n 2>&1 || ret=1 -$RNDCCMD 10.53.0.5 reconfig > rndc.out.3.test$n 2>&1 && ret=1 +$RNDCCMD 10.53.0.5 status >rndc.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.5 nta -dump >rndc.out.2.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.5 reconfig >rndc.out.3.test$n 2>&1 && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test rndc status shows running on ($n)" ret=0 -$RNDCCMD 10.53.0.5 status > rndc.out.1.test$n 2>&1 || ret=1 -grep "^running on " rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.5 status >rndc.out.1.test$n 2>&1 || ret=1 +grep "^running on " rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "test 'rndc reconfig' with loading of a large zone ($n)" ret=0 -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null cp ns6/named.conf ns6/named.conf.save -echo "zone \"huge.zone\" { type primary; file \"huge.zone.db\"; };" >> ns6/named.conf +echo "zone \"huge.zone\" { type primary; file \"huge.zone.db\"; };" >>ns6/named.conf echo_i "reloading config" -$RNDCCMD 10.53.0.6 reconfig > rndc.out.1.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.6 reconfig >rndc.out.1.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "check if zone load was scheduled ($n)" wait_for_log_peek 20 "scheduled loading new zones" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check if query for the zone returns SERVFAIL ($n)" -$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n -grep "SERVFAIL" dig.out.1.test$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed (ignored)"; ret=0; fi -status=$((status+ret)) +$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone >dig.out.1.test$n +grep "SERVFAIL" dig.out.1.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed (ignored)" + ret=0 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "wait for the zones to be loaded ($n)" wait_for_log_peek 60 "huge.zone/IN: loaded serial" ns6/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check if query for the zone returns NOERROR ($n)" -$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone > dig.out.1.test$n -grep "NOERROR" dig.out.1.test$n > /dev/null || ret=1 +$DIG @10.53.0.6 -p ${PORT} -t soa huge.zone >dig.out.1.test$n +grep "NOERROR" dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify that the full command is logged ($n)" ret=0 -$RNDCCMD 10.53.0.2 null with extra arguments > /dev/null 2>&1 -grep "received control channel command 'null with extra arguments'" ns2/named.run > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 null with extra arguments >/dev/null 2>&1 +grep "received control channel command 'null with extra arguments'" ns2/named.run >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) mv ns6/named.conf.save ns6/named.conf sleep 1 -$RNDCCMD 10.53.0.6 reconfig > /dev/null || ret=1 +$RNDCCMD 10.53.0.6 reconfig >/dev/null || ret=1 sleep 1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc \"\"' is handled ($n)" ret=0 -$RNDCCMD 10.53.0.2 "" > rndc.out.1.test$n 2>&1 && ret=1 -grep "rndc: '' failed: failure" rndc.out.1.test$n > /dev/null +$RNDCCMD 10.53.0.2 "" >rndc.out.1.test$n 2>&1 && ret=1 +grep "rndc: '' failed: failure" rndc.out.1.test$n >/dev/null if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc -4 -6 ($n)" ret=0 -$RNDCCMD 10.53.0.2 -4 -6 status > rndc.out.1.test$n 2>&1 && ret=1 -grep "only one of -4 and -6 allowed" rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 -4 -6 status >rndc.out.1.test$n 2>&1 && ret=1 +grep "only one of -4 and -6 allowed" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc -4 with an IPv6 server address ($n)" ret=0 -$RNDCCMD fd92:7065:b8e:ffff::2 -4 status > rndc.out.1.test$n 2>&1 && ret=1 -grep "address family not supported" rndc.out.1.test$n > /dev/null || ret=1 +$RNDCCMD fd92:7065:b8e:ffff::2 -4 status >rndc.out.1.test$n 2>&1 && ret=1 +grep "address family not supported" rndc.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check rndc nta reports adding to multiple views ($n)" ret=0 -$RNDCCMD 10.53.0.3 nta test.com > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 nta test.com >rndc.out.test$n 2>&1 || ret=1 lines=$(cat rndc.out.test$n | wc -l) [ ${lines:-0} -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc retransfer' of primary error message ($n)" ret=0 -$RNDCCMD 10.53.0.2 retransfer nil > rndc.out.test$n 2>&1 && ret=1 -grep "rndc: 'retransfer' failed: failure" rndc.out.test$n > /dev/null || ret=1 -grep "retransfer: inappropriate zone type: primary" rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.2 retransfer nil >rndc.out.test$n 2>&1 && ret=1 +grep "rndc: 'retransfer' failed: failure" rndc.out.test$n >/dev/null || ret=1 +grep "retransfer: inappropriate zone type: primary" rndc.out.test$n >/dev/null || ret=1 lines=$(cat rndc.out.test$n | wc -l) [ ${lines:-0} -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc freeze' with in-view zones works ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf freeze > rndc.out.test$n 2>&1 || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf freeze >rndc.out.test$n 2>&1 || ret=1 test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking non in-view zone instance is not writable ($n)" ret=0 -$NSUPDATE -p ${PORT} > /dev/null 2>&1 <<END && ret=1 +$NSUPDATE -p ${PORT} >/dev/null 2>&1 <<END && ret=1 server 10.53.0.4 zone example. update add text2.example. 600 IN TXT "addition 3" send END -$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT >dig.out.1.test$n || ret=1 grep 'addition 3' dig.out.1.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc thaw' with in-view zones works ($n)" ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf thaw > rndc.out.test$n 2>&1 || ret=1 +$RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf thaw >rndc.out.test$n 2>&1 || ret=1 test -s rndc.out.test$n && sed 's/^/ns2 /' rndc.out.test$n | cat_i if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking non in-view zone instance is now writable ($n)" ret=0 -$NSUPDATE -p ${PORT} > nsupdate.out.test$n 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} >nsupdate.out.test$n 2>&1 <<END || ret=1 server 10.53.0.4 zone example. update add text2.example. 600 IN TXT "addition 3" send END -$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.4 -p ${PORT} text2.example. TXT >dig.out.1.test$n || ret=1 grep 'addition 3' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking initial in-view zone file is loaded ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.1.test$n || ret=1 grep 'include 1' dig.out.1.test$n >/dev/null || ret=1 TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.2.test$n || ret=1 grep 'include 1' dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "update in-view zone ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$NSUPDATE -p ${PORT} -y "$TSIG" > /dev/null 2>&1 <<END || ret=1 +$NSUPDATE -p ${PORT} -y "$TSIG" >/dev/null 2>&1 <<END || ret=1 server 10.53.0.7 zone test. update add text2.test. 600 IN TXT "addition 1" send END [ -s ns7/test.db.jnl ] || { - echo_i "'test -s ns7/test.db.jnl' failed when it shouldn't have"; ret=1; + echo_i "'test -s ns7/test.db.jnl' failed when it shouldn't have" + ret=1 } if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking update ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text2.test. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text2.test. TXT >dig.out.1.test$n || ret=1 grep 'addition 1' dig.out.1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -nextpart ns7/named.run > /dev/null +nextpart ns7/named.run >/dev/null echo_i "rndc freeze" $RNDCCMD 10.53.0.7 freeze | sed 's/^/ns7 /' | cat_i | cat_i @@ -798,17 +804,26 @@ $RNDCCMD 10.53.0.7 reload | sed 's/^/ns7 /' | cat_i wait_for_log 3 "all zones loaded" ns7/named.run -n=$((n+1)) +n=$((n + 1)) echo_i "checking zone file edits are loaded ($n)" ret=0 TSIG="$DEFAULT_HMAC:int:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.1.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.1.test$n || ret=1 grep 'include 2' dig.out.1.test$n >/dev/null || ret=1 TSIG="$DEFAULT_HMAC:ext:FrSt77yPTFx6hTs4i2tKLB9LmE0=" -$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT > dig.out.2.test$n || ret=1 +$DIGCMD @10.53.0.7 -y "$TSIG" text1.test. TXT >dig.out.2.test$n || ret=1 grep 'include 2' dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +n=$((n + 1)) +echo_i "check rndc nta -dump reports NTAs in multiple views ($n)" +ret=0 +$RNDCCMD 10.53.0.3 nta -dump >rndc.out.test$n 2>&1 || ret=1 +lines=$(cat rndc.out.test$n | wc -l) +[ ${lines:-0} -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rndc/tests_cve-2023-3341.py b/bin/tests/system/rndc/tests_cve-2023-3341.py new file mode 100644 index 0000000..de2991b --- /dev/null +++ b/bin/tests/system/rndc/tests_cve-2023-3341.py @@ -0,0 +1,57 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import socket +import time + +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.query +import dns.rcode + + +def test_cve_2023_3341(named_port, control_port): + depth = 4500 + # Should not be more than isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768) + total_len = 10 + (depth * 7) - 6 + + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + data = b"".join( + [ + total_len.to_bytes(4, "big"), # <total lenght> + b"\x00\x00\x00\x01", # <version> + b"\x01\x41", # <size><name> + ] + ) + + for i in range(depth, 0, -1): + l = (i - 1) * 7 + t = b"".join( + [ + b"\x02", # ISCCC_CCMSGTYPE_TABLE + l.to_bytes(4, "big"), # <size> + b"\x01\x41", # <size><name> + ] + ) + data = b"".join([data, t]) + + s.connect(("10.53.0.2", control_port)) + s.sendall(data) + + # Wait for named to (possibly) crash + time.sleep(10) + msg = dns.message.make_query("version.bind", "TXT", "CH") + ans = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port) + assert ans.rcode() == dns.rcode.NOERROR diff --git a/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bin/tests/system/rootkeysentinel/ns1/sign.sh index 0f20053..dd33bd9 100644 --- a/bin/tests/system/rootkeysentinel/ns1/sign.sh +++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh @@ -20,16 +20,16 @@ zonefile=root.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyid=$(expr ${keyname} : 'K.+[0-9][0-9][0-9]+\(.*\)') -(cd ../ns2 && $SHELL sign.sh ${keyid:-00000} ) +(cd ../ns2 && $SHELL sign.sh ${keyid:-00000}) cp ../ns2/dsset-example. . -cat $infile $keyname.key > $zonefile +cat $infile $keyname.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns4/trusted.conf diff --git a/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bin/tests/system/rootkeysentinel/ns2/sign.sh index 3e48f8a..456c96f 100644 --- a/bin/tests/system/rootkeysentinel/ns2/sign.sh +++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh @@ -26,15 +26,15 @@ keyname1=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) keyname2=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone) cat $infile $keyname1.key $keyname2.key >$zonefile -echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile -echo root-key-sentinel-not-ta-$oldid A 10.53.0.2 >> $zonefile -echo root-key-sentinel-is-ta-$newid A 10.53.0.3 >> $zonefile -echo root-key-sentinel-not-ta-$newid A 10.53.0.4 >> $zonefile -echo old-is-ta CNAME root-key-sentinel-is-ta-$oldid >> $zonefile -echo old-not-ta CNAME root-key-sentinel-not-ta-$oldid >> $zonefile -echo new-is-ta CNAME root-key-sentinel-is-ta-$newid >> $zonefile -echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >> $zonefile -echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >> $zonefile -echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >> $zonefile +echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >>$zonefile +echo root-key-sentinel-not-ta-$oldid A 10.53.0.2 >>$zonefile +echo root-key-sentinel-is-ta-$newid A 10.53.0.3 >>$zonefile +echo root-key-sentinel-not-ta-$newid A 10.53.0.4 >>$zonefile +echo old-is-ta CNAME root-key-sentinel-is-ta-$oldid >>$zonefile +echo old-not-ta CNAME root-key-sentinel-not-ta-$oldid >>$zonefile +echo new-is-ta CNAME root-key-sentinel-is-ta-$newid >>$zonefile +echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >>$zonefile +echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >>$zonefile +echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >>$zonefile -$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null +$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 >/dev/null diff --git a/bin/tests/system/rootkeysentinel/tests.sh b/bin/tests/system/rootkeysentinel/tests.sh index bfe653c..3e0a487 100644 --- a/bin/tests/system/rootkeysentinel/tests.sh +++ b/bin/tests/system/rootkeysentinel/tests.sh @@ -23,22 +23,22 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" newtest() { - n=$((n + 1)) - case $# in - 1) - echo_i "$1 ($n)" - ;; - 2) - echo_i "$1" - echo_ic "$2 ($n)" - ;; - esac - ret=0 + n=$((n + 1)) + case $# in + 1) + echo_i "$1 ($n)" + ;; + 2) + echo_i "$1" + echo_ic "$2 ($n)" + ;; + esac + ret=0 } newtest "get test ids" -$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 > dig.out.ns1.test$n || ret=1 -oldid=$(sed -n 's/.*key id = //p' < dig.out.ns1.test$n) +$DIG $DIGOPTS . dnskey +short +rrcomm @10.53.0.1 >dig.out.ns1.test$n || ret=1 +oldid=$(sed -n 's/.*key id = //p' <dig.out.ns1.test$n) newid=$(printf "%05u" $(((oldid + 1000) % 65536))) badid=$(printf "%05u" $(((oldid + 7777) % 65536))) oldid=$(printf "%05u" $((oldid + 0))) @@ -49,245 +49,245 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check authoritative server (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.2 example SOA > dig.out.ns2.test$n -grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.2 example SOA >dig.out.ns2.test$n +grep "status: NOERROR" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check test zone resolves with 'root-key-sentinel yes;'" " (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 example SOA > dig.out.ns3.test$n -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 example SOA >dig.out.ns3.test$n +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${oldid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${oldid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with old ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-not-ta-${oldid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${newid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with new ta, CD=1 and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${newid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${newid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect SERVFAIL)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns3.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-${badid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: SERVFAIL" dig.out.ns3.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with bad ta, CD=1 and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 +cd root-key-sentinel-is-ta-${badid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-${badid}.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-72345.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-72345.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-72345.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-72345.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-1234.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-is-ta-1234.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-1234.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 root-key-sentinel-not-ta-1234.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 old-is-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 old-is-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 old-not-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 old-not-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 new-is-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 new-is-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel yes;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.3 new-not-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 -grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 new-not-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1 +grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 bad-is-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bad-is-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel yes;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.3 bad-not-ta.example A > dig.out.ns3.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.3 bad-not-ta.example A >dig.out.ns3.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1 +grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check test zone resolves with 'root-key-sentinel no;'" " (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 example SOA > dig.out.ns4.test$n -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 example SOA >dig.out.ns4.test$n +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${oldid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${oldid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${oldid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${newid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${newid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${newid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${newid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${badid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-${badid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${badid}.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-${badid}.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-72345.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-72345.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with out-of-range ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-72345.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-72345.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-is-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-1234.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-is-ta-1234.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check root-key-sentinel-not-ta with no-zero-pad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-1234.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 root-key-sentinel-not-ta-1234.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 old-is-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 old-is-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "old-is-ta.*CNAME.root-key-sentinel-is-ta-${oldid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with old ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 old-not-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 old-not-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "old-not-ta.*CNAME.root-key-sentinel-not-ta-${oldid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 new-is-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 new-is-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "new-is-ta.*CNAME.root-key-sentinel-is-ta-${newid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with new ta and" " 'root-key-sentinel no;' (expect NOERROR)" -$DIG $DIGOPTS @10.53.0.4 new-not-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 -grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 new-not-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "new-not-ta.*CNAME.root-key-sentinel-not-ta-${newid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-is-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 bad-is-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 bad-is-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "bad-is-ta.*CNAME.root-key-sentinel-is-ta-${badid}.example" dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) newtest "check CNAME to root-key-sentinel-not-ta with bad ta and" " 'root-key-sentinel no;' (expect NXDOMAIN)" -$DIG $DIGOPTS @10.53.0.4 bad-not-ta.example A > dig.out.ns4.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1 -grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.4 bad-not-ta.example A >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "bad-not-ta.*CNAME.root-key-sentinel-not-ta-${badid}.example." dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 35d6211..07cd667 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -16,16 +16,19 @@ USAGE="$0: [-Px]" DEBUG= while getopts "Px" c; do - case $c in - x) set -x ;; - P) PARTIAL=set ;; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) set -x ;; + P) PARTIAL=set ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # this might be called from setup.sh to partially clean up the files @@ -42,16 +45,16 @@ rm -f */policy2.db rm -f */*.jnl if [ ${PARTIAL:-unset} = unset ]; then - rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp - rm -f ns5/requests ns5/*.perf - rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key - rm -f */*.log */*core */*.pid - rm -f ns*/named.lock - rm -f ns*/named.conf - rm -f ns*/*switch - rm -f dnsrps*.conf - rm -f dnsrpzd.conf - rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid - rm -f ns*/managed-keys.bind* - rm -f tmp + rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp + rm -f ns5/requests ns5/*.perf + rm -f */named.memstats */*.run */*.run.prev */named.stats */session.key + rm -f */*.log */*core */*.pid + rm -f ns*/named.lock + rm -f ns*/named.conf + rm -f ns*/*switch + rm -f dnsrps*.conf + rm -f dnsrpzd.conf + rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid + rm -f ns*/managed-keys.bind* + rm -f tmp fi diff --git a/bin/tests/system/rpz/qperf.sh b/bin/tests/system/rpz/qperf.sh index 146d1e2..1ec64fe 100644 --- a/bin/tests/system/rpz/qperf.sh +++ b/bin/tests/system/rpz/qperf.sh @@ -12,11 +12,11 @@ # information regarding copyright ownership. for QDIR in $(echo "$PATH" | tr : ' ') ../../../../contrib/queryperf; do - QPERF=$QDIR/queryperf - if test -f "$QPERF" -a -x "$QPERF"; then - echo $QPERF - exit 0 - fi + QPERF=$QDIR/queryperf + if test -f "$QPERF" -a -x "$QPERF"; then + echo $QPERF + exit 0 + fi done exit 0 diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 75e4957..b263fda 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -22,26 +22,32 @@ QPERF=$($SHELL qperf.sh) USAGE="$0: [-DNx]" DEBUG= while getopts "DNx" c; do - case $c in - x) set -x; DEBUG=-x ;; - D) TEST_DNSRPS="-D" ;; - N) PARTIAL=-P ;; - *) echo "$USAGE" 1>&2; exit 1 ;; - esac + case $c in + x) + set -x + DEBUG=-x + ;; + D) TEST_DNSRPS="-D" ;; + N) PARTIAL=-P ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi if [ ${NOCLEAN:-unset} = unset ]; then - $SHELL clean.sh $PARTIAL $DEBUG + $SHELL clean.sh $PARTIAL $DEBUG fi for dir in ns*; do - touch $dir/named.run - nextpart $dir/named.run > /dev/null + touch $dir/named.run + nextpart $dir/named.run >/dev/null done copy_setports ns1/named.conf.in ns1/named.conf @@ -70,7 +76,7 @@ test -z "$(grep 'dnsrps-enable yes' dnsrps.conf)" && TEST_DNSRPS= # drop,tcp-only} are used to check policy overrides in named.conf. # NO-OP is an obsolete synonym for PASSHTRU for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do - sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db + sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done # bl zones are dynamically updated. Add one zone that is updated manually. cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db @@ -86,13 +92,13 @@ cp ns5/expire.conf.in ns5/expire.conf # $2=domain name # $3=input zone file # $4=output file -signzone () { - KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2) - cat $1/$3 $1/$KEYNAME.key > $1/tmp - $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null - sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf - DSFILENAME=dsset-${2}. - rm $DSFILENAME $1/tmp +signzone() { + KEYNAME=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -K $1 $2) + cat $1/$3 $1/$KEYNAME.key >$1/tmp + $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null + sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf + DSFILENAME=dsset-${2}. + rm $DSFILENAME $1/tmp } signzone ns2 tld2s base-tld2s.db tld2s.db @@ -140,20 +146,20 @@ ns1.x.rpz-nsdname CNAME . EOF if test -n "$QPERF"; then - # Do not build the full zones if we will not use them. - $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { + # Do not build the full zones if we will not use them. + $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256); }' >>ns5/example.db - echo >>ns5/bl.db - echo "; rewrite some names" >>ns5/bl.db - $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) { + echo >>ns5/bl.db + echo "; rewrite some names" >>ns5/bl.db + $PERL -e 'for ($val = 2; $val <= 65535; $val += 69) { printf("host-%05d.example.tld5\tCNAME\t.\n", $val); }' >>ns5/bl.db - echo >>ns5/bl.db - echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db - $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) { + echo >>ns5/bl.db + echo "; rewrite with some not entirely trivial patricia trees" >>ns5/bl.db + $PERL -e 'for ($val = 3; $val <= 65535; $val += 69) { printf("32.%d.%d.168.192.rpz-ip \tCNAME\t.\n", $val%256, $val/256); }' >>ns5/bl.db @@ -172,8 +178,8 @@ cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db # Run dnsrpzd to get the license and prime the static policy zones if test -n "$TEST_DNSRPS"; then - DNSRPZD="$(../rpz/dnsrps -p)" - cd ns3 - "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \ - -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 + DNSRPZD="$(../rpz/dnsrps -p)" + cd ns3 + "$DNSRPZ" -D../dnsrpzd.rpzf -S../dnsrpzd.sock -C../dnsrpzd.conf \ + -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 fi diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 658250e..199e75d 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -21,16 +21,16 @@ set -e . ../conf.sh ns=10.53.0 -ns1=$ns.1 # root, defining the others -ns2=$ns.2 # authoritative server whose records are rewritten -ns3=$ns.3 # main rewriting resolver -ns4=$ns.4 # another authoritative server that is rewritten -ns5=$ns.5 # another rewriting resolver -ns6=$ns.6 # a forwarding server -ns7=$ns.7 # another rewriting resolver -ns8=$ns.8 # another rewriting resolver -ns9=$ns.9 # another rewriting resolver -ns10=$ns.10 # authoritative server +ns1=$ns.1 # root, defining the others +ns2=$ns.2 # authoritative server whose records are rewritten +ns3=$ns.3 # main rewriting resolver +ns4=$ns.4 # another authoritative server that is rewritten +ns5=$ns.5 # another rewriting resolver +ns6=$ns.6 # a forwarding server +ns7=$ns.7 # another rewriting resolver +ns8=$ns.8 # another rewriting resolver +ns9=$ns.9 # another rewriting resolver +ns10=$ns.10 # authoritative server HAVE_CORE= @@ -43,90 +43,100 @@ ARGS= USAGE="$0: [-xS]" while getopts "xS:" c; do - case $c in - x) set -x; DEBUG=-x; ARGS="$ARGS -x";; - S) SAVE_RESULTS=-S; ARGS="$ARGS -S";; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ARGS="$ARGS -x" + ;; + S) + SAVE_RESULTS=-S + ARGS="$ARGS -S" + ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # really quit on control-C trap 'exit 1' 1 2 15 TS='%H:%M:%S ' TS= -comment () { - if test -n "$TS"; then - date "+${TS}$*" | cat_i - fi +comment() { + if test -n "$TS"; then + date "+${TS}$*" | cat_i + fi } DNSRPSCMD=./dnsrps -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" if test -x "$DNSRPSCMD"; then - # speed up the many delays for dnsrpzd by waiting only 0.1 seconds - WAIT_CMD="$DNSRPSCMD -w 0.1" - TEN_SECS=100 + # speed up the many delays for dnsrpzd by waiting only 0.1 seconds + WAIT_CMD="$DNSRPSCMD -w 0.1" + TEN_SECS=100 else - WAIT_CMD="sleep 1" - TEN_SECS=10 + WAIT_CMD="sleep 1" + TEN_SECS=10 fi -digcmd () { - if test "$1" = TCP; then - shift - fi - # Default to +noauth and @$ns3 - # Also default to -bX where X is the @value so that OS X will choose - # the right IP source address. - digcmd_args=$(echo "+nocookie +noadd +time=2 +tries=1 -p ${PORT} $*" | \ - sed -e "/@/!s/.*/& @$ns3/" \ - -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ - -e '/+n?o?auth/!s/.*/+noauth &/') - #echo_i "dig $digcmd_args 1>&2 - $DIG $digcmd_args || return +digcmd() { + if test "$1" = TCP; then + shift + fi + # Default to +noauth and @$ns3 + # Also default to -bX where X is the @value so that OS X will choose + # the right IP source address. + digcmd_args=$(echo "+nocookie +noadd +time=2 +tries=1 -p ${PORT} $*" \ + | sed -e "/@/!s/.*/& @$ns3/" \ + -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ + -e '/+n?o?auth/!s/.*/+noauth &/') + #echo_i "dig $digcmd_args 1>&2 + $DIG $digcmd_args || return } # set DIGNM=file name for dig output GROUP_NM= TEST_NUM=0 -make_dignm () { - TEST_NUM=$((TEST_NUM + 1)) - DIGNM=dig.out$GROUP_NM-$TEST_NUM - while test -f $DIGNM; do - DIGNM="$DIGNM+" - done +make_dignm() { + TEST_NUM=$((TEST_NUM + 1)) + DIGNM=dig.out$GROUP_NM-$TEST_NUM + while test -f $DIGNM; do + DIGNM="$DIGNM+" + done } -setret () { - ret=1 - status=$((status + 1)) - echo_i "$*" +setret() { + ret=1 + status=$((status + 1)) + echo_i "$*" } # set $SN to the SOA serial number of a zone # $1=domain # $2=DNS server and client IP address get_sn() { - SOA=$($DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2") - SN=$(expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*' || true) - test "$SN" != "" && return - echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\"" - exit 1 + SOA=$($DIG -p ${PORT} +short +norecurse soa "$1" "@$2" "-b$2") + SN=$(expr "$SOA" : '[^ ]* [^ ]* \([^ ]*\) .*' || true) + test "$SN" != "" && return + echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\` in \"$SOA\"" + exit 1 } -get_sn_fast () { - RSN=$($DNSRPSCMD -n "$1") - #echo "dnsrps serial for $1 is $RSN" - if test -z "$RSN"; then - echo_i "dnsrps failed to get SOA serial number for $1" - exit 1 - fi +get_sn_fast() { + RSN=$($DNSRPSCMD -n "$1") + #echo "dnsrps serial for $1 is $RSN" + if test -z "$RSN"; then + echo_i "dnsrps failed to get SOA serial number for $1" + exit 1 + fi } # check that dnsrpzd has loaded its zones @@ -134,25 +144,25 @@ get_sn_fast () { # $2=DNS server IP address FZONES=$(sed -n -e 's/^zone "\(.*\)".*\(10.53.0..\).*/Z=\1;M=\2/p' dnsrpzd.conf) dnsrps_loaded() { - test "$mode" = dnsrps || return 0 - n=0 - for V in $FZONES; do - eval "$V" - get_sn $Z $M - while true; do - get_sn_fast "$Z" - if test "$SN" -eq "0$RSN"; then - #echo "$Z @$M serial=$SN" - break - fi - n=$((n + 1)) - if test "$n" -gt $TEN_SECS; then - echo_i "dnsrps serial for $Z is $RSN instead of $SN" - exit 1 - fi - $WAIT_CMD - done + test "$mode" = dnsrps || return 0 + n=0 + for V in $FZONES; do + eval "$V" + get_sn $Z $M + while true; do + get_sn_fast "$Z" + if test "$SN" -eq "0$RSN"; then + #echo "$Z @$M serial=$SN" + break + fi + n=$((n + 1)) + if test "$n" -gt $TEN_SECS; then + echo_i "dnsrps serial for $Z is $RSN instead of $SN" + exit 1 + fi + $WAIT_CMD done + done } # check the serial number in an SOA to ensure that a policy zone has @@ -161,219 +171,219 @@ dnsrps_loaded() { # $2=domain # $3=DNS server ck_soa() { - n=0 - while true; do - if test "$mode" = dnsrps; then - get_sn_fast "$2" - test "$RSN" -eq "$1" && return - else - get_sn "$2" "$3" - test "$SN" -eq "$1" && return - fi - n=$((n + 1)) - if test "$n" -gt $TEN_SECS; then - echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3" - return - fi - $WAIT_CMD - done + n=0 + while true; do + if test "$mode" = dnsrps; then + get_sn_fast "$2" + test "$RSN" -eq "$1" && return + else + get_sn "$2" "$3" + test "$SN" -eq "$1" && return + fi + n=$((n + 1)) + if test "$n" -gt $TEN_SECS; then + echo_i "got serial number \"$SN\" instead of \"$1\" from $2 @$3" + return + fi + $WAIT_CMD + done } # (re)load the response policy zones with the rules in the file $TEST_FILE -load_db () { - if test -n "$TEST_FILE"; then - copy_setports $TEST_FILE tmp - if $NSUPDATE -v tmp; then : - $RNDCCMD $ns3 sync - else - echo_i "failed to update policy zone with $TEST_FILE" - $RNDCCMD $ns3 sync - exit 1 - fi - rm -f tmp +load_db() { + if test -n "$TEST_FILE"; then + copy_setports $TEST_FILE tmp + if $NSUPDATE -v tmp; then + : + $RNDCCMD $ns3 sync + else + echo_i "failed to update policy zone with $TEST_FILE" + $RNDCCMD $ns3 sync + exit 1 fi + rm -f tmp + fi } # restart name server # $1 ns number # $2 rebuild bl rpz zones if "rebuild-bl-rpz" -restart () { - # try to ensure that the server really has stopped - # and won't mess with ns$1/name.pid - if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then - $RNDCCMD $ns$1 halt >/dev/null 2>&1 - if test -f ns$1/named.pid; then - sleep 1 - PID=$(cat ns$1/named.pid 2>/dev/null) - if test -n "$PID"; then - echo_i "killing ns$1 server $PID" - kill -9 $PID - fi - fi +restart() { + # try to ensure that the server really has stopped + # and won't mess with ns$1/name.pid + if test -z "$HAVE_CORE" -a -f ns$1/named.pid; then + $RNDCCMD $ns$1 halt >/dev/null 2>&1 + if test -f ns$1/named.pid; then + sleep 1 + PID=$(cat ns$1/named.pid 2>/dev/null) + if test -n "$PID"; then + echo_i "killing ns$1 server $PID" + kill -9 $PID + fi fi - rm -f ns$1/*.jnl - if [ "$2" = "rebuild-bl-rpz" ]; then - if test -f ns$1/base.db; then - for NM in ns$1/bl*.db; do - cp -f ns$1/base.db $NM - done - fi + fi + rm -f ns$1/*.jnl + if [ "$2" = "rebuild-bl-rpz" ]; then + if test -f ns$1/base.db; then + for NM in ns$1/bl*.db; do + cp -f ns$1/base.db $NM + done fi - start_server --noclean --restart --port ${PORT} ns$1 - load_db - dnsrps_loaded - sleep 1 + fi + start_server --noclean --restart --port ${PORT} ns$1 + load_db + dnsrps_loaded + sleep 1 } # $1=server and irrelevant args # $2=error message -ckalive () { - CKALIVE_NS=$(expr "$1" : '.*@ns\([1-9]\).*' || true) - if test -z "$CKALIVE_NS"; then - CKALIVE_NS=3 - fi - eval CKALIVE_IP=\$ns$CKALIVE_NS - $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0 - HAVE_CORE=yes - setret "$2" - # restart the server to avoid stalling waiting for it to stop - restart $CKALIVE_NS "rebuild-bl-rpz" - return 0 +ckalive() { + CKALIVE_NS=$(expr "$1" : '.*@ns\([1-9]\).*' || true) + if test -z "$CKALIVE_NS"; then + CKALIVE_NS=3 + fi + eval CKALIVE_IP=\$ns$CKALIVE_NS + $RNDCCMD $CKALIVE_IP status >/dev/null 2>&1 && return 0 + HAVE_CORE=yes + setret "$2" + # restart the server to avoid stalling waiting for it to stop + restart $CKALIVE_NS "rebuild-bl-rpz" + return 0 } -resetstats () { - NSDIR=$1 - eval "${NSDIR}_CNT=''" +resetstats() { + NSDIR=$1 + eval "${NSDIR}_CNT=''" } -ckstats () { - HOST=$1 - LABEL="$2" - NSDIR="$3" - EXPECTED="$4" - $RNDCCMD $HOST stats - NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ - $NSDIR/named.stats | tail -1) - eval "OLD_CNT=\$${NSDIR}_CNT" - NEW_CNT=$((NEW_CNT)) - OLD_CNT=$((OLD_CNT)) - GOT=$((NEW_CNT - OLD_CNT)) - if test "$GOT" -ne "$EXPECTED"; then - setret "wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" - fi - eval "${NSDIR}_CNT=$NEW_CNT" +ckstats() { + HOST=$1 + LABEL="$2" + NSDIR="$3" + EXPECTED="$4" + $RNDCCMD $HOST stats + NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1) + eval "OLD_CNT=\$${NSDIR}_CNT" + NEW_CNT=$((NEW_CNT)) + OLD_CNT=$((OLD_CNT)) + GOT=$((NEW_CNT - OLD_CNT)) + if test "$GOT" -ne "$EXPECTED"; then + setret "wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" + fi + eval "${NSDIR}_CNT=$NEW_CNT" } -ckstatsrange () { - HOST=$1 - LABEL="$2" - NSDIR="$3" - MIN="$4" - MAX="$5" - $RNDCCMD $HOST stats - NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ - $NSDIR/named.stats | tail -1) - eval "OLD_CNT=\$${NSDIR}_CNT" - NEW_CNT=$((NEW_CNT)) - OLD_CNT=$((OLD_CNT)) - GOT=$((NEW_CNT - OLD_CNT)) - if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then - setret "wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}" - fi - eval "${NSDIR}_CNT=$NEW_CNT" +ckstatsrange() { + HOST=$1 + LABEL="$2" + NSDIR="$3" + MIN="$4" + MAX="$5" + $RNDCCMD $HOST stats + NEW_CNT=$(sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1) + eval "OLD_CNT=\$${NSDIR}_CNT" + NEW_CNT=$((NEW_CNT)) + OLD_CNT=$((OLD_CNT)) + GOT=$((NEW_CNT - OLD_CNT)) + if test "$GOT" -lt "$MIN" -o "$GOT" -gt "$MAX"; then + setret "wrong $LABEL $NSDIR statistics of $GOT instead of ${MIN}..${MAX}" + fi + eval "${NSDIR}_CNT=$NEW_CNT" } # $1=message # $2=optional test file name -start_group () { - ret=0 - t=$((t + 1)) - test -n "$1" && date "+${TS}checking $1 (${t})" | cat_i - TEST_FILE=$2 - if test -n "$TEST_FILE"; then - GROUP_NM="-$TEST_FILE" - load_db - else - GROUP_NM= - fi - dnsrps_loaded - TEST_NUM=0 +start_group() { + ret=0 + t=$((t + 1)) + test -n "$1" && date "+${TS}checking $1 (${t})" | cat_i + TEST_FILE=$2 + if test -n "$TEST_FILE"; then + GROUP_NM="-$TEST_FILE" + load_db + else + GROUP_NM= + fi + dnsrps_loaded + TEST_NUM=0 } -end_group () { - if test -n "$TEST_FILE"; then - # remove the previous set of test rules - copy_setports $TEST_FILE tmp - sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE - rm -f tmp - TEST_FILE= - fi - ckalive $ns3 "failed; ns3 server crashed and restarted" - dnsrps_loaded - GROUP_NM= +end_group() { + if test -n "$TEST_FILE"; then + # remove the previous set of test rules + copy_setports $TEST_FILE tmp + sed -e 's/[ ]add[ ]/ delete /' tmp | $NSUPDATE + rm -f tmp + TEST_FILE= + fi + ckalive $ns3 "failed; ns3 server crashed and restarted" + dnsrps_loaded + GROUP_NM= } -clean_result () { - if test -z "$SAVE_RESULTS"; then - rm -f $* - fi +clean_result() { + if test -z "$SAVE_RESULTS"; then + rm -f $* + fi } # $1=dig args # $2=other dig output file -ckresult () { - #ckalive "$1" "server crashed by 'dig $1'" || return 1 - expr "$1" : 'TCP ' > /dev/null && tcp=1 || tcp=0 - digarg=${1#TCP } - - if grep "flags:.* aa .*ad;" $DIGNM; then - setret "'dig $digarg' AA and AD set;" - elif grep "flags:.* aa .*ad;" $DIGNM; then - setret "'dig $digarg' AD set;" - fi +ckresult() { + #ckalive "$1" "server crashed by 'dig $1'" || return 1 + expr "$1" : 'TCP ' >/dev/null && tcp=1 || tcp=0 + digarg=${1#TCP } + + if grep "flags:.* aa .*ad;" $DIGNM; then + setret "'dig $digarg' AA and AD set;" + elif grep "flags:.* aa .*ad;" $DIGNM; then + setret "'dig $digarg' AD set;" + fi - if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then - grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0 - if [ "$tcp" -ne "$trunc" ]; then - setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM" - else - clean_result ${DIGNM}* - fi - return 0 + if $PERL ../digcomp.pl $DIGNM $2 >/dev/null; then + grep -q 'Truncated, retrying in TCP' $DIGNM && trunc=1 || trunc=0 + if [ "$tcp" -ne "$trunc" ]; then + setret "'dig $digarg' wrong; no or unexpected truncation in $DIGNM" + else + clean_result ${DIGNM}* fi - setret "'dig $digarg' wrong; diff $DIGNM $2" return 0 + fi + setret "'dig $digarg' wrong; diff $DIGNM $2" + return 0 } # check only that the server does not crash # $1=target domain # $2=optional query type -nocrash () { - digcmd $* >/dev/null - ckalive "$*" "server crashed by 'dig $*'" +nocrash() { + digcmd $* >/dev/null + ckalive "$*" "server crashed by 'dig $*'" } - # check rewrite to NXDOMAIN # $1=target domain # $2=optional query type -nxdomain () { - make_dignm - digcmd $* \ - | sed -e 's/^[a-z].* IN CNAME /;xxx &/' \ - -e 's/^[a-z].* IN RRSIG /;xxx &/' \ - >$DIGNM - ckresult "$*" proto.nxdomain +nxdomain() { + make_dignm + digcmd $* \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' \ + -e 's/^[a-z].* IN RRSIG /;xxx &/' \ + >$DIGNM + ckresult "$*" proto.nxdomain } # check rewrite to NODATA # $1=target domain # $2=optional query type -nodata () { - make_dignm - digcmd $* \ - | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM - ckresult "$*" proto.nodata +nodata() { + make_dignm + digcmd $* \ + | sed -e 's/^[a-z].* IN CNAME /;xxx &/' >$DIGNM + ckresult "$*" proto.nodata } # check rewrite to an address @@ -381,22 +391,22 @@ nodata () { # $1=IPv4 address # $2=digcmd args # $3=optional TTL -addr () { - ADDR=$1 - make_dignm - digcmd $2 >$DIGNM - #ckalive "$2" "server crashed by 'dig $2'" || return 1 - ADDR_ESC=$(echo "$ADDR" | sed -e 's/\./\\./g') - ADDR_TTL=$(sed -n -e "s/^[-.a-z0-9]\{1,\}[ ]*\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p" $DIGNM) - if test -z "$ADDR_TTL"; then - setret "'dig $2' wrong; no address $ADDR record in $DIGNM" - return 0 - fi - if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then - setret "'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM" - return 0 - fi - clean_result ${DIGNM}* +addr() { + ADDR=$1 + make_dignm + digcmd $2 >$DIGNM + #ckalive "$2" "server crashed by 'dig $2'" || return 1 + ADDR_ESC=$(echo "$ADDR" | sed -e 's/\./\\./g') + ADDR_TTL=$(sed -n -e "s/^[-.a-z0-9]\{1,\}[ ]*\([0-9]*\) IN AA* ${ADDR_ESC}\$/\1/p" $DIGNM) + if test -z "$ADDR_TTL"; then + setret "'dig $2' wrong; no address $ADDR record in $DIGNM" + return 0 + fi + if test -n "$3" && test "$ADDR_TTL" -ne "$3"; then + setret "'dig $2' wrong; TTL=$ADDR_TTL instead of $3 in $DIGNM" + return 0 + fi + clean_result ${DIGNM}* } # Check that a response is not rewritten @@ -404,43 +414,43 @@ addr () { # spurious differences for `dig +norecurse` # $1=optional "TCP" # remaining args for dig -nochange () { - make_dignm - digcmd $* >$DIGNM - digcmd $* @$ns1 >${DIGNM}_OK - ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +nochange() { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns1 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } -nochange_ns10 () { - make_dignm - digcmd $* >$DIGNM - digcmd $* @$ns10 >${DIGNM}_OK - ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +nochange_ns10() { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns10 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } # check against a 'here document' -here () { - make_dignm - sed -e 's/^[ ]*//' >${DIGNM}_OK - digcmd $* >$DIGNM - ckresult "$*" ${DIGNM}_OK +here() { + make_dignm + sed -e 's/^[ ]*//' >${DIGNM}_OK + digcmd $* >$DIGNM + ckresult "$*" ${DIGNM}_OK } # check dropped response DROPPED='^;; no servers could be reached' -drop () { - make_dignm - digcmd $* >$DIGNM || true - if grep "$DROPPED" $DIGNM >/dev/null; then - clean_result ${DIGNM}* - return 0 - fi - setret "'dig $1' wrong; response in $DIGNM" +drop() { + make_dignm + digcmd $* >$DIGNM || true + if grep "$DROPPED" $DIGNM >/dev/null; then + clean_result ${DIGNM}* return 0 + fi + setret "'dig $1' wrong; response in $DIGNM" + return 0 } nsd() { - $NSUPDATE -p ${PORT} << EOF + $NSUPDATE -p ${PORT} <<EOF server $1 ttl 300 update $2 $3 IN CNAME . @@ -476,39 +486,39 @@ dnsrps=0 for mode in native dnsrps; do status=0 case ${mode} in - native) - if [ -e dnsrps-only ] ; then - echo_i "'dnsrps-only' found: skipping native RPZ sub-test" - continue - else - echo_i "running native RPZ sub-test" - fi - ;; - dnsrps) - if [ -e dnsrps-off ] ; then - echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" - continue - fi - echo_i "attempting to configure servers with DNSRPS..." - stop_server --use-rndc --port ${CONTROLPORT} - $SHELL ./setup.sh -N -D $DEBUG - for server in ns*; do - resetstats $server - done - sed -n 's/^## //p' dnsrps.conf | cat_i - if grep '^#fail' dnsrps.conf >/dev/null; then - echo_i "exit status: 1" - exit 1 - fi - if grep '^#skip' dnsrps.conf > /dev/null; then - echo_i "DNSRPS sub-test skipped" - continue - else - echo_i "running DNSRPS sub-test" - start_server --noclean --restart --port ${PORT} - sleep 3 - fi - ;; + native) + if [ -e dnsrps-only ]; then + echo_i "'dnsrps-only' found: skipping native RPZ sub-test" + continue + else + echo_i "running native RPZ sub-test" + fi + ;; + dnsrps) + if [ -e dnsrps-off ]; then + echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" + continue + fi + echo_i "attempting to configure servers with DNSRPS..." + stop_server --use-rndc --port ${CONTROLPORT} + $SHELL ./setup.sh -N -D $DEBUG + for server in ns*; do + resetstats $server + done + sed -n 's/^## //p' dnsrps.conf | cat_i + if grep '^#fail' dnsrps.conf >/dev/null; then + echo_i "exit status: 1" + exit 1 + fi + if grep '^#skip' dnsrps.conf >/dev/null; then + echo_i "DNSRPS sub-test skipped" + continue + else + echo_i "running DNSRPS sub-test" + start_server --noclean --restart --port ${PORT} + sleep 3 + fi + ;; esac # make prototype files to check against rewritten results @@ -516,104 +526,104 @@ for mode in native dnsrps; do retry_quiet 10 make_proto_nodata start_group "QNAME rewrites" test1 - nochange . # 1 do not crash or rewrite root - nxdomain a0-1.tld2 # 2 - nodata a3-1.tld2 # 3 - nodata a3-2.tld2 # 4 nodata at DNAME itself - nochange sub.a3-2.tld2 # 5 miss where DNAME might work - nxdomain a4-2.tld2 # 6 rewrite based on CNAME target - nxdomain a4-2-cname.tld2 # 7 - nodata a4-3-cname.tld2 # 8 - addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement - addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard - addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME - addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain - addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone - nochange a6-1.tld2 # 14 - addr 127.6.2.1 a6-2.tld2 # 15 - addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME - addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME - addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain - addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain - nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required - nochange a5-3.tld2 +norecurse # 21 - nochange a5-4.tld2 +norecurse # 22 - nochange sub.a5-4.tld2 +norecurse # 23 - nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c - nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures - nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures - nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures - nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain - nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain - nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record - nxdomain a0-1.tld2s srv +nodnssec # 31 - drop a3-8.tld2 any # 32 drop - nochange TCP a3-9.tld2 # 33 tcp-only - here x.servfail <<'EOF' # 34 qname-wait-recurse yes + nochange . # 1 do not crash or rewrite root + nxdomain a0-1.tld2 # 2 + nodata a3-1.tld2 # 3 + nodata a3-2.tld2 # 4 nodata at DNAME itself + nochange sub.a3-2.tld2 # 5 miss where DNAME might work + nxdomain a4-2.tld2 # 6 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 # 7 + nodata a4-3-cname.tld2 # 8 + addr 12.12.12.12 a4-1.sub1.tld2 # 9 A replacement + addr 12.12.12.12 a4-1.sub2.tld2 # 10 A replacement with wildcard + addr 12.12.12.12 nxc1.sub1.tld2 # 11 replace NXDOMAIN with CNAME + addr 12.12.12.12 nxc2.sub1.tld2 # 12 replace NXDOMAIN with CNAME chain + addr 127.4.4.1 a4-4.tld2 # 13 prefer 1st conflicting QNAME zone + nochange a6-1.tld2 # 14 + addr 127.6.2.1 a6-2.tld2 # 15 + addr 56.56.56.56 a3-6.tld2 # 16 wildcard CNAME + addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME + addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain + addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain + nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required + nochange a5-3.tld2 +norecurse # 21 + nochange a5-4.tld2 +norecurse # 22 + nochange sub.a5-4.tld2 +norecurse # 23 + nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures + nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures + nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures + nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain + nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain + nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record + nxdomain a0-1.tld2s srv +nodnssec # 31 + drop a3-8.tld2 any # 32 drop + nochange TCP a3-9.tld2 # 33 tcp-only + here x.servfail <<'EOF' # 34 qname-wait-recurse yes ;; status: SERVFAIL, x EOF - addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no + addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no end_group ckstats $ns3 test1 ns3 22 ckstats $ns5 test1 ns5 1 ckstats $ns6 test1 ns6 0 start_group "NXDOMAIN/NODATA action on QNAME trigger" test1 - nxdomain a0-1.tld2 @$ns6 # 1 - nodata a3-1.tld2 @$ns6 # 2 - nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself - nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target - nxdomain a4-2-cname.tld2 @$ns6 # 5 - nodata a4-3-cname.tld2 @$ns6 # 6 - addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement - addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard - addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone - addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME - addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain - addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 - addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME - addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME - addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain - addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain - nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c - nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs - nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 - drop a3-8.tld2 any @$ns6 # 20 drop + nxdomain a0-1.tld2 @$ns6 # 1 + nodata a3-1.tld2 @$ns6 # 2 + nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself + nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target + nxdomain a4-2-cname.tld2 @$ns6 # 5 + nodata a4-3-cname.tld2 @$ns6 # 6 + addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement + addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard + addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone + addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME + addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain + addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12 + addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME + addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME + addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain + addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain + nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c + nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs + nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 + drop a3-8.tld2 any @$ns6 # 20 drop end_group ckstatsrange $ns3 test1 ns3 22 30 ckstats $ns5 test1 ns5 0 ckstats $ns6 test1 ns6 0 start_group "IP rewrites" test2 - nodata a3-1.tld2 # 1 NODATA - nochange a3-2.tld2 # 2 no policy record so no change - nochange a4-1.tld2 # 3 obsolete PASSTHRU record style - nxdomain a4-2.tld2 # 4 - nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite - nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite - nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite - nodata a4-3.tld2 # 8 - nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy - nochange a4-1-aaaa.tld2 -taaaa # 10 - addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address - addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone - nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 - addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP - nochange a4-4.tld2 # 15 PASSTHRU - nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c - addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger - nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450) + nodata a3-1.tld2 # 1 NODATA + nochange a3-2.tld2 # 2 no policy record so no change + nochange a4-1.tld2 # 3 obsolete PASSTHRU record style + nxdomain a4-2.tld2 # 4 + nochange a4-2.tld2 -taaaa # 5 no A => no policy rewrite + nochange a4-2.tld2 -ttxt # 6 no A => no policy rewrite + nxdomain a4-2.tld2 -tany # 7 no A => no policy rewrite + nodata a4-3.tld2 # 8 + nxdomain a3-1.tld2 -taaaa # 9 IPv6 policy + nochange a4-1-aaaa.tld2 -taaaa # 10 + addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address + addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone + nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 + addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP + nochange a4-4.tld2 # 15 PASSTHRU + nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c + addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger + nxdomain a7-1.tld2 # 18 secondary policy zone (RT34450) # updating an response zone policy cp ns2/blv2.tld2.db.in ns2/bl.tld2.db rndc_reload ns2 $ns2 bl.tld2 ck_soa 2 bl.tld2 $ns3 - nochange a7-1.tld2 # 19 PASSTHRU + nochange a7-1.tld2 # 19 PASSTHRU # ensure that a clock tick has occurred so that named will do the reload sleep 1 cp ns2/blv3.tld2.db.in ns2/bl.tld2.db rndc_reload ns2 $ns2 bl.tld2 ck_soa 3 bl.tld2 $ns3 - nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450) + nxdomain a7-1.tld2 # 20 secondary policy zone (RT34450) end_group ckstats $ns3 test2 ns3 12 @@ -635,29 +645,29 @@ EOF # these tests assume "min-ns-dots 0" start_group "NSDNAME rewrites" test3 - nextpart ns3/named.run > /dev/null - nochange a3-1.tld2 # 1 - nochange a3-1.tld2 +dnssec # 2 this once caused problems - nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME - nxdomain a3-1.subsub.sub1.tld2 # 4 - nxdomain a3-1.subsub.sub1.tld2 -tany # 5 - addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 - nochange a3-2.tld2. # 7 exempt rewrite by name - nochange a0-1.tld2. # 8 exempt rewrite by address block - addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME - addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME - addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 - nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash - - nxdomain a3-1.stub # 13 - nxdomain a3-1.static-stub # 14 - nochange_ns10 a3-1.stub-nomatch # 15 - nochange_ns10 a3-1.static-stub-nomatch # 16 + nextpart ns3/named.run >/dev/null + nochange a3-1.tld2 # 1 + nochange a3-1.tld2 +dnssec # 2 this once caused problems + nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME + nxdomain a3-1.subsub.sub1.tld2 # 4 + nxdomain a3-1.subsub.sub1.tld2 -tany # 5 + addr 12.12.12.12 a4-2.subsub.sub2.tld2 # 6 walled garden for *.sub2.tld2 + nochange a3-2.tld2. # 7 exempt rewrite by name + nochange a0-1.tld2. # 8 exempt rewrite by address block + addr 12.12.12.12 a4-1.tld2 # 9 prefer QNAME policy to NSDNAME + addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME + addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 + nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash + + nxdomain a3-1.stub # 13 + nxdomain a3-1.static-stub # 14 + nochange_ns10 a3-1.stub-nomatch # 15 + nochange_ns10 a3-1.static-stub-nomatch # 16 if [ "$mode" = dnsrps ]; then - addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns + addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns fi - nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && - setret "seen: unrecognized NS rpz_rrset_find() failed: glue" + nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \ + && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" end_group if [ "$mode" = dnsrps ]; then ckstats $ns3 test3 ns3 10 @@ -667,26 +677,26 @@ EOF # these tests assume "min-ns-dots 0" start_group "NSIP rewrites" test4 - nextpart ns3/named.run > /dev/null - nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 - nochange a3-2.tld2. # 2 exempt rewrite by name - nochange a0-1.tld2. # 3 exempt rewrite by address block - nochange a3-1.tld4 # 4 different NS IP address - nxdomain a4-1.stub # 5 - nxdomain a4-1.static-stub # 6 - nochange_ns10 a4-1.stub-nomatch # 7 - nochange_ns10 a4-1.static-stub-nomatch # 8 + nextpart ns3/named.run >/dev/null + nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 + nochange a3-2.tld2. # 2 exempt rewrite by name + nochange a0-1.tld2. # 3 exempt rewrite by address block + nochange a3-1.tld4 # 4 different NS IP address + nxdomain a4-1.stub # 5 + nxdomain a4-1.static-stub # 6 + nochange_ns10 a4-1.stub-nomatch # 7 + nochange_ns10 a4-1.static-stub-nomatch # 8 if [ "$mode" = dnsrps ]; then - addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns + addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns fi - nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && - setret "seen: unrecognized NS rpz_rrset_find() failed: glue" + nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" \ + && setret "seen: unrecognized NS rpz_rrset_find() failed: glue" end_group start_group "walled garden NSIP rewrites" test4a - addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 - addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 - here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 + addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 + addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 + here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 ;; status: NOERROR, x a3-1.tld2. x IN TXT "NSIP walled garden" EOF @@ -700,29 +710,29 @@ EOF # policies in ./test5 overridden by response-policy{} in ns3/named.conf # and in ns5/named.conf start_group "policy overrides" test5 - addr 127.0.0.1 a3-1.tld2 # 1 bl-given - nochange a3-2.tld2 # 2 bl-passthru - nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru) - nochange a3-4.tld2 # 4 bl-disabled - nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no - nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no - nodata a3-5.tld2 # 7 bl-nodata not needed - nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no - nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec - nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec - nxdomain a3-6.tld2 # 11 bl-nxdomain - here a3-7.tld2 -tany <<'EOF' # 12 + addr 127.0.0.1 a3-1.tld2 # 1 bl-given + nochange a3-2.tld2 # 2 bl-passthru + nochange a3-3.tld2 # 3 bl-no-op (obsolete for passthru) + nochange a3-4.tld2 # 4 bl-disabled + nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no + nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no + nodata a3-5.tld2 # 7 bl-nodata not needed + nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no + nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec + nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec + nxdomain a3-6.tld2 # 11 bl-nxdomain + here a3-7.tld2 -tany <<'EOF' # 12 ;; status: NOERROR, x a3-7.tld2. x IN CNAME txt-only.tld2. txt-only.tld2. x IN TXT "txt-only-tld2" EOF - addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname - addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname - addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 - addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 - addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 - drop a3-18.tld2 any # 18 bl-drop - nxdomain TCP a3-19.tld2 # 19 bl-tcp-only + addr 58.58.58.58 a3-8.tld2 # 13 bl_wildcname + addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname + addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 + addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 + addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 + drop a3-18.tld2 any # 18 bl-drop + nxdomain TCP a3-19.tld2 # 19 bl-tcp-only end_group ckstats $ns3 test5 ns3 12 ckstats $ns5 test5 ns5 4 @@ -747,25 +757,25 @@ EOF # superficial test for major performance bugs QPERF=$(sh qperf.sh) if test -n "$QPERF"; then - perf () { - date "+${TS}checking performance $1" | cat_i - # Dry run to prime everything - comment "before dry run $1" - $RNDCCMD $ns5 notrace - $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null - comment "before real test $1" - PFILE="ns5/$2.perf" - $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE - comment "after test $1" - X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ - | tr '\n' ' ') - if test "$X" != "$3"; then - setret "wrong results '$X' in $PFILE" - fi - ckalive $ns5 "failed; server #5 crashed" + perf() { + date "+${TS}checking performance $1" | cat_i + # Dry run to prime everything + comment "before dry run $1" + $RNDCCMD $ns5 notrace + $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >/dev/null + comment "before real test $1" + PFILE="ns5/$2.perf" + $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p ${PORT} >$PFILE + comment "after test $1" + X=$(sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ + | tr '\n' ' ') + if test "$X" != "$3"; then + setret "wrong results '$X' in $PFILE" + fi + ckalive $ns5 "failed; server #5 crashed" } - trim () { - sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf + trim() { + sed -n -e 's/.*Queries per second: *\([0-9]*\).*/\1/p' ns5/$1.perf } # get qps with rpz @@ -777,16 +787,16 @@ EOF perf 'without RPZ' norpz 'NOERROR:3000 ' NORPZ=$(trim norpz) - PERCENT=$(( (RPZ * 100 + (NORPZ / 2)) / NORPZ)) + PERCENT=$(((RPZ * 100 + (NORPZ / 2)) / NORPZ)) echo_i "$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" MIN_PERCENT=30 if test "$PERCENT" -lt $MIN_PERCENT; then - echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps" + echo_i "$RPZ qps with rpz or $PERCENT% is below $MIN_PERCENT% of $NORPZ qps" fi if test "$PERCENT" -ge 100; then - echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" + echo_i "$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" fi ckstats $ns5 performance ns5 200 @@ -801,18 +811,18 @@ EOF kill "$OLD_PID" n=0 while true; do - NEW_PID=$(cat dnsrpzd.pid 2>/dev/null) - if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then - #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID" - break; - fi - $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null - n=$((n + 1)) - if test "$n" -gt $TEN_SECS; then - setret "dnsrpzd did not restart" - break - fi - $WAIT_CMD + NEW_PID=$(cat dnsrpzd.pid 2>/dev/null) + if test -n "$NEW_PID" -a "0$OLD_PID" -ne "0$NEW_PID"; then + #echo "OLD_PID=$OLD_PID NEW_PID=$NEW_PID" + break + fi + $DIG -p ${PORT} +short +norecurse a0-1.tld2 @$ns3 >/dev/null + n=$((n + 1)) + if test "$n" -gt $TEN_SECS; then + setret "dnsrpzd did not restart" + break + fi + $WAIT_CMD done fi @@ -822,7 +832,7 @@ EOF # reconfigure the ns5 primary server without the fast-expire zone, so # it can't be refreshed on ns3, and will expire in 5 seconds. - cat /dev/null > ns5/expire.conf + cat /dev/null >ns5/expire.conf rndc_reconfig ns5 10.53.0.5 # restart the main test RPZ server to see if that creates a core file @@ -838,8 +848,8 @@ EOF EMSGS=$(nextpart $runfile | grep -E -l 'invalid rpz|rpz.*failed' || true) if test -n "$EMSGS"; then setret "error messages in $runfile starting with:" - grep -E 'invalid rpz|rpz.*failed' ns*/named.run | \ - sed -e '10,$d' -e 's/^//' | cat_i + grep -E 'invalid rpz|rpz.*failed' ns*/named.run \ + | sed -e '10,$d' -e 's/^//' | cat_i fi done @@ -856,10 +866,10 @@ EOF t=$((t + 1)) echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})" - sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp + sed -e "s/^#BAD//" <ns3/named.conf.in >ns3/named.conf.tmp copy_setports ns3/named.conf.tmp ns3/named.conf rm ns3/named.conf.tmp - $RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed" + $RNDCCMD $ns3 reconfig >/dev/null 2>&1 && setret "failed" sleep 1 copy_setports ns3/named.conf.in ns3/named.conf $RNDCCMD $ns3 reconfig || setret "failed" @@ -867,37 +877,37 @@ EOF # reload a RPZ zone that is now deliberately broken. t=$((t + 1)) echo_i "checking rpz failed update will keep previous rpz rules (${t})" - $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.before - grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before > /dev/null || setret "failed" + $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.before + grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.before >/dev/null || setret "failed" cp ns3/broken.db.in ns3/manual-update-rpz.db rndc_reload ns3 $ns3 manual-update-rpz sleep 1 # ensure previous RPZ rules still apply. - $DIG -p ${PORT} @$ns3 walled.tld2 > dig.out.$t.after - grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after > /dev/null || setret "failed" + $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after + grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed" t=$((t + 1)) echo_i "checking reload of a mixed-case RPZ zone (${t})" # First, a sanity check: the A6-2.TLD2.mixed-case-rpz RPZ record should # cause a6-2.tld2 NOERROR answers to be rewritten to NXDOMAIN answers. - $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.before + $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.before grep "status: NXDOMAIN" dig.out.$t.before >/dev/null || setret "failed" # Add a sibling name (a6-1.tld2.mixed-case-rpz, with "tld2" in lowercase # rather than uppercase) before A6-2.TLD.mixed-case-rpz. - nextpart ns3/named.run > /dev/null + nextpart ns3/named.run >/dev/null cp ns3/mixed-case-rpz-2.db.in ns3/mixed-case-rpz.db rndc_reload ns3 $ns3 mixed-case-rpz wait_for_log 20 "rpz: mixed-case-rpz: reload done" ns3/named.run # a6-2.tld2 NOERROR answers should still be rewritten to NXDOMAIN answers. # (The bug we try to trigger here caused a6-2.tld2.mixed-case-rpz to be # erroneously removed from the summary RPZ database after reload.) - $DIG -p ${PORT} @$ns3 a6-2.tld2. A > dig.out.$t.after + $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t.after grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed" fi t=$((t + 1)) echo_i "checking that ttl values are not zeroed when qtype is '*' (${t})" - $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 > dig.out.$t + $DIG +noall +answer -p ${PORT} @$ns3 any a3-2.tld2 >dig.out.$t ttl=$(awk '/a3-2 tld2 text/ {print $2}' dig.out.$t) if test ${ttl:=0} -eq 0; then setret "failed"; fi @@ -919,37 +929,37 @@ EOF nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2. sleep 1 rndc_reload ns7 $ns7 policy2 - $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t} - grep NXDOMAIN dig.out.${t} > /dev/null || setret "failed" + $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} + grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed" t=$((t + 1)) echo_i "checking that "add-soa no" at rpz zone level works (${t})" - $DIG z.x.servfail -p ${PORT} @$ns7 > dig.out.${t} - grep SOA dig.out.${t} > /dev/null && setret "failed" + $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} + grep SOA dig.out.${t} >/dev/null && setret "failed" if [ native = "$mode" ]; then t=$((t + 1)) echo_i "checking that "add-soa yes" at response-policy level works (${t})" - $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t} - grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} + grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" fi if [ native = "$mode" ]; then t=$((t + 1)) echo_i "reconfiguring server with 'add-soa no' (${t})" cp ns3/named.conf ns3/named.conf.tmp - sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf + sed -e "s/add-soa yes/add-soa no/g" <ns3/named.conf.tmp >ns3/named.conf rndc_reconfig ns3 $ns3 echo_i "checking that 'add-soa no' at response-policy level works (${t})" - $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t} - grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null && setret "failed" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} + grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null && setret "failed" fi if [ native = "$mode" ]; then t=$((t + 1)) echo_i "checking that 'add-soa unset' works (${t})" - $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t} - grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed" + $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} + grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" fi # dnsrps does not allow NS RRs in policy zones, so this check @@ -957,38 +967,36 @@ EOF if [ native = "$mode" ]; then t=$((t + 1)) echo_i "checking rpz with delegation fails correctly (${t})" - $DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t - grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed" + $DIG -p ${PORT} @$ns3 ns example.com >dig.out.$t + grep "status: SERVFAIL" dig.out.$t >/dev/null || setret "failed" t=$((t + 1)) echo_i "checking policies from expired zone are no longer in effect ($t)" - $DIG -p ${PORT} @$ns3 a expired > dig.out.$t - grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed" - grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed" + $DIG -p ${PORT} @$ns3 a expired >dig.out.$t + grep "expired.*10.0.0.10" dig.out.$t >/dev/null && setret "failed" + grep "fast-expire/IN: response-policy zone expired" ns3/named.run >/dev/null || setret "failed" fi # RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios. - for label in a-only no-a-no-aaaa a-plus-aaaa - do - for type in AAAA A - do + for label in a-only no-a-no-aaaa a-plus-aaaa; do + for type in AAAA A; do t=$((t + 1)) case $label in - a-only) - echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})" - ;; - no-a-no-aaaa) - echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})" - ;; - a-plus-aaaa) - echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})" - ;; + a-only) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})" + ;; + no-a-no-aaaa) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})" + ;; + a-plus-aaaa) + echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})" + ;; esac ret=0 - $DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t} - grep "status: NOERROR" dig.out.$t > /dev/null || ret=1 - grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1 - grep "^rpz" dig.out.$t > /dev/null || ret=1 + $DIG ${label}.example -p ${PORT} $type @10.53.0.9 >dig.out.${t} + grep "status: NOERROR" dig.out.$t >/dev/null || ret=1 + grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t >/dev/null || ret=1 + grep "^rpz" dig.out.$t >/dev/null || ret=1 [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) done @@ -999,20 +1007,22 @@ EOF echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})" $RNDCCMD $ns3 flush $RNDCCMD $ns6 flush - $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd > dig.out.${t} - grep -w "1.1.1.1" dig.out.${t} > /dev/null || setret "failed" + $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd >dig.out.${t} + grep -w "1.1.1.1" dig.out.${t} >/dev/null || setret "failed" fi [ $status -ne 0 ] && pf=fail || pf=pass case $mode in - native) - native=$status - echo_i "status (native RPZ sub-test): $status ($pf)";; - - dnsrps) - dnsrps=$status - echo_i "status (DNSRPS sub-test): $status ($pf)";; - *) echo_i "invalid test mode";; + native) + native=$status + echo_i "status (native RPZ sub-test): $status ($pf)" + ;; + + dnsrps) + dnsrps=$status + echo_i "status (DNSRPS sub-test): $status ($pf)" + ;; + *) echo_i "invalid test mode" ;; esac done status=$((native + dnsrps)) diff --git a/bin/tests/system/rpzextra/ns3/named.args b/bin/tests/system/rpzextra/ns3/named.args index 970fc22..8ec9731 100644 --- a/bin/tests/system/rpzextra/ns3/named.args +++ b/bin/tests/system/rpzextra/ns3/named.args @@ -1 +1 @@ - -m record -c named.conf -d 99 -D rpzextra-ns1 -X named.lock -U 4 -T maxcachesize=2097152 + -m record -c named.conf -d 99 -f -D rpzextra-ns3 -X named.lock -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/rpzrecurse/ns3/named1.conf.in b/bin/tests/system/rpzrecurse/ns3/named1.conf.in index f838535..6a1bd11 100644 --- a/bin/tests/system/rpzrecurse/ns3/named1.conf.in +++ b/bin/tests/system/rpzrecurse/ns3/named1.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/rpzrecurse/ns3/named2.conf.in b/bin/tests/system/rpzrecurse/ns3/named2.conf.in index 40f6b49..06b2536 100644 --- a/bin/tests/system/rpzrecurse/ns3/named2.conf.in +++ b/bin/tests/system/rpzrecurse/ns3/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/rpzrecurse/ns3/named3.conf.in b/bin/tests/system/rpzrecurse/ns3/named3.conf.in index 3926bf9..ac2e19c 100644 --- a/bin/tests/system/rpzrecurse/ns3/named3.conf.in +++ b/bin/tests/system/rpzrecurse/ns3/named3.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/rpzrecurse/prereq.sh b/bin/tests/system/rpzrecurse/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/rpzrecurse/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh index 4dcd5ed..8a8ebe9 100644 --- a/bin/tests/system/rpzrecurse/setup.sh +++ b/bin/tests/system/rpzrecurse/setup.sh @@ -20,17 +20,23 @@ set -e USAGE="$0: [-DNx]" DEBUG= while getopts "DNx" c; do - case $c in - x) set -x; DEBUG=-x;; - D) TEST_DNSRPS="-D";; - N) NOCLEAN=set;; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ;; + D) TEST_DNSRPS="-D" ;; + N) NOCLEAN=set ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi [ ${NOCLEAN:-unset} = unset ] && $SHELL clean.sh $DEBUG @@ -48,20 +54,18 @@ copy_setports ns4/named.conf.in ns4/named.conf # setup policy zones for a 64-zone test i=1 -while test $i -le 64 -do - echo "\$TTL 60" > ns2/db.max$i.local - echo "@ IN SOA root.ns ns 1996072700 3600 1800 86400 60" >> ns2/db.max$i.local - echo " NS ns" >> ns2/db.max$i.local - echo "ns A 127.0.0.1" >> ns2/db.max$i.local - - j=1 - while test $j -le $i - do - echo "name$j A 10.53.0.$i" >> ns2/db.max$i.local - j=$((j + 1)) - done - i=$((i + 1)) +while test $i -le 64; do + echo "\$TTL 60" >ns2/db.max$i.local + echo "@ IN SOA root.ns ns 1996072700 3600 1800 86400 60" >>ns2/db.max$i.local + echo " NS ns" >>ns2/db.max$i.local + echo "ns A 127.0.0.1" >>ns2/db.max$i.local + + j=1 + while test $j -le $i; do + echo "name$j A 10.53.0.$i" >>ns2/db.max$i.local + j=$((j + 1)) + done + i=$((i + 1)) done # decide whether to test DNSRPS @@ -74,14 +78,14 @@ PID-FILE $CWD/dnsrpzd.pid; include $CWD/dnsrpzd-license-cur.conf -zone "policy" { type primary; file "`pwd`/ns3/policy.db"; }; +zone "policy" { type primary; file "$(pwd)/ns3/policy.db"; }; EOF sed -n -e 's/^ *//' -e "/zone.*.*primary/s@file \"@&$CWD/ns2/@p" ns2/*.conf \ - >>dnsrpzd.conf + >>dnsrpzd.conf # Run dnsrpzd to get the license and prime the static policy zones if test -n "$TEST_DNSRPS"; then - DNSRPZD="$(../rpz/dnsrps -p)" - "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \ - -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 + DNSRPZD="$(../rpz/dnsrps -p)" + "$DNSRPZD" -D./dnsrpzd.rpzf -S./dnsrpzd.sock -C./dnsrpzd.conf \ + -w 0 -dddd -L stdout >./dnsrpzd.run 2>&1 fi diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh index eed53e8..afc1a2b 100644 --- a/bin/tests/system/rpzrecurse/tests.sh +++ b/bin/tests/system/rpzrecurse/tests.sh @@ -27,86 +27,95 @@ ARGS= USAGE="$0: [-xS]" while getopts "xS:" c; do - case $c in - x) set -x; DEBUG=-x; ARGS="$ARGS -x";; - S) SAVE_RESULTS=-S; ARGS="$ARGS -S";; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) + set -x + DEBUG=-x + ARGS="$ARGS -x" + ;; + S) + SAVE_RESULTS=-S + ARGS="$ARGS -S" + ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # really quit on control-C trap 'exit 1' 1 2 15 DNSRPSCMD=../rpz/dnsrps -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # $1 = test name (such as 1a, 1b, etc. for which named.$1.conf exists) run_server() { - TESTNAME=$1 + TESTNAME=$1 - echo_i "stopping resolver" - stop_server --use-rndc --port ${CONTROLPORT} ns2 + echo_i "stopping resolver" + stop_server --use-rndc --port ${CONTROLPORT} ns2 - sleep 1 + sleep 1 - echo_i "starting resolver using named.$TESTNAME.conf" - cp -f ns2/named.$TESTNAME.conf ns2/named.conf - start_server --noclean --restart --port ${PORT} ns2 - sleep 3 + echo_i "starting resolver using named.$TESTNAME.conf" + cp -f ns2/named.$TESTNAME.conf ns2/named.conf + start_server --noclean --restart --port ${PORT} ns2 + sleep 3 } run_query() { - TESTNAME=$1 - LINE=$2 + TESTNAME=$1 + LINE=$2 - NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1) - $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 > dig.out.${t} - grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 && return 1 - return 0 + NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1) + $DIG $DIGOPTS $NAME a @10.53.0.2 -p ${PORT} -b 127.0.0.1 >dig.out.${t} + grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 && return 1 + return 0 } # $1 = test name (such as 1a, 1b, etc. for which $1.queries exists) # $2 = line number in query file to test (the name to query is taken from this line) expect_norecurse() { - TESTNAME=$1 - LINE=$2 + TESTNAME=$1 + LINE=$2 - NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1) - t=$((t + 1)) - echo_i "testing $NAME doesn't recurse (${t})" - add_test_marker 10.53.0.2 - run_query $TESTNAME $LINE || { - echo_i "test ${t} failed" - status=1 - } + NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1) + t=$((t + 1)) + echo_i "testing $NAME doesn't recurse (${t})" + add_test_marker 10.53.0.2 + run_query $TESTNAME $LINE || { + echo_i "test ${t} failed" + status=1 + } } # $1 = test name (such as 1a, 1b, etc. for which $1.queries exists) # $2 = line number in query file to test (the name to query is taken from this line) expect_recurse() { - TESTNAME=$1 - LINE=$2 + TESTNAME=$1 + LINE=$2 - NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1) - t=$((t + 1)) - echo_i "testing $NAME recurses (${t})" - add_test_marker 10.53.0.2 - run_query $TESTNAME $LINE && { - echo_i "test ${t} failed" - status=1 - } - return 0 + NAME=$(sed -n -e "$LINE,"'$p' ns2/$TESTNAME.queries | head -n 1) + t=$((t + 1)) + echo_i "testing $NAME recurses (${t})" + add_test_marker 10.53.0.2 + run_query $TESTNAME $LINE && { + echo_i "test ${t} failed" + status=1 + } + return 0 } add_test_marker() { - for ns in $@ - do - $RNDCCMD $ns null ---- test ${t} ---- - done + for ns in $@; do + $RNDCCMD $ns null ---- test ${t} ---- + done } native=0 @@ -114,36 +123,36 @@ dnsrps=0 for mode in native dnsrps; do status=0 case $mode in - native) - if [ -e dnsrps-only ] ; then - echo_i "'dnsrps-only' found: skipping native RPZ sub-test" - continue - else - echo_i "running native RPZ sub-test" - fi - ;; - dnsrps) - if [ -e dnsrps-off ] ; then - echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" - continue - fi - echo_i "attempting to configure servers with DNSRPS..." - stop_server --use-rndc --port ${CONTROLPORT} - $SHELL ./setup.sh -N -D $DEBUG - sed -n 's/^## //p' dnsrps.conf | cat_i - if grep '^#fail' dnsrps.conf >/dev/null; then - echo_i "exit status: 1" - exit 1 - fi - if grep '^#skip' dnsrps.conf > /dev/null; then - echo_i "DNSRPS sub-test skipped" - continue - else - echo_i "running DNSRPS sub-test" - start_server --noclean --restart --port ${PORT} - sleep 3 - fi - ;; + native) + if [ -e dnsrps-only ]; then + echo_i "'dnsrps-only' found: skipping native RPZ sub-test" + continue + else + echo_i "running native RPZ sub-test" + fi + ;; + dnsrps) + if [ -e dnsrps-off ]; then + echo_i "'dnsrps-off' found: skipping DNSRPS sub-test" + continue + fi + echo_i "attempting to configure servers with DNSRPS..." + stop_server --use-rndc --port ${CONTROLPORT} + $SHELL ./setup.sh -N -D $DEBUG + sed -n 's/^## //p' dnsrps.conf | cat_i + if grep '^#fail' dnsrps.conf >/dev/null; then + echo_i "exit status: 1" + exit 1 + fi + if grep '^#skip' dnsrps.conf >/dev/null; then + echo_i "DNSRPS sub-test skipped" + continue + else + echo_i "running DNSRPS sub-test" + start_server --noclean --restart --port ${PORT} + sleep 3 + fi + ;; esac # show whether and why DNSRPS is enabled or disabled @@ -152,8 +161,8 @@ for mode in native dnsrps; do t=$((t + 1)) echo_i "testing that l1.l0 exists without RPZ (${t})" add_test_marker 10.53.0.2 - $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + $DIG $DIGOPTS l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t} + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test ${t} failed" status=1 } @@ -161,8 +170,8 @@ for mode in native dnsrps; do t=$((t + 1)) echo_i "testing that l2.l1.l0 returns SERVFAIL without RPZ (${t})" add_test_marker 10.53.0.2 - $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} > dig.out.${t} - grep "status: SERVFAIL" dig.out.${t} > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 ns @10.53.0.2 -p ${PORT} >dig.out.${t} + grep "status: SERVFAIL" dig.out.${t} >/dev/null 2>&1 || { echo_i "test ${t} failed" status=1 } @@ -179,8 +188,7 @@ for mode in native dnsrps; do # Group 2 run_server 2a for n in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 \ - 21 22 23 24 25 26 27 28 29 30 31 32 - do + 21 22 23 24 25 26 27 28 29 30 31 32; do expect_norecurse 2a $n done expect_recurse 2a 33 @@ -221,8 +229,7 @@ for mode in native dnsrps; do add_test_marker 10.53.0.2 c=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 \ - 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 - do + 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33; do run_query 4$n $i || c=$((c + 1)) done skipped=$((33 - c)) @@ -249,7 +256,7 @@ for mode in native dnsrps; do t=$((t + 1)) echo_i "running dig to cache CNAME record (${t})" add_test_marker 10.53.0.1 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} sleep 1 echo_i "suspending authority server" PID=$(cat ns1/named.pid) @@ -257,30 +264,29 @@ for mode in native dnsrps; do echo_i "adding an NSDNAME policy" cp ns2/db.6a.00.policy.local ns2/saved.policy.local cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true sleep 1 t=$((t + 1)) echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" add_test_marker 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & sleep 1 echo_i "removing the NSDNAME policy" cp ns2/db.6c.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true sleep 1 echo_i "resuming authority server" PID=$(cat ns1/named.pid) kill -CONT $PID add_test_marker 10.53.0.1 - for n in 1 2 3 4 5 6 7 8 9 - do + for n in 1 2 3 4 5 6 7 8 9; do sleep 1 [ -s dig.out.${t} ] || continue - grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break + grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break done - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test ${t} failed" status=1 } @@ -292,20 +298,20 @@ for mode in native dnsrps; do t=$((t + 1)) echo_i "running dig to cache CNAME record (${t})" add_test_marker 10.53.0.1 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME > dig.out.${t} + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org CNAME >dig.out.${t} sleep 1 echo_i "suspending authority server" PID=$(cat ns1/named.pid) kill -STOP $PID echo_i "adding an NSDNAME policy" cp ns2/db.6b.00.policy.local ns2/db.6a.00.policy.local - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i + $RNDC -c ../_common/rndc.conf -s 10.53.0.2 -p ${CONTROLPORT} reload 6a.00.policy.local 2>&1 | sed 's/^/ns2 /' | cat_i test -f dnsrpzd.pid && kill -USR1 $(cat dnsrpzd.pid) || true sleep 1 t=$((t + 1)) echo_i "running dig to follow CNAME (blocks, so runs in the background) (${t})" add_test_marker 10.53.0.2 - $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 > dig.out.${t} & + $DIG $DIGOPTS @10.53.0.2 -p ${PORT} www.test.example.org A +time=5 >dig.out.${t} & sleep 1 echo_i "removing the policy zone" cp ns2/named.default.conf ns2/named.conf @@ -319,9 +325,9 @@ for mode in native dnsrps; do for n in 1 2 3 4 5 6 7 8 9; do sleep 1 [ -s dig.out.${t} ] || continue - grep "status: .*," dig.out.${t} > /dev/null 2>&1 && break + grep "status: .*," dig.out.${t} >/dev/null 2>&1 && break done - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test ${t} failed" status=1 } @@ -332,14 +338,13 @@ for mode in native dnsrps; do add_test_marker 10.53.0.2 run_server max i=1 - while test $i -le 64 - do - $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.${i} - grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} > /dev/null 2>&1 || { - echo_i "test $t failed: didn't get expected answer from policy zone $i" - status=1 - } - i=$((i + 1)) + while test $i -le 64; do + $DIG $DIGOPTS name$i a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.${i} + grep "^name$i.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.$i" dig.out.${t}.${i} >/dev/null 2>&1 || { + echo_i "test $t failed: didn't get expected answer from policy zone $i" + status=1 + } + i=$((i + 1)) done # Check CLIENT-IP behavior @@ -347,12 +352,12 @@ for mode in native dnsrps; do echo_i "testing CLIENT-IP behavior (${t})" add_test_marker 10.53.0.2 run_server clientip - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} - grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} + grep "status: NOERROR" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} > /dev/null 2>&1 || { + grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} >/dev/null 2>&1 || { echo_i "test $t failed: didn't get expected answer" status=1 } @@ -362,27 +367,27 @@ for mode in native dnsrps; do echo_i "testing CLIENT-IP behavior #2 (${t})" add_test_marker 10.53.0.2 run_server clientip2 - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 > dig.out.${t}.1 - grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.1 >dig.out.${t}.1 + grep "status: SERVFAIL" dig.out.${t}.1 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 > dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 > dig.out.${t}.3 - grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >dig.out.${t}.3 + grep "status: NOERROR" dig.out.${t}.3 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } - grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || { + grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 >/dev/null 2>&1 || { echo_i "test $t failed: didn't get expected answer" status=1 } - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t}.4 - grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t}.4 + grep "status: SERVFAIL" dig.out.${t}.4 >/dev/null 2>&1 || { echo_i "test $t failed: query failed" status=1 } @@ -393,18 +398,18 @@ for mode in native dnsrps; do add_test_marker 10.53.0.2 run_server log cur=$(awk 'BEGIN {l=0} /^/ {l++} END { print l }' ns2/named.run) - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 > dig.out.${t} - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >> dig.out.${t} - $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >> dig.out.${t} - sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" > /dev/null && { + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.4 >dig.out.${t} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.3 >>dig.out.${t} + $DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p ${PORT} -b 10.53.0.2 >>dig.out.${t} + sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.4.0.53.10.rpz-client-ip.log1" >/dev/null && { echo_ic "failed: unexpected rewrite message for policy zone log1 was logged" status=1 } - sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" > /dev/null || { + sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.3.0.53.10.rpz-client-ip.log2" >/dev/null || { echo_ic "failed: expected rewrite message for policy zone log2 was not logged" status=1 } - sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" > /dev/null || { + sed -n "$cur,"'$p' <ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-Data rewrite l2.l1.l0/A/IN via 32.2.0.53.10.rpz-client-ip.log3" >/dev/null || { echo_ic "failed: expected rewrite message for policy zone log3 was not logged" status=1 } @@ -415,13 +420,13 @@ for mode in native dnsrps; do echo_i "testing wildcard behavior with 1 RPZ zone (${t})" add_test_marker 10.53.0.2 run_server wildcard1 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } @@ -430,13 +435,13 @@ for mode in native dnsrps; do echo_i "testing wildcard behavior with 2 RPZ zones (${t})" add_test_marker 10.53.0.2 run_server wildcard2 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NXDOMAIN" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } @@ -445,13 +450,13 @@ for mode in native dnsrps; do echo_i "testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})" add_test_marker 10.53.0.2 run_server wildcard3 - $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NXDOMAIN" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS test1.example.net a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } @@ -460,13 +465,13 @@ for mode in native dnsrps; do echo_i "testing wildcard passthru before explicit drop (${t})" add_test_marker 10.53.0.2 run_server wildcard4 - $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1 - grep "status: NOERROR" dig.out.${t}.1 > /dev/null || { + $DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.1 + grep "status: NOERROR" dig.out.${t}.1 >/dev/null || { echo_i "test ${t} failed" status=1 } - $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2 - grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { + $DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} >dig.out.${t}.2 + grep "status: NOERROR" dig.out.${t}.2 >/dev/null || { echo_i "test ${t} failed" status=1 } @@ -477,7 +482,7 @@ for mode in native dnsrps; do echo_i "testing for invalid prefix length error (${t})" add_test_marker 10.53.0.2 run_server invalidprefixlength - grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run > /dev/null || { + grep "invalid rpz IP address \"1000.4.0.53.10.rpz-client-ip.invalidprefixlength\"; invalid prefix length of 1000$" ns2/named.run >/dev/null || { echo_ic "failed: expected that invalid prefix length error would be logged" status=1 } @@ -489,20 +494,20 @@ for mode in native dnsrps; do echo_i "timing 'nsip-wait-recurse yes' (default)" ret=0 t1=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t t2=$($PERL -e 'print time()."\n";') p1=$((t2 - t1)) echo_i "elapsed time $p1 seconds" - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush copy_setports ns3/named2.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 echo_i "timing 'nsip-wait-recurse no'" t3=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t t4=$($PERL -e 'print time()."\n";') p2=$((t4 - t3)) echo_i "elapsed time $p2 seconds" @@ -511,11 +516,11 @@ for mode in native dnsrps; do if test $ret != 0; then echo_i "failed"; fi status=$((status + ret)) - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush # restore original named.conf copy_setports ns3/named1.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 t=$((t + 1)) @@ -524,20 +529,20 @@ for mode in native dnsrps; do echo_i "timing 'nsdname-wait-recurse yes' (default)" ret=0 t1=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.yes.$t t2=$($PERL -e 'print time()."\n";') p1=$((t2 - t1)) echo_i "elapsed time $p1 seconds" - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} flush copy_setports ns3/named3.conf.in ns3/named.conf - nextpart ns3/named.run > /dev/null - $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload > /dev/null + nextpart ns3/named.run >/dev/null + $RNDC -c ../_common/rndc.conf -s 10.53.0.3 -p ${CONTROLPORT} reload >/dev/null wait_for_log 20 "rpz: policy: reload done" ns3/named.run || ret=1 echo_i "timing 'nsdname-wait-recurse no'" t3=$($PERL -e 'print time()."\n";') - $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a > dig.out.no.$t + $DIG -p ${PORT} @10.53.0.3 foo.child.example.tld a >dig.out.no.$t t4=$($PERL -e 'print time()."\n";') p2=$((t4 - t3)) echo_i "elapsed time $p2 seconds" @@ -546,16 +551,17 @@ for mode in native dnsrps; do if test $ret != 0; then echo_i "failed"; fi status=$((status + ret)) - [ $status -ne 0 ] && pf=fail || pf=pass case $mode in - native) - native=$status - echo_i "status (native RPZ sub-test): $status ($pf)";; - dnsrps) - dnsrps=$status - echo_i "status (DNSRPS sub-test): $status ($pf)";; - *) echo_i "invalid test mode";; + native) + native=$status + echo_i "status (native RPZ sub-test): $status ($pf)" + ;; + dnsrps) + dnsrps=$status + echo_i "status (DNSRPS sub-test): $status ($pf)" + ;; + *) echo_i "invalid test mode" ;; esac done status=$((native + dnsrps)) diff --git a/bin/tests/system/rrchecker/tests.sh b/bin/tests/system/rrchecker/tests.sh index 65e9d43..0edf303 100644 --- a/bin/tests/system/rrchecker/tests.sh +++ b/bin/tests/system/rrchecker/tests.sh @@ -20,21 +20,30 @@ n=0 n=$((n + 1)) echo_i "class list ($n)" -$RRCHECKER -C > classlist.out -diff classlist.out classlist.good || { echo_i "failed"; status=$((status + 1)); } +$RRCHECKER -C >classlist.out +diff classlist.out classlist.good || { + echo_i "failed" + status=$((status + 1)) +} n=$((n + 1)) echo_i "type list ($n)" -$RRCHECKER -T > typelist.out -diff typelist.out typelist.good || { echo_i "failed"; status=$((status + 1)); } +$RRCHECKER -T >typelist.out +diff typelist.out typelist.good || { + echo_i "failed" + status=$((status + 1)) +} n=$((n + 1)) echo_i "private type list ($n)" -$RRCHECKER -P > privatelist.out -diff privatelist.out privatelist.good || { echo_i "failed"; status=$((status + 1)); } +$RRCHECKER -P >privatelist.out +diff privatelist.out privatelist.good || { + echo_i "failed" + status=$((status + 1)) +} myecho() { -cat << EOF + cat <<EOF $* EOF } @@ -42,44 +51,48 @@ EOF n=$((n + 1)) echo_i "check conversions to canonical format ($n)" ret=0 -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 0 > tempzone -$CHECKZONE -Dq . tempzone | sed '/^;/d' > checkzone.out$n -while read -r name tt cl ty rest -do - myecho "$cl $ty $rest" | $RRCHECKER -p > checker.out || { - ret=1 - echo_i "'$cl $ty $rest' not handled." - } - read -r cl0 ty0 rest0 < checker.out - test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { - ret=1 - echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" - } -done < checkzone.out$n -test $ret -eq 0 || { echo_i "failed"; status=$((status + 1)); } +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 0 >tempzone +$CHECKZONE -Dq . tempzone | sed '/^;/d' >checkzone.out$n +while read -r name tt cl ty rest; do + myecho "$cl $ty $rest" | $RRCHECKER -p >checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not handled." + } + read -r cl0 ty0 rest0 <checker.out + test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { + ret=1 + echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" + } +done <checkzone.out$n +test $ret -eq 0 || { + echo_i "failed" + status=$((status + 1)) +} n=$((n + 1)) echo_i "check conversions to and from unknown record format ($n)" ret=0 -$CHECKZONE -Dq . tempzone | sed '/^;/d' > checkzone.out$n -while read -r name tt cl ty rest -do - myecho "$cl $ty $rest" | $RRCHECKER -u > checker.out || { - ret=1 - echo_i "'$cl $ty $rest' not converted to unknown record format" - } - read -r clu tyu restu < checker.out - myecho "$clu $tyu $restu" | $RRCHECKER -p > checker.out || { - ret=1 - echo_i "'$cl $ty $rest' not converted back to canonical format" - } - read -r cl0 ty0 rest0 < checker.out - test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { - ret=1 - echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" - } -done < checkzone.out$n -test $ret -eq 0 || { echo_i "failed"; status=$((status + 1)); } +$CHECKZONE -Dq . tempzone | sed '/^;/d' >checkzone.out$n +while read -r name tt cl ty rest; do + myecho "$cl $ty $rest" | $RRCHECKER -u >checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not converted to unknown record format" + } + read -r clu tyu restu <checker.out + myecho "$clu $tyu $restu" | $RRCHECKER -p >checker.out || { + ret=1 + echo_i "'$cl $ty $rest' not converted back to canonical format" + } + read -r cl0 ty0 rest0 <checker.out + test "$cl $ty $rest" = "$cl0 $ty0 $rest0" || { + ret=1 + echo_i "'$cl $ty $rest' != '$cl0 $ty0 $rest0'" + } +done <checkzone.out$n +test $ret -eq 0 || { + echo_i "failed" + status=$((status + 1)) +} echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/rrl/clean.sh b/bin/tests/system/rrl/clean.sh index 739366a..88c9a56 100644 --- a/bin/tests/system/rrl/clean.sh +++ b/bin/tests/system/rrl/clean.sh @@ -14,7 +14,7 @@ # Clean up after rrl tests. rm -f dig.out* *mdig.out* -rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f */named.memstats */named.run */named.stats */log-* */session.key rm -f ns3/bl*.db */*.jnl */*.core */*.pid rm -f ns*/named.lock rm -f ns*/named.conf diff --git a/bin/tests/system/rrl/tests.sh b/bin/tests/system/rrl/tests.sh index 9465b93..9bd6643 100644 --- a/bin/tests/system/rrl/tests.sh +++ b/bin/tests/system/rrl/tests.sh @@ -17,154 +17,157 @@ set -e . ../conf.sh -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" #set -x -ns1=10.53.0.1 # root, defining the others -ns2=10.53.0.2 # test server -ns3=10.53.0.3 # secondary test server -ns4=10.53.0.4 # log-only test server -ns7=10.53.0.7 # whitelisted client +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns4=10.53.0.4 # log-only test server +ns7=10.53.0.7 # whitelisted client USAGE="$0: [-x]" while getopts "x" c; do - case $c in - x) set -x;; - *) echo "$USAGE" 1>&2; exit 1;; - esac + case $c in + x) set -x ;; + *) + echo "$USAGE" 1>&2 + exit 1 + ;; + esac done shift $((OPTIND - 1)) if test "$#" -ne 0; then - echo "$USAGE" 1>&2 - exit 1 + echo "$USAGE" 1>&2 + exit 1 fi # really quit on control-C trap 'exit 1' 1 2 15 - ret=0 -setret () { - ret=1 - echo_i "$*" +setret() { + ret=1 + echo_i "$*" } - # Wait until soon after the start of a second to make results consistent. # The start of a second credits a rate limit. # This would be far easier in C or by assuming a modern version of perl. -sec_start () { - START=$(date) - while true; do - NOW=$(date) - if test "$START" != "$NOW"; then - return - fi - $PERL -e 'select(undef, undef, undef, 0.05)' || true - done +sec_start() { + START=$(date) + while true; do + NOW=$(date) + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done } - # turn off ${HOME}/.digrc -HOME=/dev/null; export HOME +HOME=/dev/null +export HOME # $1=number of tests $2=target domain $3=dig options QNUM=1 -burst () { - BURST_LIMIT=$1; shift - BURST_DOM_BASE="$1"; shift - - XCNT=$CNT - CNT='XXX' - eval FILENAME="mdig.out-$BURST_DOM_BASE" - CNT=$XCNT - - DOMS="" - CNTS=$($PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }') - for CNT in $CNTS - do - eval BURST_DOM="$BURST_DOM_BASE" - DOMS="$DOMS $BURST_DOM" - done - ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS" - $MDIG $ARGS 2>&1 | \ - tee -a full-$FILENAME | \ - sed -n -e '/^;; AUTHORITY/,/^$/d' \ - -e '/^;; ADDITIONAL/,/^$/d' \ - -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ - -e 's/;; flags.* tc .*/TC/p' \ - -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ - -e 's/;; .* status: NOERROR.*/NOERROR/p' \ - -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ - -e 's/response failed with timed out.*/drop/p' \ - -e 's/;; communications error to.*/drop/p' >> $FILENAME & - QNUM=$((QNUM + BURST_LIMIT)) +burst() { + BURST_LIMIT=$1 + shift + BURST_DOM_BASE="$1" + shift + + XCNT=$CNT + CNT='XXX' + eval FILENAME="mdig.out-$BURST_DOM_BASE" + CNT=$XCNT + + DOMS="" + CNTS=$($PERL -e 'for ( $i = 0; $i < '$BURST_LIMIT'; $i++) { printf "%03d\n", '$QNUM' + $i; }') + for CNT in $CNTS; do + eval BURST_DOM="$BURST_DOM_BASE" + DOMS="$DOMS $BURST_DOM" + done + ARGS="+burst +nocookie +continue +time=1 +tries=1 -p ${PORT} $* @$ns2 $DOMS" + $MDIG $ARGS 2>&1 \ + | tee -a full-$FILENAME \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: NOERROR.*/NOERROR/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/response failed with timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' >>$FILENAME & + QNUM=$((QNUM + BURST_LIMIT)) } # compare integers $1 and $2; ensure the difference is no more than $3 -range () { - $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3 +range() { + $PERL -e 'if (abs(int($ARGV[0]) - int($ARGV[1])) > int($ARGV[2])) { exit(1) }' $1 $2 $3 } # $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop # $6=NXDOMAIN $7=SERVFAIL or other errors ck_result() { - # wait to the background mdig calls to complete. - wait - BAD=no - ADDRS=$(grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l) - # count simple truncated and truncated NXDOMAIN as TC - TC=$(grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) - DROP=$(grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l) - # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN - NXDOMAIN=$(grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) - SERVFAIL=$(grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l) - NOERROR=$(grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l) - - range $ADDRS "$3" 1 || - setret "$ADDRS instead of $3 '$2' responses for $1" && - BAD=yes - - range $TC "$4" 1 || - setret "$TC instead of $4 truncation responses for $1" && - BAD=yes - - range $DROP "$5" 1 || - setret "$DROP instead of $5 dropped responses for $1" && - BAD=yes - - range $NXDOMAIN "$6" 1 || - setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" && - BAD=yes - - range $SERVFAIL "$7" 1 || - setret "$SERVFAIL instead of $7 error responses for $1" && - BAD=yes - - range $NOERROR "$8" 1 || - setret "$NOERROR instead of $8 NOERROR responses for $1" && - BAD=yes - - if test -z "$BAD"; then - rm -f mdig.out-$1 - fi + # wait to the background mdig calls to complete. + wait + BAD=no + ADDRS=$(grep -E "^$2$" mdig.out-$1 2>/dev/null | wc -l) + # count simple truncated and truncated NXDOMAIN as TC + TC=$(grep -E "^TC|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) + DROP=$(grep -E "^drop$" mdig.out-$1 2>/dev/null | wc -l) + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=$(grep -E "^NXDOMAIN|NXDOMAINTC$" mdig.out-$1 2>/dev/null | wc -l) + SERVFAIL=$(grep -E "^SERVFAIL$" mdig.out-$1 2>/dev/null | wc -l) + NOERROR=$(grep -E "^NOERROR$" mdig.out-$1 2>/dev/null | wc -l) + + range $ADDRS "$3" 1 \ + || setret "$ADDRS instead of $3 '$2' responses for $1" \ + && BAD=yes + + range $TC "$4" 1 \ + || setret "$TC instead of $4 truncation responses for $1" \ + && BAD=yes + + range $DROP "$5" 1 \ + || setret "$DROP instead of $5 dropped responses for $1" \ + && BAD=yes + + range $NXDOMAIN "$6" 1 \ + || setret "$NXDOMAIN instead of $6 NXDOMAIN responses for $1" \ + && BAD=yes + + range $SERVFAIL "$7" 1 \ + || setret "$SERVFAIL instead of $7 error responses for $1" \ + && BAD=yes + + range $NOERROR "$8" 1 \ + || setret "$NOERROR instead of $8 NOERROR responses for $1" \ + && BAD=yes + + if test -z "$BAD"; then + rm -f mdig.out-$1 + fi } - -ckstats () { - LABEL="$1"; shift - TYPE="$1"; shift - EXPECTED="$1"; shift - C=$(cat ns2/named.stats | - sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" | - tail -1) - C=$((C)) - - range "$C" $EXPECTED 1 || - setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" +ckstats() { + LABEL="$1" + shift + TYPE="$1" + shift + EXPECTED="$1" + shift + C=$(cat ns2/named.stats \ + | sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + | tail -1) + C=$((C)) + + range "$C" $EXPECTED 1 \ + || setret "wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" } - ######### sec_start @@ -180,13 +183,13 @@ burst 30 'y.x$CNT.a2.tld2' # IP TC drop NXDOMAIN SERVFAIL NOERROR # referrals to "." -ck_result a1.tld3 x 0 1 2 0 0 2 +ck_result a1.tld3 x 0 1 2 0 0 2 # check 13 results including 1 second delay that allows an additional response -ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 # Check the wildcard answers. # The zone origin name of the 30 requests is counted. -ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 +ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 ######### sec_start @@ -196,21 +199,20 @@ burst 10 'y$CNT.a3.tld3' burst 10 'z$CNT.a4.tld2' # 10 identical recursive responses are limited -ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5 +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 5 # 10 different recursive responses are not limited -ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10 +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 10 # 10 different NXDOMAIN responses are limited based on the parent name. # We count 13 responses because we count truncated NXDOMAIN responses # as both truncated and NXDOMAIN. -ck_result 'z*.a4.tld2' x 0 3 5 5 0 0 +ck_result 'z*.a4.tld2' x 0 3 5 5 0 0 $RNDCCMD $ns2 stats ckstats first dropped 36 ckstats first truncated 21 - ######### sec_start @@ -223,22 +225,21 @@ burst 2 a8.tld2 -t SPF # IP TC drop NXDOMAIN SERVFAIL NOERROR # TCP responses are not rate limited -ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10 +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 10 # whitelisted client is not rate limited -ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10 +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 10 # Errors such as SERVFAIL are rate limited. -ck_result a7.tld4 x 0 0 8 0 2 0 +ck_result a7.tld4 x 0 0 8 0 2 0 # NODATA responses are counted as the same regardless of qtype. -ck_result a8.tld2 x 0 2 2 0 0 4 +ck_result a8.tld2 x 0 2 2 0 0 4 $RNDCCMD $ns2 stats ckstats second dropped 46 ckstats second truncated 23 - ######### sec_start @@ -248,7 +249,7 @@ sec_start QNUM=101 burst 60 'all$CNT.a9.tld2' -ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50 +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 50 $RNDCCMD $ns2 stats ckstats final dropped 56 @@ -258,32 +259,32 @@ ckstats final truncated 23 sec_start DIGOPTS="+nocookie +nosearch +time=1 +tries=1 +ignore -p ${PORT}" -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 -$DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 +$DIG $DIGOPTS @$ns4 A a7.tld4 >/dev/null 2>&1 # regression test for GL #2839 DIGOPTS="+bufsize=4096 +ignore -p ${PORT}" -$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1 +$DIG $DIGOPTS @$ns4 TXT big.tld4 >/dev/null 2>&1 -grep "would limit" ns4/named.run >/dev/null 2>&1 || -setret "\"would limit\" not found in log file." +grep "would limit" ns4/named.run >/dev/null 2>&1 \ + || setret "\"would limit\" not found in log file." -$NAMED -D rrl-ns5 -gc broken.conf > broken.out 2>&1 & +$NAMED -D rrl-ns5 -gc broken.conf >broken.out 2>&1 & sleep 2 -grep "min-table-size 1" broken.out > /dev/null || setret "min-table-size 0 was not changed to 1" +grep "min-table-size 1" broken.out >/dev/null || setret "min-table-size 0 was not changed to 1" if [ -f named.pid ]; then - kill $(cat named.pid) - setret "named should not have started, but did" + kill $(cat named.pid) + setret "named should not have started, but did" fi echo_i "exit status: $ret" diff --git a/bin/tests/system/rrsetorder/ns3/named.conf.in b/bin/tests/system/rrsetorder/ns3/named.conf.in index a5850ca..807fa37 100644 --- a/bin/tests/system/rrsetorder/ns3/named.conf.in +++ b/bin/tests/system/rrsetorder/ns3/named.conf.in @@ -34,5 +34,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rrsetorder/ns4/named.conf.in b/bin/tests/system/rrsetorder/ns4/named.conf.in index d12f50f..d5fc527 100644 --- a/bin/tests/system/rrsetorder/ns4/named.conf.in +++ b/bin/tests/system/rrsetorder/ns4/named.conf.in @@ -30,5 +30,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rrsetorder/ns5/named.conf.in b/bin/tests/system/rrsetorder/ns5/named.conf.in index d1a4cfa..c0836d3 100644 --- a/bin/tests/system/rrsetorder/ns5/named.conf.in +++ b/bin/tests/system/rrsetorder/ns5/named.conf.in @@ -26,5 +26,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh index cf8bbd1..844fefe 100644 --- a/bin/tests/system/rrsetorder/tests.sh +++ b/bin/tests/system/rrsetorder/tests.sh @@ -18,8 +18,8 @@ set -e DIGOPTS="+nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short +nocookie" dig_cmd() { - # shellcheck disable=SC2086 - "$DIG" $DIGOPTS -p "${PORT}" "$@" | grep -v '^;' + # shellcheck disable=SC2086 + "$DIG" $DIGOPTS -p "${PORT}" "$@" | grep -v '^;' } status=0 @@ -27,49 +27,47 @@ status=0 GOOD_RANDOM="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24" GOOD_RANDOM_NO=24 -if grep "^#define DNS_RDATASET_FIXED" "$TOP_BUILDDIR/config.h" > /dev/null 2>&1 ; then - test_fixed=true +if grep "^#define DNS_RDATASET_FIXED" "$TOP_BUILDDIR/config.h" >/dev/null 2>&1; then + test_fixed=true else - echo_i "Order 'fixed' disabled at compile time" - test_fixed=false + echo_i "Order 'fixed' disabled at compile time" + test_fixed=false fi # # # if $test_fixed; then - echo_i "Checking order fixed (primary)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.1 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (primary)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.1 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good >/dev/null || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "Checking order fixed behaves as cyclic when disabled (primary)" - ret=0 - matches=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 - do - j=$((i % 4)) - dig_cmd @10.53.0.1 fixed.example > dig.out.fixed || ret=1 - if [ $i -le 4 ]; then - cp dig.out.fixed dig.out.$j - else - diff dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1)) - fi - done - diff dig.out.0 dig.out.1 >/dev/null && ret=1 - diff dig.out.0 dig.out.2 >/dev/null && ret=1 - diff dig.out.0 dig.out.3 >/dev/null && ret=1 - diff dig.out.1 dig.out.2 >/dev/null && ret=1 - diff dig.out.1 dig.out.3 >/dev/null && ret=1 - diff dig.out.2 dig.out.3 >/dev/null && ret=1 - if [ $matches -ne 16 ]; then ret=1; fi - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + echo_i "Checking order fixed behaves as cyclic when disabled (primary)" + ret=0 + matches=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.1 fixed.example >dig.out.fixed || ret=1 + if [ $i -le 4 ]; then + cp dig.out.fixed dig.out.$j + else + diff dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1)) + fi + done + diff dig.out.0 dig.out.1 >/dev/null && ret=1 + diff dig.out.0 dig.out.2 >/dev/null && ret=1 + diff dig.out.0 dig.out.3 >/dev/null && ret=1 + diff dig.out.1 dig.out.2 >/dev/null && ret=1 + diff dig.out.1 dig.out.3 >/dev/null && ret=1 + diff dig.out.2 dig.out.3 >/dev/null && ret=1 + if [ $matches -ne 16 ]; then ret=1; fi + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # @@ -78,15 +76,14 @@ fi echo_i "Checking order cyclic (primary + additional)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.1 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -104,15 +101,14 @@ status=$((status + ret)) echo_i "Checking order cyclic (primary)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.1 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.1 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -125,25 +121,21 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "Checking order random (primary)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.1 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.1 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi @@ -153,14 +145,14 @@ status=$((status + ret)) echo_i "Checking order none (primary)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.1 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.1 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.1 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.1 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -169,15 +161,14 @@ status=$((status + ret)) # # if $test_fixed; then - echo_i "Checking order fixed (secondary)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.2 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (secondary)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.2 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # @@ -186,15 +177,14 @@ fi echo_i "Checking order cyclic (secondary + additional)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -212,15 +202,14 @@ status=$((status + ret)) echo_i "Checking order cyclic (secondary)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -234,25 +223,21 @@ status=$((status + ret)) echo_i "Checking order random (secondary)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.2 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi @@ -262,14 +247,14 @@ status=$((status + ret)) echo_i "Checking order none (secondary)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.2 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.2 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.2 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.2 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -280,10 +265,9 @@ stop_server ns2 echo_i "Checking for secondary's on disk copy of zone" -if [ ! -f ns2/root.bk ] -then - echo_i "failed"; - status=$((status + 1)) +if [ ! -f ns2/root.bk ]; then + echo_i "failed" + status=$((status + 1)) fi echo_i "Re-starting secondary" @@ -294,15 +278,14 @@ start_server --noclean --restart --port ${PORT} ns2 # # if $test_fixed; then - echo_i "Checking order fixed (secondary loaded from disk)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.2 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (secondary loaded from disk)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.2 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # @@ -311,15 +294,14 @@ fi echo_i "Checking order cyclic (secondary + additional, loaded from disk)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -337,15 +319,14 @@ status=$((status + ret)) echo_i "Checking order cyclic (secondary loaded from disk)" ret=0 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.2 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -359,25 +340,21 @@ status=$((status + ret)) echo_i "Checking order random (secondary loaded from disk)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.2 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi @@ -387,14 +364,14 @@ status=$((status + ret)) echo_i "Checking order none (secondary loaded from disk)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.2 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.2 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.2 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.2 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -403,15 +380,14 @@ status=$((status + ret)) # # if $test_fixed; then - echo_i "Checking order fixed (cache)" - ret=0 - for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 - do - dig_cmd @10.53.0.3 fixed.example > dig.out.fixed || ret=1 + echo_i "Checking order fixed (cache)" + ret=0 + for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do + dig_cmd @10.53.0.3 fixed.example >dig.out.fixed || ret=1 diff dig.out.fixed reference.dig.out.fixed.good || ret=1 - done - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) fi # @@ -420,17 +396,16 @@ fi echo_i "Checking order cyclic (cache + additional)" ret=0 # prime acache -dig_cmd @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 +dig_cmd @10.53.0.3 cyclic.example >dig.out.cyclic || ret=1 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j - else - diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.3 cyclic.example >dig.out.cyclic || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic dig.out.$j + else + diff dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -448,17 +423,16 @@ status=$((status + ret)) echo_i "Checking order cyclic (cache)" ret=0 # prime acache -dig_cmd @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 +dig_cmd @10.53.0.3 cyclic2.example >dig.out.cyclic2 || ret=1 matches=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 -do - j=$((i % 4)) - dig_cmd @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 - if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j - else - diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) - fi +for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do + j=$((i % 4)) + dig_cmd @10.53.0.3 cyclic2.example >dig.out.cyclic2 || ret=1 + if [ $i -le 4 ]; then + cp dig.out.cyclic2 dig.out.$j + else + diff dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done diff dig.out.0 dig.out.1 >/dev/null && ret=1 diff dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -472,25 +446,21 @@ status=$((status + ret)) echo_i "Checking order random (cache)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.3 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.3 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi @@ -500,39 +470,35 @@ status=$((status + ret)) echo_i "Checking order none (cache)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.3 none.example > dig.out.none || ret=1 +dig_cmd @10.53.0.3 none.example >dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.3 none.example > dig.out.test$i || ret=1 - diff dig.out.none dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.3 none.example >dig.out.test$i || ret=1 + diff dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "Checking default order (cache)" ret=0 -for i in $GOOD_RANDOM -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do - dig_cmd @10.53.0.5 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi +for i in $GOOD_RANDOM; do + eval match$i=0 +done +for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9; do + dig_cmd @10.53.0.5 random.example >dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM; do + eval "diff dig.out.random reference.dig.out.random.good$j >/dev/null && match$j=1 match=1 || true" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 -for i in $GOOD_RANDOM -do - eval "match=\$((match + match$i))" +for i in $GOOD_RANDOM; do + eval "match=\$((match + match$i))" done echo_i "Default selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi @@ -542,14 +508,14 @@ status=$((status + ret)) echo_i "Checking default order no match in rrset-order (cache)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. -dig_cmd @10.53.0.4 nomatch.example > dig.out.nomatch || ret=1 +dig_cmd @10.53.0.4 nomatch.example >dig.out.nomatch || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 + grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - dig_cmd @10.53.0.4 nomatch.example > dig.out.test$i || ret=1 - diff dig.out.nomatch dig.out.test$i >/dev/null || ret=1 + dig_cmd @10.53.0.4 nomatch.example >dig.out.test$i || ret=1 + diff dig.out.nomatch dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh index 8a2f6b9..a4242a3 100755 --- a/bin/tests/system/rsabigexponent/ns1/sign.sh +++ b/bin/tests/system/rsabigexponent/ns1/sign.sh @@ -21,12 +21,12 @@ cp ../ns2/dsset-example.in dsset-example. keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) -cat $infile $keyname.key > $zonefile +cat $infile $keyname.key >$zonefile -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds $keyname > trusted.conf +keyfile_to_static_ds $keyname >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf diff --git a/bin/tests/system/rsabigexponent/ns2/named.conf.in b/bin/tests/system/rsabigexponent/ns2/named.conf.in index c81b3f6..267daa6 100644 --- a/bin/tests/system/rsabigexponent/ns2/named.conf.in +++ b/bin/tests/system/rsabigexponent/ns2/named.conf.in @@ -28,7 +28,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh index 53e2257..9ecf6c3 100755 --- a/bin/tests/system/rsabigexponent/ns2/sign.sh +++ b/bin/tests/system/rsabigexponent/ns2/sign.sh @@ -18,11 +18,10 @@ infile=example.db.in outfile=example.db.bad for i in Xexample.+008+51650.key Xexample.+008+51650.private \ - Xexample.+008+52810.key Xexample.+008+52810.private -do - cp $i $(echo $i | sed s/X/K/) + Xexample.+008+52810.key Xexample.+008+52810.private; do + cp $i $(echo $i | sed s/X/K/) done $SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \ - $infile Kexample.+008+52810.key \ - > /dev/null 2> signer.err || true + $infile Kexample.+008+52810.key \ + >/dev/null 2>signer.err || true diff --git a/bin/tests/system/rsabigexponent/ns3/named.conf.in b/bin/tests/system/rsabigexponent/ns3/named.conf.in index bc63656..6504886 100644 --- a/bin/tests/system/rsabigexponent/ns3/named.conf.in +++ b/bin/tests/system/rsabigexponent/ns3/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/rsabigexponent/tests.sh b/bin/tests/system/rsabigexponent/tests.sh index 39ebd8a..5914695 100644 --- a/bin/tests/system/rsabigexponent/tests.sh +++ b/bin/tests/system/rsabigexponent/tests.sh @@ -21,36 +21,34 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" -for f in conf/good*.conf -do - echo_i "checking '$f'" - ret=0 - $CHECKCONF $f > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for f in conf/good*.conf; do + echo_i "checking '$f'" + ret=0 + $CHECKCONF $f >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for f in conf/bad*.conf -do - echo_i "checking '$f'" - ret=0 - $CHECKCONF $f > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for f in conf/bad*.conf; do + echo_i "checking '$f'" + ret=0 + $CHECKCONF $f >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "checking that RSA big exponent keys can't be loaded" ret=0 -grep "out of range" ns2/signer.err > /dev/null || ret=1 +grep "out of range" ns2/signer.err >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking that RSA big exponent signature can't validate" ret=0 -$DIG $DIGOPTS a.example @10.53.0.2 > dig.out.ns2 || ret=1 -$DIG $DIGOPTS a.example @10.53.0.3 > dig.out.ns3 || ret=1 -grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 -grep "status: SERVFAIL" dig.out.ns3 > /dev/null || ret=1 +$DIG $DIGOPTS a.example @10.53.0.2 >dig.out.ns2 || ret=1 +$DIG $DIGOPTS a.example @10.53.0.3 >dig.out.ns3 || ret=1 +grep "status: NOERROR" dig.out.ns2 >/dev/null || ret=1 +grep "status: SERVFAIL" dig.out.ns3 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh index 8e87c0f..c6d0485 100755 --- a/bin/tests/system/run.sh +++ b/bin/tests/system/run.sh @@ -17,11 +17,14 @@ # if [ -z "$1" ] || [ ! -d "$1" ]; then - echo "Usage: $0 system_test_dir [pytest_args]" - exit 2 + echo "Usage: $0 system_test_dir [pytest_args]" + exit 2 fi system_test_dir="$1" shift -(cd "$system_test_dir" || exit 2 ; /usr/bin/env python3 -m pytest "$@") +( + cd "$system_test_dir" || exit 2 + /usr/bin/env python3 -m pytest "$@" +) diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh index bbd072e..e4049d4 100755 --- a/bin/tests/system/runall.sh +++ b/bin/tests/system/runall.sh @@ -36,30 +36,30 @@ SYSTEMTEST_NO_CLEAN=${SYSTEMTEST_NO_CLEAN:-0} # Handle command line switches if present. while getopts "cn-" flag; do - case "$flag" in - c) SYSTEMTEST_FORCE_COLOR=1 ;; - n) SYSTEMTEST_NO_CLEAN=1 ;; - -) break;; - *) exit 1;; - esac + case "$flag" in + c) SYSTEMTEST_FORCE_COLOR=1 ;; + n) SYSTEMTEST_NO_CLEAN=1 ;; + -) break ;; + *) exit 1 ;; + esac done export NOCLEAN -shift $((OPTIND-1)) +shift $((OPTIND - 1)) # Obtain number of processes to use. if [ $# -eq 0 ]; then - numproc=1 + numproc=1 elif [ $# -eq 1 ]; then - if [ "$1" -ne "$1" ] 2>&1; then - # Value passed is not numeric - echo "$usage" >&2 - exit 1 - fi - numproc=$1 -else + if [ "$1" -ne "$1" ] 2>&1; then + # Value passed is not numeric echo "$usage" >&2 exit 1 + fi + numproc=$1 +else + echo "$usage" >&2 + exit 1 fi # Run the tests. @@ -70,30 +70,30 @@ export SYSTEMTEST_NO_CLEAN status=0 if [ "$NOPARALLEL" = "" ]; then - # use "make" to run tests in parallel. - make -j "$numproc" check - status=$? + # use "make" to run tests in parallel. + make -j "$numproc" check + status=$? else - # the NOPARALLEL environment variable indicates that tests must be - # run sequentially. - $PERL testsock.pl || { - cat <<-EOF + # the NOPARALLEL environment variable indicates that tests must be + # run sequentially. + $PERL testsock.pl || { + cat <<-EOF I:NOTE: System tests were skipped because they require the I: test IP addresses 10.53.0.* to be configured as alias I: addresses on the loopback interface. Please run I: "bin/tests/system/ifconfig.sh up" as root to configure them. EOF - exit 1 - } - ( - status=0 - for testdir in $SUBDIRS; do - $SHELL legacy.run.sh -r "$testdir" || status=1 - done - echo "$status" > systests.status - ) 2>&1 | tee "systests.output" - read -r status < systests.status - rm systests.status + exit 1 + } + ( + status=0 + for testdir in $SUBDIRS; do + $SHELL legacy.run.sh -r "$testdir" || status=1 + done + echo "$status" >systests.status + ) 2>&1 | tee "systests.output" + read -r status <systests.status + rm systests.status fi exit "$status" diff --git a/bin/tests/system/runsequential.sh b/bin/tests/system/runsequential.sh index 953bff0..8e18e03 100755 --- a/bin/tests/system/runsequential.sh +++ b/bin/tests/system/runsequential.sh @@ -20,7 +20,6 @@ . ./conf.sh -for d in $SEQUENTIALDIRS -do - $SHELL legacy.run.sh "${@}" "$d" 2>&1 | tee "test.output.$d" +for d in $SEQUENTIALDIRS; do + $SHELL legacy.run.sh "${@}" "$d" 2>&1 | tee "test.output.$d" done diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh index 6fd428e..ca2299b 100644 --- a/bin/tests/system/runtime/tests.sh +++ b/bin/tests/system/runtime/tests.sh @@ -16,198 +16,199 @@ set -e # shellcheck source=conf.sh . ../conf.sh -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" NAMED_DEFAULT_ARGS="-m record -d 99 -g -U 4" kill_named() { - pidfile="${1}" - if [ ! -r "${pidfile}" ]; then - return 1 - fi - - pid=$(cat "${pidfile}" 2>/dev/null) - if [ "${pid:+set}" = "set" ]; then - kill -15 "${pid}" >/dev/null 2>&1 - retries=10 - while [ "$retries" -gt 0 ]; do - if ! kill -0 "${pid}" >/dev/null 2>&1; then - break - fi - sleep 1 - retries=$((retries-1)) - done - # Timed-out - if [ "$retries" -eq 0 ]; then - echo_i "failed to kill named ($pidfile)" - return 1 - fi - fi - rm -f "${pidfile}" - return 0 + pidfile="${1}" + if [ ! -r "${pidfile}" ]; then + return 1 + fi + + pid=$(cat "${pidfile}" 2>/dev/null) + if [ "${pid:+set}" = "set" ]; then + kill -15 "${pid}" >/dev/null 2>&1 + retries=10 + while [ "$retries" -gt 0 ]; do + if ! kill -0 "${pid}" >/dev/null 2>&1; then + break + fi + sleep 1 + retries=$((retries - 1)) + done + # Timed-out + if [ "$retries" -eq 0 ]; then + echo_i "failed to kill named ($pidfile)" + return 1 + fi + fi + rm -f "${pidfile}" + return 0 } check_named_log() { - grep "$@" >/dev/null 2>&1 + grep "$@" >/dev/null 2>&1 } run_named() ( - dir="$1" - shift - run="$1" - shift - if cd "$dir" > /dev/null 2>&1 - then - "${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >> "$run" 2>&1 & - echo $! - fi + dir="$1" + shift + run="$1" + shift + if cd "$dir" >/dev/null 2>&1; then + "${NAMED}" "$@" ${NAMED_DEFAULT_ARGS} >>"$run" 2>&1 & + echo $! + fi ) check_pid() ( - return $(! kill -0 "${1}" >/dev/null 2>&1) + return $(! kill -0 "${1}" >/dev/null 2>&1) ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that named started normally ($n)" ret=0 [ -s ns2/named.pid ] || ret=1 -grep "unable to listen on any configured interface" ns2/named.run > /dev/null && ret=1 -grep "another named process" ns2/named.run > /dev/null && ret=1 +grep "unable to listen on any configured interface" ns2/named.run >/dev/null && ret=1 +grep "another named process" ns2/named.run >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that named checks for conflicting named processes ($n)" ret=0 +test -f ns2/named.lock || ret=1 testpid=$(run_named ns2 named$n.run -c named-alt2.conf -D runtime-ns2-extra-2 -X named.lock) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "another named process" ns2/named$n.run || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 -test -n "$testpid" && kill -15 $testpid > kill$n.out 2>&1 && ret=1 +test -n "$testpid" && kill -15 $testpid >kill$n.out 2>&1 && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +test -f ns2/named.lock || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that 'lock-file none' disables process check ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3) test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep "another named process" ns2/named$n.run > /dev/null && ret=1 +grep "another named process" ns2/named$n.run >/dev/null && ret=1 kill_named ns2/named-alt3.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to reconfigure if working directory is not writable ($n)" ret=0 copy_setports ns2/named-alt4.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 -grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n >/dev/null 2>&1 || ret=1 sleep 1 -grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +grep "[^-]directory './nope' is not writable" ns2/named.run >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)" ret=0 copy_setports ns2/named-alt5.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 -grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n >/dev/null 2>&1 || ret=1 sleep 1 -grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +grep "managed-keys-directory './nope' is not writable" ns2/named.run >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to reconfigure if new-zones-directory is not writable ($n)" ret=0 copy_setports ns2/named-alt6.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 && ret=1 -grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 && ret=1 +grep "failed: permission denied" rndc.out.$n >/dev/null 2>&1 || ret=1 sleep 1 -grep "new-zones-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +grep "new-zones-directory './nope' is not writable" ns2/named.run >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named recovers when configuration file is valid again ($n)" ret=0 copy_setports ns2/named1.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reconfig > rndc.out.$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.2 reconfig >rndc.out.$n 2>&1 || ret=1 [ -s ns2/named.pid ] || ret=1 kill_named ns2/named.pid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to start if working directory is not writable ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt4.conf -D runtime-ns2-extra-4) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 -grep "[^-]directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +grep "[^-]directory './nope' is not writable" ns2/named$n.run >/dev/null 2>&1 || ret=1 kill_named ns2/named.pid && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to start if managed-keys-directory is not writable ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D runtime-ns2-extra-5) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 -grep "managed-keys-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +grep "managed-keys-directory './nope' is not writable" ns2/named$n.run >/dev/null 2>&1 || ret=1 kill_named named.pid && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named refuses to start if new-zones-directory is not writable ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt6.conf -D runtime-ns2-extra-6) test -n "$testpid" || ret=1 retry_quiet 10 check_named_log "exiting (due to fatal error)" ns2/named$n.run || ret=1 -grep "new-zones-directory './nope' is not writable" ns2/named$n.run > /dev/null 2>&1 || ret=1 +grep "new-zones-directory './nope' is not writable" ns2/named$n.run >/dev/null 2>&1 || ret=1 kill_named ns2/named.pid && ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named logs control characters in octal notation ($n)" ret=0 INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1 +grep 'running as.*\\177\\033' ns2/named$n.run >/dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named escapes special characters in the logs ($n)" ret=0 INSTANCE_NAME="runtime-ns2-extra-8-$;" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1 +grep 'running as.*\\$\\;' ns2/named$n.run >/dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking that named logs an ellipsis when the command line is larger than 8k bytes ($n)" ret=0 LONG_CMD_LINE=$(cat long-cmd-line) @@ -215,37 +216,40 @@ LONG_CMD_LINE=$(cat long-cmd-line) testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf") test -n "$testpid" || ret=1 retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 -grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1 +grep "running as.*\.\.\.$" ns2/named$n.run >/dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verifying that named switches UID ($n)" if [ "$(id -u)" -eq 0 ]; then - ret=0 - { TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX"); rc=$?; } || true - if [ "$rc" -eq 0 ]; then - copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf" - chown -R nobody: "${TEMP_NAMED_DIR}" - chmod 0700 "${TEMP_NAMED_DIR}" - testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf) - test -n "$testpid" || ret=1 - retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 - [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1 - grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1 - kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1 - test -n "$testpid" || ret=1 - test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 - else - echo_i "mktemp failed" - ret=1 - fi - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + ret=0 + { + TEMP_NAMED_DIR=$(mktemp -d "$(pwd)/ns2/tmp.XXXXXXXX") + rc=$? + } || true + if [ "$rc" -eq 0 ]; then + copy_setports ns2/named-alt9.conf.in "${TEMP_NAMED_DIR}/named-alt9.conf" + chown -R nobody: "${TEMP_NAMED_DIR}" + chmod 0700 "${TEMP_NAMED_DIR}" + testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf) + test -n "$testpid" || ret=1 + retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 + [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1 + grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" >/dev/null && ret=1 + kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1 + test -n "$testpid" || ret=1 + test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 + else + echo_i "mktemp failed" + ret=1 + fi + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "skipped, not running as root or running on Windows" + echo_i "skipped, not running as root or running on Windows" fi echo_i "exit status: $status" diff --git a/bin/tests/system/serve-stale/ns1/root.db b/bin/tests/system/serve-stale/ns1/root.db index aef8e31..e36f2b0 100644 --- a/bin/tests/system/serve-stale/ns1/root.db +++ b/bin/tests/system/serve-stale/ns1/root.db @@ -16,3 +16,5 @@ example. 300 NS ns.example. ns.example. 300 A 10.53.0.2 slow. 300 NS ns.slow. ns.slow. 300 A 10.53.0.2 +stale. 300 NS ns.stale. +ns.stale. 300 A 10.53.0.6 diff --git a/bin/tests/system/serve-stale/ns3/named.conf.in b/bin/tests/system/serve-stale/ns3/named.conf.in new file mode 100644 index 0000000..d5f4751 --- /dev/null +++ b/bin/tests/system/serve-stale/ns3/named.conf.in @@ -0,0 +1,51 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation no; + qname-minimization off; + + stale-answer-enable yes; + stale-cache-enable yes; + stale-refresh-time 30; + stale-answer-client-timeout 1800; + max-cache-ttl 24h; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "serve.stale" IN { + type primary; + notify no; + file "serve.stale.db"; +}; diff --git a/bin/tests/system/serve-stale/ns3/serve.stale.db b/bin/tests/system/serve-stale/ns3/serve.stale.db new file mode 100644 index 0000000..704f451 --- /dev/null +++ b/bin/tests/system/serve-stale/ns3/serve.stale.db @@ -0,0 +1,18 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +serve.stale. IN SOA ns.serve.stale. matthijs.isc.org. 1 0 0 0 0 +serve.stale. IN NS ns.serve.stale. +ns.serve.stale. IN A 10.53.0.6 + +$ORIGIN serve.stale. +test IN NS nss1.example.nxd. +test IN NS nss2.example.nxd. diff --git a/bin/tests/system/serve-stale/ns6/named.conf.in b/bin/tests/system/serve-stale/ns6/named.conf.in new file mode 100644 index 0000000..15f5dd6 --- /dev/null +++ b/bin/tests/system/serve-stale/ns6/named.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion no; +}; + +zone "stale" IN { + type primary; + notify no; + file "stale.db"; +}; + +zone "serve.stale" IN { + type primary; + notify no; + file "serve.stale.db"; +}; diff --git a/bin/tests/system/serve-stale/ns6/serve.stale.db b/bin/tests/system/serve-stale/ns6/serve.stale.db new file mode 100644 index 0000000..2b17c68 --- /dev/null +++ b/bin/tests/system/serve-stale/ns6/serve.stale.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +serve.stale. IN SOA ns.serve.stale. matthijs.isc.org. 1 0 0 0 0 +serve.stale. IN NS ns.serve.stale. +ns.serve.stale. IN A 10.53.0.6 + +test IN TXT "Oops, I did it again" diff --git a/bin/tests/system/serve-stale/ns6/stale.db b/bin/tests/system/serve-stale/ns6/stale.db new file mode 100644 index 0000000..4ae0068 --- /dev/null +++ b/bin/tests/system/serve-stale/ns6/stale.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +stale. IN SOA ns.stale. matthijs.isc.org. 1 0 0 0 0 +stale. IN NS ns.stale. +ns.stale. IN A 10.53.0.6 + +serve.stale. IN NS ns.serve.stale. +ns.serve.stale. IN A 10.53.0.6 diff --git a/bin/tests/system/serve-stale/prereq.sh b/bin/tests/system/serve-stale/prereq.sh new file mode 100644 index 0000000..7411c8a --- /dev/null +++ b/bin/tests/system/serve-stale/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MTime::HiRes -e ''; then + echo_i "perl Time::HiRes module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/serve-stale/setup.sh b/bin/tests/system/serve-stale/setup.sh index 0a0dc47..42e1ac8 100644 --- a/bin/tests/system/serve-stale/setup.sh +++ b/bin/tests/system/serve-stale/setup.sh @@ -16,6 +16,7 @@ $SHELL clean.sh copy_setports ns1/named1.conf.in ns1/named.conf -copy_setports ns3/named1.conf.in ns3/named.conf +copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf +copy_setports ns6/named.conf.in ns6/named.conf diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh index 8c5ce84..a12a006 100755 --- a/bin/tests/system/serve-stale/tests.sh +++ b/bin/tests/system/serve-stale/tests.sh @@ -15,7 +15,7 @@ set -e . ../conf.sh -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" DIG="$DIG +time=12 +tries=1" max_stale_ttl=$(sed -ne 's,^[[:space:]]*max-stale-ttl \([[:digit:]]*\).*,\1,p' $TOP_SRCDIR/bin/named/config.c) @@ -29,84 +29,84 @@ n=0 # echo_i "test server with serve-stale options set" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache longttl.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache othertype.example CAA ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nxdomain.example TXT ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify prime cache statistics ($n)" ret=0 rm -f ns1/named.stats -$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1 [ -f ns1/named.stats ] || ret=1 cp ns1/named.stats ns1/named.stats.$n # Check first 10 lines of Cache DB statistics. After prime queries, we expect # two active TXT, one active Others, one nxrrset TXT, and one NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 -grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1 +grep "1 Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "2 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 !TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 @@ -115,87 +115,87 @@ sleep 2 # stale for somewhere between 3500-3599 seconds. echo_i "check rndc dump stale data.example ($n)" rndc_dumpdb ns1 || ret=1 -awk '/; stale/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n | - grep "; stale data\.example.*3[56]...*TXT.*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1 +awk '/; stale/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n \ + | grep "; stale data\.example.*3[56]...*TXT.*A text record with a 2 second ttl" >/dev/null 2>&1 || ret=1 # Also make sure the not expired data does not have a stale comment. -awk '/; authanswer/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n | - grep "; authanswer longttl\.example.*[56]...*TXT.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1 +awk '/; authanswer/ { x=$0; getline; print x, $0}' ns1/named_dump.db.test$n \ + | grep "; authanswer longttl\.example.*[56]...*TXT.*A text record with a 600 second ttl" >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+5))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+4)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+5)) & +echo_i "sending queries for tests $((n + 1))-$((n + 5))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 4)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 5)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check non-stale longttl.example TXT ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "longttl\.example\..*59[0-9].*IN.*TXT.*A text record with a 600 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "longttl\.example\..*59[0-9].*IN.*TXT.*A text record with a 600 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify stale cache statistics ($n)" ret=0 rm -f ns1/named.stats -$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1 [ -f ns1/named.stats ] || ret=1 cp ns1/named.stats ns1/named.stats.$n # Check first 10 lines of Cache DB statistics. After serve-stale queries, we # expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one # stale NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 -grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1 +grep "1 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #!TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi # Test stale-refresh-time when serve-stale is enabled via configuration. @@ -209,292 +209,315 @@ if [ $ret != 0 ]; then echo_i "failed"; fi # 7. Query data.example # 8. Check if response come from stale rrset, since the query # is still within stale-refresh-time window. -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 1-3 done above. # Step 4. -n=$((n+1)) +n=$((n + 1)) echo_i "sending query for test ($n)" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n # Step 5. echo_i "check stale data.example TXT (stale-refresh-time) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 6. -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 7. -echo_i "sending query for test $((n+1))" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) +echo_i "sending query for test $((n + 1))" +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) # Step 8. -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT comes from cache (stale-refresh-time) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) + +# +# Test interaction with local zone +# + +n=$((n + 1)) +echo_i "check that serve-stale does not recurse for local authoritative zone ($n)" +ret=0 + +num=0 +threshold=10 +while [ $num -lt $threshold ]; do + + echo_i "dig test.serve.stale TXT ($n)" + $DIG -p ${PORT} @10.53.0.3 test.serve.stale TXT >dig.out.test$n.$num + grep "status: SERVFAIL" dig.out.test$n.$num >/dev/null || ret=1 + if [ $ret != 0 ]; then num=$threshold; fi + + sleep 1 + num=$((num + 1)) +done +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) # # Test disabling serve-stale via rndc. # -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns1/named.conf ($n)" ret=0 copy_setports ns1/named2.conf.in ns1/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns1 10.53.0.1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale off' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale off || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (serve-stale off) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Test enabling serve-stale via rndc. # -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale on' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale on || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (serve-stale on) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (serve-stale on) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (serve-stale on) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (serve-stale on) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale off' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale off || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale reset' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale reset || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (serve-stale reset) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (serve-stale reset) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype.example\..*4.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (serve-stale reset) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*4.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*4.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (serve-stale reset) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale off' ($n)" ret=0 $RNDCCMD 10.53.0.1 serve-stale off || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=4 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Update named.conf. @@ -502,200 +525,200 @@ status=$((status+ret)) # echo_i "test server with serve-stale options set, low max-stale-ttl" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns1/named.conf ($n)" ret=0 copy_setports ns1/named3.conf.in ns1/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns1 10.53.0.1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers disabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache, re-enable serve-stale and query again ($n)" ret=0 -$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 -$RNDCCMD 10.53.0.1 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 +$RNDCCMD 10.53.0.1 serve-stale on >rndc.out.test$n.2 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache longttl.example TXT (low max-stale-ttl) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 longttl.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 longttl.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (low max-stale-ttl) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache othertype.example CAA (low max-stale-ttl) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (low max-stale-ttl) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nxdomain.example TXT (low max-stale-ttl) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Keep track of time so we can access these RRset later, when we expect them # to become ancient. t1=$($PERL -e 'print time()') -n=$((n+1)) +n=$((n + 1)) echo_i "verify prime cache statistics (low max-stale-ttl) ($n)" ret=0 rm -f ns1/named.stats -$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1 [ -f ns1/named.stats ] || ret=1 cp ns1/named.stats ns1/named.stats.$n # Check first 10 lines of Cache DB statistics. After prime queries, we expect # two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 -grep "2 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 !TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1 +grep "2 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 !TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 NXDOMAIN" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (low max-stale-ttl) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (low max-stale-ttl) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*3.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*3.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (low max-stale-ttl) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*3.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (low max-stale-ttl) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify stale cache statistics (low max-stale-ttl) ($n)" ret=0 rm -f ns1/named.stats -$RNDCCMD 10.53.0.1 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.1 stats >/dev/null 2>&1 [ -f ns1/named.stats ] || ret=1 cp ns1/named.stats ns1/named.stats.$n # Check first 10 lines of Cache DB statistics. After serve-stale queries, we # expect one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one # stale NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n > ns1/named.stats.$n.cachedb || ret=1 -grep "1 TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #Others" ns1/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #!TXT" ns1/named.stats.$n.cachedb > /dev/null || ret=1 +grep -A 10 "++ Cache DB RRsets ++" ns1/named.stats.$n >ns1/named.stats.$n.cachedb || ret=1 +grep "1 TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #Others" ns1/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #!TXT" ns1/named.stats.$n.cachedb >/dev/null || ret=1 -status=$((status+ret)) +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi # Retrieve max-stale-ttl value. -interval_to_ancient=$(grep 'max-stale-ttl' ns1/named3.conf.in | awk '{ print $2 }' | tr -d ';') +interval_to_ancient=$(grep 'max-stale-ttl' ns1/named3.conf.in | awk '{ print $2 }' | tr -d ';') # We add 2 seconds to it since this is the ttl value of the records being # tested. interval_to_ancient=$((interval_to_ancient + 2)) @@ -705,52 +728,52 @@ elapsed=$((t2 - t1)) # If elapsed time so far is less than max-stale-ttl + 2 seconds, then we sleep # enough to ensure that we'll ask for ancient RRsets in the next queries. if [ $elapsed -lt $interval_to_ancient ]; then - sleep $((interval_to_ancient - elapsed)) + sleep $((interval_to_ancient - elapsed)) fi -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.1 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.1 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.1 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.1 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.1 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check ancient data.example TXT (low max-stale-ttl) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check ancient othertype.example CAA (low max-stale-ttl) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check ancient nodata.example TXT (low max-stale-ttl) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check ancient nxdomain.example TXT (low max-stale-ttl) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Test stale-refresh-time when serve-stale is enabled via rndc. # Steps for testing stale-refresh-time option (default). @@ -763,87 +786,87 @@ status=$((status+ret)) # 7. Query data.example # 8. Check if response come from stale rrset, since the query # is within stale-refresh-time window. -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache, enable responses from authoritative server ($n)" ret=0 -$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=30)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 1. -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-refresh-time rndc) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 2. -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 3. sleep 2 # Step 4. -n=$((n+1)) +n=$((n + 1)) echo_i "sending query for test ($n)" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n # Step 5. echo_i "check stale data.example TXT (stale-refresh-time rndc) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 6. -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 7. -echo_i "sending query for test $((n+1))" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) +echo_i "sending query for test $((n + 1))" +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) # Step 8. -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT comes from cache (stale-refresh-time rndc) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Steps for testing stale-refresh-time option (disabled). # 1. Prime cache data.example txt @@ -855,519 +878,530 @@ status=$((status+ret)) # 7. Query data.example # 8. Check if response come from stale rrset, since the query # is within stale-refresh-time window. -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns1/named.conf ($n)" ret=0 copy_setports ns1/named4.conf.in ns1/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns1 10.53.0.1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.1 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=20 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache, enable responses from authoritative server ($n)" ret=0 -$RNDCCMD 10.53.0.1 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.1 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 1. -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-refresh-time disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 2. -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 3. sleep 2 # Step 4. -n=$((n+1)) +n=$((n + 1)) echo_i "sending query for test ($n)" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$n +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$n # Step 5. echo_i "check stale data.example TXT (stale-refresh-time disabled) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 6. -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Step 7. -echo_i "sending query for test $((n+1))" -$DIG -p ${PORT} @10.53.0.1 data.example TXT > dig.out.test$((n+1)) +echo_i "sending query for test $((n + 1))" +$DIG -p ${PORT} @10.53.0.1 data.example TXT >dig.out.test$((n + 1)) # Step 8. -n=$((n+1)) +n=$((n + 1)) echo_i "check data.example TXT comes from authoritative (stale-refresh-time disabled) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Now test server with no serve-stale options set. # echo_i "test server with no serve-stale options set" -n=$((n+1)) +n=$((n + 1)) +echo_i "updating ns3/named.conf ($n)" +ret=0 +copy_setports ns3/named1.conf.in ns3/named.conf +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "restart ns3" +stop_server --use-rndc --port ${CONTROLPORT} ns3 +start_server --noclean --restart --port ${PORT} ns3 + +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache longttl.example TXT (max-stale-ttl default) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 longttl.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 longttl.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (max-stale-ttl default) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache othertype.example CAA (max-stale-ttl default) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (max-stale-ttl default) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nxdomain.example TXT (max-stale-ttl default) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify prime cache statistics (max-stale-ttl default) ($n)" ret=0 rm -f ns3/named.stats -$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 stats >/dev/null 2>&1 [ -f ns3/named.stats ] || ret=1 cp ns3/named.stats ns3/named.stats.$n # Check first 10 lines of Cache DB statistics. After prime queries, we expect # two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1 -grep "2 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 !TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 NXDOMAIN" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n >ns3/named.stats.$n.cachedb || ret=1 +grep "2 TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 Others" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 !TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 NXDOMAIN" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of data.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of othertype.example CAA (max-stale-ttl default) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of nodata.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of nxdomain.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify stale cache statistics (max-stale-ttl default) ($n)" ret=0 rm -f ns3/named.stats -$RNDCCMD 10.53.0.3 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.3 stats >/dev/null 2>&1 [ -f ns3/named.stats ] || ret=1 cp ns3/named.stats ns3/named.stats.$n # Check first 10 lines of Cache DB statistics. After last queries, we expect # one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale # NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n > ns3/named.stats.$n.cachedb || ret=1 -grep "1 TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #Others" ns3/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #!TXT" ns3/named.stats.$n.cachedb > /dev/null || ret=1 +grep -A 10 "++ Cache DB RRsets ++" ns3/named.stats.$n >ns3/named.stats.$n.cachedb || ret=1 +grep "1 TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #Others" ns3/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #!TXT" ns3/named.stats.$n.cachedb >/dev/null || ret=1 -status=$((status+ret)) +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale on' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 serve-stale on >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep "_default: stale cache enabled; stale answers enabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep "_default: stale cache enabled; stale answers enabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 # Check that if we don't have stale data for a domain name, we will # not answer anything until the resolver query timeout. -n=$((n+1)) +n=$((n + 1)) echo_i "check notincache.example TXT times out (max-stale-ttl default) ($n)" ret=0 -$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 notfound.example TXT > dig.out.test$n 2>&1 && ret=1 -grep "timed out" dig.out.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 notfound.example TXT >dig.out.test$n 2>&1 && ret=1 +grep "timed out" dig.out.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) & -$DIG -p ${PORT} @10.53.0.3 notfound.example TXT > dig.out.test$((n+5)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$((n + 4)) & +$DIG -p ${PORT} @10.53.0.3 notfound.example TXT >dig.out.test$((n + 5)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check data.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*30.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*30.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check othertype.example CAA (max-stale-ttl default) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "example\..*30.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "example\..*30.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check nodata.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*30.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check nxdomain.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The notfound.example check is different than nxdomain.example because # we didn't send a prime query to add notfound.example to the cache. -n=$((n+1)) +n=$((n + 1)) echo_i "check notfound.example TXT (max-stale-ttl default) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # Now test server with serve-stale answers disabled. # echo_i "test server with serve-stale disabled" -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache longttl.example TTL (serve-stale answers disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.4 longttl.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.4 longttl.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TTL (serve-stale answers disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.4 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache othertype.example CAA (serve-stale answers disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.4 othertype.example CAA >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (serve-stale answers disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.4 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nxdomain.example TXT (serve-stale answers disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify prime cache statistics (serve-stale answers disabled) ($n)" ret=0 rm -f ns4/named.stats -$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.4 stats >/dev/null 2>&1 [ -f ns4/named.stats ] || ret=1 cp ns4/named.stats ns4/named.stats.$n # Check first 10 lines of Cache DB statistics. After prime queries, we expect # two active TXT RRsets, one active Others, one nxrrset TXT, and one NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1 -grep "2 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 !TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n >ns4/named.stats.$n.cachedb || ret=1 +grep "2 TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 Others" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 !TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 NXDOMAIN" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.4 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.4 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep "_default: stale cache enabled; stale answers disabled (stale-answer-ttl=$stale_answer_ttl max-stale-ttl=$max_stale_ttl stale-refresh-time=30)" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.4 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.4 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.4 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.4 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.4 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.4 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.4 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of data.example TXT (serve-stale answers disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of othertype.example TXT (serve-stale answers disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of nodata.example TXT (serve-stale answers disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of nxdomain.example TXT (serve-stale answers disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify stale cache statistics (serve-stale answers disabled) ($n)" ret=0 rm -f ns4/named.stats -$RNDCCMD 10.53.0.4 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.4 stats >/dev/null 2>&1 [ -f ns4/named.stats ] || ret=1 cp ns4/named.stats ns4/named.stats.$n # Check first 10 lines of Cache DB statistics. After last queries, we expect # one active TXT RRset, one stale TXT, one stale nxrrset TXT, and one stale # NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1 -grep "1 TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #Others" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 #!TXT" ns4/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n >ns4/named.stats.$n.cachedb || ret=1 +grep "1 TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #Others" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 #!TXT" ns4/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi # Dump the cache. -n=$((n+1)) +n=$((n + 1)) echo_i "dump the cache (serve-stale answers disabled) ($n)" ret=0 rndc_dumpdb ns4 -cache || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "stop ns4" stop_server --use-rndc --port ${CONTROLPORT} ns4 @@ -1383,15 +1417,15 @@ LASTWEEK=$(TZ=UTC perl -e 'my $now = time(); echo_i "mock the cache date to $LASTWEEK (serve-stale answers disabled) ($n)" ret=0 -sed -E "s/DATE [0-9]{14}/DATE $LASTWEEK/g" ns4/named_dump.db.test$n > ns4/named_dump.db.out || ret=1 +sed -E "s/DATE [0-9]{14}/DATE $LASTWEEK/g" ns4/named_dump.db.test$n >ns4/named_dump.db.out || ret=1 cp ns4/named_dump.db.out ns4/named_dump.db if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "start ns4" start_server --noclean --restart --port ${PORT} ns4 -n=$((n+1)) +n=$((n + 1)) echo_i "verify ancient cache statistics (serve-stale answers disabled) ($n)" ret=0 rm -f ns4/named.stats @@ -1400,12 +1434,12 @@ $RNDCCMD 10.53.0.4 stats #> /dev/null 2>&1 cp ns4/named.stats ns4/named.stats.$n # Check first 10 lines of Cache DB statistics. After last queries, we expect # everything to be removed or scheduled to be removed. -grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n > ns4/named.stats.$n.cachedb || ret=1 -grep "#TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1 -grep "#Others" ns4/named.stats.$n.cachedb > /dev/null && ret=1 -grep "#!TXT" ns4/named.stats.$n.cachedb > /dev/null && ret=1 -grep "#NXDOMAIN" ns4/named.stats.$n.cachedb > /dev/null && ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns4/named.stats.$n >ns4/named.stats.$n.cachedb || ret=1 +grep "#TXT" ns4/named.stats.$n.cachedb >/dev/null && ret=1 +grep "#Others" ns4/named.stats.$n.cachedb >/dev/null && ret=1 +grep "#!TXT" ns4/named.stats.$n.cachedb >/dev/null && ret=1 +grep "#NXDOMAIN" ns4/named.stats.$n.cachedb >/dev/null && ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi # @@ -1413,199 +1447,199 @@ if [ $ret != 0 ]; then echo_i "failed"; fi # echo_i "test server with serve-stale cache disabled" -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache longttl.example TXT (serve-stale cache disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.5 longttl.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.5 longttl.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (serve-stale cache disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.5 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache othertype.example CAA (serve-stale cache disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.5 othertype.example CAA >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "othertype\.example\..*2.*IN.*CAA.*0.*issue" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (serve-stale cache disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.5 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nxdomain.example TXT (serve-stale cache disabled) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*2.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*2.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify prime cache statistics (serve-stale cache disabled) ($n)" ret=0 rm -f ns5/named.stats -$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.5 stats >/dev/null 2>&1 [ -f ns5/named.stats ] || ret=1 cp ns5/named.stats ns5/named.stats.$n # Check first 10 lines of Cache DB statistics. After serve-stale queries, # we expect two active TXT RRsets, one active Others, one nxrrset TXT, and # one NXDOMAIN. -grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1 -grep "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1 -grep "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n >ns5/named.stats.$n.cachedb || ret=1 +grep "2 TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 Others" ns5/named.stats.$n.cachedb >/dev/null || ret=1 +grep "1 !TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.5 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep "_default: stale cache disabled; stale answers unavailable" rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.5 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep "_default: stale cache disabled; stale answers unavailable" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) sleep 2 -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.5 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.5 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.5 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.5 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.5 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.5 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.5 nxdomain.example TXT >dig.out.test$((n + 4)) & wait -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of data.example TXT (serve-stale cache disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of othertype.example CAA (serve-stale cache disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of nodata.example TXT (serve-stale cache disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check fail of nxdomain.example TXT (serve-stale cache disabled) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "verify stale cache statistics (serve-stale cache disabled) ($n)" ret=0 rm -f ns5/named.stats -$RNDCCMD 10.53.0.5 stats > /dev/null 2>&1 +$RNDCCMD 10.53.0.5 stats >/dev/null 2>&1 [ -f ns5/named.stats ] || ret=1 cp ns5/named.stats ns5/named.stats.$n # Check first 10 lines of Cache DB statistics. After serve-stale queries, # we expect one active TXT (longttl) and the rest to be expired from cache, # but since we keep everything for 5 minutes (RBTDB_VIRTUAL) in the cache # after expiry, they still show up in the stats. -grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1 -grep -F "1 Others" ns5/named.stats.$n.cachedb > /dev/null || ret=1 -grep -F "2 TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1 -grep -F "1 !TXT" ns5/named.stats.$n.cachedb > /dev/null || ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n >ns5/named.stats.$n.cachedb || ret=1 +grep -F "1 Others" ns5/named.stats.$n.cachedb >/dev/null || ret=1 +grep -F "2 TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1 +grep -F "1 !TXT" ns5/named.stats.$n.cachedb >/dev/null || ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi # Dump the cache. -n=$((n+1)) +n=$((n + 1)) echo_i "dump the cache (serve-stale cache disabled) ($n)" ret=0 rndc_dumpdb ns5 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Check that expired records are not dumped. ret=0 grep "; expired since .* (awaiting cleanup)" ns5/named_dump.db.test$n && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Dump the cache including expired entries. -n=$((n+1)) +n=$((n + 1)) echo_i "dump the cache including expired entries (serve-stale cache disabled) ($n)" ret=0 rndc_dumpdb ns5 -expired || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Check that expired records are dumped. echo_i "check rndc dump expired data.example ($n)" ret=0 -awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n | - grep "; expired since .* (awaiting cleanup) data\.example\..*A text record with a 2 second ttl" > /dev/null 2>&1 || ret=1 -awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n | - grep "; expired since .* (awaiting cleanup) nodata\.example\." > /dev/null 2>&1 || ret=1 -awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n | - grep "; expired since .* (awaiting cleanup) nxdomain\.example\." > /dev/null 2>&1 || ret=1 -awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n | - grep "; expired since .* (awaiting cleanup) othertype\.example\." > /dev/null 2>&1 || ret=1 +awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \ + | grep "; expired since .* (awaiting cleanup) data\.example\..*A text record with a 2 second ttl" >/dev/null 2>&1 || ret=1 +awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \ + | grep "; expired since .* (awaiting cleanup) nodata\.example\." >/dev/null 2>&1 || ret=1 +awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \ + | grep "; expired since .* (awaiting cleanup) nxdomain\.example\." >/dev/null 2>&1 || ret=1 +awk '/; expired/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \ + | grep "; expired since .* (awaiting cleanup) othertype\.example\." >/dev/null 2>&1 || ret=1 # Also make sure the not expired data does not have an expired comment. -awk '/; authanswer/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n | - grep "; authanswer longttl\.example.*A text record with a 600 second ttl" > /dev/null 2>&1 || ret=1 +awk '/; authanswer/ { x=$0; getline; print x, $0}' ns5/named_dump.db.test$n \ + | grep "; authanswer longttl\.example.*A text record with a 600 second ttl" >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "stop ns5" stop_server --use-rndc --port ${CONTROLPORT} ns5 @@ -1617,18 +1651,18 @@ FIVEMINUTESAGO=$(TZ=UTC perl -e 'my $now = time(); my ($s, $m, $h, $d, $mo, $y) = (localtime($fiveMinutesAgo))[0, 1, 2, 3, 4, 5]; printf("%04d%02d%02d%02d%02d%02d", $y+1900, $mo+1, $d, $h, $m, $s);') -n=$((n+1)) +n=$((n + 1)) echo_i "mock the cache date to $FIVEMINUTESAGO (serve-stale cache disabled) ($n)" ret=0 -sed -E "s/DATE [0-9]{14}/DATE $FIVEMINUTESAGO/g" ns5/named_dump.db > ns5/named_dump.db.out || ret=1 +sed -E "s/DATE [0-9]{14}/DATE $FIVEMINUTESAGO/g" ns5/named_dump.db >ns5/named_dump.db.out || ret=1 cp ns5/named_dump.db.out ns5/named_dump.db if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "start ns5" start_server --noclean --restart --port ${PORT} ns5 -n=$((n+1)) +n=$((n + 1)) echo_i "verify ancient cache statistics (serve-stale cache disabled) ($n)" ret=0 rm -f ns5/named.stats @@ -1637,11 +1671,11 @@ $RNDCCMD 10.53.0.5 stats #> /dev/null 2>&1 cp ns5/named.stats ns5/named.stats.$n # Check first 10 lines of Cache DB statistics. After last queries, we expect # everything to be removed or scheduled to be removed. -grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n > ns5/named.stats.$n.cachedb || ret=1 -grep -F "#TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1 -grep -F "#Others" ns5/named.stats.$n.cachedb > /dev/null && ret=1 -grep -F "#!TXT" ns5/named.stats.$n.cachedb > /dev/null && ret=1 -status=$((status+ret)) +grep -A 10 "++ Cache DB RRsets ++" ns5/named.stats.$n >ns5/named.stats.$n.cachedb || ret=1 +grep -F "#TXT" ns5/named.stats.$n.cachedb >/dev/null && ret=1 +grep -F "#Others" ns5/named.stats.$n.cachedb >/dev/null && ret=1 +grep -F "#!TXT" ns5/named.stats.$n.cachedb >/dev/null && ret=1 +status=$((status + ret)) if [ $ret != 0 ]; then echo_i "failed"; fi ################################################ @@ -1649,435 +1683,438 @@ if [ $ret != 0 ]; then echo_i "failed"; fi ################################################ echo_i "test stale-answer-client-timeout (1.8)" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named2.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "restart ns3" stop_server --use-rndc --port ${CONTROLPORT} ns3 start_server --noclean --restart --port ${PORT} ns3 -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=0)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-answer-client-timeout) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (stale-answer-client-timeout) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "delay responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt slowdown >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.slow TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null -echo_i "sending queries for tests $((n+1))-$((n+3))..." +echo_i "sending queries for tests $((n + 1))-$((n + 3))..." t1=$($PERL -e 'print time()') -$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 nodata.example TXT > dig.out.test$((n+2)) & -$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 nodata.example TXT >dig.out.test$((n + 2)) & +$DIG -p ${PORT} +tries=1 +timeout=11 @10.53.0.3 data.slow TXT >dig.out.test$((n + 3)) & wait t2=$($PERL -e 'print time()') # We configured a long value of 30 seconds for resolver-query-timeout. # That should give us enough time to receive an stale answer from cache # after stale-answer-client-timeout timer of 1.8 sec triggers. -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" ret=0 wait_for_log 5 "data.example client timeout, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 # Configured stale-answer-client-timeout is 1.8s, we allow some extra time # just in case other tests are taking too much cpu. -[ $((t2 - t1)) -le 10 ] || { echo_i "query took $((t2 - t1))s to resolve."; ret=1; } +[ $((t2 - t1)) -le 10 ] || { + echo_i "query took $((t2 - t1))s to resolve." + ret=1 +} if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*3.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (client timeout)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Now query for RRset not in cache. The first query should time out, but once # we enable the authoritative server, the second query should be able to get a # response. -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null -echo_i "sending queries for tests $((n+2))-$((n+4))..." +echo_i "sending queries for tests $((n + 2))-$((n + 4))..." # first dig runs in background for 10 seconds, second in background for 3 # seconds and the last for 3 seconds in the foreground. # the second RRSIG lookup triggers the issue in [GL #3622] -$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) & -$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) || true +$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG >dig.out.test$((n + 4)) & +$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT >dig.out.test$((n + 2)) || true # Enable the authoritative name server after stale-answer-client-timeout. -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check not in cache longttl.example TXT times out (stale-answer-client-timeout 1.8) ($n)" ret=0 wait_for_log 4 "longttl.example client timeout, stale answer unavailable" ns3/named.run || ret=1 -grep "timed out" dig.out.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.test$n > /dev/null || ret=1 +grep "timed out" dig.out.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) wait -n=$((n+1)) +n=$((n + 1)) echo_i "check not in cache longttl.example TXT comes from authoritative (stale-answer-client-timeout 1.8) ($n)" ret=0 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)" ret=0 -grep "timed out" dig.out.test$n > /dev/null || ret=1 -grep ";; no servers could be reached" dig.out.test$n > /dev/null || ret=1 +grep "timed out" dig.out.test$n >/dev/null || ret=1 +grep ";; no servers could be reached" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # CVE-2022-3924, GL #3619 -n=$((n+1)) +n=$((n + 1)) echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)" ret=0 num=0 # Make sure to exceed the configured value of 'recursive-clients 10;' by running # 20 parallel queries with simulated network latency. while [ $num -lt 20 ]; do - $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 & - num=$((num+1)) -done; + $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 & + num=$((num + 1)) +done check_server_responds() { - $DIG -p ${PORT} @10.53.0.3 version.bind txt ch >dig.out.test$n || return 1 - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + $DIG -p ${PORT} @10.53.0.3 version.bind txt ch >dig.out.test$n || return 1 + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 } retry_quiet 5 check_server_responds || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ############################################# # Test for stale-answer-client-timeout off. # ############################################# echo_i "test stale-answer-client-timeout (off)" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named3.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Send a query, auth server is disabled, we will enable it after a while in # order to receive an answer before resolver-query-timeout expires. Since # stale-answer-client-timeout is disabled we must receive an answer from # authoritative server. -echo_i "sending query for test $((n+2))" -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+2)) & +echo_i "sending query for test $((n + 2))" +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 2)) & sleep 3 -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Wait until dig is done. wait -n=$((n+1)) +n=$((n + 1)) echo_i "check data.example TXT comes from authoritative server (stale-answer-client-timeout off) ($n)" -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ############################################################## # Test for stale-answer-client-timeout off and CNAME record. # ############################################################## echo_i "test stale-answer-client-timeout (0) and CNAME record" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache shortttl.cname.example (stale-answer-client-timeout off) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "shortttl\.cname\.example\..*1.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1 -grep "longttl\.target\.example\..*600.*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "shortttl\.cname\.example\..*1.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n >/dev/null || ret=1 +grep "longttl\.target\.example\..*600.*IN.*A.*10\.53\.0\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 1 -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale shortttl.cname.example comes from cache (stale-answer-client-timeout off) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 shortttl.cname.example A >dig.out.test$n wait_for_log 5 "shortttl.cname.example resolver failure, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "shortttl\.cname\.example\..*3.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "shortttl\.cname\.example\..*3.*IN.*CNAME.*longttl\.target\.example\." dig.out.test$n >/dev/null || ret=1 # We can't reliably test the TTL of the longttl.target.example A record. -grep "longttl\.target\.example\..*IN.*A.*10\.53\.0\.2" dig.out.test$n > /dev/null || ret=1 +grep "longttl\.target\.example\..*IN.*A.*10\.53\.0\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} serve-stale ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} serve-stale ns3 fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} serve-stale ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} serve-stale ns3 fi -status=$((status+ret)) +status=$((status + ret)) ############################################# # Test for stale-answer-client-timeout 0. # ############################################# echo_i "test stale-answer-client-timeout (0)" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named4.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "restart ns3" stop_server --use-rndc --port ${CONTROLPORT} ns3 start_server --noclean --restart --port ${PORT} ns3 -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-answer-client-timeout 0)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache nodata.example TXT (stale-answer-client-timeout 0)" ret=0 -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n wait_for_log 5 "nodata.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 -grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1 +grep "example\..*3.*IN.*SOA" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) wait_for_rrset_refresh() { - $DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "EDE" dig.out.test$n > /dev/null && return 1 - grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 - grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1 + $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "EDE" dig.out.test$n >/dev/null && return 1 + grep "ANSWER: 1," dig.out.test$n >/dev/null || return 1 + grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || return 1 } # This test ensures that after we get stale data due to # stale-answer-client-timeout 0, enabling the authoritative server will allow # the RRset to be updated. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) wait_for_nodata_refresh() { - $DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$n - grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 - grep "ANSWER: 0," dig.out.test$n > /dev/null || return 1 - grep "example\..*[12].*IN.*SOA" dig.out.test$n > /dev/null || return 1 - return 0 + $DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$n + grep "status: NOERROR" dig.out.test$n >/dev/null || return 1 + grep "ANSWER: 0," dig.out.test$n >/dev/null || return 1 + grep "example\..*[12].*IN.*SOA" dig.out.test$n >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale nodata.example TXT was refreshed (stale-answer-client-timeout 0) ($n)" retry_quiet 10 wait_for_nodata_refresh || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) #################################################################### # Test for stale-answer-client-timeout 0 and recursive-clients 10. # @@ -2085,48 +2122,48 @@ status=$((status+ret)) # ################################################################## echo_i "test stale-answer-client-timeout (0) and recursive-clients 10" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.slow TXT (stale-answer-client-timeout 0) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.slow TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Run the following check twice. Sometimes a priming query interrupts the first # attempt to exceed the quota. attempt=0 while [ $ret -eq 0 ] && [ $attempt -lt 2 ]; do - n=$((n+1)) - echo_i "slow down response from authoritative server ($n)" - ret=0 - $DIG -p ${PORT} @10.53.0.2 slowdown TXT > dig.out.test$n - grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 - grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - # Let the data.slow TTL expire - sleep 2 - - n=$((n+1)) - echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 0) ($n)" - ret=0 - num=0 - # Attempt to exceed the configured value of 'recursive-clients 10;' by running - # 20 parallel queries for the stale domain which has slow auth. - while [ $num -lt 20 ]; do - $DIG +tries=1 +timeout=10 -p ${PORT} @10.53.0.3 data.slow TXT >/dev/null 2>&1 & - num=$((num+1)) - done; - # Let the dig processes finish. - wait - retry_quiet 5 check_server_responds || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - attempt=$((attempt+1)) + n=$((n + 1)) + echo_i "slow down response from authoritative server ($n)" + ret=0 + $DIG -p ${PORT} @10.53.0.2 slowdown TXT >dig.out.test$n + grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 + grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + # Let the data.slow TTL expire + sleep 2 + + n=$((n + 1)) + echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 0) ($n)" + ret=0 + num=0 + # Attempt to exceed the configured value of 'recursive-clients 10;' by running + # 20 parallel queries for the stale domain which has slow auth. + while [ $num -lt 20 ]; do + $DIG +tries=1 +timeout=10 -p ${PORT} @10.53.0.3 data.slow TXT >/dev/null 2>&1 & + num=$((num + 1)) + done + # Let the dig processes finish. + wait + retry_quiet 5 check_server_responds || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + attempt=$((attempt + 1)) done # Restart ns3 to avoid the exceeded recursive-clients limit from previous check @@ -2140,266 +2177,266 @@ start_server --noclean --restart --port ${PORT} ns3 ############################################################ echo_i "test stale-answer-client-timeout (0) and CNAME record" -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache cname1.stale.test A (stale-answer-client-timeout 0) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname1\.stale\.test\..*1.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1 -grep "a1\.stale\.test\..*1.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname1\.stale\.test\..*1.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n >/dev/null || ret=1 +grep "a1\.stale\.test\..*1.*IN.*A.*192\.0\.2\.1" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 1 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale cname1.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 cname1.stale.test A >dig.out.test$n wait_for_log 5 "cname1.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname1\.stale\.test\..*3.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n > /dev/null || ret=1 -grep "a1\.stale\.test\..*3.*IN.*A.*192\.0\.2\.1" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname1\.stale\.test\..*3.*IN.*CNAME.*a1\.stale\.test\." dig.out.test$n >/dev/null || ret=1 +grep "a1\.stale\.test\..*3.*IN.*A.*192\.0\.2\.1" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} ns3 fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache cname2.stale.test A (stale-answer-client-timeout 0) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname2\.stale\.test\..*1.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1 -grep "a2\.stale\.test\..*300.*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname2\.stale\.test\..*1.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n >/dev/null || ret=1 +grep "a2\.stale\.test\..*300.*IN.*A.*192\.0\.2\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow CNAME record in the RRSET to become stale. sleep 1 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale cname2.stale.test A comes from cache (stale-answer-client-timeout 0) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 cname2.stale.test A >dig.out.test$n wait_for_log 5 "cname2.stale.test stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname2\.stale\.test\..*3.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname2\.stale\.test\..*3.*IN.*CNAME.*a2\.stale\.test\." dig.out.test$n >/dev/null || ret=1 # We can't reliably test the TTL of the a2.stale.test A record. -grep "a2\.stale\.test\..*IN.*A.*192\.0\.2\.2" dig.out.test$n > /dev/null || ret=1 +grep "a2\.stale\.test\..*IN.*A.*192\.0\.2\.2" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check server is alive or restart ($n)" ret=0 -$RNDCCMD 10.53.0.3 status > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 status >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - echo_i "restart ns3" - start_server --noclean --restart --port ${PORT} ns3 + echo_i "failed" + echo_i "restart ns3" + start_server --noclean --restart --port ${PORT} ns3 fi -status=$((status+ret)) +status=$((status + ret)) #################################################################### # Test for stale-answer-client-timeout 0 and stale-refresh-time 4. # #################################################################### echo_i "test stale-answer-client-timeout (0) and stale-refresh-time (4)" -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named5.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache, enable responses from authoritative server ($n)" ret=0 -$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache data.example TXT (stale-answer-client-timeout 0, stale-refresh-time 4) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*2.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # This test ensures that after we get stale data due to # stale-answer-client-timeout 0, enabling the authoritative server will allow # the RRset to be updated. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow stale-refresh-time to be activated. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "wait until resolver query times out, activating stale-refresh-time" wait_for_log 15 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache within stale-refresh-time (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "enable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt enable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # We give BIND some time to ensure that after we enable authoritative server, # this RRset is still not refreshed because it was hit during # stale-refresh-time window. sleep 1 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was not refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example query within stale refresh time" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (query within stale refresh time window)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # After the refresh-time-window, the RRset will be refreshed. sleep 4 -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example stale answer used, an attempt to refresh the RRset" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (stale data prioritized over lookup)" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE" dig.out.test$n > /dev/null && ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE" dig.out.test$n >/dev/null && ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) #################################################################### # Test serve-stale's interaction with fetch limits (cache only) # @@ -2409,108 +2446,108 @@ echo_i "test serve-stale's interaction with fetch-limits (cache only)" # We update the named configuration to enable fetch-limits. The fetch-limits # are set to 1, which is ridiciously low, but that is because for this test we # want to reach the fetch-limits. -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named6.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Disable responses from authoritative server. If we can't resolve the example # zone, fetch limits will be reached. -n=$((n+1)) +n=$((n + 1)) echo_i "disable responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"0\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Allow RRset to become stale. sleep 2 # Turn on serve-stale. -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc serve-stale on' ($n)" ret=0 $RNDCCMD 10.53.0.3 serve-stale on || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Hit the fetch-limits. We burst the name server with a small batch of queries. # Only 2 queries are required to hit the fetch-limits. The first query will # start to resolve, the second one hit the fetch-limits. burst() { - num=${1} - rm -f burst.input.$$ - while [ $num -gt 0 ]; do - num=$((num - 1)) - echo "fetch${num}.example A" >> burst.input.$$ - done - $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ - rm -f burst.input.$$ + num=${1} + rm -f burst.input.$$ + while [ $num -gt 0 ]; do + num=$((num - 1)) + echo "fetch${num}.example A" >>burst.input.$$ + done + $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ + rm -f burst.input.$$ } wait_for_fetchlimits() { - burst 2 - # We expect a query for nx.example to fail because fetch-limits for - # the domain 'example.' (and everything below) has been reached. - $DIG -p ${PORT} +tries=1 +timeout=1 @10.53.0.3 nx.example > dig.out.test$n - grep "status: SERVFAIL" dig.out.test$n > /dev/null || return 1 + burst 2 + # We expect a query for nx.example to fail because fetch-limits for + # the domain 'example.' (and everything below) has been reached. + $DIG -p ${PORT} +tries=1 +timeout=1 @10.53.0.3 nx.example >dig.out.test$n + grep "status: SERVFAIL" dig.out.test$n >/dev/null || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "hit fetch limits ($n)" ret=0 retry_quiet 10 wait_for_fetchlimits || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Expect stale data now (because fetch-limits for the domain 'example.' (and # everything below) has been reached. But we have a stale RRset for # 'data.example/TXT' that can be used. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache (fetch-limits) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # The previous query should not have started the stale-refresh-time window. -n=$((n+1)) +n=$((n + 1)) ret=0 echo_i "check stale data.example TXT comes from cache again (fetch-limits) ($n)" -nextpart ns3/named.run > /dev/null -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n +nextpart ns3/named.run >/dev/null +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n wait_for_log 5 "data.example resolver failure, stale answer used" ns3/named.run || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "EDE: 3 (Stale Answer): (resolver failure" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "data\.example\..*3.*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ######################################################################## # Test serve-stale's interaction with fetch limits (dual-mode) # @@ -2519,115 +2556,115 @@ echo_i "test serve-stale's interaction with fetch limits (dual-mode)" # Update named configuration so that ns3 becomes a recursive resolver which is # also a secondary server for the root zone. -n=$((n+1)) +n=$((n + 1)) echo_i "updating ns3/named.conf ($n)" ret=0 copy_setports ns3/named7.conf.in ns3/named.conf if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "running 'rndc reload' ($n)" ret=0 rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check 'rndc serve-stale status' ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Flush the cache to ensure the example/NS RRset cached during previous tests # does not override the authoritative delegation found in the root zone. -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache ($n)" ret=0 -$RNDCCMD 10.53.0.3 flush > rndc.out.test$n 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 flush >rndc.out.test$n 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Test that after flush, serve-stale configuration is not reset. -n=$((n+1)) +n=$((n + 1)) echo_i "check serve-stale configuration is not reset after flush ($n)" ret=0 -$RNDCCMD 10.53.0.3 serve-stale status > rndc.out.test$n 2>&1 || ret=1 -grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.3 serve-stale status >rndc.out.test$n 2>&1 || ret=1 +grep '_default: stale cache enabled; stale answers enabled (stale-answer-ttl=3 max-stale-ttl=3600 stale-refresh-time=4)' rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # Query name server with low fetch limits. The authoritative server (ans2) is # not responding. Sending queries for multiple names in the 'example' zone # in parallel causes the fetch limit for that zone (set to 1) to be # reached. This should not trigger a crash. -echo_i "sending queries for tests $((n+1))-$((n+4))..." -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & -$DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) & -$DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) & -$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) & +echo_i "sending queries for tests $((n + 1))-$((n + 4))..." +$DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$((n + 1)) & +$DIG -p ${PORT} @10.53.0.3 othertype.example CAA >dig.out.test$((n + 2)) & +$DIG -p ${PORT} @10.53.0.3 nodata.example TXT >dig.out.test$((n + 3)) & +$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT >dig.out.test$((n + 4)) & wait # Expect SERVFAIL for the entries not in cache. -n=$((n+1)) +n=$((n + 1)) echo_i "check stale data.example TXT (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale othertype.example CAA (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nodata.example TXT (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check stale nxdomain.example TXT (fetch-limits dual-mode) ($n)" ret=0 -grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 +grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check DNS64 processing of a stale negative answer ($n)" ret=0 # configure ns3 with dns64 copy_setports ns3/named8.conf.in ns3/named.conf rndc_reload ns3 10.53.0.3 # flush cache, enable ans2 responses, make sure serve-stale is on -$RNDCCMD 10.53.0.3 flush > rndc.out.test$n.1 2>&1 || ret=1 -$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null -$RNDCCMD 10.53.0.3 serve-stale on > rndc.out.test$n.2 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 flush >rndc.out.test$n.1 2>&1 || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt enable >/dev/null +$RNDCCMD 10.53.0.3 serve-stale on >rndc.out.test$n.2 2>&1 || ret=1 # prime the cache with an AAAA NXRRSET response -$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.1.test$n -grep "status: NOERROR" dig.out.1.test$n > /dev/null || ret=1 -grep "2001:aaaa" dig.out.1.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA >dig.out.1.test$n +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "2001:aaaa" dig.out.1.test$n >/dev/null || ret=1 # disable responses from the auth server -$DIG -p ${PORT} @10.53.0.2 txt disable > /dev/null +$DIG -p ${PORT} @10.53.0.2 txt disable >/dev/null # wait two seconds for the previous answer to become stale sleep 2 # resend the query and wait in the background; we should get a stale answer -$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA > dig.out.2.test$n & +$DIG -p ${PORT} @10.53.0.3 a-only.example AAAA >dig.out.2.test$n & # re-enable queries after a pause, so the server gets a real answer too sleep 2 -$DIG -p ${PORT} @10.53.0.2 txt enable > /dev/null +$DIG -p ${PORT} @10.53.0.2 txt enable >/dev/null wait -grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1 -grep "2001:aaaa" dig.out.2.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "2001:aaaa" dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) ########################################################### # Test serve-stale's interaction with prefetch processing # @@ -2654,52 +2691,52 @@ echo_i "test serve-stale's interaction with prefetch processing" # (DNS_EVENT_FETCHDONE). # flush cache -n=$((n+1)) +n=$((n + 1)) echo_i "flush cache ($n)" ret=0 -$RNDCCMD 10.53.0.3 flushtree example > rndc.out.test$n.1 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 flushtree example >rndc.out.test$n.1 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # prime the cache with CNAME and A; CNAME expires sooner -n=$((n+1)) +n=$((n + 1)) echo_i "prime cache cname.example A (stale-answer-client-timeout 1.8) ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1 -grep "target\.example\..*9.*IN.*A" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.3 cname.example A >dig.out.test$n +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n >/dev/null || ret=1 +grep "target\.example\..*9.*IN.*A" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # wait for the CNAME to be stale; A will still be valid and in prefetch window. # (the longer TTL is needed, otherwise data won't be prefetch-eligible.) sleep 7 # re-enable auth responses, but with a delay answering the A -n=$((n+1)) +n=$((n + 1)) echo_i "delay responses from authoritative server ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.2 txt slowdown >dig.out.test$n +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # resend the query and wait in the background; we should get a stale answer -n=$((n+1)) +n=$((n + 1)) echo_i "check prefetch processing of a stale CNAME target ($n)" ret=0 -$DIG -p ${PORT} @10.53.0.3 cname.example A > dig.out.test$n & +$DIG -p ${PORT} @10.53.0.3 cname.example A >dig.out.test$n & sleep 2 wait -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 2," dig.out.test$n > /dev/null || ret=1 -grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n > /dev/null || ret=1 -grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n > /dev/null || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 +grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1 +grep "cname\.example\..*7.*IN.*CNAME.*target\.example\." dig.out.test$n >/dev/null || ret=1 +grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/setup.sh b/bin/tests/system/setup.sh index 23145fa..73a7e78 100644 --- a/bin/tests/system/setup.sh +++ b/bin/tests/system/setup.sh @@ -17,17 +17,20 @@ . ./conf.sh -test $# -gt 0 || { echo "usage: $0 test-directory" >&2; exit 1; } +test $# -gt 0 || { + echo "usage: $0 test-directory" >&2 + exit 1 +} test=$1 shift -test -d $test || { echo "$0: $test: no such test" >&2; exit 1; } +test -d $test || { + echo "$0: $test: no such test" >&2 + exit 1 +} # Set up any dynamically generated test data -if test -f $test/setup.sh -then - ( cd $test && $SHELL setup.sh "$@" ) +if test -f $test/setup.sh; then + (cd $test && $SHELL setup.sh "$@") fi - - diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh index a94ad58..04414d2 100644 --- a/bin/tests/system/sfcache/ns1/sign.sh +++ b/bin/tests/system/sfcache/ns1/sign.sh @@ -20,19 +20,19 @@ zone=. infile=root.db.in zonefile=root.db -(cd ../ns2 && $SHELL sign.sh ) +(cd ../ns2 && $SHELL sign.sh) cp "../ns2/dsset-example." . keyname=$($KEYGEN -q -a "${DEFAULT_ALGORITHM}" -b "${DEFAULT_BITS}" -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf cp trusted.conf ../ns2/trusted.conf # ...or with an initializing key. -keyfile_to_initial_ds "$keyname" > managed.conf +keyfile_to_initial_ds "$keyname" >managed.conf diff --git a/bin/tests/system/sfcache/ns2/named.conf.in b/bin/tests/system/sfcache/ns2/named.conf.in index afb5a86..7052ac6 100644 --- a/bin/tests/system/sfcache/ns2/named.conf.in +++ b/bin/tests/system/sfcache/ns2/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh index 038d079..2f85059 100644 --- a/bin/tests/system/sfcache/ns2/sign.sh +++ b/bin/tests/system/sfcache/ns2/sign.sh @@ -23,6 +23,6 @@ zonefile=example.db keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile" +cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile" -"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null +"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" >/dev/null diff --git a/bin/tests/system/sfcache/ns5/named.conf.in b/bin/tests/system/sfcache/ns5/named.conf.in index 272d65b..36bfb96 100644 --- a/bin/tests/system/sfcache/ns5/named.conf.in +++ b/bin/tests/system/sfcache/ns5/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; include "trusted.conf"; diff --git a/bin/tests/system/sfcache/ns5/sign.sh b/bin/tests/system/sfcache/ns5/sign.sh index 6ca88de..7d70bea 100644 --- a/bin/tests/system/sfcache/ns5/sign.sh +++ b/bin/tests/system/sfcache/ns5/sign.sh @@ -18,4 +18,4 @@ set -e keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone ".") -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh index d2aeee7..a01b269 100644 --- a/bin/tests/system/sfcache/tests.sh +++ b/bin/tests/system/sfcache/tests.sh @@ -22,86 +22,86 @@ n=0 rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd -p "$PORT" "$@" } rndc_with_opts() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@" } echo_i "checking DNSSEC SERVFAIL is cached ($n)" ret=0 -dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts +dnssec foo.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 rndc_dumpdb ns5 -all -awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n > sfcache.$n -grep "^; foo.example/A" sfcache.$n > /dev/null || ret=1 -n=$((n+1)) +awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n >sfcache.$n +grep "^; foo.example/A" sfcache.$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking SERVFAIL is returned from cache ($n)" ret=0 -dig_with_opts +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec foo.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking that +cd bypasses cache check ($n)" ret=0 -dig_with_opts +dnssec +cd foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +dnssec +cd foo.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "switching to non-dnssec SERVFAIL tests" ret=0 rndc_with_opts 10.53.0.5 flush 2>&1 | sed 's/^/I:ns5 /' rndc_dumpdb ns5 -all mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.1 -awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 > sfcache.$n.1 +awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db.test$n.1 >sfcache.$n.1 [ -s "sfcache.$n.1" ] && ret=1 echo_i "checking SERVFAIL is cached ($n)" -dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 rndc_dumpdb ns5 -all mv ns5/named_dump.db.test$n ns5/named_dump.db.test$n.2 -awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 > sfcache.$n.2 -grep "^; bar.example2/A" sfcache.$n.2 > /dev/null || ret=1 -n=$((n+1)) +awk '/Zone/{out=0} { if (out) print } /SERVFAIL/{out=1}' ns5/named_dump.db.test$n.2 >sfcache.$n.2 +grep "^; bar.example2/A" sfcache.$n.2 >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking SERVFAIL is returned from cache ($n)" ret=0 -nextpart ns5/named.run > /dev/null -dig_with_opts bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -nextpart ns5/named.run > ns5/named.run.part$n -grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n > /dev/null || ret=1 -n=$((n+1)) +nextpart ns5/named.run >/dev/null +dig_with_opts bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +nextpart ns5/named.run >ns5/named.run.part$n +grep 'servfail cache hit bar.example2/A (CD=0)' ns5/named.run.part$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cache is bypassed with +cd query ($n)" ret=0 -dig_with_opts +cd bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -nextpart ns5/named.run > ns5/named.run.part$n -grep 'servfail cache hit' ns5/named.run.part$n > /dev/null && ret=1 -n=$((n+1)) +dig_with_opts +cd bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +nextpart ns5/named.run >ns5/named.run.part$n +grep 'servfail cache hit' ns5/named.run.part$n >/dev/null && ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "checking cache is used for subsequent +cd query ($n)" ret=0 -dig_with_opts +dnssec bar.example2. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1 -nextpart ns5/named.run > ns5/named.run.part$n -grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n > /dev/null || ret=1 -n=$((n+1)) +dig_with_opts +dnssec bar.example2. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 +nextpart ns5/named.run >ns5/named.run.part$n +grep 'servfail cache hit bar.example2/A (CD=1)' ns5/named.run.part$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/shutdown/tests_shutdown.py b/bin/tests/system/shutdown/tests_shutdown.py index 89cada2..19f853b 100755 --- a/bin/tests/system/shutdown/tests_shutdown.py +++ b/bin/tests/system/shutdown/tests_shutdown.py @@ -175,8 +175,8 @@ def test_named_shutdown(named_port, control_port, kill_method): rndc = os.getenv("RNDC") assert rndc is not None - # rndc configuration resides in ../common/rndc.conf - rndc_cfg = os.path.join("..", "common", "rndc.conf") + # rndc configuration resides in ../_common/rndc.conf + rndc_cfg = os.path.join("..", "_common", "rndc.conf") assert os.path.isfile(rndc_cfg) # rndc command with default arguments. diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index 1da21bf..70a4dc7 100644 --- a/bin/tests/system/smartsign/tests.sh +++ b/bin/tests/system/smartsign/tests.sh @@ -67,7 +67,7 @@ pksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -fk $pzone) echo_i "setting child's activation time" # using now+30s to fix RT 24561 -$SETTIME -A now+30s $cksk2 > /dev/null +$SETTIME -A now+30s $cksk2 >/dev/null echo_i "signing child zone" czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile) @@ -91,14 +91,14 @@ pkid=$(keyfile_to_key_id $pksk) echo_i "checking dnssec-signzone output matches expectations" ret=0 -echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 -echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1 +echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' >/dev/null || ret=1 +echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "parent $pzoneout" - echo_i "child $czoneout" - echo_i "failed"; + echo_i "parent $pzoneout" + echo_i "child $czoneout" + echo_i "failed" fi status=$((status + ret)) @@ -107,81 +107,81 @@ ret=0 # use an alternate output file so -x doesn't interfere with later checks pzoneout=$($SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile) czoneout=$($SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile) -echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1 -echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1 -echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1 +echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' >/dev/null || ret=1 +echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' >/dev/null || ret=1 +echo "$czoneout" | grep 'ZSKs: 1 active, 2 present, 0 revoked' >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "parent $pzoneout" - echo_i "child $czoneout" - echo_i "failed"; + echo_i "parent $pzoneout" + echo_i "child $czoneout" + echo_i "failed" fi status=$((status + ret)) echo_i "checking parent zone DNSKEY set" ret=0 -grep "key id = $pzid" $pfile.signed > /dev/null || { - ret=1 - echo_i "missing expected parent ZSK id = $pzid" +grep "key id = $pzid" $pfile.signed >/dev/null || { + ret=1 + echo_i "missing expected parent ZSK id = $pzid" } -grep "key id = $pkid" $pfile.signed > /dev/null || { - ret=1 - echo_i "missing expected parent KSK id = $pkid" +grep "key id = $pkid" $pfile.signed >/dev/null || { + ret=1 + echo_i "missing expected parent KSK id = $pkid" } if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking parent zone DS records" ret=0 -awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out -grep -w "$ckactive" dsset.out > /dev/null || ret=1 -grep -w "$ckpublished" dsset.out > /dev/null || ret=1 +awk '$2 == "DS" {print $3}' $pfile.signed >dsset.out +grep -w "$ckactive" dsset.out >/dev/null || ret=1 +grep -w "$ckpublished" dsset.out >/dev/null || ret=1 # revoked key should not be there, hence the && -grep -w "$ckprerevoke" dsset.out > /dev/null && ret=1 -grep -w "$ckrevoked" dsset.out > /dev/null && ret=1 +grep -w "$ckprerevoke" dsset.out >/dev/null && ret=1 +grep -w "$ckrevoked" dsset.out >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking child zone DNSKEY set" ret=0 -grep "key id = $ckactive\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child KSK id = $ckactive" +grep "key id = $ckactive\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child KSK id = $ckactive" } -grep "key id = $ckpublished\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child prepublished KSK id = $ckpublished" +grep "key id = $ckpublished\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child prepublished KSK id = $ckpublished" } -grep "key id = $ckrevoked\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child revoked KSK id = $ckrevoked" +grep "key id = $ckrevoked\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child revoked KSK id = $ckrevoked" } -grep "key id = $czactive\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child ZSK id = $czactive" +grep "key id = $czactive\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child ZSK id = $czactive" } -grep "key id = $czpublished\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child prepublished ZSK id = $czpublished" +grep "key id = $czpublished\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child prepublished ZSK id = $czpublished" } -grep "key id = $czinactive\$" $cfile.signed > /dev/null || { - ret=1 - echo_i "missing expected child inactive ZSK id = $czinactive" +grep "key id = $czinactive\$" $cfile.signed >/dev/null || { + ret=1 + echo_i "missing expected child inactive ZSK id = $czinactive" } # should not be there, hence the && -grep "key id = $ckprerevoke\$" $cfile.signed > /dev/null && { - ret=1 - echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke" +grep "key id = $ckprerevoke\$" $cfile.signed >/dev/null && { + ret=1 + echo_i "found unexpected child pre-revoke ZSK id = $ckprerevoke" } -grep "key id = $czgenerated\$" $cfile.signed > /dev/null && { - ret=1 - echo_i "found unexpected child generated ZSK id = $czgenerated" +grep "key id = $czgenerated\$" $cfile.signed >/dev/null && { + ret=1 + echo_i "found unexpected child generated ZSK id = $czgenerated" } -grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && { - echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)" +grep "key id = $czpredecessor\$" $cfile.signed >/dev/null && { + echo_i "found unexpected ZSK predecessor id = $czpredecessor (ignored)" } -grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && { - echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)" +grep "key id = $czsuccessor\$" $cfile.signed >/dev/null && { + echo_i "found unexpected ZSK successor id = $czsuccessor (ignored)" } #grep "key id = $czpredecessor\$" $cfile.signed > /dev/null && ret=1 #grep "key id = $czsuccessor\$" $cfile.signed > /dev/null && ret=1 @@ -190,29 +190,29 @@ status=$((status + ret)) echo_i "checking key TTLs are correct" ret=0 -grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1 -grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1 -grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 -$SETTIME -L 45 ${czsk2} > /dev/null -grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 -$SETTIME -L 0 ${czsk2} > /dev/null -grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +grep "${czone}. 30 IN" ${czsk1}.key >/dev/null 2>&1 || ret=1 +grep "${czone}. 30 IN" ${cksk1}.key >/dev/null 2>&1 || ret=1 +grep "${czone}. IN" ${czsk2}.key >/dev/null 2>&1 || ret=1 +$SETTIME -L 45 ${czsk2} >/dev/null +grep "${czone}. 45 IN" ${czsk2}.key >/dev/null 2>&1 || ret=1 +$SETTIME -L 0 ${czsk2} >/dev/null +grep "${czone}. IN" ${czsk2}.key >/dev/null 2>&1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking key TTLs were imported correctly" ret=0 awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \ - ${cfile}.signed || ret=1 + ${cfile}.signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "re-signing and checking imported TTLs again" ret=0 -$SETTIME -L 15 ${czsk2} > /dev/null +$SETTIME -L 15 ${czsk2} >/dev/null czoneout=$($SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile) awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \ - ${cfile}.signed || ret=1 + ${cfile}.signed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -222,108 +222,159 @@ status=$((status + ret)) echo_i "checking child zone signatures" ret=0 # check DNSKEY signatures first -awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs +awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed >dnskey.sigs sub=0 -grep -w "$ckactive" dnskey.sigs > /dev/null || sub=1 -if [ $sub != 0 ]; then echo_i "missing ckactive $ckactive (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckactive" dnskey.sigs >/dev/null || sub=1 +if [ $sub != 0 ]; then + echo_i "missing ckactive $ckactive (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckrevoked" dnskey.sigs > /dev/null || sub=1 -if [ $sub != 0 ]; then echo_i "missing ckrevoke $ckrevoke (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckrevoked" dnskey.sigs >/dev/null || sub=1 +if [ $sub != 0 ]; then + echo_i "missing ckrevoke $ckrevoke (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czactive" dnskey.sigs > /dev/null || sub=1 -if [ $sub != 0 ]; then echo_i "missing czactive $czactive (dnskey)"; ret=1; fi +grep -w "$czactive" dnskey.sigs >/dev/null || sub=1 +if [ $sub != 0 ]; then + echo_i "missing czactive $czactive (dnskey)" + ret=1 +fi # should not be there: -echo $ret > /dev/null +echo $ret >/dev/null sync sub=0 -grep -w "$ckprerevoke" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckprerevoke" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckprerevoke $ckprerevoke (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckpublished" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckpublished" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckpublished $ckpublished (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czpublished" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czpublished" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czpublished $czpublished (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czinactive" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (dnskey)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czinactive" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czinactive $czinactive (dnskey)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czgenerated" dnskey.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (dnskey)"; ret=1; fi +grep -w "$czgenerated" dnskey.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czgenerated $czgenerated (dnskey)" + ret=1 +fi # now check other signatures first -awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' $cfile.signed | sort -un > other.sigs +awk '$2 == "RRSIG" && $3 != "DNSKEY" && $3 != "CDNSKEY" && $3 != "CDS" { getline; print $3 }' $cfile.signed | sort -un >other.sigs # should not be there: -echo $ret > /dev/null +echo $ret >/dev/null sync sub=0 -grep -w "$ckactive" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckactive $ckactive (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckactive" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckactive $ckactive (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckpublished" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckpublished $ckpublished (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckpublished" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckpublished $ckpublished (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckprerevoke" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckprerevoke $ckprerevoke (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckprerevoke" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckprerevoke $ckprerevoke (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$ckrevoked" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found ckrevoked $ckrevoked (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$ckrevoked" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found ckrevoked $ckrevoked (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czpublished" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czpublished $czpublished (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czpublished" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czpublished $czpublished (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czinactive" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czinactive $czinactive (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czinactive" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czinactive $czinactive (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czgenerated" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czgenerated $czgenerated (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czgenerated" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czgenerated $czgenerated (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czpredecessor" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czpredecessor $czpredecessor (other)"; ret=1; fi -echo $ret > /dev/null +grep -w "$czpredecessor" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czpredecessor $czpredecessor (other)" + ret=1 +fi +echo $ret >/dev/null sync sub=0 -grep -w "$czsuccessor" other.sigs > /dev/null && sub=1 -if [ $sub != 0 ]; then echo_i "found czsuccessor $czsuccessor (other)"; ret=1; fi +grep -w "$czsuccessor" other.sigs >/dev/null && sub=1 +if [ $sub != 0 ]; then + echo_i "found czsuccessor $czsuccessor (other)" + ret=1 +fi if [ $ret != 0 ]; then - sed 's/^/I:dnskey sigs: /' < dnskey.sigs - sed 's/^/I:other sigs: /' < other.sigs - echo_i "failed"; + sed 's/^/I:dnskey sigs: /' <dnskey.sigs + sed 's/^/I:other sigs: /' <other.sigs + echo_i "failed" fi status=$((status + ret)) echo_i "checking RRSIG expiry date correctness" -dnskey_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null | - awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' | - cut -c1-10) -soa_expiry=$($CHECKZONE -o - $czone $cfile.signed 2> /dev/null | - awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' | - cut -c1-10) +dnskey_expiry=$($CHECKZONE -o - $czone $cfile.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}' \ + | cut -c1-10) +soa_expiry=$($CHECKZONE -o - $czone $cfile.signed 2>/dev/null \ + | awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}' \ + | cut -c1-10) [ $dnskey_expiry -gt $soa_expiry ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -336,14 +387,14 @@ mv $cfile.new $cfile.signed echo_i "checking dnssec-signzone output matches expectations" ret=0 -echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1 +echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking child zone signatures again" ret=0 -awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed > dnskey.sigs -grep -w "$ckpublished" dnskey.sigs > /dev/null || ret=1 +awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $3 }' $cfile.signed >dnskey.sigs +grep -w "$ckpublished" dnskey.sigs >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -357,8 +408,8 @@ status=$((status + ret)) # this also checks that the future sync record is not yet published echo_i "checking sync record deletion" ret=0 -$SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null -$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null +$SETTIME -P now -A now -Dsync now ${cksk5} >/dev/null +$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed >/dev/null mv $cfile.new $cfile.signed awk 'BEGIN { r=1 } $2 == "CDNSKEY" { r=0 } END { exit r }' $cfile.signed && ret=1 awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed && ret=1 diff --git a/bin/tests/system/sortlist/tests.sh b/bin/tests/system/sortlist/tests.sh index 894b022..d3ce7ad 100644 --- a/bin/tests/system/sortlist/tests.sh +++ b/bin/tests/system/sortlist/tests.sh @@ -35,18 +35,18 @@ $DIG $DIGOPTS a.example. @10.53.0.1 -b 10.53.0.1 >test1.dig diff test1.dig test1.good || status=1 echo_i "test 1-element sortlist statement and undocumented BIND 8 features" - cat <<EOF >test2.good +cat <<EOF >test2.good b.example. 300 IN A 10.53.0.$n EOF -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.2 | sed 1q | \ - grep -E '10.53.0.(2|3)$' > test2.out && -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.3 | sed 1q | \ - grep -E '10.53.0.(2|3)$' >> test2.out && -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.4 | sed 1q | \ - grep -E '10.53.0.4$' >> test2.out && -$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.5 | sed 1q | \ - grep -E '10.53.0.5$' >> test2.out || status=1 +$DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.2 | sed 1q \ + | grep -E '10.53.0.(2|3)$' >test2.out \ + && $DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.3 | sed 1q \ + | grep -E '10.53.0.(2|3)$' >>test2.out \ + && $DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.4 | sed 1q \ + | grep -E '10.53.0.4$' >>test2.out \ + && $DIG $DIGOPTS b.example. @10.53.0.1 -b 10.53.0.5 | sed 1q \ + | grep -E '10.53.0.5$' >>test2.out || status=1 echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh index 07e6c19..a74f559 100644 --- a/bin/tests/system/spf/tests.sh +++ b/bin/tests/system/spf/tests.sh @@ -19,26 +19,25 @@ n=1 status=0 # Wait until all zones are loaded before checking SPF related logs -for i in 1 2 3 4 5 6 7 8 9 10 -do - grep "all zones loaded" ns1/named.run > /dev/null && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + grep "all zones loaded" ns1/named.run >/dev/null && break + sleep 1 done echo_i "checking that SPF warnings have been correctly generated ($n)" ret=0 -grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 -grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1 -grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1 +grep "zone spf/IN: loaded serial 0" ns1/named.run >/dev/null || ret=1 +grep "'y.spf' found type SPF" ns1/named.run >/dev/null || ret=1 +grep "'spf' found type SPF" ns1/named.run >/dev/null && ret=1 -grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 -grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1 -grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1 +grep "zone warn/IN: loaded serial 0" ns1/named.run >/dev/null || ret=1 +grep "'y.warn' found type SPF" ns1/named.run >/dev/null || ret=1 +grep "'warn' found type SPF" ns1/named.run >/dev/null && ret=1 -grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 -grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1 -grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1 +grep "zone nowarn/IN: loaded serial 0" ns1/named.run >/dev/null || ret=1 +grep "'y.nowarn' found type SPF" ns1/named.run >/dev/null && ret=1 +grep "'nowarn' found type SPF" ns1/named.run >/dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl index 2a2d780..904aa9b 100755 --- a/bin/tests/system/start.pl +++ b/bin/tests/system/start.pl @@ -230,22 +230,13 @@ sub construct_ns_command { my $command; - if ($ENV{'USE_VALGRIND'}) { - $command = "valgrind -q --gen-suppressions=all --num-callers=48 --fullpath-after= --log-file=named-$server-valgrind-%p.log "; - - if ($ENV{'USE_VALGRIND'} eq 'helgrind') { - $command .= "--tool=helgrind "; - } else { - $command .= "--tool=memcheck --track-origins=yes --leak-check=full "; - } - - $command .= "$NAMED -m none "; + if ($taskset) { + $command = "taskset $taskset $NAMED "; + } elsif ($ENV{'USE_RR'}) { + $ENV{'_RR_TRACE_DIR'} = "."; + $command = "rr record --chaos $NAMED "; } else { - if ($taskset) { - $command = "taskset $taskset $NAMED "; - } else { - $command = "$NAMED "; - } + $command = "$NAMED "; } my $args_file = $testdir . "/" . $server . "/" . "named.args"; diff --git a/bin/tests/system/staticstub/ns2/named.conf.in b/bin/tests/system/staticstub/ns2/named.conf.in index 55483ab..a734071 100644 --- a/bin/tests/system/staticstub/ns2/named.conf.in +++ b/bin/tests/system/staticstub/ns2/named.conf.in @@ -37,7 +37,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh index 9d87137..ec99bb8 100755 --- a/bin/tests/system/staticstub/ns3/sign.sh +++ b/bin/tests/system/staticstub/ns3/sign.sh @@ -17,27 +17,27 @@ zone=example. infile=example.db.in zonefile=example.db -(cd ../ns4 && $SHELL -e sign.sh ) +(cd ../ns4 && $SHELL -e sign.sh) cp ../ns4/dsset-sub.example. . keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone $zonefile > /dev/null +$SIGNER -g -o $zone $zonefile >/dev/null # Configure the resolving server with a trusted key. -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf zone=undelegated infile=undelegated.db.in zonefile=undelegated.db keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -o $zone $zonefile > /dev/null +$SIGNER -g -o $zone $zonefile >/dev/null -keyfile_to_static_ds $keyname2 >> trusted.conf +keyfile_to_static_ds $keyname2 >>trusted.conf cp trusted.conf ../ns2/trusted.conf diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh index 0598016..c8f778e 100755 --- a/bin/tests/system/staticstub/ns4/sign.sh +++ b/bin/tests/system/staticstub/ns4/sign.sh @@ -20,6 +20,6 @@ zonefile=${zone}.db keyname1=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) keyname2=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK -n zone $zone) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -o $zone $zonefile > /dev/null +$SIGNER -o $zone $zonefile >/dev/null diff --git a/bin/tests/system/staticstub/setup.sh b/bin/tests/system/staticstub/setup.sh index 61c5621..38e2218 100755 --- a/bin/tests/system/staticstub/setup.sh +++ b/bin/tests/system/staticstub/setup.sh @@ -15,10 +15,10 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in tmp -sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' tmp > ns2/named.conf +sed 's/SERVER_CONFIG_PLACEHOLDER/server-names { "ns.example.net"; };/' tmp >ns2/named.conf copy_setports ns3/named.conf.in tmp -sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp > ns3/named.conf +sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp >ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf diff --git a/bin/tests/system/staticstub/tests.sh b/bin/tests/system/staticstub/tests.sh index e0f5788..9e1b3f6 100755 --- a/bin/tests/system/staticstub/tests.sh +++ b/bin/tests/system/staticstub/tests.sh @@ -16,54 +16,52 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 n=0 -for conf in conf/good*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is accepted ($n)" - ret=0 - $CHECKCONF "$conf" || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/good*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is accepted ($n)" + ret=0 + $CHECKCONF "$conf" || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done -for conf in conf/bad*.conf -do - n=$((n + 1)) - echo_i "checking that $conf is rejected ($n)" - ret=0 - $CHECKCONF "$conf" >/dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +for conf in conf/bad*.conf; do + n=$((n + 1)) + echo_i "checking that $conf is rejected ($n)" + ret=0 + $CHECKCONF "$conf" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done n=$((n + 1)) echo_i "trying an axfr that should be denied (NOTAUTH) ($n)" ret=0 -$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr > dig.out.ns2.test$n || ret=1 -grep "; Transfer failed." dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data.example. @10.53.0.2 axfr >dig.out.ns2.test$n || ret=1 +grep "; Transfer failed." dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" ret=0 - $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt > dig.out.ns2.test$n \ - || ret=1 -grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt >dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "non recursive query for a static-stub zone with server name should be rejected ($n)" ret=0 -$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n \ - || ret=1 -grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec data.example.org. @10.53.0.2 txt >dig.out.ns2.test$n \ + || ret=1 +grep "REFUSED" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -71,15 +69,15 @@ n=$((n + 1)) echo_i "allow-query ACL ($n)" ret=0 $DIG $DIGOPTS +tcp +norec data.example. @10.53.0.2 txt -b 10.53.0.7 \ - > dig.out.ns2.test$n || ret=1 -grep "REFUSED" dig.out.ns2.test$n > /dev/null || ret=1 + >dig.out.ns2.test$n || ret=1 +grep "REFUSED" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "look for static-stub zone data with recursion (should be found) ($n)" ret=0 -$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 +$DIG $DIGOPTS +tcp +noauth data.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 digcomp knowngood.dig.out.rec dig.out.ns2.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -88,11 +86,11 @@ n=$((n + 1)) echo_i "checking authoritative NS is ignored for delegation ($n)" ret=0 # the auth server returns a different (and incorrect) NS for .example. -$DIG $DIGOPTS +tcp example. @10.53.0.2 ns > dig.out.ns2.test1.$n || ret=1 -grep "ns4.example." dig.out.ns2.test1.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 ns >dig.out.ns2.test1.$n || ret=1 +grep "ns4.example." dig.out.ns2.test1.$n >/dev/null || ret=1 # but static-stub configuration should still be used -$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 -grep "2nd test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data2.example. @10.53.0.2 txt >dig.out.ns2.test2.$n || ret=1 +grep "2nd test data" dig.out.ns2.test2.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -100,24 +98,23 @@ n=$((n + 1)) echo_i "checking queries for a child zone of the static-stub zone ($n)" ret=0 # prime the delegation to a child zone of the static-stub zone -$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt > dig.out.ns2.test1.$n || ret=1 -grep "1st sub test data" dig.out.ns2.test1.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data1.sub.example. @10.53.0.2 txt >dig.out.ns2.test1.$n || ret=1 +grep "1st sub test data" dig.out.ns2.test1.$n >/dev/null || ret=1 # temporarily disable the the parent zone copy_setports ns3/named.conf.in tmp -sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp > ns3/named.conf +sed 's/EXAMPLE_ZONE_PLACEHOLDER//' tmp >ns3/named.conf rndc_reload ns3 10.53.0.3 # query the child zone again. this should directly go to the child and # succeed. -for i in 0 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt > dig.out.ns2.test2.$n || ret=1 - grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS +tcp data2.sub.example. @10.53.0.2 txt >dig.out.ns2.test2.$n || ret=1 + grep "2nd sub test data" dig.out.ns2.test2.$n >/dev/null && break + sleep 1 done -grep "2nd sub test data" dig.out.ns2.test2.$n > /dev/null || ret=1 +grep "2nd sub test data" dig.out.ns2.test2.$n >/dev/null || ret=1 # re-enable the parent copy_setports ns3/named.conf.in tmp -sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp > ns3/named.conf +sed 's/EXAMPLE_ZONE_PLACEHOLDER/zone "example" { type primary; file "example.db.signed"; };/' tmp >ns3/named.conf rndc_reload ns3 10.53.0.3 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -126,16 +123,16 @@ n=$((n + 1)) echo_i "checking authoritative NS addresses are ignored for delegation ($n)" ret=0 # the auth server returns a different (and incorrect) A/AAA RR for .example. -$DIG $DIGOPTS +tcp example. @10.53.0.2 a > dig.out.ns2.test1.$n || ret=1 -grep "10.53.0.4" dig.out.ns2.test1.$n > /dev/null || ret=1 -$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa > dig.out.ns2.test2.$n || ret=1 -grep "::1" dig.out.ns2.test2.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 a >dig.out.ns2.test1.$n || ret=1 +grep "10.53.0.4" dig.out.ns2.test1.$n >/dev/null || ret=1 +$DIG $DIGOPTS +tcp example. @10.53.0.2 aaaa >dig.out.ns2.test2.$n || ret=1 +grep "::1" dig.out.ns2.test2.$n >/dev/null || ret=1 # reload the server. this will flush the ADB. rndc_reload ns2 10.53.0.2 # ask another RR that would require delegation. static-stub configuration # should still be used instead of the authoritative A/AAAA cached above. -$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt > dig.out.ns2.test3.$n || ret=1 -grep "3rd test data" dig.out.ns2.test3.$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data3.example. @10.53.0.2 txt >dig.out.ns2.test3.$n || ret=1 +grep "3rd test data" dig.out.ns2.test3.$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -145,8 +142,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking NS of static-stub is ignored when referenced from other domain ($n)" ret=0 -$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "example com data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data.example.com. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "example com data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -154,8 +151,8 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking static-stub with a server-name ($n)" ret=0 -$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "example org data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data.example.org. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "example org data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -163,33 +160,32 @@ n=$((n + 1)) # Note: for a short term workaround we use ::1, assuming it's configured and # usable for our tests. We should eventually use the test ULA and available # checks introduced in change 2916. -if testsock6 ::1 -then - echo_i "checking IPv6 static-stub address ($n)" - ret=0 - $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 - grep "example info data" dig.out.ns2.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +if testsock6 ::1; then + echo_i "checking IPv6 static-stub address ($n)" + ret=0 + $DIG $DIGOPTS +tcp data.example.info. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 + grep "example info data" dig.out.ns2.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) else - echo_i "SKIPPED: checking IPv6 static-stub address ($n)" + echo_i "SKIPPED: checking IPv6 static-stub address ($n)" fi n=$((n + 1)) echo_i "look for static-stub zone data with DNSSEC validation ($n)" ret=0 -$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "4th test data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +dnssec data4.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "4th test data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "look for a child of static-stub zone data with DNSSEC validation ($n)" ret=0 -$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "ad; QUERY" dig.out.ns2.test$n > /dev/null || ret=1 -grep "3rd sub test data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +dnssec data3.sub.example. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "ad; QUERY" dig.out.ns2.test$n >/dev/null || ret=1 +grep "3rd sub test data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -198,20 +194,20 @@ n=$((n + 1)) echo_i "checking server reload with a different static-stub config ($n)" ret=0 copy_setports ns2/named.conf.in tmp -sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp > ns2/named.conf +sed 's/SERVER_CONFIG_PLACEHOLDER/server-addresses { 10.53.0.4; };/' tmp >ns2/named.conf rndc_reload ns2 10.53.0.2 -$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 -grep "2nd example org data" dig.out.ns2.test$n > /dev/null || ret=1 +$DIG $DIGOPTS +tcp data2.example.org. @10.53.0.2 txt >dig.out.ns2.test$n || ret=1 +grep "2nd example org data" dig.out.ns2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking static-stub of a undelegated tld resolves after DS query ($n)" ret=0 -$DIG $DIGOPTS undelegated. @10.53.0.2 ds > dig.out.ns2.ds.test$n -$DIG $DIGOPTS undelegated. @10.53.0.2 soa > dig.out.ns2.soa.test$n -grep "status: NXDOMAIN" dig.out.ns2.ds.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns2.soa.test$n > /dev/null || ret=1 +$DIG $DIGOPTS undelegated. @10.53.0.2 ds >dig.out.ns2.ds.test$n +$DIG $DIGOPTS undelegated. @10.53.0.2 soa >dig.out.ns2.soa.test$n +grep "status: NXDOMAIN" dig.out.ns2.ds.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns2.soa.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/statistics/ns2/named.conf.in b/bin/tests/system/statistics/ns2/named.conf.in index 48fb8b4..30c4651 100644 --- a/bin/tests/system/statistics/ns2/named.conf.in +++ b/bin/tests/system/statistics/ns2/named.conf.in @@ -40,7 +40,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/statistics/ns2/named2.conf.in b/bin/tests/system/statistics/ns2/named2.conf.in index d370931..39772f9 100644 --- a/bin/tests/system/statistics/ns2/named2.conf.in +++ b/bin/tests/system/statistics/ns2/named2.conf.in @@ -40,7 +40,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/statistics/prereq.sh b/bin/tests/system/statistics/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/statistics/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/statistics/tests.sh b/bin/tests/system/statistics/tests.sh index af57b60..f668e86 100644 --- a/bin/tests/system/statistics/tests.sh +++ b/bin/tests/system/statistics/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGCMD="$DIG +tcp -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf" status=0 @@ -26,19 +26,19 @@ stats=0 nsock0nstat=0 nsock1nstat=0 rndc_stats() { - _ns=$1 - _ip=$2 + _ns=$1 + _ip=$2 - $RNDCCMD -s $_ip stats > /dev/null 2>&1 || return 1 - [ -f "${_ns}/named.stats" ] || return 1 + $RNDCCMD -s $_ip stats >/dev/null 2>&1 || return 1 + [ -f "${_ns}/named.stats" ] || return 1 - last_stats=named.stats.$_ns-$stats-$n - mv ${_ns}/named.stats $last_stats - stats=$((stats+1)) + last_stats=named.stats.$_ns-$stats-$n + mv ${_ns}/named.stats $last_stats + stats=$((stats + 1)) } echo_i "fetching a.example from ns2's initial configuration ($n)" -$DIGCMD +noauth a.example. @10.53.0.2 any > dig.out.ns2.1 || ret=1 +$DIGCMD +noauth a.example. @10.53.0.2 any >dig.out.ns2.1 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -52,29 +52,29 @@ n=$((n + 1)) ret=0 echo_i "verifying adb records in named.stats ($n)" -grep "ADB stats" $last_stats > /dev/null || ret=1 +grep "ADB stats" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking for 1 entry in adb hash table in named.stats ($n)" -grep "1 Addresses in hash table" $last_stats > /dev/null || ret=1 +grep "1 Addresses in hash table" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "verifying cache statistics in named.stats ($n)" -grep "Cache Statistics" $last_stats > /dev/null || ret=1 +grep "Cache Statistics" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking for 2 entries in adb hash table in named.stats ($n)" -$DIGCMD a.example.info. @10.53.0.2 any > /dev/null 2>&1 +$DIGCMD a.example.info. @10.53.0.2 any >/dev/null 2>&1 rndc_stats ns2 10.53.0.2 || ret=1 -grep "2 Addresses in hash table" $last_stats > /dev/null || ret=1 +grep "2 Addresses in hash table" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -89,13 +89,13 @@ status=$((status + ret)) n=$((n + 1)) echo_i "sending queries to ns3" -$DIGCMD +tries=2 +time=1 +recurse @10.53.0.3 foo.info. any > /dev/null 2>&1 || true +$DIGCMD +tries=2 +time=1 +recurse @10.53.0.3 foo.info. any >/dev/null 2>&1 || true ret=0 echo_i "dumping updated stats for ns3 ($n)" getstats() { - rndc_stats ns3 10.53.0.3 || return 1 - grep "2 recursing clients" $last_stats > /dev/null || return 1 + rndc_stats ns3 10.53.0.3 || return 1 + grep "2 recursing clients" $last_stats >/dev/null || return 1 } retry_quiet 5 getstats || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -104,14 +104,14 @@ n=$((n + 1)) ret=0 echo_i "verifying recursing clients output in named.stats ($n)" -grep "2 recursing clients" $last_stats > /dev/null || ret=1 +grep "2 recursing clients" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "verifying active fetches output in named.stats ($n)" -grep "1 active fetches" $last_stats > /dev/null || ret=1 +grep "1 active fetches" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) @@ -128,33 +128,33 @@ n=$((n + 1)) # no status line is emitted. ret=0 echo_i "verifying queries in progress in named.stats ($n)" -grep "1 UDP queries in progress" $last_stats > /dev/null || ret=1 -grep "TCP queries in progress" $last_stats > /dev/null && ret=1 +grep "1 UDP queries in progress" $last_stats >/dev/null || ret=1 +grep "TCP queries in progress" $last_stats >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "verifying bucket size output ($n)" -grep "bucket size" $last_stats > /dev/null || ret=1 +grep "bucket size" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking priming queries are counted ($n)" -grep "priming queries" $last_stats > /dev/null || ret=1 +grep "priming queries" $last_stats >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking that zones with slash are properly shown in XML output ($n)" -if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then - ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1 - grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN">' curl.out.${n} > /dev/null || ret=1 +if $FEATURETEST --have-libxml2 && [ -x ${CURL} ]; then + ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones >curl.out.${n} 2>/dev/null || ret=1 + grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN">' curl.out.${n} >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or curl was not found" + echo_i "skipping test as libxml2 and/or curl was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -162,11 +162,11 @@ n=$((n + 1)) ret=0 echo_i "checking that zones return their type ($n)" -if $FEATURETEST --have-libxml2 && [ -x ${CURL} ] ; then - ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones > curl.out.${n} 2>/dev/null || ret=1 - grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN"><type>primary</type>' curl.out.${n} > /dev/null || ret=1 +if $FEATURETEST --have-libxml2 && [ -x ${CURL} ]; then + ${CURL} http://10.53.0.1:${EXTRAPORT1}/xml/v3/zones >curl.out.${n} 2>/dev/null || ret=1 + grep '<zone name="32/1.0.0.127-in-addr.example" rdataclass="IN"><type>primary</type>' curl.out.${n} >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or curl was not found" + echo_i "skipping test as libxml2 and/or curl was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -174,57 +174,57 @@ n=$((n + 1)) ret=0 echo_i "checking bind9.xsl vs xml ($n)" -if $FEATURETEST --have-libxml2 && "${CURL}" --http1.1 http://10.53.0.3:${EXTRAPORT1} > /dev/null 2>&1 && [ -x "${XSLTPROC}" ] ; then - $DIGCMD +notcp +recurse @10.53.0.3 soa . > dig.out.test$n.1 2>&1 - $DIGCMD +notcp +recurse @10.53.0.3 soa example > dig.out.test$n.2 2>&1 - # check multiple requests over the same socket - time1=$($PERL -e 'print time(), "\n";') - ${CURL} --http1.1 -o curl.out.${n}.xml http://10.53.0.3:${EXTRAPORT1}/xml/v3 \ - -o curl.out.${n}.xsl http://10.53.0.3:${EXTRAPORT1}/bind9.xsl 2>/dev/null || ret=1 - time2=$($PERL -e 'print time(), "\n";') - test $((time2 - time1)) -lt 5 || ret=1 - diff ${TOP_SRCDIR}/bin/named/bind9.xsl curl.out.${n}.xsl || ret=1 - ${XSLTPROC} curl.out.${n}.xsl - < curl.out.${n}.xml > xsltproc.out.${n} 2>/dev/null || ret=1 - cp curl.out.${n}.xml stats.xml.out || ret=1 +if $FEATURETEST --have-libxml2 && "${CURL}" --http1.1 http://10.53.0.3:${EXTRAPORT1} >/dev/null 2>&1 && [ -x "${XSLTPROC}" ]; then + $DIGCMD +notcp +recurse @10.53.0.3 soa . >dig.out.test$n.1 2>&1 + $DIGCMD +notcp +recurse @10.53.0.3 soa example >dig.out.test$n.2 2>&1 + # check multiple requests over the same socket + time1=$($PERL -e 'print time(), "\n";') + ${CURL} --http1.1 -o curl.out.${n}.xml http://10.53.0.3:${EXTRAPORT1}/xml/v3 \ + -o curl.out.${n}.xsl http://10.53.0.3:${EXTRAPORT1}/bind9.xsl 2>/dev/null || ret=1 + time2=$($PERL -e 'print time(), "\n";') + test $((time2 - time1)) -lt 5 || ret=1 + diff ${TOP_SRCDIR}/bin/named/bind9.xsl curl.out.${n}.xsl || ret=1 + ${XSLTPROC} curl.out.${n}.xsl - <curl.out.${n}.xml >xsltproc.out.${n} 2>/dev/null || ret=1 + cp curl.out.${n}.xml stats.xml.out || ret=1 - # - # grep for expected sections. - # - grep "<h1>ISC Bind 9 Configuration and Statistics</h1>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Server Status</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Incoming Requests by DNS Opcode</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>Incoming Queries by Query Type</h3>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Outgoing Queries per view</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>View " xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Server Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Zone Maintenance Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 - # grep "<h2>Resolver Statistics (Common)</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>Resolver Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>ADB Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>Cache Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 - # grep "<h3>Cache DB RRsets for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Traffic Size Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>UDP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>UDP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>TCP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>TCP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Socket I/O Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>Zones for View " xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Received QTYPES per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Response Codes per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 - # grep "<h2>Glue cache statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Task Manager Configuration</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Tasks</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Memory Usage Summary</h2>" xsltproc.out.${n} >/dev/null || ret=1 - grep "<h2>Memory Contexts</h2>" xsltproc.out.${n} >/dev/null || ret=1 + # + # grep for expected sections. + # + grep "<h1>ISC Bind 9 Configuration and Statistics</h1>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Server Status</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Incoming Requests by DNS Opcode</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Incoming Queries by Query Type</h3>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Outgoing Queries per view</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Server Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Zone Maintenance Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + # grep "<h2>Resolver Statistics (Common)</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Resolver Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>ADB Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Cache Statistics for View " xsltproc.out.${n} >/dev/null || ret=1 + # grep "<h3>Cache DB RRsets for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Traffic Size Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>UDP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>UDP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>TCP Requests Received</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>TCP Responses Sent</h4>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Socket I/O Statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>Zones for View " xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Received QTYPES per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Response Codes per view/zone</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 + # grep "<h2>Glue cache statistics</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h3>View _default" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h4>Zone example" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Task Manager Configuration</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Tasks</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Memory Usage Summary</h2>" xsltproc.out.${n} >/dev/null || ret=1 + grep "<h2>Memory Contexts</h2>" xsltproc.out.${n} >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or curl with HTTP/1.1 support and/or xsltproc was not found" + echo_i "skipping test as libxml2 and/or curl with HTTP/1.1 support and/or xsltproc was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -232,23 +232,23 @@ n=$((n + 1)) ret=0 echo_i "checking bind9.xml socket statistics ($n)" -if $FEATURETEST --have-libxml2 && [ -e stats.xml.out ] && [ -x "${XSLTPROC}" ] ; then - # Socket statistics (expect no errors) - grep "<counter name=\"TCP4AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP4BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP4ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP4OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP4RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1 - # grep "<counter name=\"TCP4SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1 +if $FEATURETEST --have-libxml2 && [ -e stats.xml.out ] && [ -x "${XSLTPROC}" ]; then + # Socket statistics (expect no errors) + grep "<counter name=\"TCP4AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP4RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1 + # grep "<counter name=\"TCP4SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP6AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP6BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP6ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP6OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP6RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1 - grep "<counter name=\"TCP6SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6AcceptFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6BindFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6ConnFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6OpenFail\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6RecvErr\">0</counter>" stats.xml.out >/dev/null || ret=1 + grep "<counter name=\"TCP6SendErr\">0</counter>" stats.xml.out >/dev/null || ret=1 else - echo_i "skipping test as libxml2 and/or stats.xml.out file and/or xsltproc was not found" + echo_i "skipping test as libxml2 and/or stats.xml.out file and/or xsltproc was not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -258,22 +258,22 @@ echo_i "Check that 'zone-statistics full;' is processed by 'rndc reconfig' ($n)" ret=0 # off by default rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null && ret=0 # turn on copy_setports ns2/named2.conf.in ns2/named.conf rndc_reconfig ns2 10.53.0.2 rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null || ret=1 # turn off copy_setports ns2/named.conf.in ns2/named.conf rndc_reconfig ns2 10.53.0.2 rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null && ret=0 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null && ret=0 # turn on copy_setports ns2/named2.conf.in ns2/named.conf rndc_reconfig ns2 10.53.0.2 rndc_stats ns2 10.53.0.2 || ret=1 -sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' > /dev/null || ret=1 +sed -n '/Per Zone Query Statistics/,/^++/p' $last_stats | grep -F '[example]' >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) diff --git a/bin/tests/system/statschannel/conftest.py b/bin/tests/system/statschannel/conftest.py index 363dd7a..c26935b 100644 --- a/bin/tests/system/statschannel/conftest.py +++ b/bin/tests/system/statschannel/conftest.py @@ -9,17 +9,9 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -import os import pytest -@pytest.fixture -def statsport(request): - # pylint: disable=unused-argument - env_port = os.getenv("EXTRAPORT1") - if env_port is None: - env_port = 5301 - else: - env_port = int(env_port) - - return env_port +@pytest.fixture(scope="module") +def statsport(ports): + return ports["EXTRAPORT1"] diff --git a/bin/tests/system/statschannel/generic.py b/bin/tests/system/statschannel/generic.py index bf4b038..f4b3d85 100644 --- a/bin/tests/system/statschannel/generic.py +++ b/bin/tests/system/statschannel/generic.py @@ -10,8 +10,16 @@ # information regarding copyright ownership. from datetime import datetime, timedelta +from collections import defaultdict +from time import sleep import os +import dns.message +import dns.query +import dns.rcode + +import isctest + # ISO datetime format without msec fmt = "%Y-%m-%dT%H:%M:%SZ" @@ -19,9 +27,11 @@ fmt = "%Y-%m-%dT%H:%M:%SZ" # The constants were taken from BIND 9 source code (lib/dns/zone.c) max_refresh = timedelta(seconds=2419200) # 4 weeks max_expires = timedelta(seconds=14515200) # 24 weeks -now = datetime.utcnow().replace(microsecond=0) dayzero = datetime.utcfromtimestamp(0).replace(microsecond=0) +# Wait for the secondary zone files to appear to extract their mtime +max_secondary_zone_waittime_sec = 5 + # Generic helper functions def check_expires(expires, min_time, max_time): @@ -34,21 +44,20 @@ def check_refresh(refresh, min_time, max_time): assert refresh <= max_time -def check_loaded(loaded, expected): # pylint: disable=unused-argument +def check_loaded(loaded, expected, now): # Sanity check the zone timers values - # NOTE This check has been disabled due to GL #3983 - # assert loaded == expected - # assert loaded < now - pass + assert (loaded - expected).total_seconds() < max_secondary_zone_waittime_sec + assert loaded <= now def check_zone_timers(loaded, expires, refresh, loaded_exp): + now = datetime.utcnow().replace(microsecond=0) # Sanity checks the zone timers values if expires is not None: check_expires(expires, now, now + max_expires) if refresh is not None: check_refresh(refresh, now, now + max_refresh) - check_loaded(loaded, loaded_exp) + check_loaded(loaded, loaded_exp, now) # @@ -88,12 +97,26 @@ def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): statsport = kwargs["statsport"] zonedir = kwargs["zonedir"] - zones = fetch_zones(statsip, statsport) - - for zone in zones: - (name, loaded, expires, refresh) = load_timers(zone, False) - mtime = zone_mtime(zonedir, name) - check_zone_timers(loaded, expires, refresh, mtime) + # If any one of the zone files isn't ready, then retry until timeout. + tries = max_secondary_zone_waittime_sec + while tries >= 0: + zones = fetch_zones(statsip, statsport) + again = False + for zone in zones: + (name, loaded, expires, refresh) = load_timers(zone, False) + mtime = zone_mtime(zonedir, name) + if (mtime != dayzero) or (tries == 0): + # mtime was either retrieved successfully or no tries were + # left, run the check anyway. + check_zone_timers(loaded, expires, refresh, mtime) + else: + tries = tries - 1 + again = True + break + if again: + sleep(1) + else: + break def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): @@ -106,3 +129,101 @@ def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): name = load_zone(zone) if name == "manykeys": check_manykeys(name) + + +def create_msg(qname, qtype): + msg = dns.message.make_query( + qname, qtype, want_dnssec=True, use_edns=0, payload=4096 + ) + + return msg + + +def create_expected(data): + expected = { + "dns-tcp-requests-sizes-received-ipv4": defaultdict(int), + "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int), + "dns-tcp-requests-sizes-received-ipv6": defaultdict(int), + "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int), + "dns-udp-requests-sizes-received-ipv4": defaultdict(int), + "dns-udp-requests-sizes-received-ipv6": defaultdict(int), + "dns-udp-responses-sizes-sent-ipv4": defaultdict(int), + "dns-udp-responses-sizes-sent-ipv6": defaultdict(int), + } + + for k, v in data.items(): + for kk, vv in v.items(): + expected[k][kk] += vv + + return expected + + +def update_expected(expected, key, msg): + msg_len = len(msg.to_wire()) + bucket_num = (msg_len // 16) * 16 + bucket = "{}-{}".format(bucket_num, bucket_num + 15) + + expected[key][bucket] += 1 + + +def check_traffic(data, expected): + def ordered(obj): + if isinstance(obj, dict): + return sorted((k, ordered(v)) for k, v in obj.items()) + if isinstance(obj, list): + return sorted(ordered(x) for x in obj) + return obj + + ordered_data = ordered(data) + ordered_expected = ordered(expected) + + assert len(ordered_data) == 8 + assert len(ordered_expected) == 8 + assert len(data) == len(ordered_data) + assert len(expected) == len(ordered_expected) + + assert ordered_data == ordered_expected + + +def test_traffic(fetch_traffic, **kwargs): + statsip = kwargs["statsip"] + statsport = kwargs["statsport"] + + data = fetch_traffic(statsip, statsport) + exp = create_expected(data) + + msg = create_msg("short.example.", "TXT") + update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) + ans = isctest.query.udp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("long.example.", "TXT") + update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) + ans = isctest.query.udp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("short.example.", "TXT") + update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) + ans = isctest.query.tcp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("long.example.", "TXT") + update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) + ans = isctest.query.tcp(msg, statsip) + isctest.check.noerror(ans) + update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) diff --git a/bin/tests/system/statschannel/generic_dnspython.py b/bin/tests/system/statschannel/generic_dnspython.py deleted file mode 100644 index 34a0398..0000000 --- a/bin/tests/system/statschannel/generic_dnspython.py +++ /dev/null @@ -1,128 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -from collections import defaultdict - -import dns.message -import dns.query -import dns.rcode - - -TIMEOUT = 10 - - -def create_msg(qname, qtype): - msg = dns.message.make_query( - qname, qtype, want_dnssec=True, use_edns=0, payload=4096 - ) - - return msg - - -def udp_query(ip, port, msg): - ans = dns.query.udp(msg, ip, TIMEOUT, port=port) - assert ans.rcode() == dns.rcode.NOERROR - - return ans - - -def tcp_query(ip, port, msg): - ans = dns.query.tcp(msg, ip, TIMEOUT, port=port) - assert ans.rcode() == dns.rcode.NOERROR - - return ans - - -def create_expected(data): - expected = { - "dns-tcp-requests-sizes-received-ipv4": defaultdict(int), - "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int), - "dns-tcp-requests-sizes-received-ipv6": defaultdict(int), - "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int), - "dns-udp-requests-sizes-received-ipv4": defaultdict(int), - "dns-udp-requests-sizes-received-ipv6": defaultdict(int), - "dns-udp-responses-sizes-sent-ipv4": defaultdict(int), - "dns-udp-responses-sizes-sent-ipv6": defaultdict(int), - } - - for k, v in data.items(): - for kk, vv in v.items(): - expected[k][kk] += vv - - return expected - - -def update_expected(expected, key, msg): - msg_len = len(msg.to_wire()) - bucket_num = (msg_len // 16) * 16 - bucket = "{}-{}".format(bucket_num, bucket_num + 15) - - expected[key][bucket] += 1 - - -def check_traffic(data, expected): - def ordered(obj): - if isinstance(obj, dict): - return sorted((k, ordered(v)) for k, v in obj.items()) - if isinstance(obj, list): - return sorted(ordered(x) for x in obj) - return obj - - ordered_data = ordered(data) - ordered_expected = ordered(expected) - - assert len(ordered_data) == 8 - assert len(ordered_expected) == 8 - assert len(data) == len(ordered_data) - assert len(expected) == len(ordered_expected) - - assert ordered_data == ordered_expected - - -def test_traffic(fetch_traffic, **kwargs): - statsip = kwargs["statsip"] - statsport = kwargs["statsport"] - port = kwargs["port"] - - data = fetch_traffic(statsip, statsport) - exp = create_expected(data) - - msg = create_msg("short.example.", "TXT") - update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) - ans = udp_query(statsip, port, msg) - update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) - - msg = create_msg("long.example.", "TXT") - update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) - ans = udp_query(statsip, port, msg) - update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) - - msg = create_msg("short.example.", "TXT") - update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) - ans = tcp_query(statsip, port, msg) - update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) - - msg = create_msg("long.example.", "TXT") - update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) - ans = tcp_query(statsip, port, msg) - update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - - check_traffic(data, exp) diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh index f9429ca..5a507da 100644 --- a/bin/tests/system/statschannel/ns2/sign.sh +++ b/bin/tests/system/statschannel/ns2/sign.sh @@ -22,9 +22,9 @@ zonefile=dnssec.db.signed ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") # Sign deliberately with a very short expiration date. -"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1 -keyfile_to_key_id "$ksk" > dnssec.ksk.id -keyfile_to_key_id "$zsk" > dnssec.zsk.id +"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1 +keyfile_to_key_id "$ksk" >dnssec.ksk.id +keyfile_to_key_id "$zsk" >dnssec.zsk.id zone=manykeys. infile=manykeys.db.in @@ -36,10 +36,10 @@ zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 "$zone") ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 -f KSK "$zone") zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 "$zone") # Sign deliberately with a very short expiration date. -"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1 -keyfile_to_key_id "$ksk8" > manykeys.ksk8.id -keyfile_to_key_id "$zsk8" > manykeys.zsk8.id -keyfile_to_key_id "$ksk13" > manykeys.ksk13.id -keyfile_to_key_id "$zsk13" > manykeys.zsk13.id -keyfile_to_key_id "$ksk14" > manykeys.ksk14.id -keyfile_to_key_id "$zsk14" > manykeys.zsk14.id +"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1 +keyfile_to_key_id "$ksk8" >manykeys.ksk8.id +keyfile_to_key_id "$zsk8" >manykeys.zsk8.id +keyfile_to_key_id "$ksk13" >manykeys.ksk13.id +keyfile_to_key_id "$zsk13" >manykeys.zsk13.id +keyfile_to_key_id "$ksk14" >manykeys.ksk14.id +keyfile_to_key_id "$zsk14" >manykeys.zsk14.id diff --git a/bin/tests/system/statschannel/prereq.sh b/bin/tests/system/statschannel/prereq.sh new file mode 100644 index 0000000..a0ad7a9 --- /dev/null +++ b/bin/tests/system/statschannel/prereq.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +if ! ${PERL} -MFile::Fetch -e ''; then + echo_i "perl File::Fetch module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/statschannel/setup.sh b/bin/tests/system/statschannel/setup.sh index f5ef3ee..f304fdf 100644 --- a/bin/tests/system/statschannel/setup.sh +++ b/bin/tests/system/statschannel/setup.sh @@ -15,7 +15,7 @@ . ../conf.sh for conf in ns*/named.conf.in; do - copy_setports "$conf" "$(dirname "$conf")/$(basename "$conf" .in)" + copy_setports "$conf" "$(dirname "$conf")/$(basename "$conf" .in)" done (cd ns2 && $SHELL sign.sh) diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh index f06cad4..dad9f34 100644 --- a/bin/tests/system/statschannel/tests.sh +++ b/bin/tests/system/statschannel/tests.sh @@ -17,71 +17,69 @@ set -e . ../conf.sh DIGCMD="$DIG @10.53.0.2 -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" - -if ! $FEATURETEST --have-json-c -then - unset PERL_JSON - echo_i "JSON was not configured; skipping" >&2 -elif $PERL -e 'use JSON;' 2>/dev/null -then - PERL_JSON=1 +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" + +if ! $FEATURETEST --have-json-c; then + unset PERL_JSON + echo_i "JSON was not configured; skipping" >&2 +elif $PERL -e 'use JSON;' 2>/dev/null; then + PERL_JSON=1 else - unset PERL_JSON - echo_i "JSON tests require JSON library; skipping" >&2 + unset PERL_JSON + echo_i "JSON tests require JSON library; skipping" >&2 fi -if ! $FEATURETEST --have-libxml2 -then - unset PERL_XML - echo_i "XML was not configured; skipping" >&2 -elif $PERL -e 'use XML::Simple;' 2>/dev/null -then - PERL_XML=1 +if ! $FEATURETEST --have-libxml2; then + unset PERL_XML + echo_i "XML was not configured; skipping" >&2 +elif $PERL -e 'use XML::Simple;' 2>/dev/null; then + PERL_XML=1 else - unset PERL_XML - echo_i "XML tests require XML::Simple; skipping" >&2 + unset PERL_XML + echo_i "XML tests require XML::Simple; skipping" >&2 fi if [ ! "$PERL_JSON" ] && [ ! "$PERL_XML" ]; then - echo_i "skipping all tests" - exit 0 + echo_i "skipping all tests" + exit 0 fi - getzones() { - sleep 1 - echo_i "... using $1" - case $1 in - xml) path='xml/v3/zones' ;; - json) path='json/v1/zones' ;; - *) return 1 ;; - esac - file=$($PERL fetch.pl -p ${EXTRAPORT1} $path) - cp $file $file.$1.$3 - { $PERL zones-${1}.pl $file $2 2>/dev/null | sort > zones.out.$3; result=$?; } || true - return $result + sleep 1 + echo_i "... using $1" + case $1 in + xml) path='xml/v3/zones' ;; + json) path='json/v1/zones' ;; + *) return 1 ;; + esac + file=$($PERL fetch.pl -p ${EXTRAPORT1} $path) + cp $file $file.$1.$3 + { + $PERL zones-${1}.pl $file $2 2>/dev/null | sort >zones.out.$3 + result=$? + } || true + return $result } # TODO: Move loadkeys_on to conf.sh.common loadkeys_on() { - nsidx=$1 - zone=$2 - nextpart ns${nsidx}/named.run > /dev/null - $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i - wait_for_log 20 "next key event" ns${nsidx}/named.run + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run >/dev/null + $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log 20 "next key event" ns${nsidx}/named.run } # verify that the http server dropped the connection without replying check_http_dropped() { - if [ -x "${NC}" ] ; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" > nc.out$n || ret=1 - if test -s nc.out$n; then - ret=1 - fi - else - echo_i "skipping test as nc not found" + if [ -x "${NC}" ]; then + "${NC}" 10.53.0.3 "${EXTRAPORT1}" >nc.out$n || ret=1 + if test -s nc.out$n; then + ret=1 fi + else + echo_i "skipping test as nc not found" + fi } status=0 @@ -133,12 +131,12 @@ n=$((n + 1)) echo_i "Prepare for if-modified-since test ($n)" ret=0 i=0 -if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then - URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" - ${CURL} --silent --show-error --fail --output bind9.xsl.1 $URL - ret=$? +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ]; then + URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" + ${CURL} --silent --show-error --fail --output bind9.xsl.1 $URL + ret=$? else - echo_i "skipping test: requires libxml2 and curl" + echo_i "skipping test: requires libxml2 and curl" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -147,38 +145,38 @@ n=$((n + 1)) echo_i "checking consistency between named.stats and xml/json ($n)" ret=0 rm -f ns2/named.stats -$DIGCMD +tcp example ns > dig.out.$n || ret=1 +$DIGCMD +tcp example ns >dig.out.$n || ret=1 $RNDCCMD 10.53.0.2 stats 2>&1 | sed 's/^/I:ns1 /' query_count=$(awk '/QUERY/ {print $1}' ns2/named.stats) txt_count=$(awk '/TXT/ {print $1}' ns2/named.stats) noerror_count=$(awk '/NOERROR/ {print $1}' ns2/named.stats) if [ $PERL_XML ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/server) - mv $file xml.stats - $PERL server-xml.pl > xml.fmtstats 2> /dev/null - xml_query_count=$(awk '/opcode QUERY/ { print $NF }' xml.fmtstats) - xml_query_count=${xml_query_count:-0} - [ "$query_count" -eq "$xml_query_count" ] || ret=1 - xml_txt_count=$(awk '/qtype TXT/ { print $NF }' xml.fmtstats) - xml_txt_count=${xml_txt_count:-0} - [ "$txt_count" -eq "$xml_txt_count" ] || ret=1 - xml_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' xml.fmtstats) - xml_noerror_count=${xml_noerror_count:-0} - [ "$noerror_count" -eq "$xml_noerror_count" ] || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/server) + mv $file xml.stats + $PERL server-xml.pl >xml.fmtstats 2>/dev/null + xml_query_count=$(awk '/opcode QUERY/ { print $NF }' xml.fmtstats) + xml_query_count=${xml_query_count:-0} + [ "$query_count" -eq "$xml_query_count" ] || ret=1 + xml_txt_count=$(awk '/qtype TXT/ { print $NF }' xml.fmtstats) + xml_txt_count=${xml_txt_count:-0} + [ "$txt_count" -eq "$xml_txt_count" ] || ret=1 + xml_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' xml.fmtstats) + xml_noerror_count=${xml_noerror_count:-0} + [ "$noerror_count" -eq "$xml_noerror_count" ] || ret=1 fi if [ $PERL_JSON ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/server) - mv $file json.stats - $PERL server-json.pl > json.fmtstats 2> /dev/null - json_query_count=$(awk '/opcode QUERY/ { print $NF }' json.fmtstats) - json_query_count=${json_query_count:-0} - [ "$query_count" -eq "$json_query_count" ] || ret=1 - json_txt_count=$(awk '/qtype TXT/ { print $NF }' json.fmtstats) - json_txt_count=${json_txt_count:-0} - [ "$txt_count" -eq "$json_txt_count" ] || ret=1 - json_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' json.fmtstats) - json_noerror_count=${json_noerror_count:-0} - [ "$noerror_count" -eq "$json_noerror_count" ] || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/server) + mv $file json.stats + $PERL server-json.pl >json.fmtstats 2>/dev/null + json_query_count=$(awk '/opcode QUERY/ { print $NF }' json.fmtstats) + json_query_count=${json_query_count:-0} + [ "$query_count" -eq "$json_query_count" ] || ret=1 + json_txt_count=$(awk '/qtype TXT/ { print $NF }' json.fmtstats) + json_txt_count=${json_txt_count:-0} + [ "$txt_count" -eq "$json_txt_count" ] || ret=1 + json_noerror_count=$(awk '/rcode NOERROR/ { print $NF }' json.fmtstats) + json_noerror_count=${json_noerror_count:-0} + [ "$noerror_count" -eq "$json_noerror_count" ] || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -187,19 +185,19 @@ n=$((n + 1)) ret=0 echo_i "checking malloced memory statistics xml/json ($n)" if [ $PERL_XML ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/mem) - mv $file xml.mem - $PERL mem-xml.pl $file > xml.fmtmem - grep "'Malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1 - grep "'malloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1 - grep "'maxmalloced' => '[0-9][0-9]*'" xml.fmtmem > /dev/null || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} xml/v3/mem) + mv $file xml.mem + $PERL mem-xml.pl $file >xml.fmtmem + grep "'Malloced' => '[0-9][0-9]*'" xml.fmtmem >/dev/null || ret=1 + grep "'malloced' => '[0-9][0-9]*'" xml.fmtmem >/dev/null || ret=1 + grep "'maxmalloced' => '[0-9][0-9]*'" xml.fmtmem >/dev/null || ret=1 fi if [ $PERL_JSON ]; then - file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/mem) - mv $file json.mem - grep '"malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1 - grep '"maxmalloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1 - grep '"Malloced":[0-9][0-9]*,' json.mem > /dev/null || ret=1 + file=$($PERL fetch.pl -p ${EXTRAPORT1} json/v1/mem) + mv $file json.mem + grep '"malloced":[0-9][0-9]*,' json.mem >/dev/null || ret=1 + grep '"maxmalloced":[0-9][0-9]*,' json.mem >/dev/null || ret=1 + grep '"Malloced":[0-9][0-9]*,' json.mem >/dev/null || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -207,48 +205,46 @@ n=$((n + 1)) echo_i "checking consistency between regular and compressed output ($n)" ret=0 -if [ -x "${CURL}" ] ; then - for i in 1 2 3 4 5; do - ret=0 - if $FEATURETEST --have-libxml2; - then - URL="http://10.53.0.2:${EXTRAPORT1}/xml/v3/server" - filter_str='s#<current-time>.*</current-time>##g' - else - URL="http://10.53.0.2:${EXTRAPORT1}/json/v1/server" - filter_str='s#"current-time.*",##g' - fi - "${CURL}" -D regular.headers "$URL" 2>/dev/null | \ - sed -e "$filter_str" > regular.out || ret=1 - "${CURL}" -D compressed.headers --compressed "$URL" 2>/dev/null | \ - sed -e "$filter_str" > compressed.out || ret=1 - diff regular.out compressed.out >/dev/null || ret=1 - if [ $ret != 0 ]; then - echo_i "failed on try $i, probably a timing issue, trying again" - sleep 1 - else - break - fi - done +if [ -x "${CURL}" ]; then + for i in 1 2 3 4 5; do + ret=0 + if $FEATURETEST --have-libxml2; then + URL="http://10.53.0.2:${EXTRAPORT1}/xml/v3/server" + filter_str='s#<current-time>.*</current-time>##g' + else + URL="http://10.53.0.2:${EXTRAPORT1}/json/v1/server" + filter_str='s#"current-time.*",##g' + fi + "${CURL}" -D regular.headers "$URL" 2>/dev/null \ + | sed -e "$filter_str" >regular.out || ret=1 + "${CURL}" -D compressed.headers --compressed "$URL" 2>/dev/null \ + | sed -e "$filter_str" >compressed.out || ret=1 + diff regular.out compressed.out >/dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "failed on try $i, probably a timing issue, trying again" + sleep 1 + else + break + fi + done else - echo_i "skipping test as curl not found" + echo_i "skipping test as curl not found" fi status=$((status + ret)) n=$((n + 1)) ret=0 echo_i "checking if compressed output is really compressed ($n)" -if $FEATURETEST --with-zlib; -then - REGSIZE=$(cat regular.headers | \ - grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") - COMPSIZE=$(cat compressed.headers | \ - grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") - if [ ! $((REGSIZE / COMPSIZE)) -gt 2 ]; then - ret=1 - fi +if $FEATURETEST --with-zlib; then + REGSIZE=$(cat regular.headers \ + | grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") + COMPSIZE=$(cat compressed.headers \ + | grep -i Content-Length | sed -e "s/.*: \([0-9]*\).*/\1/") + if [ ! $((REGSIZE / COMPSIZE)) -gt 2 ]; then + ret=1 + fi else - echo_i "skipped" + echo_i "skipped" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -266,21 +262,21 @@ ret=0 # The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSK and one # RRset (DNSKEY) with the KSK. So starting named with signatures that expire # almost right away, this should trigger 10 zsk and 1 ksk sign operations. -echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect -echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk_id}: 10" >> zones.expect -echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk_id}: 10" >zones.expect +echo "${refresh_prefix} ${ksk_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk_id}: 10" >>zones.expect +echo "${sign_prefix} ${ksk_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 0 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 0 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -289,28 +285,28 @@ n=$((n + 1)) # Test sign operations after dynamic update. ret=0 ( -# Update dnssec zone to trigger signature creation. -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + # Update dnssec zone to trigger signature creation. + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # This should trigger the resign of SOA, TXT and NSEC (+3 zsk). -echo "${refresh_prefix} ${zsk_id}: 10" > zones.expect -echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk_id}: 13" >> zones.expect -echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk_id}: 10" >zones.expect +echo "${refresh_prefix} ${ksk_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk_id}: 13" >>zones.expect +echo "${sign_prefix} ${ksk_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after dynamic update ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 0 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 0 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -321,23 +317,23 @@ ret=0 echo_i "fetch zone '$zone' stats data after updating DNSKEY RRset ($n)" # Add a standby DNSKEY, this triggers resigning the DNSKEY RRset. zsk=$("$KEYGEN" -K ns2 -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -$SETTIME -K ns2 -P now -A never $zsk.key > /dev/null +$SETTIME -K ns2 -P now -A never $zsk.key >/dev/null loadkeys_on 2 $zone || ret=1 # This should trigger the resign of SOA (+1 zsk) and DNSKEY (+1 ksk). -echo "${refresh_prefix} ${zsk_id}: 11" > zones.expect -echo "${refresh_prefix} ${ksk_id}: 2" >> zones.expect -echo "${sign_prefix} ${zsk_id}: 14" >> zones.expect -echo "${sign_prefix} ${ksk_id}: 2" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk_id}: 11" >zones.expect +echo "${refresh_prefix} ${ksk_id}: 2" >>zones.expect +echo "${sign_prefix} ${zsk_id}: 14" >>zones.expect +echo "${sign_prefix} ${ksk_id}: 2" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 0 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 0 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -356,29 +352,29 @@ zsk14_id=$(cat ns2/$zone.zsk14.id) # RRset (DNSKEY) with the KSKs. So starting named with signatures that expire # almost right away, this should trigger 10 zsk and 1 ksk sign operations per # key. -echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect -echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect -echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect -echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk8_id}: 10" >> zones.expect -echo "${sign_prefix} ${zsk13_id}: 10" >> zones.expect -echo "${sign_prefix} ${zsk14_id}: 10" >> zones.expect -echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect +echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect +echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect +echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect +echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after zone maintenance at startup ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 2 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 2 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -387,36 +383,36 @@ n=$((n + 1)) # Test sign operations after dynamic update (many keys). ret=0 ( -# Update dnssec zone to trigger signature creation. -echo zone $zone -echo server 10.53.0.2 "$PORT" -echo update add $zone. 300 in txt "nsupdate added me" -echo send + # Update dnssec zone to trigger signature creation. + echo zone $zone + echo server 10.53.0.2 "$PORT" + echo update add $zone. 300 in txt "nsupdate added me" + echo send ) | $NSUPDATE # This should trigger the resign of SOA, TXT and NSEC (+3 zsk). -echo "${refresh_prefix} ${zsk8_id}: 10" > zones.expect -echo "${refresh_prefix} ${zsk13_id}: 10" >> zones.expect -echo "${refresh_prefix} ${zsk14_id}: 10" >> zones.expect -echo "${refresh_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${refresh_prefix} ${ksk14_id}: 1" >> zones.expect -echo "${sign_prefix} ${zsk8_id}: 13" >> zones.expect -echo "${sign_prefix} ${zsk13_id}: 13" >> zones.expect -echo "${sign_prefix} ${zsk14_id}: 13" >> zones.expect -echo "${sign_prefix} ${ksk8_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk13_id}: 1" >> zones.expect -echo "${sign_prefix} ${ksk14_id}: 1" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect +echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect +echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect +echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect +echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after dynamic update ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 2 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 2 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -431,21 +427,21 @@ $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /' # be cleared and thus no longer visible. But NSEC and SOA are (mistakenly) # counted double, one time because of zone_resigninc and one time because of # zone_nsec3chain. So +5 zsk in total. -echo "${refresh_prefix} ${zsk8_id}: 15" > zones.expect -echo "${refresh_prefix} ${ksk8_id}: 2" >> zones.expect -echo "${sign_prefix} ${zsk8_id}: 18" >> zones.expect -echo "${sign_prefix} ${ksk8_id}: 2" >> zones.expect -cat zones.expect | sort > zones.expect.$n +echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect +echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect +echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect +cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. echo_i "fetching zone '$zone' stats data after dnssec-policy change ($n)" if [ $PERL_XML ]; then - getzones xml $zone x$n || ret=1 - cmp zones.out.x$n zones.expect.$n || ret=1 + getzones xml $zone x$n || ret=1 + cmp zones.out.x$n zones.expect.$n || ret=1 fi if [ $PERL_JSON ]; then - getzones json 2 j$n || ret=1 - cmp zones.out.j$n zones.expect.$n || ret=1 + getzones json 2 j$n || ret=1 + cmp zones.out.j$n zones.expect.$n || ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -453,8 +449,8 @@ n=$((n + 1)) echo_i "Check HTTP/1.1 client-side pipelined requests are handled (GET) ($n)" ret=0 -if [ -x "${NC}" ] ; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" << EOF > nc.out$n || ret=1 +if [ -x "${NC}" ]; then + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <<EOF >nc.out$n || ret=1 GET /xml/v3/status HTTP/1.1 Host: 10.53.0.3:${EXTRAPORT1} @@ -463,15 +459,15 @@ Host: 10.53.0.3:${EXTRAPORT1} Connection: close EOF - lines=$(grep -c "^<statistics version" nc.out$n) - test "$lines" = 2 || ret=1 - # keep-alive not needed in HTTP/1.1, second response has close - lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) - test "$lines" = 0 || ret=1 - lines=$(grep -c "^Connection: close" nc.out$n) - test "$lines" = 1 || ret=1 + lines=$(grep -c "^<statistics version" nc.out$n) + test "$lines" = 2 || ret=1 + # keep-alive not needed in HTTP/1.1, second response has close + lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) + test "$lines" = 0 || ret=1 + lines=$(grep -c "^Connection: close" nc.out$n) + test "$lines" = 1 || ret=1 else - echo_i "skipping test as nc not found" + echo_i "skipping test as nc not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -480,7 +476,7 @@ n=$((n + 1)) echo_i "Check HTTP/1.1 client-side pipelined requests are handled (POST) ($n)" ret=0 if [ -x "${NC}" ]; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" << EOF > nc.out$n || ret=1 + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <<EOF >nc.out$n || ret=1 POST /xml/v3/status HTTP/1.1 Host: 10.53.0.3:${EXTRAPORT1} Content-Type: application/json @@ -495,15 +491,15 @@ Connection: close {} EOF - lines=$(grep -c "^<statistics version" nc.out$n) - test "$lines" = 2 || ret=1 - # keep-alive not needed in HTTP/1.1, second response has close - lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) - test "$lines" = 0 || ret=1 - lines=$(grep -c "^Connection: close" nc.out$n) - test "$lines" = 1 || ret=1 + lines=$(grep -c "^<statistics version" nc.out$n) + test "$lines" = 2 || ret=1 + # keep-alive not needed in HTTP/1.1, second response has close + lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) + test "$lines" = 0 || ret=1 + lines=$(grep -c "^Connection: close" nc.out$n) + test "$lines" = 1 || ret=1 else - echo_i "skipping test as nc not found" + echo_i "skipping test as nc not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -512,23 +508,23 @@ n=$((n + 1)) echo_i "Check HTTP/1.0 keep-alive ($n)" ret=0 if [ -x "${NC}" ]; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" << EOF > nc.out$n || ret=1 + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <<EOF >nc.out$n || ret=1 GET /xml/v3/status HTTP/1.0 Connection: keep-alive GET /xml/v3/status HTTP/1.0 EOF - # should be two responses - lines=$(grep -c "^<statistics version" nc.out$n) - test "$lines" = 2 || ret=1 - # first response has keep-alive, second has close - lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) - test "$lines" = 1 || ret=1 - lines=$(grep -c "^Connection: close" nc.out$n) - test "$lines" = 1 || ret=1 + # should be two responses + lines=$(grep -c "^<statistics version" nc.out$n) + test "$lines" = 2 || ret=1 + # first response has keep-alive, second has close + lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) + test "$lines" = 1 || ret=1 + lines=$(grep -c "^Connection: close" nc.out$n) + test "$lines" = 1 || ret=1 else - echo_i "skipping test as nc not found" + echo_i "skipping test as nc not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -537,7 +533,7 @@ n=$((n + 1)) echo_i "Check inconsistent Connection: headers ($n)" ret=0 if [ -x "${NC}" ]; then - "${NC}" 10.53.0.3 "${EXTRAPORT1}" << EOF > nc.out$n || ret=1 + "${NC}" 10.53.0.3 "${EXTRAPORT1}" <<EOF >nc.out$n || ret=1 GET /xml/v3/status HTTP/1.0 Connection: keep-alive Connection: close @@ -545,46 +541,45 @@ Connection: close GET /xml/v3/status HTTP/1.0 EOF - # should be one response (second is ignored) - lines=$(grep -c "^<statistics version" nc.out$n) - test "$lines" = 1 || ret=1 - # no keep-alive, one close - lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) - test "$lines" = 0 || ret=1 - lines=$(grep -c "^Connection: close" nc.out$n) - test "$lines" = 1 || ret=1 + # should be one response (second is ignored) + lines=$(grep -c "^<statistics version" nc.out$n) + test "$lines" = 1 || ret=1 + # no keep-alive, one close + lines=$(grep -c "^Connection: Keep-Alive" nc.out$n || true) + test "$lines" = 0 || ret=1 + lines=$(grep -c "^Connection: close" nc.out$n) + test "$lines" = 1 || ret=1 else - echo_i "skipping test as nc not found" + echo_i "skipping test as nc not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) if [ -x "${CURL}" ] && ! ("${CURL}" --next 2>&1 | grep 'option --next: is unknown'); then - CURL_NEXT="${CURL}" + CURL_NEXT="${CURL}" fi echo_i "Check HTTP with more than 100 headers ($n)" ret=0 i=0 -if [ -x "${CURL_NEXT}" ] ; then - # build input stream. - : > header.in$n - while test $i -lt 101 - do - printf 'X-Bloat%d: VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==\r\n' $i >> header.in$n - i=$((i+1)) - done - printf '\r\n' >> header.in$n - - # send the requests then wait for named to close the socket. - URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" - "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" > curl.out$n && ret=1 - # we expect 1 request to be processed. - lines=$(grep -c "^<statistics version" curl.out$n) - test "$lines" = 1 || ret=1 +if [ -x "${CURL_NEXT}" ]; then + # build input stream. + : >header.in$n + while test $i -lt 101; do + printf 'X-Bloat%d: VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==\r\n' $i >>header.in$n + i=$((i + 1)) + done + printf '\r\n' >>header.in$n + + # send the requests then wait for named to close the socket. + URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" + "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" >curl.out$n && ret=1 + # we expect 1 request to be processed. + lines=$(grep -c "^<statistics version" curl.out$n) + test "$lines" = 1 || ret=1 else - echo_i "skipping test as curl with --next support not found" + echo_i "skipping test as curl with --next support not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -593,24 +588,23 @@ n=$((n + 1)) echo_i "Check HTTP/1.1 keep-alive with truncated stream ($n)" ret=0 i=0 -if [ -x "${CURL_NEXT}" ] ; then - # build input stream. - printf 'X-Bloat: ' > header.in$n - while test $i -lt 5000 - do - printf '%s' "VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==" >> header.in$n - i=$((i+1)) - done - printf '\r\n' >> header.in$n - - # send the requests then wait for named to close the socket. - URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" - "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" > curl.out$n && ret=1 - # we expect 1 request to be processed. - lines=$(grep -c "^<statistics version" curl.out$n) - test "$lines" = 1 || ret=1 +if [ -x "${CURL_NEXT}" ]; then + # build input stream. + printf 'X-Bloat: ' >header.in$n + while test $i -lt 5000; do + printf '%s' "VGhlIG1vc3QgY29tbW9uIHJlYXNvbiBmb3IgYmxvYXRpbmcgaXMgaGF2aW5nIGEgbG90IG9mIGdhcyBpbiB5b3VyIGd1dC4gCg==" >>header.in$n + i=$((i + 1)) + done + printf '\r\n' >>header.in$n + + # send the requests then wait for named to close the socket. + URL="http://10.53.0.3:${EXTRAPORT1}/xml/v3/status" + "${CURL}" --silent --include --get "$URL" --next --get --header @header.in$n "$URL" >curl.out$n && ret=1 + # we expect 1 request to be processed. + lines=$(grep -c "^<statistics version" curl.out$n) + test "$lines" = 1 || ret=1 else - echo_i "skipping test as curl with --next support not found" + echo_i "skipping test as curl with --next support not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -619,12 +613,12 @@ n=$((n + 1)) echo_i "Check that consequtive responses do not grow excessively ($n)" ret=0 i=0 -if [ -x "${CURL}" ] ; then - URL="http://10.53.0.3:${EXTRAPORT1}/json/v1" - "${CURL}" --silent --include --header "Accept-Encoding: deflate, gzip, br, zstd" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" > curl.out$n || ret=1 - grep -a Content-Length curl.out$n | awk 'BEGIN { prev=0; } { if (prev != 0 && $2 - prev > 100) { exit(1); } prev = $2; }' || ret=1 +if [ -x "${CURL}" ]; then + URL="http://10.53.0.3:${EXTRAPORT1}/json/v1" + "${CURL}" --silent --include --header "Accept-Encoding: deflate, gzip, br, zstd" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" "$URL" >curl.out$n || ret=1 + grep -a Content-Length curl.out$n | awk 'BEGIN { prev=0; } { if (prev != 0 && $2 - prev > 100) { exit(1); } prev = $2; }' || ret=1 else - echo_i "skipping test as curl not found" + echo_i "skipping test as curl not found" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -632,21 +626,20 @@ n=$((n + 1)) echo_i "Check if-modified-since works ($n)" ret=0 -if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then - URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" - # ensure over-long time stamps are ignored - ${CURL} --silent --show-error --fail --output bind9.xsl.2 $URL \ - --header 'If-Modified-Since: 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789' - if ! [ bind9.xsl.2 -nt bind9.xsl.1 ] || - ! ${CURL} --silent --show-error --fail \ - --output bind9.xsl.3 $URL \ - --time-cond bind9.xsl.1 || - [ -f bind9.xsl.3 ] - then - ret=1 - fi +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ]; then + URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" + # ensure over-long time stamps are ignored + ${CURL} --silent --show-error --fail --output bind9.xsl.2 $URL \ + --header 'If-Modified-Since: 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789' + if ! [ bind9.xsl.2 -nt bind9.xsl.1 ] \ + || ! ${CURL} --silent --show-error --fail \ + --output bind9.xsl.3 $URL \ + --time-cond bind9.xsl.1 \ + || [ -f bind9.xsl.3 ]; then + ret=1 + fi else - echo_i "skipping test: requires libxml2 and curl" + echo_i "skipping test: requires libxml2 and curl" fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py index c459925..4f7c4a7 100755 --- a/bin/tests/system/statschannel/tests_json.py +++ b/bin/tests/system/statschannel/tests_json.py @@ -15,9 +15,11 @@ from datetime import datetime import pytest -import generic import pytest_custom_markers +pytest.register_assert_rewrite("generic") +import generic + pytestmark = pytest_custom_markers.have_json_c requests = pytest.importorskip("requests") @@ -98,8 +100,5 @@ def test_zone_with_many_keys_json(statsport): ) -def test_traffic_json(named_port, statsport): - generic_dnspython = pytest.importorskip("generic_dnspython") - generic_dnspython.test_traffic( - fetch_traffic_json, statsip="10.53.0.2", statsport=statsport, port=named_port - ) +def test_traffic_json(statsport): + generic.test_traffic(fetch_traffic_json, statsip="10.53.0.2", statsport=statsport) diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py index 7f0b37e..5329615 100755 --- a/bin/tests/system/statschannel/tests_xml.py +++ b/bin/tests/system/statschannel/tests_xml.py @@ -16,9 +16,11 @@ import xml.etree.ElementTree as ET import pytest -import generic import pytest_custom_markers +pytest.register_assert_rewrite("generic") +import generic + pytestmark = pytest_custom_markers.have_libxml2 requests = pytest.importorskip("requests") @@ -128,8 +130,5 @@ def test_zone_with_many_keys_xml(statsport): ) -def test_traffic_xml(named_port, statsport): - generic_dnspython = pytest.importorskip("generic_dnspython") - generic_dnspython.test_traffic( - fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport, port=named_port - ) +def test_traffic_xml(statsport): + generic.test_traffic(fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport) diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl index 572f709..24776fb 100644 --- a/bin/tests/system/stop.pl +++ b/bin/tests/system/stop.pl @@ -189,7 +189,7 @@ sub stop_rndc { my $how = $halt ? "halt" : "stop"; # Ugly, but should work. - system("$RNDC -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$test:$server /'"); + system("$RNDC -c ../_common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$test:$server /'"); return; } diff --git a/bin/tests/system/stopall.sh b/bin/tests/system/stopall.sh index 8eaa9d9..19d3f56 100644 --- a/bin/tests/system/stopall.sh +++ b/bin/tests/system/stopall.sh @@ -17,7 +17,6 @@ . ./conf.sh -for d in $SUBDIRS -do - $SHELL stop.sh $d +for d in $SUBDIRS; do + $SHELL stop.sh $d done diff --git a/bin/tests/system/stress/prereq.sh b/bin/tests/system/stress/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/stress/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/stress/tests_stress_update.py b/bin/tests/system/stress/tests_stress_update.py index d326f14..46ac1c9 100644 --- a/bin/tests/system/stress/tests_stress_update.py +++ b/bin/tests/system/stress/tests_stress_update.py @@ -24,7 +24,7 @@ def rndc_loop(test_state, server): cmdline = [ rndc, "-c", - "../common/rndc.conf", + "../_common/rndc.conf", "-p", port, "-s", diff --git a/bin/tests/system/stub/ns2/named.conf.in b/bin/tests/system/stub/ns2/named.conf.in index 1f006e0..3aa1e66 100644 --- a/bin/tests/system/stub/ns2/named.conf.in +++ b/bin/tests/system/stub/ns2/named.conf.in @@ -27,7 +27,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "child.example" { diff --git a/bin/tests/system/stub/ns3/named.conf.in b/bin/tests/system/stub/ns3/named.conf.in index e8e432f..a8e692f 100644 --- a/bin/tests/system/stub/ns3/named.conf.in +++ b/bin/tests/system/stub/ns3/named.conf.in @@ -27,7 +27,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/stub/ns5/named.conf.in b/bin/tests/system/stub/ns5/named.conf.in index 39e38cc..ce1021b 100644 --- a/bin/tests/system/stub/ns5/named.conf.in +++ b/bin/tests/system/stub/ns5/named.conf.in @@ -24,7 +24,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/stub/tests.sh b/bin/tests/system/stub/tests.sh index 9a9ca66..c9071dd 100644 --- a/bin/tests/system/stub/tests.sh +++ b/bin/tests/system/stub/tests.sh @@ -19,69 +19,81 @@ DIGOPTS="+tcp -p ${PORT}" status=0 echo_i "check that the stub zone has been saved to disk" -for i in 1 2 3 4 5 6 7 8 9 20 -do - [ -f ns3/child.example.st ] && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 20; do + [ -f ns3/child.example.st ] && break + sleep 1 done -[ -f ns3/child.example.st ] || { status=1; echo_i "failed"; } +[ -f ns3/child.example.st ] || { + status=1 + echo_i "failed" +} -for pass in 1 2 -do +for pass in 1 2; do -echo_i "trying an axfr that should be denied (NOTAUTH) (pass=$pass)" -ret=0 -$DIG $DIGOPTS child.example. @10.53.0.3 axfr > dig.out.ns3 || ret=1 -grep "; Transfer failed." dig.out.ns3 > /dev/null || ret=1 -[ $ret = 0 ] || { status=1; echo_i "failed"; } + echo_i "trying an axfr that should be denied (NOTAUTH) (pass=$pass)" + ret=0 + $DIG $DIGOPTS child.example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 + grep "; Transfer failed." dig.out.ns3 >/dev/null || ret=1 + [ $ret = 0 ] || { + status=1 + echo_i "failed" + } -echo_i "look for stub zone data without recursion (should not be found) (pass=$pass)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS +norec data.child.example. \ - @10.53.0.3 txt > dig.out.ns3 || ret=1 - grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 - [ $ret = 0 ] && break - sleep 1 -done -digcomp knowngood.dig.out.norec dig.out.ns3 || ret=1 -[ $ret = 0 ] || { status=1; echo_i "failed"; } + echo_i "look for stub zone data without recursion (should not be found) (pass=$pass)" + for i in 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG $DIGOPTS +norec data.child.example. \ + @10.53.0.3 txt >dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 >/dev/null || ret=1 + [ $ret = 0 ] && break + sleep 1 + done + digcomp knowngood.dig.out.norec dig.out.ns3 || ret=1 + [ $ret = 0 ] || { + status=1 + echo_i "failed" + } -echo_i "look for stub zone data with recursion (should be found) (pass=$pass)" -ret=0 -$DIG $DIGOPTS +noauth +noadd data.child.example. @10.53.0.3 txt > dig.out.ns3 || ret=1 -digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1 -[ $ret = 0 ] || { status=1; echo_i "failed"; } + echo_i "look for stub zone data with recursion (should be found) (pass=$pass)" + ret=0 + $DIG $DIGOPTS +noauth +noadd data.child.example. @10.53.0.3 txt >dig.out.ns3 || ret=1 + digcomp knowngood.dig.out.rec dig.out.ns3 || ret=1 + [ $ret = 0 ] || { + status=1 + echo_i "failed" + } -[ $pass = 1 ] && { - echo_i "stopping stub server" - stop_server ns3 + [ $pass = 1 ] && { + echo_i "stopping stub server" + stop_server ns3 - echo_i "re-starting stub server" - start_server --noclean --restart --port ${PORT} ns3 -} + echo_i "re-starting stub server" + start_server --noclean --restart --port ${PORT} ns3 + } done echo_i "check that glue record is correctly transferred from primary when minimal-responses is on" ret=0 # First ensure that zone data was transfered. for i in 1 2 3 4 5 6 7; do - [ -f ns5/example.db ] && break - sleep 1 + [ -f ns5/example.db ] && break + sleep 1 done if [ -f ns5/example.db ]; then - # If NS glue wasn't transferred, this query would fail. - $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt > dig.out.ns5 || ret=1 - grep 'target\.example.*TXT.*"test"' dig.out.ns5 > /dev/null || ret=1 - # Ensure both ipv4 and ipv6 glue records were transferred. - grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db > /dev/null || ret=1 - grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db > /dev/null || ret=1 - [ $ret = 0 ] || { status=1; echo_i "failed"; } -else + # If NS glue wasn't transferred, this query would fail. + $DIG $DIGOPTS +nodnssec @10.53.0.5 target.example. txt >dig.out.ns5 || ret=1 + grep 'target\.example.*TXT.*"test"' dig.out.ns5 >/dev/null || ret=1 + # Ensure both ipv4 and ipv6 glue records were transferred. + grep -E 'ns4[[:space:]]+A[[:space:]]+10.53.0.4' ns5/example.db >/dev/null || ret=1 + grep -E 'AAAA[[:space:]]+fd92:7065:b8e:ffff::4' ns5/example.db >/dev/null || ret=1 + [ $ret = 0 ] || { status=1 - echo_i "failed: stub zone transfer failed ns4(primary) <---> ns5/example.db" + echo_i "failed" + } +else + status=1 + echo_i "failed: stub zone transfer failed ns4(primary) <---> ns5/example.db" fi echo_i "exit status: $status" diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh index 9f699a0..264e504 100644 --- a/bin/tests/system/synthfromdnssec/ns1/sign.sh +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh @@ -19,58 +19,58 @@ infile=example.db.in zonefile=example.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" -echo insecure NS ns1.insecure >> "$zonefile" -echo ns1.insecure A 10.53.0.1 >> "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" +echo insecure NS ns1.insecure >>"$zonefile" +echo ns1.insecure A 10.53.0.1 >>"$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null +$SIGNER -P -o $zone $zonefile >/dev/null zone=insecure.example infile=example.db.in zonefile=insecure.example.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null +$SIGNER -P -o $zone $zonefile >/dev/null zone=dnamed infile=dnamed.db.in zonefile=dnamed.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -o $zone $zonefile > /dev/null +$SIGNER -P -o $zone $zonefile >/dev/null zone=minimal infile=minimal.db.in zonefile=minimal.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" # do not regenerate NSEC chain as there in a minimal NSEC record present -$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null +$SIGNER -P -Z nonsecify -o $zone $zonefile >/dev/null zone=soa-without-dnskey infile=soa-without-dnskey.db.in zonefile=soa-without-dnskey.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" # do not regenerate NSEC chain as there in a minimal NSEC record present -$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null +$SIGNER -P -Z nonsecify -o $zone $zonefile >/dev/null zone=. infile=root.db.in zonefile=root.db keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone) -cat "$infile" "$keyname.key" > "$zonefile" +cat "$infile" "$keyname.key" >"$zonefile" -$SIGNER -P -g -o $zone $zonefile > /dev/null +$SIGNER -P -g -o $zone $zonefile >/dev/null # Configure the resolving server with a static key. -keyfile_to_static_ds "$keyname" > trusted.conf +keyfile_to_static_ds "$keyname" >trusted.conf diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh index d109871..5d0ddee 100644 --- a/bin/tests/system/synthfromdnssec/setup.sh +++ b/bin/tests/system/synthfromdnssec/setup.sh @@ -24,6 +24,6 @@ copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf ( - cd ns1 - $SHELL sign.sh + cd ns1 + $SHELL sign.sh ) diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh index 1bfd00b..e4b77e4 100644 --- a/bin/tests/system/synthfromdnssec/tests.sh +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -16,7 +16,7 @@ # shellcheck source=conf.sh . ../conf.sh -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" set -e @@ -27,878 +27,867 @@ synth_default=yes rm -f dig.out.* dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" } check_ad_flag() { - if [ ${1} = yes ] - then - grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1 - else - grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1 - fi - return 0 + if [ ${1} = yes ]; then + grep "flags:[^;]* ad[^;]*; QUERY" ${2} >/dev/null || return 1 + else + grep "flags:[^;]* ad[^;]*; QUERY" ${2} >/dev/null && return 1 + fi + return 0 } check_status() { - grep "status: ${1}," ${2} > /dev/null || return 1 - return 0 + grep "status: ${1}," ${2} >/dev/null || return 1 + return 0 } check_synth_soa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.SOA" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.SOA" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_soa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.SOA" ${2} >/dev/null || return 1 + return 0 ) check_synth_a() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.A.[0-2]" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_a() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.A.[0-2]" ${2} >/dev/null || return 1 + return 0 ) check_synth_aaaa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.AAAA" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.A" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_aaaa() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.AAAA" ${2} >/dev/null || return 1 + return 0 ) check_synth_cname() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1 - grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.CNAME" ${2} >/dev/null || return 1 + grep "^${name}.*3600.IN.CNAME" ${2} >/dev/null && return 1 + return 0 ) check_nosynth_cname() ( - name=$(echo "$1" | sed 's/\./\\./g') - grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1 - return 0 + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.CNAME" ${2} >/dev/null || return 1 + return 0 ) check_auth_count() { - grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1 - return 0 + grep "AUTHORITY: ${1}," ${2} >/dev/null || return 1 + return 0 } -for ns in 2 4 5 6 -do - case $ns in - 2) ad=yes; description="<default>";; - 4) ad=yes; description="no";; - 5) ad=yes; description="yes";; - 6) ad=no; description="yes; dnssec-validation no";; - *) exit 1;; - esac - echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 - check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 - check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 - [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1 - [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 - grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +for ns in 2 4 5 6; do + case $ns in + 2) + ad=yes + description="<default>" + ;; + 4) + ad=yes + description="no" + ;; + 5) + ad=yes + description="yes" + ;; + 6) + ad=no + description="yes; dnssec-validation no" + ;; + *) exit 1 ;; + esac + echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wild.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildcname.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildnodata1nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >wildnodata2nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT >dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n >wildnodata2nsecafterdata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >insecure.wild.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n >insecure.wildcname.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT >dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n >insecure.wildnodata2nsecafterdata.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nxdomain.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n >/dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts black.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n >/dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) done echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" ret=0 -dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +nodnssec a.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 check_ad_flag no dig.out.ns3.test$n || ret=1 check_status NOERROR dig.out.ns3.test$n || ret=1 -grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) # # ensure TTL of synthesised answers differs from direct answers. # sleep 1 -for ns in 2 4 5 6 -do - case $ns in - 2) ad=yes synth=${synth_default} description="<default>";; - 4) ad=yes synth=no description="no";; - 5) ad=yes synth=yes description="yes";; - 6) ad=no synth=no description="yes; dnssec-validation no";; - *) exit 1;; +for ns in 2 4 5 6; do + case $ns in + 2) ad=yes synth=${synth_default} description="<default>" ;; + 4) ad=yes synth=no description="no" ;; + 5) ad=yes synth=yes description="yes" ;; + 6) ad=no synth=no description="yes; dnssec-validation no" ;; + *) exit 1 ;; + esac + echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A >/dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A >/dev/null || ret=1 + fi + digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts nodata.example. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA >/dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA >/dev/null || ret=1 + fi + digcomp nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-a.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A >/dev/null && ret=1 + else + check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A >/dev/null || ret=1 + fi + digcomp wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-cname.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.example/A >/dev/null && ret=1 + else + check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.example/A >/dev/null || ret=1 + fi + grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1 + digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA >/dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA >/dev/null || ret=1 + fi + digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA >/dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA >/dev/null || ret=1 + fi + digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA >dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1 + # + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ]; then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA >/dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA >/dev/null || ret=1 + fi + digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.insecure.example/A >/dev/null || ret=1 + digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.insecure.example/AAAA >/dev/null || ret=1 + digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1 + nextpart ns1/named.run | grep b.wild-a.insecure.example/A >/dev/null || ret=1 + digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.insecure.example/A >/dev/null || ret=1 + grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n >/dev/null || ret=1 + digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA >dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1 + # + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nxdomaic.minimal/A >/dev/null || ret=1 + digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run >/dev/null + dig_with_opts black.minimal. @10.53.0.${ns} aaaa >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep black.minimal/AAAA >/dev/null || ret=1 + digcomp black.out dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} A >dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n >/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)" + ret=0 + ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i + # 2 views, _bind should always be '0 covering nsec returned' + count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l) + if [ ${synth} = yes ]; then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)" + ret=0 + # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes' + count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + if [ ${ad} = yes ]; then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + for synthesized in NXDOMAIN no-data wildcard; do + case $synthesized in + NXDOMAIN) count=1 ;; + no-data) count=4 ;; + wildcard) count=2 ;; esac - echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1 - else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1 - fi - digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1 - else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1 - fi - digcomp nodata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1 + if [ ${synth} = yes ]; then + grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats >/dev/null || ret=1 else - check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1 + grep "synthesized a ${synthesized} response" ns${ns}/named.stats >/dev/null && ret=1 fi - digcomp wild.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) + done - echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ]; then + echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1 - else - check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1 - fi - grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 - digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) + xml=xml.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server >$xml 2>/dev/null || ret=1 + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1 + counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) + count=$(echo "$counter" | grep CoveringNSEC | wc -l) + test $count = 1 || ret=1 + zero=$(echo "$counter" | grep ">0<" | wc -l) + if [ ${synth} = yes ]; then + test $zero = 0 || ret=1 else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1 + test $zero = 1 || ret=1 fi - digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1 + counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) + count=$(echo "$counter" | grep CacheNSECNodes | wc -l) + test $count = 1 || ret=1 + zero=$(echo "$counter" | grep ">0<" | wc -l) + if [ ${ad} = yes ]; then + test $zero = 0 || ret=1 else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1 + test $zero = 1 || ret=1 fi - digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record - dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 - check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1 - # - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - if [ ${synth} = yes ] - then - check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1 - else - check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1 - fi - digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1 - digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1 - digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 - nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1 - digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1 - grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 - digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 - check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1 - # - dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag no dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 - digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1 - digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - nextpart ns1/named.run > /dev/null - dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1 - digcomp black.out dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 - grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" - ret=0 - dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1 - check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 - check_status NOERROR dig.out.ns${ns}.test$n || ret=1 - check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 - grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)" - ret=0 - ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i - # 2 views, _bind should always be '0 covering nsec returned' - count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l) + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD; do + case $synthesized in + SynthNXDOMAIN) count=1 ;; + SynthNODATA) count=4 ;; + SynthWILDCARD) count=2 ;; + esac + + echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ]; then + grep '<counter name="'$synthesized'">'$count'</counter>' $xml >/dev/null || ret=1 + else + grep '<counter name="'$synthesized'">'0'</counter>' $xml >/dev/null || ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done + else + echo_i "Skipping XML statistics checks" + fi + + if $FEATURETEST --have-json-c && [ -x "${CURL}" ]; then + echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)" + ret=0 + json=json.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server >$json 2>/dev/null || ret=1 + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" + ret=0 + count=$(grep '"CoveringNSEC":' $json | wc -l) test $count = 2 || ret=1 - zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l) - if [ ${synth} = yes ] - then - test $zero = 1 || ret=1 + zero=$(grep '"CoveringNSEC":0' $json | wc -l) + if [ ${synth} = yes ]; then + test $zero = 1 || ret=1 else - test $zero = 2 || ret=1 + test $zero = 2 || ret=1 fi - n=$((n+1)) + n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) + status=$((status + ret)) - echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)" + echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" ret=0 - # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes' - count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + count=$(grep '"CacheNSECNodes":' $json | wc -l) test $count = 2 || ret=1 - zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) - if [ ${ad} = yes ] - then - test $zero = 1 || ret=1 + zero=$(grep '"CacheNSECNodes":0' $json | wc -l) + if [ ${ad} = yes ]; then + test $zero = 1 || ret=1 else - test $zero = 2 || ret=1 + test $zero = 2 || ret=1 fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - for synthesized in NXDOMAIN no-data wildcard - do - case $synthesized in - NXDOMAIN) count=1;; - no-data) count=4;; - wildcard) count=2;; - esac - echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" - ret=0 - if [ ${synth} = yes ] - then - grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1 - else - grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - done - - if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then - echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)" - ret=0 - xml=xml.out$n - ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" - ret=0 - counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) - count=$(echo "$counter" | grep CoveringNSEC | wc -l) - test $count = 1 || ret=1 - zero=$(echo "$counter" | grep ">0<" | wc -l) - if [ ${synth} = yes ] - then - test $zero = 0 || ret=1 - else - test $zero = 1 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" - ret=0 - counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) - count=$(echo "$counter" | grep CacheNSECNodes | wc -l) - test $count = 1 || ret=1 - zero=$(echo "$counter" | grep ">0<" | wc -l) - if [ ${ad} = yes ] - then - test $zero = 0 || ret=1 - else - test $zero = 1 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD - do - case $synthesized in - SynthNXDOMAIN) count=1;; - SynthNODATA) count=4;; - SynthWILDCARD) count=2;; - esac - - echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" - ret=0 - if [ ${synth} = yes ] - then - grep '<counter name="'$synthesized'">'$count'</counter>' $xml > /dev/null || ret=1 - else - grep '<counter name="'$synthesized'">'0'</counter>' $xml > /dev/null || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - done - else - echo_i "Skipping XML statistics checks" - fi - - if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then - echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)" - ret=0 - json=json.out$n - ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1 - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" - ret=0 - count=$(grep '"CoveringNSEC":' $json | wc -l) - test $count = 2 || ret=1 - zero=$(grep '"CoveringNSEC":0' $json | wc -l) - if [ ${synth} = yes ] - then - test $zero = 1 || ret=1 - else - test $zero = 2 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" - ret=0 - count=$(grep '"CacheNSECNodes":' $json | wc -l) - test $count = 2 || ret=1 - zero=$(grep '"CacheNSECNodes":0' $json | wc -l) - if [ ${ad} = yes ] - then - test $zero = 1 || ret=1 - else - test $zero = 2 || ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - - for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD - do - case $synthesized in - SynthNXDOMAIN) count=1;; - SynthNODATA) count=4;; - SynthWILDCARD) count=2;; - esac - - echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" - ret=0 - if [ ${synth} = yes ] - then - grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1 - else - grep '"'$synthesized'":' $json > /dev/null && ret=1 - fi - n=$((n+1)) - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - done - else - echo_i "Skipping JSON statistics checks" - fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD; do + case $synthesized in + SynthNXDOMAIN) count=1 ;; + SynthNODATA) count=4 ;; + SynthWILDCARD) count=2 ;; + esac + + echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ]; then + grep '"'$synthesized'":'$count'' $json >/dev/null || ret=1 + else + grep '"'$synthesized'":' $json >/dev/null && ret=1 + fi + n=$((n + 1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + done + else + echo_i "Skipping JSON statistics checks" + fi done echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)" ret=0 synth=${synth_default} -dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts b.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 check_ad_flag yes dig.out.ns3.test$n || ret=1 check_status NXDOMAIN dig.out.ns3.test$n || ret=1 -if [ ${synth} = yes ] -then - check_synth_soa . dig.out.ns3.test$n || ret=1 +if [ ${synth} = yes ]; then + check_synth_soa . dig.out.ns3.test$n || ret=1 else - check_nosynth_soa . dig.out.ns3.test$n || ret=1 + check_nosynth_soa . dig.out.ns3.test$n || ret=1 fi -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" ret=0 -dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +dig_with_opts +nodnssec b.redirect. @10.53.0.3 a >dig.out.ns3.test$n || ret=1 check_ad_flag no dig.out.ns3.test$n || ret=1 check_status NOERROR dig.out.ns3.test$n || ret=1 -grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 -n=$((n+1)) +grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n >/dev/null || ret=1 +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)" ret=0 -dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1 -dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts dnamed.example. ns @10.53.0.5 >dig.out.ns5.test$n || ret=1 +dig_with_opts a.dnamed.example. a @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 check_status NOERROR dig.out.ns5-1.test$n || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "regression test for CVE-2022-0635 ($n)" ret=0 # add DNAME to cache -dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts dname.dnamed. dname @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1 # add A record to cache at name before DNAME owner -dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +dig_with_opts a.dnamed. a @10.53.0.5 >dig.out.ns5-2.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 # add NSEC record to cache at name before DNAME owner -dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1 +dig_with_opts a.dnamed. aaaa @10.53.0.5 >dig.out.ns5-3.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1 # wait for NSEC to timeout sleep 6 # use DNAME for lookup -dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1 +dig_with_opts b.dname.dnamed a @10.53.0.5 >dig.out.ns5-4.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)" ret=0 #prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' -dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts internal @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 #perform lookup in grafted zone -dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +dig_with_opts example.internal @10.53.0.5 >dig.out.ns5-2.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)" ret=0 #prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' -dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +dig_with_opts internal @10.53.0.5 >dig.out.ns5-1.test$n || ret=1 grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 #perform lookup in grafted zone -dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +dig_with_opts example.internal2 @10.53.0.5 >dig.out.ns5-2.test$n || ret=1 grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tcp/ns2/named.conf.in b/bin/tests/system/tcp/ns2/named.conf.in index 0a97093..65c1f40 100644 --- a/bin/tests/system/tcp/ns2/named.conf.in +++ b/bin/tests/system/tcp/ns2/named.conf.in @@ -37,7 +37,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/tcp/ns3/named.conf.in b/bin/tests/system/tcp/ns3/named.conf.in index 8516d72..82ba791 100644 --- a/bin/tests/system/tcp/ns3/named.conf.in +++ b/bin/tests/system/tcp/ns3/named.conf.in @@ -38,5 +38,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/tcp/ns4/named.conf.in b/bin/tests/system/tcp/ns4/named.conf.in index a7758cc..5982230 100644 --- a/bin/tests/system/tcp/ns4/named.conf.in +++ b/bin/tests/system/tcp/ns4/named.conf.in @@ -40,5 +40,5 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/tcp/ns5/named.conf.in b/bin/tests/system/tcp/ns5/named.conf.in index bd754f7..05e56f7 100644 --- a/bin/tests/system/tcp/ns5/named.conf.in +++ b/bin/tests/system/tcp/ns5/named.conf.in @@ -41,5 +41,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/tcp/tests.sh b/bin/tests/system/tcp/tests.sh index 12ca679..2e7d30e 100644 --- a/bin/tests/system/tcp/tests.sh +++ b/bin/tests/system/tcp/tests.sh @@ -17,11 +17,11 @@ set -e . ../conf.sh dig_with_opts() { - "${DIG}" -p "${PORT}" "$@" + "${DIG}" -p "${PORT}" "$@" } rndccmd() { - "${RNDC}" -p "${CONTROLPORT}" -c ../common/rndc.conf -s "$@" + "${RNDC}" -p "${CONTROLPORT}" -c ../_common/rndc.conf -s "$@" } status=0 @@ -42,7 +42,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking TCP request statistics (resolver) ($n)" ret=0 -dig_with_opts @10.53.0.3 txt.example. > dig.out.test$n +dig_with_opts @10.53.0.3 txt.example. >dig.out.test$n sleep 1 rndccmd 10.53.0.1 stats || ret=1 rndccmd 10.53.0.2 stats || ret=1 @@ -58,7 +58,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking TCP request statistics (forwarder) ($n)" ret=0 -dig_with_opts @10.53.0.4 txt.example. > dig.out.test$n +dig_with_opts @10.53.0.4 txt.example. >dig.out.test$n sleep 1 rndccmd 10.53.0.1 stats || ret=1 rndccmd 10.53.0.2 stats || ret=1 @@ -67,36 +67,36 @@ mv ns2/named.stats ns2/named.stats.test$n ntcp12="$(grep "TCP requests received" ns1/named.stats.test$n | tail -1 | awk '{print $1}')" ntcp22="$(grep "TCP requests received" ns2/named.stats.test$n | tail -1 | awk '{print $1}')" if [ "$ntcp11" -ne "$ntcp12" ]; then ret=1; fi -if [ "$ntcp21" -ge "$ntcp22" ];then ret=1; fi +if [ "$ntcp21" -ge "$ntcp22" ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) # -------- TCP high-water tests ---------- refresh_tcp_stats() { - rndccmd 10.53.0.5 status > rndc.out.$n || ret=1 - TCP_CUR="$(sed -n "s/^tcp clients: \([0-9][0-9]*\).*/\1/p" rndc.out.$n)" - TCP_LIMIT="$(sed -n "s/^tcp clients: .*\/\([0-9][0-9]*\)/\1/p" rndc.out.$n)" - TCP_HIGH="$(sed -n "s/^TCP high-water: \([0-9][0-9]*\)/\1/p" rndc.out.$n)" + rndccmd 10.53.0.5 status >rndc.out.$n || ret=1 + TCP_CUR="$(sed -n "s/^tcp clients: \([0-9][0-9]*\).*/\1/p" rndc.out.$n)" + TCP_LIMIT="$(sed -n "s/^tcp clients: .*\/\([0-9][0-9]*\)/\1/p" rndc.out.$n)" + TCP_HIGH="$(sed -n "s/^TCP high-water: \([0-9][0-9]*\)/\1/p" rndc.out.$n)" } # Send a command to the tool script listening on 10.53.0.6. send_command() { - nextpart ans6/ans.run > /dev/null - echo "$*" | send 10.53.0.6 "${CONTROLPORT}" - wait_for_log_peek 10 "result=" ans6/ans.run || ret=1 - if ! nextpartpeek ans6/ans.run | grep -qF "result=OK"; then - return 1 - fi + nextpart ans6/ans.run >/dev/null + echo "$*" | send 10.53.0.6 "${CONTROLPORT}" + wait_for_log_peek 10 "result=" ans6/ans.run || ret=1 + if ! nextpartpeek ans6/ans.run | grep -qF "result=OK"; then + return 1 + fi } # Instructs ans6 to open $1 TCP connections to 10.53.0.5. open_connections() { - send_command "open" "${1}" 10.53.0.5 "${PORT}" || return 1 + send_command "open" "${1}" 10.53.0.5 "${PORT}" || return 1 } # Instructs ans6 to close $1 TCP connections to 10.53.0.5. close_connections() { - send_command "close" "${1}" || return 1 + send_command "close" "${1}" || return 1 } # Check TCP connections are working normally before opening @@ -104,8 +104,8 @@ close_connections() { n=$((n + 1)) echo_i "checking TCP query repsonse ($n)" ret=0 -dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +dig_with_opts +tcp @10.53.0.5 txt.example >dig.out.test$n +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -132,9 +132,9 @@ OLD_TCP_CUR="${TCP_CUR}" TCP_ADDED=9 open_connections "${TCP_ADDED}" || ret=1 check_stats_added() { - refresh_tcp_stats - assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR + TCP_ADDED)) "current TCP clients count" || return 1 - assert_int_equal "${TCP_HIGH}" $((OLD_TCP_CUR + TCP_ADDED)) "TCP high-water value" || return 1 + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR + TCP_ADDED)) "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" $((OLD_TCP_CUR + TCP_ADDED)) "TCP high-water value" || return 1 } retry 2 check_stats_added || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -150,9 +150,9 @@ OLD_TCP_HIGH="${TCP_HIGH}" TCP_REMOVED=5 close_connections "${TCP_REMOVED}" || ret=1 check_stats_removed() { - refresh_tcp_stats - assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR - TCP_REMOVED)) "current TCP clients count" || return 1 - assert_int_equal "${TCP_HIGH}" "${OLD_TCP_HIGH}" "TCP high-water value" || return 1 + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" $((OLD_TCP_CUR - TCP_REMOVED)) "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" "${OLD_TCP_HIGH}" "TCP high-water value" || return 1 } retry 2 check_stats_removed || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -165,9 +165,9 @@ echo_i "TCP high-water: ensure tcp-clients is an upper bound ($n)" ret=0 open_connections $((TCP_LIMIT + 1)) || ret=1 check_stats_limit() { - refresh_tcp_stats - assert_int_equal "${TCP_CUR}" "${TCP_LIMIT}" "current TCP clients count" || return 1 - assert_int_equal "${TCP_HIGH}" "${TCP_LIMIT}" "TCP high-water value" || return 1 + refresh_tcp_stats + assert_int_equal "${TCP_CUR}" "${TCP_LIMIT}" "current TCP clients count" || return 1 + assert_int_equal "${TCP_HIGH}" "${TCP_LIMIT}" "TCP high-water value" || return 1 } retry 2 check_stats_limit || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi @@ -180,8 +180,8 @@ echo_i "checking TCP response recovery ($n)" ret=0 # "0" closes all connections close_connections 0 || ret=1 -dig_with_opts +tcp @10.53.0.5 txt.example > dig.out.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 +dig_with_opts +tcp @10.53.0.5 txt.example >dig.out.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -194,8 +194,8 @@ echo_i "checking that BIND 9 doesn't crash on long TCP messages ($n)" ret=0 # Avoid logging useless information. rndccmd 10.53.0.1 trace 1 || ret=1 -{ $PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt || ret=1 ; } | cat_i -dig_with_opts +tcp @10.53.0.1 txt.example > dig.out.test$n || ret=1 +{ $PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t tcp -r 300000 1996-alloc_dnsbuf-crash-test.pkt || ret=1; } | cat_i +dig_with_opts +tcp @10.53.0.1 txt.example >dig.out.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index ceaaf37..aaf793b 100755 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh @@ -18,78 +18,77 @@ dir="" msg="cryptography" if test -z "$KEYGEN"; then - . ../conf.sh - alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" + . ../conf.sh + alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" else - alg="" - quiet=1 - args="-q" + alg="" + quiet=1 + args="-q" fi while test "$#" -gt 0; do - case $1 in + case $1 in -q) - if test $quiet -eq 0; then - args="$args -q" - quiet=1 - fi - ;; - rsa|RSA|rsasha1|RSASHA1) - alg="-a RSASHA1" - msg="RSA cryptography" - ;; - rsasha256|RSASHA256) - alg="-a RSASHA256" - msg="RSA cryptography" - ;; - rsasha512|RSASHA512) - alg="-a RSASHA512" - msg="RSA cryptography" - ;; - ecdsa|ECDSA|ecdsap256sha256|ECDSAP256SHA256) - alg="-a ECDSAP256SHA256" - msg="ECDSA cryptography" - ;; - ecdsap384sha384|ECDSAP384SHA384) - alg="-a ECDSAP384SHA384" - msg="ECDSA cryptography" - ;; - eddsa|EDDSA|ed25519|ED25519) - alg="-a ED25519" - msg="EDDSA cryptography" - ;; - ed448|ED448) - alg="-a ED448" - msg="EDDSA cryptography" - ;; + if test $quiet -eq 0; then + args="$args -q" + quiet=1 + fi + ;; + rsa | RSA | rsasha1 | RSASHA1) + alg="-a RSASHA1" + msg="RSA cryptography" + ;; + rsasha256 | RSASHA256) + alg="-a RSASHA256" + msg="RSA cryptography" + ;; + rsasha512 | RSASHA512) + alg="-a RSASHA512" + msg="RSA cryptography" + ;; + ecdsa | ECDSA | ecdsap256sha256 | ECDSAP256SHA256) + alg="-a ECDSAP256SHA256" + msg="ECDSA cryptography" + ;; + ecdsap384sha384 | ECDSAP384SHA384) + alg="-a ECDSAP384SHA384" + msg="ECDSA cryptography" + ;; + eddsa | EDDSA | ed25519 | ED25519) + alg="-a ED25519" + msg="EDDSA cryptography" + ;; + ed448 | ED448) + alg="-a ED448" + msg="EDDSA cryptography" + ;; *) - echo "${prog}: unknown argument" - exit 1 - ;; - esac - shift + echo "${prog}: unknown argument" + exit 1 + ;; + esac + shift done if test -z "$alg"; then - echo "${prog}: no algorithm selected" - exit 1 + echo "${prog}: no algorithm selected" + exit 1 fi if test -n "$TMPDIR"; then - dir=$(mktemp -d "$TMPDIR/XXXXXX") - args="$args -K $dir" + dir=$(mktemp -d "$TMPDIR/XXXXXX") + args="$args -K $dir" fi -if $KEYGEN $args $alg foo > /dev/null 2>&1 -then - if test -z "$dir"; then - rm -f Kfoo* - else - rm -rf "$dir" - fi +if $KEYGEN $args $alg foo >/dev/null 2>&1; then + if test -z "$dir"; then + rm -f Kfoo* + else + rm -rf "$dir" + fi else - if test $quiet -eq 0; then - echo_i "This test requires support for $msg" >&2 - fi - exit 255 + if test $quiet -eq 0; then + echo_i "This test requires support for $msg" >&2 + fi + exit 255 fi diff --git a/bin/tests/system/testsummary.sh b/bin/tests/system/testsummary.sh index 52c79b9..6d7f02c 100644 --- a/bin/tests/system/testsummary.sh +++ b/bin/tests/system/testsummary.sh @@ -31,25 +31,25 @@ keepfile=0 while getopts "n" flag; do - case $flag in - n) keepfile=1 ;; - *) exit 1 ;; - esac + case $flag in + n) keepfile=1 ;; + *) exit 1 ;; + esac done if [ "$(find . -name 'test.output.*' 2>/dev/null | wc -l)" -eq 0 ]; then - echowarn "I:No 'test.output.*' files were found." - echowarn "I:Printing summary from pre-existing 'systests.output'." + echowarn "I:No 'test.output.*' files were found." + echowarn "I:Printing summary from pre-existing 'systests.output'." else - cat test.output.* > systests.output - if [ $keepfile -eq 0 ]; then - rm -f test.output.* - fi + cat test.output.* >systests.output + if [ $keepfile -eq 0 ]; then + rm -f test.output.* + fi fi if [ ! -f systests.output ]; then - echowarn "I:No 'systests.output' file found." - exit 1 + echowarn "I:No 'systests.output' file found." + exit 1 fi status=0 @@ -58,34 +58,34 @@ echoinfo "$(grep 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output | cut -d' FAILED_TESTS=$(grep 'R:[a-z0-9_-][a-z0-9_-]*:FAIL' systests.output | cut -d':' -f2 | sort | sed -e 's/^/I: /') if [ -n "${FAILED_TESTS}" ]; then - echoinfo "I:The following system tests failed:" - echoinfo "${FAILED_TESTS}" - status=1 + echoinfo "I:The following system tests failed:" + echoinfo "${FAILED_TESTS}" + status=1 fi CRASHED_TESTS=$(find . \( -name 'core' -or -name 'core.*' -or -name '*.core' \) ! -name '*.txt' | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') if [ -n "${CRASHED_TESTS}" ]; then - echoinfo "I:Core dumps were found for the following system tests:" - echoinfo "${CRASHED_TESTS}" + echoinfo "I:Core dumps were found for the following system tests:" + echoinfo "${CRASHED_TESTS}" fi ASSERTION_FAILED_TESTS=$(find . -name named.run -print0 | xargs -0 grep "assertion failure" | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') if [ -n "${ASSERTION_FAILED_TESTS}" ]; then - echoinfo "I:Assertion failures were detected for the following system tests:" - echoinfo "${ASSERTION_FAILED_TESTS}" + echoinfo "I:Assertion failures were detected for the following system tests:" + echoinfo "${ASSERTION_FAILED_TESTS}" fi TSAN_REPORT_TESTS=$(find . -name 'tsan.*' | cut -d'/' -f2 | sort -u | sed -e 's/^/I: /') if [ -n "${TSAN_REPORT_TESTS}" ]; then - echoinfo "I:ThreadSanitizer reported issues for the following system tests:" - echoinfo "${TSAN_REPORT_TESTS}" + echoinfo "I:ThreadSanitizer reported issues for the following system tests:" + echoinfo "${TSAN_REPORT_TESTS}" fi RESULTS_FOUND=$(grep -c 'R:[a-z0-9_-][a-z0-9_-]*:[A-Z][A-Z]*' systests.output) TESTS_RUN=$(echo "${SUBDIRS}" | wc -w) if [ "${RESULTS_FOUND}" -ne "${TESTS_RUN}" ]; then - echofail "I:Found ${RESULTS_FOUND} test results, but ${TESTS_RUN} tests were run" - status=1 + echofail "I:Found ${RESULTS_FOUND} test results, but ${TESTS_RUN} tests were run" + status=1 fi exit $status diff --git a/bin/tests/system/timeouts/ns1/named.conf.in b/bin/tests/system/timeouts/ns1/named.conf.in index 1c46549..b7d468b 100644 --- a/bin/tests/system/timeouts/ns1/named.conf.in +++ b/bin/tests/system/timeouts/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/timeouts/prereq.sh b/bin/tests/system/timeouts/prereq.sh index 0fac912..a37df94 100644 --- a/bin/tests/system/timeouts/prereq.sh +++ b/bin/tests/system/timeouts/prereq.sh @@ -13,18 +13,16 @@ . ../conf.sh -if test -n "$PYTHON" -then - if $PYTHON -c "from dns.query import send_tcp" 2> /dev/null - then - : - else - echo_i "This test requires the dnspython >= 2.0.0 module." >&2 - exit 1 - fi -else - echo_i "This test requires Python and the dnspython module." >&2 +if test -n "$PYTHON"; then + if $PYTHON -c "from dns.query import send_tcp" 2>/dev/null; then + : + else + echo_i "This test requires the dnspython >= 2.0.0 module." >&2 exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 fi exit 0 diff --git a/bin/tests/system/timeouts/setup.sh b/bin/tests/system/timeouts/setup.sh index c4019d2..2503054 100644 --- a/bin/tests/system/timeouts/setup.sh +++ b/bin/tests/system/timeouts/setup.sh @@ -27,4 +27,4 @@ print('') for a in range(150000): print('%s IN NS a' % (a)) - print('%s IN NS b' % (a))" > ns1/large.db + print('%s IN NS b' % (a))" >ns1/large.db diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh index 864542f..72959da 100644 --- a/bin/tests/system/tkey/tests.sh +++ b/bin/tests/system/tkey/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" @10.53.0.1 -p "$PORT" "$@" + "$DIG" @10.53.0.1 -p "$PORT" "$@" } status=0 @@ -26,138 +26,137 @@ echo_i "generating new DH key ($n)" ret=0 dhkeyname=$($KEYGEN -T KEY -a DH -b 768 -n host client) || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status fi -status=$((status+ret)) -n=$((n+1)) - -for owner in . foo.example. -do - echo_i "creating new key using owner name \"$owner\" ($n)" - ret=0 - keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking the new key ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null || ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "deleting new key ($n)" - ret=0 - $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) - - echo_i "checking that new key has been deleted ($n)" - ret=0 - dig_with_opts txt txt.example -k "$keyname" > dig.out.test$n || ret=1 - grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1 - grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n > /dev/null && ret=1 - grep "Some TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then - echo_i "failed" - fi - status=$((status+ret)) - n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) + +for owner in . foo.example.; do + echo_i "creating new key using owner name \"$owner\" ($n)" + ret=0 + keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" $owner) || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status + fi + status=$((status + ret)) + n=$((n + 1)) + + echo_i "checking the new key ($n)" + ret=0 + dig_with_opts txt txt.example -k "$keyname" >dig.out.test$n || ret=1 + grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 + grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n >/dev/null || ret=1 + grep "Some TSIG could not be validated" dig.out.test$n >/dev/null && ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=$((status + ret)) + n=$((n + 1)) + + echo_i "deleting new key ($n)" + ret=0 + $KEYDELETE 10.53.0.1 "$PORT" "$keyname" || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=$((status + ret)) + n=$((n + 1)) + + echo_i "checking that new key has been deleted ($n)" + ret=0 + dig_with_opts txt txt.example -k "$keyname" >dig.out.test$n || ret=1 + grep "status: NOERROR" dig.out.test$n >/dev/null && ret=1 + grep "TSIG.*hmac-md5.*NOERROR" dig.out.test$n >/dev/null && ret=1 + grep "Some TSIG could not be validated" dig.out.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + fi + status=$((status + ret)) + n=$((n + 1)) done echo_i "creating new key using owner name bar.example. ($n)" ret=0 keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking the key with 'rndc tsig-list' ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list >rndc.out.test$n +grep "key \"bar.example.server" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "using key in a request ($n)" ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_opts -k "$keyname" txt.example txt >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "deleting the key with 'rndc tsig-delete' ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server > /dev/null || ret=1 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null && ret=1 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "TSIG could not be validated" dig.out.test$n > /dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-delete bar.example.server >/dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list >rndc.out.test$n +grep "key \"bar.example.server" rndc.out.test$n >/dev/null && ret=1 +dig_with_opts -k "$keyname" txt.example txt >dig.out.test$n || ret=1 +grep "TSIG could not be validated" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "recreating the bar.example. key ($n)" ret=0 keyname=$($KEYCREATE 10.53.0.1 "$PORT" "$dhkeyname" bar.example.) || ret=1 if [ $ret != 0 ]; then - echo_i "failed" - status=$((status+ret)) - echo_i "exit status: $status" - exit $status + echo_i "failed" + status=$((status + ret)) + echo_i "exit status: $status" + exit $status fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "checking the new key with 'rndc tsig-list' ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list > rndc.out.test$n -grep "key \"bar.example.server" rndc.out.test$n > /dev/null || ret=1 +$RNDC -c ../_common/rndc.conf -s 10.53.0.1 -p "$CONTROLPORT" tsig-list >rndc.out.test$n +grep "key \"bar.example.server" rndc.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "using the new key in a request ($n)" ret=0 -dig_with_opts -k "$keyname" txt.example txt > dig.out.test$n || ret=1 -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +dig_with_opts -k "$keyname" txt.example txt >dig.out.test$n || ret=1 +grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then - echo_i "failed" + echo_i "failed" fi -status=$((status+ret)) -n=$((n+1)) +status=$((status + ret)) +n=$((n + 1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/tools/tests.sh b/bin/tests/system/tools/tests.sh index a7113cb..835c325 100644 --- a/bin/tests/system/tools/tests.sh +++ b/bin/tests/system/tools/tests.sh @@ -16,33 +16,42 @@ status=0 checkout() { - rc=$1 - case $rc in - 0) : ok ;; - *) echo_i "failed" - status=$((status + 1)) - return 1 ;; - esac - case $out in - *$hash*) : ok ;; - *) echo_i "expect $hash" - echo_i "output $out" - echo_i "failed" - status=$((status + 1)) ;; - esac + rc=$1 + case $rc in + 0) : ok ;; + *) + echo_i "failed" + status=$((status + 1)) + return 1 + ;; + esac + case $out in + *$hash*) : ok ;; + *) + echo_i "expect $hash" + echo_i "output $out" + echo_i "failed" + status=$((status + 1)) + ;; + esac } # test cases taken from RFC 5155 appendix A algo=1 flags=0 iters=12 salt="aabbccdd" -while read name hash -do - echo_i "checking $NSEC3HASH $name" - { out=$($NSEC3HASH $salt $algo $iters $name); rc=$?; } || true - checkout $rc +while read name hash; do + echo_i "checking $NSEC3HASH $name" + { + out=$($NSEC3HASH $salt $algo $iters $name) + rc=$? + } || true + checkout $rc - echo_i "checking $NSEC3HASH -r $name" - { out=$($NSEC3HASH -r $algo $flags $iters $salt $name); rc=$?; } || true - checkout $rc + echo_i "checking $NSEC3HASH -r $name" + { + out=$($NSEC3HASH -r $algo $flags $iters $salt $name) + rc=$? + } || true + checkout $rc done <<EOF *.w.example R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN @@ -61,46 +70,75 @@ EOF # test empty salt checkempty() { - rc=$1 - hash=CK0POJMG874LJREF7EFN8430QVIT8BSM checkout $rc && - hash=- checkout $rc + rc=$1 + hash=CK0POJMG874LJREF7EFN8430QVIT8BSM checkout $rc \ + && hash=- checkout $rc } name=com algo=1 flags=1 iters=0 echo_i "checking $NSEC3HASH '' $name" -{ out=$($NSEC3HASH '' $algo $iters $name); rc=$?; } || true +{ + out=$($NSEC3HASH '' $algo $iters $name) + rc=$? +} || true checkempty $rc echo_i "checking $NSEC3HASH - $name" -{ out=$($NSEC3HASH - $algo $iters $name); rc=$?; } || true +{ + out=$($NSEC3HASH - $algo $iters $name) + rc=$? +} || true checkempty $rc echo_i "checking $NSEC3HASH -- '' $name" -{ out=$($NSEC3HASH -- '' $algo $iters $name); rc=$?; } || true +{ + out=$($NSEC3HASH -- '' $algo $iters $name) + rc=$? +} || true checkempty $rc echo_i "checking $NSEC3HASH -- - $name" -{ out=$($NSEC3HASH -- - $algo $iters $name); rc=$?; } || true +{ + out=$($NSEC3HASH -- - $algo $iters $name) + rc=$? +} || true checkempty $rc echo_i "checking $NSEC3HASH -r '' $name" -{ out=$($NSEC3HASH -r $algo $flags $iters '' $name); rc=$?; } || true +{ + out=$($NSEC3HASH -r $algo $flags $iters '' $name) + rc=$? +} || true checkempty $rc echo_i "checking $NSEC3HASH -r - $name" -{ out=$($NSEC3HASH -r $algo $flags $iters - $name); rc=$?; } || true +{ + out=$($NSEC3HASH -r $algo $flags $iters - $name) + rc=$? +} || true checkempty $rc checkfail() { - rc=$1 - case $rc in - 0) echo_i "failed to fail" - status=$((status + 1)) - return 1 ;; - esac + rc=$1 + case $rc in + 0) + echo_i "failed to fail" + status=$((status + 1)) + return 1 + ;; + esac } echo_i "checking $NSEC3HASH missing args" -{ out=$($NSEC3HASH 00 1 0 2>&1); rc=$?; } || true +{ + out=$($NSEC3HASH 00 1 0 2>&1) + rc=$? +} || true checkfail $rc echo_i "checking $NSEC3HASH extra args" -{ out=$($NSEC3HASH 00 1 0 two names 2>&1); rc=$?; } || true +{ + out=$($NSEC3HASH 00 1 0 two names 2>&1) + rc=$? +} || true checkfail $rc echo_i "checking $NSEC3HASH bad option" -{ out=$($NSEC3HASH -? 2>&1); rc=$?; } || true +{ + out=$($NSEC3HASH -? 2>&1) + rc=$? +} || true checkfail $rc echo_i "exit status: $status" diff --git a/bin/tests/system/transport-acl/ns1/named.conf.in b/bin/tests/system/transport-acl/ns1/named.conf.in index cf0ccd5..d2a941a 100644 --- a/bin/tests/system/transport-acl/ns1/named.conf.in +++ b/bin/tests/system/transport-acl/ns1/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/transport-acl/setup.sh b/bin/tests/system/transport-acl/setup.sh index 672a5b6..f726f70 100644 --- a/bin/tests/system/transport-acl/setup.sh +++ b/bin/tests/system/transport-acl/setup.sh @@ -16,6 +16,6 @@ $SHELL clean.sh -$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 > ns1/example.db +$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns1/example.db copy_setports ns1/named.conf.in ns1/named.conf diff --git a/bin/tests/system/transport-acl/tests.sh b/bin/tests/system/transport-acl/tests.sh index 9bed02b..c866462 100644 --- a/bin/tests/system/transport-acl/tests.sh +++ b/bin/tests/system/transport-acl/tests.sh @@ -20,34 +20,34 @@ dig_out_basename="dig.out.test" testing="testing allow-transfer transport ACL functionality" dig_with_opts() { - # shellcheck disable=SC2086 - "$DIG" +noadd +nosea +nostat +noquest +nocmd "$@" + # shellcheck disable=SC2086 + "$DIG" +noadd +nosea +nostat +noquest +nocmd "$@" } status=0 n=0 -run_dig_test () { - test_message="$1" - shift - n=$((n+1)) - echo_i "$test_message ($n)" - ret=0 - dig_with_opts "$@" > "$dig_out_basename$n" || ret=1 +run_dig_test() { + test_message="$1" + shift + n=$((n + 1)) + echo_i "$test_message ($n)" + ret=0 + dig_with_opts "$@" >"$dig_out_basename$n" || ret=1 } -run_dig_expect_axfr_success () { - run_dig_test "$@" - grep "; Transfer failed" "$dig_out_basename$n" > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) +run_dig_expect_axfr_success() { + run_dig_test "$@" + grep "; Transfer failed" "$dig_out_basename$n" >/dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } -run_dig_expect_axfr_failure () { - run_dig_test "$@" - grep "; Transfer failed" "$dig_out_basename$n" > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status + ret)) +run_dig_expect_axfr_failure() { + run_dig_test "$@" + grep "; Transfer failed" "$dig_out_basename$n" >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) } # generic tests @@ -61,7 +61,7 @@ run_dig_expect_axfr_success "$testing for XFR via TCP" -p "${EXTRAPORT1}" +tcp - run_dig_expect_axfr_success "$testing for XoT" -p "${EXTRAPORT1}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1 -run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1 +run_dig_expect_axfr_failure "$testing for XFR via TCP (failure expected)" -p "${EXTRAPORT2}" +tcp -b 10.53.0.10 @10.53.0.1 axfr example1 run_dig_expect_axfr_failure "$testing for XoT (failure expected)" -p "${EXTRAPORT2}" +tls -b 10.53.0.10 @10.53.0.2 axfr example1 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh index d8dbbe3..cd90cee 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh @@ -17,9 +17,8 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf -if $FEATURETEST --md5 -then - cat >> ns1/named.conf << EOF +if $FEATURETEST --md5; then + cat >>ns1/named.conf <<EOF # Conditionally included when support for MD5 is available key "md5" { secret "97rnFx24Tfna4mHPfgnerA=="; diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh index 68c5b6d..2f3059d 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -29,65 +29,71 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f status=0 -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5 (old form)" - ret=0 - $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 - grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi - - echo_i "fetching using hmac-md5 (new form)" - ret=0 - $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 - grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5 (old form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa >dig.out.md5.old || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi + + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa >dig.out.md5.new || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5" + echo_i "skipping using hmac-md5" fi echo_i "fetching using hmac-sha1" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1 || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa >dig.out.sha1 || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224 || ret=1 -grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa >dig.out.sha224 || ret=1 +grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256 || ret=1 -grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa >dig.out.sha256 || ret=1 +grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384 || ret=1 -grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa >dig.out.sha384 || ret=1 +grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512 || ret=1 -grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa >dig.out.sha512 || ret=1 +grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi # @@ -95,227 +101,245 @@ fi # Truncated TSIG # # -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5 (trunc)" - ret=0 - $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 - grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5 (trunc)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa >dig.out.md5.trunc || ret=1 + grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5 (trunc)" + echo_i "skipping using hmac-md5 (trunc)" fi echo_i "fetching using hmac-sha1 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa > dig.out.sha1.trunc || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa >dig.out.sha1.trunc || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa > dig.out.sha224.trunc || ret=1 -grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa >dig.out.sha224.trunc || ret=1 +grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa > dig.out.sha256.trunc || ret=1 -grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa >dig.out.sha256.trunc || ret=1 +grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa > dig.out.sha384.trunc || ret=1 -grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa >dig.out.sha384.trunc || ret=1 +grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512-256 (trunc)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa > dig.out.sha512.trunc || ret=1 -grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa >dig.out.sha512.trunc || ret=1 +grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi - # # # Check for bad truncation. # # -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5-80 (BADTRUNC)" - ret=0 - $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 - grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5-80 (BADTRUNC)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa >dig.out.md5-80 || ret=1 + grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5-80 (BADTRUNC)" + echo_i "skipping using hmac-md5-80 (BADTRUNC)" fi echo_i "fetching using hmac-sha1-80 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa > dig.out.sha1-80 || ret=1 -grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa >dig.out.sha1-80 || ret=1 +grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224-112 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa > dig.out.sha224-112 || ret=1 -grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa >dig.out.sha224-112 || ret=1 +grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256-128 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa > dig.out.sha256-128 || ret=1 -grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa >dig.out.sha256-128 || ret=1 +grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384-192 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa > dig.out.sha384-192 || ret=1 -grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa >dig.out.sha384-192 || ret=1 +grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512-256 (BADTRUNC)" ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa > dig.out.sha512-256 || ret=1 -grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa >dig.out.sha512-256 || ret=1 +grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "attempting fetch with bad tsig algorithm" ret=0 -$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa > dig.out.badalgo 2>&1 || ret=1 -grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -y "badalgo:invalid:$sha512" @10.53.0.1 soa >dig.out.badalgo 2>&1 || ret=1 +grep -i "Couldn't create key invalid: algorithm is unsupported" dig.out.badalgo >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "checking both OPT and TSIG records are returned when TC=1" ret=0 -$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt > dig.out.large 2>&1 || ret=1 -grep "flags:.* tc[ ;]" dig.out.large > /dev/null || ret=1 -grep "status: NOERROR" dig.out.large > /dev/null || ret=1 -grep "EDNS:" dig.out.large > /dev/null || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG -p ${PORT} +ignore +bufsize=512 large.example.nil -y "hmac-sha1:sha1:$sha1" @10.53.0.1 txt >dig.out.large 2>&1 || ret=1 +grep "flags:.* tc[ ;]" dig.out.large >/dev/null || ret=1 +grep "status: NOERROR" dig.out.large >/dev/null || ret=1 +grep "EDNS:" dig.out.large >/dev/null || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "check that dnssec-keygen won't generate TSIG keys" ret=0 -$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1 -grep "unknown algorithm" keygen.out3 > /dev/null || ret=1 +$KEYGEN -a hmac-sha256 -b 128 -n host example.net >keygen.out3 2>&1 && ret=1 +grep "unknown algorithm" keygen.out3 >/dev/null || ret=1 echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request" ret=0 -$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null || ret=1 -$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1 -grep "status: NOERROR" dig.out.verify > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp <badtime >/dev/null || ret=1 +$DIG -p ${PORT} @10.53.0.1 version.bind txt ch >dig.out.verify || ret=1 +grep "status: NOERROR" dig.out.verify >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi -if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' > /dev/null 2>&1 -then +if "$PERL" -e 'use Net::DNS; use Net::DNS::Packet;' >/dev/null 2>&1; then echo_i "check that TSIG in the wrong place returns FORMERR" ret=0 - $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d < badlocation > packet.out - grep "rcode = FORMERR" packet.out > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 + $PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t udp -d <badlocation >packet.out + grep "rcode = FORMERR" packet.out >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi fi echo_i "check that a malformed truncated response to a TSIG query is handled" ret=0 -$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1 -grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG -p $PORT @10.53.0.1 bad-tsig >dig.out.bad-tsig || ret=1 +grep "status: SERVFAIL" dig.out.bad-tsig >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi -if $FEATURETEST --md5 -then - echo_i "fetching using hmac-md5 (legacy)" - ret=0 - $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa > dig.out.md5.legacy 2>&1 || ret=1 - grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy > /dev/null || ret=1 - grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1 - if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 - fi +if $FEATURETEST --md5; then + echo_i "fetching using hmac-md5 (legacy)" + ret=0 + $DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-md5-legacy.+*.key @10.53.0.1 soa >dig.out.md5.legacy 2>&1 || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.legacy >/dev/null || ret=1 + grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy >/dev/null || ret=1 + if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 + fi else - echo_i "skipping using hmac-md5" + echo_i "skipping using hmac-md5" fi echo_i "fetching using hmac-sha1 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa > dig.out.sha1.legacy 2>&1 || ret=1 -grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha1-legacy.+*.key @10.53.0.1 soa >dig.out.sha1.legacy 2>&1 || ret=1 +grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.legacy >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha224 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa > dig.out.sha224 2>&1 || ret=1 -grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha224-legacy.+*.key @10.53.0.1 soa >dig.out.sha224 2>&1 || ret=1 +grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha256 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa > dig.out.sha256 2>&1 || ret=1 -grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha256-legacy.*.key @10.53.0.1 soa >dig.out.sha256 2>&1 || ret=1 +grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha384 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa > dig.out.sha384 2>&1 || ret=1 -grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha384-legacy.*.key @10.53.0.1 soa >dig.out.sha384 2>&1 || ret=1 +grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 >/dev/null || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "fetching using hmac-sha512 (legacy)" ret=0 -$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa > dig.out.sha512 2>&1 || ret=1 -grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1 -grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +$DIG $DIGOPTS example.nil. -k ns1/legacy/Khmac-sha512-legacy.*.key @10.53.0.1 soa >dig.out.sha512 2>&1 || ret=1 +grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 >/dev/null || ret=1 +grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 >/dev/null || ret=1 +if [ $ret -eq 1 ]; then + echo_i "failed" + status=1 fi echo_i "exit status: $status" diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh index 0f8e2d6..1abaf8e 100644 --- a/bin/tests/system/tsiggss/prereq.sh +++ b/bin/tests/system/tsiggss/prereq.sh @@ -14,9 +14,9 @@ . ../conf.sh # enable the tsiggss test only if gssapi was enabled -$FEATURETEST --gssapi || { - echo_i "gssapi and krb5 not supported - skipping tsiggss test" - exit 255 +$FEATURETEST --gssapi || { + echo_i "gssapi and krb5 not supported - skipping tsiggss test" + exit 255 } exit 0 diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh index 37b80fd..0353cb5 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh @@ -18,4 +18,4 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf key=$($KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.) -cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db +cat ns1/example.nil.db.in ns1/${key}.key >ns1/example.nil.db diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh index 97cc7bb..c37f32e 100644 --- a/bin/tests/system/tsiggss/tests.sh +++ b/bin/tests/system/tsiggss/tests.sh @@ -22,50 +22,49 @@ n=1 DIGOPTS="@10.53.0.1 -p ${PORT}" -test_update () { - num="$1" - host="$2" - type="$3" - cmd="$4" - digout="$5" - - cat <<EOF > ns1/update.txt +test_update() { + num="$1" + host="$2" + type="$3" + cmd="$4" + digout="$5" + + cat <<EOF >ns1/update.txt server 10.53.0.1 ${PORT} update add $host $cmd send answer EOF - echo_i "testing update for $host $type $cmd" - $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || { - echo_i "update failed for $host $type $cmd" - sed "s/^/I:/" nsupdate.out${num} - return 1 - } - - # Verify that TKEY response is signed. - tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}) - pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" - echo $tkeyout | grep "$pattern" > /dev/null || { - echo_i "bad tkey response (not tsig signed)" - return 1 - } - - # Weak verification that TKEY response is signed. - grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { - echo_i "bad tkey response (not tsig signed)" - return 1 - } - - out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^${host}") - lines=$(echo "$out" | grep "$digout" | wc -l) - [ $lines -eq 1 ] || { - echo_i "dig output incorrect for $host $type $cmd: $out" - return 1 - } - return 0 + echo_i "testing update for $host $type $cmd" + $NSUPDATE -g -d ns1/update.txt >nsupdate.out${num} 2>&1 || { + echo_i "update failed for $host $type $cmd" + sed "s/^/I:/" nsupdate.out${num} + return 1 + } + + # Verify that TKEY response is signed. + tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num}) + pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0" + echo $tkeyout | grep "$pattern" >/dev/null || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + # Weak verification that TKEY response is signed. + grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || { + echo_i "bad tkey response (not tsig signed)" + return 1 + } + + out=$($DIG $DIGOPTS -t $type -q $host | grep -E "^${host}") + lines=$(echo "$out" | grep "$digout" | wc -l) + [ $lines -eq 1 ] || { + echo_i "dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 } - # Testing updates with good credentials. KRB5CCNAME="FILE:"$(pwd)/ns1/administrator.ccache export KRB5CCNAME @@ -73,24 +72,23 @@ export KRB5CCNAME echo_i "testing updates to testdc1 as administrator ($n)" ret=0 test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to testdc2 as administrator ($n)" ret=0 test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to denied as administrator ($n)" ret=0 -test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1 -n=$((n+1)) +test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) - +status=$((status + ret)) # Testing denied updates. KRB5CCNAME="FILE:"$(pwd)/ns1/testdenied.ccache @@ -98,44 +96,44 @@ export KRB5CCNAME echo_i "testing updates to denied (A) as a user ($n)" ret=0 -test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing updates to denied (TXT) as a user ($n)" ret=0 test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (CNAME) ($n)" ret=0 -test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (CNAME) with auth sock ($n)" ret=0 -$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 & +$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 & sleep 1 test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external update policy (A) ($n)" ret=0 -test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1 -n=$((n+1)) +test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" >/dev/null && ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "testing external policy with SIG(0) key ($n)" ret=0 -$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1 +$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END >/dev/null 2>&1 || ret=1 server 10.53.0.1 ${PORT} zone example.nil update add fred.example.nil 120 cname foo.bar. @@ -144,31 +142,34 @@ END output=$($DIG $DIGOPTS +short cname fred.example.nil.) [ -n "$output" ] || ret=1 [ $ret -eq 0 ] || echo_i "failed" -n=$((n+1)) +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "ensure too long realm name is fatal in non-interactive mode ($n)" ret=0 -$NSUPDATE <<END > nsupdate.out${n} 2>&1 && ret=1 +$NSUPDATE <<END >nsupdate.out${n} 2>&1 && ret=1 realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename END -grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 -grep "syntax error" nsupdate.out${n} > /dev/null || ret=1 -n=$((n+1)) +grep "realm is too long" nsupdate.out${n} >/dev/null || ret=1 +grep "syntax error" nsupdate.out${n} >/dev/null || ret=1 +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "ensure too long realm name is not fatal in interactive mode ($n)" ret=0 -$NSUPDATE -i <<END > nsupdate.out${n} 2>&1 || ret=1 +$NSUPDATE -i <<END >nsupdate.out${n} 2>&1 || ret=1 realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename END -grep "realm is too long" nsupdate.out${n} > /dev/null || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } -n=$((n+1)) +grep "realm is too long" nsupdate.out${n} >/dev/null || ret=1 +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} +n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) [ $status -eq 0 ] && echo_i "tsiggss tests all OK" diff --git a/bin/tests/system/ttl/ns1/named.conf.in b/bin/tests/system/ttl/ns1/named.conf.in index 51eee0c..6864614 100644 --- a/bin/tests/system/ttl/ns1/named.conf.in +++ b/bin/tests/system/ttl/ns1/named.conf.in @@ -35,7 +35,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "min-example" { diff --git a/bin/tests/system/unknown/setup.sh b/bin/tests/system/unknown/setup.sh index 0c043bf..b08a677 100644 --- a/bin/tests/system/unknown/setup.sh +++ b/bin/tests/system/unknown/setup.sh @@ -17,4 +17,7 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf -(cd ns3; $SHELL -e sign.sh) +( + cd ns3 + $SHELL -e sign.sh +) diff --git a/bin/tests/system/unknown/tests.sh b/bin/tests/system/unknown/tests.sh index f52b50e..eb61f21 100644 --- a/bin/tests/system/unknown/tests.sh +++ b/bin/tests/system/unknown/tests.sh @@ -21,144 +21,136 @@ n=0 DIGOPTS="-p ${PORT}" dig_cmd() { - # shellcheck disable=SC2086 - "$DIG" $DIGOPTS "$@" | grep -v '^;' + # shellcheck disable=SC2086 + "$DIG" $DIGOPTS "$@" | grep -v '^;' } -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of an IN A record ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 11 12 -do - ret=0 - dig_cmd +short @10.53.0.1 a$i.example a in > dig.out.$i.test$n - echo 10.0.0.1 | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4 5 6 7 8 9 10 11 12; do + ret=0 + dig_cmd +short @10.53.0.1 a$i.example a in >dig.out.$i.test$n + echo 10.0.0.1 | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of an IN TXT record ($n)" -for i in 1 2 3 4 5 6 7 -do - ret=0 - dig_cmd +short @10.53.0.1 txt$i.example txt in > dig.out.$i.test$n - echo '"hello"' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4 5 6 7; do + ret=0 + dig_cmd +short @10.53.0.1 txt$i.example txt in >dig.out.$i.test$n + echo '"hello"' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of an IN TYPE123 record ($n)" -for i in 1 2 3 -do - ret=0 - dig_cmd +short @10.53.0.1 unk$i.example type123 in > dig.out.$i.test$n - echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3; do + ret=0 + dig_cmd +short @10.53.0.1 unk$i.example type123 in >dig.out.$i.test$n + echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for NULL record ($n)" ret=0 -dig_cmd +short @10.53.0.1 null.example null in > dig.out.test$n +dig_cmd +short @10.53.0.1 null.example null in >dig.out.test$n echo '\# 1 00' | diff - dig.out.test$n || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "querying for empty NULL record ($n)" ret=0 -dig_cmd +short @10.53.0.1 empty.example null in > dig.out.test$n +dig_cmd +short @10.53.0.1 empty.example null in >dig.out.test$n echo '\# 0' | diff - dig.out.test$n || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of a CLASS10 TYPE1 record ($n)" -for i in 1 2 -do - ret=0 - dig_cmd +short @10.53.0.1 a$i.example a class10 > dig.out.$i.test$n - echo '\# 4 0A000001' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2; do + ret=0 + dig_cmd +short @10.53.0.1 a$i.example a class10 >dig.out.$i.test$n + echo '\# 4 0A000001' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of a CLASS10 TXT record ($n)" -for i in 1 2 3 4 -do - ret=0 - dig_cmd +short @10.53.0.1 txt$i.example txt class10 > dig.out.$i.test$n - echo '"hello"' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4; do + ret=0 + dig_cmd +short @10.53.0.1 txt$i.example txt class10 >dig.out.$i.test$n + echo '"hello"' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for various representations of a CLASS10 TYPE123 record ($n)" -for i in 1 2 -do - ret=0 - dig_cmd +short @10.53.0.1 unk$i.example type123 class10 > dig.out.$i.test$n - echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2; do + ret=0 + dig_cmd +short @10.53.0.1 unk$i.example type123 class10 >dig.out.$i.test$n + echo '\# 1 00' | diff - dig.out.$i.test$n || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "querying for SOAs of zone that should have failed to load ($n)" -for i in 1 2 3 4 -do - ret=0 - $DIG $DIGOPTS @10.53.0.1 broken$i. soa in > dig.out.$i.test$n || ret=1 - grep "SERVFAIL" dig.out.$i.test$n > /dev/null || ret=1 - if [ $ret != 0 ] - then - echo_i "#$i failed" - fi - status=$((status + ret)) +for i in 1 2 3 4; do + ret=0 + $DIG $DIGOPTS @10.53.0.1 broken$i. soa in >dig.out.$i.test$n || ret=1 + grep "SERVFAIL" dig.out.$i.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then + echo_i "#$i failed" + fi + status=$((status + ret)) done -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on primary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.1 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.1 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff -s large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" -eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on secondary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff -s large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" -eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) @@ -169,23 +161,29 @@ start_server --noclean --restart --port ${PORT} ns2 # server may be answering queries before zones are loaded, # so retry a few times if this query fails -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on secondary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff -s large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.2 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff -s large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" -eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on inline secondary ($n)" ret=0 -dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.test$n -diff large.out dig.out.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } +dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 >dig.out.test$n +diff large.out dig.out.test$n >/dev/null || { + ret=1 + echo_i "diff failed" +} [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) @@ -195,39 +193,42 @@ start_server --noclean --restart --port ${PORT} ns3 # server may be answering queries before zones are loaded, # so retry a few times if this query fails -n=$((n+1)) +n=$((n + 1)) echo_i "checking large unknown record loading on inline secondary ($n)" for try in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out.$i.test$n - diff large.out dig.out.$i.test$n > /dev/null || { ret=1 ; echo_i "diff failed"; } - [ "$ret" -eq 0 ] && break - sleep 1 + ret=0 + dig_cmd @10.53.0.3 +tcp +short large.example TYPE45234 >dig.out.$i.test$n + diff large.out dig.out.$i.test$n >/dev/null || { + ret=1 + echo_i "diff failed" + } + [ "$ret" -eq 0 ] && break + sleep 1 done [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that '"'"\\#"'"' is not treated as the unknown escape sequence ($n)" ret=0 -dig_cmd @10.53.0.1 +tcp +short txt8.example txt > dig.out.test$n +dig_cmd @10.53.0.1 +tcp +short txt8.example txt >dig.out.test$n echo '"#" "2" "0145"' | diff - dig.out.test$n || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'TXT \# text' is not treated as the unknown escape sequence ($n)" ret=0 -dig_cmd @10.53.0.1 +tcp +short txt9.example txt > dig.out.test$n +dig_cmd @10.53.0.1 +tcp +short txt9.example txt >dig.out.test$n echo '"#" "text"' | diff - dig.out.test$n || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'TYPE353 \# cat' produces 'not a valid number' ($n)" ret=0 -$CHECKZONE nan.bad zones/nan.bad > check.out 2>&1 && ret=1 -grep "not a valid number" check.out > /dev/null || ret=1 +$CHECKZONE nan.bad zones/nan.bad >check.out 2>&1 && ret=1 +grep "not a valid number" check.out >/dev/null || ret=1 [ $ret = 0 ] || echo_i "failed" status=$((status + ret)) diff --git a/bin/tests/system/upforwd/prereq.sh b/bin/tests/system/upforwd/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/upforwd/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh index f2719ba..facc79d 100644 --- a/bin/tests/system/upforwd/setup.sh +++ b/bin/tests/system/upforwd/setup.sh @@ -20,28 +20,25 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named1.conf.in ns3/named.conf -if $FEATURETEST --enable-dnstap -then - cat <<'EOF' > ns3/dnstap.conf +if $FEATURETEST --enable-dnstap; then + cat <<'EOF' >ns3/dnstap.conf dnstap-identity "ns3"; dnstap-version "xxx"; dnstap-output file "dnstap.out"; dnstap { all; }; EOF else - echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf + echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf fi - # # SIG(0) required cryptographic support which may not be configured. # -keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err) -if test -n "$keyname" -then - cat ns1/example1.db $keyname.key > ns1/example2.db - echo $keyname > keyname +keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -b 1024 -T KEY sig0.example2 2>keyname.err) +if test -n "$keyname"; then + cat ns1/example1.db $keyname.key >ns1/example2.db + echo $keyname >keyname else - cat ns1/example1.db > ns1/example2.db + cat ns1/example1.db >ns1/example2.db fi -cat_i < keyname.err +cat_i <keyname.err diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh index 9b49fbd..518eac6 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -20,57 +20,65 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf" +RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../_common/rndc.conf" status=0 n=1 capture_dnstap() { - retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n - $RNDCCMD -s 10.53.0.3 dnstap -reopen + retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n + $RNDCCMD -s 10.53.0.3 dnstap -reopen } uq_equals_ur() { - "$DNSTAPREAD" dnstap.out.$n | - awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > dnstapread.out$n - read UQ UR < dnstapread.out$n - echo_i "UQ=$UQ UR=$UR" - test $UQ -eq $UR || return 1 + "$DNSTAPREAD" dnstap.out.$n \ + | awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' >dnstapread.out$n + read UQ UR <dnstapread.out$n + echo_i "UQ=$UQ UR=$UR" + test $UQ -eq $UR || return 1 } echo_i "waiting for servers to be ready for testing ($n)" -for i in 1 2 3 4 5 6 7 8 9 10 -do - ret=0 - $DIG +tcp -p ${PORT} example. @10.53.0.1 soa > dig.out.ns1 || ret=1 - grep "status: NOERROR" dig.out.ns1 > /dev/null || ret=1 - $DIG +tcp -p ${PORT} example. @10.53.0.2 soa > dig.out.ns2 || ret=1 - grep "status: NOERROR" dig.out.ns2 > /dev/null || ret=1 - $DIG +tcp -p ${PORT} example. @10.53.0.3 soa > dig.out.ns3 || ret=1 - grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 - test $ret = 0 && break - sleep 1 +for i in 1 2 3 4 5 6 7 8 9 10; do + ret=0 + $DIG +tcp -p ${PORT} example. @10.53.0.1 soa >dig.out.ns1 || ret=1 + grep "status: NOERROR" dig.out.ns1 >/dev/null || ret=1 + $DIG +tcp -p ${PORT} example. @10.53.0.2 soa >dig.out.ns2 || ret=1 + grep "status: NOERROR" dig.out.ns2 >/dev/null || ret=1 + $DIG +tcp -p ${PORT} example. @10.53.0.3 soa >dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 >/dev/null || ret=1 + test $ret = 0 && break + sleep 1 done -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching primary copy of zone before update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 1 copy of zone before update ($n)" -$DIG $DIGOPTS example.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 2 copy of zone before update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.3 axfr > dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "comparing pre-update copies to known good data ($n)" @@ -78,7 +86,10 @@ ret=0 digcomp knowngood.before dig.out.ns1 || ret=1 digcomp knowngood.before dig.out.ns2 || ret=1 digcomp knowngood.before dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "updating zone (signed) ($n)" ret=0 @@ -89,7 +100,10 @@ update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo send EOF -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "sleeping 15 seconds for server to incorporate changes" @@ -97,22 +111,28 @@ sleep 15 echo_i "fetching primary copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 1 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "fetching secondary 2 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.3 axfr > dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "comparing post-update copies to known good data ($n)" @@ -120,23 +140,28 @@ ret=0 digcomp knowngood.after1 dig.out.ns1 || ret=1 digcomp knowngood.after1 dig.out.ns2 || ret=1 digcomp knowngood.after1 dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "checking 'forwarding update for zone' is logged ($n)" ret=0 -grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +grep "forwarding update for zone 'example/IN'" ns3/named.run >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) -if $FEATURETEST --enable-dnstap -then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) +if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) fi echo_i "updating zone (unsigned) ($n)" @@ -148,7 +173,10 @@ update add unsigned.example. 600 A 10.10.10.1 update add unsigned.example. 600 TXT Foo send EOF -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "sleeping 15 seconds for server to incorporate changes" @@ -156,48 +184,55 @@ sleep 15 echo_i "fetching primary copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.1 axfr > dig.out.ns1 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.1 axfr >dig.out.ns1 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "fetching secondary 1 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.2 axfr > dig.out.ns2 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "fetching secondary 2 copy of zone after update ($n)" ret=0 -$DIG $DIGOPTS example.\ - @10.53.0.3 axfr > dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +$DIG $DIGOPTS example. @10.53.0.3 axfr >dig.out.ns3 || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi echo_i "comparing post-update copies to known good data ($n)" ret=0 digcomp knowngood.after2 dig.out.ns1 || ret=1 digcomp knowngood.after2 dig.out.ns2 || ret=1 digcomp knowngood.after2 dig.out.ns3 || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi - -if $FEATURETEST --enable-dnstap -then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi + +if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) fi n=$((n + 1)) -if test -f keyname -then - echo_i "checking update forwarding to with sig0 ($n)" - ret=0 - keyname=$(cat keyname) - $NSUPDATE -k $keyname.private -- - <<EOF +if test -f keyname; then + echo_i "checking update forwarding to with sig0 ($n)" + ret=0 + keyname=$(cat keyname) + $NSUPDATE -k $keyname.private -- - <<EOF local 10.53.0.1 server 10.53.0.3 ${PORT} zone example2 @@ -205,46 +240,47 @@ then update add unsigned.example2. 600 TXT Foo send EOF - $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n - grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) - - if $FEATURETEST --enable-dnstap - then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur || ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) - fi + $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 >dig.out.ns1.test$n + grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) + + if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) + fi fi echo_i "attempting an update that should be rejected by ACL ($n)" ret=0 { - $NSUPDATE -- - << EOF + $NSUPDATE -- - <<EOF local 10.53.0.2 server 10.53.0.3 ${PORT} update add another.unsigned.example. 600 A 10.10.10.2 update add another.unsigned.example. 600 TXT Bar send EOF -} > nsupdate.out.$n 2>&1 && ret=1 -grep REFUSED nsupdate.out.$n > /dev/null || ret=1 -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +} >nsupdate.out.$n 2>&1 && ret=1 +grep REFUSED nsupdate.out.$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) echo_i "checking update forwarding to dead primary ($n)" count=0 ret=0 -while [ $count -lt 5 -a $ret -eq 0 ] -do -( -$NSUPDATE -- - <<EOF +while [ $count -lt 5 -a $ret -eq 0 ]; do + ( + $NSUPDATE -- - <<EOF local 10.53.0.1 server 10.53.0.3 ${PORT} zone noprimary @@ -252,23 +288,25 @@ update add unsigned.noprimary. 600 A 10.10.10.1 update add unsigned.noprimary. 600 TXT Foo send EOF -) > /dev/null 2>&1 & - $DIG -p ${PORT} +noadd +notcp +noauth noprimary. @10.53.0.3 soa > dig.out.ns3 || ret=1 - grep "status: NOERROR" dig.out.ns3 > /dev/null || ret=1 - count=$((count + 1)) + ) >/dev/null 2>&1 & + $DIG -p ${PORT} +noadd +notcp +noauth noprimary. @10.53.0.3 soa >dig.out.ns3 || ret=1 + grep "status: NOERROR" dig.out.ns3 >/dev/null || ret=1 + count=$((count + 1)) done -if [ $ret != 0 ] ; then echo_i "failed"; status=$((status + ret)); fi +if [ $ret != 0 ]; then + echo_i "failed" + status=$((status + ret)) +fi n=$((n + 1)) -if $FEATURETEST --enable-dnstap -then - echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" - ret=0 - capture_dnstap - uq_equals_ur && ret=1 - if [ $ret != 0 ] ; then echo_i "failed"; fi - status=$((status + ret)) - n=$((n + 1)) +if $FEATURETEST --enable-dnstap; then + echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)" + ret=0 + capture_dnstap + uq_equals_ur && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) fi n=$((n + 1)) @@ -277,19 +315,22 @@ echo_i "attempting updates that should exceed quota ($n)" # lower the update quota to 1. copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 -nextpart ns3/named.run > /dev/null +nextpart ns3/named.run >/dev/null for loop in 1 2 3 4 5 6 7 8 9 10; do -{ - $NSUPDATE -- - > /dev/null 2>&1 <<END + { + $NSUPDATE -- - >/dev/null 2>&1 <<END local 10.53.0.1 server 10.53.0.3 ${PORT} update add txt-$loop.unsigned.example 300 IN TXT Whatever send END -} & + } & done wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1 -[ $ret = 0 ] || { echo_i "failed"; status=1; } +[ $ret = 0 ] || { + echo_i "failed" + status=1 +} echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/verify/tests.sh b/bin/tests/system/verify/tests.sh index d40780a..4084339 100644 --- a/bin/tests/system/verify/tests.sh +++ b/bin/tests/system/verify/tests.sh @@ -14,99 +14,97 @@ set -e . ../conf.sh -failed () { - cat verify.out.$n | sed 's/^/D:/'; - echo_i "failed"; - status=1; +failed() { + cat verify.out.$n | sed 's/^/D:/' + echo_i "failed" + status=1 } n=0 status=0 -for file in zones/*.good -do - n=$((n + 1)) - zone=$(expr "$file" : 'zones/\(.*\).good') - echo_i "checking supposedly good zone: $zone ($n)" - ret=0 - case $zone in - zsk-only.*) only=-z;; - ksk-only.*) only=-z;; - *) only=;; - esac - $VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 || ret=1 - [ $ret = 0 ] || failed +for file in zones/*.good; do + n=$((n + 1)) + zone=$(expr "$file" : 'zones/\(.*\).good') + echo_i "checking supposedly good zone: $zone ($n)" + ret=0 + case $zone in + zsk-only.*) only=-z ;; + ksk-only.*) only=-z ;; + *) only= ;; + esac + $VERIFY ${only} -o $zone $file >verify.out.$n 2>&1 || ret=1 + [ $ret = 0 ] || failed done -for file in zones/*.bad -do - n=$((n + 1)) - zone=$(expr "$file" : 'zones/\(.*\).bad') - echo_i "checking supposedly bad zone: $zone ($n)" - ret=0 - dumpit=0 - case $zone in - zsk-only.*) only=-z;; - ksk-only.*) only=-z;; - *) only=;; - esac - expect1= expect2= - case $zone in - *.dnskeyonly) - expect1="DNSKEY is not signed" - ;; - *.expired) - expect1="signature has expired" - expect2="No self-signed .*DNSKEY found" - ;; - *.ksk-expired) - expect1="signature has expired" - expect2="No self-signed .*DNSKEY found" - ;; - *.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec) - expect1="unexpected NSEC RRset at" - ;; - *.nsec.broken-chain) - expect1="Bad NSEC record for.*, next name mismatch" - ;; - *.bad-bitmap) - expect1="bit map mismatch" - ;; - *.missing-empty) - expect1="Missing NSEC3 record for"; - ;; - unsigned) - expect1="Zone contains no DNSSEC keys" - ;; - *.extra-nsec3) - expect1="Expected and found NSEC3 chains not equal"; - ;; - *) - dumpit=1 - ;; - esac - $VERIFY ${only} -o $zone $file > verify.out.$n 2>&1 && ret=1 - grep "${expect1:-.}" verify.out.$n > /dev/null || ret=1 - grep "${expect2:-.}" verify.out.$n > /dev/null || ret=1 - [ $ret = 0 ] || failed - [ $dumpit = 1 ] && cat verify.out.$n +for file in zones/*.bad; do + n=$((n + 1)) + zone=$(expr "$file" : 'zones/\(.*\).bad') + echo_i "checking supposedly bad zone: $zone ($n)" + ret=0 + dumpit=0 + case $zone in + zsk-only.*) only=-z ;; + ksk-only.*) only=-z ;; + *) only= ;; + esac + expect1= expect2= + case $zone in + *.dnskeyonly) + expect1="DNSKEY is not signed" + ;; + *.expired) + expect1="signature has expired" + expect2="No self-signed .*DNSKEY found" + ;; + *.ksk-expired) + expect1="signature has expired" + expect2="No self-signed .*DNSKEY found" + ;; + *.out-of-zone-nsec | *.below-bottom-of-zone-nsec | *.below-dname-nsec) + expect1="unexpected NSEC RRset at" + ;; + *.nsec.broken-chain) + expect1="Bad NSEC record for.*, next name mismatch" + ;; + *.bad-bitmap) + expect1="bit map mismatch" + ;; + *.missing-empty) + expect1="Missing NSEC3 record for" + ;; + unsigned) + expect1="Zone contains no DNSSEC keys" + ;; + *.extra-nsec3) + expect1="Expected and found NSEC3 chains not equal" + ;; + *) + dumpit=1 + ;; + esac + $VERIFY ${only} -o $zone $file >verify.out.$n 2>&1 && ret=1 + grep "${expect1:-.}" verify.out.$n >/dev/null || ret=1 + grep "${expect2:-.}" verify.out.$n >/dev/null || ret=1 + [ $ret = 0 ] || failed + [ $dumpit = 1 ] && cat verify.out.$n done n=$((n + 1)) echo_i "checking error message when -o is not used and a SOA record not at top of zone is found ($n)" ret=0 # When -o is not used, origin is set to zone file name, which should cause an error in this case -$VERIFY zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1 -grep "not at top of zone" verify.out.$n > /dev/null || ret=1 -grep "use -o to specify a different zone origin" verify.out.$n > /dev/null || ret=1 +$VERIFY zones/ksk+zsk.nsec.good >verify.out.$n 2>&1 && ret=1 +grep "not at top of zone" verify.out.$n >/dev/null || ret=1 +grep "use -o to specify a different zone origin" verify.out.$n >/dev/null || ret=1 [ $ret = 0 ] || failed n=$((n + 1)) echo_i "checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)" ret=0 -$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1 -grep "not at top of zone" verify.out.$n > /dev/null || ret=1 -grep "use -o to specify a different zone origin" verify.out.$n > /dev/null && ret=1 +$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good >verify.out.$n 2>&1 && ret=1 +grep "not at top of zone" verify.out.$n >/dev/null || ret=1 +grep "use -o to specify a different zone origin" verify.out.$n >/dev/null && ret=1 [ $ret = 0 ] || failed echo_i "exit status: $status" diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh index 494174d..044ae7f 100644 --- a/bin/tests/system/verify/zones/genzones.sh +++ b/bin/tests/system/verify/zones/genzones.sh @@ -15,17 +15,17 @@ SYSTESTDIR=verify -dumpit () { - echo_d "${debug}: dumping ${1}" - cat "${1}" | cat_d +dumpit() { + echo_d "${debug}: dumping ${1}" + cat "${1}" | cat_d } -setup () { - echo_i "setting up $2 zone: $1" - debug="$1" - zone="$1" - file="$1.$2" - n=$((${n:-0} + 1)) +setup() { + echo_i "setting up $2 zone: $1" + debug="$1" + zone="$1" + file="$1.$2" + n=$((${n:-0} + 1)) } # A unsigned zone should fail validation. @@ -34,50 +34,50 @@ cp unsigned.db unsigned.bad # A set of nsec zones. setup zsk-only.nsec good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SP -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec good -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SPz -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec.apex-dname good -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n cp unsigned.db ${file}.tmp -echo "@ DNAME data" >> ${file}.tmp -$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n +echo "@ DNAME data" >>${file}.tmp +$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp >s.out$n || dumpit s.out$n # A set of nsec3 zones. setup zsk-only.nsec3 good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec3 good -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec3 good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.optout good -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.apex-dname good -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n cp unsigned.db ${file}.tmp -echo "@ DNAME data" >> ${file}.tmp -$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n +echo "@ DNAME data" >>${file}.tmp +$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp >s.out$n || dumpit s.out$n # # generate an NSEC record like @@ -86,9 +86,9 @@ $SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n || dumpit s.out$n # becomes foo when the zone is loaded. # setup nsec-next-name-case-mismatch good -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat << EOF > ${zone}.tmp +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat <<EOF >${zone}.tmp \$TTL 0 @ IN SOA foo . ( 1 28800 7200 604800 1800 ) @ NS foo @@ -98,141 +98,141 @@ FOO AAAA ::1 FOO A 127.0.0.2 aba CNAME FOO EOF -$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n || dumpit s.out$n -sed 's/^FOO\./foo\./' < ${file}.tmp > ${file} +$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp >s.out$n || dumpit s.out$n +sed 's/^FOO\./foo\./' <${file}.tmp >${file} # A set of zones with only DNSKEY records. setup zsk-only.dnskeyonly bad key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n -cat unsigned.db $key1.key > ${file} +cat unsigned.db $key1.key >${file} setup ksk-only.dnskeyonly bad key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n -cat unsigned.db $key1.key > ${file} +cat unsigned.db $key1.key >${file} setup ksk+zsk.dnskeyonly bad key1=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg.out) || dumpit kg.out$n key2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg.out) || dumpit kg.out$n -cat unsigned.db $key1.key $key2.key > ${file} +cat unsigned.db $key1.key $key2.key >${file} # A set of zones with expired records s="-s -2678400" setup zsk-only.nsec.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup zsk-only.nsec3.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone}> kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk-only.nsec3.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n -$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg.out$n 2>&1 || dumpit kg.out$n +$SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n setup ksk+zsk.nsec3.expired bad -$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n -$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n -$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n || dumpit s.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} >kg1.out$n 2>&1 || dumpit kg1.out$n +$KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} >kg2.out$n 2>&1 || dumpit kg2.out$n +$SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db >s.out$n || dumpit s.out$n # ksk expired setup ksk+zsk.nsec.ksk-expired bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n -$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -Px -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n +$SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n now=$(date -u +%Y%m%d%H%M%S) exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}) [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file setup ksk+zsk.nsec3.ksk-expired bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n -$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n +$SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n now=$(date -u +%Y%m%d%H%M%S) exp=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}) [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file # broken nsec chain setup ksk+zsk.nsec.broken-chain bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} >${file}.tmp +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk >s.out$n || dumpit s.out$n # bad nsec bitmap setup ksk+zsk.nsec.bad-bitmap bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp -$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} >${file}.tmp +$SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk >s.out$n || dumpit s.out$n # extra NSEC record out side of zone setup ksk+zsk.nsec.out-of-zone-nsec bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +echo "out-of-zone. 3600 IN NSEC ${zone}. A" >>${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n # extra NSEC record below bottom of zone setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >>${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk >s.out$n || dumpit s.out$n # dnssec-signzone signs any node with a NSEC record. -awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file} +awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp >${file} # extra NSEC record below DNAME setup ksk+zsk.nsec.below-dname-nsec bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n -echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file} -$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n +echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >>${file} +$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n # missing NSEC3 record at empty node # extract the hash fields from the empty node's NSEC 3 record then fix up # the NSEC3 chain to remove it setup ksk+zsk.nsec3.missing-empty bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n a=$(awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}) b=$(awk '$4 == "NSEC3" && NF == 9 { print $9; }' ${file}) awk ' $4 == "NSEC3" && $9 == "'$a'" { $9 = "'$b'"; print; next; } $4 == "NSEC3" && NF == 9 { next; } -{ print; }' ${file} > ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n || dumpit s.out$n +{ print; }' ${file} >${file}.tmp +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk >s.out$n || dumpit s.out$n # extra NSEC3 record setup ksk+zsk.nsec3.extra-nsec3 bad -zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2> kg1.out$n) || dumpit kg1.out$n -ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2> kg2.out$n) || dumpit kg2.out$n -cat unsigned.db $ksk.key $zsk.key > $file -$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n || dumpit s.out$n +zsk=$($KEYGEN -a ${DEFAULT_ALGORITHM} ${zone} 2>kg1.out$n) || dumpit kg1.out$n +ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -fK ${zone} 2>kg2.out$n) || dumpit kg2.out$n +cat unsigned.db $ksk.key $zsk.key >$file +$SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk >s.out$n || dumpit s.out$n awk ' BEGIN { ZONE="'${zone}'."; @@ -241,7 +241,7 @@ $4 == "NSEC3" && NF == 9 { $1 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3H." ZONE; $9 = "H9P7U7TR2U91D0V0LJS9L1GIDNP90U3I"; print; -}' ${file} > ${file}.tmp -cat ${file}.tmp >> ${file} +}' ${file} >${file}.tmp +cat ${file}.tmp >>${file} rm -f ${file}.tmp -$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n || dumpit s.out$n +$SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk >s.out$n || dumpit s.out$n diff --git a/bin/tests/system/views/ns2/named1.conf.in b/bin/tests/system/views/ns2/named1.conf.in index 4a257c0..d79a35e 100644 --- a/bin/tests/system/views/ns2/named1.conf.in +++ b/bin/tests/system/views/ns2/named1.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns2/named2.conf.in b/bin/tests/system/views/ns2/named2.conf.in index 8a4d773..8819f50 100644 --- a/bin/tests/system/views/ns2/named2.conf.in +++ b/bin/tests/system/views/ns2/named2.conf.in @@ -39,7 +39,7 @@ view "internal" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { @@ -74,7 +74,7 @@ view "external" { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns3/named1.conf.in b/bin/tests/system/views/ns3/named1.conf.in index b4fbf41..a4cb243 100644 --- a/bin/tests/system/views/ns3/named1.conf.in +++ b/bin/tests/system/views/ns3/named1.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns3/named2.conf.in b/bin/tests/system/views/ns3/named2.conf.in index 0ef2009..0f819fa 100644 --- a/bin/tests/system/views/ns3/named2.conf.in +++ b/bin/tests/system/views/ns3/named2.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/views/ns5/named.conf.in b/bin/tests/system/views/ns5/named.conf.in index 4c4ee4e..23556a7 100644 --- a/bin/tests/system/views/ns5/named.conf.in +++ b/bin/tests/system/views/ns5/named.conf.in @@ -36,7 +36,7 @@ controls { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "child.clone" { diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh index e0cca83..9ccf5d0 100644 --- a/bin/tests/system/views/setup.sh +++ b/bin/tests/system/views/setup.sh @@ -28,11 +28,11 @@ copy_setports ns5/named.conf.in ns5/named.conf # same source of "random" data and we want different keys for # internal and external instances of inline. # -$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1 -$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1 -k1=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline 2> /dev/null) -k2=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline 2> /dev/null) -$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline > /dev/null 2>&1 -$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline > /dev/null 2>&1 +$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -q inline >/dev/null 2>&1 +$KEYGEN -K ns2/internal -a ${DEFAULT_ALGORITHM} -qfk inline >/dev/null 2>&1 +k1=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline 2>/dev/null) +k2=$($KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline 2>/dev/null) +$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -q inline >/dev/null 2>&1 +$KEYGEN -K ns2/external -a ${DEFAULT_ALGORITHM} -qfk inline >/dev/null 2>&1 test -n "$k1" && rm -f ns2/external/"$k1".* test -n "$k2" && rm -f ns2/external/"$k2".* diff --git a/bin/tests/system/views/tests.sh b/bin/tests/system/views/tests.sh index 06cb3b1..27c3285 100644 --- a/bin/tests/system/views/tests.sh +++ b/bin/tests/system/views/tests.sh @@ -17,22 +17,22 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth -p "${PORT}" "$@" + "$DIG" +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth -p "${PORT}" "$@" } dig_with_shortopts() { - "$DIG" +tcp +short -p "${PORT}" "$@" + "$DIG" +tcp +short -p "${PORT}" "$@" } -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 echo_i "fetching a.example from ns2's initial configuration" -dig_with_opts a.example. @10.53.0.2 any > dig.out.ns2.1 || status=1 +dig_with_opts a.example. @10.53.0.2 any >dig.out.ns2.1 || status=1 echo_i "fetching a.example from ns3's initial configuration" -dig_with_opts a.example. @10.53.0.3 any > dig.out.ns3.1 || status=1 +dig_with_opts a.example. @10.53.0.3 any >dig.out.ns3.1 || status=1 echo_i "copying in new configurations for ns2 and ns3" rm -f ns2/named.conf ns3/named.conf ns2/example.db @@ -41,30 +41,30 @@ copy_setports ns2/named2.conf.in ns2/named.conf copy_setports ns3/named2.conf.in ns3/named.conf echo_i "reloading ns2 and ns3 with rndc" -nextpart ns2/named.run > /dev/null -nextpart ns3/named.run > /dev/null +nextpart ns2/named.run >/dev/null +nextpart ns3/named.run >/dev/null rndc_reload ns2 10.53.0.2 rndc_reload ns3 10.53.0.3 echo_i "wait for reload to complete" ret=0 _check_reload() ( - nextpartpeek ns2/named.run | grep "all zones loaded" > /dev/null && \ - nextpartpeek ns3/named.run | grep "all zones loaded" > /dev/null && \ - nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" > /dev/null + nextpartpeek ns2/named.run | grep "all zones loaded" >/dev/null \ + && nextpartpeek ns3/named.run | grep "all zones loaded" >/dev/null \ + && nextpartpeek ns3/named.run | grep "zone_dump: zone example/IN: enter" >/dev/null ) retry_quiet 10 _check_reload || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "fetching a.example from ns2's 10.53.0.4, source address 10.53.0.4" -dig_with_opts -b 10.53.0.4 a.example. @10.53.0.4 any > dig.out.ns4.2 || status=1 +dig_with_opts -b 10.53.0.4 a.example. @10.53.0.4 any >dig.out.ns4.2 || status=1 echo_i "fetching a.example from ns2's 10.53.0.2, source address 10.53.0.2" -dig_with_opts -b 10.53.0.2 a.example. @10.53.0.2 any > dig.out.ns2.2 || status=1 +dig_with_opts -b 10.53.0.2 a.example. @10.53.0.2 any >dig.out.ns2.2 || status=1 echo_i "fetching a.example from ns3's 10.53.0.3, source address defaulted" -dig_with_opts @10.53.0.3 a.example. any > dig.out.ns3.2 || status=1 +dig_with_opts @10.53.0.3 a.example. any >dig.out.ns3.2 || status=1 echo_i "comparing ns3's initial a.example to one from reconfigured 10.53.0.2" digcomp dig.out.ns3.1 dig.out.ns2.2 || status=1 @@ -77,14 +77,13 @@ digcomp dig.out.ns2.1 dig.out.ns4.2 || status=1 echo_i "comparing ns2's initial a.example to one from reconfigured 10.53.0.3" echo_i "(should be different)" -if $PERL ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2 >/dev/null -then - echo_i "no differences found. something's wrong." - status=1 +if $PERL ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2 >/dev/null; then + echo_i "no differences found. something's wrong." + status=1 fi echo_i "updating cloned zone in internal view" -$NSUPDATE << EOF +$NSUPDATE <<EOF server 10.53.0.2 ${PORT} zone clone update add b.clone. 300 in a 10.1.0.3 @@ -98,8 +97,8 @@ ret=0 one=$(dig_with_shortopts -b 10.53.0.2 @10.53.0.2 b.clone a) two=$(dig_with_shortopts -b 10.53.0.4 @10.53.0.2 b.clone a) if [ "$one" != "$two" ]; then - echo_i "'$one' does not match '$two'" - ret=1 + echo_i "'$one' does not match '$two'" + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -110,19 +109,25 @@ one=$(dig_with_shortopts -b 10.53.0.2 @10.53.0.2 child.clone txt) two=$(dig_with_shortopts -b 10.53.0.4 @10.53.0.2 child.clone txt) three=$(dig_with_shortopts @10.53.0.3 child.clone txt) four=$(dig_with_shortopts @10.53.0.5 child.clone txt) -echo "$three" | grep NS3 > /dev/null || { ret=1; echo_i "expected response from NS3 got '$three'"; } -echo "$four" | grep NS5 > /dev/null || { ret=1; echo_i "expected response from NS5 got '$four'"; } +echo "$three" | grep NS3 >/dev/null || { + ret=1 + echo_i "expected response from NS3 got '$three'" +} +echo "$four" | grep NS5 >/dev/null || { + ret=1 + echo_i "expected response from NS5 got '$four'" +} if [ "$one" = "$two" ]; then - echo_i "'$one' matches '$two'" - ret=1 + echo_i "'$one' matches '$two'" + ret=1 fi if [ "$one" != "$three" ]; then - echo_i "'$one' does not match '$three'" - ret=1 + echo_i "'$one' does not match '$three'" + ret=1 fi if [ "$two" != "$four" ]; then - echo_i "'$two' does not match '$four'" - ret=1 + echo_i "'$two' does not match '$four'" + ret=1 fi if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -130,11 +135,11 @@ status=$((status + ret)) echo_i "verifying inline zones work with views" ret=0 wait_for_signed() { - "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.2 +dnssec DNSKEY inline > dig.out.internal - "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.5 +dnssec DNSKEY inline > dig.out.external - grep "ANSWER: 4," dig.out.internal > /dev/null || return 1 - grep "ANSWER: 4," dig.out.external > /dev/null || return 1 - return 0 + "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.2 +dnssec DNSKEY inline >dig.out.internal + "$DIG" -p "${PORT}" @10.53.0.2 -b 10.53.0.5 +dnssec DNSKEY inline >dig.out.external + grep "ANSWER: 4," dig.out.internal >/dev/null || return 1 + grep "ANSWER: 4," dig.out.external >/dev/null || return 1 + return 0 } retry_quiet 10 wait_for_signed || ret=1 int=$(awk '$4 == "DNSKEY" { print $8 }' dig.out.internal | sort) @@ -150,11 +155,11 @@ copy_setports ns2/named3.conf.in ns2/named.conf i=1 while [ $i -lt 50 ]; do - ret=0 - zone_name=$(printf "example%03d.com" $i) + ret=0 + zone_name=$(printf "example%03d.com" $i) - # Add a new zone to the configuration. - cat >> ns2/zones.conf <<-EOF + # Add a new zone to the configuration. + cat >>ns2/zones.conf <<-EOF zone "${zone_name}" { type primary; file "db.${zone_name}"; @@ -164,8 +169,8 @@ while [ $i -lt 50 ]; do }; EOF - # Create a master file for the zone. - cat > "ns2/db.${zone_name}" <<-EOF + # Create a master file for the zone. + cat >"ns2/db.${zone_name}" <<-EOF \$TTL 86400 @ IN SOA localhost. hostmaster.localhost ( 1612542642 ; serial @@ -178,10 +183,13 @@ while [ $i -lt 50 ]; do localhost IN A 127.0.0.1 EOF - $KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" > /dev/null - $RNDCCMD 10.53.0.2 reconfig || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; break; fi - i=$((i + 1)) + $KEYGEN -q -Kns2 -fk -aecdsa256 "${zone_name}" >/dev/null + $RNDCCMD 10.53.0.2 reconfig || ret=1 + if [ $ret != 0 ]; then + echo_i "failed" + break + fi + i=$((i + 1)) done status=$((status + ret)) diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh index d414bb1..d1d8626 100755 --- a/bin/tests/system/wildcard/ns1/sign.sh +++ b/bin/tests/system/wildcard/ns1/sign.sh @@ -27,12 +27,12 @@ zonefile=nsec.db outfile=nsec.db.signed dssets="$dssets dsset-${zone}." -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" zone=private.nsec @@ -40,15 +40,15 @@ infile=private.nsec.db.in zonefile=private.nsec.db outfile=private.nsec.db.signed -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_ds $keyname2 > private.nsec.conf +keyfile_to_static_ds $keyname2 >private.nsec.conf zone=nsec3 infile=nsec3.db.in @@ -56,12 +56,12 @@ zonefile=nsec3.db outfile=nsec3.db.signed dssets="$dssets dsset-${zone}." -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" zone=private.nsec3 @@ -69,27 +69,27 @@ infile=private.nsec3.db.in zonefile=private.nsec3.db outfile=private.nsec3.db.signed -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) -cat $infile $keyname1.key $keyname2.key > $zonefile +cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_ds $keyname2 > private.nsec3.conf +keyfile_to_static_ds $keyname2 >private.nsec3.conf zone=. infile=root.db.in zonefile=root.db outfile=root.db.signed -keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) -keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2> /dev/null) +keyname1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) +keyname2=$($KEYGEN -f KSK -a ${DEFAULT_ALGORITHM} -n zone $zone 2>/dev/null) cat $infile $keyname1.key $keyname2.key $dssets >$zonefile -$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +$SIGNER -o $zone -f $outfile $zonefile >/dev/null 2>signer.err || cat signer.err echo_i "signed $zone" -keyfile_to_static_ds $keyname2 > trusted.conf +keyfile_to_static_ds $keyname2 >trusted.conf diff --git a/bin/tests/system/wildcard/ns2/named.conf.in b/bin/tests/system/wildcard/ns2/named.conf.in index a9a2a70..9d90299 100644 --- a/bin/tests/system/wildcard/ns2/named.conf.in +++ b/bin/tests/system/wildcard/ns2/named.conf.in @@ -26,5 +26,5 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/wildcard/ns3/named.conf.in b/bin/tests/system/wildcard/ns3/named.conf.in index 0b958fa..f7e20ea 100644 --- a/bin/tests/system/wildcard/ns3/named.conf.in +++ b/bin/tests/system/wildcard/ns3/named.conf.in @@ -28,5 +28,5 @@ include "../ns1/trusted.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/wildcard/ns5/named.conf.in b/bin/tests/system/wildcard/ns5/named.conf.in index 1cd358d..3668ee3 100644 --- a/bin/tests/system/wildcard/ns5/named.conf.in +++ b/bin/tests/system/wildcard/ns5/named.conf.in @@ -28,5 +28,5 @@ include "../ns1/trusted.conf"; zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh index b956874..204b5ff 100644 --- a/bin/tests/system/wildcard/tests.sh +++ b/bin/tests/system/wildcard/tests.sh @@ -25,124 +25,124 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned auth ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec +norec @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned non-validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns2.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned validating + CD ($n)" ret=0 -$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC wildcard non-existence proof validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC wildcard non-existence proof is returned private, validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC wildcard non-existence proof for private zone validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.private.nsec @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'a\.wild\.private\.nsec\..*NSEC.*private\.nsec\..*NSEC' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned auth ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 > dig.out.ns1.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec3 +norec @10.53.0.1 >dig.out.ns1.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned non-validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 > dig.out.ns2.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.2 >dig.out.ns2.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns2.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns2.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned validating + CD ($n)" ret=0 -$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1 +$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 >dig.out.ns5.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC3 wildcard non-existence proof validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.nsec3 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that NSEC3 wildcard non-existence proof is returned private, validating ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 -grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null && ret=1 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.3 >dig.out.ns3.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns3.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n >/dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking that returned NSEC3 wildcard non-existence proof for private zone validates ($n)" ret=0 -$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 > dig.out.ns4.test$n || ret=1 -grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n > /dev/null || ret=1 -grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n > /dev/null || ret=1 +$DIG $DIGOPTS a b.wild.private.nsec3 @10.53.0.4 >dig.out.ns4.test$n || ret=1 +grep -i 'UDBSP4R8OUOT6HSO39VD8B5LMOSHRD5N\.private\.nsec3\..*NSEC3.*ASDRUIB7GO00OR92S5OUGI404LT27RNU' dig.out.ns4.test$n >/dev/null || ret=1 +grep -i 'flags:.* ad[ ;]' dig.out.ns4.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -151,95 +151,95 @@ echo_i "checking RFC 4592 responses ..." n=$((n + 1)) echo_i "checking RFC 4592: host3.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN > dig.out.ns1.test$n || ret=1 -grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host3.example. MX IN >dig.out.ns1.test$n || ret=1 +grep '^host3.example..*IN.MX.10 host1.example.' dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host3.example. QTYPE=A, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host3.example. A IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host3.example. A IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: foo.bar.example. QTYPE=TXT, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN > dig.out.ns1.test$n || ret=1 -grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n > /dev/null || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 foo.bar.example TXT IN >dig.out.ns1.test$n || ret=1 +grep '^foo.bar.example..*IN.TXT."this is a wildcard"' dig.out.ns1.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 1," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host1.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host1.example MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host1.example MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: sub.*.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 "sub.*.example." MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: _telnet._tcp.host1.example. QTYPE=SRV, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 _telnet._tcp.host1.example. SRV IN >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: host.subdel.example. QTYPE=A, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 -grep "AUTHORITY: 2," dig.out.ns1.test$n > /dev/null || ret=1 -grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n > /dev/null || ret=1 -grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 host.subdel.example A IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 +grep "AUTHORITY: 2," dig.out.ns1.test$n >/dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.com." dig.out.ns1.test$n >/dev/null || ret=1 +grep "subdel.example..*IN.NS.ns.example.net." dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: ghost.*.example. QTYPE=MX, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN > dig.out.ns1.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 "ghost.*.example" MX IN >dig.out.ns1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) echo_i "checking RFC 4592: _foo._udp.bar.example. QTYPE=SRV, QCLASS=IN ($n)" ret=0 -$DIG $DIGOPTS @10.53.0.1 "_foo._udp.bar.example" SRV IN > dig.out.ns1.test$n || ret=1 -grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1 -grep "ANSWER: 0," dig.out.ns1.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.1 "_foo._udp.bar.example" SRV IN >dig.out.ns1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns1.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -247,33 +247,43 @@ n=$((n + 1)) echo_i "check wild card expansions by code point ($n)" ret=0 i=0 -while test $i -lt 256 -do - x=$(expr 00$i : '.*\(...\)$' || true) - $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT > dig.out.ns1.$x.test$n - if test $i -le 32 -o $i -ge 127 - then - grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } - # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64 - elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \ - $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92 - then - case $i in - 34) a='"';; - 36) a='$';; - 40) a='(';; - 41) a=')';; - 46) a='\.';; - 59) a=';';; - 64) a='@';; - 92) a='\\';; - *) a=''; echo_i "code point $x failed" ; ret=1 ;; - esac - grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n > /dev/null || { echo_i "code point $x failed" ; ret=1; } - else - grep '^\\' dig.out.ns1.$x.test$n && { echo_i "code point $x failed" ; ret=1; } - fi - i=$((i + 1)) +while test $i -lt 256; do + x=$(expr 00$i : '.*\(...\)$' || true) + $DIG $DIGOPTS @10.53.0.1 "\\$x.example" TXT >dig.out.ns1.$x.test$n + if test $i -le 32 -o $i -ge 127; then + grep '^\\'"$x"'\.example\..*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n >/dev/null || { + echo_i "code point $x failed" + ret=1 + } + # "=34 $=36 (=40 )=41 .=46 ;=59 \=92 @=64 + elif test $i -eq 34 -o $i -eq 36 -o $i -eq 40 -o $i -eq 41 -o \ + $i -eq 46 -o $i -eq 59 -o $i -eq 64 -o $i -eq 92; then + case $i in + 34) a='"' ;; + 36) a='$' ;; + 40) a='(' ;; + 41) a=')' ;; + 46) a='\.' ;; + 59) a=';' ;; + 64) a='@' ;; + 92) a='\\' ;; + *) + a='' + echo_i "code point $x failed" + ret=1 + ;; + esac + grep '^\\'"$a"'\.example.*.*TXT.*"this is a wildcard"$' dig.out.ns1.$x.test$n >/dev/null || { + echo_i "code point $x failed" + ret=1 + } + else + grep '^\\' dig.out.ns1.$x.test$n && { + echo_i "code point $x failed" + ret=1 + } + fi + i=$((i + 1)) done if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/xfer/ns1/named1.conf.in b/bin/tests/system/xfer/ns1/named1.conf.in index d7ce420..74111e0 100644 --- a/bin/tests/system/xfer/ns1/named1.conf.in +++ b/bin/tests/system/xfer/ns1/named1.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/ns1/named2.conf.in b/bin/tests/system/xfer/ns1/named2.conf.in index b349c33..401de47 100644 --- a/bin/tests/system/xfer/ns1/named2.conf.in +++ b/bin/tests/system/xfer/ns1/named2.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/ns1/named3.conf.in b/bin/tests/system/xfer/ns1/named3.conf.in index 05af961..b195986 100644 --- a/bin/tests/system/xfer/ns1/named3.conf.in +++ b/bin/tests/system/xfer/ns1/named3.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/ns2/named.conf.in b/bin/tests/system/xfer/ns2/named.conf.in index b81bd1c..81649ff 100644 --- a/bin/tests/system/xfer/ns2/named.conf.in +++ b/bin/tests/system/xfer/ns2/named.conf.in @@ -46,7 +46,7 @@ acl tzkey { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/xfer/ns3/named.conf.in b/bin/tests/system/xfer/ns3/named.conf.in index 16d0759..dcc6472 100644 --- a/bin/tests/system/xfer/ns3/named.conf.in +++ b/bin/tests/system/xfer/ns3/named.conf.in @@ -40,7 +40,7 @@ key tsigzone. { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "example" { diff --git a/bin/tests/system/xfer/ns6/named.conf.in b/bin/tests/system/xfer/ns6/named.conf.in index 87397b0..142383c 100644 --- a/bin/tests/system/xfer/ns6/named.conf.in +++ b/bin/tests/system/xfer/ns6/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -35,7 +35,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "primary" { diff --git a/bin/tests/system/xfer/ns7/named.conf.in b/bin/tests/system/xfer/ns7/named.conf.in index 47a9b05..41ea1cb 100644 --- a/bin/tests/system/xfer/ns7/named.conf.in +++ b/bin/tests/system/xfer/ns7/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; @@ -34,7 +34,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "primary2" { diff --git a/bin/tests/system/xfer/ns8/named.conf.in b/bin/tests/system/xfer/ns8/named.conf.in index 831e934..3846d4e 100644 --- a/bin/tests/system/xfer/ns8/named.conf.in +++ b/bin/tests/system/xfer/ns8/named.conf.in @@ -11,7 +11,7 @@ * information regarding copyright ownership. */ -include "../../common/rndc.key"; +include "../../_common/rndc.key"; controls { inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; diff --git a/bin/tests/system/xfer/prereq.sh b/bin/tests/system/xfer/prereq.sh index c7b7828..c517aed 100644 --- a/bin/tests/system/xfer/prereq.sh +++ b/bin/tests/system/xfer/prereq.sh @@ -16,11 +16,15 @@ # macOS ships with Net::DNS 0.74 which does not work with # HMAC-SHA256, despite the workarounds in ans.pl -if perl -MNet::DNS -e 'exit $Net::DNS::VERSION >= 1.0' -then - version=$(perl -MNet::DNS -e 'print $Net::DNS::VERSION') - echo_i "perl Net::DNS $version is too old - skipping xfer test" - exit 1 +if ${PERL} -MNet::DNS -e 'exit ($Net::DNS::VERSION >= 1.0)'; then + version=$(${PERL} -MNet::DNS -e 'print $Net::DNS::VERSION') + echo_i "perl Net::DNS $version is too old - skipping xfer test" + exit 1 +fi + +if ! ${PERL} -MDigest::HMAC -e ''; then + echo_i "perl Digest::HMAC module is required" + exit 1 fi exit 0 diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh index ff64d8f..bd885d2 100644 --- a/bin/tests/system/xfer/setup.sh +++ b/bin/tests/system/xfer/setup.sh @@ -21,7 +21,7 @@ $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 6 3 >ns6/primary.db $SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 7 >ns7/primary2.db cp -f ns4/root.db.in ns4/root.db -$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >> ns4/root.db +$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >>ns4/root.db copy_setports ns1/named1.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf @@ -39,7 +39,7 @@ touch -t 200101010000 ns2/sec.db cp ns2/mapped.db.in ns2/mapped.db -$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' > ns8/small.db -$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' > ns8/large.db +$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' >ns8/small.db +$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' >ns8/large.db cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh index f012d8b..a2c0adb 100755 --- a/bin/tests/system/xfer/tests.sh +++ b/bin/tests/system/xfer/tests.sh @@ -16,68 +16,68 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" NS_PARAMS="-X named.lock -m record -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152" status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "testing basic zone transfer functionality (from primary) ($n)" tmp=0 -$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1 +$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i digcomp dig1.good dig.out.ns2.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing basic zone transfer functionality (from secondary) ($n)" tmp=0 # # Spin to allow the zone to transfer. # -wait_for_xfer () { - ZONE=$1 - SERVER=$2 - $DIG $DIGOPTS $ZONE @$SERVER axfr > dig.out.test$n || return 1 - grep "^;" dig.out.test$n > /dev/null && return 1 - return 0 +wait_for_xfer() { + ZONE=$1 + SERVER=$2 + $DIG $DIGOPTS $ZONE @$SERVER axfr >dig.out.test$n || return 1 + grep "^;" dig.out.test$n >/dev/null && return 1 + return 0 } retry_quiet 25 wait_for_xfer example. 10.53.0.3 || tmp=1 grep "^;" dig.out.test$n | cat_i digcomp dig1.good dig.out.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing zone transfer functionality (fallback to DNS after DoT failed) ($n)" tmp=0 retry_quiet 25 wait_for_xfer dot-fallback. 10.53.0.2 || tmp=1 grep "^;" dig.out.test$n | cat_i digcomp dig3.good dig.out.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing TSIG signed zone transfers ($n)" tmp=0 -$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1 +$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 >dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i # # Spin to allow the zone to transfer. # -wait_for_xfer_tsig () { - $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1 - grep "^;" dig.out.ns3.test$n > /dev/null && return 1 - return 0 +wait_for_xfer_tsig() { + $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 >dig.out.ns3.test$n || return 1 + grep "^;" dig.out.ns3.test$n >/dev/null && return 1 + return 0 } retry_quiet 25 wait_for_xfer_tsig || tmp=1 grep "^;" dig.out.ns3.test$n | cat_i digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) echo_i "reload servers for in preparation for ixfr-from-differences tests" @@ -121,53 +121,53 @@ rndc_reload ns7 10.53.0.7 sleep 3 -n=$((n+1)) +n=$((n + 1)) echo_i "testing zone is dumped after successful transfer ($n)" tmp=0 $DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \ - secondary. soa > dig.out.ns2.test$n || tmp=1 -grep "1397051952 ; serial" dig.out.ns2.test$n > /dev/null 2>&1 || tmp=1 -grep "1397051952 ; serial" ns2/sec.db > /dev/null 2>&1 || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) + secondary. soa >dig.out.ns2.test$n || tmp=1 +grep "1397051952 ; serial" dig.out.ns2.test$n >/dev/null 2>&1 || tmp=1 +grep "1397051952 ; serial" ns2/sec.db >/dev/null 2>&1 || tmp=1 +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences yes; ($n)" tmp=0 echo_i "wait for reloads..." wait_for_reloads() ( - $DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary > dig.out.soa1.ns6.test$n - grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null || return 1 - $DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary > dig.out.soa2.ns1.test$n - grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null || return 1 - $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example > dig.out.soa3.ns2.test$n - grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null || return 1 - return 0 + $DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary >dig.out.soa1.ns6.test$n + grep "1397051953" dig.out.soa1.ns6.test$n >/dev/null || return 1 + $DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary >dig.out.soa2.ns1.test$n + grep "1397051953" dig.out.soa2.ns1.test$n >/dev/null || return 1 + $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example >dig.out.soa3.ns2.test$n + grep "1397051953" dig.out.soa3.ns2.test$n >/dev/null || return 1 + return 0 ) retry_quiet 20 wait_for_reloads || tmp=1 echo_i "wait for transfers..." wait_for_transfers() ( - a=0 b=0 c=0 d=0 - $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example > dig.out.soa1.ns3.test$n - grep "1397051953" dig.out.soa1.ns3.test$n > /dev/null && a=1 - $DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary > dig.out.soa2.ns3.test$n - grep "1397051953" dig.out.soa2.ns3.test$n > /dev/null && b=1 - $DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary > dig.out.soa3.ns6.test$n - grep "1397051953" dig.out.soa3.ns6.test$n > /dev/null && c=1 - [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0 - - # re-notify if necessary - $RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i - $RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i - $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i - return 1 + a=0 b=0 c=0 d=0 + $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example >dig.out.soa1.ns3.test$n + grep "1397051953" dig.out.soa1.ns3.test$n >/dev/null && a=1 + $DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary >dig.out.soa2.ns3.test$n + grep "1397051953" dig.out.soa2.ns3.test$n >/dev/null && b=1 + $DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary >dig.out.soa3.ns6.test$n + grep "1397051953" dig.out.soa3.ns6.test$n >/dev/null && c=1 + [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0 + + # re-notify if necessary + $RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i + $RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i + $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i + return 1 ) retry_quiet 20 wait_for_transfers || tmp=1 $DIG $DIGOPTS example. \ - @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 + @10.53.0.3 axfr >dig.out.ns3.test$n || tmp=1 grep "^;" dig.out.ns3.test$n | cat_i digcomp dig2.good dig.out.ns3.test$n || tmp=1 @@ -176,20 +176,20 @@ digcomp dig2.good dig.out.ns3.test$n || tmp=1 test -f ns3/example.bk || tmp=1 test -f ns3/example.bk.jnl || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences primary; (primary zone) ($n)" tmp=0 $DIG $DIGOPTS primary. \ - @10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1 + @10.53.0.6 axfr >dig.out.ns6.test$n || tmp=1 grep "^;" dig.out.ns6.test$n | cat_i $DIG $DIGOPTS primary. \ - @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 -grep "^;" dig.out.ns3.test$n > /dev/null && cat_i < dig.out.ns3.test$n + @10.53.0.3 axfr >dig.out.ns3.test$n || tmp=1 +grep "^;" dig.out.ns3.test$n >/dev/null && cat_i <dig.out.ns3.test$n digcomp dig.out.ns6.test$n dig.out.ns3.test$n || tmp=1 @@ -197,19 +197,19 @@ digcomp dig.out.ns6.test$n dig.out.ns3.test$n || tmp=1 test -f ns3/primary.bk || tmp=1 test -f ns3/primary.bk.jnl || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences primary; (secondary zone) ($n)" tmp=0 $DIG $DIGOPTS secondary. \ - @10.53.0.6 axfr > dig.out.ns6.test$n || tmp=1 + @10.53.0.6 axfr >dig.out.ns6.test$n || tmp=1 grep "^;" dig.out.ns6.test$n | cat_i $DIG $DIGOPTS secondary. \ - @10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1 + @10.53.0.1 axfr >dig.out.ns1.test$n || tmp=1 grep "^;" dig.out.ns1.test$n | cat_i digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1 @@ -218,10 +218,10 @@ digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1 test -f ns6/sec.bk || tmp=1 test -f ns6/sec.bk.jnl && tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)" tmp=0 @@ -229,19 +229,19 @@ tmp=0 test -f ns7/primary2.db || tmp=1 test -f ns7/primary2.db.jnl && tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)" tmp=0 $DIG $DIGOPTS secondary. \ - @10.53.0.1 axfr > dig.out.ns1.test$n || tmp=1 + @10.53.0.1 axfr >dig.out.ns1.test$n || tmp=1 grep "^;" dig.out.ns1.test$n | cat_i $DIG $DIGOPTS secondary. \ - @10.53.0.7 axfr > dig.out.ns7.test$n || tmp=1 + @10.53.0.7 axfr >dig.out.ns7.test$n || tmp=1 grep "^;" dig.out.ns7.test$n | cat_i digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1 @@ -250,30 +250,29 @@ digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1 test -f ns7/sec.bk || tmp=1 test -f ns7/sec.bk.jnl || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that a multi-message uncompressable zone transfers ($n)" -$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA > axfr.out -if test $(wc -l < axfr.out) != 2 -then - echo_i "failed" - status=$((status+1)) +$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out +if test $(wc -l <axfr.out) != 2; then + echo_i "failed" + status=$((status + 1)) fi # now we test transfers with assorted TSIG glitches DIGCMD="$DIG $DIGOPTS @10.53.0.4" sendcmd() { - send 10.53.0.5 "$EXTRAPORT1" + send 10.53.0.5 "$EXTRAPORT1" } echo_i "testing that incorrectly signed transfers will fail..." -n=$((n+1)) +n=$((n + 1)) echo_i "initial correctly-signed transfer should succeed ($n)" -sendcmd < ans5/goodaxfr +sendcmd <ans5/goodaxfr # Initially, ns4 is not authoritative for anything. # Now that ans is up and running with the right data, we make ns4 @@ -292,140 +291,140 @@ nextpart ns4/named.run >/dev/null rndc_reload ns4 10.53.0.4 wait_for_soa() ( - $DIGCMD nil. SOA > dig.out.ns4.test$n - grep SOA dig.out.ns4.test$n > /dev/null + $DIGCMD nil. SOA >dig.out.ns4.test$n + grep SOA dig.out.ns4.test$n >/dev/null ) retry_quiet 10 wait_for_soa -nextpart ns4/named.run | grep "Transfer status: success" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: success" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "unsigned transfer ($n)" -sendcmd < ans5/unsigned +sendcmd <ans5/unsigned sleep 1 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'unsigned AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "bad keydata ($n)" -sendcmd < ans5/badkeydata +sendcmd <ans5/badkeydata $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: tsig verify failure" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'bad keydata AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "partially-signed transfer ($n)" -sendcmd < ans5/partial +sendcmd <ans5/partial $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "unknown key ($n)" -sendcmd < ans5/unknownkey +sendcmd <ans5/unknownkey $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "incorrect key ($n)" -sendcmd < ans5/wrongkey +sendcmd <ans5/wrongkey $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "bad question section ($n)" -sendcmd < ans5/wrongname +sendcmd <ans5/wrongname $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "question name mismatch" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "question name mismatch" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'wrong question AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "bad message id ($n)" -sendcmd < ans5/badmessageid +sendcmd <ans5/badmessageid # Uncomment to see AXFR stream with mismatching IDs. # $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all @@ -434,36 +433,36 @@ $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "unexpected message id" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "unexpected message id" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'bad message id' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "mismatched SOA ($n)" -sendcmd < ans5/soamismatch +sendcmd <ans5/soamismatch $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -nextpart ns4/named.run | grep "Transfer status: FORMERR" > /dev/null || { - echo_i "failed: expected status was not logged" - status=$((status+1)) +nextpart ns4/named.run | grep "Transfer status: FORMERR" >/dev/null || { + echo_i "failed: expected status was not logged" + status=$((status + 1)) } $DIGCMD nil. TXT | grep 'SOA mismatch AXFR' >/dev/null && { - echo_i "failed" - status=$((status+1)) + echo_i "failed" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "check that we ask for and get a EDNS EXPIRE response ($n)" # force a refresh query $RNDCCMD 10.53.0.7 refresh edns-expire 2>&1 | sed 's/^/ns7 /' | cat_i @@ -472,57 +471,57 @@ sleep 10 # there may be multiple log entries so get the last one. expire=$(awk '/edns-expire\/IN: got EDNS EXPIRE of/ { x=$9 } END { print x }' ns7/named.run) test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || { - echo_i "failed (expire=${expire:-0})" - status=$((status+1)) + echo_i "failed (expire=${expire:-0})" + status=$((status + 1)) } -n=$((n+1)) +n=$((n + 1)) echo_i "test smaller transfer TCP message size ($n)" $DIG $DIGOPTS example. @10.53.0.8 axfr \ - -y key1.:1234abcd8765 > dig.out.msgsize.test$n || status=1 + -y key1.:1234abcd8765 >dig.out.msgsize.test$n || status=1 -bytes=$(wc -c < dig.out.msgsize.test$n) +bytes=$(wc -c <dig.out.msgsize.test$n) if [ $bytes -ne 459357 ]; then - echo_i "failed axfr size check" - status=$((status+1)) + echo_i "failed axfr size check" + status=$((status + 1)) fi num_messages=$(cat ns8/named.run | grep "sending TCP message of" | wc -l) if [ $num_messages -le 300 ]; then - echo_i "failed transfer message count check" - status=$((status+1)) + echo_i "failed transfer message count check" + status=$((status + 1)) fi -n=$((n+1)) +n=$((n + 1)) echo_i "test mapped zone with out of zone data ($n)" tmp=0 -$DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.1.test$n -grep "status: NOERROR," dig.out.1.test$n > /dev/null || tmp=1 +$DIG -p ${PORT} txt mapped @10.53.0.3 >dig.out.1.test$n +grep "status: NOERROR," dig.out.1.test$n >/dev/null || tmp=1 stop_server ns3 start_server --noclean --restart --port ${PORT} ns3 -check_mapped () { - $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n - grep "status: NOERROR," dig.out.2.test$n > /dev/null || return 1 - $DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n - digcomp knowngood.mapped dig.out.3.test$n || return 1 - return 0 +check_mapped() { + $DIG -p ${PORT} txt mapped @10.53.0.3 >dig.out.2.test$n + grep "status: NOERROR," dig.out.2.test$n >/dev/null || return 1 + $DIG -p ${PORT} axfr mapped @10.53.0.3 >dig.out.3.test$n + digcomp knowngood.mapped dig.out.3.test$n || return 1 + return 0 } retry_quiet 10 check_mapped || tmp=1 [ "$tmp" -ne 0 ] && echo_i "failed" -status=$((status+tmp)) +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "test that a zone with too many records is rejected (AXFR) ($n)" tmp=0 grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "test that a zone with too many records is rejected (IXFR) ($n)" tmp=0 -nextpart ns6/named.run > /dev/null -$NSUPDATE << EOF +nextpart ns6/named.run >/dev/null +$NSUPDATE <<EOF zone ixfr-too-big server 10.53.0.1 ${PORT} update add the-31st-record.ixfr-too-big 0 TXT this is it @@ -530,10 +529,10 @@ send EOF msg="'ixfr-too-big/IN' from 10.53.0.1#${PORT}: Transfer status: too many records" wait_for_log 10 "$msg" ns6/named.run || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether dig calculates AXFR statistics correctly ($n)" tmp=0 # Loop until the secondary server manages to transfer the "xfer-stats" zone so @@ -541,56 +540,56 @@ tmp=0 # Use -b so that we can discern between incoming and outgoing transfers in ns3 # logs later on. wait_for_xfer() ( - $DIG $DIGOPTS +noedns +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR > dig.out.ns3.test$n - grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || return 0 - return 1 + $DIG $DIGOPTS +noedns +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR >dig.out.ns3.test$n + grep "; Transfer failed" dig.out.ns3.test$n >/dev/null || return 0 + return 1 ) if retry_quiet 10 wait_for_xfer; then - get_dig_xfer_stats dig.out.ns3.test$n > stats.dig - diff axfr-stats.good stats.dig || tmp=1 + get_dig_xfer_stats dig.out.ns3.test$n >stats.dig + diff axfr-stats.good stats.dig || tmp=1 else - echo_i "timed out waiting for zone transfer" + echo_i "timed out waiting for zone transfer" fi -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) # Note: in the next two tests, we use ns3 logs for checking both incoming and # outgoing transfer statistics as ns3 is both a secondary server (for ns1) and a # primary server (for dig queries from the previous test) for "xfer-stats". -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates incoming AXFR statistics correctly ($n)" tmp=0 -get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" > stats.incoming +get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" >stats.incoming diff axfr-stats.good stats.incoming || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "checking whether named calculates outgoing AXFR statistics correctly ($n)" tmp=0 check_xfer_stats() { - get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" > stats.outgoing - diff axfr-stats.good stats.outgoing > /dev/null + get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" >stats.outgoing + diff axfr-stats.good stats.outgoing >/dev/null } retry_quiet 10 check_xfer_stats || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) -n=$((n+1)) +n=$((n + 1)) echo_i "test that transfer-source uses port option correctly ($n)" tmp=0 -grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run > /dev/null || tmp=1 -if test $tmp != 0 ; then echo_i "failed"; fi -status=$((status+tmp)) +grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run >/dev/null || tmp=1 +if test $tmp != 0; then echo_i "failed"; fi +status=$((status + tmp)) wait_for_message() ( - nextpartpeek ns6/named.run > wait_for_message.$n - grep -F "$1" wait_for_message.$n >/dev/null + nextpartpeek ns6/named.run >wait_for_message.$n + grep -F "$1" wait_for_message.$n >/dev/null ) -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "test max-transfer-time-in with 1 second timeout ($n)" stop_server ns1 copy_setports ns1/named2.conf.in ns1/named.conf @@ -599,11 +598,11 @@ sleep 1 $RNDCCMD 10.53.0.6 retransfer axfr-max-transfer-time 2>&1 | sed 's/^/ns6 /' | cat_i tmp=0 retry_quiet 10 wait_for_message "maximum transfer time exceeded: timed out" || tmp=1 -status=$((status+tmp)) +status=$((status + tmp)) -nextpart ns6/named.run > /dev/null +nextpart ns6/named.run >/dev/null -n=$((n+1)) +n=$((n + 1)) echo_i "test max-transfer-idle-in with 50 seconds timeout ($n)" stop_server ns1 copy_setports ns1/named3.conf.in ns1/named.conf @@ -614,14 +613,14 @@ $RNDCCMD 10.53.0.6 retransfer axfr-max-idle-time 2>&1 | sed 's/^/ns6 /' | cat_i tmp=0 retry_quiet 60 wait_for_message "maximum idle time exceeded: timed out" || tmp=1 if [ $tmp -eq 0 ]; then - now=$(date +%s) - diff=$((now - start)) - # we expect a timeout in 50 seconds - test $diff -lt 50 && tmp=1 - test $diff -ge 59 && tmp=1 - if test $tmp != 0 ; then echo_i "unexpected diff value: ${diff}"; fi + now=$(date +%s) + diff=$((now - start)) + # we expect a timeout in 50 seconds + test $diff -lt 50 && tmp=1 + test $diff -ge 59 && tmp=1 + if test $tmp != 0; then echo_i "unexpected diff value: ${diff}"; fi fi -status=$((status+tmp)) +status=$((status + tmp)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/xferquota/ns2/named.conf.in b/bin/tests/system/xferquota/ns2/named.conf.in index f21938e..a82fa44 100644 --- a/bin/tests/system/xferquota/ns2/named.conf.in +++ b/bin/tests/system/xferquota/ns2/named.conf.in @@ -29,7 +29,7 @@ options { zone "." { type hint; - file "../../common/root.hint"; + file "../../_common/root.hint"; }; zone "changing." { diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh index 46dfba0..4f4eed1 100755 --- a/bin/tests/system/xferquota/tests.sh +++ b/bin/tests/system/xferquota/tests.sh @@ -16,7 +16,7 @@ set -e . ../conf.sh DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" # # Perform tests @@ -25,35 +25,35 @@ RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" count=0 ticks=0 while [ $count != 300 ]; do - if [ $ticks = 1 ]; then - echo_i "Changing test zone..." - cp -f ns1/changing2.db ns1/changing.db - kill -HUP $(cat ns1/named.pid) - fi - sleep 1 - ticks=$((ticks + 1)) - seconds=$((ticks * 1)) - if [ $ticks = 360 ]; then - echo_i "Took too long to load zones" - exit 1 - fi - count=$(cat ns2/zone*.bk | grep xyzzy | wc -l) - echo_i "Have $count zones up in $seconds seconds" + if [ $ticks = 1 ]; then + echo_i "Changing test zone..." + cp -f ns1/changing2.db ns1/changing.db + kill -HUP $(cat ns1/named.pid) + fi + sleep 1 + ticks=$((ticks + 1)) + seconds=$((ticks * 1)) + if [ $ticks = 360 ]; then + echo_i "Took too long to load zones" + exit 1 + fi + count=$(cat ns2/zone*.bk | grep xyzzy | wc -l) + echo_i "Have $count zones up in $seconds seconds" done status=0 -$DIG $DIGOPTS zone000099.example. @10.53.0.1 axfr > dig.out.ns1 || status=1 +$DIG $DIGOPTS zone000099.example. @10.53.0.1 axfr >dig.out.ns1 || status=1 -$DIG $DIGOPTS zone000099.example. @10.53.0.2 axfr > dig.out.ns2 || status=1 +$DIG $DIGOPTS zone000099.example. @10.53.0.2 axfr >dig.out.ns2 || status=1 digcomp dig.out.ns1 dig.out.ns2 || status=1 sleep 15 -$DIG $DIGOPTS a.changing. @10.53.0.1 a > dig.out.ns1 || status=1 +$DIG $DIGOPTS a.changing. @10.53.0.1 a >dig.out.ns1 || status=1 -$DIG $DIGOPTS a.changing. @10.53.0.2 a > dig.out.ns2 || status=1 +$DIG $DIGOPTS a.changing. @10.53.0.2 a >dig.out.ns2 || status=1 digcomp dig.out.ns1 dig.out.ns2 || status=1 diff --git a/bin/tests/system/zero/prereq.sh b/bin/tests/system/zero/prereq.sh new file mode 100644 index 0000000..c52be9c --- /dev/null +++ b/bin/tests/system/zero/prereq.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +. ../conf.sh + +if ! ${PERL} -MNet::DNS -e ''; then + echo_i "perl Net::DNS module is required" + exit 1 +fi + +exit 0 diff --git a/bin/tests/system/zero/setup.sh b/bin/tests/system/zero/setup.sh index bf58ee5..794f6a9 100644 --- a/bin/tests/system/zero/setup.sh +++ b/bin/tests/system/zero/setup.sh @@ -18,4 +18,4 @@ copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 4 | sed -e 's/^$TTL 3600$/$TTL 0 ; force TTL to zero/' -e 's/86400.IN SOA/0 SOA/' > ns2/example.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 4 | sed -e 's/^$TTL 3600$/$TTL 0 ; force TTL to zero/' -e 's/86400.IN SOA/0 SOA/' >ns2/example.db diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh index f5e2038..006552f 100644 --- a/bin/tests/system/zero/tests.sh +++ b/bin/tests/system/zero/tests.sh @@ -17,107 +17,135 @@ set -e . ../conf.sh dig_with_opts() { - "$DIG" -p "${PORT}" "$@" + "$DIG" -p "${PORT}" "$@" } wait_for_pid() ( - for pid in "$@"; do - kill -0 "$pid" 2>/dev/null && return 1 - done - return 0 + for pid in "$@"; do + kill -0 "$pid" 2>/dev/null && return 1 + done + return 0 ) status=0 n=0 -n=$((n+1)) +n=$((n + 1)) echo_i "check lookups against TTL=0 records ($n)" i=0 ret=0 passes=10 -dig_with_opts @10.53.0.2 axfr example | grep -v "^ds0" | \ -awk '$2 == "0" { print "-q", $1, $4; print "-q", "zzz"$1, $4;}' > query.list +dig_with_opts @10.53.0.2 axfr example | grep -v "^ds0" \ + | awk '$2 == "0" { print "-q", $1, $4; print "-q", "zzz"$1, $4;}' >query.list # add 1/5 second per query -timeout=$(($(wc -l < query.list) / 5)) -while [ $i -lt $passes ] -do - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.1.test$n" 2>&1) & pid1="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.2.test$n" 2>&1) & pid2="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.3.test$n" 2>&1) & pid3="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.4.test$n" 2>&1) & pid4="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.5.test$n" 2>&1) & pid5="$!" - (dig_with_opts -d +qr @10.53.0.3 -f query.list > "dig.out$i.6.test$n" 2>&1) & pid6="$!" - - retry_quiet "$timeout" wait_for_pid "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" || { echo_i "wait_for_pid failed"; ret=1; } - kill -TERM "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" 2>/dev/null || true - - wait "$pid1" || { echo_i "wait $pid1 (dig.out$i.1.test$n) failed with $?"; ret=1; } - wait "$pid2" || { echo_i "wait $pid2 (dig.out$i.2.test$n) failed with $?"; ret=1; } - wait "$pid3" || { echo_i "wait $pid3 (dig.out$i.3.test$n) failed with $?"; ret=1; } - wait "$pid4" || { echo_i "wait $pid4 (dig.out$i.4.test$n) failed with $?"; ret=1; } - wait "$pid5" || { echo_i "wait $pid5 (dig.out$i.5.test$n) failed with $?"; ret=1; } - wait "$pid6" || { echo_i "wait $pid6 (dig.out$i.6.test$n) failed with $?"; ret=1; } - - grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1 - [ $ret = 1 ] && break - i=$((i+1)) - echo_i "successfully completed pass $i of $passes" +timeout=$(($(wc -l <query.list) / 5)) +while [ $i -lt $passes ]; do + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.1.test$n" 2>&1) & + pid1="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.2.test$n" 2>&1) & + pid2="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.3.test$n" 2>&1) & + pid3="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.4.test$n" 2>&1) & + pid4="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.5.test$n" 2>&1) & + pid5="$!" + (dig_with_opts -d +qr @10.53.0.3 -f query.list >"dig.out$i.6.test$n" 2>&1) & + pid6="$!" + + retry_quiet "$timeout" wait_for_pid "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" || { + echo_i "wait_for_pid failed" + ret=1 + } + kill -TERM "$pid1" "$pid2" "$pid3" "$pid4" "$pid5" "$pid6" 2>/dev/null || true + + wait "$pid1" || { + echo_i "wait $pid1 (dig.out$i.1.test$n) failed with $?" + ret=1 + } + wait "$pid2" || { + echo_i "wait $pid2 (dig.out$i.2.test$n) failed with $?" + ret=1 + } + wait "$pid3" || { + echo_i "wait $pid3 (dig.out$i.3.test$n) failed with $?" + ret=1 + } + wait "$pid4" || { + echo_i "wait $pid4 (dig.out$i.4.test$n) failed with $?" + ret=1 + } + wait "$pid5" || { + echo_i "wait $pid5 (dig.out$i.5.test$n) failed with $?" + ret=1 + } + wait "$pid6" || { + echo_i "wait $pid6 (dig.out$i.6.test$n) failed with $?" + ret=1 + } + + grep "status: SERVFAIL" "dig.out$i.1.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.2.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.3.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.4.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.5.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.6.test$n" >/dev/null && ret=1 + [ $ret = 1 ] && break + i=$((i + 1)) + echo_i "successfully completed pass $i of $passes" done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) repeat_query() ( - i=0 - while [ "$i" -lt "$1" ]; do - dig_with_opts +short "@$2" "$3" | tee "dig.out$i.test$n" || return 1 - i=$((i+1)) - done + i=0 + while [ "$i" -lt "$1" ]; do + dig_with_opts +short "@$2" "$3" | tee "dig.out$i.test$n" || return 1 + i=$((i + 1)) + done ) count_unique() ( - repeat_query "$@" | sort -u | wc -l + repeat_query "$@" | sort -u | wc -l ) -n=$((n+1)) +n=$((n + 1)) echo_i "check repeated recursive lookups of non recurring TTL=0 responses get new values ($n)" ret=0 repeats=9 count=$(count_unique "$repeats" 10.53.0.3 foo.increment) -if [ "$count" -ne "$repeats" ] ; then echo_i "failed (count=$count, repeats=$repeats)"; ret=1; fi -status=$((status+ret)) +if [ "$count" -ne "$repeats" ]; then + echo_i "failed (count=$count, repeats=$repeats)" + ret=1 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check lookups against TTL=1 records ($n)" i=0 passes=10 ret=0 -while [ $i -lt $passes ] -do - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.1.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.2.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.3.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.4.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.5.test$n" || ret=1 - dig_with_opts @10.53.0.3 www.one.tld > "dig.out$i.6.test$n" || ret=1 - grep "status: SERVFAIL" "dig.out$i.1.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.2.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.3.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.4.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.5.test$n" > /dev/null && ret=1 - grep "status: SERVFAIL" "dig.out$i.6.test$n" > /dev/null && ret=1 - [ $ret = 1 ] && break - i=$((i+1)) - echo_i "successfully completed pass $i of $passes" - sleep 1 +while [ $i -lt $passes ]; do + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.1.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.2.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.3.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.4.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.5.test$n" || ret=1 + dig_with_opts @10.53.0.3 www.one.tld >"dig.out$i.6.test$n" || ret=1 + grep "status: SERVFAIL" "dig.out$i.1.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.2.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.3.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.4.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.5.test$n" >/dev/null && ret=1 + grep "status: SERVFAIL" "dig.out$i.6.test$n" >/dev/null && ret=1 + [ $ret = 1 ] && break + i=$((i + 1)) + echo_i "successfully completed pass $i of $passes" + sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ "$status" -eq 0 ] || exit 1 diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh index 76e8a19..ffefaf3 100644 --- a/bin/tests/system/zonechecks/setup.sh +++ b/bin/tests/system/zonechecks/setup.sh @@ -18,16 +18,16 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 > ns1/primary.db -$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 > ns1/duplicate.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 >ns1/primary.db +$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 >ns1/duplicate.db cp bigserial.db ns1/ cd ns1 touch primary.db.signed -echo '$INCLUDE "primary.db.signed"' >> primary.db -$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example > /dev/null 2>&1 -$KEYGEN -a ${DEFAULT_ALGORITHM} -qfk primary.example > /dev/null 2>&1 -$SIGNER -SD -o primary.example primary.db > /dev/null \ - 2> signer.err || cat signer.err -echo '$INCLUDE "soa.db"' > reload.db -echo '@ 0 NS .' >> reload.db -echo '@ 0 SOA . . 1 0 0 0 0' > soa.db +echo '$INCLUDE "primary.db.signed"' >>primary.db +$KEYGEN -a ${DEFAULT_ALGORITHM} -q primary.example >/dev/null 2>&1 +$KEYGEN -a ${DEFAULT_ALGORITHM} -qfk primary.example >/dev/null 2>&1 +$SIGNER -SD -o primary.example primary.db >/dev/null \ + 2>signer.err || cat signer.err +echo '$INCLUDE "soa.db"' >reload.db +echo '@ 0 NS .' >>reload.db +echo '@ 0 SOA . . 1 0 0 0 0' >soa.db diff --git a/bin/tests/system/zonechecks/tests.sh b/bin/tests/system/zonechecks/tests.sh index 958bfed..5d6b8a2 100644 --- a/bin/tests/system/zonechecks/tests.sh +++ b/bin/tests/system/zonechecks/tests.sh @@ -16,164 +16,163 @@ set -e . ../conf.sh DIGOPTS="-p ${PORT}" -RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" +RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s" status=0 # echo_i "checking that we detect a NS which refers to a CNAME" -if $CHECKZONE . cname.db > cname.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . cname.db >cname.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "is a CNAME" cname.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "is a CNAME" cname.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which is below a DNAME" -if $CHECKZONE . dname.db > dname.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . dname.db >dname.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "is below a DNAME" dname.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "is below a DNAME" dname.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which has no address records (A/AAAA)" -if $CHECKZONE . noaddress.db > noaddress.out -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . noaddress.db >noaddress.out; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "has no address records" noaddress.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "has no address records" noaddress.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which has no records" -if $CHECKZONE . nxdomain.db > nxdomain.out -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE . nxdomain.db >nxdomain.out; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "has no address records" noaddress.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "has no address records" noaddress.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which looks like a A record (fail)" -if $CHECKZONE -n fail . a.db > a.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE -n fail . a.db >a.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "appears to be an address" a.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "appears to be an address" a.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which looks like a A record (warn=default)" -if $CHECKZONE . a.db > a.out 2>&1 -then - if grep "appears to be an address" a.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi +if $CHECKZONE . a.db >a.out 2>&1; then + if grep "appears to be an address" a.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking that we detect a NS which looks like a A record (ignore)" -if $CHECKZONE -n ignore . a.db > a.out 2>&1 -then - if grep "appears to be an address" a.out > /dev/null - then - echo_i "failed (message)"; status=$((status + 1)) - else - : - fi +if $CHECKZONE -n ignore . a.db >a.out 2>&1; then + if grep "appears to be an address" a.out >/dev/null; then + echo_i "failed (message)" + status=$((status + 1)) + else + : + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking that we detect a NS which looks like a AAAA record (fail)" -if $CHECKZONE -n fail . aaaa.db > aaaa.out 2>&1 -then - echo_i "failed (status)"; status=$((status + 1)) +if $CHECKZONE -n fail . aaaa.db >aaaa.out 2>&1; then + echo_i "failed (status)" + status=$((status + 1)) else - if grep "appears to be an address" aaaa.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi + if grep "appears to be an address" aaaa.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi fi # echo_i "checking that we detect a NS which looks like a AAAA record (warn=default)" -if $CHECKZONE . aaaa.db > aaaa.out 2>&1 -then - if grep "appears to be an address" aaaa.out > /dev/null - then - : - else - echo_i "failed (message)"; status=$((status + 1)) - fi +if $CHECKZONE . aaaa.db >aaaa.out 2>&1; then + if grep "appears to be an address" aaaa.out >/dev/null; then + : + else + echo_i "failed (message)" + status=$((status + 1)) + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking that we detect a NS which looks like a AAAA record (ignore)" -if $CHECKZONE -n ignore . aaaa.db > aaaa.out 2>&1 -then - if grep "appears to be an address" aaaa.out > /dev/null - then - echo_i "failed (message)"; status=$((status + 1)) - else - : - fi +if $CHECKZONE -n ignore . aaaa.db >aaaa.out 2>&1; then + if grep "appears to be an address" aaaa.out >/dev/null; then + echo_i "failed (message)" + status=$((status + 1)) + else + : + fi else - echo_i "failed (status)"; status=$((status + 1)) + echo_i "failed (status)" + status=$((status + 1)) fi # echo_i "checking 'rdnc zonestatus' output" ret=0 -for i in 0 1 2 3 4 5 6 7 8 9 -do - $RNDCCMD 10.53.0.1 zonestatus primary.example > rndc.out.pri 2>&1 - grep "zone not loaded" rndc.out.pri > /dev/null || break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $RNDCCMD 10.53.0.1 zonestatus primary.example >rndc.out.pri 2>&1 + grep "zone not loaded" rndc.out.pri >/dev/null || break + sleep 1 done checkfor() { - grep "$1" $2 > /dev/null || { - ret=1; - echo_i "missing string '$1' from '$2'" - } + grep "$1" $2 >/dev/null || { + ret=1 + echo_i "missing string '$1' from '$2'" + } } checkfor "name: primary.example" rndc.out.pri checkfor "type: primary" rndc.out.pri @@ -189,11 +188,10 @@ checkfor "next resign node: " rndc.out.pri checkfor "next resign time: " rndc.out.pri checkfor "dynamic: yes" rndc.out.pri checkfor "frozen: no" rndc.out.pri -for i in 0 1 2 3 4 5 6 7 8 9 -do - $RNDCCMD 10.53.0.2 zonestatus primary.example > rndc.out.sec 2>&1 - grep "zone not loaded" rndc.out.sec > /dev/null || break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $RNDCCMD 10.53.0.2 zonestatus primary.example >rndc.out.sec 2>&1 + grep "zone not loaded" rndc.out.sec >/dev/null || break + sleep 1 done checkfor "name: primary.example" rndc.out.sec checkfor "type: secondary" rndc.out.sec @@ -203,34 +201,31 @@ checkfor "nodes: " rndc.out.sec checkfor "next refresh: " rndc.out.sec checkfor "expires: " rndc.out.sec checkfor "secure: yes" rndc.out.sec -for i in 0 1 2 3 4 5 6 7 8 9 -do - $RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.prereload 2>&1 - grep "zone not loaded" rndc.out.prereload > /dev/null || break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $RNDCCMD 10.53.0.1 zonestatus reload.example >rndc.out.prereload 2>&1 + grep "zone not loaded" rndc.out.prereload >/dev/null || break + sleep 1 done checkfor "files: reload.db, soa.db$" rndc.out.prereload -echo "@ 0 SOA . . 2 0 0 0 0" > ns1/soa.db +echo "@ 0 SOA . . 2 0 0 0 0" >ns1/soa.db $RNDCCMD 10.53.0.1 reload reload.example | sed 's/^/ns1 /' | cat_i -for i in 0 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out - grep " 2 0 0 0 0" dig.out >/dev/null && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS reload.example SOA @10.53.0.1 >dig.out + grep " 2 0 0 0 0" dig.out >/dev/null && break + sleep 1 done -$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.postreload 2>&1 +$RNDCCMD 10.53.0.1 zonestatus reload.example >rndc.out.postreload 2>&1 checkfor "files: reload.db, soa.db$" rndc.out.postreload sleep 1 -echo "@ 0 SOA . . 3 0 0 0 0" > ns1/reload.db -echo "@ 0 NS ." >> ns1/reload.db +echo "@ 0 SOA . . 3 0 0 0 0" >ns1/reload.db +echo "@ 0 NS ." >>ns1/reload.db rndc_reload ns1 10.53.0.1 reload.example -for i in 0 1 2 3 4 5 6 7 8 9 -do - $DIG $DIGOPTS reload.example SOA @10.53.0.1 > dig.out - grep " 3 0 0 0 0" dig.out >/dev/null && break - sleep 1 +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS reload.example SOA @10.53.0.1 >dig.out + grep " 3 0 0 0 0" dig.out >/dev/null && break + sleep 1 done -$RNDCCMD 10.53.0.1 zonestatus reload.example > rndc.out.removeinclude 2>&1 +$RNDCCMD 10.53.0.1 zonestatus reload.example >rndc.out.removeinclude 2>&1 checkfor "files: reload.db$" rndc.out.removeinclude if [ $ret != 0 ]; then echo_i "failed"; fi @@ -238,18 +233,18 @@ status=$((status + ret)) echo_i "checking 'rdnc zonestatus' with duplicated zone name" ret=0 -$RNDCCMD 10.53.0.1 zonestatus duplicate.example > rndc.out.duplicate 2>&1 && ret=1 +$RNDCCMD 10.53.0.1 zonestatus duplicate.example >rndc.out.duplicate 2>&1 && ret=1 checkfor "zone 'duplicate.example' was found in multiple views" rndc.out.duplicate -$RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary > rndc.out.duplicate 2>&1 || ret=1 +$RNDCCMD 10.53.0.1 zonestatus duplicate.example in primary >rndc.out.duplicate 2>&1 || ret=1 checkfor "name: duplicate.example" rndc.out.duplicate -$RNDCCMD 10.53.0.1 zonestatus nosuchzone.example > rndc.out.duplicate 2>&1 && ret=1 +$RNDCCMD 10.53.0.1 zonestatus nosuchzone.example >rndc.out.duplicate 2>&1 && ret=1 checkfor "no matching zone 'nosuchzone.example' in any view" rndc.out.duplicate if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking 'rdnc zonestatus' with big serial value" ret=0 -$RNDCCMD 10.53.0.1 zonestatus bigserial.example > rndc.out.bigserial 2>&1 +$RNDCCMD 10.53.0.1 zonestatus bigserial.example >rndc.out.bigserial 2>&1 checkfor "serial: 3003113544" rndc.out.bigserial if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) |