summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/synthfromdnssec/tests.sh
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--bin/tests/system/synthfromdnssec/tests.sh904
1 files changed, 904 insertions, 0 deletions
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
new file mode 100644
index 0000000..1bfd00b
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -0,0 +1,904 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# set -e
+#
+# shellcheck source=conf.sh
+. ../conf.sh
+
+RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+
+set -e
+
+status=0
+n=1
+synth_default=yes
+
+rm -f dig.out.*
+
+dig_with_opts() {
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+check_ad_flag() {
+ if [ ${1} = yes ]
+ then
+ grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1
+ else
+ grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1
+ fi
+ return 0
+}
+
+check_status() {
+ grep "status: ${1}," ${2} > /dev/null || return 1
+ return 0
+}
+
+check_synth_soa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_soa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_synth_a() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_a() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_synth_aaaa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_aaaa() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_synth_cname() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1
+ grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1
+ return 0
+)
+
+check_nosynth_cname() (
+ name=$(echo "$1" | sed 's/\./\\./g')
+ grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1
+ return 0
+)
+
+check_auth_count() {
+ grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1
+ return 0
+}
+
+for ns in 2 4 5 6
+do
+ case $ns in
+ 2) ad=yes; description="<default>";;
+ 4) ad=yes; description="no";;
+ 5) ad=yes; description="yes";;
+ 6) ad=no; description="yes; dnssec-validation no";;
+ *) exit 1;;
+ esac
+ echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
+ check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 4 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1
+ check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1
+ [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+done
+
+echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+check_ad_flag no dig.out.ns3.test$n || ret=1
+check_status NOERROR dig.out.ns3.test$n || ret=1
+grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# ensure TTL of synthesised answers differs from direct answers.
+#
+sleep 1
+
+for ns in 2 4 5 6
+do
+ case $ns in
+ 2) ad=yes synth=${synth_default} description="<default>";;
+ 4) ad=yes synth=no description="no";;
+ 5) ad=yes synth=yes description="yes";;
+ 6) ad=no synth=no description="yes; dnssec-validation no";;
+ *) exit 1;;
+ esac
+ echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1
+ fi
+ digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1
+ fi
+ digcomp nodata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1
+ else
+ check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1
+ fi
+ digcomp wild.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1
+ else
+ check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1
+ fi
+ grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1
+ fi
+ digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1
+ fi
+ digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record
+ dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1
+ #
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ if [ ${synth} = yes ]
+ then
+ check_synth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1
+ else
+ check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1
+ fi
+ digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1
+ digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1
+ digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1
+ digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1
+ grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
+ digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1
+ #
+ dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag no dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1
+ digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1
+ digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ nextpart ns1/named.run > /dev/null
+ dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
+ digcomp black.out dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+ grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i
+ # 2 views, _bind should always be '0 covering nsec returned'
+ count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l)
+ if [ ${synth} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes'
+ count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
+ if [ ${ad} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ for synthesized in NXDOMAIN no-data wildcard
+ do
+ case $synthesized in
+ NXDOMAIN) count=1;;
+ no-data) count=4;;
+ wildcard) count=2;;
+ esac
+ echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ if [ ${synth} = yes ]
+ then
+ grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1
+ else
+ grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ done
+
+ if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then
+ echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ xml=xml.out$n
+ ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
+ count=$(echo "$counter" | grep CoveringNSEC | wc -l)
+ test $count = 1 || ret=1
+ zero=$(echo "$counter" | grep ">0<" | wc -l)
+ if [ ${synth} = yes ]
+ then
+ test $zero = 0 || ret=1
+ else
+ test $zero = 1 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml)
+ count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
+ test $count = 1 || ret=1
+ zero=$(echo "$counter" | grep ">0<" | wc -l)
+ if [ ${ad} = yes ]
+ then
+ test $zero = 0 || ret=1
+ else
+ test $zero = 1 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD
+ do
+ case $synthesized in
+ SynthNXDOMAIN) count=1;;
+ SynthNODATA) count=4;;
+ SynthWILDCARD) count=2;;
+ esac
+
+ echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ if [ ${synth} = yes ]
+ then
+ grep '<counter name="'$synthesized'">'$count'</counter>' $xml > /dev/null || ret=1
+ else
+ grep '<counter name="'$synthesized'">'0'</counter>' $xml > /dev/null || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ done
+ else
+ echo_i "Skipping XML statistics checks"
+ fi
+
+ if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then
+ echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ json=json.out$n
+ ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ count=$(grep '"CoveringNSEC":' $json | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep '"CoveringNSEC":0' $json | wc -l)
+ if [ ${synth} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ count=$(grep '"CacheNSECNodes":' $json | wc -l)
+ test $count = 2 || ret=1
+ zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
+ if [ ${ad} = yes ]
+ then
+ test $zero = 1 || ret=1
+ else
+ test $zero = 2 || ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD
+ do
+ case $synthesized in
+ SynthNXDOMAIN) count=1;;
+ SynthNODATA) count=4;;
+ SynthWILDCARD) count=2;;
+ esac
+
+ echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ if [ ${synth} = yes ]
+ then
+ grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1
+ else
+ grep '"'$synthesized'":' $json > /dev/null && ret=1
+ fi
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ done
+ else
+ echo_i "Skipping JSON statistics checks"
+ fi
+done
+
+echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+synth=${synth_default}
+dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+check_ad_flag yes dig.out.ns3.test$n || ret=1
+check_status NXDOMAIN dig.out.ns3.test$n || ret=1
+if [ ${synth} = yes ]
+then
+ check_synth_soa . dig.out.ns3.test$n || ret=1
+else
+ check_nosynth_soa . dig.out.ns3.test$n || ret=1
+fi
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
+ret=0
+dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+check_ad_flag no dig.out.ns3.test$n || ret=1
+check_status NOERROR dig.out.ns3.test$n || ret=1
+grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
+ret=0
+dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
+dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+check_status NOERROR dig.out.ns5-1.test$n || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "regression test for CVE-2022-0635 ($n)"
+ret=0
+# add DNAME to cache
+dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1
+# add A record to cache at name before DNAME owner
+dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+# add NSEC record to cache at name before DNAME owner
+dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1
+# wait for NSEC to timeout
+sleep 6
+# use DNAME for lookup
+dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)"
+ret=0
+#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
+dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
+grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
+#perform lookup in grafted zone
+dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)"
+ret=0
+#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
+dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
+grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
+#perform lookup in grafted zone
+dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1