diff options
Diffstat (limited to '')
24 files changed, 1663 insertions, 0 deletions
diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh new file mode 100644 index 0000000..bd86173 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/clean.sh @@ -0,0 +1,50 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f ./*/named.memstats +rm -f ./*/named.conf +rm -f ./*/named.run +rm -f ./*/named.run.prev +rm -f ./*/named.stats +rm -f ./dig.out.* +rm -f ./ns1/K*+*+*.key +rm -f ./ns1/K*+*+*.private +rm -f ./ns1/dsset-* +rm -f ./ns1/example.db +rm -f ./ns1/example.db.signed +rm -f ./ns1/insecure.example.db +rm -f ./ns1/insecure.example.db.signed +rm -f ./ns1/dnamed.db +rm -f ./ns1/dnamed.db.signed +rm -f ./ns1/minimal.db +rm -f ./ns1/minimal.db.signed +rm -f ./ns1/root.db +rm -f ./ns1/root.db.signed +rm -f ./ns1/soa-without-dnskey.db +rm -f ./ns1/soa-without-dnskey.db.signed +rm -f ./ns1/trusted.conf +rm -f ./ns2/named_dump.db +rm -f ./ns*/managed-keys.bind* +rm -f ./nodata.out ./insecure.nodata.out +rm -f ./nxdomain.out ./insecure.nxdomain.out +rm -f ./wild.out ./insecure.wild.out +rm -f ./wildcname.out ./insecure.wildcname.out +rm -f ./wildnodata1nsec.out ./insecure.wildnodata1nsec.out +rm -f ./wildnodata2nsec.out ./insecure.wildnodata2nsec.out +rm -f ./wildnodata2nsecafterdata.out ./insecure.wildnodata2nsecafterdata.out +rm -f ./minimal.nxdomain.out +rm -f ./black.out +rm -f ./xml.out* +rm -f ./json.out* diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in new file mode 100644 index 0000000..61dfcf8 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns1 hostmaster 1 3600 1200 604800 5 +@ NS ns1 +ns1 A 10.53.0.1 +a A 10.53.0.1 +dname DNAME example. diff --git a/bin/tests/system/synthfromdnssec/ns1/example.db.in b/bin/tests/system/synthfromdnssec/ns1/example.db.in new file mode 100644 index 0000000..79d5c27 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns1 hostmaster 1 3600 1200 604800 3600 +@ NS ns1 +ns1 A 10.53.0.1 +nodata TXT nodata +*.wild-a A 1.2.3.4 +*.wild-cname CNAME ns1 +*.wild-1-nsec A 1.2.3.4 +*.wild-2-nsec A 1.2.3.4 +_x.wild-2-nsec TXT a name beween wild-2-nsec and a.wild-2-nsec +*.wild-2-nsec-afterdata A 1.2.3.4 +*.wild-2-nsec-afterdata AAAA 2002::1 +_x.wild-2-nsec-afterdata TXT a name beween wild-2-nsec-afterdata and a.wild-2-nsec-afterdata +dnamed DNAME dnamed. diff --git a/bin/tests/system/synthfromdnssec/ns1/minimal.db.in b/bin/tests/system/synthfromdnssec/ns1/minimal.db.in new file mode 100644 index 0000000..2df3890 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/minimal.db.in @@ -0,0 +1,46 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +minimal. 3600 SOA ns1.minimal. hostmaster.minimal. ( + 1 ; serial + 3600 ; refresh (1 hour) + 1200 ; retry (20 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 3600 NS ns1.minimal. + 3600 NSEC badtypemap.minimal. NS SOA RRSIG NSEC DNSKEY +; bad NSEC type map without RRSIG or NSEC +badtypemap.minimal. 3600 NSEC black.minimal. A +badtypemap.minimal. 3600 A 1.2.3.4 +badtypemap.minimal. 3600 AAAA 2002::1 +; cloudflare black lie +black.minimal. 3600 NSEC \000.black.minimal. RRSIG NSEC +; +dnamed.minimal. 3600 DNAME dnamed. + 3600 NSEC insecure.minimal. DNAME RRSIG NSEC +insecure.minimal. 3600 NS ns1.insecure.minimal. + 3600 NSEC nodata.minimal. NS RRSIG NSEC +nodata.minimal. 3600 TXT "nodata" + 3600 NSEC ns1.minimal. TXT RRSIG NSEC +; incomplete chain pointing at non-existent ns2.minimal +ns1.minimal. 3600 A 10.53.0.1 + 3600 NSEC ns2.minimal. A RRSIG NSEC +; minimal response for nxdomain.minimal. +nxdomaia.minimal. 3600 NSEC nxdomaiz.minimal. RRSIG NSEC +; +*.wild-a.minimal. 3600 A 1.2.3.4 + 3600 NSEC *.wild-cname.minimal. A RRSIG NSEC +*.wild-cname.minimal. 3600 CNAME ns1.minimal. + 3600 NSEC minimal. CNAME RRSIG NSEC +; glue +ns1.insecure.minimal. 3600 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in new file mode 100644 index 0000000..9a86e24 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in @@ -0,0 +1,72 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +statistics-channels { + inet 10.53.0.1 port @EXTRAPORT1@ allow { any; }; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +zone "example" { + type primary; + file "example.db.signed"; +}; + +zone "insecure.example" { + type primary; + file "insecure.example.db.signed"; +}; + +zone "dnamed" { + type primary; + file "dnamed.db.signed"; +}; + +zone "minimal" { + type primary; + file "minimal.db.signed"; +}; + +zone "soa-without-dnskey" { + type primary; + file "soa-without-dnskey.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in new file mode 100644 index 0000000..bade656 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns1 hostmaster 1 3600 1200 604800 3600 +@ NS ns1 +ns1 A 10.53.0.1 +example NS ns1.example +fun NS ns1.example +ns1.example A 10.53.0.1 +dnamed NS ns1.dnamed +ns1.dnamed A 10.53.0.1 +minimal NS ns1.minimal +ns1.minimal A 10.53.0.1 +soa-without-dnskey NS ns1.soa-without-dnskey +ns1.soa-without-dnskey A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh new file mode 100644 index 0000000..9f699a0 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh @@ -0,0 +1,76 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +zone=example +infile=example.db.in +zonefile=example.db + +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +cat "$infile" "$keyname.key" > "$zonefile" +echo insecure NS ns1.insecure >> "$zonefile" +echo ns1.insecure A 10.53.0.1 >> "$zonefile" + +$SIGNER -P -o $zone $zonefile > /dev/null + +zone=insecure.example +infile=example.db.in +zonefile=insecure.example.db + +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +cat "$infile" "$keyname.key" > "$zonefile" + +$SIGNER -P -o $zone $zonefile > /dev/null + +zone=dnamed +infile=dnamed.db.in +zonefile=dnamed.db + +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +cat "$infile" "$keyname.key" > "$zonefile" + +$SIGNER -P -o $zone $zonefile > /dev/null + +zone=minimal +infile=minimal.db.in +zonefile=minimal.db + +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +cat "$infile" "$keyname.key" > "$zonefile" + +# do not regenerate NSEC chain as there in a minimal NSEC record present +$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null + +zone=soa-without-dnskey +infile=soa-without-dnskey.db.in +zonefile=soa-without-dnskey.db + +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone) +cat "$infile" "$keyname.key" > "$zonefile" + +# do not regenerate NSEC chain as there in a minimal NSEC record present +$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null + +zone=. +infile=root.db.in +zonefile=root.db + +keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -b ${DEFAULT_BITS} -n zone $zone) +cat "$infile" "$keyname.key" > "$zonefile" + +$SIGNER -P -g -o $zone $zonefile > /dev/null + +# Configure the resolving server with a static key. +keyfile_to_static_ds "$keyname" > trusted.conf diff --git a/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in b/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in new file mode 100644 index 0000000..a8ad40c --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +soa-without-dnskey. 3600 SOA ns1.soa-without-dnskey. hostmaster.soa-without-dnskey. ( + 1 ; serial + 3600 ; refresh (1 hour) + 1200 ; retry (20 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 3600 NS ns1.soa-without-dnskey. + 3600 NSEC ns1.soa-without-dnskey. NS SOA RRSIG NSEC +ns1.soa-without-dnskey. 3600 A 10.53.0.1 + 3600 NSEC soa-without-dnskey. A RRSIG NSEC diff --git a/bin/tests/system/synthfromdnssec/ns2/example.internal.db b/bin/tests/system/synthfromdnssec/ns2/example.internal.db new file mode 100644 index 0000000..938159b --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns2/example.internal.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2 hostmaster 1 3600 1200 604800 3600 +@ NS ns2 +@ A 1.2.3.4 +ns2 A 10.53.0.2 diff --git a/bin/tests/system/synthfromdnssec/ns2/named.conf.in b/bin/tests/system/synthfromdnssec/ns2/named.conf.in new file mode 100644 index 0000000..f4b5059 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns2/named.conf.in @@ -0,0 +1,57 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +statistics-channels { + inet 10.53.0.2 port @EXTRAPORT1@ allow { any; }; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +zone "example.internal" { + type primary; + file "example.internal.db"; +}; + +zone "example.internal2" { + type primary; + file "example.internal.db"; +}; + +include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns2/root.hints b/bin/tests/system/synthfromdnssec/ns2/root.hints new file mode 100644 index 0000000..6b80b9e --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns2/root.hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS ns1 +ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns3/named.conf.in b/bin/tests/system/synthfromdnssec/ns3/named.conf.in new file mode 100644 index 0000000..874143a --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns3/named.conf.in @@ -0,0 +1,52 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +statistics-channels { + inet 10.53.0.3 port @EXTRAPORT1@ allow { any; }; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +zone "." { + type redirect; + file "redirect.db"; +}; + +include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns3/redirect.db b/bin/tests/system/synthfromdnssec/ns3/redirect.db new file mode 100644 index 0000000..c529ad2 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns3/redirect.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA ns.example.net hostmaster.example.net 0 0 0 0 0 +@ IN NS ns.example.net +; +; NS records do not need address records in this zone as it is not in the +; normal namespace. +; +*.redirect. IN A 100.100.100.2 +*.redirect. IN AAAA 2001:ffff:ffff::100.100.100.2 diff --git a/bin/tests/system/synthfromdnssec/ns3/root.hints b/bin/tests/system/synthfromdnssec/ns3/root.hints new file mode 100644 index 0000000..6b80b9e --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns3/root.hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS ns1 +ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns4/named.conf.in b/bin/tests/system/synthfromdnssec/ns4/named.conf.in new file mode 100644 index 0000000..c9d9210 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns4/named.conf.in @@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation yes; + synth-from-dnssec no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +statistics-channels { + inet 10.53.0.4 port @EXTRAPORT1@ allow { any; }; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns4/root.hints b/bin/tests/system/synthfromdnssec/ns4/root.hints new file mode 100644 index 0000000..6b80b9e --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns4/root.hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS ns1 +ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns5/internal2.db b/bin/tests/system/synthfromdnssec/ns5/internal2.db new file mode 100644 index 0000000..4f07f70 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns5/internal2.db @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns5 hostmaster 1 3600 1200 604800 3600 +@ NS ns5 +ns5 A 10.53.0.5 +example NS ns2.example +ns2.example A 10.53.0.2 diff --git a/bin/tests/system/synthfromdnssec/ns5/named.conf.in b/bin/tests/system/synthfromdnssec/ns5/named.conf.in new file mode 100644 index 0000000..4249548 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns5/named.conf.in @@ -0,0 +1,60 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation yes; + synth-from-dnssec yes; + validate-except { example.internal; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +statistics-channels { + inet 10.53.0.5 port @EXTRAPORT1@ allow { any; }; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +zone "example.internal" { + type forward; + forward only; + forwarders { 10.53.0.2; }; +}; + +zone "internal2" { + type primary; + file "internal2.db"; +}; + +include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns5/root.hints b/bin/tests/system/synthfromdnssec/ns5/root.hints new file mode 100644 index 0000000..6b80b9e --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns5/root.hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS ns1 +ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns6/named.conf.in b/bin/tests/system/synthfromdnssec/ns6/named.conf.in new file mode 100644 index 0000000..c10e0f7 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns6/named.conf.in @@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-validation no; + synth-from-dnssec yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +statistics-channels { + inet 10.53.0.6 port @EXTRAPORT1@ allow { any; }; +}; + +zone "." { + type hint; + file "root.hints"; +}; + +include "../ns1/trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns6/root.hints b/bin/tests/system/synthfromdnssec/ns6/root.hints new file mode 100644 index 0000000..6b80b9e --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns6/root.hints @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS ns1 +ns1 A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh new file mode 100644 index 0000000..d109871 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/setup.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +set -e + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf +copy_setports ns6/named.conf.in ns6/named.conf + +( + cd ns1 + $SHELL sign.sh +) diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh new file mode 100644 index 0000000..1bfd00b --- /dev/null +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -0,0 +1,904 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# set -e +# +# shellcheck source=conf.sh +. ../conf.sh + +RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" + +set -e + +status=0 +n=1 +synth_default=yes + +rm -f dig.out.* + +dig_with_opts() { + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +check_ad_flag() { + if [ ${1} = yes ] + then + grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null || return 1 + else + grep "flags:[^;]* ad[^;]*; QUERY" ${2} > /dev/null && return 1 + fi + return 0 +} + +check_status() { + grep "status: ${1}," ${2} > /dev/null || return 1 + return 0 +} + +check_synth_soa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.SOA" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.SOA" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_soa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.SOA" ${2} > /dev/null || return 1 + return 0 +) + +check_synth_a() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.A.[0-2]" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_a() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.A.[0-2]" ${2} > /dev/null || return 1 + return 0 +) + +check_synth_aaaa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_aaaa() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1 + return 0 +) + +check_synth_cname() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1 + grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null && return 1 + return 0 +) + +check_nosynth_cname() ( + name=$(echo "$1" | sed 's/\./\\./g') + grep "^${name}.*3600.IN.CNAME" ${2} > /dev/null || return 1 + return 0 +) + +check_auth_count() { + grep "AUTHORITY: ${1}," ${2} > /dev/null || return 1 + return 0 +} + +for ns in 2 4 5 6 +do + case $ns in + 2) ad=yes; description="<default>";; + 4) ad=yes; description="no";; + 5) ad=yes; description="yes";; + 6) ad=no; description="yes; dnssec-validation no";; + *) exit 1;; + esac + echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nxdomain.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n nodata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wild.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildcname.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata1nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > wildnodata2nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nxdomain.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure negative NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nodata.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.nodata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_a a.wild-a.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wild.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname a.wild-cname.insecure.example. dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.ns${ns}.test$n > insecure.wildcname.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-1-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 4 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata1nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec.insecure.example. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n insecure.wildnodata2nsec.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1 + [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + +done + +echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +check_ad_flag no dig.out.ns3.test$n || ret=1 +check_status NOERROR dig.out.ns3.test$n || ret=1 +grep 'a\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# ensure TTL of synthesised answers differs from direct answers. +# +sleep 1 + +for ns in 2 4 5 6 +do + case $ns in + 2) ad=yes synth=${synth_default} description="<default>";; + 4) ad=yes synth=no description="no";; + 5) ad=yes synth=yes description="yes";; + 6) ad=no synth=no description="yes; dnssec-validation no";; + *) exit 1;; + esac + echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.example/A > /dev/null || ret=1 + fi + digcomp nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.example/AAAA > /dev/null || ret=1 + fi + digcomp nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null && ret=1 + else + check_nosynth_a b.wild-a.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-a.example/A > /dev/null || ret=1 + fi + digcomp wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null && ret=1 + else + check_nosynth_cname b.wild-cname.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.example/A > /dev/null || ret=1 + fi + grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + digcomp wildcname.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-1-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-1-nsec.example/AAAA > /dev/null || ret=1 + fi + digcomp wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec.example/AAAA > /dev/null || ret=1 + fi + digcomp wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1 + # + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1 + fi + digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.insecure.example/A > /dev/null || ret=1 + digcomp insecure.nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts nodata.insecure.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nodata.insecure.example/AAAA > /dev/null || ret=1 + digcomp insecure.nodata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + grep "b\.wild-a\.insecure\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + nextpart ns1/named.run | grep b.wild-a.insecure.example/A > /dev/null || ret=1 + digcomp insecure.wild.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard CNAME response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-cname.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_cname b.wild-cname.insecure.example dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-cname.insecure.example/A > /dev/null || ret=1 + grep "ns1.insecure.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1 + digcomp insecure.wildcname.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard NODATA 1 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-1-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata1nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard NODATA 2 NSEC response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec.insecure.example. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsec.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1 + # + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1 + digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1 + digcomp black.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1 + grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1 + grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)" + ret=0 + ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i + # 2 views, _bind should always be '0 covering nsec returned' + count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l) + if [ ${synth} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check 'rndc stats' output for 'cache NSEC auxiliary database nodes' (synth-from-dnssec ${description};) ($n)" + ret=0 + # 2 views, _bind should always be '0 cache NSEC auxiliary database nodes' + count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + test $count = 2 || ret=1 + zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l) + if [ ${ad} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + for synthesized in NXDOMAIN no-data wildcard + do + case $synthesized in + NXDOMAIN) count=1;; + no-data) count=4;; + wildcard) count=2;; + esac + echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ] + then + grep "$count synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null || ret=1 + else + grep "synthesized a ${synthesized} response" ns${ns}/named.stats > /dev/null && ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + done + + if ${FEATURETEST} --have-libxml2 && [ -x "${CURL}" ] ; then + echo_i "getting XML statisistcs for (synth-from-dnssec ${description};) ($n)" + ret=0 + xml=xml.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/xml/v3/server > $xml 2>/dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check XML for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" + ret=0 + counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CoveringNSEC">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) + count=$(echo "$counter" | grep CoveringNSEC | wc -l) + test $count = 1 || ret=1 + zero=$(echo "$counter" | grep ">0<" | wc -l) + if [ ${synth} = yes ] + then + test $zero = 0 || ret=1 + else + test $zero = 1 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check XML for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" + ret=0 + counter=$(sed -n 's;.*<view name="_default">.*\(<counter name="CacheNSECNodes">[0-9]*</counter>\).*</view><view.*;\1;gp' $xml) + count=$(echo "$counter" | grep CacheNSECNodes | wc -l) + test $count = 1 || ret=1 + zero=$(echo "$counter" | grep ">0<" | wc -l) + if [ ${ad} = yes ] + then + test $zero = 0 || ret=1 + else + test $zero = 1 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD + do + case $synthesized in + SynthNXDOMAIN) count=1;; + SynthNODATA) count=4;; + SynthWILDCARD) count=2;; + esac + + echo_i "check XML for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ] + then + grep '<counter name="'$synthesized'">'$count'</counter>' $xml > /dev/null || ret=1 + else + grep '<counter name="'$synthesized'">'0'</counter>' $xml > /dev/null || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + done + else + echo_i "Skipping XML statistics checks" + fi + + if $FEATURETEST --have-json-c && [ -x "${CURL}" ] ; then + echo_i "getting JSON statisistcs for (synth-from-dnssec ${description};) ($n)" + ret=0 + json=json.out$n + ${CURL} http://10.53.0.${ns}:${EXTRAPORT1}/json/v1/server > $json 2>/dev/null || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check JSON for 'CoveringNSEC' with (synth-from-dnssec ${description};) ($n)" + ret=0 + count=$(grep '"CoveringNSEC":' $json | wc -l) + test $count = 2 || ret=1 + zero=$(grep '"CoveringNSEC":0' $json | wc -l) + if [ ${synth} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + echo_i "check JSON for 'CacheNSECNodes' with (synth-from-dnssec ${description};) ($n)" + ret=0 + count=$(grep '"CacheNSECNodes":' $json | wc -l) + test $count = 2 || ret=1 + zero=$(grep '"CacheNSECNodes":0' $json | wc -l) + if [ ${ad} = yes ] + then + test $zero = 1 || ret=1 + else + test $zero = 2 || ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + for synthesized in SynthNXDOMAIN SynthNODATA SynthWILDCARD + do + case $synthesized in + SynthNXDOMAIN) count=1;; + SynthNODATA) count=4;; + SynthWILDCARD) count=2;; + esac + + echo_i "check JSON for '$synthesized}' with (synth-from-dnssec ${description};) ($n)" + ret=0 + if [ ${synth} = yes ] + then + grep '"'$synthesized'":'$count'' $json > /dev/null || ret=1 + else + grep '"'$synthesized'":' $json > /dev/null && ret=1 + fi + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + done + else + echo_i "Skipping JSON statistics checks" + fi +done + +echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +synth=${synth_default} +dig_with_opts b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +check_ad_flag yes dig.out.ns3.test$n || ret=1 +check_status NXDOMAIN dig.out.ns3.test$n || ret=1 +if [ ${synth} = yes ] +then + check_synth_soa . dig.out.ns3.test$n || ret=1 +else + check_nosynth_soa . dig.out.ns3.test$n || ret=1 +fi +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)" +ret=0 +dig_with_opts +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +check_ad_flag no dig.out.ns3.test$n || ret=1 +check_status NOERROR dig.out.ns3.test$n || ret=1 +grep 'b\.redirect\..*300.IN.A.100\.100\.100\.2' dig.out.ns3.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)" +ret=0 +dig_with_opts dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1 +dig_with_opts a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +check_status NOERROR dig.out.ns5-1.test$n || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "regression test for CVE-2022-0635 ($n)" +ret=0 +# add DNAME to cache +dig_with_opts dname.dnamed. dname @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-1.test$n >/dev/null || ret=1 +# add A record to cache at name before DNAME owner +dig_with_opts a.dnamed. a @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 +# add NSEC record to cache at name before DNAME owner +dig_with_opts a.dnamed. aaaa @10.53.0.5 > dig.out.ns5-3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-3.test$n >/dev/null || ret=1 +# wait for NSEC to timeout +sleep 6 +# use DNAME for lookup +dig_with_opts b.dname.dnamed a @10.53.0.5 > dig.out.ns5-4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5-4.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)" +ret=0 +#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' +dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 +grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 +#perform lookup in grafted zone +dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 +grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check synth-from-dnssec with grafted zone (primary zone) ($n)" +ret=0 +#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal' +dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1 +grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1 +#perform lookup in grafted zone +dig_with_opts example.internal2 @10.53.0.5 > dig.out.ns5-2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1 +grep '^example\.internal2\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py b/bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py new file mode 100644 index 0000000..5cbf848 --- /dev/null +++ b/bin/tests/system/synthfromdnssec/tests_sh_synthfromdnssec.py @@ -0,0 +1,14 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + + +def test_synthfromdnssec(run_tests_sh): + run_tests_sh() |