diff options
Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/synthfromdnssec/tests.sh | 904 |
1 files changed, 904 insertions, 0 deletions
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh new file mode 100644 index 0000000..1bfd00b --- /dev/null +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -0,0 +1,904 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# set -e +# +# shellcheck source=conf.sh +. ../conf.sh + +RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" + +set -e + +status=0 +n=1 +synth_default=yes + +rm -f dig.out.* + +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +check_ad_flag() { + if [ ${1} = yes ] + then + grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1 + else + grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1 + fi + return 0 +} + +check_status() { + grep "status: ${1}," ${2} > /dev/null || return 1 + return 0 +} + +check_synth_soa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_soa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1 + return 0 +) + +check_synth_a() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_a() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1 + return 0 +) + +check_synth_aaaa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_aaaa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1 + return 0 +) + +check_synth_cname() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_cname() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1 + return 0 +) + +check_auth_count() { + grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1 + return 0 +} + +for ns in 2 4 5 6 +do + case $ns in + 2) ad=yes; description="<default>";; + 4) ad=yes; description="no";; + 5) ad=yes; description="yes";; + 6) ad=no; description="yes; dnssec-validation no";; + *) exit 1;; + esac + echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +done + +echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +check_ad_flag no dig.out.ns3.test$n || ret=1 +check_status NOERROR dig.out.ns3.test$n || ret=1 +grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# ensure TTL of synthesised answers differs from direct answers. +# +sleep 1 + +for ns in 2 4 5 6 +do + case $ns in + 2) ad=yes synth=${synth_default} description="<default>";; + 4) ad=yes synth=no description="no";; + 5) ad=yes synth=yes description="yes";; + 6) ad=no synth=no description="yes; dnssec-validation no";; + *) exit 1;; + esac + echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1 + fi + digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1 + fi + digcomp nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1 + else + check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1 + fi + digcomp wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1 + else + check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1 + fi + grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1 + fi + digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1 + fi + digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1 + # + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1 + fi + digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1 + digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1 + digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1 + digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1 + grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1 + # + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1 + digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1 + digcomp black.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)" + ret=0 + ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i + # 2 views, _bind should always be '0 covering nsec returned' + count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l) + if [ ${synth} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)" + ret=0 + # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes' + count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + if [ ${ad} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + for synthesized in NXDOMAIN no-data wildcard + do + case $synthesized in + NXDOMAIN) count=1;; + no-data) count=4;; + wildcard) count=2;; + esac + echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ] + then + grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1 + else + grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + done + + if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then + echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)" + ret=0 + xml=xml.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" + ret=0 + counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) + count=$(echo "$counter" | grep CoveringNSEC | wc -l) + test $count = 1 || ret=1 + zero=$(echo "$counter" | grep ">0<" | wc -l) + if [ ${synth} = yes ] + then + test $zero = 0 || ret=1 + else + test $zero = 1 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" + ret=0 + counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) + count=$(echo "$counter" | grep CacheNSECNodes | wc -l) + test $count = 1 || ret=1 + zero=$(echo "$counter" | grep ">0<" | wc -l) + if [ ${ad} = yes ] + then + test $zero = 0 || ret=1 + else + test $zero = 1 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD + do + case $synthesized in + SynthNXDOMAIN) count=1;; + SynthNODATA) count=4;; + SynthWILDCARD) count=2;; + esac + + echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ] + then + grep '<counter name="'$synthesized'">'$count'</counter>' $xml > /dev/null || ret=1 + else + grep '<counter name="'$synthesized'">'0'</counter>' $xml > /dev/null || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + done + else + echo_i "Skipping XML statistics checks" + fi + + if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then + echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)" + ret=0 + json=json.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" + ret=0 + count=$(grep '"CoveringNSEC":' $json | wc -l) + test $count = 2 || ret=1 + zero=$(grep '"CoveringNSEC":0' $json | wc -l) + if [ ${synth} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" + ret=0 + count=$(grep '"CacheNSECNodes":' $json | wc -l) + test $count = 2 || ret=1 + zero=$(grep '"CacheNSECNodes":0' $json | wc -l) + if [ ${ad} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD + do + case $synthesized in + SynthNXDOMAIN) count=1;; + SynthNODATA) count=4;; + SynthWILDCARD) count=2;; + esac + + echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ] + then + grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1 + else + grep '"'$synthesized'":' $json > /dev/null && ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + done + else + echo_i "Skipping JSON statistics checks" + fi +done + +echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +synth=${synth_default} +dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +check_ad_flag yes dig.out.ns3.test$n || ret=1 +check_status NXDOMAIN dig.out.ns3.test$n || ret=1 +if [ ${synth} = yes ] +then + check_synth_soa . dig.out.ns3.test$n || ret=1 +else + check_nosynth_soa . dig.out.ns3.test$n || ret=1 +fi +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +check_ad_flag no dig.out.ns3.test$n || ret=1 +check_status NOERROR dig.out.ns3.test$n || ret=1 +grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)" +ret=0 +dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +check_status NOERROR dig.out.ns5-1.test$n || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "regression test for CVE-2022-0635 ($n)" +ret=0 +# add DNAME to cache +dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1 +# add A record to cache at name before DNAME owner +dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 +# add NSEC record to cache at name before DNAME owner +dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1 +# wait for NSEC to timeout +sleep 6 +# use DNAME for lookup +dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)" +ret=0 +#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' +dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 +grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 +#perform lookup in grafted zone +dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 +grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)" +ret=0 +#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' +dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 +grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 +#perform lookup in grafted zone +dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 +grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 |